Commtouch April 2011 Internet Threats Trend report
Internet Threats Trend Report
April 2011
April 2011 Threat Report
The following is a condensed version of the April 2011 Commtouch Internet Threats Trend Report.
Download the complete report at www.commtouch.com/threat-report
Copyright© 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.
1 Key Highlights
2 Trends: Malware, Compromised Websites, Spam and Web 2.0
3 Feature: The ups & downs of Spam in Q1
Key Highlights
Key Security Highlights
• Average daily spam/phishing emails sent: 149 billion
› Average daily spam was up in Q1
• Zombie daily turnover: 258,000 zombies
› The number of zombies turned off and on each day went down in Q1
• Most popular blog topic on user generated content sites: Streaming media/downloads
• Most popular spam topic: Pharmacy ads (28% of spam)
› While it was the most popular spam topic, it was down to only 28% of all spam
• Country with the most zombies: India (17%)
› India remains atop the list but with just 17%
• Website category most likely to be compromised with malware: Parked Domains
› Parked Domains took over the top spot in categories likely to be compromised
Feature: The ups & downs of spam in Q1
Q1 2011 Spam Trends
• Q1 spam levels start off low after an unusually low-spam Christmas
• Around Jan 10, 2011, spam shot up 45% (compared to the previous two weeks) to pre-Christmas levels
› The increase was attributed to the resumption of activity by the Rustock botnet – primarily sending out pharmaceutical spam
• Spam stabilizes in the middle of the quarter
› February averages 165 billion spam emails/day (in comparison, October 2010 had 162 billion per day)
• On March 16, the Rustock botnet is taken down
› Result – a dramatic 30% decrease in spam rates
[Figure: Spam Levels, December 2010 - March 2011 (Source: Commtouch). Chart of spam, ham and %spam, annotated: pre-Christmas outbreak, Christmas lull, 9th Jan increase, 16th Mar Rustock takedown.]
• The Rustock takedown results in a two-week drop in daily zombie turnover (25% drop)
• A large malware outbreak at the end of March results in large-scale recruitment of new zombies – more than doubling the daily turnover
[Figure: Newly Activated Zombies, January - March 2011 (Source: Commtouch)]
Other trends in Q1 2011: Malware
Malware Trends
• Over the last two years, virus distributors have steadily decreased their usage of email attachments as a means of malware distribution
• Web-based methods have become more common, as illustrated by several of the attacks described in this report
• The March outbreak changed this – very high levels of emails with attached malware
› At its peak it accounted for over 30% of all email received
› The sudden increase amounted to a 400% difference compared to the running average (see graph below)
[Figure: Email-borne Malware Levels, March 2011 (Source: Commtouch)]
Analysis of Q1 Malware Outbreak
• Most of the emails in the March outbreak came in the form of UPS parcel tracking information
• The attached zip file contained an executable, disguised with a PDF icon
• Later variations of the outbreak changed subjects to indicate DHL deliveries
• Large speculation over the reason for the sudden increase in malware-laden spam
• One possible theory is the rebuilding of a botnet, or a new botnet, after the takedown of Rustock
› The Rustock takedown resulted in a 30% drop in spam
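The outbreak attachment described above relied on a PDF icon and a parcel-tracking name to hide an executable inside a zip. As an added example (not Commtouch's code; the zip contents and member names are constructed here), this mail-gateway style check opens a zip attachment in memory and flags members by their leading bytes and extension pattern rather than by the icon or name they present:

```python
import io
import os
import zipfile

# Constructed sample bytes (not real malware): a Windows executable starts with the "MZ"
# DOS header, a PDF with "%PDF-". The icon the outbreak used lives in PE resources, so the
# member NAME and the ICON can both lie; the leading bytes cannot.
CONSTRUCTED_EXE_BYTES = b"MZ" + b"\x90" * 62
CONSTRUCTED_PDF_BYTES = b"%PDF-1.4\n%constructed\n"

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt"}


def build_constructed_attachment():
    """Build a zip like the March 2011 outbreak's: a tracking 'document' that is an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_tracking_1Z999.pdf.exe", CONSTRUCTED_EXE_BYTES)  # constructed name
        zf.writestr("invoice.pdf", CONSTRUCTED_PDF_BYTES)                  # benign decoy
    return buf.getvalue()


def inspect_zip_attachment(zip_bytes):
    """Return [(member name, [reasons])] for members that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                magic = member.read(2)          # only the header bytes are needed
            name = info.filename.lower()
            root, ext = os.path.splitext(name)
            inner_ext = os.path.splitext(root)[1]  # second-to-last extension, if any
            reasons = []
            if magic == b"MZ":
                reasons.append("MZ header: Windows executable whatever its name or icon")
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
                reasons.append("double extension mimicking a " + inner_ext + " document")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for member_name, why in inspect_zip_attachment(build_constructed_attachment()):
        print(member_name, "->", "; ".join(why))
```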
Other Malware in Q1 – PDF Vulnerability
• Emails disguised as if sent from a Xerox office scanner (see example on right)
• The attached file contains JavaScript targeting vulnerabilities in PDF readers not running the latest patches
• After the PC is exploited, the malware fetches other malware from the Internet
[Figure: flow of the attack (Source: Commtouch)]
Other major malware attacks in Q1 2011:
• Kama Sutra Virus
• T-Online used for fake AV
Read all the details in the complete April 2011 threat report at www.commtouch.com/threat-report
Top 10 Malware of Q1 2011 (Source: Commtouch)
Rank Malware Name
1 W32/Worm.BAOX
2 IS/Autorun
3 W32/Worm.MWD
4 W32/VBTrojan.17E!Maximus
5 W32/Sality.gen2
6 W32/Virut.AI!Generic
7 IFrame.gen
8 W32/Ramnit.D
9 W32/Vobfus.L.gen!Eldorado
10 W32/Thecid.B@mm
Other trends in Q1 2011: Compromised Websites
• For the first time in over a year, pornographic and sexually explicit sites have been displaced by parked domains and spam sites
› For both these types of sites, the hosting of malware may well be part of the design of such sites
Analysis of Web sites most likely to be compromised with malware or phishing
Website categories infected with malware
Rank Category
1 Parked Domains
2 Spam sites
3 Portals
4 Pornography/Sexually Explicit
5 Education
6 Entertainment
7 Business
8 Shopping
9 Fashion & Beauty
10 Computers & Technology
Website categories infected with phishing
Rank Category
1 Games
2 Health & Medicine
3 Portals
4 Computers & Technology
5 Fashion & Beauty
6 Leisure & Recreation
7 Shopping
8 Sports
9 Education
10 Streaming Media & Downloads
Portals category includes sites offering free homepages, which are abused to host phishing and malware content.
Trends in Compromised Websites
• Compromised websites are being used to host spam product pages
• Benefits for the spammer
› Provides FREE hosting
› Forum domains are most likely whitelisted by many URL filtering or anti-spam engines, preventing these sites and the associated spam emails from being blocked
New Trend – Phishers cutting costs and streamlining
Analysis of attack on: HomeAway holiday rentals
• The page source reveals that filled-in form data is sent to “formbuddy.com”, not collected directly by the phisher
• Formbuddy collects and stores all the responses to the “form” and then emails a neat summary to the phisher
• Benefits to the phisher:
› Doesn’t have to worry about creating/managing/storing back-end form data collection
› Cuts costs
› Can more easily scale the harvesting of phished data
[Figure (Source: Commtouch)]
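The tell in the HomeAway case was visible in the page source: a login-style form whose action points at a third-party form-collection host instead of the site the page claims to be. As an added example (not Commtouch's code; the page URL, HTML and form path are constructed), this check parses a page's forms and flags any that gather password or payment fields but post them to a different host than the page itself:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names that indicate a form is harvesting credentials or payment data.
SENSITIVE_FIELD_NAMES = {"password", "passwd", "pwd", "cardnumber", "card_number", "cvv", "ssn"}


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the (name, type) of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (attrs.get("name") or "").lower()
            kind = (attrs.get("type") or "text").lower()
            self._current["fields"].append((name, kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_offsite_credential_forms(page_url, html):
    """Return forms that collect sensitive fields but post them to a host other than the page's."""
    collector = FormCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname or ""
    flagged = []
    for form in collector.forms:
        # Resolve relative actions against the page URL before comparing hosts.
        target_host = urlparse(urljoin(page_url, form["action"])).hostname or ""
        sensitive = [n for n, kind in form["fields"] if kind == "password" or n in SENSITIVE_FIELD_NAMES]
        if sensitive and target_host and target_host != page_host:
            flagged.append({"action_host": target_host, "fields": sensitive})
    return flagged


# Constructed page: a login lookalike whose form posts to the form-collection service named above.
CONSTRUCTED_PAGE_URL = "https://holiday-rentals-login.example/signin"
CONSTRUCTED_PHISH_HTML = """<form method="post" action="https://formbuddy.com/constructed-example-path">
  <input name="email" type="text"> <input name="password" type="password">
  <input type="submit" value="Sign in"></form>"""
# The same form posting back to its own site, as a legitimate login page would.
CONSTRUCTED_LEGIT_HTML = CONSTRUCTED_PHISH_HTML.replace("https://formbuddy.com/constructed-example-path", "/signin")
```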
Other trends in Q1 2011: Spam Trends
Spam Trends
• Pharmacy spam remained in the top spot
› Dropped to 28% of all spam, down from 42% in Q4 2010
• 419 fraud, enhancements, and dating all increased
[Figure (Source: Commtouch)]
Spam Sending Domains
Commtouch monitors the domains used by spammers in the “from” field of spam emails, typically faked in order to give the impression of a reputable, genuine source.
Top spam sending domains
• 10th place – ups.com: due to the very large numbers of fake UPS notification emails sent as part of the March outbreak
• 17th place – dhl.com: used in the later stages of the March outbreak
• 40th place – postmaster.twitter.com: used extensively throughout Q1 to distribute fake Twitter notifications with links to pharmacy sites
[Figure (Source: Commtouch)]
Zombie distribution by country in Q1 2011
• India remains atop the list with 17%
• Brazil returned to second place with 12% after a drop in the last quarter
• Russia dropped 3% to 7%
• Vietnam moved into 3rd place
• UK, Germany and Kazakhstan all dropped out of the top 15, replaced by Peru, Colombia and Poland
[Figure (Source: Commtouch)]
Other trends in Q1 2011: Web 2.0
Web 2.0 Trends
Commtouch’s GlobalView Network tracks billions of Web browsing sessions and URL requests, and its URL Filtering service includes highly granular categorization of Web 2.0 content. In addition to filtering accuracy, this provides insight into the most popular user generated content sites.
Most Popular User Generated Content Sites (Source: Commtouch)
Rank Category %
1 Streaming Media & Downloads 21%
2 Entertainment 8%
3 Computers & Technology 8%
4 Shopping 5%
5 Pornography/Sexually Explicit 5%
6 Arts 4%
7 Religion 4%
8 Fashion & Beauty 4%
9 Sports 3%
10 Restaurants & Dining 3%
11 Spam Sites 3%
12 Education 3%
13 Health & Medicine 2%
14 Leisure & Recreation 2%
15 Games 2%
Streaming Media & Downloads includes sites with live or archived media for download or streaming content, such as Internet radio, Internet TV or MP3 files.
Entertainment blogs typically cover television, movies, and music as well as hosting celebrity fan sites and entertainment news.
Review of Q1 2011
[Timeline chart, January – April 2011 (Source: Commtouch)]
Events on the timeline:
• Continued Christmas, New Year lull in spam levels
• Daily spam level shoots up 45%
• Spam ratio reaches high of 92%
• T-Online used in Fake AV redirect
• Free hosting of spam content on forum sites
• Xerox scanner PDF malware
• Valentine’s Day spam
• Support for Egypt mass mailings
• Malware spread via Facebook chat
• Kama Sutra Virus spreads with PowerPoint “guide”
• Rustock takedown, spam drops 30%
• 400% increase in email-attached malware
• HomeAway phishing uses online form management
• April: Zombies increase
Download the complete April 2011 Internet Threats Trend Report at www.commtouch.com/threat-report
For more information contact: [email protected]
650 864 2000 (Americas) +972 9 863 6888 (International)
Web: www.commtouch.com
Blog: http://blog.commtouch.com