Sept. 2011 Symantec intelligence report: Polymorphic malware rate peaks at 72 percent

BANGALORE, INDIA: Symantec Corp. announced the results of the September 2011 Symantec Intelligence Report, now combining the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report.

This month’s analysis reveals that a deluge of malicious email-borne malware has left a clear mark on the threat landscape for September. Approximately 72 percent of all email-borne malware in September could be characterized as aggressive strains of generic polymorphic malware, first identified in the July Symantec Intelligence Report. At the end of July, this rate was 23.7 percent, in August it fell slightly to 18.5 percent, before soaring to 72 percent in September.

“This unprecedented high-water mark underlines the nature by which cyber criminals have escalated their assault on businesses in 2011, fully exploiting the weaknesses of more traditional security countermeasures,” said Abhijit Limaye, director, Development, Symantec.

Further analysis reveals that the social engineering behind many of these attacks has also accelerated, with the adoption of a variety of new techniques such as pretending to be an email from a smart printer/scanner being forwarded by a colleague in the same organization.

“The idea of an office printer sending malware is perhaps an unlikely one, as printers and scanners were not actually used in these attacks, but perhaps this sense of security is all that is required for such a socially engineered attack to succeed in the future,” Limaye said.

Although spam levels remained fairly stable during September, Symantec Intelligence observed the use of identified vulnerabilities in certain older versions of the popular WordPress blogging software on a large number of Web sites across the Internet. Spam emails containing links to these compromised Web sites are also being spammed out. It is important to note that blogs hosted by WordPress themselves seem to be unaffected.

The exploitation of these vulnerabilities to serve spammers’ interests is a stark reminder for the need to ensure software is up-to-date with latest patches and releases.

Additional research also reveals that JavaScript is becoming increasing popular as programming language by spammers and malware authors. JavaScript is increasingly used to conceal where spammers are redirecting, and in some cases, also to conceal entire Web pages.

“For spammers, hosting simple JavaScript obfuscation pages on free hosting sites can increase the lifetime of that site before the site operator realizes the page is being used for malicious activity,” Limaye said. “JavaScript is popularly used for redirecting visitors of a compromised Web site to the spammers landing page. While some of these techniques have been common in malware distribution for some time, spammers are increasingly using them.”

Other report highlights:
Spam: In September 2011, the global ratio of spam in email traffic declined to 74.8 percent (1 in 1.34 emails), a decrease of 1.1 percentage points when compared with August 2011.

Phishing: In September, phishing email activity diminished by 0.26 percentage points since August 2011; one in 447.9 emails (0.223 percent) comprised some form of phishing attack.

E-mail-borne threats: The global ratio of email-borne viruses in email traffic was one in 188.7 emails (0.53 percent) in September, an increase of 0.04 percentage points since August 2011.

Web-based malware threats: In September, Symantec Intelligence identified an average of 3,474 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 1.0 percent since August 2011.

Endpoint threats: The most frequently blocked malware for the last month was W32.Sality.AE, a virus that spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

Geographical trends
Spam
* Saudi Arabia remained the most spammed geography; with a spam rate of 84 percent.
* Russia became the second most-spammed.
* In China 89.3 percent of email blocked as spam.
* In the US, 74.5 percent of email was spam and 74.1 percent in Canada.
* The spam level in the UK was 75.5 percent.
* In The Netherlands, spam accounted for 76.4 percent of email traffic, 75.5 percent in Germany, 75.2 percent in Denmark and 73.3 percent in Australia.
* In Hong Kong, 73.9 percent of email was blocked as spam and 72.6 percent in Singapore, compared with 71.6 percent in Japan.
* Spam accounted for 74.3 percent of email traffic in South Africa and 77.1 percent in Brazil.

Phishing
* Phishing attacks in South Africa increased once more position the country as the most targeted geography for phishing in September, with one in 133.1 emails identified as phishing.
* The UK remained the second most targeted country, with one in 221.1 emails identified as phishing attacks.
* Phishing levels for the US were one in 985.9 and one in 317.6 for Canada.
* In Germany, phishing levels were one in 1,125, one in 1,071 in Denmark and one in 377.2 in The Netherlands.
* In Australia, phishing activity accounted for one in 740 emails and one in 1,882 in Hong Kong; for Japan it was one in 12,812 and one in 1,958 for Singapore.
* In Brazil, one in 439 emails was blocked as phishing.

E-mail-borne threats
* Email-borne malware attacks in Hungary climbed to one in 111.2 emails, positioning the country at the top of the table with the highest ratio of malicious emails in September.
* Switzerland was the second most geography under fire in September, with one in 128.2 emails was identified as malicious in September.
* In the UK, one in 129.9 emails was blocked as malicious.
* Virus levels for email-borne malware reached one in 224.8 in the US and one in 164.8 in Canada.
* In Germany, virus activity reached one in 197.9, one in 488.8 in Denmark and in The Netherlands one in 174.9.
* In Australia, one in 341.5 emails were malicious and one in 215.6 in Hong Kong; for Japan it was one in 658.3, compared with one in 307.2 in Singapore.
* In Brazil, one in 363.5 emails in contained malicious content.

Vertical trends
* In September, the automotive industry sector remained as the most spammed industry sector, with a spam rate of 77.8 percent.
* The spam level for the education sector was 77.2 percent and 74.6 percent for the chemical and pharmaceutical sector, 74.4 percent for IT services, 74.3 percent for retail, 74.5 percent for public sector and 74.3 percent for finance.
* The public sector remained the most targeted by phishing activity in September, with one in 125.8 emails comprising a phishing attack.
* Phishing levels for the chemical and pharmaceutical sector reached one in 797.3 and one in 754.6 for the IT services sector, one in 664.5 for retail, one in 156.9 for education and one in 388.6 for finance.
* With one in 61.5 emails being blocked as malicious, the public sector remained the most targeted industry in September.
* Virus levels for the chemical and pharmaceutical sector were one in 104.5 and one in 192.2 for the IT services sector; one in 276.1 for retail, one in 80.1 for education and one in 240.9 for finance.

The September 2011 Symantec Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends.