The July 2011 Symantec Intelligence Report reveals a significant increase in activity related to what may be described as an aggressive and rapidly changing form of generic polymorphic malware. With one in 280.9 emails identified as malicious in July, the rise accounted for 23.7 percent of all email-borne malware intercepted in July, more than double the same figure six months ago, indicating a much more aggressive strategy on the part of the cyber criminals responsible.
2. New: The Symantec Intelligence Report
The new Symantec Intelligence Report combines the best research and analysis from Symantec:
• Symantec.cloud MessageLabs Intelligence Report
• Symantec State of Spam & Phishing Report
The integrated Symantec Intelligence Report provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team.
Symantec Intelligence 2
3. July 2011 Highlights
• Spam – 77.8% in July
• Phishing – One in 319.3 emails identified as phishing
• Malware – One in 280.9 emails in July contained malware
• Malicious Web sites – 6,797 Web sites blocked per day
• 35.9% of all malicious domains blocked were new in July
• 21.1% of all Web-based malware blocked was new in July
• Aggressively unstable malware leads to a rise in sophisticated socially engineered attacks
• Phishers’ World in Your Cell Phone
• Large scale malware attack using URL shortening services
• Best Practices for Enterprises and Users
6. Top Ten Spam-Sending Botnets (relative volumes)
Since March 2011
7. Most Active Spam-Sending Botnets
| Botnet | % of spam | Spam/day | Spam/min | Spam/bot/min | Estimated botnet size | Country of Infection |
|---|---|---|---|---|---|---|
| Cutwail | 16.1% | 9,609,745,048 | 6,673,434 | 77 | 800k to 1200k | India (10%), Russia (9%), Brazil (8%) |
| Xarvester | 6.7% | 4,002,042,186 | 2,779,196 | 455 | 57k to 86k | United Kingdom (18%), France (13%), Italy (9%) |
| Maazben | 3.1% | 1,872,408,382 | 1,300,284 | 14 | 520k to 780k | Rep. of Korea (14%), Russia (10%), India (10%) |
| Lethic | 3.1% | 1,824,416,511 | 1,266,956 | 45 | 230k to 340k | Rep. of Korea (25%), Russia (15%), Ukraine (7%) |
| Grum | 3.0% | 1,801,605,428 | 1,251,115 | 140 | 200k to 290k | Russia (14%), India (14%), Ukraine (8%) |
| Bagle | 2.7% | 1,599,896,533 | 1,111,039 | 58 | 140k to 200k | India (15%), Russia (1%), Argentina (8%) |
| Fivetoone | 2.3% | 1,400,401,724 | 972,501 | 98 | 94k to 140k | Vietnam (20%), Brazil (12%), Indonesia (11%) |
| Festi | 1.2% | 691,992,804 | 480,551 | 166 | 25k to 37k | India (10%), Vietnam (10%), Brazil (9%) |
| Bobax | 0.4% | 254,229,254 | 176,548 | 24 | 80k to 120k | Ukraine (27%), India (18%), Russia (18%) |
| DarkMailer | 0.5% | 42,575,225 | 29,566 | 351 | 1k to 1.5k | France (27%), USA (16%), Germany (13%) |
| Other, smaller Botnets | 0.5% | 22,277,510 | 15,470 | 321 | 62k to 95k | |
| Unnamed Botnets | 36.9% | 21,962,912,697 | 15,252,023 | 196 | 660k to 990k | |
| Total Botnet Spam | 76.6% | 45,084,503,302 | 31,308,683 | 162 | | |
| Non-botnet spam | 23.4% | 3,411,165,479 | 2,368,865 | | | |
| Grand Total | | 48,495,668,780 | 33,677,548 | | | |
8. Global Spam Categories
| Category Name | June 2011 | July 2011 |
|---|---|---|
| Pharmaceutical | 40.0% | 47.0% |
| Adult/Sex/Dating | 19.0% | 14.5% |
| Jobs/Recruitments | - | 10.5% |
| Watches/Jewelry | 17.5% | 7.5% |
| Unsolicited Newsletters | 11.5% | 7.5% |
| Casino/Gambling | 7.0% | 3.5% |
| Degrees/Diplomas | 1.5% | 2.5% |
| Unknown/Other | 2.5% | 2.0% |
9. Spam Subject Line Analysis
| Rank | Total Spam: June 2011 Top Subject Lines | No. of Days | Total Spam: July 2011 Top Subject Lines | No. of Days |
|---|---|---|---|---|
| 1 | Blank Subject line | 31 | drop me a line | 31 |
| 2 | Re: Windows 7, Office 2010, Adobe CS5 … | 16 | r u online now? | 16 |
| 3 | im online now | 31 | hi darling.. | 31 |
| 4 | my new pics :) | 31 | new email | 31 |
| 5 | drop me a line | 31 | found you :) | 31 |
| 6 | r u online now? | 31 | im online now | 31 |
| 7 | hi darling.. | 31 | my new pics :) | 31 |
| 8 | new email | 31 | my new email | 31 |
| 9 | found you :) | 31 | my hot pics :) | 31 |
| 10 | my hot pics :) | 31 | I'm online now… | 31 |
10. Additional Spam Metrics
Spam URL TLD Distribution

| TLD | June | July | Change (% points) |
|---|---|---|---|
| com | 53.4% | 54.9% | +0.5 |
| ru | 19.2% | 10.6% | -8.6 |
| info | 14.9% | 18.3% | +3.4 |
| net | 5.5% | 6.2% | +0.7 |

Average Spam Message Size

| Message Size | June | July | Change (% points) |
|---|---|---|---|
| 0Kb – 5Kb | 62.3% | 65.1% | +2.8 |
| 5Kb – 10Kb | 24.2% | 21.2% | -3.0 |
| >10Kb | 13.4% | 13.7% | +0.3 |
20. Most Frequently Blocked Malware at the Endpoint
| Malware Name | % Malware |
|---|---|
| W32.Ramnit!html | 9.60% |
| W32.Sality.AE | 8.83% |
| Trojan.Bamital | 8.33% |
| W32.Ramnit.B!inf | 7.43% |
| W32.Downadup.B | 3.65% |
| W32.Almanahe.B!inf | 2.68% |
| W32.Virut.CF | 2.68% |
| W32.SillyFDC | 2.06% |
| Trojan.ADH | 1.80% |
| W32.Mabezat.B | 1.78% |
[1] For further information on these threats, please visit: http://www.symantec.com/business/security_response/landing/threats.jsp