
Internet Threats Trend Report, 3rd Quarter of 2011

Date: 2011-07-27
Commtouch Labs has studied Internet threat trends for the second quarter of 2011. A brief summary of the report follows.
Spammer tactics are changing
In mid-March, Microsoft led a takedown of the Rustock botnet. The immediate effect on spam levels was a drop of nearly 30% to an average of 119 billion messages per day during the last two weeks of March. In the past, botnet takedowns have resulted in temporary drops in spam levels followed by sustained increases, as spammers created new botnets and resumed mass mailings. The spam levels of this quarter however, suggest that the expected “recovery” of spam might not occur in the near term, and that spammers are changing their tactics. Average daily spam levels for the past year are shown below:

June’s spam level (106 billion) is the lowest in over 3 years. At its lowest point in June, spam accounted for 75% of all emails.
The new tactic therefore calls for the use of compromised accounts to send spam as opposed to using botnets. The move away from botnet spam can be attributed to the use of IP reputation mechanisms that have been increasingly successful in blacklisting zombie IP addresses and therefore blocking botnet spam. The blocking of spam from compromised accounts based on IP address is more difficult for many anti-spam technologies, since these accounts exist within whitelisted IP address ranges.
While spam from compromised accounts is less likely to get blocked by IP reputation systems, the volumes that can be sent are lower due to the thresholds imposed on these accounts. This at least partially accounts for the lower spam volumes seen this quarter.
Analysis of compromised accounts
In addition to the spoofed emails (shown above), a percentage of the emails from Gmail and Hotmail actually come from genuine accounts. These can be compromised accounts or accounts specifically created by spammers for this purpose. The graph below illustrates the percentage of spam received over a trial period this quarter where the “from” field includes Gmail and Hotmail. Based on the IP address, received spam could either be:
  • Sent from a zombie with a phony Gmail or Hotmail address in the from field
  • Or, sent from a compromised or spammer account at Gmail or Hotmail
As shown, almost 30% of the spam from Hotmail actually comes from compromised or spammer Hotmail accounts. Gmail spam, on the other hand, is mostly from zombies that simply forge their Gmail addresses.
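The report's split between "zombie forging a webmail address" and "genuine (compromised or spammer-created) account" comes down to one check: does the connecting IP belong to the provider the From address claims? The following added example (not part of the Commtouch report) implements that check and the per-provider percentages. The provider ranges are constructed placeholders from the documentation address blocks; a real deployment would load the providers' published outbound ranges (for instance, resolved from their SPF records), and the sample spam records are constructed as well.

```python
"""Split spam that claims a webmail From address into "spoofed by a zombie"
versus "sent from a genuine account at the provider", based on whether the
connecting IP lies inside the provider's outbound ranges (added example)."""
import ipaddress
from collections import Counter, defaultdict
from email.utils import parseaddr

# ASSUMPTION / CONSTRUCTED: stand-in outbound ranges for the two providers.
# Real deployments load the providers' published sender ranges instead of
# these documentation networks.
PROVIDER_RANGES = {
    "gmail.com": [ipaddress.ip_network("203.0.113.0/24")],
    "hotmail.com": [ipaddress.ip_network("198.51.100.0/24")],
}


def classify(from_domain: str, sender_ip: str):
    """Return 'genuine_account' if the connecting IP is inside the claimed
    provider's ranges, 'spoofed_zombie' if it is not, and None when the
    domain is not one we track. A 'genuine_account' hit may be either a
    compromised account or one the spammer created; this check alone
    cannot tell those apart."""
    nets = PROVIDER_RANGES.get(from_domain.lower())
    if nets is None:
        return None
    ip = ipaddress.ip_address(sender_ip)
    return "genuine_account" if any(ip in n for n in nets) else "spoofed_zombie"


def summarize(spam_records):
    """spam_records: iterable of (From header value, connecting IP) for
    messages already judged to be spam. Returns, per tracked domain, the
    percentage of messages in each class."""
    counts = defaultdict(Counter)
    for from_header, ip in spam_records:
        _, addr = parseaddr(from_header)          # strips any display name
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        label = classify(domain, ip)
        if label is not None:
            counts[domain][label] += 1
    summary = {}
    for domain, c in counts.items():
        total = sum(c.values())
        summary[domain] = {k: round(100.0 * c[k] / total, 1)
                           for k in ("genuine_account", "spoofed_zombie")}
    return summary


# CONSTRUCTED sample: 10 Hotmail-branded and 10 Gmail-branded spam messages.
# 192.0.2.0/24 stands in for assorted zombie addresses.
SAMPLE_SPAM = (
    [("Alice <a%d@hotmail.com>" % i, "198.51.100.%d" % (10 + i)) for i in range(3)]
    + [("b%d@hotmail.com" % i, "192.0.2.%d" % (10 + i)) for i in range(7)]
    + [("c@gmail.com", "203.0.113.5")]
    + [("d%d@gmail.com" % i, "192.0.2.%d" % (50 + i)) for i in range(9)]
)

if __name__ == "__main__":
    for domain, pct in sorted(summarize(SAMPLE_SPAM).items()):
        print(domain, pct)
```

The same lookup explains why IP reputation alone struggles with account-based spam: a message classified here as `genuine_account` arrives from an address range the receiving filter has every reason to trust, so the decision has to fall back on per-account sending thresholds and content analysis rather than the connecting IP. In production, the connecting IP must be taken from the trusted Received header added by your own border MTA, and forwarded or mailing-list traffic needs separate handling, since it legitimately arrives from outside the provider's ranges.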

Spam topics
Pharmacy spam remained in the top spot but continued to drop this quarter to only 24% (down from 28% in Q1 2011). 419 fraud, phishing, and pornography all increased.

Malware trends
The second quarter included malware distributed using a variety of methods - several of these are shown below.
SEO poisoning leads to fake antivirus
One method of distributing malware is SEO (Search Engine Optimization) poisoning: pushing links to fake antivirus pages into the search results for popular queries.
PDF malware
PDF files, as well as executables disguised as PDF files, were used in numerous attacks during Q2 2011. Two examples are shown below. In the first example the zip file extracts to an executable file, but the icon shown is that of an Adobe Acrobat PDF file. Users whose computers are configured to hide file extensions will see a PDF icon and assume the file is simply a PDF. When the file is executed, it shows a non-malicious PDF file in a fake PDF reader window.
The malware then does the following:
  • Captures all keystrokes and activities as users browse the internet.
  • Saves the stolen keylogging information in the file on the user’s hard drive – “updates2.txt”.
  • Sends the keylogger file to the malware owner via e-mail.
The second example of PDF malware uses complex coding to hide a malicious JavaScript within the PDF file.
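The first PDF example relies on two things the user cannot see: the file's real type and, with extensions hidden, its real extension. A mail gateway or endpoint scanner can check both before the archive reaches the desktop. The following added example (not code from the Commtouch report) sniffs each zip entry's leading bytes, compares the result with the type its name suggests, and flags double extensions such as `name.pdf.exe`. The sample archive is constructed in the code from inert stubs; the magic table covers only the two types the passage needs.

```python
"""Flag archive entries whose content does not match the document type their
name suggests (added example; not from the Commtouch report)."""
import io
import zipfile

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def sniff_type(head: bytes) -> str:
    """Identify content from its leading bytes. Only the two types this
    example needs are recognised; real scanners carry a far longer table."""
    if head.startswith(b"MZ"):      # DOS/PE executable header
        return "exe"
    if head.startswith(b"%PDF"):    # PDF header
        return "pdf"
    return "unknown"


def name_findings(filename: str, actual: str) -> list:
    """Reasons to hold the entry, derived from its name and sniffed type."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if actual == "exe" and ext in DOC_EXTS:
        reasons.append("executable content behind a document extension")
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS:
        reasons.append("double extension: reads as a document when extensions are hidden")
    if actual == "exe" and ext in EXEC_EXTS:
        reasons.append("executable delivered inside an archive")
    return reasons


def inspect_zip(zip_bytes: bytes) -> dict:
    """Return {entry name: list of reasons}; an empty list means no finding."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)   # enough for the two signatures above
            findings[info.filename] = name_findings(info.filename, sniff_type(head))
    return findings


def build_sample_zip() -> bytes:
    """CONSTRUCTED test archive: a PE stub named like a PDF with hidden .exe,
    a PDF-looking file, and a PE stub carrying a plain .pdf name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("statement.pdf", b"%PDF-1.4\n%stub\n")
        zf.writestr("notes.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(name, "->", reasons or "ok")
```

The double-extension rule is the one that catches the case in the report: `invoice.pdf.exe` is a real executable with a truthful final extension, so a plain type-versus-extension comparison passes it, and only the name pattern reveals that the user will see `invoice.pdf`. On the endpoint side, the complementary mitigation is simply to show file extensions for known types.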
Web Security
Compromised sites
Cybercriminals often hack websites to hide phishing pages or malware. This provides them with two main advantages:
1) The legitimate domain probably has a good reputation from the point of view of most URL filtering engines and is therefore not likely to be blocked.
2) The compromised site provides free hosting for the malware or phishing page.
The following table shows the categories of sites that have been compromised.

Phishing Trends
Phishing attacks continued to target local and global banks, Web email users, Facebook accounts, and even online gaming sites.
In order to provide protection from keyloggers, some financial institutions have added more complex login pages including virtual keyboards. Phishers have kept up with this trend. The phishing page for ADCB (Abu Dhabi Commercial Bank) successfully simulated the virtual keyboard found on the real site.
During the second quarter of 2011, sites related to games were the greatest target of phishing attacks. The following table shows the categories of sites that have been the target of phishing attacks.

Zombie trends
The second quarter saw an average turnover of 377,000 zombies each day that were newly activated for malicious activity, like sending malware and spam. This number shows a substantial increase compared to the 258,000 of the first quarter of 2011.
The following chart shows the newly activated zombies from April to June 2011.
India again claimed the top zombie producer title, hosting 17% of the global zombie population. Brazil, Vietnam, and the Russian Federation occupy the next places.

Internet Threats Trend Report, July 2011, Commtouch
