
Symantec Intelligence Report: July 2011

Jul 26, 2011

With one in 280.9 emails identified as malicious in July, further analysis reveals a significant increase in activity related to what may be described as an aggressive and rapidly changing form of generic polymorphic malware. (Polymorphic malware may have many variations of the same code using different encoding techniques, but the functionality of the program remains the same in each version.) This rise accounted for 23.7 percent of all email-borne malware intercepted in July, more than double the same figure six months ago. That indicates a much more aggressive strategy on the part of the cyber criminals responsible; perhaps greater use of automation has enabled them to increase their output to this extent.

In the same time frame, the number of variants, or different strains of malware, involved in each attack has also grown dramatically, by a factor of 25 compared with six months previously. Such an alarming proliferation in so short a time almost certainly heightens the risk profiles of many organizations, as these new strains are much harder to detect using traditional security defenses. This new breed of malware is likely to be causing a great deal of pain for a great number of traditional anti-virus companies that rely on signatures, heuristics and software emulation in order to detect malicious activity.

The malware is frequently contained inside an executable within the attached ZIP archive file and often disguised as a PDF file or an office document. This new aggressive approach to distributing generic polymorphic malware on such a scale should be concerning for many businesses, particularly for those who rely solely on more traditional security countermeasures, which this type of malware is designed to evade. One example of this technique involves changing the startup code in almost every version of the malware, subtly changing the structure of the code and making it harder for the emulators built into many anti-virus products to identify the code as malicious. Technology cannot rely on signatures and heuristics alone, and must also take into account the integrity of an executable based on knowledge of its reputation and circulation in the real world.
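The delivery pattern described above (an executable inside a ZIP attachment, presented as a PDF or office document) can be checked at the mail gateway by looking at member content rather than member names. The following is an added example, not code from Symantec or the report; the extension lists and the assumption that the disguise shows up in the file name are illustrative, and the sample archive is constructed from inert stubs.

```python
import io
import zipfile

# Extensions a recipient would read as "document" (assumed list for this example).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "rtf"}
# Extensions Windows will execute directly (assumed list for this example).
EXEC_EXTS = {"exe", "scr", "com", "pif"}


def flag_disguised_executables(zip_bytes):
    """Return (member name, reason) for members that pose as documents but are executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Judge by content: read the first two bytes and look for the DOS/PE "MZ" magic.
            with archive.open(info) as member:
                is_pe = member.read(2) == b"MZ"
            exts = info.filename.rsplit("/", 1)[-1].lower().split(".")[1:]
            final = exts[-1] if exts else ""
            if is_pe and final in DOC_EXTS:
                findings.append((info.filename, "PE content under a document extension"))
            elif (is_pe or final in EXEC_EXTS) and any(e in DOC_EXTS for e in exts[:-1]):
                findings.append((info.filename, "document extension followed by executable extension"))
            elif is_pe and final not in EXEC_EXTS:
                findings.append((info.filename, "PE content under a non-executable extension"))
    return findings


def build_sample_attachment():
    """Constructed sample archive; the members are inert stubs, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_July.pdf.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("report.doc", b"MZ" + b"\x00" * 62)
        archive.writestr("notes.txt", b"plain text\n")
        archive.writestr("statement.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in flag_disguised_executables(build_sample_attachment()):
        print(f"{name}: {reason}")
```

Because the check keys on file type and naming rather than on the code itself, it is unaffected by the per-variant changes to the startup code; it complements, and does not replace, the reputation-based assessment the report calls for.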

In other news, phishing attacks have also been seeking various means to exploit vulnerable cell phone users. Two key areas in which we can see this trend are, firstly, the increase in phishing against wireless application protocol (WAP) pages, which are lightweight Web pages designed for smaller mobile devices such as cell phones; and secondly, the use of compromised domain names that have been registered for mobile devices, for example, using the .mobi top-level domain. Symantec has identified phishing sites spoofing such Web pages and has been monitoring the trend. In July, social networking and information services brands were frequently observed in these phishing sites. The primary motive of these attacks continues to be identity theft. Targeting cell phone users is just part of a new strategy for achieving the same result.

Symantec Intelligence Report July 2011 highlights:

  • Spam – 77.8 percent in July (an increase of 4.9 percentage points since June 2011);
  • Phishing – One in 319.3 emails identified as phishing (an increase of 0.01 percentage points since June 2011);
  • Malware – One in 280.9 emails in July contained malware (an increase of 0.02 percentage points since June 2011);
  • Malicious Web sites – 6,797 Web sites blocked per day (an increase of 25.5 percent since June 2011);
  • 35.9 percent of all malicious domains blocked were new in July (an increase of 0.8 percentage points since June 2011);
  • 21.1 percent of all Web-based malware blocked was new in July (an increase of 0.8 percentage points since June 2011);
  • Aggressively unstable malware leads to a rise in sophisticated socially engineered attacks;
  • Phishers’ World in Your Cell Phone;
  • Large scale malware attack using URL shortening services;
  • Best Practices for Enterprises and Users.

Full version of Symantec Intelligence Report July 2011:
SYMCINT_2011_07_July_FINAL-EN.pdf [1.1 MB]
