Tag Archives: Cutwail

News From Symantec Hosted Services

We know, only too well, that cyber criminals take advantage of every opportunity that new and emerging technologies provide to expand their trade – data theft.

So, with the huge adoption rate in smart mobile devices, and our increased reliance on these devices (which are literally powerful computers), there is a more pronounced sense of urgency to protect the data stored on these sophisticated mobile devices from the threat of cybercrime.

Symantec Hosted Services, recognizing this need, recently announced enhancements to its MessageLabs Web Security Service roaming support options that will allow organizations to further support the security needs of their mobile workforce.

According to Symantec – “The new enhancements will monitor and secure the online activity of a highly distributed workforce. Drawing on findings from the recent MessageLabs Intelligence report highlighting the inappropriate web usage of mobile workers, SmartConnect and RemoteConnect for MessageLabs Hosted Web Security protect against malware, and enforce Web acceptable use policies for teleworkers, or employees, at remote offices.”

____________________________________________________

If you’ve noticed a significant drop in Spam in your inboxes lately, like I have, there’s good reason – according to Symantec Hosted Services.

On Sunday, October 3, Symantec Hosted Services noticed that global spam levels dropped to their lowest in a while. Symantec Hosted Services believes this drop was due to a decrease in output by the Rustock and Cutwail botnets.

For additional insight on how Symantec Hosted Services tracked last weekend’s spam drop via sophisticated botnet intelligence, what contribution to global spam each of the major botnets makes, and what factors influence botnet output, check out the MessageLabs  Intelligence blog report here.

About Message Labs Intelligence:

Symantec’s Message Labs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About Symantec:

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world.  Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available here.


Are You in the Bullseye for Targeted Malware Attacks?

Cybercriminals, driven by opportunity, tend to use the shotgun approach to achieve the highest “market” penetration possible, and to maximize every conceivable opportunity to spread malware.

The bad guys are strategic in their thinking; they plan ahead – and realize that the timing and implementation of tactics, based on their strategy, is critical to achieving maximum “market” penetration.

Now it seems, certain cybercriminals have developed a new strategy, and tactics, focusing on specific targets, sniping if you like, rather than using the well tested shotgun model.

You’re probably familiar with the successful China-based hacker attack against Google, which used a combination of a PDF attachment, coupled with a zero day security hole in Adobe Reader. As it turned out, Google was not the only company to be victimized in this attack. Reportedly, at least 20 other companies were also specifically targeted.

Symantec Hosted Services’ latest report, which focuses on this issue, is scary stuff. You’ll find that reading this report will assist you in understanding the state of the current Internet threat environment, and will be helpful in expanding the sense of threat awareness that an active Internet user requires.

Courtesy of Symantec Hosted Services and MessageLabs Intelligence.

Even in a world where internet threats present an ever-evolving and increasingly sophisticated danger to businesses, targeted attacks are the most potent of all—dealing the most devastating short and long-term damage to the victims.

Counter to intuitive thinking, a high degree of sophistication makes these low volume, highly personalized emails have a higher probability of being successful than the mass email blasts.

Symantec Hosted Services has detected highly targeted attacks on seven specific companies in the education and public sectors. The attack is unique in that it used the Bredolab malware as the payload and the source of the emails are individual webmail accounts powered by one of the largest botnets currently in operation, presumably Cutwail.

This signifies a new level of sophistication on behalf of cyber criminals, where they are combining the strength of a botnet with the razor sharp focus of social engineering and the sense of legitimacy offered by popular webmail providers.

You can learn more about this particular attack on the MessageLabs Intelligence Blog.

Organizations falling foul of a targeted attack can be faced with crushing bills running into hundreds of thousands of dollars. Lost business, bad publicity, plunging share price – these are just some of the potential consequences of a successful attack.

Here’s a look at some of the popular techniques currently being deployed by cyber criminals:

Targeted Trojans – Aimed and delivered with sniper-like precision, the targeted Trojan’s objective is to slip through an organization’s defenses and cleverly dupe the recipient into downloading a malicious Trojan program onto their computer.

The Trojan may, silently and secretly, lie hidden for weeks, months or years, slowly but surely undermining the targeted organization and imperceptibly eroding their performance and ability to compete.

Phishing Attacks – Schemes that trick people into sending money or providing personal information, phishing emails (and variations called “pharming” or “whaling”) are used for identity theft. A cyber-criminal who sends emails that contain authentic information about the user or their company greatly increases the odds of getting a “bite.”

Social Networking – One popular approach is to create a fake profile on a social media website and use it to post malicious links that “phish” for corporate users. In this form of phishing, spammers post blog comments on other members’ pages; obtain the unsuspecting members’ account information; then send messages from the phished accounts to other contacts.

Organizations must balance the business value of social media websites with the risks of many non-secure social media environments.

About Symantec: Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. More information is available here.


Festi Botnet Joins the Big 5

Symantec’s MessageLabs Intelligence has just reported that the Cutwail, Bagle, Grum, and Rustock botnets have been joined by a new botnet – Festi, which now accounts for 3-6% of the daily global spam.

As a percentage this doesn’t sound like an impressive number, but translated into actual spam volume (1.5 to 3 billion spam e-mails per day globally), that’s impressive. Like all successful botnets, Festi continues to grow by adding additional infected (botnetted) machines to its network.

According to MessageLabs,  Festi is responsible for at least some of the annoying “male enhancement” spam we are all so familiar with.

For information on botnets and how to determine if your machine has been compromised, the following articles should be helpful:

Tech Thoughts: 2 Free Port Checkers – CurrPorts and Process and Port Analyzer

Tech Thoughts: Catch the Bad Bots with Free RUBotted from Trend Micro

PCWorld – Monitor Botnet Threats Your Antivirus Can’t See


Spammers Are Planning for the Holidays

Symantec’s October 2009 MessageLabs Intelligence Report shows how far ahead spammers plan in order to entrap the unwary web surfer. Just as you are preparing for the holidays, so are the cybercriminals. As the old saying goes, “forewarned is forearmed”, so be prepared.

Courtesy of MessageLabs:

October begins the holiday season and for the next three months, online shopping and research will become a premium for consumers. Symantec today announced its October 2009 MessageLabs Intelligence Report which reveals that the spam gangs behind the biggest botnets – Cutwail, Rustock and Donbot – are using the same upcoming major holidays and world events as the themes for their latest spam runs.

Highlights from the latest report.

Halloween – Trick or treat?  Only 0.5% of spam right now is tied to Halloween – however MessageLabs Intelligence expects approximately 500 MILLION Halloween themed spam emails to be in circulation worldwide, each day, as the holiday approaches this week. The majority of this type of spam links to pharmaceutical or medical spam sites and comes from the Rustock and Donbot botnets.

Thanksgiving and Christmas – Spam from the Cutwail botnet uses both Thanksgiving and Christmas as a theme to sell replica watches. To date, holiday spam accounts for approximately 2% of all spam. More than 2 BILLION Thanksgiving or Christmas-themed spam emails are projected to be in circulation globally each day.

And spammers are even preparing for some of the next big holidays and major events in 2010 already.

Valentine’s Day – MessageLabs Intelligence has already started to see the first runs of St. Valentine’s Day spam, more than 4 months before the occasion. These are being sent from the Cutwail and Rustock botnets, and relate to pharmaceutical and medical spam.

2010 World Cup – Next summer’s soccer games in South Africa have already precipitated a small number of spam messages relating to the event. These are advance-fee fraud or 419-style scams, and they include images of Nelson Mandela and the official FIFA logo.

How successful are these scams? Consumers fall victim to messages like this all the time, fueling an underground economy worth an estimated $105 billion in profit from fraudulent activities.

“As is typical with spammers this time of year, we are seeing them try to capitalize on the holiday season,” said MessageLabs Intelligence Senior Analyst, Paul Wood. “Although they may be a bit overzealous, spamming is a numbers game and the spammers have certainly succeeded with volume thus far. Perhaps their early-bird approach is an attempt to compete with the other botnets and get in early to maximize their chances of success.”

You can read a full copy of the report here.


3.6 Billion Bredolab Trojan Emails Daily Says MessageLabs

Symantec’s latest MessageLabs Intelligence Report – unveiled today – is scary stuff. Botnets continue to be a major cause for concern, particularly Cutwail, which has been in operation for months.

Courtesy of MessageLabs:

MessageLabs Intelligence reports seeing a dramatic rise in volume of the Bredolab Trojan being sent by the Cutwail (Pandex) botnet. Bredolab is a Trojan that arrives in the form of a zip file attachment to an email with a subject referring to postal tracking numbers (as in the sample email below) and is designed to give the sender complete control of the target computer.

[Image: sample email]

The email prompts the recipient to open and run the attachment which automatically installs the Trojan. Once installed, it attempts to disable the host based security and then facilitates downloading other malicious content.

“By nature, once this Trojan is on a system, it is unlikely to be detected and will allow the controller to do whatever they wish with the infected machine, such as installing other malware and spyware,” said MessageLabs Intelligence Senior Analyst, Paul Wood, Symantec Hosted Services.

Currently, the most common form of malicious file type attachments are zip files, owing to the large scale of this latest threat. Zip files are a common file format and have often been used for sending malware in the past, but are often used legitimately too.

There is no indication that a zip file attachment represents an increased likelihood of a file being malicious; however, most businesses are unlikely to use zip files as part of their typical email correspondence.

MessageLabs Intelligence has seen the percentage of spam relating to the Bredolab Trojan steadily increasing in recent months, reaching its highest level in October (to date); it currently accounts for 3.5 percent of all spam and 5.6% of all malware intercepted each day.

So far in October, approximately 3.6 Billion Bredolab malware emails are likely to be in circulation each day, worldwide.

Earlier this year, MessageLabs reported on the battle of the bots, in which Donbot, Cutwail and Mega-D were all vying for the top spot.


MessageLabs Reports Spammers Shortened URLs Cause Business Shut Down

The unlimited power that cyber-crooks exercise over legitimate traffic on the Internet is becoming more evident. Imagine legitimate businesses being forced to cease operations because of cyber-criminals. Unfortunately, given the current “wild west” state of the Internet, this is now a sad reality.

Courtesy MessageLabs Intelligence

According to Symantec’s new MessageLabs Intelligence report, unveiled today, shortened-URL spam continues to be a popular technique for spammers seeking to sell drugs online.

Spammers are taking advantage of the heightened interest in health-related issues such as swine flu and Obama’s healthcare reform, to distribute large shortened-URL spam runs using the powerful Donbot botnet.

In August, the ongoing abuse of shortened-URLs as a delivery mechanism resulted in a number of legitimate URL-shortening services being forced to close their businesses due to their inability to handle the malicious use of their tools.

Shortened-URL spam has had a big impact on users and businesses this month, but it’s not the only technique we’re seeing from the bad guys. Other online threats that should also be on your radar:

Cutwail’s nine lives: On August 1st, Latvian ISP Real Host was shut down, causing Cutwail’s activity levels to drop by 90 percent. However, it only took Cutwail a matter of days to recover, demonstrating just how powerful and intelligent this botnet has become.

DDoS attacks on social networks: A number of social networking websites were recently reported to be victims of DDoS attacks. MessageLabs found that the attacks may be linked with a spam run against an anti-Russian blogger.

MessageLabs Intelligence suggests that this small but strategic spam run contributed to the DDoS attacks on these social networking sites. A botnet was also used to conduct the DDoS attack in parallel, with compromised computers under the botnet’s control commanded to open the page of the targeted social networking website.

Old malware comes back to haunt us: MessageLabs Intelligence analysis highlights how cybercriminals are three times as likely to favor repurposing malware across numerous domains rather than developing new tactics. In August, analysis of malware being blocked each day highlights that only 11.9 percent was newly developed malware.

You can find the full MessageLabs Intelligence report here.


MessageLabs Reports on the Battle of the Botnets

Competition in the cyber-criminal game? You bet – read what MessageLabs Intelligence has to say about competition in the botnet spam business.

Courtesy MessageLabs Intelligence:

The battle of the botnets is on with Donbot, Cutwail and Mega-D all vying for the top spot and sending up to 21 billion spam messages each day, according to MessageLabs Intelligence.

With all three botnets each responsible for distributing 15-20% of all spam globally, the battle was neck and neck.

However, Cutwail was taken out completely for a brief time last weekend (1 August and 2 August) when Latvian ISP Real Host was taken offline while Donbot ramped up its efforts. Cutwail then restored itself to its previous levels overnight and was back in the race by Monday (3 August).

Continuing to focus on spam runs with shortened URLs, first reported by MessageLabs Intelligence in early July, Donbot was responsible for three additional recent spam runs. One of these runs accounted for as much as 9.25 percent of all spam in a single day (28 July).

According to Symantec, spam volumes for that day were 108 billion, so Donbot’s shortened URL spam for that day could have been up to 10 billion spam mails. The email spam subjects indicate that Donbot is focused on pharmacy spam for discount meds.

“Shortened URLs are being seen continuously in spam,” said MessageLabs Intelligence Senior Analyst, Paul Wood. “And at the same time, shortened URL sites are being forced out of business as they get abused to death by spammers. Even sites that are known for using short URLs are taking measures to phase them out or prevent users from posting malicious links generated from these sites.”
