Video Screencast Help
Symantec Analyst Relations

Symantec Intelligence Report: February 2013

Created: 18 Mar 2013 • Updated: 25 Jun 2013
Symantec Analyst Relations's picture
+1 1 Vote
Login to vote

The February edition of the Symantec Intelligence report provides the latest analysis of cyber security threats, trends, and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this report includes data from January through February 2013.

Report highlights

  • Spam – 65.9 percent (an increase of 1.8 percentage points since January)
  • Phishing – One in 466.3 emails identified as phishing (an increase of 0.018 percentage points since January)
  • Malware – One in 408.2 emails contained malware (a decrease of 0.11 percentage points since January)
  • Malicious websites – 1,530 websites blocked per day (a decrease of 32.2 percent since January)

Introduction

In the past month we‘ve discovered of the earliest known variant of the Stuxnet worm, as well as combat the Bamital botnet, which was successfully shut down through a joint Symantec/Microsoft collaboration.

Up until last month the earliest known variant of Stuxnet was 1.001, created in 2009. Last month, we discovered the earliest known version of the Stuxnet worm, Stuxnet 0.5, which stems from 2007. Stuxnet 0.5 allows us further insight into the history and evolution of Stuxnet.

Stuxnet 0.5 differs in form from other known variants as it is based on a different programming platform. Stuxnet 0.5 is partly based the same platform as W32.Flamer, whereas 1.x versions were based on the Tilded platform. It is also different in that Stuxnet 0.5’s only method of replication is through infection of Siemens Step 7 project files. When a removable drive is inserted in an infected drive, Stuxnet 0.5 will infect any Step 7 project archives with .s7p or .zip file name extensions on the drive.

Stuxnet 0.5 takes control of valves attached to centrifuges, opening and closing the valves at intervals, compromising the integrity of the system as a whole. Version 0.5 works by fingerprinting target computers to determine if it is in the right location before activating the payload. Stuxnet 0.5 also collects instrument readings when the centrifuges are running as normal and, when it is making its attack, displays those readings to the controllers in order to mask its activities. Stuxnet 0.5 differs in that it was designed to attack the centrifuges’ valve system as opposed to 1.x variants which sought to disrupt the operation of frequency converters used to control the speed of the centrifuges.

In other news, Symantec, in partnership with Microsoft, shut down a botnet controlling hundreds of thousands of computers. Bamital, a botnet which in the last two years has compromised more than eight million computers, operated by hijacking search engine results and redirecting to servers controlled by attackers. Analysis of a single Bamital command and control (C&C) sever over a six week period in 2011 revealed over 1.8 million unique IP addresses communicating with the server. The botnet servers have now been shut down, and users of infected computers will be informed of their infection when attempting to search the Internet.

Bamital is an example of click fraud, a highly lucrative endeavor where by attackers aim to distort the numbers of clicks on an advertisement or visits to a specific website. Redirecting internet users to corrupt third party vendors or selling internet traffic through fictitious users, attackers seek to make financial gain from advertising expenditure.

Please download the Symantec Intelligence Report here and feel free to leave any comments or feedback below.