Symantec Intelligence
Daren Lewis | 08 Nov 2010 | 0 comments

Post developed in collaboration with Martin Lee, Senior Software Engineer

Our spam boxes are typically full of the usual suspects: pharmaceutical spam, watch spam, relationship spam, and offers from the family members of ousted African potentates. The obvious solution is to create a block list of keywords used in these spam messages. Unfortunately it isn't that easy.

Consider pharmaceuticals. While the vast majority of emails containing pharmaceutical names are spam, there are legitimate emails that use these keywords, and in some industries, such as health care, they are in use daily. Keyword-based spam filtering therefore produces high numbers of false positives, putting legitimate emails into spam folders. Extending the health care example, these false positives can have any number of negative outcomes, from a missed meeting with a pharmaceutical representative to direct impacts on patient care.
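The false-positive problem above in working code, as an added example that is not part of the original post and does not represent any Symantec product: a bare keyword block list is run over five constructed messages (two spam, three legitimate health-care mails that mention the same drug names), then compared with a small scoring filter that treats the keyword as one signal among several. The messages, sender domains, trusted-domain list and score weights are all invented for the illustration.

```javascript
// Added illustration (not Symantec's filter): a bare keyword block list
// versus a small evidence-scoring filter, run over constructed messages.
// Every message, sender domain and score weight below is made up for the example.

const PHARMA_TERMS = ["viagra", "cialis", "xanax", "pharmacy"];
// Words that indicate a clinical or business context for the same terms.
const CLINICAL_TERMS = ["patient", "dosing", "formulary", "prescribed", "clinic"];
// Hypothetical sender domains a health-care organisation already trusts.
const PARTNER_DOMAINS = new Set(["hospital.example", "pharma-rep.example"]);
const SPAM_THRESHOLD = 4; // arbitrary cut-off for this toy scorer

// Constructed corpus: `spam` is the ground-truth label used for evaluation.
const MESSAGES = [
  { from: "deals@cheap-meds.example", subject: "Buy VIAGRA now!!!",
    body: "Cheapest V1AGRA and C1ALIS online, no prescription needed. Click http://cheap-meds.example/buy",
    spam: true },
  { from: "dr.ahmed@hospital.example", subject: "Formulary review: sildenafil (Viagra) dosing",
    body: "Please review the attached dosing guidance for Viagra in patients with pulmonary hypertension before Thursday's meeting.",
    spam: false },
  { from: "sales@pharma-rep.example", subject: "Meeting Thursday re: Cialis samples",
    body: "Confirming our 10am meeting to discuss Cialis sample stock for the clinic.",
    spam: false },
  { from: "it@hospital.example", subject: "Password reset reminder",
    body: "Remember to change your password before Friday.",
    spam: false },
  { from: "promo@rx-store.example", subject: "Online pharmacy - xanax 80% off",
    body: "Order xanax today, no prescription required: http://rx-store.example http://rx-store.example/cart",
    spam: true },
];

function textOf(msg) {
  return `${msg.subject} ${msg.body}`.toLowerCase();
}

// Naive approach: any pharmaceutical keyword means spam.
function keywordFilter(msg) {
  const text = textOf(msg);
  return PHARMA_TERMS.some((t) => text.includes(t));
}

// Scoring approach: the keyword is one signal among several.
function scoreMessage(msg) {
  const text = textOf(msg);
  const domain = msg.from.split("@")[1];
  let score = 0;
  for (const t of PHARMA_TERMS) if (text.includes(t)) score += 2;
  if (/v[1!]agra|c[1!]alis/.test(text)) score += 3;   // digit-for-letter obfuscation
  if (text.includes("no prescription")) score += 2;    // classic pharma-spam phrase
  score += (text.match(/https?:\/\//g) || []).length;  // one point per link
  for (const t of CLINICAL_TERMS) if (text.includes(t)) score -= 1;
  if (PARTNER_DOMAINS.has(domain)) score -= 3;         // known correspondent
  return score;
}

function scoreFilter(msg) {
  return scoreMessage(msg) >= SPAM_THRESHOLD;
}

// Count true positives, false positives and false negatives for a filter.
function evaluate(filter) {
  const result = { tp: 0, fp: 0, fn: 0 };
  for (const msg of MESSAGES) {
    const flagged = filter(msg);
    if (flagged && msg.spam) result.tp += 1;
    else if (flagged && !msg.spam) result.fp += 1;
    else if (!flagged && msg.spam) result.fn += 1;
  }
  return result;
}

console.log("keyword filter:", evaluate(keywordFilter)); // 2 spam caught, 2 legitimate mails lost
console.log("scoring filter:", evaluate(scoreFilter));   // 2 spam caught, nothing lost
```

The keyword filter catches both spam messages but also flags the formulary review and the sales-rep meeting, exactly the two false positives a hospital mail administrator would hear about first. The scoring filter reaches the right decision on all five by weighing the keyword against obfuscation, the "no prescription" phrase, link count, clinical vocabulary and sender reputation, so a term that is routine in one context is not automatically fatal in another. Production filters use many more signals and learned weights, but the shape of the trade-off is the same.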

Daren Lewis | 29 Oct 2010 | 2 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst

Spammers can be quite creative
Spammers will try anything to get their spam past your filters and into your inbox. We've seen many tricks: random text hidden in the body, the use of images, and a message body containing nothing but a link to the main message somewhere on the web. This example is one of the more elaborate (but ultimately futile) attempts I've seen.
Recently we have been seeing a run of emails that pretend to inform the recipient that they have a number of "unread" or "important" messages waiting for them on a well-known social network. Over a three-day period, between the 24th and 26th of October, we saw roughly 18,500 of these. Since then the volume has dropped to fewer than 100 per day, but we are still seeing them.
The use of a well known social media brand name is the first part of the approach to...

MarissaVicario | 27 Oct 2010 | 0 comments

Posted on behalf of Jo Hurcombe and Manoj Venugopalan, Malware Analysts, Symantec Hosted Services

As many of us have already heard, the Bredolab botnet has been shut down by Dutch authorities.

“On October 25th 2010, the High Tech Crime Team of the Dutch National Crime Squad took down a very large botnet, containing at least 30 million infected computer systems worldwide since July 2009. These computers were infected with the malicious Bredolab trojan, through infected websites. Through these botnets, cybercriminals can spread large amounts of other viruses and create new botnets.

In close cooperation with a Dutch hosting provider, The Dutch Forensic Institute (NFI), the internet security company Fox-IT and GOVCERT, the computer emergency response team of the Dutch government, shut down 143 computer servers today”

But MessageLabs Intelligence is still seeing different Bredolab runs (distributing different...

Paul Wood | 20 Oct 2010 | 0 comments

By Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services 

In the September MLI report we discussed why it is important for IT managers and HR managers to understand that there will always be a subset of employees who are likely to flout the rules when browsing the internet. This behaviour not only goes against company policy; it also wastes time, can be a serious drain on resources and bandwidth, and, crucially, increases the risk of infection by malware. Organisations can protect against this behaviour by using the MessageLabs Web Security Service (WSS).

Browsing safely and within company policy
When users are grouped according to their browsing habits, we might expect some kind of "bell curve" or normal distribution: at one end of the curve will be the obedient employees, who present minimal risk to the organisation, and in the middle will be the majority, who present a typical risk, some low-risk, some higher...
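One concrete way to do the grouping described above, as an added example that is not part of the original post and not the WSS implementation: derive a per-user risk score from web-proxy log lines and bucket each user by how far their score sits from the mean. The log lines, the category names, the point weights and the one-standard-deviation cut-offs are all constructed for the illustration.

```javascript
// Added illustration (not MessageLabs WSS): score users from proxy logs and
// place them on the low / typical / high ends of the distribution.
// Log lines, categories and point weights are constructed for the example.

// Constructed proxy log: timestamp user category action url
const LOG = `
2010-09-20T09:01:02Z alice news ALLOW http://news.example/top
2010-09-20T09:02:10Z alice business ALLOW http://crm.example/
2010-09-20T09:05:44Z bob gambling BLOCK http://bets.example/
2010-09-20T09:06:01Z bob news ALLOW http://news.example/sport
2010-09-20T09:10:30Z carol adult BLOCK http://adult.example/
2010-09-20T09:11:12Z carol gambling ALLOW http://poker.example/lobby
2010-09-20T09:12:00Z dave filesharing BLOCK http://torrents.example/
2010-09-20T09:13:45Z dave adult ALLOW http://adult2.example/
2010-09-20T09:15:20Z erin gambling BLOCK http://bets.example/
2010-09-20T09:16:05Z erin gambling ALLOW http://poker.example/lobby
2010-09-20T09:16:50Z erin filesharing ALLOW http://files.example/
2010-09-20T09:20:00Z frank malware BLOCK http://dropper.example/x.exe
2010-09-20T09:21:30Z frank malware BLOCK http://dropper2.example/y.exe
2010-09-20T09:22:10Z frank gambling ALLOW http://poker.example/lobby
2010-09-20T09:23:00Z frank adult ALLOW http://adult.example/
`;

// Hypothetical category groups: malicious destinations and policy violations.
const MALICIOUS = new Set(["malware", "phishing"]);
const POLICY_VIOLATION = new Set(["gambling", "adult", "filesharing"]);

// Hypothetical weights: a block means the user tried to go somewhere prohibited,
// a malicious destination is the costly case, a policy category is a minor mark.
function riskPoints(category, action) {
  let points = 0;
  if (action === "BLOCK") points += 2;
  if (MALICIOUS.has(category)) points += 5;
  if (POLICY_VIOLATION.has(category)) points += 1;
  return points;
}

// Sum risk points per user across every log line.
function userScores(log) {
  const scores = {};
  for (const line of log.trim().split("\n")) {
    const [, user, category, action] = line.trim().split(/\s+/);
    scores[user] = (scores[user] || 0) + riskPoints(category, action);
  }
  return scores;
}

// Bucket users by distance from the mean: more than one standard deviation
// below is "low", more than one above is "high", the rest are "typical".
function riskBuckets(log) {
  const scores = userScores(log);
  const values = Object.values(scores);
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const variance = values.reduce((a, v) => a + (v - mean) ** 2, 0) / values.length;
  const sd = Math.sqrt(variance);
  const buckets = {};
  for (const [user, s] of Object.entries(scores)) {
    buckets[user] = s < mean - sd ? "low" : s > mean + sd ? "high" : "typical";
  }
  return buckets;
}

console.log(userScores(LOG));  // alice 0, bob 3, carol 4, dave 4, erin 5, frank 16
console.log(riskBuckets(LOG)); // alice low, frank high, everyone else typical
```

With six users the "curve" is only a sketch, but the mechanics are what matter: the majority land in the typical band, the one user with no blocked or policy-violating requests falls at the low end, and the user repeatedly hitting malware sites stands out at the high end. On a real proxy feed the same two functions run over millions of lines, and the high bucket is the list worth reviewing first.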

Daren Lewis | 06 Oct 2010 | 0 comments

On behalf of Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services

Recently it has been widely reported that global spam volumes have decreased, especially on Sunday 3rd October 2010, when spam levels dropped to their lowest for some time. This week spam volumes seem to be creeping back to normal levels. At Symantec Hosted Services we have a wealth of data on spam traffic and, crucially, on the contribution each of the major botnets makes to global spam. This post takes a close look at botnet spam and the factors that influence botnet output, and tries to explain some of the changes that occurred around the 3rd October.

The big picture

Nobody can be certain what the true volume of spam in circulation is, but some organisations, like Symantec, have particularly high exposure to global email traffic. Symantec analyse the email traffic seen in their global infrastructure and apply reasonable...

MarissaVicario | 27 Sep 2010 | 0 comments

Posted on behalf of  Nick Johnston, Senior Software Engineer, Symantec Hosted Services

HMRC, the UK's tax collecting agency, recently announced that six million people in the country have paid the wrong amount of tax and stated that it would start sending letters to the affected people. Depending on their circumstances, people would be invited to claim overpaid tax back, or send a demand for payment of unpaid tax.

When we heard this announcement we expected it would not be long before we saw phishing mail trying to take advantage of the confusion it caused, particularly as the majority of affected people are owed money. Recently we saw an interesting phishing scam which, although it doesn't refer directly to HMRC's announcement, is perhaps more likely to trick people into revealing confidential information now that many of them are hoping for an unexpected refund.

The phish message claims that the recipient is...

MarissaVicario | 21 Sep 2010 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst

Today there has been a lot of traffic on Twitter related to a very recently discovered JavaScript exploit. It took advantage of the way Twitter handled JavaScript in updates. Most of the exploits seen used the "onmouseover" trigger, which meant that all a user had to do was move the mouse over a tweet for the code to run. Most would just repost the same thing to the user's own wall; some would repost and then redirect the user to another site, and there were examples of users being redirected to porn sites. The fact that it only needed a cursor to move over it is why it spread so rapidly all over the world, before people knew what was happening.
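The mechanism behind an "onmouseover" tweet, as an added example that is not Twitter's code and makes no claim about their actual implementation: an auto-linker that splices user-supplied text straight into an HTML string lets a crafted "URL" close the href attribute early and append an event handler, so the page's own rendering turns the tweet into script. The hardened version parses the URL, links only well-formed http(s) targets, and escapes the normalised href for both the attribute and the text context. The payload and tweets are constructed for the illustration.

```javascript
// Added illustration (not Twitter's code): attribute injection through an
// auto-linker that builds HTML by concatenation, and a hardened version.
// The payload and tweets below are constructed for the example.

const URL_PATTERN = /https?:\/\/\S+/g;

// Vulnerable: the matched text is inserted verbatim into an attribute and a text node.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_PATTERN, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: only http(s) URLs that actually parse are linked, using the
// normalised href (a quote in the path becomes %22), then HTML-escaped.
function linkifySafe(tweet) {
  return tweet.replace(URL_PATTERN, (url) => {
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      return escapeHtml(url); // not a URL at all: show it as plain text
    }
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
      return escapeHtml(url); // refuse javascript:, data: and friends
    }
    const safe = escapeHtml(parsed.href);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Constructed tweet: the quote closes href early and adds an event handler,
// with no whitespace so the whole thing is matched as one "URL".
const PAYLOAD = 'look http://a.example/@"onmouseover="alert(1)"/ cool';
const NORMAL = "check this out http://example.com/page";

console.log(linkifyUnsafe(PAYLOAD)); // <a href="http://a.example/@"onmouseover="alert(1)"/">...
console.log(linkifySafe(PAYLOAD));   // <a href="http://a.example/@%22onmouseover=%22alert(1)%22/">...
console.log(linkifySafe(NORMAL));    // identical to linkifyUnsafe(NORMAL)
```

The unsafe output contains a second attribute the author never wrote, and a browser will happily run it when the cursor passes over the link. Note that the injection needs no `<script>` tag and no whitespace, so a server-side filter that only strips tags or looks for the string "onmouseover" with a space in front of it would miss it. Escaping the text for the context it lands in is the fix; building the anchor with DOM methods (`setAttribute`, `textContent`) instead of string concatenation achieves the same thing in client-side code.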

More info and screenshots can be found in this F-Secure blog:

Users of the...

MarissaVicario | 17 Sep 2010 | 2 comments

Posted on behalf of Bhaskar Krishnappa, Malware Analyst, Symantec Hosted Services

This month the security world has witnessed two major threats that occurred around the same time. The first was the mass-mailer worm "Here You Have" (W32.Imsolk.B@mm), which was well documented in the media; the other was a lesser-known attack exploiting a zero-day vulnerability in Adobe Reader that is triggered by a malicious PDF file (CVE-2010-2883). In both events, Symantec Hosted Services protected all of its MessageLabs customers proactively, giving them the upper hand over their would-be attackers.

This post is intended to caution readers about such email threats. On September 9, as the world...

Paul Wood | 10 Sep 2010 | 2 comments

By Tony Millington, Malware Operations Engineer, Symantec Hosted Services

On September 9, 2010 at 15:20 GMT, MessageLabs Intelligence identified and began blocking a new virus attack using old mass-mailer techniques. Using Skeptic's patented heuristics, Symantec Hosted Services customers using MessageLabs Hosted Email AntiVirus were fully protected from this threat from the outset. Because the service is hosted in the cloud, the mass-mailer worm was detected by Skeptic's predictive heuristics and blocked before it reached clients' networks, so customers did not need to apply patches or update virus definitions. The heuristic rule that triggered Skeptic's detection of this virus was in fact added in 2008.

At its peak Symantec Hosted Services was blocking over 2,000 malicious emails per minute. The last copy was blocked on September 10, 2010 at 08:33 GMT, during which time 106,390 copies were...

MarissaVicario | 03 Sep 2010 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

The Cutwail botnet has been one of the most prolific spamming botnets of the last two to three years. Even before the McColo ISP takedown in November 2008, Cutwail represented between 10 and 15 percent of all global spam. Cutwail was almost certainly disrupted by the takedown of McColo, but came back bigger and stronger in response. At its peak at the start of June 2009, Cutwail was responsible for more than 45 percent of all spam, with between 1.4 and 2.1 million bots under its control.

In June 2009 and August 2009, Cutwail took some more notable hits, as rogue ISPs were identified and shut down. We reported what happened to Cutwail as a result of the 3FN takedown in the June 2009 MLI report...