Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Symantec Intelligence
Showing posts tagged with Emerging Threats
Showing posts in English
MarissaVicario | 16 Dec 2009 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

“Pump-and-dump” stock spamming is a technique that has been around for a long time now, where spammers attempt to artificially raise the price of a particular company’s shares. It was extremely popular throughout 2007 and the early part of 2008, but after that it dropped off to almost nothing. However, on the 14th December it returned in large volumes, being sent out by the Donbot botnet. Throughout 2009 there has been very little ‘stock spam,’but when Donbot ramped up its activity on the December 14, it pump and dump scams shot up to over 4.5% of spam for that day, which is an estimated 5 billion messages globally (based on the Symantec average daily spam volume estimate for 2009), in just one day.

20091216_pumpanddump_01.gif

The purpose of these “pump-and-dump” emails...

MarissaVicario | 11 Dec 2009 | 0 comments

Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

I never like to dwell on the past. But as I reflect more on what an eventful year 2009 has been, there are some highlights worth noting. I don’t look at it as dwelling as much as I do learning from the past to further build and tone our Intelligence muscle.

Based on the MessageLabs Intelligence 2009 Annual Security Report, below are the security highlights of 2009.

2009 Highlights

Notable ISP Shutdowns : The shutdown of botnet hosting ISPs, such as McColo in late 2008 and Real Host in August 2009 appeared to make botnets re-evaluate and enhance their command and control backup strategy to enable recovery to take hours, rather than weeks or months.

Botnets Ruled the Threat Landscape: Botnets continued to rule the cyber security landscape...

MarissaVicario | 08 Dec 2009 | 0 comments

Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

A few weeks ago, when Symantec announced our 2010 Predictions, I stated in my accompanying blog post that what we’ve seen this year was ugly (highlight with link to post). As I’ve worked with my team to draft the MessageLabs Intelligence Annual Security Report, I now realize that was an understatement. What we’ve  seen this year is in fact horrendous. But nevertheless, it keeps us on our toes as we scan billions of messages and web connections each week.

While we’re always prepared for the worst, we can only anticipate what that may be. Looking back on it all in aggregation, is always a stern reminder that the bad guys are capable of more than we often give them credit for.

In 2009, we stopped more than 21 million different types of spam...

Paul Wood | 19 Nov 2009 | 0 comments

This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services.

As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally there is a tiny fraction of a percent, but on November 18 it jumped to 4 percent of all spam. This new surge is entirely from the DonBot botnet.

 blog_img2.jpg

The apparent aim of these e-mails is to get people to fall for “get rich by working at home” schemes where the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to attempt to get past basic filters. Firstly, the body of the e-mail is simply an image (of a fake newspaper article), to try and get past text-based signatures.

...

Paul Wood | 18 Nov 2009 | 1 comment

This week I had the pleasure of sitting on a panel with some of the best and the brightest among my Symantec colleagues to reflect on 2009’s threat landscape and what we anticipate for the year ahead.

We concurred that what we’ve seen this year was ugly. Botnets prevailed and took over as a primary means of spamming and spreading malware and social engineering attacks became more sophisticated. But what we also know is that this year pales in comparison to what 2010 is expected to bring: fast flux botnets will dominate, IM spam will rear its head, rogue security software vendors will up their game, fraud targeted at social networking apps will grow, new CAPTCHA bypass techniques will emerge... to name a few.

That’s the bad news. The good news is that with a bit of preparation and the right security solutions in place, we can continue to outsmart the bad guys. So without further ado, I present to you Symantec’s 2010 Security Predictions.

...
Paul Wood | 14 Oct 2009 | 0 comments

This post is made on behalf of my colleague Manoj Venugopalan, Malware Analyst for Symantec Hosted Services.

AutoIT, a free automation language for Windows platform-based development, is often used for scripting Windows-based applications and sometimes misused for creating malware. AutoIT scripts can be compiled into a compressed, standalone executable which will run without an interpreter. Auto2Exe is the application used to compile the AutoIT script into a standalone executiable.

Most of the malware based on AutoIT is in the form of worms and Trojans. Many such worms are well-known for logging into a user's IM client, changing their status message and then sending copies of the malware to all of the "buddies" in the victim's list.

MessageLabs Intelligence recently discovered an AutoIT Trojan using IRC (online chat) to connect an infected machine to a command and control channel without the user's knowledge. The malware is...

Paul Wood | 06 Oct 2009 | 0 comments

Further analysis of Rustock reveals some interesting insights regarding how it seems to have settled into a remarkably predictable pattern of spamming in the last few months - so regular that it may be possible to set your watch by it!  Every day at 8 a.m. GMT (3 a.m. ET) it begins to send out spam emails, continuing throughout the day, peaking at about midday GMT (7 a.m. ET), and then ceasing spamming at midnight GMT (7 p.m. ET).  It then rests for about eight hours, before the cycle begins again the following day.
 

 2009Sep_Ex_rustock.gif
Figure 1  - Rustock's New, Regular Spamming Pattern
 

2009Sep_Ex_cutwail.gif
Figure 2 - Typical Spam Output from Cutwail

This pattern of spamming for Rustock (Figure 1) began around July 6-12, 2009.  Prior to that, Rustock...