Symantec Intelligence
MarissaVicario | 11 Dec 2009 | 0 comments

Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

I never like to dwell on the past. But as I reflect more on what an eventful year 2009 has been, there are some highlights worth noting. I don’t look at it as dwelling as much as I do learning from the past to further build and tone our Intelligence muscle.

Based on the MessageLabs Intelligence 2009 Annual Security Report, below are the security highlights of 2009.

2009 Highlights

Notable ISP Shutdowns: The shutdown of botnet-hosting ISPs, such as McColo in late 2008 and Real Host in August 2009, appeared to make botnets re-evaluate and enhance their command-and-control backup strategy, enabling recovery to take hours rather than weeks or months.

Botnets Ruled the Threat Landscape: Botnets continued to rule the cyber security landscape...

Daren Lewis | 09 Dec 2009 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst

Financial organizations undergo frequent changes from the point of view of their customers, whether it’s a change to security processes, takeovers, re-branding, new products and so on. Phish emails often contain generic messages like ‘Account Suspended’ or ‘Update your account details’, but when a change such as this takes place, the perpetrators of the attacks are quick to react and try to convince unfortunate victims to part with their login details. Attackers know that if they refer to things in the message that customers are familiar with, perhaps from real communications with the imitated organisation, then the target is slightly more likely to fall into the trap, and part with their precious personal details. For example, last year, with the credit crisis in full swing, and banks closing, re-branding, being taken over, MessageLabs...

MarissaVicario | 08 Dec 2009 | 0 comments

Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

A few weeks ago, when Symantec announced our 2010 Predictions, I stated in my accompanying blog post that what we’ve seen this year was ugly. As I’ve worked with my team to draft the MessageLabs Intelligence Annual Security Report, I now realize that was an understatement. What we’ve seen this year is in fact horrendous. But nevertheless, it keeps us on our toes as we scan billions of messages and web connections each week.

While we’re always prepared for the worst, we can only anticipate what that may be. Looking back on it all in aggregate is always a stern reminder that the bad guys are capable of more than we often give them credit for.

In 2009, we stopped more than 21 million different types of spam...

Paul Wood | 19 Nov 2009 | 0 comments

This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services.

As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally there is a tiny fraction of a percent, but on November 18 it jumped to 4 percent of all spam. This new surge is entirely from the DonBot botnet.


The apparent aim of these e-mails is to get people to fall for “get rich by working at home” schemes where the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to attempt to get past basic filters. Firstly, the body of the e-mail is simply an image (of a fake newspaper article), to try and get past text-based signatures.


Paul Wood | 18 Nov 2009 | 1 comment

This week I had the pleasure of sitting on a panel with some of the best and the brightest among my Symantec colleagues to reflect on 2009’s threat landscape and what we anticipate for the year ahead.

We concurred that what we’ve seen this year was ugly. Botnets prevailed and took over as a primary means of spamming and spreading malware and social engineering attacks became more sophisticated. But what we also know is that this year pales in comparison to what 2010 is expected to bring: fast flux botnets will dominate, IM spam will rear its head, rogue security software vendors will up their game, fraud targeted at social networking apps will grow, new CAPTCHA bypass techniques will emerge... to name a few.

That’s the bad news. The good news is that with a bit of preparation and the right security solutions in place, we can continue to outsmart the bad guys. So without further ado, I present to you Symantec’s 2010 Security Predictions.

Daren Lewis | 11 Nov 2009 | 0 comments

This post is made on behalf of my colleague Mathew Nisbet, Malware Data Analyst

Researchers at the FireEye intelligence lab recently decided to attempt to take down the Mega-D botnet after doing detailed analysis of its inner workings. It seems their actions have been very successful indeed, as our monitoring shows a huge decline in this previously prolific botnet’s activity.

Mega-D was the botnet that took the biggest advantage of the takedown of the McColo ISP in November 2008, becoming the biggest of all the spam botnets. Since then, others (such as Rustock, Bagle, Grum, and Cutwail) have gained strength, but Mega-D has consistently been in the top 10 spam bots. Or at least it was, until the 4th of November, when it was hit, and hit hard.

This shows the number of unique IPs seen on our systems on a daily basis for the Mega-D botnet. Normally between 600 and 1600 IPs are seen each day, but you can see...

Daren Lewis | 05 Nov 2009 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst

MessageLabs Intelligence has been tracking a new botnet, ‘Festi’ since the beginning of August.

Festi has steadily increased its output of spam from virtually insignificant volumes up to 3-6% of daily spam. In terms of spam volumes, 3-6% is estimated at a massive 1.5-3 billion spams per day globally. This increase in output has been achieved both by gradually increasing the amount of spam sent from each Festi bot, and by recruiting new bots to the botnet.


At the moment it is spewing out two variants of spam.

The first variant is ‘male enhancement’ type mails containing .cn domains, leading to a Canadian Pharmacy website.



Daren Lewis | 02 Nov 2009 | 0 comments

This post is made on behalf of my colleague Nicholas Johnston

On 27 October, MessageLabs Intelligence began tracking a small number of spam emails that included links to the popular online file transfer service YouSendIt. In the latest examples, the files that were being distributed were word-processing documents that contained advanced-fee fraud lottery scams. MessageLabs Intelligence will continue to monitor this activity. YouSendIt and other similar file transfer services are used legitimately by many users to send large files via the Internet where it may not be appropriate or possible to send them as an email attachment, for example if the file is too large.

This is another example of the bad guys turning to online services in order to exploit the use of their reputable services and bypass traditional anti-spam countermeasures that consider the reputation of domain names contained in hyperlinks used in email messages in...

Daren Lewis | 27 Oct 2009 | 0 comments

This post is made on behalf of my colleague Mathew Nisbet, Malware Data Analyst

The Bredolab Trojan has been seen “in the wild” for a long time, but the people behind it constantly change the subjects and format of the e-mails to try and fool people. The most recent change has been to use a popular social networking brand name to try and trick people into opening and running an attachment by telling them their password has been reset, and that their new password is contained in the attachment. Running the attachment will install the Bredolab Trojan on their machine and give the people behind the attack full control to do almost anything they want.

The first few occurrences of the new style were seen between 7pm and 8pm on 26th October and there has been a steady stream of them since, reaching almost 30% of all malware seen between 2am and 3am on the 27th October.


Paul Wood | 06 Oct 2009 | 0 comments

Further analysis of Rustock reveals some interesting insights regarding how it seems to have settled into a remarkably predictable pattern of spamming in the last few months - so regular that it may be possible to set your watch by it! Every day at 8 a.m. GMT (3 a.m. ET) it begins to send out spam emails, continuing throughout the day, peaking at about midday GMT (7 a.m. ET), and then ceasing spamming at midnight GMT (7 p.m. ET). It then rests for about eight hours, before the cycle begins again the following day.

Figure 1  - Rustock's New, Regular Spamming Pattern

Figure 2 - Typical Spam Output from Cutwail

This pattern of spamming for Rustock (Figure 1) began around July 6-12, 2009.  Prior to that, Rustock...