Symantec Intelligence

The Symantec Intelligence Blog published by serves as a conduit for communicating Intelligence data, trends and statistics based on analysis of cyber security threats, trends and insights from the Symantec Intelligence team comprised of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day.

    Created: MarissaVicario 03 Sep 2010

    Cutwail Takedown Cripples Bredolab Trojan; No Effect on Spam Levels

    Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

    The Cutwail botnet has been one of the most prolific spamming botnets of the last two to three years. Even before the McColo ISP takedown in November 2008, Cutwail represented between 10 and 15 percent of all global spam. Cutwail was almost certainly disrupted by the takedown of McColo, but came back bigger and stronger in response. At its peak at the start of June 2009, Cutwail was responsible for more than 45 percent of all spam and had between 1.4 and 2.1 million bots under its control. In June 2009 and August 2009, Cutwail took further notable hits as rogue ISPs were identified and shut down. We reported what happened to Cutwail as a result of the 3FN takedown in the June 2009 MLI report...
    Created: MarissaVicario 30 Aug 2010

    Unusual Phishing Scam Disguised as Fast Food Restaurant Survey Aims to Steal Financial Information

    Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services

    MessageLabs Intelligence has recently seen an interesting variant on the usual bank and financial-institution phishing. This particular phishing message encourages the recipient to receive 90 dollars by completing a survey sponsored by a fast food restaurant. This scam differs from normal phishing, where phishers often impersonate banks and other financial institutions, claiming that the victim's account has been temporarily disabled and requires some kind of action to restore it. The use of a well-known, unrelated, trusted third-party fast food restaurant brand as a vector for stealing confidential information is relatively new. It appears that this phish was aimed at users in New Zealand. Our analysis shows that most of the recipients were in Australia or New Zealand, and the URL of the site included, presumably a very poor attempt by the phishers to try to fool people...
    Created: MarissaVicario 25 Aug 2010

    Dating scammers can be ingenious

    By Yuriko Kako-Batt, Malware Analyst, Symantec Hosted Services

    Dating scams are a common spam email problem. Spam relating to sex or dating currently accounts for approximately 4 percent of global spam. In a typical scam, a recipient (male or female) receives an email from a stranger that might say something along the lines of: “I found your information on a website. I think you are my true love…write back to me soon”. If the recipient replies to the email, the scammer begins to write to them with stories about their family, their background and how much they love the recipient; any number of subjects are discussed, and flattering/suggestive comments are made, until at some point the attacker feels that the potential victim has been socially engineered to the point that they trust the attacker....
    Created: MarissaVicario 25 Aug 2010

    Scareware Haunts Airport Internet Terminals

    Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services

    This year, people traveling by air have had to contend with disruption caused by the volcanic ash cloud from the Eyjafjallajökull eruption in Iceland, industrial action and tour operators collapsing. But while traveling ourselves, we noticed another threat: airport Internet terminals infected with malware. Many airports have public Internet terminals for passengers without their own laptops to check email or browse the Web. In a large airport in England, we noticed one terminal with an unusual "Defense Center Installer" dialog box. "Defense Center Installer" is fake anti-virus software, also known as "scareware". This type of malware claims that a user is infected with a virus and encourages them to buy the full version of the software to clean the fictitious infection. It's also common for this type of malware to try to uninstall...
    Created: Daren Lewis 23 Aug 2010

    August Botnet Distribution

    In the August 2010 MessageLabs Intelligence report (available on Tuesday) we present our analysis of the top botnets globally. An analysis of individual bot IP addresses allows mapping of the physical location of bots. This animation lets you view the variation in geographic concentrations of bots between the top five botnets as reported in the August report: Rustock, Grum, Cutwail, Mega-D and Lethic. The animation displays each botnet for two seconds. To see an interactive version visit: Bots are widely distributed globally, with greater prevalence in areas with high levels of computer and broadband adoption. In this analysis, with the bots...
    Created: MarissaVicario 16 Aug 2010

    Image Spam

    Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

    The use of images in spam is well known, and has been going on for as long as it has been possible to send images in email messages. There are many reasons for using images in email, from simply making the email more interesting, or adding a look of professionalism, to attempting to evade text-based spam filters and signatures. The use of remote images in particular has been steadily increasing over the last 16 months. With remote images, the image is not actually contained within the email itself. Instead the email uses HTML to link to a remotely hosted image, which most modern email clients will render just like a web browser. There are good reasons a spammer would want to use remotely hosted images. First, they can change the content of a spam run at any time without having to update templates or make any...
    Created: MarissaVicario 10 Aug 2010

    Personalized Spam

    Posted on behalf of Mathew Nisbet, Malware Data Analyst

    Spammers use many tactics to add legitimacy to their emails. One technique is the personalization of their spam, where the spammer adds text to the email that specifically mentions the recipient, a technique often used in legitimate marketing campaigns. A legitimate marketing email from a well-known company will usually include the recipient’s name. In this case the marketer will likely have access to the user’s personal information because the user has signed up to receive their newsletter or is a previous customer. For a spammer, obtaining personal information is not so simple. An easy way for them to get a similar effect, though, is to simply use the email address to which they are sending. While this is not a name, it can have the same effect by making the email appear to have been sent in accordance with a legitimate mailing list rather than spammed at random. This can be a...
    Created: MarissaVicario 04 Aug 2010

    MessageLabs Intelligence Finds Dramatic Increase in requests for Streaming Media during World Cup

    Posted on behalf of Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services

    Your company’s internet link is precious. Not only is it expensive and limited, it is a vital business tool. Yet recent MessageLabs Intelligence analysis shows that companies can lose around a quarter of their internet bandwidth to employee web misuse, streaming media and spam. Imagine if you had to give up a quarter of your office space for non-work activities; it’s inconceivable. But when it comes to internet bandwidth, most companies don’t even know about the loss, let alone take steps to prevent it. The MessageLabs Hosted Web Security Service (WSS) blocks millions of web requests every day to protect users from accessing content that is either non-compliant with company policy or malicious. In a typical week in 2010 the WSS performs about 107 million blocks (up from 90 million/week in 2009), on 5-10 million distinct URLs, for several...
    Created: MarissaVicario 30 Jul 2010

    Wordle: Words Used by Major Spam Sending Botnets

    Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

    In the past, MessageLabs Intelligence did some analysis on the words used by the major spam botnets, which showed a marked difference in the type of spam each one sent. Recently we decided to have a look at the different types of emails we see going through our systems. We looked at general spam, phishing, malware, and targeted attacks, and like before, each has a distinct pattern of its own. Spam is fairly unsurprising in its content; mostly it consists of words having to do with selling something, such as product names or words like “discount”, “price”, or “sale!” The main aim of general spam is to get the recipient to buy something as quickly as possible. It tends to be designed to convince the recipient of a “must have” offer that can’t be found anywhere else. ...
    Created: Daren Lewis 15 Jul 2010

    MessageLabs Intelligence research on spam in Germany, the UK, Denmark, the US, Canada and Australia

    We've taken a closer look at spam on a regional/city basis in six large markets for July 2010. Just as we see differences in spam rates between countries, we often see significant differences within countries. There is no safe haven from the deluge of spam that hits the inboxes of business users around the world. Worldwide, 90% of spam is sent by an estimated five to six million spam-sending computers that have been compromised by cyber criminals. These computers are organized into automated robot networks, or botnets, and send an estimated 120 billion emails each day. Botnets are sometimes used to launch spam campaigns targeting particular regions, but botnet-driven attacks don’t often discriminate; the greater the number of people they can reach, the more money the cyber criminals stand to make. Targeted attacks are a worldwide threat too, though the level of danger an organization may face is largely determined by what...