Video Screencast Help
Search Video Help Close Back
to help

Symantec Intelligence

Showing posts in English
Word usage in spam
Daren Lewis | 18 Mar 2010 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

There is a huge variety in the types of spam that are sent all over the internet, but there are patterns to be found in the chaos.
 
One way to see patterns is to look at the words most commonly used in spam. If we take a random sample of global spam over a one week period, then there is quite a jumble of topics, but even through all the noise you can see certain words still stand out, as illustrated here (the larger a word, the more often it occurs):
 
 
As you can see, the popular words are fairly generic but all seem to be geared towards encouraging an immediate reaction, trying to get some sense of urgency. This is further indictaded by the fact that 5 of the top 6 words have an exclamation mark. Spammers like to create a sense of urgency in their messages,...

Read more
Death By A Thousand Cuts - Rustock Botnet Sending More Encrypted Spam
MarissaVicario | 10 Mar 2010 | 0 comments

Posted on behalf of Dan Bleaken, Malware Analyst, Symantec Hosted Services

In the past few days we have noticed that the Rustock botnet has been sending a lot more spam using TLS (Transport Layer Security). TLS is the successor to SSL and is a popular way of sending email through an encrypted channel, rather than sending it in the clear like most emails are sent. MessageLabs Intelligence tracks the use of TLS in order to determine how much spam is sent over TLS, and which botnets are sending it.

Not all mail servers force clients to use TLS, but it is frequently used for securing the communications channel between the client email sender and the email server to which the message is being delivered. It prevents eavesdropping of email traffic that would otherwise be sent in plain sight for anyone else on the network to see if they so wished, perhaps using network analysis tools.  Some businesses mandate TLS for remote clients, for example, an employee connecting...

Read more
Pharmacy Spam: Pharmaceutical Websites Fall into Two Distinct Operations
Paul Wood | 01 Mar 2010 | 2 comments

By Yuriko Kako-Batt, Anti-spam Analyst, Symantec Hosted Services

 
Spam is one of the biggest problems for all of people who are using email. And what we imagine when we think of the word of “spam” can be different for all of us and may include spam for dating, fake lotteries, fake designer brands, counterfeit watches, free software – and the list goes on. There are various types of spam that we all receive in our mailboxes every day, and I would be surprised if you had never received “Pharmaceutical spam” that includes hyperlinks leading to websites where you can buy your “little blue pills” without prescription.

This “Pharmaceutical spam” now accounts for more than 65% of all spam, as can be seen in the chart below.  This type of spam is almost always delivered some of the largest spam-sending botnets, including Rustock, Grum, Cutwail, Donbot.  

...

Read more
Targeted Attack Spoofs NYTimes.com and the Times Reader for Windows 2.0 Software
MarissaVicario | 25 Feb 2010 | 0 comments

Posted on behalf of Tony Millington, Malware Operations Engineer, Symantec Hosted Services

MessageLabs Intelligence tracked a new targeted attack yesterday using emails pretending to be from the New York Times sending out it's "Times Reader" software hitting six different domains. One domain was a public sector domain, one was a law firm, three were to chemical companies, but most interestingly the last one was an online gambling company. All are UK based companies. The email attacks appear to have originated from Greece. We can't see this being used as a botnet.
 
When executed the "Times Reader Plugin.exe" uses iexplore.exe to send encrypted data which resolves to an IP address in Denmark which looks like a computer on a home network. It doesn't display anything when you run the exe, so the victim wouldn't know they have been infected. The only indication is an iexplore.exe process running when there is no IE browser session...

Read more
New Brazilian Banking Trojans Alert
Paul Wood | 23 Feb 2010 | 0 comments

By Manoj Venugopalan, Malware Analyst, Symantec Hosted Services

Brazil is the biggest country in Latin America with a population of over 198.7m people, 34% of whom are connected to the internet. It is also a country with a low GDP per capita ratio and higher rates of criminality, especially relating to cyber crime.  With tens of millions of users already using online banking services in Brazil, cyber criminals find Internet banking an attractive target, particularly in the application of banking Trojans used to bypass two-factor authentication systems and other security countermeasures.

MessageLabs Intelligence has seen many Banker Trojan attacks in the past, however, more recently, I came across two different banks that were being targeted by one single attacker: Bradesco and Sicredi. MessageLabs Intelligence had been blocking the Bradesco banking attack some days ago, but then I noticed the Sicredi Bank attack on Saturday 20 February. It was...

Read more
DDoS Attacks Ten Years On
MarissaVicario | 22 Feb 2010 | 0 comments

By Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

Ten years ago, on 14 February 2000, DDoS or distributed denial-of-service attacks – which attempt to cause disruption to an online service or application – knocked a number of high profile websites leaving them offline for several hours, including a well known auction site, the website of a global news channel and an internationally recognized online retail site. Fast forward a decade and DDoS attacks have evolved to be more sophisticated, more prevalent and more dangerous than ever. Most recently, the website of a prominent Russian newspaper was targeted causing major disruption for the publication and its readers. 

Botnets are a key player in DDoS attacks. Right now, we know that the most prominent spam-sending botnets control over five million active PCs.  The actual number of botnets in existence is likely to be much higher as an infected bot only becomes...

Read more
Targeted Attacks Now Using Bredolab Malware
Paul Wood | 17 Feb 2010 | 3 comments

 
Posted on behalf of Tony Millington (Malware Operations Engineer, Symantec Hosted Services), with contributions from Dan Bleaken (Malware Data Analyst, Symantec Hosted Services)

Today we saw a targeted attack against seven different companies via email, sent mostly to Public Sector addresses, but also to the Education Sector. The attack began on February 16, but the fact that we've seen a targeted attack at all is not particularly interesting, we see targeted attacks every day: for example, in the month of January 2010 we stopped 1,976 confirmed targeted emails. The interesting part with this particular attack is that it is using the Bredolab malware as the payload in the email.

Bredolab (for more information click here) is usually spammed out in vast quantities using the Cutwail botnet (one of the largest botnets currently in...

Read more
Five Years On - Evolving Social Media Threats and Instant Messaging Spam
Paul Wood | 16 Feb 2010 | 1 comment

Tuesday 16th February marks the five year anniversary of the first US arrest for SpIM. In 2005 New York teenager Anthony Greco was arrested and charged with sending more than 1.5 million pieces of ’SpIM’ (spam sent through an instant messenger system) advertising pornography and mortgages.

Today enterprises, SMEs and consumers make wide use of Instant Messaging (IM) at work and home to keep in touch with clients, colleagues and friends. However, while IM use is expected to increase considerably over the next year, few users are conscious of the dangers IM presents not only to a single machine but potentially to an entire network. While spam is now an instantly recognised term with computer users, SpIM is still a relatively new kid on the block, yet opening links over IM from an unknown contact comes with the same risks as opening attachments or emails from unknown senders.

MessageLabs Intelligence predicted in our 2009 annual security report (...

Read more
Valentine Heart Healer or Password Stealer
MarissaVicario | 12 Feb 2010 | 5 comments

Posted on behalf of Bhaskar Krishnappa, Malware Analyst, Symantec Hosted Services

Animated heart shaped cards are common during the Valentine season to heal the restless hearts and it’s not a hidden fact that malware can exploit this holiday causing pail to both users and security vendors alikes. Here we have an interesting sample to look up whose evident startup code is Delphi compiled.

startcode.gif

During sample analysis an interesting component found was “ScriptCryptor”  which makes analysis more curious. A search based on the above keyword results in a tool which is quite handy for people aware of minimal scripting (Java or VBs) knowledge. Additionally, more authors can add their arbitrary resource icon and the version information to the executable...

Read more
Gumblar Botnet Ramps Up Activity
MarissaVicario | 06 Aug 2010 | 2 comments

On the heels of having learned that Gumblar infected three Japanese websites late last year, MesageLabs Intelligence has tracked Gumblar’s latest activity which has been heavy over the past few days, especially on 17 January when it represented 25 percent of all malicious blocks.  Generally in January we have seen a small number of blocks each day: average blocks per day 46 (2.3 percent of malicious blocks).

gumblar1.gif

gumblar2.gif
Gumblar: malicious sites blocked by MessageLabs

Some general statistics

•    Since Feb 2009 MessageLabs Intelligence has made 36926 blocks of Gumblar on 4930 URLs across 2048 different domains
•    Originally the malware was served up via a...

Read more