Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Symantec Intelligence
Showing posts in English
Paul Wood | 17 Feb 2010 | 3 comments

Posted on behalf of Tony Millington (Malware Operations Engineer, Symantec Hosted Services), with contributions from Dan Bleaken (Malware Data Analyst, Symantec Hosted Services)

Today we saw a targeted attack against seven different companies via email, sent mostly to Public Sector addresses, but also to the Education Sector. The attack began on February 16, but the fact that we've seen a targeted attack at all is not particularly interesting, we see targeted attacks every day: for example, in the month of January 2010 we stopped 1,976 confirmed targeted emails. The interesting part with this particular attack is that it is using the Bredolab malware as the payload in the email.

Bredolab (for more information click here) is usually spammed out in vast quantities using the Cutwail botnet (one of the largest botnets currently in...

Paul Wood | 16 Feb 2010 | 1 comment

Tuesday 16th February marks the five year anniversary of the first US arrest for SpIM. In 2005 New York teenager Anthony Greco was arrested and charged with sending more than 1.5 million pieces of ’SpIM’ (spam sent through an instant messenger system) advertising pornography and mortgages.

Today enterprises, SMEs and consumers make wide use of Instant Messaging (IM) at work and home to keep in touch with clients, colleagues and friends. However, while IM use is expected to increase considerably over the next year, few users are conscious of the dangers IM presents not only to a single machine but potentially to an entire network. While spam is now an instantly recognised term with computer users, SpIM is still a relatively new kid on the block, yet opening links over IM from an unknown contact comes with the same risks as opening attachments or emails from unknown senders.

MessageLabs Intelligence predicted in our 2009 annual security report (...

MarissaVicario | 11 Feb 2010 | 0 comments

Posted on behalf of Bhaskar Krishnappa, Malware Analyst, Symantec Hosted Services

Animated heart shaped cards are common during the Valentine season to heal the restless hearts and it’s not a hidden fact that malware can exploit this holiday causing pail to both users and security vendors alikes. Here we have an interesting sample to look up whose evident startup code is Delphi compiled.


During sample analysis an interesting component found was “ScriptCryptor”  which makes analysis more curious. A search based on the above keyword results in a tool which is quite handy for people aware of minimal scripting (Java or VBs) knowledge. Additionally, more authors can add their arbitrary resource icon and the version information to the executable file.


MarissaVicario | 21 Jan 2010 | 2 comments

On the heels of having learned that Gumblar infected three Japanese websites late last year, MesageLabs Intelligence has tracked Gumblar’s latest activity which has been heavy over the past few days, especially on 17 January when it represented 25 percent of all malicious blocks.  Generally in January we have seen a small number of blocks each day: average blocks per day 46 (2.3 percent of malicious blocks).


Gumblar: malicious sites blocked by MessageLabs

Some general statistics

•    Since Feb 2009 MessageLabs Intelligence has made 36926 blocks of Gumblar on 4930 URLs across 2048 different domains
•    Originally the malware was served up via a malicious site called in April 2009, and the threat was named after that...

Paul Wood | 20 Jan 2010 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

The Haiti earthquake happened at 21.53 GMT on Tues Jan 12.  It wasn’t long before we saw something related in spam, about 24 hours in fact. 

Spammers, almost without fail, produce spam campaigns containing text relating to virtually every major newsworthy event that is going on.  And also plenty of events that are in the news, that are not particularly global or exciting or even interesting sometimes.   The approaches that spammers frequently use when newsworthy events arise include:

1.    Spammers may just continue to send the same old spam campaigns, Pharmaceuticals, fertility drugs, watches or whatever.  But, if they include the latest news headlines in the subject or somewhere in the body, this works to grab the attention of the recipients and make it more likely they will open the spam and get drawn into whatever the...

MarissaVicario | 15 Jan 2010

On 31 December 2009 MessageLabs Intelligence began tracking a new botnet, named 'Lethic'. At that time, it accounted for 2.5 percent of all spam. On 1 January 2010 it rose to just under 4 percent of all spam and carried on at roughly around that level for another six days. On 8 January, it peaked at 5.25 percent of all spam (which is around 5.25 billion spam globally per day), then over the next 2 days its traffic dropped off to nothing and has yet to return.

The last spam MessageLabs Intelligence tracked from Lethic was received on the 9 January. This drop off is due to community action by Neustar and several ISPs and seems to have effectively 'killed' Lethic.

lethic stats.gif

The spam Lethic has been sending is roughly an even mix of Pharma (all linking to Canadian pharmacy websites as usual) and replica watches. The pharma websites linked to are all hosted in Beijing, the replica watch...

Paul Wood | 14 Jan 2010

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

People all over the world are currently feeling a great deal of sympathy for the people of Haiti, who were recently hit by a severe earthquake. Humanitarian aid is being offered by many countries around the globe, and aid charities are looking for donations so that they can send all the help they can.
And then there are people who don’t want to help and will use any means to try and get those donations. '419' advance fee fraud scams are common and the perpetrators are always looking for new attention-grabbing topics which will trick people into handing over their money. Something like the humanitarian crisis of the Haiti earthquake is, sadly, a prime target for these scammers. They count on the public’s good nature, concern, and desire to help, and hope that they won’t see through the scam email which they are reading. The desire to help...

Paul Wood | 14 Jan 2010 | 0 comments

This post is made on behalf of Nicholas Johnston, Senior Anti-Spam Engineer, Symantec Hosted Services.

Earlier today we saw a 419 or advance fee fraud scam claiming to be sent by Hassan Ali Abdul Mutallab, the brother of Umar Farouk Abdul Mutallab, who allegedly attempted to blow up Northwest Airlines flight 253 over Detroit on Christmas Day.

The message (see screenshot) has a subject of "Take my Salaam and respect", and the scammer purporting to be Umar Farouk Abdul Mutallab's brother claims he is looking for a "Muslim brother/sister" to help retrieve funds belonging to the alleged bomber. Without replying to scammer it's impossible to be sure exactly how the scam works, but we have every suspicion that it operates like most 419 scams. Before the non-existent money can be released, various increasingly inventive fees and charges have to be paid. These fees continue until the victim of the scam eventually realizes that they have no chance...

MarissaVicario | 30 Dec 2009 | 0 comments

Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

Happy New Year! The uncertainty of what 2010 will bring news-wise is exactly what makes the spam landscape, well, interesting and unpredictable. Although we can predict general threat trends as we have in our 2010 Security Predictions, we can never foresee spam’s entire future which makes everyday a virtual crap-shoot – to an extent – for our MessageLabs Intelligence Team.

Let’s take a look back at the events that shaped the 2009 spam landscape:

The global credit crisis and the election of US President Barack Obama provided two major themes to much of the spam blocked in early 2009. Other events, festivities and news stories also contributed to many spam themes in 2009, including:

•    St. Valentine’s Day on...

MarissaVicario | 23 Dec 2009 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

Globally, for the past month, spam accounts for roughly 75 percent of all email in circulation. And about 75 percent of that spam is sent from one of the ten to 20 heavyweight botnets, which are huge networks of infected PCs, in some cases more than 1 million strong, sending spam 24/7.  The remaining 25 percent of spam is sent via some other technique such as

•    spam sent manually/automatically in large volumes using possibly thousands of newly generated, automatic CAPTCHA-broken, free webmail accounts

•    spam sent manually/automatically using a compromised private webmail account e.g. a company webmail, university webmail etc

•    spam sent manually/automatically using servers with a weak SMTP AUTH password, which the spammers have guessed

•    spam sent manually/automatically...