Symantec Intelligence
MarissaVicario | 15 Jan 2010

On 31 December 2009 MessageLabs Intelligence began tracking a new botnet, named 'Lethic'. At that time, it accounted for 2.5 percent of all spam. On 1 January 2010 it rose to just under 4 percent of all spam and carried on at roughly that level for another six days. On 8 January, it peaked at 5.25 percent of all spam (which is around 5.25 billion spam messages globally per day), then over the next 2 days its traffic dropped off to nothing and has yet to return.

The last spam MessageLabs Intelligence tracked from Lethic was received on 9 January. This drop-off is due to community action by Neustar and several ISPs and seems to have effectively 'killed' Lethic.

The spam Lethic has been sending is roughly an even mix of Pharma (all linking to Canadian pharmacy websites as usual) and replica watches. The pharma websites linked to are all hosted in Beijing, the replica watch...

Paul Wood | 14 Jan 2010

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

People all over the world are currently feeling a great deal of sympathy for the people of Haiti, who were recently hit by a severe earthquake. Humanitarian aid is being offered by many countries around the globe, and aid charities are looking for donations so that they can send all the help they can.
 
And then there are people who don’t want to help and will use any means to try and get those donations. '419' advance fee fraud scams are common and the perpetrators are always looking for new attention-grabbing topics which will trick people into handing over their money. Something like the humanitarian crisis of the Haiti earthquake is, sadly, a prime target for these scammers. They count on the public’s good nature, concern, and desire to help, and hope that they won’t see through the scam email which they are reading. The desire to help...

Paul Wood | 14 Jan 2010 | 0 comments

This post is made on behalf of Nicholas Johnston, Senior Anti-Spam Engineer, Symantec Hosted Services.

Earlier today we saw a 419 or advance fee fraud scam claiming to be sent by Hassan Ali Abdul Mutallab, the brother of Umar Farouk Abdul Mutallab, who allegedly attempted to blow up Northwest Airlines flight 253 over Detroit on Christmas Day.

The message (see screenshot) has a subject of "Take my Salaam and respect", and the scammer purporting to be Umar Farouk Abdul Mutallab's brother claims he is looking for a "Muslim brother/sister" to help retrieve funds belonging to the alleged bomber. Without replying to the scammer it's impossible to be sure exactly how the scam works, but we have every suspicion that it operates like most 419 scams. Before the non-existent money can be released, various increasingly inventive fees and charges have to be paid. These fees continue until the victim of the scam eventually realizes that they have no chance...

MarissaVicario | 30 Dec 2009 | 0 comments

Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

Happy New Year! The uncertainty of what 2010 will bring news-wise is exactly what makes the spam landscape, well, interesting and unpredictable. Although we can predict general threat trends as we have in our 2010 Security Predictions, we can never foresee spam’s entire future, which makes every day a virtual crap-shoot – to an extent – for our MessageLabs Intelligence Team.

Let’s take a look back at the events that shaped the 2009 spam landscape:

The global credit crisis and the election of US President Barack Obama provided two major themes to much of the spam blocked in early 2009. Other events, festivities and news stories also contributed to many spam themes in 2009, including:

•    St. Valentine’s Day on...

MarissaVicario | 23 Dec 2009 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

Globally, for the past month, spam accounts for roughly 75 percent of all email in circulation. And about 75 percent of that spam is sent from one of the ten to 20 heavyweight botnets, which are huge networks of infected PCs, in some cases more than 1 million strong, sending spam 24/7. The remaining 25 percent of spam is sent via some other technique such as:

•    spam sent manually/automatically in large volumes using possibly thousands of newly generated, automatic CAPTCHA-broken, free webmail accounts

•    spam sent manually/automatically using a compromised private webmail account e.g. a company webmail, university webmail etc

•    spam sent manually/automatically using servers with a weak SMTP AUTH password, which the spammers have guessed

•    spam sent manually/automatically...

MarissaVicario | 21 Dec 2009 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

Symantec Hosted Web Security Service blocks millions of web requests every day to protect employees from content that is either against company policy, or malicious. In a typical week MessageLabs Intelligence performs 50 million blocks on 10 million distinct URLs for several thousand clients. That’s tens of thousands of blocks per client per week.

99.95% of blocked URLs are policy based. Of these, by far the greatest proportion is for advertising, mostly pop-up ads or auto-forwarding to ads. Also, MessageLabs Intelligence blocks sites related to Games, Chat, Personals & Dating, Adult/Sexually Explicit material, Violence, Tasteless & Offensive material, Weapons, Criminal Activity, Gambling, Illegal Drugs and so on. Clients have full control over what they consider to be against company policy. Each day, roughly 39% of clients have...

Paul Wood | 17 Dec 2009 | 1 comment

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

MP3 Spam Returns to Attract Recipients to Canadian Pharmacy Website

I remember the excitement in the MessageLabs anti-spam team when the first spam with an MP3 file was intercepted, back on 18 October 2007.  At that time we were watching particularly carefully for the appearance of new file types in spam.  Image spam had been huge over the Summer of 2007, especially images containing randomised pixels (an attempt to bypass traditional signature-based detection).  Later in the same year, PDF files were also being used as well as some other file types that hadn’t been seen in spam before.  At that time it seemed as though spammers were keen to explore the use of new attachment types; anything to keep their spam runs varied and shifting. 

Today of course, we still see various file formats being used in spam messages, but not nearly...

MarissaVicario | 16 Dec 2009 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

“Pump-and-dump” stock spamming is a technique that has been around for a long time now, where spammers attempt to artificially raise the price of a particular company’s shares. It was extremely popular throughout 2007 and the early part of 2008, but after that it dropped off to almost nothing. However, on the 14th December it returned in large volumes, being sent out by the Donbot botnet. Throughout 2009 there has been very little ‘stock spam,’ but when Donbot ramped up its activity on December 14, pump and dump scams shot up to over 4.5% of spam for that day, which is an estimated 5 billion messages globally (based on the Symantec average daily spam volume estimate for 2009), in just one day.

The purpose of these “pump-and-dump” emails...

MarissaVicario | 14 Dec 2009 | 0 comments

Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

Without a doubt, 2009 was the Year of the Botnet. As reported in the MessageLabs Intelligence Annual Report, by the end of 2009, 83.4 percent of spam originated from botnets. While each botnet varies in size and has its own unique characteristics and capabilities, one thing they share in common is the ability to spam in large quantities.

With approximately 151 billion unsolicited messages each day being distributed by compromised computers, understanding who is responsible for such unprecedented levels is always of interest to MessageLabs Intelligence. Much like the threat landscape, the botnet landscape is ever changing.
The top botnets of 2009 are listed in this table with two recent newcomers – Maazben and Festi.

...