Video Screencast Help
Symantec Intelligence
Showing posts in English
Paul Wood | 15 Apr 2011 | 0 comments

Posted on behalf of Mat Nisbet, Malware Analyst,

On the 16th of March Rustock, the largest of the spamming botnets, was taken down. As you would expect,  global spam levels started to drop, as can be seen when you look at the number of mails being delivered  to one of our spamtraps.

However, on the 26th March we saw a large increase in the amount of data traffic hitting our spamtraps,  despite the number of actual emails continuing to decline.

Investigation revealed that the reason for this was that the Cutwail botnet had started sending much  more emails with zip file attachments than normal, meaning the average size of each mail was much  higher than normal. The chart below shows that there have been a couple of spikes in early March, which  may have...

Paul Wood | 06 Apr 2011 | 0 comments

Posted on behalf of Jason Zhang and Joseph Rabaiotti, Malware Research Analysts,


Portable document format (PDF) is one of the most commonly used file formats with which to exchange electronic documents across platforms and applications. Because of its popularity, it has been heavily used in both targeted and non-targeted attacks, as reported by MessageLabs Intelligence Monthly Report (PDF) in February 2011 and a blog post in January 2011. According to the report, PDFs now account for a larger proportion of document-based targeted attacks; in 2009 approximately 52.6% of targeted attacks used PDF exploits, compared with 65.0% in 2010.

In 2011, we have seen no sign of slowing down of this trend, more recently the attacks have widened to include...

MarissaVicario | 04 Apr 2011 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst,

Every year tax season is usually exploited by those who seek to make a profit preying on people's trust. Throughout the year MessageLabs Intelligence commonly sees phishing attacks, but there is always an increase around March, as the financial year draws to a close and tax season kicks into full swing.

The chart above shows tax-related phishing as a proportion of all malicious mail (not general spam)

As on can see, there was an increase in traffic in mid February, but even that is less than half of the volume of tax related scams seen throughout March.

Most of the scams that we are seeing are purporting to be from the UK's tax office, "Her Madjesty's Revenue and Customs", or the USA's tax...

Paul Wood | 22 Mar 2011 | 0 comments

On 21 March 2006, Jack Dorsey sent the first ever Twitter message or ‘tweet’ with five simple words “just setting up my twttr”.  Five years later, 140 million tweets are sent in a host of different languages every day via the micro-blogging service which boasts over 200 million registered users worldwide and is valued at an estimated $7.7 billion following an auction of shares in March 2011.

Although Twitter’s 100 million messages a day may seem paltry compared to the roughly 66 billion email messages sent each day on average in March 2011 before the Rustock botnet was disrupted; (52 billion of which were spam). The prolific growth of micro-blogging platforms...

Paul Wood | 17 Mar 2011 | 0 comments

Posted on behalf of Mat Nisbet, Malware Data Analyst,


Brian Krebs posted on KrebsonSecurity a report about the Rustock botnet apparently going quiet yesterday, and spam from the botnet ceasing. I can confirm that at around 15:30 UTC, on 16 March, spam identified as coming from the botnet known as Rustock ceased sending spam, as shown below:

In the chart above, the spike on this chart is actually normal behaviour for Rustock, as can be seen from this next chart, covering a longer time period:

For the last year or so, Rustock has been the dominant source of spam in the world, by the end of 2010, accounting for as much as 47.5% of all spam. At it’s peak it...

Paul Wood | 28 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer,


Internationalized Domain Names (IDN) allow domain names to include Arabic, Chinese, Russian, Latin (with diacritics) and many other characters like 寿司and 한글. It has been possible to include these characters in some domains for several years, but until last year, top-level domains (like .ru for Russia) were not internationalized like this. Several top-level domains now have internationalized versions, for example .рф for Russia.

I recently saw some German pharmacy spam (targeted at Germany, Austria and Switzerland). The spam itself is fairly normal. It promotes erectile dysfunction drugs, and includes links to a popular URL shortening site:

Figure 1 – example of spam email using URL shortening service redirecting to IDN domain


Most of the spam is in...

Paul Wood | 25 Feb 2011 | 0 comments

Posted on behalf of Jo Hurcombe AV Operations Engineer,



Today, I identified a new targeted attack that for the first time makes reference to a discussion on the economic stakes in Libya’s current Crisis.

The email itself is very simple and is designed to appear as part of a discussion about the economic stakes in Libya's current crisis, with the sender claiming to agree with points raised in the attached document, as seen in the example given below.

Example of targeted email


The first example of this targeted attack was intercepted by on February 24, 2011 at 12:52 GMT. These attacks were targeted in nature and in total 27 individuals were targeted within six organizations. The emails were sent from four separate domains. All of the organizations targeted are involved in...

Paul Wood | 24 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer,


As 419 or advance fee fraud scammers have demonstrated in recent days and weeks, they are particularly adept at using current events to their advantage. We've covered how scammers have also used Egypt's recent revolution to try to get money from their victims.

I recently identified a 419 scam message trying to take advantage of the unrest in Libya. It seems that as countries around the world scramble to evacuate their citizens from the deteriorating situation in the country, 419 scammers are also rushing to send out messages to capitalise on the unrest and publicity.

The scam message claims to be written by someone connected to Libya's Senussi crown (overthrown by Muammar al-Gaddafi in his 1969 coup d'état). The scam follows a fairly...

Paul Wood | 21 Feb 2011 | 0 comments

Posted on behalf of Sean Butler, Senior Malware Operations Engineer,


I recently saw a typical 419 scam mail which was different in one aspect, in that the email was written in Welsh.  Whilst we have seen 419 scam mails constructed in many different languages such as German and French, for example, this was the first time we have come across one of these scam mails written in Welsh.

419 scam mails or advance-fee fraud scam mails usually promise large amounts of money, but demand upfront fees or payments first.  This can leave any potential victims passing over money to the scammers believing this is for the fees, but they will never get the promised large amount of money.

The content of the mail is typical of a 419 scam mail.  In it the scammer posing as a widow of a Kuwaiti ambassador for the Ivory Coast has $2.5 million in a trust fund.  They then want their potential victim to...

Paul Wood | 17 Feb 2011 | 0 comments

Posted on behalf of Nick Johnston, Senior Software Engineer,


It has only been a few days since the resignation of Egypt's long-standing president, Hosni Mubarak, who resigned after intense political pressure following days of widespread protest across the country. As we've seen in the past, 419 or advance-fee fraud scammers (who typically promise large amounts of money, but demand upfront fees or payments first) are quick to react to current events. For example, in the aftermath of Haiti's devastating earthquake in January 2010, 419 scammers impersonated the Red Cross, requesting donations.

We recently saw a German language 419 scam claiming to be from the former Egyptian president's lawyer:


The scammer claimed that he needed the recipient's help to retrieve $2.5m of the president's funds, frozen in a Belgian...