
Symantec Intelligence

Paul Wood | 03 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer,


As we extensively covered on the MessageLabs Intelligence blog last year, the 2010 soccer FIFA World Cup in South Africa, enjoyed by millions, was also used by both 419/advance fee fraud scammers and malware authors to lure unsuspecting victims into handing over money or installing malware.

Last December we saw two scams which claimed the recipient had won a lottery supposedly connected with the 2014 World Cup, to be hosted in Brazil. We were surprised to see scams promoting an event so far in the future, so we were especially surprised to recently see a scam promoting the 2022 World Cup in Qatar. Evidently scammers are not concerned by the fact that the tournament is over ten years away, with the Brazil and Russia tournaments still to come before it.

The scam itself is fairly normal. The mail contains very little content in the body; it simply encourages recipients to open the...

MarissaVicario | 20 Jan 2011 | 1 comment

Posted on behalf of Martin Lee, Senior Software Engineer,

Occasionally, MessageLabs Intelligence is lucky enough to find an email thread contained within a malicious email that allows us to examine the conversation leading up to the attack. This particular email exchange between the attacker and the intended target allows us to understand the social engineering that leads to an attack.

The initial contact is from an individual claiming to be a journalist from a well known American newspaper sent to a media contact for a large professional services company.

Despite the name given in the email, the language used does not appear to be that of a native English speaker. The name used in the header ‘From’ address is non-English and does not correspond with the name used in the email signature. These are surprising lapses...
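The two lapses described above (a ‘From’ display name that does not match the signature, and language that does not fit the claimed sender) are cheap to check mechanically. The following Python is an added example, not code from the original post or from MessageLabs: it parses a constructed, hypothetical message, compares the ‘From’ display name with the name found under the sign-off, and also flags a Reply-To domain that differs from the From domain. The sign-off words and the name pattern are simple assumptions and will miss many real signatures.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (hypothetical names, addresses and domains).
RAW_MESSAGE = """From: "Anzhela Petrova" <press.desk@example-news.test>
Reply-To: contact@webmail-provider.test
To: media@example-firm.test
Subject: Request for comment
Content-Type: text/plain; charset=utf-8

Dear Sir,

I am journalist of a well known newspaper and wish to speak with you for article.
Please kindly confirm your availability.

Regards,
John Smith
Staff Reporter
"""

# Sign-off lines after which a person's name is expected (assumption: short list).
SIGNOFF_RE = re.compile(r"^(regards|best regards|kind regards|sincerely|thanks|cheers)[,.]?$", re.I)
# Crude 'looks like a personal name' pattern: two or three capitalised words.
NAME_RE = re.compile(r"[A-Z][a-z]+(?: [A-Z][a-z]+){1,2}")


def display_name(msg) -> str:
    """Display name part of the From: header, e.g. 'Anzhela Petrova' from '"Anzhela Petrova" <a@b>'."""
    name, _addr = parseaddr(msg.get("From", ""))
    return name.strip()


def signature_name(body: str, max_lines: int = 6) -> str:
    """First name-like line within max_lines after a sign-off word; empty string if none found."""
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    for i, line in enumerate(lines):
        if SIGNOFF_RE.match(line):
            for candidate in lines[i + 1:i + 1 + max_lines]:
                if NAME_RE.fullmatch(candidate):
                    return candidate
    return ""


def name_tokens(name: str) -> set:
    return {t.lower() for t in re.findall(r"[A-Za-z]+", name)}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str) -> dict:
    """Return the extracted names plus a list of human-readable findings."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # plain-text, non-multipart sample
    from_name = display_name(msg)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sig = signature_name(body)

    findings = []
    # Lapse 1: header display name shares no token with the signature name.
    if from_name and sig and not (name_tokens(from_name) & name_tokens(sig)):
        findings.append(f"From display name '{from_name}' does not match signature '{sig}'")
    # Lapse 2: replies are steered to a different domain than the claimed sender.
    if reply_addr and from_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To domain '{domain_of(reply_addr)}' differs from From domain '{domain_of(from_addr)}'")
    return {"from_name": from_name, "signature_name": sig, "findings": findings}


if __name__ == "__main__":
    for f in assess(RAW_MESSAGE)["findings"]:
        print("FINDING:", f)
```

Both checks are heuristics for an analyst's triage queue, not blocking rules: legitimate mail from shared press desks also has mismatched display names and Reply-To addresses.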

MarissaVicario | 10 Jan 2011 | 5 comments

Posted on behalf of Mathew Nisbet, Malware Analyst, Symantec Hosted Services and Matt Sergeant, Senior Anti-Spam Technologist, Symantec Hosted Services

On December 25, 2010, Rustock, the largest of the spam botnets, went quiet. Why this happened we don't know, but what we do know is that global spam levels dropped massively as a result. MessageLabs Intelligence analysts did not expect this respite to last, and sadly we were right.
Since around 00:00 (UTC) on January 10, Rustock has resumed activity, and appears set to continue where it left off on December 25 as the biggest source of global spam.

As Rustock has now returned, this means the overall level of spam has increased. MessageLabs Intelligence honeypot servers have seen an increase of roughly 98 percent in spam traffic between 00:00 and 10:00 today compared to the same period on...

Paul Wood | 04 Jan 2011 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst

Over the 2010 Christmas holiday, the level of spam in circulation has dropped drastically. For example, at the time of writing, the amount of spam hitting our spam honeypots is the lowest it has been since McColo, the rogue ISP, was shut down in November 2008. As can be seen from the global spam level estimates in figure 1 below, the amount of spam worldwide has dropped dramatically since 25th December 2010.

Figure 1 - Global spam volumes


The main cause of this drop is a huge reduction in output from the Rustock botnet, by far the most dominant spam botnet of 2010. Since 25th December, Rustock seems to have all but shut down, with the amount of spam coming from it consistently accounting for below 0.5% of all spam worldwide. Further contributing to the massive reduction in spam levels...

MarissaVicario | 21 Dec 2010 | 0 comments

Posted on behalf of Martin Lee, Senior Software Engineer, Symantec Hosted Services

Information security is all about maintaining the confidentiality, integrity and availability of data. At this time of year, no information security asset is more important than Santa’s ‘naughty or nice’ list.

This data set lists the personal details of billions of individuals along with highly sensitive details of their private life. This database is almost certainly a high profile target for criminal gangs. The details may be used to blackmail high profile individuals or to compromise employees with access to sensitive or further confidential information. Any unauthorized disclosure of this information may also breach North Pole data protection laws.

The integrity of this data is also of vital importance; unauthorized access may allow criminal gangs to alter statuses from ‘naughty’ to ‘nice’ for financial...

MarissaVicario | 17 Dec 2010 | 0 comments

Posted on behalf of Matt Sergeant, Senior Anti-spam Technologist, Symantec Hosted Services

As of this week, Canada joins the rest of the G8 countries with its very own anti-spam law. Until now, Canada has been the only G8 country without anti-spam legislation. Bill C-28, the new Fighting Internet and Wireless Spam Act, will require businesses to follow best practices and aims to prevent unsolicited commercial e-mail distribution in Canada.

First introduced in 2009 as Bill C-27, the Electronic Commerce Protection Act died when parliament was prorogued in December 2009 but was reintroduced earlier this year as Bill C-28. After much debate, it was finally approved by the Senate on December 15, 2010.

This legislation differs from the CAN-SPAM Act in the U.S., which only requires that recipients be given a way to opt out. Canada’s powerful spam law requires businesses to obtain opt-in consent from recipients before sending commercial emails and other electronic...

MarissaVicario | 17 Dec 2010 | 0 comments

Posted on behalf of Nicholas Johnston, Senior Software Engineer, Symantec Hosted Services

This year's soccer FIFA World Cup in South Africa, enjoyed by millions, was also used by both 419/advance fee fraud scammers and malware authors to lure unsuspecting victims into handing over money or installing malware. World Cup interest has been briefly re-ignited by FIFA's recent announcement of the host nations for the 2018 and 2022 tournaments.

However, the host for the 2014 tournament, Brazil, had already been decided. Even though the tournament is over 1,200 days away and many of the stadiums that will be used to stage matches are still being redeveloped, 419/advance fee fraud lottery scams have already started using this event to try to trick victims into handing over money to claim fake lottery winnings.

MessageLabs Intelligence recently saw two examples of this. Both contain attachments claiming that the recipient has won a...

MarissaVicario | 10 Dec 2010 | 0 comments

Posted on behalf of Nicholas Johnston, Senior Software Engineer, Symantec Hosted Services

Spammers abusing free hosting sites by using them for hosting spam-related content is nothing new, but this abuse has turned into much more sophisticated, multi-layer abuse.

Instead of just including a link to a free hosting site, and hosting spam-related content there, spammers are increasingly using URL shortening services. These services allow spammers to create an almost unlimited number of links, allowing each individual spam message sent to contain a new link. Increasingly, these links do not point directly to a spam-related site. Instead, they point to a free hosting site, often with extra randomized "junk" parameters added to the end of the URL like this:
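The per-message randomized "junk" parameters described above exist to defeat exact-match URL blocklists: every spam message carries a unique link, yet they all land on the same free-hosted page. The Python below is an added example, not code from the original post or from MessageLabs, of the defensive counterpart: it strips query parameters whose values look random (long, alphanumeric, high entropy) and clusters URLs by the remaining host and path, so thousands of unique links collapse to a handful of keys. It also flags links on URL shortening services, the first hop in the multi-layer chain the post describes (and the services the later "Cybercriminals Usurp URL Shortening Services" trend item is about). All hosts and URLs are constructed for the example; the shortener list and the entropy threshold are assumptions to tune on real traffic.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: a short illustrative list of shortening hosts, not a complete one.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "is.gd", "t.co"}

# Constructed sample links as they might appear across several spam messages.
SAMPLE_URLS = [
    "http://free-pages.test/u/promo.html?r=a7Kq9zP2mL",
    "http://free-pages.test/u/promo.html?r=Zx3vB8nQ1t",
    "http://free-pages.test/u/promo.html?r=Hk2mN5pL9w&lang=en",
    "http://bit.ly/3xYz9qA",
    "http://other.test/page?x=1",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random alphanumeric tokens score close to log2(len)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(value: str) -> bool:
    """Heuristic for a junk parameter value: 8+ alphanumeric chars with entropy above 3 bits."""
    return len(value) >= 8 and value.isalnum() and shannon_entropy(value) > 3.0


def canonical_key(url: str) -> str:
    """Collapse a URL to lowercase host + path plus only the parameters that do not look random."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if not looks_random(v))
    query = "&".join(f"{k}={v}" for k, v in kept)
    return f"{host}{parts.path}" + (f"?{query}" if query else "")


def is_shortener(url: str) -> bool:
    """True when the link's first hop is a known URL shortening service."""
    return (urlsplit(url).hostname or "") in SHORTENER_HOSTS


def cluster_urls(urls):
    """Group URLs by canonical key: {key: [original urls]}."""
    clusters = defaultdict(list)
    for u in urls:
        clusters[canonical_key(u)].append(u)
    return dict(clusters)


if __name__ == "__main__":
    for key, members in cluster_urls(SAMPLE_URLS).items():
        print(f"{len(members):3d}  {key}")
    for u in SAMPLE_URLS:
        if is_shortener(u):
            print("shortener hop:", u)
```

In practice the shortener links would be expanded (following redirects in a sandboxed fetcher) before canonicalisation, so that the free-hosting target behind each unique short link contributes to the same cluster; the example keeps everything offline.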

MarissaVicario | 07 Dec 2010 | 0 comments

Posted on behalf of Tony Millington, Malware Operations Engineer, Symantec Hosted Services

On Friday 3rd December at 12:41 Skeptic stopped a new virus that we had not seen before, a targeted attack against a government body using WikiLeaks as social engineering to get the user to open the document.

File Details:
    Name: WikiLeaks.pdf
    Md5sum: 8be9d8ad72d2ac5a0e0eb59292bd41a9
    Commercial Scanner Detection: 9/43



The email had been sent from a compromised account and, as is often the case, the social engineering didn’t have a lot of thought behind it. Because the above sentence within the email doesn’t make much sense, the recipient is led to believe the pdf attachment may lead to more information.

However, the attachment has an encrypted executable embedded in it...
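A PDF whose payload is an encrypted executable will not show an MZ header to a signature scanner, which is one reason only 9 of 43 commercial scanners flagged this sample. What the container cannot hide is the PDF structure needed to carry and trigger a payload. The Python below is an added example, not code from the original post or from Symantec: it computes the MD5 (as in the file details above), normalises PDF name escapes (`/Java#53cript` is the same name as `/JavaScript` and is a common evasion), counts risky names such as /EmbeddedFile, /JavaScript, /OpenAction and /Launch, and returns a coarse verdict. The sample PDF is constructed and benign; its JavaScript is a harmless alert, and the name list and scoring are assumptions.

```python
import hashlib
import re

# Constructed, benign sample: a catalog with an embedded file plus an OpenAction
# that runs JavaScript (name written with a #xx escape to show the normalisation).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
    b"/Names << /EmbeddedFiles 6 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length 8 >> stream\n"
    b"\x78\x9c\x03\x00\x00\x00\x00\x01\nendstream endobj\n"
    b"5 0 obj << /S /Java#53cript /JS (app.alert('hello');) >> endobj\n"
    b"6 0 obj << /Names [(update.exe) 4 0 R] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names worth counting in triage (assumption: a short list in the spirit of pdfid).
RISKY_NAMES = ["/EmbeddedFile", "/EmbeddedFiles", "/Launch", "/JavaScript", "/JS",
               "/OpenAction", "/AA", "/RichMedia", "/ObjStm"]
EMBED_NAMES = {"/EmbeddedFile", "/EmbeddedFiles"}
TRIGGER_NAMES = {"/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA"}


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes so an obfuscated name matches its plain spelling."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Occurrences of each risky name; a name ends at a non-alphanumeric byte, so /JS != /JSX."""
    norm = unescape_names(data)
    hits = {}
    for name in RISKY_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, norm))
        if n:
            hits[name] = n
    return hits


def verdict(hits: dict) -> str:
    """high: something embedded AND something that runs automatically; medium: one of the two."""
    embedded = bool(EMBED_NAMES & hits.keys())
    triggered = bool(TRIGGER_NAMES & hits.keys())
    if embedded and triggered:
        return "high"
    if embedded or triggered:
        return "medium"
    return "low"


def triage_pdf(data: bytes) -> dict:
    hits = count_risky_names(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "is_pdf": data.startswith(b"%PDF"),
        "objects": len(re.findall(rb"\b\d+ \d+ obj\b", data)),
        # An unencrypted PE inside the stream would show 'MZ'; an encrypted one (as in the
        # incident above) will not, which is why the structural names matter more.
        "plain_mz_present": b"MZ" in data,
        "hits": hits,
        "verdict": verdict(hits),
    }


if __name__ == "__main__":
    report = triage_pdf(SAMPLE_PDF)
    for k, v in report.items():
        print(f"{k}: {v}")
```

A high verdict is a reason to detonate the file in a sandbox or pull it for manual analysis, not a detection on its own: legitimate forms use /AA and /JavaScript, and portfolios use /EmbeddedFiles. The combination, in a mail that arrived unsolicited from an outside sender, is what should raise the priority.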

Daren Lewis | 06 Dec 2010 | 0 comments


Tomorrow (December 7) we will release our MessageLabs Intelligence 2010 Annual Security Report looking back at the changes in the threat landscape during 2010. We also use the opportunity to look ahead at potential trends for next year. In the days leading up to the publication of the report we have shared a number of these trends. This trend is the final in this series of posts:

Cybercriminals Usurp URL Shortening Services

URL shortening services are becoming critical to the operation of social networks, particularly those that apply a character limit to user updates. In 2010 we saw a number of exploits using URL shortening services that led to compromised sites.

In 2011 we expect to see more sophisticated attacks using URL shortening services either by a criminal enterprise gaining control of a significant URL shortening service or one of these groups setting up a service which appears legitimate, and operates in a legitimate...