Symantec Internet Security Threat Report - 2011

Introduction | 2011 In Review | 2011 In Numbers | Executive Summary | Safeguarding Secrets: Industrial Espionage in Cyberspace | Against the Breach: Securing Trust and Data Protection | Consumerization and Mobile Computing: Balancing the Risks and Benefits in the Cloud | Spam Activity Trends | Malicious Code Trends | Closing the Window of Vulnerability: Exploits and Zero-day Attacks | Conclusion: What’s Ahead in 2012

Malicious Code Trends

Malware in 2011

By analyzing malicious code we can determine which threats types and attack vectors are being employed. The endpoint is often the last line of defense, but it can often be the first-line of defense against attacks that spread using USB storage devices, insecure network connections and compromised, infected websites. Symantec’s cloud-based technology and reputation systems can also help to identify and block new and emerging attacks that haven’t been seen before, such as new targeted attacks employing previously unknown zero-day exploits. Analysis of malware activity trends both in the cloud and at the endpoint can help to shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers.
Corresponding to their large internet populations, the United States, China and India remained the top sources for overall malicious activity. The overall average proportion of attacks originating from the United States increased by one percentage point compared with 2010, while the same figure for China saw a decrease by approximately 10 percentage points compared with 2010.
The United States was the number one source of all activities, except for malicious code and spam zombies, where India took first place. Around 12.6% of bot activity originated in the USA as did 33.5% of web-based attacks, 16.7 % of network attacks and 48.5% of phishing websites.

Website malware

Drive-by attacks continue to be a challenge for consumers and businesses. They are responsible for hundreds of millions of attempted infections every year. This happens when users visit a website that is host to malware. It can happen when they click on a link in an email or a link from social networking site or they can visit a legitimate website that has, itself, been infected.
Attackers keep changing their technique and they have become very sophisticated. Badly-spelled, implausible email has been replaced by techniques such as ‘likejacking’ where a user visits a website to watch a tempting video and the attackers use that click to post a comment to all the user’s friends on Facebook, thereby enticing them to click on the same malicious link.
Based on Norton Safe Webxxxi data – Symantec technology that scans the Web looking for websites hosting malware – we’ve determined that 61% of malicious sites are actually regular Web sites that have been compromised and infected with malicious code.
By category, the top-5 most infected websites are:
  1. Blogs and Web communications
  2. Hosting/Personal hosted sites
  3. Business/Economy
  4. Shopping
  5. Education and Reference.
It is interesting to note that Web sites hosting adult/pornographic content are not in the top five, but ranked tenth.The full list can be seen in figure 16.
Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.
Figure 13: Average number of malicious Web sites identified per day, 2011. Source:
In 2011, the Symantec VeriSign website malware scanning servicexxxii scanned over 8.2 Billion URLs for malware infection and approximately 1 in 156 unique websites were found to contain malware. Websites with vulnerabilities are more risk of malware infection and Symantec began offering its SSL customers a website vulnerability assessment scan from October 2011. Between October and the end of the year, Symantec identified that 35.8% of websites had at least one vulnerability and 25.3% had a least one critical vulnerability.

Email-borne Malware

The number of malicious emails as a proportion of total email traffic increased in 2011. Large companies saw the greatest rise, with 1 in 205.1 emails being identified as malicious for large enterprises with more than 2,500 employees. For small to medium-sized businesses with up to 250 employees, 1 in 267.9 emails were identified as malicious.
Criminals disguise the malware hidden in many of these emails using a range of different attachment types, such as PDF files and Microsoft Office documents. Many of these data file attachments include malicious code that takes advantage of vulnerabilities in the parent applications, and a number of these attacks have exploited zero-day vulnerabilities in Adobe PDF readers.
Malware authors rely on social engineering to make their infected attachments more clickable. For example, recent attacks appeared to be messages sent from well-known courier and parcel delivery companies regarding failed deliveries. In another example, emails purporting to contain atachments of scanned images sent from network-attached scanners and photocopiers. The old guidance about not clicking on unknown attachments is, unfortunately, still relevant.
Figure 14: Ratio of malware in email traffic, 2011. Source:
Moreover, further analysis revealed that 39.1% of email-borne malware comprised hyperlinks that referenced malicious code, rather than malware contained in an attachment. This is an escalation on the 23.7% figure in 2010, and a further indication that cybercriminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email-based, to using the Web.

Border Gateway Protocol (BGP) Hijacking

In 2011 we investigatedxxxiii a case where a Russian telecommunications company had had its network hijacked by a spammer. They were able to subvert a fundamental Internet technology - the Border Gateway Protocol - itself to send spam messages that appeared to come from a legitimate (but hijacked) source. Since spam filters rely, in part, on blacklists of known spam senders, this technique could allow a spammer to bypass them. Over the course of the year, we found a number of cases like this. Even though this phenomenon remains marginal at this time, compared to spam sent from large botnets, it is one to watch in the coming year.

Polymorphic threats

Polymorphic malware or specifically, “server-side” polymorphism is the latest escalation in the arms race between malware authors and vendors of scanning software. The polymorphic technique works by constantly varying the internal structure or content of a piece of malware. This makes it much more challenging for traditional pattern-matching based anti-malware to detect. For example, by performing this function on a Web server, or in the cloud, an attacker can generate a unique version of the malware for each attack.
In 2011, the email scanner frequently identified a polymorphic threat, Trojan.Bredolab, in large volumes. It accounted for 7.5% of all email malware blocked, equivalent to approximately 35 million potential attacks throughout the whole year. It used a range of techniques for stealth including server-side polymorphism, customized packers, and encrypted communications. Figure 15 below, illustrates this rise in Bredolab polymorphic malware threats being identified using cloud-based technology. This chart shows detection for emails that contained a document-style attachment purporting to be an invoice or a receipt, and prompting the user to open the attachment.
Figure 15: Rise in email-borne Bredolab polymorphic malware attacks per month, 2011. Source:

Exploiting the Web: Attack toolkits, rootkits and social networking threats

Attack toolkits, which allow criminals to create new malware and assemble an entire attack without having to write the software from scratch, account for nearly two-thirds (61%) of all threat activity on malicious websites. As these kits become more widespread, robust and easier to use, this number is expected to climb. New exploits are quickly incorporated into attack kits. Each new toolkit version released during the year is accompanied with increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see an increased use of it in the wild, making as much use of the new exploits until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year.
On average, attack toolkits contain around 10 different exploits, mostly focusing on browser independent plug-in vulnerabilities like Adobe Flash, Adobe PDF Reader and Java. Popular kits can be updated every few days and each update may trigger a wave of new attacks.
They are relatively easy to find and sold on the underground black market and web forums. Prices range from $40 to $4,000.
Attackers are using Web attack toolkits in two main ways:
  • Targeted attacks. The attacker selects a type of user he would like to target. The toolkit creates emails, IMs, blog posts to entice the target audience to the infected content. Typically, this will be a link to a malicious website that will install the malware on the victim’s system.
  • Broadcast attacks. The attacker starts by targeting a broad range of websites using SQL injection, web software, or server exploitation. The objective is to insert a link from an infected website to a malicious site that will infect visitors. Once successful, each subsequent visitor will be attacked.


A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality. Rootkits have been around for some time—the Brain virus was the first identified rootkit to employ these techniques on the PC platform in 1986—and they have increased in sophistication and complexity since then.
Rootkits represent a small percentage of attacks but they are a growing problem and, because they are deeply hidden, they can be difficult to detect and remove. The current frontrunners in the rootkit arena are Tidserv, Mebratix, and Mebroot. These samples all modify the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded. Variants of Downadup (aka Conficker), Zbot (aka ZeuS), as well as Stuxnet all use rootkit techniques to varying degrees.
As malicious code becomes more sophisticated it is likely that they will increasingly turn to rootkit techniques to evade detection and hinder removal. As users become more aware of malicious code that steals confidential information and competition among attackers increases, it is likely that more threats will incorporate rootkit techniques to thwart security software.

Social media threats

With hundreds of millions of people on social networking sites, it is inevitable that online criminals would attack them there. A social medium is perfect for social engineering: it’s easier to fool someone when they think they’re surrounded by friends. More than half of all attacks identified on social networking Web sites were related to malware hosted on compromised Blogs/Web Communications Web sites. This is where a hyperlink for a compromised Web site was shared on a social network. It is also increasingly used for sending spam messages for the same reasons.
All social media platforms are being exploited and in many different ways. But Facebook, as the most popular, provides some excellent examples on how social engineering flourishes in social media. Criminals take advantage of people’s needs and expectations. For example, Facebook doesn’t provide a ‘dislike’ button or the ability to see who has viewed your profile, so criminals have exploited both concepts.

Quick Response (QR) codes

QR codes have sprung up everywhere in the last couple of years. They are a way for people to convert a barcode into a Web site link using a camera app on their smartphone. It’s fast, convenient and dangerous. Spammers are already using it to promote black-market pharmaceuticals and malware authors have used it to install a trojan on Android phones. In combination with link shortening, it can be very hard for users to tell in advance if a given QR code is safe or not, so consider a QR reader that can check a Web site’s reputation before visiting it.
Once the bait has been taken the victim must be reeled in. The next step in these attacks fools the user into taking an action to propagate the threat, for example installing an app, downloading ‘update’ to your video software or clicking on a button to prove you’re human. The attackers persuade their victims to infect themselves and spread the bait to everyone in their social circles.
It must be stated that this is not just a Facebook issue; variations of these threats run on all social media platforms. The number of threats on each of these platforms is directly proportional to the number of users on these sites. It is not indication of the “security” or safety of a site.

Dangerous Web sites

Figure 16: Most dangerous Web site categories, 2011. Source: Symantec

Macs are not immune

The first known Mac-based bot network emerged in 2009 and 2011 saw a number of new threats emerge for Mac OS X, including trojans like MacDefender, a fake anti-virus program. It looks convincing and it installs without requiring admin permission first. Mac users are exposed to sites that push trojans by means of SEO poisoning and social networking. In May 2011, Symantec found a malware kit for Mac (Weyland-Yutani BOT) the first of its kind to attack the Mac OS X platform, and Web injections as a means of attack. While this type of crime kit is common on the Windows platform, this new Mac kit is being marketed as the first of its kindxxxiiv. In addition, many attack tools have become cross-platform, exploiting Java exploits whether they are on Macs or Windows PCs. As a result of these trends, Mac users need to be more mindful of security risks and can’t afford to assume that they are automatically immune from all threats.
Figure 17: MacDefender trojan screenshot. Source: Symantec
xxxiFor more information on Norton Safe Web, please visit

xxxiiFor more information on the Symantec website vulnerability assessment service:

xxxiiiFurther information can be found in Appendix C: Spam and Fraud Activity Trends