Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second. This network monitors attack activity in more than 200 countries and territories through a combination of Symantec products and services, such as the Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, and other third-party data sources.
In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products.
Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud; and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 8 billion email messages and more than 1.4 billion Web requests are processed each day across 15 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.
These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future.
In addition to gathering global Internet attack data, Symantec also analyses attack data that is detected by sensors deployed in specific regions. This report discusses notable aspects of malicious activity Symantec has observed in Europe, the Middle East and Africa (EMEA) for 2011.
EMEA Threat Activity Trends
The following section of the Symantec Europe, the Middle East and Africa (EMEA) Internet Security Threat Report provides an analysis of threat activity, malicious activity, and data breaches that Symantec observed in EMEA in 2011. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and network attack origins. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.
This discussion is based on malicious threat activity detected by Symantec in the EMEA region in 2011.
Threat Activity Trends Metrics for Europe, the Middle East, and Africa
EMEA Malicious Code Activity Trends
Symantec collects malicious code information from its large global customer base through a series of opt-in, anonymous telemetry programs, including Norton Community Watch, Symantec Digital Immune System, and Symantec Scan and Deliver technologies. Well over 133 million clients, servers, and gateway systems actively contribute to these programs. New malicious code samples, as well as detection incidents from known malicious code types, are reported back to Symantec. Reported incidents are counted as potential infections if an infection could have occurred in the absence of security software to detect and eliminate the threat.
Malicious code threats are classified into four main types— backdoors, viruses, worms, and Trojans:
- Backdoors allow an attacker to remotely access compromised computers.
- Trojans are malicious code that users unwittingly install onto their computers, most commonly through either opening email attachments or downloading from the Internet. Trojans are often downloaded and installed by other malicious code as well. Trojan horse programs differ from worms and viruses in that they do not propagate themselves.
- Viruses propagate by infecting existing files on affected computers with malicious code.
- Worms are malicious code threats that can replicate on infected computers, or that replicate in a manner that facilitates their being copied to another computer (such as via USB storage devices).
Many malicious code threats have multiple features. For example, a backdoor is always categorized in conjunction with another malicious code feature. Typically, backdoors are also Trojans; however, many worms and viruses also incorporate backdoor functionality. In addition, many malicious code samples can be classified as both worm and virus due to the way they propagate. One reason for this is that threat developers try to enable malicious code with multiple propagation vectors in order to increase their odds of successfully compromising computers in attacks.
This discussion is based on malicious code samples detected by Symantec in the EMEA region in 2011.