
Threat Activity Trends


Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and a typically more stable connection. Symantec categorizes malicious activities as follows:
  • Malicious code: This includes programs such as viruses, worms, and Trojans that are covertly inserted into programs. The purposes of malicious code include destroying data, running destructive or intrusive programs, stealing sensitive information, or compromising the security or integrity of a victim’s computer data.
  • Spam zombies: These are remotely controlled, compromised systems specifically designed to send out large volumes of junk or unsolicited email messages. These email messages can be used to deliver malicious code and phishing attempts.
  • Phishing hosts: A phishing host is a computer that provides website services in order to illegally gather sensitive user information while pretending that the attempt is from a trusted, well-known organization by presenting a website designed to mimic the site of a legitimate business.
  • Bot-infected computers: Malicious programs have been used to compromise these computers to allow an attacker to control the targeted system remotely. Typically, a remote attacker controls a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.
  • Network attack origins: This measures the originating sources of attacks from the Internet. For example, attacks can target SQL protocols or buffer overflow vulnerabilities.
  • Web-based attack origins: This measures attack sources that are delivered via the Web or through HTTP. Typically, legitimate websites are compromised and used to attack unsuspecting visitors.


This metric assesses the sources from which the largest amount of malicious activity originates. To determine malicious activity by source, Symantec has compiled geographical data on numerous malicious activities, namely: malicious code reports, spam zombies, phishing hosts, bot-infected computers, network attack origins, and Web-based attack origins. The proportion of each activity originating in each source is then determined, and the mean of these percentages is calculated for each source. This average represents the proportion of overall malicious activity that originates from the source in question, and the rankings are determined from it.
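The calculation described above can be worked through as follows. This is an added example, not Symantec's code or data: the sources A, B and C and all counts are constructed, and `pooled_ranking` is a contrast added here to show that averaging percentages weights every activity equally, so the overall ranking can differ from a ranking by raw event volume.

```python
from collections import defaultdict

# Constructed event counts per activity type and source (A, B, C are
# placeholder sources); illustrative numbers, not Symantec data.
SAMPLE_COUNTS = {
    "malicious_code":  {"A": 300, "B": 500, "C": 200},
    "spam_zombies":    {"A": 20,  "B": 150, "C": 30},
    "phishing_hosts":  {"A": 60,  "B": 10,  "C": 30},
    "bots":            {"A": 40,  "B": 30,  "C": 30},
    "network_attacks": {"A": 100, "B": 100, "C": 300},
    "web_attacks":     {"A": 45,  "B": 15,  "C": 40},
}

def activity_shares(counts):
    """Percentage of each activity that originates in each source."""
    shares = {}
    for activity, by_source in counts.items():
        total = sum(by_source.values())
        if total == 0:
            continue  # no observations: the activity cannot be apportioned
        shares[activity] = {s: 100.0 * n / total for s, n in by_source.items()}
    return shares

def _ranked(scores):
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def overall_ranking(counts):
    """Mean of the per-activity percentages for each source, highest first."""
    shares = activity_shares(counts)
    sums = defaultdict(float)
    for by_source in shares.values():
        for source, pct in by_source.items():
            sums[source] += pct
    # A source absent from an activity contributes 0% for that activity.
    return _ranked({s: t / len(shares) for s, t in sums.items()})

def pooled_ranking(counts):
    """Contrast: each source's share of all events pooled (volume-weighted)."""
    pooled = defaultdict(int)
    for by_source in counts.values():
        for source, n in by_source.items():
            pooled[source] += n
    grand_total = sum(pooled.values())
    return _ranked({s: 100.0 * n / grand_total for s, n in pooled.items()})

if __name__ == "__main__":
    for name, fn in (("mean of shares", overall_ranking), ("pooled", pooled_ranking)):
        print(name, [(s, round(p, 2)) for s, p in fn(SAMPLE_COUNTS)])
```

With these constructed counts, source A ranks first overall while leading only three of the six activities, and ranks last when events are pooled by volume.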


Figure A.1. Malicious activity by source: Overall rankings, 2010-2011. Source: Symantec
Figure A.2. Malicious activity by source: Malicious code, 2010-2011. Source: Symantec
Figure A.3. Malicious activity by source: Spam zombies, 2010-2011. Source: Symantec
Figure A.4. Malicious activity by source: Phishing hosts, 2010-2011. Source: Symantec
Figure A.5. Malicious activity by source: Bots, 2010-2011. Source: Symantec
Figure A.6. Malicious activity by source: Web attack origins, 2010-2011. Source: Symantec
Figure A.7. Malicious activity by source: Network attack origins, 2010-2011. Source: Symantec


  • In 2011, the United States and China remained the top two sources overall for malicious activity. The overall average proportion of attacks originating from the United States in 2011 increased by 1.8 percentage points compared with 2010, while the same figure for China decreased by approximately 7 percentage points compared with 2010.
  • The United States was ranked in first position as the source of all activities except Malicious Code, Spam Zombies and Network Attacks. India was ranked in first position for the first two, and China for the last.
  • 12.6% of bot activity originated in the United States: The United States was already the main source of bot-infected computers for the Rustock botnet until March 2011¹, when the botnet was disrupted. Rustock had been one of the largest and most dominant botnets in 2010 and was frequently associated with the Tidserv Trojan. Rustock was estimated to comprise approximately 1.5 million bot-infected computers and was taken out of action in March 2011. This resulted in a seismic shift in the botnet landscape. By the end of 2011, other botnets with spam zombies in other parts of the world were able to take on a more dominant role in spam distribution.
  • 33.5% of Web-based Attacks originated in the United States: Web-based attacks originating from the United States increased by 26.0 percentage points in 2011. Factors that contributed to this activity include attacks related to the Blackhole and Phoenix Web attack kits, exploiting legitimate websites that have been compromised in order to conduct further attacks. Web-based attacks originating from China decreased by 55.8 percentage points in 2011.
  • 26.9% of Network Attacks originated in China. China has the largest population of Internet users² in the Asia region, with approximately 513 million Internet users in 2011. The Internet penetration rate in China was 38.4% in 2011.
  • 48.5% of Phishing websites were hosted in the United States. In 2011, with approximately 245 million Internet users, the United States had an Internet penetration rate of 78.3%.
  • 17.5% of Spam Zombies were located in India, an increase of 11.0 percentage points compared with 2010. The proportion of spam zombies located in the United States fell by 6.4 percentage points to 1.8%, resulting in the United States being ranked in 15th position in 2011, compared with 2nd position in 2010. This decline was in large part a result of the disruption of the Rustock botnet, which at its peak in 2010 had an estimated 1.5M computers under its control.
  • 15.3% of all Malicious Code activities originated from India, an increase of 2.7 percentage points compared with 2010. India is home to the second largest population of internet users in Asia in 2011, with an estimated 121.0 million users and an Internet penetration rate of 10.2%.
1, page 15

2 Internet population and penetration rates in 2011 courtesy of Internet World Stats -