Internet Threats Trend Report October 2011

DESCRIPTION

The Commtouch Quarterly Trends Threat Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The July 2011 edition provides analysis of Internet security threats that occurred during the second quarter of 2011.

Page 1: Oct 2011 Threats Trend Report

Internet Threats Trend Report

October 2011

Page 2: Oct 2011 Threats Trend Report

October 2011 Threat Report

The following is a condensed version of the October 2011 Commtouch Internet Threats Trend Report.

You can download the complete report at www.commtouch.com/threat-report-Oct2011

Copyright© 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.

Page 3: Oct 2011 Threats Trend Report

October 2011 Threat Report

Key Highlights

Trends: Malware, Spam, Web Security, Compromised Websites and Zombies

Feature: What is behind the huge return of email malware?

Page 4: Oct 2011 Threats Trend Report

Key Highlights for Q3 2011

Page 5: Oct 2011 Threats Trend Report

Key Security Highlights

Average daily spam/phishing emails sent

93 billion

Average daily spam continues to decline

Lowest levels in years

Page 6: Oct 2011 Threats Trend Report

336,000 Zombies

Spam Zombie daily turnover

Key Security Highlights

Q3 saw a slight decline from the 377,000 in Q2

(Zombie turnover is the number of zombies turned off and on daily)

Page 7: Oct 2011 Threats Trend Report

Most popular blog topic on user generated content sites

Streaming media/ downloads (24%)

Key Security Highlights

Streaming media & downloads increased its share to nearly one quarter of all UGC

Includes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment)

Page 8: Oct 2011 Threats Trend Report

Key Security Highlights

Most popular spam topic

Pharmacy Ads (29%)

After decreasing for 6 consecutive quarters, Pharmacy Ads increased 5% in Q3

Page 9: Oct 2011 Threats Trend Report

Country with the most Zombies

India (18%)

Key Security Highlights

India continues to top the list again in Q3

Page 10: Oct 2011 Threats Trend Report

Website category most likely to be compromised with malware

Parked Domains

Key Security Highlights

“Pornographic and sexually explicit sites” (1st in Q2) was pushed into 3rd spot by “Parked Domains” and “Portals”

Page 11: Oct 2011 Threats Trend Report

Feature…

What is behind the huge return of email malware?

Page 12: Oct 2011 Threats Trend Report

• In August, Commtouch Labs registered major malware email outbreaks

• The following Chart shows the scale of these attacks

Q3 Malware Trends

Malware email levels – June to Sept 2011

Page 13: Oct 2011 Threats Trend Report

• Campaigns have been successful

• Infection rate generally linear

  • More malware emailed = more infections

• Range of malware families detected in outbreaks

  • Variants of Sasfis, SpyEye, Zeus, fake antivirus, and others

• In most cases the malware contacts external servers and downloads additional malware files to run on the infected machine

Q3 Malware Trends

Analysis of August 2011 Outbreaks

Page 14: Oct 2011 Threats Trend Report

At present, no clear reason for the build-up in bots

1. No increase in spam

  • A common result of large malware outbreaks

2. Most of the malware seen generally associated with specific attacks (e.g., Zeus – banking fraud)

  • So far, no increase in these attacks

Possible reasons for new bot network

• Large scale banking fraud

• Facebook/Gmail/Yahoo account theft

• Distributed denial of service (DDOS)

• Other criminal activity

Analysis cont…

Q3 Malware Trends

Page 15: Oct 2011 Threats Trend Report

Q3 Malware Trends

Top 10 Malware of Q3 2011

| Rank | Malware name |
|------|--------------|
| 1 | W32/Oficla.FO |
| 2 | W32/RAHack.A.gen!Eldorado |
| 3 | W32/Adware.PAP |
| 4 | W32/Sality.gen2 |
| 5 | JS/Pdfka.BG |
| 6 | W32/Patched.G |
| 7 | W32/Damaged_File.B.gen!Eldorado |
| 8 | W32/Bredolab.AP.gen!Eldorado |
| 9 | W32/MalwareF.AFPRH |
| 10 | W32/Heuristic-210!Eldorado |

Source: Commtouch

Page 16: Oct 2011 Threats Trend Report

Q3 Malware Trends

For a complete analysis of Malware in Q3 and the specific attacks employed, download the complete October 2011 Internet Threats Trend Report

www.commtouch.com/threat-report-Oct2011

Page 17: Oct 2011 Threats Trend Report

Trends in Q3 2011…

Spam Trends

Page 18: Oct 2011 Threats Trend Report

Q3 Spam Trends

• Spam levels remain at their lowest in years following the Rustock botnet takedown in March

• Aug and Sept attacks had no effect on spam levels

• Q3 average spam levels near 93 billion email messages/day

[Chart: spam levels, Mar–Sep]

Page 19: Oct 2011 Threats Trend Report

• Spam averaged 76% of all emails sent during Q3 (excluding emails with malware attachments)

Q3 Spam Trends

[Chart: spam as a percentage of all emails, Mar–Sep]

Page 20: Oct 2011 Threats Trend Report

Q3 Spam Trends

Top Faked (Spoofed) Spam Sending Domains*

Source: Commtouch

* The domains that are used by spammers in the “from” field of the spam emails.

• Gmail.com once again the most spoofed domain

• 14th place again held by ups.com due to the very large numbers of fake UPS notification emails sent as part of the Q3 outbreaks

Page 21: Oct 2011 Threats Trend Report

Compromised Accounts

• In addition to spoofed emails (shown above), a percentage of emails from Gmail, Hotmail and Yahoo come from genuine accounts – compromised accounts (though some are accounts specifically created by spammers for spamming)

• In the Q2 2011 Trend Report, Commtouch revealed an increased use of compromised accounts to spread spam (Compromised accounts offer several advantages, including the fact that they are difficult to block using IP reputation implemented by many anti-spam solutions)

Page 22: Oct 2011 Threats Trend Report

Compromised Accounts

Analysis of spam “from” Gmail & Hotmail – Q2/Q3 2011

• Hotmail: 28-35% of the spam from Hotmail actually comes from compromised or spammer Hotmail accounts

• Gmail: Most Gmail Spam (96-97%) comes from zombies that simply forge Gmail addresses

• Q3 saw growth in use of Hotmail & Gmail compromised accounts in comparison to Q2

Source: Commtouch

Page 23: Oct 2011 Threats Trend Report

Compromised Accounts

Compromised Accounts Analysis

• Having observed greater use of compromised accounts, Commtouch undertook primary research into the use of these accounts for sending spam

• The research included the surveying of people whose accounts had been compromised

• Results confirm Commtouch observations with regard to the increased use of compromised accounts for sending spam

Page 24: Oct 2011 Threats Trend Report

Compromised Accounts

• More than half of the accounts were used to send spam or scams

• 23% of respondents not sure what their accounts were used for

• Compromised Facebook accounts generally used to further the spread of malware or post links to marketing scam websites

What Compromised Accounts Used For

Page 25: Oct 2011 Threats Trend Report

Compromised Accounts

Review the full survey report and find out…

1. Which accounts were affected

2. How accounts were compromised

3. Activity account was used for – e.g., spam, scam, etc.

4. How account owners found out

5. Action owners took to regain control of their account

Full results of the survey can be found at http://www.commtouch.com/hacked-accounts-report-Oct2011

Compromised Accounts Survey

Page 26: Oct 2011 Threats Trend Report

Q3 Spam Trends

• Top topic “pharmacy spam” stopped its downward slide of the past six quarters, adding 5% to reach 29% of all spam

• “Enhancers” added 5 points, accounting for > 17% of spam

Source: Commtouch

Spam Topics

Page 27: Oct 2011 Threats Trend Report

Q3 Spam Trends

Find out more about Spam Trends in Q3 by downloading the complete October 2011 Internet Threats Trend Report

www.commtouch.com/threat-report-Oct2011

Page 28: Oct 2011 Threats Trend Report

Trends in Q3 2011…

Web Security

Page 29: Oct 2011 Threats Trend Report

Q3 Facebook Threats

Exploits in Q3 2011

Facebook continues to draw the attention of malware authors

Page 30: Oct 2011 Threats Trend Report

Q3 Facebook Threats

August 2011 “Friend” malware

• A range of “friend request” emails were sent to draw recipients to download a banking Trojan

Page 31: Oct 2011 Threats Trend Report

Q3 Facebook Threats

September 2011 “Like” Scams

How scams worked

The Trap: Offers to get “free” merchandise

• “The First 50.000 participants Get an iPhone 4 for free”

• “The first 25,000 that signup get a free pair of Beats by Dre headphones”

• “The first 1,000 participants Will Get An Facebook Phone for Free”

• “The First 25,000 Participants Will Get A Free Facebook Hoodie”

What Facebook users had to do:

Like several pages, provide their shipping addresses and forward the invite on to 100 or so friends (thus ensuring the spread of the scam)

Result: Pages liked by hundreds of thousands of users

Page 32: Oct 2011 Threats Trend Report

Q3 Facebook Threats

Example of “Like” scam

Page 33: Oct 2011 Threats Trend Report

Q3 Facebook Threats

How the Scammers Benefitted

Improved visibility/promotion of the scammer page:

• Like appears on the Liker’s Wall and may appear in News Feeds

• Liker displayed on the Page that was liked and ads about Page

• Liked Facebook Pages can post updates to the Liker’s News Feed or send them messages

• Liker’s connection to the page may also be shared with apps on the Facebook Platform

Also…

• Scammers got people’s shipping addresses (helpful in ID theft)

• “Facebook Hoodie” offer linked to external site with further links to marketing scams, bringing the scammer per-click revenues

Page 34: Oct 2011 Threats Trend Report

Q3 Web Security Threats

Learn more about other Web Security Threats in Q3:

• PHP Thumbs exploit

• Others

Download the complete October 2011 Internet Threats Trend Report for more details

www.commtouch.com/threat-report-Oct2011

Page 35: Oct 2011 Threats Trend Report

Website categories infected with malware

Q3 Compromised Websites

Portals category includes sites offering free homepages, which are abused to host phishing and malware content or redirects to other sites with this content

• Pornographic and sexually explicit sites were pushed down to the 3rd spot by parked domains and portals (As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites)

| Rank | Category |
|------|----------|
| 1 | Parked Domains |
| 2 | Portals |
| 3 | Pornography/Sexually Explicit |
| 4 | Education |
| 5 | Entertainment |
| 6 | Business |
| 7 | Computers & Technology |
| 8 | Health & Medicine |
| 9 | Shopping |
| 10 | Travel |

Source: Commtouch

Page 36: Oct 2011 Threats Trend Report

Q3 Compromised Websites

Portals category includes sites offering free homepages, which are abused to host phishing and malware content.

Website categories infected with phishing

| Rank | Category |
|------|----------|
| 1 | Games |
| 2 | Portals |
| 3 | Shopping |
| 4 | Fashion & Beauty |
| 5 | Education |
| 6 | Sports |
| 7 | Leisure & Recreation |
| 8 | Business |
| 9 | Health & Medicine |
| 10 | Entertainment |

Source: Commtouch

• This is an analysis of which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner)

• Games retained its ranking as highest, as in Q2 2011

Page 37: Oct 2011 Threats Trend Report

Trends in Q3 2011…

Zombie Trends

Page 38: Oct 2011 Threats Trend Report

Q3 Zombie Trends

• Q3 saw an average turnover of 336,000 zombies each day that were newly activated for sending spam

• Slight decrease compared to the 377,000 from Q2

Daily Turnover of Zombies in Q3

Source: Commtouch

Page 39: Oct 2011 Threats Trend Report

Q3 Zombie Trends

Worldwide Zombie Distribution in Q2

• India once again claimed the top zombie producer title, increasing its share to over 18%

• Brazil dropped to 3rd position by decreasing its share of global zombie population by nearly 3%

• The US and Iran joined top 15, displacing Poland and Italy

Source: Commtouch

Page 40: Oct 2011 Threats Trend Report

Trends in Q3 2011…

Web 2.0 Trends

Page 41: Oct 2011 Threats Trend Report

Q3 Web 2.0 Trends

• “Streaming media and downloads” was again the most popular blog or page topic in Q3 (up to 24% of all UGC)

Web 2.0 Trends

Source: Commtouch

| Rank | Category | Percentage |
|------|----------|------------|
| 1 | Streaming Media & Downloads | 24% |
| 2 | Entertainment | 9% |
| 3 | Computers & Technology | 8% |
| 4 | Pornography/Sexually Explicit | 6% |
| 5 | Fashion & Beauty | 5% |
| 6 | Religion | 5% |
| 7 | Restaurants & Dining | 5% |
| 8 | Arts | 5% |
| 9 | Sports | 4% |
| 10 | Education | 4% |
| 11 | Leisure & Recreation | 3% |
| 12 | Health & Medicine | 3% |
| 13 | Games | 3% |
| 14 | Sex Education | 2% |

The streaming media & downloads category includes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment).

Page 42: Oct 2011 Threats Trend Report

Review of Q3 2011

Page 43: Oct 2011 Threats Trend Report

Review of Q3 2011

Source: Commtouch

Timeline: July, August, September

• Spam ratio reaches low of 74%

• Email-malware outbreaks start

• 25 billion malware emails in one day

• Twitter notifications lead to spam

• Gap Athleta fake order malware

• Most spam per day: 120 billion

• Lowest spam per day: 64 billion

• PHP Thumbs Web exploit

• Right-to-Left override used in malware

• Android malware added to extended Wildlist

• Facebook friend notifications led to malware

• “map of love” email malware

• Facebook “like” scams

Page 44: Oct 2011 Threats Trend Report

Download the complete October 2011 Internet Threats Trend Report at www.commtouch.com/threat-report-Oct2011

Page 45: Oct 2011 Threats Trend Report

For more information contact: [email protected]

650 864 2000 (Americas) +972 9 863 6895 (International)

Web: www.commtouch.com

Blog: http://blog.commtouch.com