Symantec Intelligence Report July 2011: Aggressive use of rapidly changing malware leads to rise in sophisticated socially engineered attacks; twist in phishing attacks bait mobile phone users

Symantec Corp. announced the publication of its July 2011 Symantec Intelligence Report, now combining the best research and analysis from the MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This month’s analysis reveals a significant increase in activity related to what may be described as a aggressive and rapidly changing form of generic polymorphic malware. With one in 280.9 emails identified as malicious in July, the rise accounted for 23.7 percent of all email-borne malware intercepted in July; more than double the same figure six months ago, indicating a much more aggressive strategy on the part of the cyber criminals responsible.”The number of variants, or different strains of malware involved in each attack has grown dramatically, by a factor of 25 times, when compared to the previous six months. This is a disturbing proliferation in such a short time, increasing the risk profiles of many organizations as these new strains are much harder to detect using traditional security defenses,” said Paul Wood, senior intelligence analyst, report shows that the malware is frequently contained inside an executable within the attached ZIP archive file, and often disguised as a PDF file or an office document, for example. “This new aggressive approach to distributing generic polymorphic malware on such a scale should be concerning for many businesses, particularly for those who rely solely on more traditional security countermeasures, which this type of malware is designed to evade. One example of this technique involves changing the startup code in almost every version of the malware; subtly changing the structure of the code and making it harder for emulators built-in to many anti-virus products to identify the code as malicious,” added Wood.Further analysis also reveals that phishing attacks have been seeking various means to exploit vulnerable cell phone users. According to Wood, “Two key areas in which we can see this trend are, firstly, the increase in phishing against wireless application protocol (WAP) pages, which are lightweight Web pages designed for smaller mobile devices such as cell phones; and secondly, the use of compromised domain names that have been registered for mobile devices, for example, using the .mobi top-level domain.”Symantec has identified phishing sites spoofing such Web pages and has been monitoring the trend. In July, social networking and information services brands were frequently observed in these phishing sites. The primary motive of these attacks continues to be identity theft. Targeting cell phone users is just part of a new strategy for achieving the same result.Other report highlights:Spam: In July 2011, the global ratio of spam in email traffic rose to 77.8 percent (one in 1.29 emails); an increase of 4.9 percentage when compared with June 2011.Phishing: In July, phishing email activity increased by 0.01 percentage points since June 2011; one in 319.3 emails (0.313 percent) comprised some form of phishing attack.E-mail-borne Threats: The global ratio of email-borne viruses in email traffic was one in 280.9 emails (0.333 percent) in July, an increase of 0.01 percentage points since June 2011.Web-based Malware Threats: In July, Symantec Intelligence identified an average of 6,797 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 25.5 percent since June 2011.Endpoint Threats: The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit2, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 17.3 percent of all malicious software blocked by endpoint protection technology in July.Geographical Trends:Spam

  • As the global spam level declined in July 2011, Saudi Arabia remained the most spammed geography, with a spam rate of 85.6 percent Russia remained the second most-spammed.
  • In the US, 78.0 percent of email was spam and 77.7 percent in Canada.
  • The spam level in the UK was 78.2 percent.
  • In The Netherlands, spam accounted for 78.8 percent of email traffic, 77.9 percent in Germany, 77.6 percent in Denmark and 75.8 percent in Australia.
  • In Hong Kong, 76.8 percent of email was blocked as spam and 75.7 percent in Singapore, compared with 74.7 percent in Japan.
  • Spam accounted for 76.9 percent of email traffic in South Africa and 78.7 percent in Brazil.


  • Phishing attacks in the UK increased to overtake South Africa and become the most targeted geography for phishing emails in July, with one in 127.9 emails identified as phishing attacks. Phishing in South Africa fell slightly to make it the second most targeted country, with one in 163.1 emails identified as phishing attacks.
  • Phishing levels for the US were one in 1,237 and one in 192.6 for Canada.
  • In Germany phishing levels were one in 798.3, one in 1,448 in Denmark and one in 526.9 in The Netherlands.
  • In Australia, phishing activity accounted for one in 850.8 emails and one in 2,503 in Hong Kong; for Japan it was one in 13,167 and one in 872.9 for Singapore.
  • In Brazil, one in 382.4 emails were blocked as phishing attacks.

E-mail-borne threats

  • Email-borne malware attacks rose in South Africa as the country became the geography with the highest ratio of malicious emails in July, overtaking the UK as one in 125.2 emails was identified as malicious in July; in the UK one in 127.0 emails was malicious.
  • In the US, virus levels for email-borne malware were one in 634.8 and one in 255.9 for Canada.
  • In Germany virus activity reached one in 482.1, one in 1,033 in Denmark and in The Netherlands one in 451.3.
  • In Australia, one in 654.8 emails were malicious and one in 748.7 in Hong Kong; for Japan it was one in 2,093, compared with one in 761.8 in Singapore.
  • In Brazil, one in 332.1 emails in contained malicious content.

Vertical Trends:

  • In July, the Automotive industry sector remained the most spammed industry sector, with a spam rate of 80.7 percent.
  • Spam levels for the Education sector reached 80.3 percent and 77.9 percent for the Chemical & Pharmaceutical sector; 77.8 percent for IT Services, 77.8 percent for Retail, 77.0 percent for Public Sector and 77.0 percent for Finance.
  • The Public Sector remained the most targeted by phishing activity in July, with one in 73.2 emails comprising a phishing attack.
  • Phishing levels for the Chemical & Pharmaceutical sector were one in 799.0 and one in 566.2 for the IT Services sector; one in 482.3 for Retail, one in 87.8 for Education and one in 396.7 for Finance.
  • With one in 62.1 emails being blocked as malicious, the Public Sector remained the most targeted industry in July.
  • Virus levels for the Chemical & Pharmaceutical sector were one in 438.9 and one in 390.0 for the IT Services sector; one in 418.3 for Retail, one in 79.1 for Education and one in 443.5 for Finance.

The July 2011 Symantec Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available here.About Symantec Intelligence ReportThe Symantec Intelligence report combines the best research and analysis from the MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from June and July 2011.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.