Symantec Intelligence Report: October 2012

Technology News, Friday November 30, 2012 14:31 — PRESS RELEASE LOCAL

Bangkok--30 Nov--Oasis Media

Scammers take to Instagram; Spam rates drop by 10 percentage points; Ransomware evolves

Report highlights
- Spam — 64.8 percent (a decrease of 10.2 percentage points since September)
- Phishing — One in 286.9 emails identified as phishing (a decrease of 0.059 percentage points since September)
- Malware — One in 229.4 emails contained malware (a decrease of 0.04 percentage points since September)
- Malicious websites — 933 websites blocked per day (an increase of 19.7 percent since September)
- Scammers attempt to leverage Instagram
- Why global spam rates are down this month
- The evolution of Ransomware
- Other stories in the threat landscape this month

Report analysis

Instaspam: Scammers take to Instagram
by Ben Nahorney, Cyber Security Threat Analyst, Symantec

As an amateur photographer and fan of image effects, I’ve taken a liking to Instagram. I’m far from alone in this, given how the photo app has recently crossed the 100 million user mark.[1] Unfortunately, spammers have noticed this too and are attempting to take advantage of those using the popular service. They’re approaching it from a variety of angles, in much the same way as they have on other social networks.

It all began when I received a notification on my phone about an Instagram comment. It came from an unfamiliar account, had nothing to do with the photo, and was obviously spam.

So what led to this sudden popularity? Did I end up taking a particularly spectacular photo, garnering newfound fame, and eventually hitting Instagram’s Popular page? Or was something else in the mix here?

All of these new followers had a few things in common:
- They were all “women” with attractive profile pictures.
- None of them had posted any photos.
- Their profile Bios included a quote, followed by a shortened URL.

It’s important to note that Instagram isn’t alone when it comes to scams like these, and most social networks have methods to deal with them.
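The three observable traits above (no posts, a link in the bio, a shortened link whose destination cannot be inspected) can be turned into a triage rule. The following is an added example, not code from the report or from Instagram: it scores constructed follower records on those signals and applies the "ignore it" advice. The Account fields, the list of shortener hosts and the sample accounts are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical shortener list, an assumption for this example; a real deployment
# would use a maintained list of link-shortening services.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd", "tiny.cc"}

# Matches scheme/www-prefixed URLs and bare shortener links such as "bit.ly/abc".
URL_RE = re.compile(
    r"(?:https?://|www\.)[^\s<>\"']+"
    r"|\b(?:" + "|".join(re.escape(h) for h in sorted(SHORTENER_HOSTS)) + r")/[^\s<>\"']+",
    re.IGNORECASE,
)


@dataclass
class Account:
    """The fields a follower notification exposes; constructed for this example."""
    username: str
    post_count: int
    bio: str
    known_contact: bool = False  # a person the user actually knows


def extract_urls(text: str) -> list[str]:
    """Return the URLs in free text, with trailing punctuation removed and a scheme added."""
    urls = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:!?)")
        if not raw.lower().startswith("http"):
            raw = "http://" + raw
        urls.append(raw)
    return urls


def is_shortened(url: str) -> bool:
    """True when the host is a shortener, i.e. the real destination is hidden."""
    host = (urlsplit(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def spam_signals(acct: Account) -> list[str]:
    """Collect the signals named in the report: no posts, a link in the bio,
    a shortened link, and text (the 'quote') preceding that link."""
    signals = []
    if acct.post_count == 0 and not acct.known_contact:
        signals.append("no_posts")
    urls = extract_urls(acct.bio)
    if urls:
        signals.append("url_in_bio")
        if any(is_shortened(u) for u in urls):
            signals.append("shortened_url_in_bio")
        first = URL_RE.search(acct.bio)
        if first and acct.bio[: first.start()].strip():
            signals.append("text_before_url")
    return signals


def should_ignore(acct: Account) -> bool:
    """Apply the report's advice: ignore unknown accounts with no posts and a hidden link."""
    signals = spam_signals(acct)
    return "no_posts" in signals and "shortened_url_in_bio" in signals


# Constructed sample accounts, not real Instagram data.
SAMPLE_ACCOUNTS = [
    Account("sunny_days_88", 0, "Live, laugh, love. bit.ly/2xAbCd"),
    Account("photo_walks", 142, "Street photography from Bangkok. https://example.org/portfolio"),
    Account("aunt_mary", 0, "Just here to see the grandkids' photos", known_contact=True),
    Account("deals4u", 0, "Best prices!! http://tinyurl.com/cheapstuff"),
]


def triage(accounts: list[Account]) -> dict[str, tuple[list[str], bool]]:
    """Map each username to its signals and the ignore decision."""
    return {a.username: (spam_signals(a), should_ignore(a)) for a in accounts}


if __name__ == "__main__":
    for name, (signals, ignore) in triage(SAMPLE_ACCOUNTS).items():
        print(f"{name:15} ignore={ignore!s:5} signals={signals}")
```

The `known_contact` flag implements the exception in the advice that follows (a relative who only views photos has no posts but is not spam); the shortened-link signal is what distinguishes the accounts worth ignoring from ordinary users who simply link a portfolio.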
Posting spam clearly violates Instagram’s community guidelines, and accounts found guilty of doing so are quickly disabled. In fact, Instagram actively monitors for certain content and has put together a detailed privacy and safety how-to covering how to report inappropriate comments and users.[2] In addition to this, the following best practices will help you stay safe:
- Set your account to Private. This way you have control over who follows you and who doesn’t.
- Don’t follow arbitrary followers. If you suspect an account isn’t real, ignore it.
- Don’t click shortened URLs unless you know where they lead.
- Optional: Don’t follow or accept followers without photos. The exception to this rule is if you know the person. Some people do like to view photos, but don’t like to take them.
- Finally, report any suspicious accounts or comments to Instagram and follow their Privacy & Safety guidelines.[3]

October spam fell by 10 percentage points

We noticed something interesting this month when analyzing our spam rates: there has been a 10 percentage point drop in the global spam rate for the month. We decided to take a closer look at what may be responsible for the drop.

We looked at the spam rates as seven-day averages. These averages peaked in mid-September, at around 43 million messages per day, and then began their decline, bottoming out around the beginning of October. It appears that the Festi botnet has recently gone quiet and could be partly responsible for this sudden decline. This botnet was very active in early September before all but disappearing in October.

Ransomware Evolution: The Journey Continues
by Hon Lau, Security Response, Symantec

This year has seen a ramping up in the presence of ransomware, not just in terms of the sheer numbers seen in the wild, but also in terms of the new techniques being incorporated.
In the early days, ransomware creators were content with simply locking the screen and displaying simple, straightforward messages asking for payment of a ransom to restore access to the computer. Some also encrypted files and demanded payment for a decryption key. These techniques showed a lack of imagination, but they were tried and tested, and they represented the initial efforts of cybercriminals to extort money from innocent users. The use of embarrassing material, such as displaying pornographic images on the screen of a locked computer, was fairly effective and often used.

More recently, ransomware purporting to be from law enforcement, with content localized to the country of the user, has become the norm. Typically, the lock-up screen in these examples uses social engineering to inform the user that they have been caught engaging in illegal online activity. The message then threatens to involve law enforcement or take legal action in order to coerce the user into complying. As shown in a report from November 2011,[4] about 46 percent of adults in the US have acquired copyrighted material through less than legitimate means; for the 18-29 age group, an even larger share, 70 percent, have engaged in such activity. If these statistics do indeed reflect the reality on the ground, then this law enforcement-inspired social engineering trickery has a good chance of working, particularly when combined with other techniques such as screen and input device locking.
Other news in the Threat Landscape
contributions by Eamonn Young and Jarrad Shearer

At the beginning of the summer, Symantec analyzed a new threat by the name of W32.Flamer.[8] The level of sophistication of this threat was matched only by that of W32.Stuxnet[9] and W32.Duqu.[10] It came to our attention that this threat had been operating for the past two years and had primarily been targeting computers in the Middle East.[11] Recently, we discovered a new module of this threat.[12] This is one of the previously unknown components that communicates using one of the protocols supported by the threat’s command-and-control infrastructure. We named this new component W32.Flamer.B,[13] which opens a back door on a compromised computer and allows an attacker to steal information.

A new version of the Blackhole toolkit[14] also appeared in October. Dubbed Blackhole 2.0, the newer version of the toolkit has dropped exploits for vulnerabilities that have since been patched and now provides a number of new features to make it harder for antivirus software to detect and defend against exploit attacks. For instance, the new version includes single-use URL generation, and can manage multiple domains from one administrative panel.

Finally, some good news broke this month as authorities in Australia, Canada, and the US joined forces to shut down global tech support scams responsible for cold-calling users and falsely telling them their computers are infected with viruses.[15] Canadian authorities announced that they had shut down two companies[16] and fined them over $500,000 in total. Meanwhile, US authorities announced that they had frozen the assets of six operators[17] and initiated legal action against 16 companies and 17 individuals. While a victory for the good guys, it is unlikely to stop this type of scam entirely, as others may well take their place. Remember to remain vigilant and know that tech companies won’t call unsolicited. If you receive an unsolicited call from someone claiming to be a technical support agent, it’s likely a scam.
Spam Analysis

In October, the global ratio of spam in email traffic fell by 10.2 percentage points since September, to 64.8 percent (1 in 1.54 emails). This follows the continuing trend of global spam levels diminishing gradually since the latter part of 2011.

Global Spam Categories

The most common category of spam in October was Sex/Dating, at 62.73 percent.

Spam URL Distribution based on Top Level Domain Name

The proportion of spam exploiting URLs in the .com top-level domain increased in October, as highlighted in the table below. This is in line with a modest decrease for the .ru top-level domain this month.

Average Spam Message Size

In October, the proportion of spam emails that were 5 KB in size or less decreased by 20.3 percentage points. Furthermore, the proportion of spam messages that were greater than 10 KB in size increased by one percent.

Spam Attack Vectors

October highlights the increase in spam emails resulting in NDRs (spam-related non-delivery reports). In these cases, the recipient email addresses are invalid or are bounced by their service provider. The proportion of spam that contained a malicious attachment or link increased, with periodic spikes of spam activity during the period, as shown in the chart below.

Phishing Analysis

In October, the global phishing rate decreased by 0.059 percentage points, taking the global average rate to one in 286.9 emails (0.35 percent) that comprised some form of phishing attack.

Analysis of Phishing Websites

The overall number of phishing sites decreased by about 22 percent this month. Unique domains decreased by about 13 percent compared with the previous month. Phishing websites that used automated toolkits increased by 5 percent. Phishing websites with IP domains (e.g. domains like http://255.255.255.255) decreased by about 30 percent. Web hosting services accounted for 4 percent of all phishing, a decrease of 4 percent from the previous month.
The number of non-English phishing sites increased by 17 percent. Among non-English phishing sites, French, Italian, Portuguese, and Chinese were highest in September.

Malware Analysis

Email-borne Threats

The global ratio of email-borne viruses in email traffic was one in 229.4 emails (0.44 percent) in October, a decrease of 0.04 percentage points since September. In October, 23.5 percent of email-borne malware contained links to malicious websites, 1.3 percentage points higher than in September.

Frequently Blocked Email-borne Malware

The table below shows the most frequently blocked email-borne malware for October, many of which relate to generic variants of malicious attachments and malicious hyperlinks distributed in emails. Approximately 35.4 percent of all email-borne malware was identified and blocked using generic detection. Malware identified generically as aggressive strains of polymorphic malware accounted for 15.2 percent of all email-borne malware blocked in October. The top-ten list of most frequently blocked malware accounted for approximately 55.9 percent of all email-borne malware blocked in October.

Web-based Malware Threats

In October, Symantec Intelligence identified an average of 933 websites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 19.2 percent since September. This reflects the rate at which websites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity. As detection for Web-based malware increases, the number of new websites blocked decreases and the proportion of new malware begins to rise, but initially on fewer websites. Further analysis reveals that 38.5 percent of all malicious domains blocked were new in October; an increase of 1.63 percentage points compared with September.
Additionally, 11.0 percent of all Web-based malware blocked was new in October; a decrease of 0.4 percentage points since September.

Endpoint Security Threats

The endpoint is often the last line of defense and analysis; however, it can also be the first line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may be deployed, such as gateway filtering.

For much of 2012, variants of W32.Sality.AE[19] and W32.Ramnit[20] have been the most prevalent malicious threats blocked at the endpoint. Variants of W32.Ramnit accounted for approximately 13.6 percent of all malware blocked at the endpoint in October, compared with 6.9 percent for all variants of W32.Sality. Approximately 12.7 percent of the most frequently blocked malware last month was identified and blocked using generic detection.

Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created using toolkits, and hundreds of thousands of variants can be created from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each variant would traditionally need its own signature to be correctly identified and blocked. By deploying techniques such as heuristic analysis and generic detection, it’s possible to correctly identify and block several variants of the same malware family, as well as identify new forms of malicious code that seek to exploit certain vulnerabilities that can be identified generically.
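The difference between a per-variant signature and generic detection, as the paragraph above describes it, can be shown with a small scanner. What follows is an added example, not Symantec’s detection engine or any vendor’s signature format: it holds one SHA-256 hash for a known file alongside one byte pattern with wildcards, then runs both over constructed samples (a base strain, three toolkit-style variants that differ by a few bytes, and an unrelated file). The sample bytes, the detection names and the `??`/`[min-max]` pattern syntax are assumptions made for the example; the syntax mimics the hex-pattern style of YARA and ClamAV but is not theirs.

```python
import hashlib
import re

# Constructed samples, not real malware: a base strain and three variants of the kind a
# toolkit churns out by changing a few bytes, plus an unrelated file with the same prologue.
PROLOGUE = b"\x55\x8b\xec\x83\xec\x20"  # push ebp; mov ebp,esp; sub esp,0x20
BASE = (PROLOGUE + b"toolkit-payload-v1:" + b"\x90" * 8
        + b"\xe8\x10\x00\x00\x00" + b"http://c2.example/")
VARIANT_A = BASE.replace(b"v1", b"v2")                                       # version string changed
VARIANT_B = BASE.replace(b"\x90" * 8, b"\x90\x90\x41\x90\x90\x42\x90\x90")   # junk bytes in the NOP sled
VARIANT_C = BASE.replace(b"\xe8\x10\x00\x00\x00", b"\xe8\x20\x00\x00\x00")   # different call offset
UNRELATED = PROLOGUE + b"hello world" + b"http://c2.example/"
SAMPLES = [BASE, VARIANT_A, VARIANT_B, VARIANT_C, UNRELATED]

# Per-sample signature: one SHA-256 per known file. Hypothetical detection name.
HASH_SIGNATURES = {hashlib.sha256(BASE).hexdigest(): "Trojan.Example"}

# Generic signature: fixed bytes, '??' for any single byte, '[min-max]' for a
# variable-length gap. Hypothetical detection name and pattern.
GENERIC_SIGNATURES = {
    "Trojan.Example!gen": "55 8b ec 83 ec 20 [0-64] e8 ?? 00 00 00",
}

JUMP_RE = re.compile(r"\[(\d+)-(\d+)\]")


def compile_generic(pattern: str) -> re.Pattern:
    """Translate a hex pattern with wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        jump = JUMP_RE.fullmatch(tok)
        if tok == "??":
            parts.append(b".")
        elif jump:
            parts.append(b".{%d,%d}" % (int(jump.group(1)), int(jump.group(2))))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_generic(p) for name, p in GENERIC_SIGNATURES.items()}


def scan(sample: bytes) -> list[str]:
    """Return the detection names that fire on a sample: hash-based first, then generic."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())
    if name:
        hits.append(name)
    for gname, rx in COMPILED.items():
        if rx.search(sample):
            hits.append(gname)
    return hits


def detection_summary(samples: list[bytes]) -> dict[str, int]:
    """Count samples caught by each method; the report expresses this split as a percentage."""
    by_hash = sum(1 for s in samples if hashlib.sha256(s).hexdigest() in HASH_SIGNATURES)
    by_generic = sum(1 for s in samples if any(rx.search(s) for rx in COMPILED.values()))
    return {"hash": by_hash, "generic": by_generic, "total": len(samples)}


if __name__ == "__main__":
    for label, s in zip(["base", "A", "B", "C", "unrelated"], SAMPLES):
        print(f"{label:10} {scan(s)}")
    print(detection_summary(SAMPLES))
```

The hash catches only the exact file it was made from; every one-byte change produces a new hash and a miss. The generic pattern anchors on the parts the toolkit leaves alone (the function prologue and the shape of the call instruction) and tolerates the bytes it varies, so one signature covers the family while still ignoring the unrelated file that shares only the prologue. The trade-off a practitioner should keep in mind is that a pattern made too loose starts matching benign code, which is why production engines pair such patterns with further conditions before they convict.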
