Malicious Web Activity Declined In April, Says Symantec

Symantec.cloud reported a significant drop in spam and malware sites in April, MessageLabs Intelligence reports

Spam volumes and the number of malicious Websites fell in April, according to the latest MessageLabs monthly report from Symantec.cloud.

Spam dropped 6.4 percent in April, making up 72.9 percent of all email traffic, and the number of Websites blocked for carrying malware fell by nearly 20 percent, Symantec.cloud researchers wrote in the April MessageLabs Intelligence report. The spam decline may be the direct result of the shutdown of the Rustock botnet in mid-March, but spam remained a problem.

Overall Drop In Malicious Activity

Overall malicious Web activity also declined. Although there was an average of 2,431 Websites harbouring malware, spyware and adware, there were 18.2 percent fewer sites than in March, the report found. A third of the malicious sites and 22.5 percent of all Web-based malware blocked were new in April, all lower than the March numbers.

Virus and phishing levels remained virtually unchanged in April. The most frequently blocked malware was the W32.Sality.AE virus, which spreads by infecting executable files. However, there was an increase in Bredolab-, Sasfis-, Zeus- and SpyEye-related malware, which accounted for 55.1 percent of all malware. These Trojans tend to spread as ZIP file attachments rather than as hyperlinks.

Only 13.2 percent of email-borne malware contained links to a malicious Website in April, a drop of 50.3 percent since March. The decline is actually because the increased volume of malicious attachments “pushed down the relative proportion of attacks using hyperlinks”, the researchers wrote.

MessageLabs Intelligence identified 11 automated bots operating on a “popular micro-blogging service”, posting messages that used shortened URLs pointing to rogue Web sites. The bots randomly inserted Twitter handles into the spam messages to encourage users to click to find out why they were mentioned. The bots were also checking the trending topics and inserting those terms in their automated messages, according to the report.

Clicking on the links generally redirected users to a Website filled with advertisement links, which generated pay-per-click revenue for the site owner.

After the shortened URL in a message had been active for an hour, the bots would update the message to use a different link pointing to the same malicious portal, making it harder to detect or block. Even if services like bit.ly try to shut down the link, the bots have already moved on.
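The rotation described above defeats blocklists keyed on the shortened URL, because each hour brings a fresh short link. The defensive counter is to resolve each short link to its final destination and group posts by that destination, so rotated links to the same portal collapse into one cluster. The following is an added illustration, not code from the MessageLabs report or from Symantec; it replaces live HTTP redirect lookups with a constructed redirect table, and all URLs, account names and message texts are made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed redirect table standing in for live HEAD requests.
# In practice the lookup function would issue a request and read the
# Location header; here a dict keeps the example offline.
REDIRECTS = {
    "http://bit.ly/aaa111": "http://rdr.example/go?id=1",
    "http://rdr.example/go?id=1": "http://ads-portal.example/landing",
    "http://bit.ly/bbb222": "http://ads-portal.example/landing?utm=2",
    "http://bit.ly/ccc333": "http://ads-portal.example/landing",
    "http://bit.ly/loop1": "http://bit.ly/loop2",   # deliberate redirect loop
    "http://bit.ly/loop2": "http://bit.ly/loop1",
    "http://bit.ly/ddd444": "https://news.example/story",
}

# Constructed sample posts in the style the report describes: a random
# handle plus a trending term, then a rotating short link.
POSTS = [
    ("bot_one", "@alice you have to see this #trendingtopic http://bit.ly/aaa111"),
    ("bot_one", "@bob why are people talking about you? http://bit.ly/bbb222"),
    ("bot_two", "@carol #trendingtopic http://bit.ly/ccc333"),
    ("bot_two", "check this http://bit.ly/loop1"),
    ("human_user", "good read http://bit.ly/ddd444"),
]

URL_RE = re.compile(r"https?://\S+")


def resolve(url, lookup=REDIRECTS.get, max_hops=5):
    """Follow a redirect chain to its final URL.

    Returns (final_url, hops, status) where status is 'ok', 'loop'
    (the chain revisits a URL) or 'too_many_hops' (chain exceeds max_hops).
    Bounding hops and detecting loops keeps a hostile chain from
    stalling the resolver.
    """
    seen = []
    cur = url
    while True:
        if cur in seen:
            return cur, len(seen), "loop"
        if len(seen) >= max_hops:
            return cur, len(seen), "too_many_hops"
        seen.append(cur)
        nxt = lookup(cur)
        if nxt is None:            # no further redirect: this is the landing page
            return cur, len(seen) - 1, "ok"
        cur = nxt


def destination_key(url):
    """Canonical key for a landing page: scheme, lowercased host and path.

    The query string is dropped so that per-link tracking parameters
    do not split one portal into many clusters.
    """
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower(), parts.path)


def cluster_posts(posts, lookup=REDIRECTS.get):
    """Group posts by resolved destination.

    Returns (clusters, unresolved): clusters maps a destination key to the
    set of short URLs and accounts that pointed at it; unresolved lists
    links whose chain looped or ran too long, which deserve their own review.
    """
    clusters = defaultdict(lambda: {"short_urls": set(), "accounts": set()})
    unresolved = []
    for account, text in posts:
        for short in URL_RE.findall(text):
            short = short.rstrip(".,!?)")          # strip trailing punctuation
            final, _hops, status = resolve(short, lookup)
            if status != "ok":
                unresolved.append((account, short, status))
                continue
            key = destination_key(final)
            clusters[key]["short_urls"].add(short)
            clusters[key]["accounts"].add(account)
    return clusters, unresolved


def flag_rotating(clusters, min_distinct_short=2):
    """Destinations reached through several different short links: the
    rotation signature. A single destination behind many short URLs is
    what a blocklist keyed on the short URL would miss."""
    return {key: c for key, c in clusters.items()
            if len(c["short_urls"]) >= min_distinct_short}


if __name__ == "__main__":
    clusters, unresolved = cluster_posts(POSTS)
    for key, c in flag_rotating(clusters).items():
        print("rotating destination", key, "short links:", sorted(c["short_urls"]),
              "accounts:", sorted(c["accounts"]))
    for item in unresolved:
        print("unresolved chain", item)
```

With the sample data, the three rotated bit.ly links collapse onto the single ads portal and both bot accounts are attributed to it, while the legitimate news link stays in its own cluster and the looping chain is reported separately rather than silently dropped. Blocking or scoring on the destination key, rather than on the short URL, is what survives the hourly link swap.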

Spear Phishing Increasing

The April report also examined some targeted attacks that occurred in March. The number of targeted attacks rose to 85 per day in March, a 10.5 percent increase over a six-month period, the report found.

“The trend in targeted attacks suggests there may be a seasonal pattern as the number of targeted attacks always seems to be higher at this time of year,” said Paul Wood, MessageLabs Intelligence Senior Analyst at Symantec.cloud.

Attackers may be moving away from wide-scale spam campaigns and focusing on targeted attacks on individuals and organisations. The number of targeted attacks per day in March 2011 was at the second-highest rate recorded by Symantec.cloud since the run-up to London’s G20 summit in March 2009, according to the report.

While the number of targeted attacks has increased, the overall number of attacks has not increased significantly, according to the report.

The report highlighted the recently discovered Adobe zero-day vulnerability (CVE-2011-0609), which could be exploited by a malicious Flash file embedded inside an Excel document. Adobe has patched the vulnerability. MessageLabs Intelligence researchers analysed one variant of the exploit and found that it downloaded a Poison Ivy backdoor Trojan, whose command-and-control server had a German IP address.

“Although sophisticated zero-day exploits are common, old-fashioned techniques are often used as well, and may be equally successful with the right level of social engineering, such as the use of ‘spear-phishing’,” the researchers wrote.