Botnet, Trojan Activity Increased in February

 
 
By Fahmida Y. Rashid  |  Posted 2011-03-04
 
 
 

Trojan-based attacks continue to be the biggest malware threat in February, but PDF exploits aren't far behind, according to several security reports.

About 1 in 290 e-mails in February were malicious, making the month one of the most prolific periods for the threats, according to Symantec's February 2011 MessageLabs Intelligence Report. The global ratio of spam in e-mail traffic was 81.3 percent, an increase of 2.7 percent since January, the report found. The recent decline in spam appears to have reversed for the time being, according to the report.

There was a lot of botnet activity in February, and the perpetrators appeared to be working together to some extent to distribute Trojans, according to Symantec. There were signs of integration across Zeus, Bredolab and SpyEye, as techniques associated with one malware family were being used by others, Symantec said in the report.

The attacks were well-timed and used carefully targeted techniques, suggesting a "common origin" for these infected messages. One day, the messages would be propagating mainly Zeus variants, followed by a day dedicated to distributing SpyEye variants and later with Bredolab, in an alternating pattern, according to Paul Wood, MessageLabs Intelligence senior analyst. By the middle of the month, the variants propagated simultaneously with an advanced package that evaded traditional antivirus detection, he said.

All the attacks used a .ZIP archive attachment containing malicious code. About 1.5 percent of blocked malware had malicious .ZIP attachments, and 79.2 percent of those files were connected to the Bredolab, Zeus and SpyEye attacks, researchers said.

Contrary to recent belief, Bredolab is not dead, as MessageLabs identified at least 40 variants of malware associated with Bredolab in February, accounting for at least 10 percent of e-mail-borne malware blocked by MessageLabs Intelligence that month.

SpyEye also appeared on FortiNet's Threat Landscape report for the first time, signaling new activity and techniques.

"We're likely to see similar ongoing activity by the SpyEye group, such as routine obfuscation of their data and command and control transmissions," said Derek Manky, senior security strategist at Fortinet. "SpyEye developers are also working to make their product more efficient in terms of management and automation, which is evidenced by the bot's new Automatic Transfer System."

Both GFI Software and Symantec researchers said Trojans were the main threat in February but that PDF exploits are on the rise. Trojans accounted for six of the top 10 malware threats of February, according to GFI Software's monthly report.

Malicious PDF files now account for a larger proportion of document types used in attacks, according to Symantec. Based on current trends, Symantec predicted 76 percent of targeted malware could be used for PDF-based attacks by mid-2011.

"PDF-based targeted attacks are here to stay and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware," Wood said.

China was the most spammed country in February, followed by the United States, Canada and the United Kingdom. Spam levels were 81.4 percent for the United States, compared with China's 86.2 percent. The most spammed industry sector continued to be the automotive sector, with 84.3 percent of e-mail, followed by education and pharmaceuticals.

However, governmental organizations were the most targeted for malware, with 1 in 41.1 e-mails being blocked as malicious, according to Symantec.

While virus activity increased slightly, the volume of e-mails with links to malicious Websites declined from January, Symantec said. Of the malicious domains blocked in February by MessageLabs Intelligence, 38.9 percent were new, a decline of about 2 percent since January, Symantec said. An average of 4,098 new Websites harboring malware was identified per day, a decrease of almost 14 percent since January, according to the report.

Despite more malware flooding networks, actual infection rates may be dropping, Panda Security researchers said. The security firm based its results on data gathered by Panda ActiveScan, a free online scanner available on the company's Website. Of the computers scanned in February, only 39 percent were infected with malware, compared with 50 percent in January, Panda Security said. Of the infected computers, Trojans were the most common malware found; they are responsible for 61 percent of infections.

 


Rocket Fuel