Cisco Reports Rustock Botnet and LinkedIn Spam Most Prevalent in Q3 2010

Cisco's Global Threat Report examines the most prevalent Web malware, e-mail attacks, exploits and other cyber-crime incidents from July to September 2010.

Botnet activity, malicious spam and resurgence of SQL injection attacks were some of the most significant cyber-crime threats during the third quarter of 2010, according to a multiteam report from Cisco released Nov. 17.

According to the report, enterprise users experienced an average of 133 Web malware encounters per month. August was the most prolific, peaking to more than 140 malware encounters, Cisco researchers said. Spam volumes were also the highest in August, compared to the rest of the quarter.

The Rustock botnet was the most frequently encountered, according to Cisco Remote Operations Services, which remotely monitors, alerts on, and remediates threats for enterprise customers. The botnet is believed to be one of the largest sources of spam, especially pharmaceutical spam, said Mary Landesman, market intelligence manager at Cisco. Rustock activity peaked in late August 2010 and declined in September, the researchers said.

In fact, pharmaceutical and chemical industries were most at risk for Web malware in the third quarter, according to the report, followed by energy and oil, and agriculture and mining. The least at risk were the aviation and automotive industries.

Cisco ROS also reported that Stuxnet exploiting the Windows Print Spooler vulnerability was the "fifth most prevalent event" the team detected during the quarter. Rustock was the most prevalent, accounting for 21 percent of all events handled by ROS, compared to Stuxnet's five percent, during the third quarter.

Stuxnet hit the United Kingdom the most, with 38 percent of users affected in that region, followed by 25 percent in Hong Kong.

The volume of spam dropped in September for eight of the top 10 countries, but the amount of spam sent increased for Russia and Ukraine, according to the report.

Malicious LinkedIn spam spreading the Zeus Trojan dominated September activity, accounting for 31.26 percent of all spam during that period.

The report examined the "Here You Have" e-mail worm outbreak, noting that 79 percent of the clicks occurred during the first three hours of the worm's spread and that it accounted for 10 percent of total spam volume before it was taken offline.

The most common exploits during the first half of 2010 were those targeting Adobe Reader, Acrobat, Sun Java, and Adobe Flash, according to Cisco. That trend held true for Sun Java, as exploits targeting that application platform increased from five percent of all malware encounters in July to seven percent in September, said Landesman.

However, despite reports of various PDF-related threats during the quarter, attacks targeting Adobe Reader and Acrobat actually declined over the quarter, said Landesman.

Cisco IPS reported four types of SQL injection attacks: encoded words embedded within HTTP requests, attacks causing a stack overflow in MSSQL, generic SQL keywords within HTTP, and SQL injection attacks from the Asprox botnet. The botnet recurred briefly in the first half of August, according to the report, targeting Web sites using ASP.
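As an added illustration of the two HTTP-borne categories the report lists (encoded words inside requests and generic SQL keywords), here is a small Python detector run over constructed access-log lines; it is not Cisco IPS code, and the log lines, patterns and function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the report). Line 2 is a
# percent-encoded UNION SELECT, line 3 is double-encoded (%25xx -> %xx -> char),
# line 4 is a benign search that happens to contain the word "select".
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2010:10:01:02 +0000] "GET /products.asp?id=17 HTTP/1.1" 200 5120
10.0.0.6 - - [12/Aug/2010:10:01:09 +0000] "GET /products.asp?id=17%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312
10.0.0.7 - - [12/Aug/2010:10:02:33 +0000] "GET /news.asp?id=%2531%2520OR%25201%253D1 HTTP/1.1" 200 4080
10.0.0.8 - - [12/Aug/2010:10:03:01 +0000] "GET /search.asp?q=select+a+printer HTTP/1.1" 200 2201
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/')

# Keyword *sequences* rather than single words, to keep false positives down.
SQL_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    re.compile(r"['\"]\s*--"),
    re.compile(r"\b(exec|xp_cmdshell|declare|cast)\b", re.I),
]


def fully_decode(uri, max_rounds=3):
    """Undo percent-encoding repeatedly so double-encoded payloads are inspected decoded."""
    decoded = uri.replace("+", " ")
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def scan_log(text):
    """Return (client_ip, decoded_uri, matched_pattern) for each suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        uri = fully_decode(m.group("uri"))
        for pat in SQL_PATTERNS:
            if pat.search(uri):
                hits.append((line.split()[0], uri, pat.pattern))
                break
    return hits


if __name__ == "__main__":
    for ip, uri, pattern in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{uri}\t({pattern})")
```

Decoding before matching is what catches the double-encoded request on line 3; matching on raw request text would miss it.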

Approximately 10 percent of Web malware was encountered via search engine traffic and services, researchers found. Over seven percent of Web malware encounters resulted from Google referrers, followed by Yahoo at two percent and Bing at one percent.

The Cisco 3Q10 Global Threat Report covers the third quarter, from July 1 to Sept. 30. The report contains information from multiple Cisco teams, including Cisco Remote Management Services, Cisco IPS, Cisco IronPort for e-mail security, and ScanSafe for Web security, according to Landesman.