Symantec: China Main Source of Targeted Attacks

A new report from Symantec's MessageLabs analyzed targeted attacks this month and found that nearly a third originate from senders in China.

A new report from Symantec names China as the world's primary source of targeted malware the month of March.

The high stakes of such attacks were brought into focus for many earlier this year with the Aurora attack on Google and dozens of other companies. According to Symantec (PDF), while most of the malware (36.6 percent) came from the United States in terms of mail server location, an analysis of the sender's IP address put the attacker's location in China 28.2 percent of the time, followed by Romania (21.1 percent) and then the United States (13.8 percent).

"When considering the true location of the sender rather than the location of the e-mail server, fewer attacks are actually sent from North America than it would at first seem," said Paul Wood, intelligence senior analyst with Symantec's MessageLabs, in a statement. "A large proportion of targeted attacks are sent from legitimate webmail accounts which are located in the U.S. and therefore, the IP address of the sending mail server is not a useful indicator of the true origin of the attack. Analysis of the sender's IP address, rather than the IP address of the e-mail server reveals the true source of these targeted attacks."

Symantec found that the top five targeted roles are: Director, Senior Official, Vice President, Manager, and Executive Director, and the individuals that receive the most targeted malware are typically responsible for foreign trade and defense policy involving Asian countries.

Mikko Hypponen, chief researcher officer at F-Secure, noted in a conversation with eWEEK that targeted attacks are often preceded by real-world espionage where the hackers dig into the backgrounds of their targets, searching for information such as where they live, what language they speak and what information they have access to.

"Who are their colleagues? What area are they working (in)? What kind of computers are they using, what kind of security systems they have in place...once you have all that information, then you can launch the actual attacks," he said.

According to Symantec, the city Shaoxing in China seems to be a major source for attacks, accounting for 21.3 percent. Taipei in Taiwan and London in the U.K. accounted for 16.5 percent and 14.8 percent, respectively.

Symantec's analysis found the most common file types attached to malicious e-mails are .XLS and .DOC, though the most dangerous file type is .RAR files, which are a proprietary compressed archive format. .XLS and .DOC file types each accounted for 15.4 percent of file attachments in e-mail in March.

The most compromised file type for the month were encrypted .RAR files, which accounted for roughly 1 in 312 malicious files attached to e-mails. While encrypted .RAR files are relatively uncommon, Symantec reported that 96.8 percent attached to e-mails were found to be malicious.

"By comparison, unencrypted .RAR files are rarely exploited and occur in 1.1 percent of e-mails," Wood said. "Although they are more common than encrypted .RAR files, they are far less likely to be seen attached to malicious e-mail."

The .EXE file type is the most likely to arouse suspicion when attached to an e-mail, however, in March executable file types accounted for just 6.7 percent of files attached to e-mail and were found to be compromised 15 percent of the time. The most common file extensions, .XLS, .DOC, .ZIP and .PDF, as attachments, were the least likely to be infected, due to the sheer number of e-mails using them as attachments, Symantec reported.

These attacks often come through spoofed e-mails with all the calling cards of legitimate messages.

"In many cases these e-mails are very convincing...talking about projects by numbers and codenames, talking about highly specific details that the person is working with and they have an attachment...which when opened will actually show you a real file which is again relevant in most cases, but at the same time it will drop an exploit through a backdoor," Hypponen explained.