Symantec's July 2011 Symantec Intelligence Report reveals a significant increase in activity related to what may be described as an aggressive and rapidly changing form of generic polymorphic malware.
With one in 280,9 e-mails identified as malicious in July, this generic polymorphic malware accounted for 23,7% of all e-mail-borne malware intercepted during the month, more than double the figure six months earlier, indicating a much more aggressive strategy on the part of the cybercriminals responsible.
“The number of variants, or different strains of malware involved in each attack, has grown dramatically, by a factor of 25, when compared to the previous six months. This is a disturbing proliferation in such a short time, increasing the risk profiles of many organisations as these new strains are much harder to detect using traditional security defences,” says Paul Wood, senior intelligence analyst at Symantec.cloud.
The report shows that the malware is frequently delivered as an executable inside an attached ZIP archive, often disguised as a PDF file or an office document. “This new aggressive approach to distributing generic polymorphic malware on such a scale should be concerning for many businesses, particularly for those who rely solely on more traditional security countermeasures, which this type of malware is designed to evade. One example of this technique involves changing the startup code in almost every version of the malware; subtly changing the structure of the code and making it harder for emulators built into many anti-virus products to identify the code as malicious,” adds Wood.
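The ZIP-wrapped, document-disguised executable the report describes can be screened at the mail gateway without a signature for any particular variant, because the check looks at file structure rather than at bytes the polymorphic startup code changes. The following is an added example, not code from the report or from Symantec: it opens a ZIP attachment and flags entries that carry an executable extension, a document-then-executable double extension, a right-to-left override character in the name, or a PE header behind a document extension. The sample archive, its file names and the minimal PE stub are constructed inline for the demonstration.

```python
import io
import struct
import zipfile

# Extensions a recipient expects to open as harmless documents.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Extensions Windows will execute on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
RLO = "\u202e"  # Unicode right-to-left override, used to hide a real extension


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS/PE header: 'MZ' at offset 0 and
    'PE\\0\\0' at the offset stored in e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_entry(name: str, data: bytes) -> list[str]:
    """Return the reasons one archive entry is suspicious (empty if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        reasons.append("double extension")
    if RLO in name:
        reasons.append("right-to-left override in name")
    # A PE header behind a .pdf/.doc name means the extension is a disguise.
    if looks_like_pe(data) and final not in EXECUTABLE_EXTS:
        reasons.append("PE content with non-executable extension")
    return reasons


def scan_zip_attachment(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name in a ZIP attachment to its reasons.
    Only the first 4 KiB of each entry is read; the PE headers checked sit well
    inside that window."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def fake_pe() -> bytes:
    """Constructed stand-in for an executable: a bare DOS header pointing at a
    'PE\\0\\0' signature, enough for looks_like_pe() and nothing else."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def build_sample_zip() -> bytes:
    """Constructed sample attachment; the entry names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_July2011.pdf.exe", fake_pe())   # double extension
        zf.writestr("Report.doc", fake_pe())                  # PE behind .doc
        zf.writestr("readme.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(f"{entry}: {', '.join(reasons)}")
```

Because none of these checks hash the entry, a campaign that re-packs the same dropper with a fresh startup stub for every message still trips them; the cost is that a legitimate executable sent inside a ZIP is flagged too, which is usually the policy a gateway wants.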
Further analysis also reveals that phishing attacks have been seeking various means to exploit vulnerable cell phone users. According to Wood, “Two key areas in which we can see this trend are, firstly, the increase in phishing against wireless application protocol (WAP) pages, which are lightweight Web pages designed for smaller mobile devices such as cell phones; and secondly, the use of compromised domain names that have been registered for mobile devices, for example, using the .mobi top-level domain.”
Symantec has identified phishing sites spoofing such Web pages and has been monitoring the trend. In July, social networking and information services brands were frequently observed in these phishing sites. The primary motive of these attacks continues to be identity theft. Targeting cell phone users is just part of a new strategy for achieving the same result.
Other report highlights include:
* In July 2011, the global ratio of spam in e-mail traffic rose to 77,8% (one in 1,29 e-mails), an increase of 4,9 percentage points when compared with June 2011.
* Phishing: In July, phishing e-mail activity increased by 0,01 percentage points since June 2011; one in 319,3 emails (0,31%) comprised some form of phishing attack.
* E-mail-borne threats: The global ratio of email-borne viruses in email traffic was one in 280,9 emails (0,333%) in July, an increase of 0,01 percentage points since June 2011.
* Web-based malware threats: In July, Symantec Intelligence identified an average of 6 797 Web sites each day harbouring malware and other potentially unwanted programs including spyware and adware; an increase of 25,5% since June 2011.
* Endpoint threats: The most frequently blocked malware in July was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit, a worm that spreads through removable drives and by infecting executable files. The worm propagates by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 17,3% of all malicious software blocked by endpoint protection technology in July.