
SYMANTEC INTELLIGENCE REPORT

SEPTEMBER 2013
p. 2
Symantec Corporation
Symantec Intelligence Report :: SEPTEMBER 2013
CONTENTS
3 Executive Summary
4 BIG NUMBERS
7 TIMELINE
10 TARGETED ATTACKS
11 Targeted Attacks in 2013
11 Targeted Attacks per Day
11 Anatomy of Latest Watering Holes
12 First Attacks Logged by Month
12 Top 10 Industries Attacked
13 Attacks by Size of Targeted Organization
13 File Extensions of Attachments
13 First Attacks Logged by Size
14 Q&A on Hidden Lynx
16 Social Media
17 Top 5 Social Media Attacks, 2013
18 DATA BREACHES
19 Top 5 Data Breaches by Type of Information Exposed
19 Timeline of Data Breaches, 2013
20 MOBILE
21 Mobile Malware by Type
22 Cumulative Mobile Android Malware
23 VULNERABILITIES
24 Total Vulnerabilities Disclosed by Month
24 Browser Vulnerabilities
24 Plug-in Vulnerabilities
25 SPAM, PHISHING, & MALWARE
26 Spam
26 Top 5 Activity for Spam Destination by Geography
26 Global Spam Volume Per Day
26 Top 5 Activity for Spam Destination by Industry
27 Top 10 Sources of Spam
27 Average Spam Message Size*
27 Top 5 Activity for Spam Destination by Company Size
27 Spam by Category
27 Spam URL Distribution Based on Top Level Domain Name*
28 Phishing
28 Top 10 Sources of Phishing
28 Top 5 Activity for Phishing Destination by Company Size
28 Top 5 Activity for Phishing Destination by Industry
28 Top 5 Activity for Phishing Destination by Geography
29 Phishing Distribution in September
29 Organizations Spoofed in Phishing Attacks
30 Malware
30 Proportion of Email Traffic in Which Virus Was Detected
30 Top 10 Email Virus Sources
31 Top 5 Activity for Malware Destination by Industry
31 Top 5 Activity for Malware Destination by Geographic Location
31 Top 5 Activity for Malware Destination by Company Size
32 Endpoint Security
32 Top 10 Most Frequently Blocked Malware
33 Policy Based Filtering
34 Contributors
34 About Symantec
34 More Information
Executive Summary
Welcome to the September edition of the Symantec Intelligence
report. Symantec Intelligence aims to provide the latest analysis of
cyber security threats, trends, and insights concerning malware,
spam, and other potentially harmful business risks.
In this month's report we take a detailed look at targeted attacks in 2013 so far. What we've found is that attackers have continued to refine their techniques, adding new tricks to attack methods such as watering holes and spear phishing in order to increase the likelihood of snaring their intended targets.
We also take a look at targeted attack trends over the last three years to get a better feel for how attackers are operating. What we've noticed is that while attacks per day are lower compared to last year, attacks are up 13 percent over a three year period. We also take a look at the times of the year attackers are more likely to kick off targeted attack campaigns, who they're targeting, and the type of malicious payloads they're using.
While looking at targeted attacks, I sat down with one of our leading threat researchers to talk about a targeted attack group recently discussed in a new Symantec whitepaper. We talk about who the Hidden Lynx group is, how they operate, and what they're after, as well as what the future might hold for these attackers.
Also, this month's timeline focuses on stories surrounding targeted attacks during the month of September, recapping what happened and what that means to you.
We hope that you enjoy this month's report and feel free to contact us with any comments or feedback.
Ben Nahorney, Cyber Security Threat Analyst
symantec_intelligence@symantec.com
BIG NUMBERS
Overall Email Phishing Rate (higher number = lower risk): values shown 1 in 736, 1 in 626, 1 in 1,056 (month labels Jul, Aug, Sep)
Overall Email Virus Rate (higher number = lower risk): Jul 1 in 465, Aug 1 in 340, Sep 1 in 383
Estimated Global Email Spam Rate Per Day (spam as percent of all email, Jul-Sep): values shown 65%, 66%, 68%
New Vulnerabilities: July 561, Aug 469, Sep 549
Mobile Vulnerabilities: July 3, Aug 2, Sep 7
Data Breaches: 144 breaches (year-to-date); 91,247,719 identities exposed (year-to-date)
Mobile Malware Variants (new per month): Jul 161, Aug 213, Sep 249
[Chart: cumulative mobile malware variants, Oct 2012 to Sep 2013, reaching 7,101]
TIMELINE
September Targeted Attacks Timeline
September 04
Attackers took advantage of this months G20 summit in St.
Petersburg in Russia to target multiple groups. This campaign
targeted financial institutions, financial services companies,
government organizations, and a number of other organizations
involved in economic development.
The attackers sent emails that claimed to come from a G20 representative. The email thanked the targets for circulating updated building blocks, referring to the theme of multiple documents discussing the UK government's feedback on how to address development, anti-corruption and employment. The message continued, saying that the UK government has made comments on these documents, which the sender claims are attached to the email.
Symantec detects the executable as Backdoor.Darkmoon, a
remote access Trojan that has previously been used in a number
of targeted attack campaigns including the Nitro Attacks.
September 06
A new banking Trojan has been found targeting online banking
users in a variety of countries. The Trojan was part of a
campaign where the attackers posed as a legitimate organization
and sent emails with disguised malicious attachments to
victims. These emails either claimed that postal tracking
information or an invoice was attached.
The attackers were aiming to obtain login credentials to gain access to victims' online bank accounts using the Trojan's keystroke logging capabilities. The malware could inject malicious code into targeted banks' Web pages. Security researchers also said that the Trojan attempted to trick victims into installing a mobile app in order to bypass two-factor authentication to log into bank accounts. After a victim's computer was infected, a malicious Web page appeared and asked them to input their mobile device model and number. The attackers then sent a text message linking to the malicious app.

September 09
Malicious actors are always quick to exploit our desire to be
informed of the latest news, often using current affairs as email
subject lines or topics in order to target victims with malware.
As expected, the current situation in Syria is being used in this
way. Symantec Security Response has published a blog detailing
a targeted attack campaign that used the recent chemical attack
in Syria as a lure. The email referred to a recently published
article by the Washington Post, taking the text directly from
the original news item and placing it in a malicious Word
document. The malicious document contained Backdoor.Korplug
and exploited the Microsoft Internet Explorer Use-After-Free
Remote Code Execution Vulnerability (CVE-2013-2551).
September 12
An ongoing cyber espionage campaign was found targeting
South Korean entities, such as government and military think-
tanks, supporters of Korean unification and a variety of shipping
companies. The campaign used malware that allowed attackers
to spy on victims and steal data.
While the researchers haven't confirmed how victims' computers were infected, they suspect that the attackers used spear-phishing emails that contained a Trojan dropper to download additional malware. The operation used a lot of different malicious programs, each implementing a single spying function. Symantec detects the malware cited in this report as Trojan.Kisuky.
September 18
Microsoft reported a critical vulnerability in Internet Explorer
which could enable remote code execution on an affected
computer if the user visits a website containing malicious
content directed towards the browser. This typically happens
when an attacker compromises the security of trusted websites
that Internet Explorer users visit frequently, or convinces
someone to click on a link in an email, or via a social networking
site, or in an instant message.
While the vulnerability has since been patched, Microsoft stated that all supported versions of Internet Explorer were affected; moreover, there were also reports of a limited number of targeted attacks specifically directed at versions 8 and 9. For more details about preventing this threat see the blog entry, New Internet Explorer Zero-day Found in Targeted Attacks.
September 26
Security researchers reported on a small group of hackers for
hire called Icefog that have potentially performed surgical
hit and run operations against several organizations across
the globe. The attacks used custom cyberespionage tools to
compromise Windows and Mac OS X computers, which were
used to locate and steal specific information before abandoning
the infected computer. The attackers sent spear-phishing emails
and used exploits for known vulnerabilities in their campaigns.
Once the targeted computers were compromised, the attackers
placed back-doors and other data-stealing tools on them. They
could then gather sensitive documents, email credentials and
other passwords that could be used to gain access to even more
data.
Unlike many other advanced persistent threats (APTs), which
compromise computers for months in order to continuously
steal data, the Icefog attackers seemed more interested
in carrying out quick, surgical strikes to gather specific
information. Symantec detects the threats used in this campaign
as Backdoor.Hormesu.
TARGETED ATTACKS
Targeted Attacks in 2013
So far in 2013 few new attack techniques have been seen in the realm of targeted attacks. Instead we've seen a shoring up of attack methods. Since the techniques used in the last couple of years still continue to reap rewards, attackers probably see little reason to change them. Rather, we've seen efforts to refine their strategies.

For instance, in past watering hole attacks an attacker would compromise a legitimate website that the target is known to use and then lie in wait for them to visit it. Attackers continue to use such techniques this year, but are lying in wait on multiple sites in order to compromise a more diverse set of targets. While each of these sites may be used to snare a different target profile, they all redirect to the same exploit. This allows the attackers to leverage one vulnerability in multiple campaigns, or easily swap out exploits, cutting down on overall administration for the attackers.

We've also seen an increase in more aggressive spear-phishing attacks. In these cases the attacker sends an email and then follows up with a phone call directly to the target, such as the Francophoned attack from this summer. The attacker may impersonate a high ranking employee, and request that the target open an attachment immediately. This assertive method of attack has been reported more often in 2013 than in previous years.

With these refined techniques, attackers may be taking more time to ensure an attack is successful. Our overall attack numbers appear to support this. For instance, the average number of attacks per day is down 41 percent in the first nine months of 2013 when compared to the same period last year. Our projections for the rest of the year show attacks per day dropping in the last quarter of 2013 if this trend were to continue. However, this is still a 13 percent increase over the averages during the same period in 2011, showing targeted attacks are still trending upwards over a longer period of time.

While these numbers show the sheer volume of targeted attacks, they don't tell us much about when new attack campaigns are kicked off. To look at this, we filtered out multiple attacks against the same company to see when organizations first logged an attack during 2013. These first attacks appear to be trending up month on month in 2013. Of particular note is that the month of May saw a significant increase in the number of new attacks. Using this as a marker for kicking off targeted attack campaigns, and looking back at our attacks per day numbers, this increase is followed by an uptick in the volume of daily targeted attacks during the summer months of this year.

Targeted Attacks per Day
Source: Symantec
[Chart: targeted attacks per day, Jan-Dec, 0-250 scale; series 2011, 2012, 2013 and 2013 trend (projected)]

Anatomy of Latest Watering Holes
Source: Symantec
[Diagram: the target visits one of several compromised websites, each of which redirects to the same exploit location]
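The watering-hole topology described above (several compromised sites funnelling visitors to one exploit location) is something a defender can look for in web proxy logs: one third-party host that is reached as the referred-to destination from many unrelated sites. The Python below is an added example, not tooling from the report or from Symantec; the log format, hostnames, client addresses and the three-referrer threshold are constructed for the demonstration.

```python
"""Watering-hole fan-in detection over web proxy logs (added example).

Scores third-party destinations by how many distinct referrer sites lead to
them. A single exploit location fed by several compromised legitimate sites
shows up as a high fan-in destination. Constructed sample data; adjust the
threshold and allowlist (shared CDNs also have high fan-in) to your estate.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: timestamp, client, requested URL, Referer header, status
SAMPLE_LOG = """\
2013-09-12T09:01:11 10.0.0.5 http://news.example-a.test/index.html - 200
2013-09-12T09:01:12 10.0.0.5 http://cdn.static.test/jquery.js http://news.example-a.test/index.html 200
2013-09-12T09:01:13 10.0.0.5 http://stat.exploit-host.test/counter.php http://news.example-a.test/index.html 200
2013-09-12T09:05:02 10.0.0.9 http://forum.example-b.test/t/123 - 200
2013-09-12T09:05:03 10.0.0.9 http://stat.exploit-host.test/counter.php http://forum.example-b.test/t/123 200
2013-09-12T09:05:04 10.0.0.9 http://cdn.static.test/jquery.js http://forum.example-b.test/t/123 200
2013-09-12T10:12:40 10.0.0.17 http://ngo.example-c.test/reports http://www.search.test/q 200
2013-09-12T10:12:41 10.0.0.17 http://stat.exploit-host.test/counter.php http://ngo.example-c.test/reports 200
2013-09-12T11:30:00 10.0.0.21 http://cdn.static.test/jquery.js http://shop.example-d.test/ 200
"""


def registered_domain(host: str) -> str:
    """Collapse a host to its last two labels so www./cdn. variants of one site count once."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, dest host, referrer host or None, status)."""
    ts, client, url, referer, status = line.split()
    dest = urlsplit(url).hostname or ""
    ref = urlsplit(referer).hostname if referer != "-" else None
    return ts, client, dest, ref, int(status)


def fan_in(log_text: str):
    """Map each destination domain to the set of distinct referrer domains and the set of clients."""
    refs = defaultdict(set)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, dest, ref, _ = parse_line(line)
        if ref is None:
            continue
        d, r = registered_domain(dest), registered_domain(ref)
        if d == r:  # same-site navigation is not a hop to a third party
            continue
        refs[d].add(r)
        clients[d].add(client)
    return refs, clients


def suspicious_destinations(log_text: str, min_referrers: int = 3, allowlist=frozenset()):
    """Return [(domain, referrer_count, client_count)] for third-party hosts reached
    from at least `min_referrers` unrelated sites, highest fan-in first."""
    refs, clients = fan_in(log_text)
    out = [(d, len(r), len(clients[d])) for d, r in refs.items()
           if d not in allowlist and len(r) >= min_referrers]
    return sorted(out, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    # Without an allowlist the shared CDN scores as high as the exploit host;
    # allowlisting known infrastructure leaves only the genuinely odd destination.
    for row in suspicious_destinations(SAMPLE_LOG, allowlist=frozenset({"static.test"})):
        print("fan-in destination: domain=%s referrers=%d clients=%d" % row)
```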
In terms of targets, it appears that manufacturing is no longer
the leading industry on the receiving end of targeted attacks,
having dropped from 24 percent of attacks in 2012 to 8.7
percent so far in 2013. Taking its place near the top of our
charts are service-related industries, both professional (22%)
and non-traditional (15%).[1]

Why have service-related industries risen this year? Much of this could be related to supply chain attacks, where attackers look for the easiest point of entry and work their way up the chain. Attackers will often direct their efforts to the areas that they see as having the laxest security. The shift from manufacturing to service as an attack target could be due to these industries being seen as an easier avenue into a supply chain.

[1] The Professional category includes services such as Legal, Accounting, Health, and Education. Non-Traditional includes Hospitality, Recreational, and Repair services.

First Attacks Logged by Month
Source: Symantec
[Chart: number of organizations logging a first attack each month, Jan-Sep 2013, 0-1,200 scale]

Top 10 Industries Attacked
Source: Symantec
Industry Percent
Services - Professional 22.2%
Public Administration 19.2%
Services - Non-Traditional 14.8%
Finance, Insurance & Real Estate 13.0%
Transportation, Communications, Electric, & Gas 9.1%
Manufacturing 8.7%
Wholesale 4.2%
Logistics 2.1%
Retail 1.0%
Mining 1.0%

Attacks by Size of Targeted Organization
Source: Symantec
Company Size Percent
1-250 24.1%
251-500 11.8%
501-1000 10.8%
1001-1500 2.9%
1501-2500 9.5%
2500+ 40.8%

First Attacks Logged by Size
Source: Symantec
Company Size Percent
1-250 48.3%
251-500 11.4%
501-1000 9.4%
1001-1500 5.1%
1501-2500 5.6%
2500+ 20.3%

File Extensions of Attachments
Source: Symantec
File Extension Percent
.exe 35.7%
.scr 24.2%
.doc 9.6%
.pdf 7.0%
.class 5.1%
.dmp 3.6%
.dll 2.4%
.xls 1.7%
.pif 1.4%
.jar 0.8%
Moreover, most of the manufacturing companies being targeted
in 2012 were in the Defense or Engineering industries. Increased
awareness and tighter security countermeasures mean the
criminals have to adapt, and this is perhaps what we have seen
in 2013 so far.
In terms of the size of organizations, it appears as though the swing from targeting large enterprises to smaller organizations has continued this year. The share of attacks on organizations with 2500+ employees is down approximately 9 percentage points, from 50 percent in 2012 to 41 percent so far this year. SMBs continue to make up the largest percent of smaller organizations, though there appears to be a shift into the 251-500 and 501-1000 ranges, which have increased 7 and 8 percentage points respectively.

If we look at the first attacks over the year, similar to how we did attacks per day, we see a definite shift towards targeting smaller businesses. In fact the 1-250 employee range comprises over 48 percent of all unique attacks so far this year.

In terms of email-based targeted attacks, executables still top the list of attachment types. While it seems at face value that document formats, like .pdf and .doc files, would have a larger measure of success from a social engineering standpoint, it turns out that that isn't necessarily the case, since roughly 64 percent of attachments are executables. In fact, we've seen specific cases where attackers have sent .pdf files that go unopened within the target organization. However, in a follow-up targeted email that included a run-of-the-mill .exe file, the file was opened and the payload executed.

These attachment types continue to roll in with the same, time-tested subject matter as well: invoices, calls for research papers, resumes, etc. It appears that so long as these methods continue to trick the targets, attackers see no reason to change their techniques.
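The measures this section relies on (average attacks per day, the month in which each organization first logged an attack once repeat attacks against the same company are filtered out, and the share of attachments that are executables) can be reproduced over an organization's own blocked-email log. The Python below is an added example rather than the report's methodology or Symantec code; the record layout, organization names and dates are constructed, and the executable set (.exe, .scr, .pif, .dll) is an assumption taken from the report's "roughly 64 percent" grouping of its extension table.

```python
"""Targeted-attack log measures in the style of the report's figures (added example).

Three functions mirror the report's analysis on a constructed list of blocked
targeted-attack emails: attacks per day over a period, first attack per
organization by month (duplicates against one organization removed), and the
fraction of attachments that are executables. All sample data is constructed.
"""
from collections import Counter
from datetime import date

# Constructed sample: (date blocked, target organization, attachment extension)
ATTACKS = [
    (date(2013, 4, 2),  "AlphaLegal",  ".pdf"),
    (date(2013, 4, 2),  "AlphaLegal",  ".exe"),   # same org, same day: still one first attack
    (date(2013, 5, 6),  "BetaBank",    ".doc"),
    (date(2013, 5, 7),  "GammaGov",    ".scr"),
    (date(2013, 5, 9),  "DeltaLog",    ".exe"),
    (date(2013, 5, 20), "BetaBank",    ".exe"),   # repeat against BetaBank
    (date(2013, 6, 1),  "EpsilonHosp", ".pif"),
    (date(2013, 6, 3),  "AlphaLegal",  ".exe"),   # repeat against AlphaLegal
    (date(2013, 6, 15), "ZetaMfg",     ".jar"),
    (date(2013, 6, 15), "ZetaMfg",     ".dll"),
]

# Assumed grouping: the report's .exe + .scr + .pif + .dll shares sum to about 64 percent.
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".pif", ".dll"})


def attacks_per_day(attacks, start, end):
    """Average blocked attacks per calendar day in [start, end], inclusive."""
    days = (end - start).days + 1
    n = sum(1 for d, _, _ in attacks if start <= d <= end)
    return n / days


def first_attacks_by_month(attacks):
    """Count, per 'YYYY-MM', how many organizations logged their first attack
    in that month. Later attacks on an already-hit organization are ignored."""
    first_seen = {}
    for d, org, _ in sorted(attacks):
        first_seen.setdefault(org, d)
    return Counter(d.strftime("%Y-%m") for d in first_seen.values())


def executable_share(attacks):
    """Fraction of attachments whose extension is in EXECUTABLE_EXTS."""
    exts = [ext.lower() for _, _, ext in attacks]
    return sum(ext in EXECUTABLE_EXTS for ext in exts) / len(exts)


def percent_change(current, previous):
    """Signed percent change, as the report quotes its year-over-year figures."""
    return (current - previous) / previous * 100.0


if __name__ == "__main__":
    print("attacks/day:", round(attacks_per_day(ATTACKS, ATTACKS[0][0], ATTACKS[-1][0]), 3))
    print("first attacks by month:", dict(first_attacks_by_month(ATTACKS)))
    print("executable share:", executable_share(ATTACKS))
    print("2500+ share change 2012->2013 (report figures):", percent_change(41.0, 50.0), "%")
```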
Q&A on Hidden Lynx
Earlier this year, details of a hack against security vendor Bit9 emerged. Hackers had gained access to the company's digital code-signing certificates, and succeeded in signing their malware with it. This signed malware was then distributed in targeted attack campaigns.
The roots of this attack, and the group behind it, go back much further. Symantec Security Response looked closely at the attack and those behind it, and recently published a whitepaper detailing the activities of a hacking group, dubbed Hidden Lynx.
Stephen Doherty, a Senior Threat Intelligence Analyst and one of the primary investigators, led the investigation into Hidden Lynx. I sat down and talked with him about who this hacking group is, how they're structured, and just how brazen they've become.
Who are the Hidden Lynx group?
Hidden Lynx is a group we've been tracking for the last number of years. The group itself is a targeted attack group who is based in China. They have been involved in attacks since at least 2009, including the high-profile attacks involving Bit9. We think it's a professional organization, with lots of experience, using cutting edge techniques. They do a pay-per-order service, where a client will contact the group and ask them to pursue some specific information that is of use to them.
How do they compare to your typical hacking group?
They are more capable than the typical groups you might
see in many targeted attacks. They managed to get onto
[Bit9's] machines and sign their malicious Trojans with Bit9
certificates. This happened around the same time as a number
of zero days were distributing these Trojans, so we thought it
was a worthwhile exercise to go and have a look at exactly what
these guys were doing, who they target, and why they target
certain industries, in order to build up an overall picture of their
capabilities.
Who are the primary targets that they appear to be going after?
They tend to go after both private industry and governmental
organizations in the wealthiest and most technologically
advanced countries. Their range of targets is wide, which
suggests that there are lots of requests for different types of
information.
In terms of industries, they tend to go after quite specific
organizations within the financial industry. They'll target asset
management agencies or companies that would be involved in
investment banking, like mergers and acquisitions.
What is the goal of the attacks carried out by the Hidden Lynx
group?
The overall goals are quite varied. At the moment they're
focusing on Japan and South Korea. The large campaign
mentioned in the paper was VOHO, which was focused in the US,
so their targets shift quite regularly. This could be a case of not
bringing too much focus to the group: if they continue to attack
in certain locations, it can bring a lot of heat on them. They
might move around for that reason, or it could be just a case
where that campaign was run. They got the required information
and now they've moved to another country to get information
there. So their overall goals are probably financially motivated,
but the goals of an attack will change based on what information
they're after.
What are their primary attack methods?
They're cutting edge in what they do. They have access to the
latest exploits. We've seen them using spear phishing attacks,
and VOHO was a large watering hole campaign. To get into quite
hard to reach places they have used supply chain attacks.
They've also been observed attacking vulnerable applications
on public-facing servers that a company might have. That's how
they got into Bit9: they located a public-facing server and used
SQL-injection attacks to install a Trojan. From there they were
able to obtain passwords and move through the network, where
they eventually gained access to their code-signing certificate
and signed some of their malware. This is quite a large win on
their behalf. Just having the audacity to go in and gain access like
this, most attackers wouldn't even consider it.
In your paper you mention that the Hidden Lynx group has
carried out one of the largest and most successful watering-
hole attacks to date. What makes these watering hole attacks
different than those we've seen in the past?
The VOHO attacks are the most significant in terms of size. RSA
had examined the access logs from the webserver and saw that
the payload was delivered to 4,000 machines, which is typically
much higher than a normal watering hole attack.
They compromised ten legitimate websites to redirect to this
exploit that they were hosting. Each of these watering holes had
slightly different expected visitors to each site. They rerouted
all these watering hole websites to one exploit. In many cases
watering holes typically just infect one legitimate website and
wait for the unsuspecting user to visit, whereas this one was
much larger in scale.
You mention two distinct threats, Trojan.Naid and Backdoor.Moudoor,
used and maintained by what appear to be two
separate attack teams within the Hidden Lynx group. What are
the differences between these two teams and why do you think
the group would be organized in such a way?
To begin with Naid has been around since 2009. That dates all
the way back to when we saw the attacks involving Aurora, and
that's been used right up to today. Then you have Moudoor,
which is a more recent Trojan, which first surfaced in 2011.
We see Moudoor in larger-scale infections. We believe this is
operated by a team who is larger in size. They'll infect a lot
more varied targets and have a much higher distribution rate.
Naid is seen in much more limited use, and we think that this is
their Trojan that they reserve for special operations: if they're
finding a specific target difficult to penetrate, they typically send
in Trojan.Naid. This is why we think there is a more elite team
within the Hidden Lynx group that operates this Trojan.
There appear to be ties between the Hidden Lynx group and
Operation Aurora. What are these connections, and is the
Hidden Lynx group the latest iteration of a long running
hacking campaign?
Hidden Lynx is definitely a long-running hacking campaign.
The more familiar Trojan with Aurora was Trojan.Hydraq, but
we believe Naid was also participating in this attack. When the
command and control domains and the organizations targeted
were examined, it's very likely that both these Trojans were used
in this attack. So we think Hydraq would have been the initial
backdoor that was downloaded onto the machine via the exploit,
and then Trojan.Naid was then subsequently installed on the
infected machines.
Does this mean Naid is unique to this attack group?
Yes, we don't believe Naid is available to any other attack groups.
It's a very specific Trojan. We don't see widespread distribution,
so this is another reason we believe that it was this group that
participated in the Aurora attacks.
Now that the Hidden Lynx group's tactics are out in the open,
what do you think the next steps will be for these attackers?
The obvious thing would be similar to what happened with
Aurora: Hydraq disappeared within a matter of months and they
just persisted with different Trojans. We expect the same thing
to happen. They'll swap the Trojans that they use, but they'll
continue to attack in the same manner.
We're already looking into Trojans that look like they're being
used by this group at this time. We certainly know of one:
Backdoor.Fexel. It shares some infrastructure that was used
during the Hidden Lynx campaign and is using the most recent
zero-day, obviously post-publication of the paper.
In your experience, do you think we'll be seeing more or less of
this group as time goes on?
I think we'll see at least as much, considering their experience
and their capabilities. There are lots and lots of attack groups
that come from China, but this would be one of the stand-out
groups. I think for that fact they're not going to go away any time
soon. Even with some of the major focus on the group, they're
still attacking to this day.
SOCIAL MEDIA
Social Media
At a Glance
82 percent of all social
media attacks so far in
2013 have been fake
offerings. This is up from
56 percent in 2012.
Fake Plug-ins are the
second-most common
type of social media
attacks at 7.3 percent, up
from fifth place in 2012,
at 5 percent.
Fake Apps have risen
overall in 2013, now
making up 1.9 percent of
social media attacks. In
2012, this category was
ranked sixth.
Methodology
Fake Offering. These scams invite social network users to join a fake event or group with
incentives such as free gift cards. Joining often requires the user to share credentials with
the attacker or send a text to a premium rate number.
Fake Plug-in Scams. Users are tricked into downloading fake browser extensions on their
machines. Rogue browser extensions can pose like legitimate extensions but when installed
can steal sensitive information from the infected machine.
Likejacking. Using fake Like buttons, attackers trick users into clicking website buttons
that install malware and may post updates on a user's newsfeed, spreading the attack.
Fake Apps. Applications provided by attackers that appear to be legitimate apps; however,
they contain a malicious payload. The attackers often take legitimate apps, bundle malware
with them, and then re-release it as a free version of the app.
Manual Sharing Scams. These rely on victims to actually do the hard work of sharing the
scam by presenting them with intriguing videos, fake offers or messages that they share
with their friends.
Top 5 Social Media Attacks, 2013
Source: Symantec
[Chart: Fake Offering 82%, Fake Plug-in 7.3%, Fake Apps 1.9%; Manual Sharing and Likejacking account for the remaining 4.9% and 1.7%]
DATA BREACHES
Data Breaches
At a Glance
September appears to
contain the least data
breach activity this year
in terms of identities
exposed. However, this
number may change as
further breaches are
disclosed.
There were a number of breaches reported during September that occurred earlier in the year. This brings the total number of breaches to 144 so far in 2013.
Of the reported breaches so far this year, the top three types of information exposed are a person's real name, birth date, and government ID number (e.g. Social Security).
Timeline of Data Breaches, 2013
Source: Symantec
[Chart: monthly number of incidents (0-60 scale) and identities breached in millions (0-48 scale), Oct 2012 to Sep 2013]

Top 5 Data Breaches by Type of Information Exposed
Source: Symantec
[Chart: Information Exposed in Breaches, as % of all breaches; categories Real Names, Gov ID numbers (Soc Sec), Birth Dates, Home Address, Medical Records; values shown 66%, 42%, 41%, 34%, 31%]
Methodology
This data is procured from the Norton Cybercrime Index (CCI).
The Norton CCI is a statistical model that measures the levels
of threats, including malicious software, fraud, identity theft,
spam, phishing, and social engineering daily. The data breach
section of the Norton CCI is derived from data breaches that
have been reported by legitimate media sources and have
exposed personal information.
In some cases a data breach is not publicly reported during the
same month the incident occurred, or an adjustment is made in
the number of identities reportedly exposed. In these cases, the
data in the Norton CCI is updated. This causes fluctuations in
the numbers reported for previous months when a new report is
released.
Norton Cybercrime Index
http://us.norton.com/protect-yourself
MOBILE
Mobile
At a Glance
So far in 2013, 37 percent
of mobile malware tracks
users, up from 15 percent
in 2012.
Traditional threats,
such as back doors and
downloaders are present
in a fifth of all mobile
malware threats.
Risks that collect data, the most common risk in 2012, are down 12 percentage points to 20 percent of risks.
Seven new mobile
malware families were
discovered in September,
along with 249 new
variants.
[Mobile Malware by Type chart values: 37%, 26%, 20%, 20%, 14%, 7%; Track User 37% and Collect Data 20% per the text]
Track User
Risks that spy on the individual using the
device, collecting SMS messages or
phone call logs, tracking GPS coordinates,
recording phone calls, or gathering
pictures and video taken with the device.
Traditional Threats
Threats that carry out traditional
malware functions, such as back
doors and downloaders.
Adware/Annoyance
Mobile risks that display advertising or
generally perform actions to disrupt
the user.
Send Content
These risks will send text messages
to premium SMS numbers, ultimately
appearing on the bill of the device's
owner. Other risks can be used to send
spam messages.
Change Settings
These types of risks attempt to elevate
privileges or simply modify various
settings within the operating system.
Collect Data
This includes the collection of both
device- and user-specific data, such as
device information, configuration data,
or banking details.
Mobile Malware by Type
Source: Symantec
Cumulative Mobile Android Malware
Source: Symantec
[Chart: cumulative families (0-400 scale) and cumulative variants (0-10,000 scale), Oct 2012 to Sep 2013]
VULNERABILITIES
Vulnerabilities
At a Glance
There were 549 new vulnerabilities discovered in September, bringing the total for the year up to 4,864, a 16 percent increase compared to the same period in 2012.
There were 45 vulnerabilities discovered in mobile operating systems during the month of September.
Google's Chrome browser continues to lead in reported browser vulnerabilities, while Oracle's Java leads in reported plug-in vulnerabilities.
Two zero-day vulnerabilities were disclosed during the month of September.
Total Vulnerabilities Disclosed by Month
Source: Symantec
Chart: vulnerabilities disclosed per month (axis 100 to 800), September 2012 to September 2013.
Plug-in Vulnerabilities
Source: Symantec
Chart: share of plug-in vulnerabilities (axis 0% to 60%) for Adobe Acrobat Reader, Adobe Flash Player, Apple QuickTime, and Oracle Sun Java.
Browser Vulnerabilities
Source: Symantec
Chart: share of browser vulnerabilities (axis 0% to 40%) for Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Opera.
SPAM, PHISHING, & MALWARE
At a Glance
The global spam rate increased 1.2 percentage points in September to 66.4 percent, up from 65.2 percent in August.
Chemicals/Pharmaceuticals was the most commonly targeted industry, knocking Education from the top spot this month.
The top-level domain (TLD) for Russia, .ru, has topped the list of TLDs seen in spam URLs (the TLD table lags one month, so it reports August data). The TLD for Poland, which previously held the top spot, has dropped from the chart.
Sex/Dating spam continues to be the most common category, at 85.5 percent. Job-related spam comes in second at 6.5 percent.
Spam
Global Spam Volume Per Day
Source: Symantec
Chart: spam messages per day, in billions (axis 10 to 50), September 2012 to September 2013.
Top 5 Activity for Spam Destination by Geography
Source: Symantec
Geography Percent
Sri Lanka 79.7%
China 72.6%
Saudi Arabia 71.9%
Hungary 71.6%
Greece 70.5%
Top 5 Activity for Spam Destination by Industry
Source: Symantec
Industry Percent
Chem/Pharm 68.5%
Education 68.4%
Manufacturing 67.3%
Marketing/Media 67.1%
Non-Profit 66.9%
Top 10 Sources of Spam
Source: Symantec
Source Percent of All Spam
United States 7.75%
Spain 6.75%
Italy 5.92%
Finland 5.69%
India 5.67%
Argentina 5.27%
Brazil 4.72%
Canada 4.15%
Iran 3.60%
Peru 3.17%
Spam URL Distribution Based on Top Level Domain Name*
Source: Symantec
*Month .ru .com .biz .net
Aug 44.2% 30.9% 7.4% 5.5%
*Data lags one month
Average Spam Message Size*
Source: Symantec
*Month 0Kb-5Kb 5Kb-10Kb >10Kb
Aug 33.1% 34.1% 32.9%
Jul 21.1% 28.2% 50.7%
*Data lags one month
Spam by Category
Source: Symantec
Category Percent
Sex/Dating 85.5%
Jobs 6.5%
Pharma 3.9%
Watches 2.3%
Software 1.0%
Top 5 Activity for Spam Destination by Company Size
Source: Symantec
Company Size Percent
1-250 65.9%
251-500 66.3%
501-1000 66.2%
1001-1500 66.5%
1501-2500 66.3%
2501+ 66.7%
At a Glance
The global phishing rate is down in September, comprising one in
1055.7 email messages. In August this rate was one in 625.6.
Financial themes continue to be the most frequent subject matter,
with 76.8 percent of phishing scams containing this theme.
South Africa has the highest rate in September, where one in 471
emails was a phishing scam.
The United States tops the list of sources of phishing emails,
responsible for distributing 42 percent of phishing scams.
The Public Sector was the most targeted industry in September,
with one in every 189.5 emails received in this industry being a
phishing scam.
Phishing
Top 5 Activity for Phishing Destination by Geography
Source: Symantec
Geography Rate
South Africa 1 in 470.7
United Kingdom 1 in 517.3
Netherlands 1 in 672.6
Australia 1 in 725.4
Canada 1 in 914.6
Top 5 Activity for Phishing Destination by Industry
Source: Symantec
Industry Rate
Public Sector 1 in 189.5
Education 1 in 656.0
Finance 1 in 701.8
Accom/Catering 1 in 737.1
Non-Profit 1 in 877.4
Top 5 Activity for Phishing Destination by Company Size
Source: Symantec
Company Size Rate
1-250 1 in 753.0
251-500 1 in 1,325.8
501-1000 1 in 1,886.2
1001-1500 1 in 1,100.6
1501-2500 1 in 2,168.6
2501+ 1 in 1,011.4
Top 10 Sources of Phishing
Source: Symantec
Source Percent
United States 41.96%
United Kingdom 17.38%
Australia 8.93%
South Africa 8.28%
Ireland 7.02%
Japan 5.00%
Germany 2.77%
Sweden 1.30%
Canada 1.09%
Hong Kong 0.83%
Phishing Distribution in September
Source: Symantec
Chart values as extracted, in the order they appear: 43.1%, 5.2%, 3.6%, 1.0%, 47.1%. Categories: Automated Toolkits, Other Unique Domains, IP Address Domains, Free Web Hosting Sites, Typosquatting. Extraction did not preserve which value belongs to which category.
Organizations Spoofed in Phishing Attacks
Source: Symantec
Chart values as extracted, in the order they appear: 16.0%, 5.2%, 1.9%, 0.8%, 76.8%. Categories: Financial, Information Services, Retail, Computer Software, Communications. The text above puts Financial at 76.8 percent; the pairing of the remaining values was not preserved by extraction.
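The hosting categories in the phishing distribution chart (IP address domains, free web hosting sites, typosquatting, other unique domains) can be reproduced from a URL feed with a few rules. The following is an added example and is not Symantec's classification code. The brand list, the free-hosting suffixes and the sample URLs are constructed assumptions; the Automated Toolkits bucket is left out because a toolkit-generated site is recognised from the phishing page itself rather than from its hostname, which a URL-only rule cannot see.

```python
"""Bucket phishing URLs into the hosting categories used in the report.

Added example, not Symantec's code. The lists and sample URLs below are
constructed for illustration; a real deployment would load brand names and
free-hosting providers from a maintained feed.
"""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Assumed brand list: domains within edit distance 2 of one of these labels
# are treated as typosquats of that brand.
SPOOFED_BRANDS = ["paypal", "bankofamerica", "chase", "amazon", "apple"]

# Assumed free web hosting providers; any host under these suffixes is bucketed
# as "Free Web Hosting Sites" regardless of the sub-domain chosen by the phisher.
FREE_HOSTING_SUFFIXES = ("weebly.com", "000webhostapp.com", "blogspot.com", "wixsite.com")

# Constructed sample feed (not real phishing URLs).
SAMPLE_URLS = [
    "http://192.0.2.10/login.php",            # IPv4 literal
    "http://[2001:db8::1]/signin",            # IPv6 literal
    "http://secure-login.weebly.com/paypal",  # free hosting sub-domain
    "http://www.paypa1.com/signin",           # digit-for-letter typosquat
    "http://chaase.com/verify",               # inserted-letter typosquat
    "http://account-update-center.info/",     # unique domain, no brand
    "not a url",                              # malformed input, skipped
]


def _is_ip(host: str) -> bool:
    """True for IPv4 or IPv6 literals; urlsplit strips the [] around IPv6."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable_label(host: str) -> str:
    """Second-level label of a hostname, e.g. 'paypa1' for 'www.paypa1.com'.

    Deliberately crude: public suffixes such as co.uk are not handled, to keep
    the example short. A real classifier would use the Public Suffix List.
    """
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def _levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return the report's hosting category for one URL, or 'invalid'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if _is_ip(host):
        return "IP Address Domains"
    if any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES):
        return "Free Web Hosting Sites"
    label = _registrable_label(host)
    # Undo the two most common look-alike substitutions before measuring distance.
    normalised = label.translate(str.maketrans("01", "ol"))
    for brand in SPOOFED_BRANDS:
        if label == brand:
            continue  # the brand's own registrable domain is not a typosquat
        if _levenshtein(normalised, brand) <= 2:
            return "Typosquatting"
    return "Other Unique Domains"


def distribution(urls) -> dict:
    """Percentage of classifiable URLs per category, mirroring the chart."""
    counts = Counter(c for c in map(classify, urls) if c != "invalid")
    total = sum(counts.values())
    if not total:
        return {}
    return {cat: round(100.0 * n / total, 1) for cat, n in counts.items()}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):24s} {u}")
    print(distribution(SAMPLE_URLS))
```

The order of the checks matters: an IP literal or a free-hosting sub-domain is bucketed before the typosquat test, so a phisher who puts a brand name into a sub-domain of a free host (as in the weebly.com sample) is counted under hosting rather than typosquatting, which is how the report's categories are mutually exclusive.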
Malware
Proportion of Email Traffic in Which Virus Was Detected
Source: Symantec
Chart: virus rate expressed as 1 in N emails (axis 1 in 50 to 1 in 500), September 2012 to September 2013.
Top 10 Email Virus Sources
Source: Symantec
Geography Percent
United Kingdom 41.19%
Ireland 21.48%
United States 18.49%
Australia 3.11%
Netherlands 2.32%
South Africa 1.63%
France 1.46%
India 1.39%
Brazil 1.12%
Canada 1.08%
At a Glance
The global average virus rate in September was one in 383.1 emails, compared to one in 340.1 in August.
The United Arab Emirates topped the list of geographies, with one in 159.2 emails containing a virus.
The United Kingdom was the largest source of virus-laden emails, making up 41.2 percent of all email-based viruses.
Small-to-medium size businesses with 1-250 employees were the most targeted company size, where one in 340.8 emails contained a virus.
Top 5 Activity for Malware Destination by Industry
Source: Symantec
Industry Rate
Public Sector 1 in 106.4
Recreation 1 in 116.8
Transport/Util 1 in 191.7
Accom/Catering 1 in 262.4
Education 1 in 305.5
Top 5 Activity for Malware Destination by Company Size
Source: Symantec
Company Size Rate
1-250 1 in 340.8
251-500 1 in 372.1
501-1000 1 in 547.8
1001-1500 1 in 416.1
1501-2500 1 in 691.4
2501+ 1 in 352.8
Top 5 Activity for Malware Destination by Geographic Location
Source: Symantec
Geography Rate
United Arab Emirates 1 in 159.2
United Kingdom 1 in 192.6
Austria 1 in 299.2
Netherlands 1 in 312.2
Italy 1 in 409.9
At a Glance
Variants of W32.Ramnit accounted for 17.6 percent of all malware
blocked at the endpoint.
In comparison, 7.3 percent of all malware were variants of
W32.Sality.
Approximately 39.0 percent of the most frequently blocked
malware last month was identified and blocked using generic
detection.
Endpoint Security
Top 10 Most Frequently Blocked Malware
Source: Symantec
Malware Percent
W32.Ramnit!html 6.98%
W32.Sality.AE 6.62%
W32.Ramnit.B 5.90%
W32.Ramnit.B!inf 4.05%
W32.Almanahe.B!inf 3.67%
W32.Downadup.B 3.28%
W32.Virut.CF 2.29%
Trojan.Zbot 1.75%
Trojan.Maljava 1.39%
W32.SillyFDC 1.29%
Policy Based Filtering
At a Glance
The most common trigger for policy-based filtering applied by Symantec Web Security .cloud for its business clients was the Social Networking category, which accounted for 48.1 percent of blocked Web activity in September.
Advertisement & Popups was the second-most common trigger, comprising 20.4 percent of blocked Web activity.
Policy Based Filtering
Source: Symantec
Category Percent
Social Networking 48.07%
Advertisement & Popups 20.35%
Hosting Sites 4.15%
Streaming Media 3.46%
Computing & Internet 3.29%
Peer-To-Peer 2.66%
Chat 2.58%
Search 2.40%
Gambling 1.70%
Portal 1.20%
More Information
Security Response Publications: http://www.symantec.com/security_response/publications/
Internet Security Threat Report Resource Page: http://www.symantec.com/threatreport/
Symantec Security Response: http://www.symantec.com/security_response/
Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/
Contributors
Special thanks to Stephen Doherty and Gavin O'Gorman for their contributions this month.
About Symantec
Symantec protects the world's information and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment, from the smallest mobile device to the enterprise data center to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.
Copyright 2013 Symantec Corporation.
All rights reserved. Symantec, the Symantec Logo,
and the Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may
be trademarks of their respective owners.
For specific country offices and contact numbers,
please visit our website.
For product information in the U.S.,
call toll-free 1 (800) 745 6054.
Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com
Confidence in a connected world.
