"It seems that these constant attacks alternate the use of different malware families," says Paul Wood, an analyst at MessageLabs Intelligence. "For example, one day they could be dedicated to specially propagating variants of Zeus (known as Zbot), while another day they could devote themselves to distributing variants of SpyEye. On February 10, these attacks have multiplied further and have been spread simultaneously, using each malware family its own polymorphic packager to better evade the detection of traditional antiviruses."
Although the vast majority of attacks were related to Zeus and SpyEye, many of them share similarities with the well-known Bredolab Trojan, indicating that some of the features associated with Bredolab are also used in Zeus and SpyEye. All of these attacks use a ZIP attachment containing an executable with malicious code. In February, 1.5% of the blocked malware contained attachments with ZIP files and subsequent analysis showed that 79.2% of them were related to the latest wave of attacks by Bredolab, Zeus and SpyEye.
"During the first two weeks of February, MessageLabs Intelligence identified at least four different polymorphic engines that use these packagers on servers to change the code structure of the Zeus, Bredolab and SpyEye malwares and to increase the number of variants of each of them," wood says. "Given the technical difficulties in maintaining this number of polymorphic engines and that each evolves rapidly to generate a huge number of variants in these three families, this is one of the first times that MessageLabs Intelligence has identified malware collaborating on a technical level on a large scale and volume."
Over the past year, malicious executable files have increased in frequency alongside PDF files – the most popular file format for malware distribution. PDFs now account for a larger proportion of the document file types used as attack vectors. In 2009, approximately 52.6% of attacks targeting specific users used PDF files, compared to 65% in 2010, an increase of 12.4%. Despite the decline this month, if the trend continues in the same way it has over the past year, 76% of malware targeting specific users could be used for PDF-based attacks by mid-2011.
"Attacks targeting specific PDF-based users have arrived and are not going away. What's more, it is estimated that they will become more dangerous as malware authors continue to innovate in the provision, construction and obfuscation of the techniques necessary for this type of malware," says Wood.
Other highlights:
Spam: In February 2011, the global share of spam in email traffic from new and previously unknown bad sources was 81.3% (1 in 1.23 emails), an increase of 2.7% percentage points since January.
Viruses: The global share of email-borne viruses in email traffic from new and previously unknown bad sources was 1 in 290.1 emails (0.345%) in February, an increase of 0.07% percentage points since January. In February, 63.5% of email-borne viruses contained links to malicious websites, down 1.6% percentage points from January.
Endpoint threats: Threats against terminal devices, such as laptops, PCs, and servers, can penetrate an organization through a variety of mechanisms, including pass-by-visit attacks on infected websites and Trojan and worm attacks that spread by copying to replaceable drives. The most frequently blocked malware scans over the past month indicated that the Sality.AE virus was the most prevalent. Sality.AE spreads through executable files and tries to download malicious files on the Internet.
Phishing: In February, phishing activity was 1 in 216.7 emails (0.462%), an increase of 0.22% percentage points since January.
Web Security: Analyses of Web security activity show that 38.9% of blocked malicious domains were new in February, a decrease of 2.2% percentage points since January. Also, 20.3% of all blocked web-based malware was new in February, down 2.2% percentage points from last month. MessageLabs Intelligence also identified an average of 4,098 new websites per day that host malware and other potentially unwanted programs such as spyware and adware, a 13.7% decrease since January.
Geographic trends:
China received the most spam in February, with a rate of 86.2%.
In the U.S. and Canada, 81.4% of email was spam. Spam levels in the UK were 81.1%.
In the Netherlands, spam accounted for 82.2% of email traffic, while spam levels reached 81.2% in Germany, 81.7% in Denmark and 81.0% in Australia.
Spam levels in Hong Kong reached 82.8% and 80.4% in Singapore. Spam levels in Japan were 78.5%. In South Africa, spam accounted for 81.6% of email traffic.
South Africa remained the country most affected by email-borne malware, with 1 in 81.8 emails blocked as malicious in February.
In the UK, 1 in 139.0 emails contained malware. In the U.S. virus levels were 1 in 713.6 and 1 in 328.8 in Canada. In Germany, virus levels reached 1 in 393.1; 1 in 451.1 in Denmark and 1 in 910.4 in the Netherlands.
In Australia, 1 in 365.8 emails were malicious, and 1 in 455.3 in Hong Kong; in Japan it was 1 in 1,331.0 compared to 1 in 828.9 in Singapore and 1 in 457.0 in China.
Vertical trends:
In February, the sector that received the most spam - with a rate of 84.3% - remained the automotive sector.
The levels of spam in education were 82.6%; 81.7% for the chemical and pharmaceutical sector; 81.4% for IT services; 80.8% for commercial establishments; 80.1% for the public sector and 80.2% for the financial sector.
In February, the public/government sector remained the hardest hit by malware, with 1 in 41.1 emails blocked as malicious.
Virus levels in the chemical and pharmaceutical sector were 1 in 458.3; 1 in 394.4 for the IT services sector; 1 in 514.3 for commercial establishments; 1 in 137.2 in education and 1 in 436.9 in the financial sector.
Full report: http://www.messagelabs.co.uk/mlireport/MLI_2011_02_February_FINAL-en.PDF
Sources: CanalPDA e.Security and Symantec MessageLabs
