The State of Spam. Paul Wood Senior Analyst, MessageLabs Intelligence Symantec Hosted Services

Transcription

1 The State of Spam Paul Wood Senior Analyst, MessageLabs Intelligence Symantec Hosted Services

2 Agenda 1 Introduction 2 Malware & The Underground Shadow Economy 3 Spam Patterns & Trends 4 Technology & Botnets 4 Q&A State of Spam 2

3 Introduction State of Spam 3

4 Symantec acquired MessageLabs in 2008: Symantec Hosted Services 30,000 businesses with 9 million users in 100 countries 5 billion connections per day 1 billion web connections per day 14 data centres spanning 4 continents State of Spam 4

5 The Changing Face of Spam During the Last Decade INCREASED COMPLEXITY AND SOPHISTICATION IN GREATER VOLUMES Symantec MessageLabs Intelligence Reports % 2010 State of Spam

6 Evolving Threat Landscape Threats now span multiple protocols Spoofed with Web Link Fraudulent IM with Web Link Compromised Website Hosting Malware State of Spam Comprehensive Protection Needed Across , Web, and IM

7 Malware & The Underground Shadow Economy State of Spam 7

8 Underground Economy Main Drivers of Cybercrime Greater levels of innovation and technology improvements Competition between criminal groups Increased diversity in money-making operations They employ smart people Cybercrime is a business! Making a lot of money 8

9 Underground Economy Beating the Bad Guys Stay ahead of the curve Multiple layers of technology continually adapting and evolving What works today is less effective tomorrow and may be useless in a week We also employ smart people! It s effectively an arms race 9

10 New Zero Hour Threats Increasing Increases are due to: Specialization of participants in the shadow economy There is a lot of money to be made Use of toolkits to create viruses/attacks Greater pressure on traditional signature-based protection Detection, signatures and updates are difficult to create quickly before a threat disappears Sophistication of high end threats is evolving rapidly Targeted threats which attack specific companies, persons or systems In Signatures per day In ,934 Signatures per day State of Spam

11 In 2009, we blocked phish relating to 1079 organisations Just 8 organisations made up 50% of the phish blocked 83 organisations made up 95% of the phish blocked million phish s sent every day On average that approximate 1 phish per broadband user, every day State of Spam 11

12 Phishing: Anatomy of an Attack Malicious URLs appear in s designed to appear legitimate Spoofed or compromised website is used to capture account information or install malware

13 Targeted Attacks 1 Attacker performs reconnaissance 3 Attacker sends personalized 2 Attacker collects relevant and personal information (remarkably easy!) State of Spam 13

14 Low Volume, Highly Damaging Jul 2008 Jul 2009 Jul 2010 Typically 1 in 1,000,000 mails globally 60% of recipients are of a high/medium seniority Watch out Gov/Public Sector... 34% of all attacks State of Spam 14

15 Typical Example of a Targeted Attack On 8 September 2010, the existence of a new zero-day vulnerability in a popular version of a.pdf viewer was disclosed (CVE ) Skeptic blocked the first examples of exploits in the wild on 1 September 2010 as JS/Generic Sep 02-Sep 03-Sep 04-Sep 05-Sep 06-Sep 07-Sep 08-Sep The attack arrived as a.pdf file containing embedded JavaScript. The JavaScript was heavily obfuscated using a custom encryption technique to conceal the payload. There was a social engineering aspect to the attack too, which varied according to the individual and organization being targeted. 15

16 Malware: Providing the Air-supply for Spam million malicious s sent every day On average that s approximately 1-2 malicious s per broadband user, every day 25% of all viruses are missed by signature AV scanners when received State of Spam 16

17 Malware: Recent Example - W32.Imsolk.B@mm (aka Here you have ) Many business users likely saw something like this in their inboxes on 09 Sept 2010 MessageLabs Intelligence 17

18 Typical Window of Vulnerability: Imsolk.B Here you have worm MessageLabs Intelligence 18

19 Web Security: Web-based Malware Drive-by Downloads and BHSEO * Lead the Way 1. Hacker Inserts Malicious URL User visits good web site 3. User re-directed to Bad Web Site 4. Bad web site sends obfuscated exploit for vulnerability on user s system 5. Malware is installed without the user noticing 5 80% of malicious websites blocked in 2009 were legitimate, but compromised * Black Hat Search Engine Optimisation State of Spam 19

20 Common Web attacks: Rogue Security Software - Rogue AV, Fake AV, ScareWare $49.95 x 1,000s State of Spam 20

21 Average 1 block/client/day. More than 3,000 new sites/day Users may browse to malicious websites, or they could be led to the threat via other websites, s, instant messages... Poor Risk Awareness To reduce the risk of malware infection in your business, users should only visit legitimate, mainstream websites State of Spam 21 21

22 Endpoint Security beyond the gateway Inside and outside your organisation: PCs/networks/laptops Malware may penetrate an organization in many ways Last line of defence: Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering Malware W32.Sality.AE 8.3% W32.Downadup.B 5.0% W32.SillyFDC 3.4% W32.Mabezat.B 3.0% W32.Almanahe.B!inf 2.4% W32.Gammima.AG 1.6% W32.SillyDC 1.6% W32.Changeup 1.2% W32.Imaut 1.1% Infostealer.Gampass 1.0% Employee use of removable drives, mobile users, webmail Acceptable Usage Policies Single infection spreads across network and externally State of Spam 22

23 Spam Patterns & Trends State of Spam 23

24 State of Spam 24

25 157 >9 out of 10 s are spam On average, spam for every man, woman, and child, every day On average, spam for every broadband user, every day State of Spam 25

26 The Importance of Social Engineering Current Events Leveraged More Than Ever 26

27 Types of Spam Watches/Jewelry 10.3% Unsolicited Newsletters 7.0% Adult/Sexual/Dating 5.6% Software 2.3% Unknown/Unclassified 1.9% Casino/Gambling 1.4% Other 8.0% Scams/Lottery/419s 0.9% Weight Loss 0.9% Pharmaceutical 66.7% Missing Person 0.5% Degrees/Diplomas 0.5% Jobs/Careers 0.5% Phishing 0.5% Mobile Phones 0.5% Malware 0.5% State of Spam 27

28 Spam Trends: Language Translation Non-English Spam Increasing Automated Tools Doesn t always work State of Spam 28

29 Regional Variations Language of spam Unknown 2.4% French Portuguese Russian 0.55% 0.53% 0.65% German 0.28% 95.3% English Chinese Japanese Spanish Italian other known language 0.10% 0.05% 0.05% 0.04% 0.02% State of Spam 29

30 Spam: Social Media, URL Shorteners, Blogging 30

31 The Value of Real Accounts and Breaking CAPTCHAs

32 Percentage of spam that contains a shortened URL hyperlink State of Spam 32

33 Country of Origin Top-10 August 2010 January 2010 U.S. 24% 24% India 6% 5% U.K. 5% 2% Netherlands 5% 5% Brazil 5% 6% Germany 4% 5% Vietnam 3% - France 3% - Australia 2% - Romania 2% 3% Spam originating from this country has increased Spam originating from this country has decreased No change in the percentage of spam from this country State of Spam 33

34 Technology & Botnets State of Spam 34

35 Botnets, or robot NETworks, are the collective name given to groups of computers around the world that are infected with remote access Trojan malware. Different criminal groups control a variety of botnets, each uniquely identifiable by certain individual characteristics. State of Spam 35

36 State of Spam 36

37 PCs That Are Part of a Botnet UK, USA, Germany: 1 in 200 India: 1 in 30 Brazil: 1 in 20 Vietnam: 1 in 10 State of Spam 37

38 Botnets Responsible for 95% of Spam Botnet % of Spam Spam/ Day Spam/ Min Spam/ Bot/ Min Estimated Botnet Size Country of Infection Rustock 40.99% 46.2 bn 32,077, k to 1540k USA (14%), Germany (8%), UK (8%) Grum 16.36% 18.4 bn 12,798, k to 1100k Cutwail 6.99% 7.9 bn 5,468, k to 720k Mega-D 5.63% 6.3 bn 4,405, k to 180k Lethic 2.28% 2.6 bn 1,787, k to 350k Vietnam (16%), India (14%), Russia (12%) India (13%), Russia (7%), Rep. Korea (7%) Russia (12%), Ukraine (11%), Brazil (10%) Netherlands (11%), Rep. Korea (7%), Israel (7%) Storm 1.98% 2.2 bn 1,553, k to 84k USA (81%), Canada (5%), UK (4%) Bobax 1.80% 2.0 bn 1,410, k to 140k India (27%), Russia (13%), Ukraine (7%) Asprox 1.23% 1.4 bn 960, k to 12k USA (45%), UK (8%), India (8%) Xarvester 0.43% 487 m 338, k to 36k Italy (9%), Germany (8%), UK (8%) Gheg 0.04% 43 m 30, k to 12k Other, smaller Botnets Unclassified Botnets Total Botnet Spam 0.07% 300 m 208, k to 70k 17.64% 19,9 bn 13,803, k to 850k Columbia (13%), Romania (13%), Philippines (10%) 95.44% bn 74,842, m to 5.1m USA (11%), India (7%), Brazil (5%) Non-botnet Spam 4.56% 4.9 bn 3,408,333 State of Spam 38

39 Proportion of Spam from Major Spam Botnets XARVESTER Other botnets STORM LETHIC GHEG State of Spam 39

40 Botnet Distribution: Rustock (USA/Europe) State of Spam 40

41 Botnet Distribution: Cutwail (Asia/Europe) State of Spam 41

42 Botnet Resilience: Disrupting Botnets and Rogue ISPs Nov 2008: Jun 2009: Aug 2009: Nov 2009: McColo: Srizbi, Mega-D, Rustock PriceWert-3FN: Cutwail RealHost: Cutwail Mega-D x x x x 42

43 Botnet Technology Evolution 1. Botnet malware C&C is separate to C&C for spam component. Used to update spam engine software and other modules using separate C&C channels 2. Use of Encryption for C&C (e.g. simple encryption /encoding symmetric keys, base64, XOR etc.). Digital signatures to authenticate new downloads and updates 3. Use of fast-flux and P2P to hide C&C activity. HTTP C&C with algorithms for computing dynamic DNS domain names 4. Rootkit kernel drivers (load before AV) and perform process injection to avoid disk writing and support other rootkit operations 5. Use of optimized spam templates for mail-merge, pre-fetching MX and mail server IP addresses to reduce DNS overhead and include data with mail-merge data 6. Use of multiple processes and threads to optimise throughput and scalability 7. Self-protection, repair and monitoring of critical processes. Sometimes includes counter-surveillance techniques to disrupt research of botnet activity from outside agencies 8. Support for additional modules for other activities, e.g. sniff network traffic on port 25, install other malware, spyware ad-popups, fake security s/w and CAPTCHA breaking bots onto infected machines State of Spam 43

44 Summary State of Spam 44

45 Threats include: Spam: Products, scams Malicious Malware Phish Targeted attacks Web User browse Led by link Web Instant Message Social Media / Blogging Endpoint Removable drive Roaming Webmail Spread across network Consequences include: Loss of personal data Passwords Bank details Loss of corporate data Fake Anti Virus etc Recruit PC to botnet Send spam Mass infect websites DDos attacks Spy/Monitor Competitive advantage Harm reputation Blackmail Hold to ransom Launch further attacks Instant message Targeted attacks Dormant control 45

46 AS Technologies Reputation Global Intelligence Network Open Proxies/Zombies Safe/Good/Trusted Suspect/Spam-like Connection Classification Fastpass Directory Harvest Attack Heuristics Header Language Content Structural (MIME, HTML) Arbitrary/updateable (RBE) Image Signatures URL (hash and regex) Body (hash, fuzzy, regex) Attachment (hash, fuzzy, regex) Arbitrary/updateable (RBE) Statistical/Template Authentication/Encryption BATV DKIM SPF SenderID SMTP over TLS Content Encryption User Allow and Block IP Domain/ Language Filters FP/FN Submission Admin Allow and Block IP/CIDR /Domain Language Filters 3 rd Party IP Lists FP/FN Submission Managed by Symantec Managed by customers (optional) State of Spam 46

47 Security In The Cloud Multiple Levels of Filtering Threats & legitimate business 56.9% 26.3% 1.4% 0.03% 0.02% Traffic Shaping SMTP Heuristics User Validation Commercial Scanners Skeptic Connection Management Anti-Virus 2.3% 4.4% Commercial Scanner Skeptic Anti-Spam 9.8% Legitimate business Source: MessageLabs Intelligence August

48 About Symantec Hosted Services and SaaS Internet Solution Analyse Global Traffic Predictive Converged Threat Analysis Strong SLAs Processing Power Desktop Solution Analyse own traffic Greater reliance on signatures Performance v Accuracy State of Spam 48

49 Beyond Converged Threat Analysis and SaaS Symantec s MessageLabs clients can also benefit from a multilayer defense against attacks of this nature Threat via another vector Blocked the If required would have blocked the link & download If required would have blocked the code execution with link Hosted AntiVirus Skeptic Web Hosted Security Endpoint Service Protection Skeptic Users Converged Threat Analysis Since our services share information via Converged Threat Analysis detection in one service results in protection across all services MessageLabs Intelligence 49

50 Where To Go Next? messagelabs.com/intelligence symantec.com/spam On the messagelabs.com and symantec.com websites: and web stats on homepage Analysis on MessageLabs Intelligence site Register to receive latest reports and information All MessageLabs Intelligence Reports and Press Releases Podcasts, Blog and links to Twitter Podcasts

51 Thank You! Any Questions? State of Spam 51