5. Q2 Malware Trends
Blended attacks mix brands and malware
The attacks all included similar characteristics:
• Well-crafted emails imitating those of known companies, sent out in
large volumes.
• The emails included links to multiple compromised websites which then
redirected to the malware hosting websites.
• The compromised websites were often based on the WordPress content
management system.
• The malware itself was mostly hosted on various .ru domains.
• The malware pages showed simple messages such as “Please Wait –
Loading” (black text on white).
• The same Flash and Adobe Reader exploits were used in most of the
malware
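A detection sketch for the characteristics listed above, added here as an example and not taken from the Commtouch report: it groups observed redirect chains by landing host and reports .ru landings reached from several distinct entry sites. The WordPress path markers, the function names and all sample URLs are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: common WordPress path prefixes, used as a hint that a hop is a WordPress site.
WP_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")

def host(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()

def chain_signals(hops, landing_text):
    """Return the set of listed characteristics that one redirect chain matches."""
    signals = set()
    if len(hops) >= 2 and host(hops[0]) != host(hops[-1]):
        signals.add("redirect")            # link leaves the site it first pointed to
    if any(m in urlsplit(h).path.lower() for h in hops[:-1] for m in WP_MARKERS):
        signals.add("wordpress_hop")       # intermediate hop looks like WordPress
    if host(hops[-1]).endswith(".ru"):
        signals.add("ru_landing")          # final page hosted on a .ru domain
    text = landing_text.lower()
    if "please wait" in text and "loading" in text:
        signals.add("wait_page")           # the simple "Please Wait – Loading" page
    return signals

def converging_landings(chains, min_entry_sites=2):
    """Map each .ru landing host reached from several entry sites to its merged signals."""
    entries, merged = defaultdict(set), defaultdict(set)
    for hops, text in chains:
        final = host(hops[-1])
        entries[final].add(host(hops[0]))
        merged[final] |= chain_signals(hops, text)
    return {h: sorted(merged[h]) for h in entries
            if len(entries[h]) >= min_entry_sites and "ru_landing" in merged[h]}

# Constructed sample data: (redirect chain from the email link, text of the final page).
SAMPLE_CHAINS = [
    (["http://blog.example.org/wp-content/uploads/track.html",
      "http://landing.constructed-sample.ru/main.php"], "Please Wait - Loading"),
    (["http://shop.example.net/wp-includes/js/info.html",
      "http://landing.constructed-sample.ru/main.php"], "Please Wait - Loading"),
    (["http://news.example.com/article",
      "http://news.example.com/article/"], "Daily news"),
]
```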
7. Q2 Malware Trends
Movie ticket hoax hides malware on Dropbox
• Email offers free movie tickets
• Clicking on the links leads to several redirects and scripts
• Download of file “entrada_cine.zip” from the following link:
• https://dl.dropbox.com/u/689--025/bts/entrada_cine.zip
8. Q2 Malware Trends
Email-attached malware
• Increase over Q1 levels
• Sample attacks:
• DHL tracking
• “why did you put this photo online”
9. Q2 Malware Trends
Top 10 Malware of Q2 2012
Rank Malware name Rank Malware name
1 W32/RLPacked.A.gen!Eldorado 6 W32/Sality.gen2
2 W32/InstallCore.A2.gen!Eldorado 7 W32/RAHack.A.gen!Eldorado
3 W32/Sality.C.gen!Eldorado 8 W32/OnlineGames.FL.gen!Eldorado
4 W32/HotBar.L.gen!Eldorado 9 W32/Vobfus.AD.gen!Eldorado
5 W32/Heuristic-210!Eldorado 10 JS/Pdfka.EV.gen
Source: Commtouch
10. Q2 Malware Trends
For a complete analysis of Malware in Q2 and the
specific attacks employed, download the complete July
2012 Internet Threats Trend Report
http://www.commtouch.com/threat-report-july-2012
12. Q2 Compromised Websites
Malware and spam campaigns used
compromised sites extensively
• Sample LinkedIn email leads to simple notice while malware is
downloaded
• Legitimate site continues to function normally
Source: Commtouch
13. Q2 Compromised Websites
Website categories infected with malware
• Pornographic sites disappeared from the top 10 as many legitimate sites
from different categories found themselves hacked and hosting malware
Rank Category Rank Category
1 Education 6 Sports
2 Travel 7 Leisure & Recreation
3 Business 8 Health & Medicine
4 Entertainment 9 Fashion and beauty
5 Restaurants and dining 10 Streaming media and downloads
Source: Commtouch
14. Q2 Compromised Websites
Phishing campaigns also using
compromised sites
• Sample – Yahoo phishing uses compromised photography site from
Romania
• Legitimate site continues to function normally
Source: Commtouch
15. Q2 Compromised Websites
Website categories infected with phishing
• During the second quarter of 2012, Commtouch analyzed which categories
of legitimate Web sites were most likely to be hiding phishing pages
(usually without the knowledge of the site owner).
• Portals (offering free website hosting) remained at the highest position.
Rank Category Rank Category
1 Portals 6 Business
2 Fashion & Beauty 7 Arts
3 Sports 8 Streaming media and downloads
4 Shopping 9 Computers and technology
5 Education 10 Travel
Source: Commtouch
18. Q2 Spam Trends
Spammers invent “Facebook Social”
Links lead via
compromised sites to
pharmacy sites
Source: Commtouch
19. Q2 Spam Trends
Phony MySpace, Facebook emails
Links lead to the
“wikipharmacy”
Source: Commtouch
20. Q2 Spam Trends
Spam Levels
• Marginal decrease compared to previous quarter
• Average daily spam levels dropped to 91 billion spam and phishing
emails/day
Spam levels – Jan to June 2012
Source: Commtouch
21. Q2 Spam Trends
Spam %
• Spam averaged 76% of all emails in Q2
Spam % of all emails – Jan to June 2012
Source: Commtouch
23. Q2 Spam Trends
Spam Topics in Q2
• Pharmacy spam continued to increase, as it did last quarter, to nearly
41% of all spam (~3% more than the previous quarter)
• Enhancer and diet-themed spam increased while replica spam dropped
almost 8%
Source: Commtouch
24. Q2 Spam Trends
Top Faked (Spoofed) Spam Sending Domains*
Source: Commtouch
* Domains used by spammers in the “from”
field of the spam emails.
27. Q2 Zombie Trends
Daily Turnover of Zombies in Q2
• Average turnover: 303,000 zombies newly activated each day, sending spam
(increase from 270,000 in Q1 2012)
Daily newly activated spam zombies: Jan to June 2012
Source: Commtouch
28. Q2 Zombie Trends
Worldwide Zombie Distribution in Q2
Source: Commtouch
• India again claimed top zombie producer title, moving above 20%
• Poland, Italy, and Indonesia dropped out of the top 15, replaced
by Saudi Arabia, Romania, and more surprisingly, Germany –
which had stayed well out of the top 15 for over one and a half
years.
30. For more information contact:
info@commtouch.com
650 864 2000 (Americas)
+972 9 863 6895 (International)
Web: www.commtouch.com
Blog: http://blog.commtouch.com