Viruses changing at an alarming rate to evade traditional malware detection
Dubai, UAE – August 10, 2011 – Symantec Corp. (Nasdaq: SYMC) today announced the publication
of its July 2011 Symantec Intelligence Report, now combining the best research and analysis from the
Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This
month’s analysis reveals a significant increase in activity related to what may be described as an aggressive
and rapidly changing form of generic polymorphic malware. With one in 280.9 emails identified as
malicious in July, the rise accounted for 23.7 percent of all email-borne malware intercepted in July; more than
double the same figure six months ago, indicating a much more aggressive strategy on the part of the cyber
“The number of variants, or different strains of malware involved in each attack has grown dramatically, by a
factor of 25 times, when compared to the previous six months. This is a disturbing proliferation in such a short
time, increasing the risk profiles of many organizations as these new strains are much harder to detect using
traditional security defenses,” said Bulent Teksoz, Security Strategist at Symantec.
The report shows that the malware is frequently contained inside an executable within the attached ZIP archive
file, and often disguised as a PDF file or an office document, for example. “This new aggressive approach
to distributing generic polymorphic malware on such a scale should be concerning for many businesses,
particularly for those who rely solely on more traditional security countermeasures, which this type of malware
is designed to evade. One example of this technique involves changing the startup code in almost every version
of the malware; subtly changing the structure of the code and making it harder for emulators built into many
anti-virus products to identify the code as malicious,” added Teksoz.
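One way a mail gateway could check for the delivery pattern described above, an executable inside a ZIP attachment presented as a PDF or office document. This is an added example, not taken from the Symantec report; the extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed lists: extensions Windows will execute, and document types a lure imitates.
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".rtf"}

def split_exts(name):
    """Return lower-cased extensions of the base name, e.g. ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + p.strip() for p in base.split(".")[1:] if p.strip()]

def inspect_zip_attachment(data):
    """Return a list of (member_name, reasons) for suspicious archive members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be read here
                findings.append((info.filename, ["encrypted-member"]))
                continue
            exts = split_exts(info.filename)
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE executable magic bytes
            reasons = []
            if is_pe:
                reasons.append("pe-header")
            last = exts[-1] if exts else ""
            if last in EXEC_EXT and any(e in DOC_EXT for e in exts[:-1]):
                reasons.append("double-extension")
            if is_pe and last in DOC_EXT:
                reasons.append("pe-with-document-extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample():
    """Constructed sample archive; members are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0711.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("report.pdf", b"%PDF-1.4\n%%EOF\n")
        zf.writestr("statement.doc", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample()):
        print(name, reasons)
```

Because the check keys on the file header and the name rather than on a signature of the code, it is unaffected by the per-variant changes to startup code that the report describes.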
Further analysis also reveals that phishing attacks have been seeking various means to exploit vulnerable cell
phone users. According to Wood, “Two key areas in which we can see this trend are, firstly, the increase in
phishing against wireless application protocol (WAP) pages, which are lightweight Web pages designed for
smaller mobile devices such as cell phones; and secondly, the use of compromised domain names that have
been registered for mobile devices, for example, using the .mobi top-level domain.”
Symantec has identified phishing sites spoofing such Web pages and has been monitoring the trend. In July,
social networking and information services brands were frequently observed in these phishing sites. The
primary motive of these attacks continues to be identity theft. Targeting cell phone users is just part of a new
strategy for achieving the same result.
Other report highlights:
Spam: While producing only 2.4% of global spam, Saudi Arabia remains the most spammed geography in
the world, with a spam rate of 85.6%.
Phishing: In July, phishing email activity increased by 0.01 percentage points since June 2011; one in 319.3
emails (0.313 percent) comprised some form of phishing attack.
E-mail-borne Threats: The global ratio of email-borne viruses in email traffic was one in 280.9 emails (0.333
percent) in July, an increase of 0.01 percentage points since June 2011.
Web-based Malware Threats: In July, Symantec Intelligence identified an average of 6,797 Web sites each
day harboring malware and other potentially unwanted programs including spyware and adware; an increase of
25.5 percent since June 2011.
Endpoint Threats: The most frequently blocked malware for the last month was W32.Ramnit!html. This
is a generic detection for .HTML files infected by W32.Ramnit, a worm that spreads through removable
drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files
with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 17.3 percent of all
malicious software blocked by endpoint protection technology in July.
• As the global spam level declined in July 2011, Saudi Arabia remained the most spammed geography,
with a spam rate of 85.6 percent; Russia remained the second most-spammed.
• In the US, 78.0 percent of email was spam and 77.7 percent in Canada.
• The spam level in the UK was 78.2 percent.
• In The Netherlands, spam accounted for 78.8 percent of email traffic, 77.9 percent in Germany, 77.6
percent in Denmark and 75.8 percent in Australia.
• In Hong Kong, 76.8 percent of email was blocked as spam and 75.7 percent in Singapore, compared
with 74.7 percent in Japan.
• Spam accounted for 76.9 percent of email traffic in South Africa and 78.7 percent in Brazil.
• Phishing attacks in the UK increased to overtake South Africa and become the most targeted
geography for phishing emails in July, with one in 127.9 emails identified as phishing attacks.
Phishing in South Africa fell slightly to make it the second most targeted country, with one in 163.1
emails identified as phishing attacks.
• Phishing levels for the US were one in 1,237 and one in 192.6 for Canada.
• In Germany phishing levels were one in 798.3, one in 1,448 in Denmark and one in 526.9 in The
• In Australia, phishing activity accounted for one in 850.8 emails and one in 2,503 in Hong Kong; for
Japan it was one in 13,167 and one in 872.9 for Singapore.
• In Brazil, one in 382.4 emails were blocked as phishing attacks.
• Email-borne malware attacks rose in South Africa as the country became the geography with the
highest ratio of malicious emails in July, overtaking the UK as one in 125.2 emails was identified as
malicious in July; in the UK one in 127.0 emails was malicious.
• In the US, virus levels for email-borne malware were one in 634.8 and one in 255.9 for Canada.
• In Germany virus activity reached one in 482.1, one in 1,033 in Denmark and in The Netherlands one
• In Australia, one in 654.8 emails were malicious and one in 748.7 in Hong Kong; for Japan it was one
in 2,093, compared with one in 761.8 in Singapore.
• In Brazil, one in 332.1 emails contained malicious content.
• In July, the Automotive industry sector remained the most spammed industry sector, with a spam rate
of 80.7 percent.
• Spam levels for the Education sector reached 80.3 percent and 77.9 percent for the Chemical &
Pharmaceutical sector; 77.8 percent for IT Services, 77.8 percent for Retail, 77.0 percent for Public
Sector and 77.0 percent for Finance.
• The Public Sector remained the most targeted by phishing activity in July, with one in 73.2 emails
comprising a phishing attack.
• Phishing levels for the Chemical & Pharmaceutical sector were one in 799.0 and one in 566.2 for the
IT Services sector; one in 482.3 for Retail, one in 87.8 for Education and one in 396.7 for Finance.
• With one in 62.1 emails being blocked as malicious, the Public Sector remained the most targeted
industry in July.
• Virus levels for the Chemical & Pharmaceutical sector were one in 438.9 and one in 390.0 for the IT
Services sector; one in 418.3 for Retail, one in 79.1 for Education and one in 443.5 for Finance.
The July 2011 Symantec Intelligence Report provides greater detail on all of the trends and figures noted
above, as well as more detailed geographical and vertical trends. The full report is available here.