Symantec Global Internet Security Threat Report
The decreased proportion of overall malicious activity for the United States is attributable to increased activity in other countries and to its lower percentage for spam zombies. This is similar to the decrease in 2008, as discussed in Volume XIV of the Symantec Global Internet Security Threat Report.32 In 2009, the Federal Trade Commission shut down an Internet service provider (ISP) that was known to host or actively distribute malicious code, bot C&C servers, and illegal pornography, among other content.33
One of the botnets linked to this ISP was Pandex (a.k.a., Cutwail).34 This botnet was responsible for as much as 35 percent of spam observed globally before dropping to 8 percent after the ISP was shut down.35 Spam zombies that lack a critical command system are unable to send out spam. Additionally, a security researcher allegedly attacked and disabled 250,000 computers associated with the Ozdok (a.k.a., Mega-D) botnet.36 The volume of spam sent by both botnets recovered several days afterwards because unaffected zombies were instructed to significantly increase their spam output, indicating that these events may have been a large factor in the decrease of spam zombies in the United States.
China had the second highest amount of overall worldwide malicious activity in 2009, accounting for 8 percent of the total; this is a decrease from 9 percent in 2008. China’s rankings within most specific category measurements remained consistent with those of 2008, except for spam zombies. For example, its rank for phishing hosts and attack origin remained unchanged, while its rank for malicious code and bot-infected computers dropped by one place for each. For spam zombies, China dropped from fourth in 2008 to eighth in 2009.
China’s rank may decline further in 2010 because of an enhanced domain registration procedure introduced by China’s Internet Network Information Center (CNNIC) on December 11, 2009.37 The changes require domain applications to include paper copies of the application form, the official business seal, and the registrant’s personal identification. Prior to this change, registrants could register a .cn domain in the guise of a legitimate company and send spam from that domain, which could be interpreted by the spam recipient as coming from a legitimate source. Early observations indicate that the daily volume of spam originating from .cn domains fluctuated around 20 percent after the changes were implemented, down from an average of around 40 percent prior to the changes.
Brazil ranked third for malicious activity in 2009 with 6 percent of the total. This is an increase from 4 percent in 2008 and is the first time since Symantec introduced this metric in 2006 that a country other than the United States, China, or Germany has ranked in the top three. Brazil became more prominent in all of the specific category measurements except for spam zombies, where it was already the top-ranked country. Brazil’s significant increases across all categories are related to the growing Internet infrastructure and broadband usage there, as has been discussed in previous versions of the Symantec Global Internet Security Threat Report.38
32 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf : p.
33 http://www.ftc.gov/opa/2009/06/3fn.shtm
34 http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99
35 http://searchsecurity.techtarget.com.au/articles/32685-rogue-iSp-shutdown-slows-spam-torrent
36 See http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99, http://www.networkworld.com/news/2009/111009-fireeye-moves-quickly-to-quash.html, and http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html
37 http://www.symantec.com/connect/blogs/drop-cn-spam
38 http://www.point-topic.com