Symantec Global Internet Security Threat Report
The previous volume of the Symantec Global Internet Security Threat Report surmised that the growing gap in email propagation arose because malicious code authors may no longer have been experiencing as much success with email-attachment attacks as in past years.[170] Increased user awareness and greater vigilance and accuracy in email protection mechanisms may also be factors in this decrease. A further factor is that, although the number of malicious code variants propagating through email rose 23 percent in 2009, each variant was sent in roughly half as many emails, resulting in an overall decrease in malicious email.[171]
One specific example of malicious code propagating through email in 2009 was the Pandex botnet.[172] In October 2009 alone, this botnet sent approximately 3.6 billion spam messages per day containing the Bredolab Trojan. Bredolab was the third-ranked new malicious code threat of 2009.
With over 87 percent of all email reported as spam, email remains a viable propagation method for distributing malicious threats. To limit the propagation of email-borne threats, administrators should ensure that all email attachments are scanned at the gateway. Additionally, all executable files originating from external sources, whether received as email attachments or downloaded from websites, should be treated as suspicious and checked by antivirus scanners using the most current definitions.
The propagation of malicious code by remotely exploiting vulnerabilities doubled between 2008 and 2009. This can potentially be explained by the success of the Downadup worm: in 2009, Downadup and Downadup.B were both highly ranked malicious code threats and accounted for a significant share of the increase in propagation through remote vulnerabilities.
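The gateway check recommended above only works if it judges attachments by content rather than by file name: a PE file renamed to invoice.pdf, or an .exe with a double extension inside a ZIP, is still an executable. The following is an added example, not code from the Symantec report or any Symantec product; it builds a constructed test message, inspects every attachment by magic bytes and extension, descends one level into ZIP archives, and reports encrypted or malformed members rather than treating them as clean. The extension list, magic table and size cap are the author's assumptions.

```python
"""Gateway-style attachment triage for an email message.

Added example (not from the report). Flags attachments whose content or
name indicates executable code, including one level of ZIP nesting.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Assumption: a typical gateway block list of directly executable file types.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".jar", ".msi", ".dll", ".hta"}

# Content signatures: a file starting with these bytes is executable
# regardless of what it is called.
MAGIC = {
    b"MZ": "PE executable (Windows)",
    b"\x7fELF": "ELF executable",
}

ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumption: cap on inflated member size


def classify_bytes(name, data):
    """Return a reason string if the blob looks executable, else None.

    The content check runs first, so a PE file renamed to invoice.pdf is
    still caught; the extension check then catches scripts and other types
    that have no fixed magic number.
    """
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return f"{name}: content is {label}"
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"{name}: executable extension {ext}"
    return None


def scan_attachment(name, data, depth=0):
    """Classify one attachment and, for ZIP archives, its members (one level)."""
    findings = []
    reason = classify_bytes(name, data)
    if reason:
        findings.append(reason)
    # Recurse into ZIP archives one level deep. Encrypted or oversized members
    # cannot be inspected, so they are reported rather than passed as clean.
    if depth == 0 and data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_name = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:
                        findings.append(f"{member_name}: encrypted member, cannot inspect")
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{member_name}: member too large to inspect")
                        continue
                    findings.extend(scan_attachment(member_name, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: malformed ZIP archive")
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return findings for every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed attachment)"
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_attachment(name, data))
    return findings


def build_sample_message():
    """Constructed test message: a benign text file, a PE header renamed to
    .pdf, and a ZIP containing a double-extension .exe (all bytes fabricated)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"MZ\x90\x00\x03")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photos.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Run on the constructed message, the benign notes.txt produces no finding, while both the renamed PE and the executable inside the archive are reported. A production gateway would hand flagged content to an antivirus engine with current definitions, as the report recommends, rather than stopping at this triage.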
Malicious code that exploits vulnerabilities
Assessing the proportion of malicious code that exploits vulnerabilities shows how popular this technique is for distributing new variants of malicious code. The popularity of exploiting vulnerabilities, and especially vulnerabilities for which fixes are already available, as a means of propagation illustrates the need for administrators to apply patches promptly. Applying all available patches in a timely manner greatly reduces the window in which propagation through vulnerabilities is possible.
In 2009, 6 percent of the 1,560 documented malicious code instances exploited vulnerabilities,[173] up from 3 percent of the instances documented for 2008. In 2009, four of the top 50 global malicious threats exploited vulnerabilities, up from three in 2008. The effectiveness of this propagation method is borne out by the fact that it ranked fourth among propagation mechanisms in both 2008 and 2009.
Malicious threats that do not themselves exploit vulnerabilities to propagate may still be installed on computers by threats that do. The primary example is modular threats: worms that exploit a vulnerability to gain initial access to a computer and then download and install further threats, or drive-by downloads, in which exploitation of a Web browser vulnerability installs a modular threat that in turn downloads and installs further threats.
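"Timely" patching is only enforceable if the exposure window is measured: the days between a vendor fix becoming available and each host actually installing it, with hosts that never installed it still accruing exposure. The following is an added example, not from the report or any Symantec tool; the advisory identifiers, host names, dates and the 30-day SLA are constructed for illustration.

```python
"""Patch-exposure window calculation.

Added example (not from the report). For each host and advisory, compute
how long the host was exposed after a fix was published and classify the
result against an assumed SLA.
"""
from datetime import date

PATCH_SLA_DAYS = 30  # assumption: internal policy for critical fixes
AS_OF = date(2009, 12, 31)  # assumption: date of the assessment

# Constructed sample data: advisory id -> date the vendor fix was published.
FIX_RELEASED = {
    "ADV-A": date(2009, 10, 13),
    "ADV-B": date(2009, 11, 10),
}

# Constructed sample data: host -> {advisory: date the patch was applied,
# or None if it has not been applied}.
HOST_PATCH_DATES = {
    "web01": {"ADV-A": date(2009, 10, 20), "ADV-B": date(2009, 11, 12)},
    "db01": {"ADV-A": date(2009, 12, 15), "ADV-B": None},
    "ws17": {"ADV-A": None, "ADV-B": None},
}


def exposure_days(released, applied, as_of):
    """Days exposed: from fix release until the patch was applied, or until
    as_of if it was not applied (or was applied after as_of)."""
    end = as_of if applied is None or applied > as_of else applied
    return max((end - released).days, 0)


def assess(fix_released, host_patch_dates, as_of, sla_days=PATCH_SLA_DAYS):
    """Return a list of (host, advisory, days_exposed, status) tuples.

    status is UNPATCHED if no fix is installed as of as_of, LATE if the fix
    was installed after the SLA, and OK otherwise.
    """
    results = []
    for host, patches in host_patch_dates.items():
        for adv, released in fix_released.items():
            applied = patches.get(adv)
            days = exposure_days(released, applied, as_of)
            if applied is None or applied > as_of:
                status = "UNPATCHED"
            elif days > sla_days:
                status = "LATE"
            else:
                status = "OK"
            results.append((host, adv, days, status))
    return results


def summarize(results):
    """Count results by status."""
    counts = {"OK": 0, "LATE": 0, "UNPATCHED": 0}
    for _, _, _, status in results:
        counts[status] += 1
    return counts


def run_sample():
    """Assess the constructed inventory as of AS_OF."""
    return assess(FIX_RELEASED, HOST_PATCH_DATES, AS_OF)


if __name__ == "__main__":
    rows = run_sample()
    for host, adv, days, status in rows:
        print(f"{host:6} {adv:6} {days:4d} days  {status}")
    print(summarize(rows))
```

Hosts in the UNPATCHED column are the population a worm like the one described in this section propagates through; the LATE column shows how long that population persisted after a fix existed, which is the figure to drive down.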
[170] http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf : p.
[171] http://www.messagelabs.com/mlireport/2009MLiAnnualreport_Final_printresolution.pdf : p. 30
[172] http://www.symantec.com/connect/blogs/2009-year-worth-learning
[173] The number of documented malicious code instances differs from the number of malicious code submissions; documented malicious code instances are those that have been analyzed and documented within the Symantec malicious code database.