Symantec Global Internet Security Threat Report
Other notable botnets that decreased considerably in 2009 were Gheg,213 Cimbot, and Warezov_stration.214 Gheg, which had been responsible for 15 percent of all spam in 2008, was responsible for less than 2 percent of spam in 2009. Cimbot and Warezov_stration were each responsible for 10 percent of observed spam in 2008, but for less than 1 percent each of observed spam in 2009. As discussed above, it is likely that attackers moved away from these botnets in favor of newer botnets that are more difficult to detect and less susceptible to being taken offline. Symantec believes that the newer P2P botnets will continue to be dominant in 2010 and that older, less sophisticated botnets will be rebuilt or discontinued.
In 2009, two new botnets were observed: Maazben and Festi. Maazben began low-volume spamming in March and continued spamming erratically until it reached a peak during August and September. In total, Maazben was responsible for just under 1 percent of all spam in 2009. Festi was first detected by Symantec in August 2009 and has steadily continued broadcasting, albeit at low volumes, up to the end of 2009. Festi accounted for less than 1 percent of all spam in 2009.
Phishing, underground economy servers, and spam—protection and mitigation
Symantec recommends that enterprise users protect themselves against phishing threats by filtering email at the server level through the mail transfer agent (MTA). Although this will likely remain the primary point of filtering for phishing, organizations can also use IP-based filtering upstream, as well as HTTP filtering.
DNS block lists also offer protection against potential phishing emails.215 Organizations could also consider using domain-level or email authentication in order to verify the actual origin of an email message. This can protect against phishers who are spoofing email domains.216
To protect against potential phishing activity, administrators should always follow Symantec best practices as outlined in “Appendix A” of this report. Symantec also recommends that organizations educate their end users about phishing.217 They should also keep their employees notified of the latest phishing attacks and how to avoid falling victim to them, as well as provide a means to report suspected phishing sites.218
Organizations can also employ Web-server log monitoring to track if and when complete downloads of their websites, logos, and images are occurring. Such activity may indicate that someone is attempting to use the legitimate website to create an illegitimate website for phishing.
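The log-monitoring idea above, worked through as an added example (not Symantec's code): a detector that reads web-server access logs in the common "combined" format and flags any client that successfully fetched most of the site's brand assets (pages, stylesheet, logo, images) within a short window, which is the pattern a wholesale site copy leaves behind. The asset inventory and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed inventory of the assets someone would need to clone the site.
BRAND_ASSETS = {"/index.html", "/login.html", "/css/site.css",
                "/js/app.js", "/img/logo.png", "/img/header.jpg"}

# Constructed log lines: a normal visitor (192.0.2.10) browses two pages over a
# minute; 203.0.113.77 pulls every asset in a few seconds with a download tool.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2010:14:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2010:14:02:02 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "http://bigbank.example/index.html" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2010:14:02:02 +0000] "GET /img/logo.png HTTP/1.1" 200 9000 "http://bigbank.example/index.html" "Mozilla/5.0"
203.0.113.77 - - [10/Mar/2010:14:05:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Wget/1.20"
203.0.113.77 - - [10/Mar/2010:14:05:10 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "-" "Wget/1.20"
203.0.113.77 - - [10/Mar/2010:14:05:11 +0000] "GET /js/app.js HTTP/1.1" 200 3100 "-" "Wget/1.20"
203.0.113.77 - - [10/Mar/2010:14:05:11 +0000] "GET /img/logo.png HTTP/1.1" 200 9000 "-" "Wget/1.20"
203.0.113.77 - - [10/Mar/2010:14:05:12 +0000] "GET /img/header.jpg HTTP/1.1" 200 40000 "-" "Wget/1.20"
203.0.113.77 - - [10/Mar/2010:14:05:12 +0000] "GET /login.html HTTP/1.1" 200 4700 "-" "Wget/1.20"
203.0.113.77 - - [10/Mar/2010:14:05:13 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "Wget/1.20"
192.0.2.10 - - [10/Mar/2010:14:03:05 +0000] "GET /login.html HTTP/1.1" 200 4700 "http://bigbank.example/index.html" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_site_clones(log_text: str, assets=BRAND_ASSETS,
                     min_fraction: float = 0.8, window_seconds: int = 60):
    """Clients that successfully fetched at least min_fraction of the brand
    assets inside any window_seconds span. Returns {ip: (fraction, user_agent)}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # only completed (200) downloads of inventory assets count
        if rec and rec["status"] == 200 and rec["path"] in assets:
            hits[rec["ip"]].append((rec["ts"], rec["path"], rec["ua"]))
    flagged = {}
    for ip, rows in hits.items():
        rows.sort(key=lambda r: r[0])  # log order need not be time order
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it spans <= window_seconds
            while (rows[end][0] - rows[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {path for _, path, _ in rows[start:end + 1]}
            fraction = len(distinct) / len(assets)
            if fraction >= min_fraction and fraction > flagged.get(ip, (0, ""))[0]:
                flagged[ip] = (fraction, rows[end][2])
    return flagged


if __name__ == "__main__":
    for ip, (fraction, ua) in find_site_clones(SAMPLE_LOG).items():
        print(f"{ip} fetched {fraction:.0%} of brand assets ({ua})")
```

The sliding window is what separates a bulk copy from ordinary browsing: the normal visitor in the sample also reaches four of the six assets, but spread over more than a minute, so no window ever crosses the threshold. In production the inventory would be generated from the site's build, and the user agent is reported only as context, since a scraper can set any value it likes.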
Organizations can detect phishing attacks that use spoofing by monitoring non-deliverable email addresses or bounced email that is returned to non-existent users. They should also monitor the purchasing of cousin domain names by other entities to identify purchases that could be used to spoof their corporate domains.219 So-called typo domains and homographic domains should also be monitored.220 This can be done with the help of companies that specialize in domain monitoring; some registrars also provide this service.
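The three look-alike domain classes named above (cousin, typo and homographic, as defined in footnotes 219 and 220), implemented as an added classifier that a domain-monitoring feed could be run through. This is example code written for this page, not a Symantec tool; the list of "newly registered" domains is constructed, the classifier assumes two-label domains (a real monitor would apply the Public Suffix List), and the set of digit-for-letter confusables extends the report's single "1" for "l" example with a few other common pairs.

```python
import re

# Characters that read alike in many fonts, folded to one canonical form.
# The report's example is the digit "1" standing in for the letter "l"; the
# other pairs are an assumption added for this example.
CONFUSABLE_FOLD = str.maketrans({"1": "l", "i": "l", "0": "o", "3": "e", "5": "s"})

# Constructed stand-in for a daily feed of newly registered domains.
CONSTRUCTED_NEW_DOMAINS = [
    "bigbank.com",            # the organization's own domain
    "bigbank-alerts.com",     # cousin domain (footnote 219's example)
    "big-bank-security.com",  # cousin domain (footnote 219's example)
    "bigbnak.com",            # typo domain: adjacent letters swapped
    "bigbankk.com",           # typo domain: doubled letter
    "b1gbank.com",            # homographic domain: digit 1 for a letter
    "weather-report.com",     # unrelated registration
]


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute,
    or swap two adjacent characters each cost 1, so a transposition counts once."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    # Assumption for this example: two-label domains only (label.tld).
    return domain.lower().rstrip(".").split(".")[0]


def classify(domain: str, corporate: str = "bigbank.com") -> str:
    """Classify one domain relative to the corporate domain."""
    label, brand = registrable_label(domain), registrable_label(corporate)
    if label == brand:
        return "legitimate"
    # homographic: contains a digit, and identical to the brand once confusables are folded
    if re.search(r"\d", label) and \
            label.translate(CONFUSABLE_FOLD) == brand.translate(CONFUSABLE_FOLD):
        return "homographic"
    # typo: one keystroke away from the brand
    if osa_distance(label, brand) == 1:
        return "typo"
    # cousin: the brand keyword embedded among extra words or hyphens
    if brand in label.replace("-", ""):
        return "cousin"
    return "unrelated"


def scan_registrations(domains, corporate: str = "bigbank.com"):
    """Return the look-alike domains worth investigating, with their category."""
    flagged = {}
    for domain in domains:
        category = classify(domain, corporate)
        if category not in ("legitimate", "unrelated"):
            flagged[domain] = category
    return flagged


if __name__ == "__main__":
    for domain, category in scan_registrations(CONSTRUCTED_NEW_DOMAINS).items():
        print(f"{domain:24s} {category}")
```

The checks run from most specific to least: an exact match is the organization's own domain, a digit substitution that folds back to the brand is homographic, a single edit is a typo, and anything else that still embeds the brand keyword is a cousin. The edit-distance threshold of one keeps the typo class tight; raising it catches more candidates at the cost of more unrelated hits for short brand names.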
213 http://www.messagelabs.com/mlireport/MLireport_2009.06_June_FinAL.pdf
214 http://www.symantec.com/security_response/writeup.jsp?docid=2006-091012-5303-99
215 A DNS block list (sometimes referred to as a black list) is simply a list of IP addresses that are known to send unwanted email traffic. It is used by email software to either allow or reject email coming from IP addresses on the list.
216 Spoofing refers to instances where phishers forge the “From:” line of an email message using the domain of the entity they are targeting with the phishing attempt.
217 See basic guidelines on how to avoid phishing at the United States Federal Trade Commission: http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.htm
218 See http://www.antiphishing.org for information on the latest phishing threats.
219 “Cousin domains” refers to domain names that include some of the key words of an organization’s domain or brand name; for example, for the corporate domain “bigbank.com”, cousin domains could include “bigbank-alerts.com”, “big-bank-security.com”, and so on.
220 Typo domains are domain names that use common misspellings of a legitimate domain name; for example, the domain “symatnec.com” would be a typo domain for “symantec.com”. A homographic domain name uses numbers that look similar to letters in the domain name; for example, the character for the number “1” can look like the letter “l”.