Global Threat Report
July 2008 Key Highlights
Total Web-based malware blocks increased 87% in July 2008 compared to the previous month.
83% of July 2008 Web-based malware blocks resulted from compromised websites.
75% of July Web malware blocks were the result of SQL injection compromise.
Clickthrough of malicious links in email represented 1.3% of malware blocks and impacted 95% of customers.
July 2008 also bore witness to an increase in social engineering email scams designed to install malware on victims' computers. 95% of ScanSafe customers fell for the scams and attempted to click through to the malicious site, which represented 1.3% of all malware blocks for the month. Had the clickthroughs not been blocked, the resulting malware would have included backdoor trojans and rogue scanners—software that erroneously claims the system is infected in an attempt to elicit payment for removal. While the email involved characteristics typically associated with the Storm botnet, the timing of the attacks and other characteristics indicate a possible link to Asprox.
ScanSafe customers were and continue to be protected from the attacks discussed herein.
Web-based malware has increased significantly in 2008. In June 2008, ScanSafe reported a 278% increase for the first six months of the year. That alarming trend continued in July with the number of Web-based malware blocks increasing another 87% over the previous month. The majority of the increase in Web-based malware resulted from ongoing website compromises, which represented 83% of all malware blocks for the month. 75% of all malware blocks were the result of SQL injection attacks, the majority of which were related to the Asprox fast flux botnet. The Asprox botnet is believed to have origins in Russia and has commercial interests ranging from spam and clickfraud to rogue anti-spyware software and backdoor Trojans.
Web-based Malware

Malware Block Stage
Exploit 54%
Iframe 22%
Other 24%

Type of Malware
[chart: Type of Malware]

Observations
The majority of malware blocks resulted from compromised websites; 82% of blocks were for malicious iframes and javascript source references and the exploit code called by those references.

Types of Compromise/Exposure
SQL Attacks 75%
Longtail / Other Compromise 7%
Storm Scams 1%
Other Malware Blocks 17%

Top Ten File Types Blocked
[chart: Top Ten File Types Blocked]

Observations
Overall, 83% of all malware blocks were the result of compromised websites. Viewed from a total blocks perspective, compromise via SQL injection attacks comprised 75% of all malware blocks. The bulk of these SQL injection attacks are carried out through the use of automated tools via fast flux botnets. A corresponding increase in malicious spam, typical of botnets, was also observed in July. Clickthrough of malicious links in email believed to be related to the Storm botnet comprised just over 1% of ScanSafe malware blocks for the month.
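As an added illustration (not part of the ScanSafe report), a defender-side check for the kind of injected iframe and javascript source references the report attributes to mass SQL injection compromises: it flags references to hosts outside a site's allowlist and iframes sized or styled to be invisible. The sample HTML and the trusted host name are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style values that make an iframe effectively invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectedRefScanner(HTMLParser):
    """Collects iframe and script-src references that look injected."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []  # (tag, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script or iframe without a remote reference
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # A remote script/iframe pulled from a host the site does not use.
        if host and host not in self.trusted:
            reasons.append("untrusted host")
        if tag == "iframe":
            dim = lambda k: (a.get(k) or "").strip().rstrip("px")
            tiny = dim("width") in ("0", "1") or dim("height") in ("0", "1")
            hidden = HIDDEN_STYLE.search(a.get("style") or "") is not None
            if tiny or hidden:
                reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, ", ".join(reasons)))


def find_injected_references(html, trusted_hosts):
    scanner = InjectedRefScanner(trusted_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a product page whose database-backed description
# field has had an iframe and a script reference appended to it.
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<h1>Widget</h1><p>Great widget.</p>
<iframe src="http://example.invalid/in.cgi" width="0" height="0"></iframe>
<script src="http://example.invalid/js.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src, why in find_injected_references(SAMPLE_HTML, {"shop.example.org"}):
        print(f"{why}: <{tag} src={src}>")
```

Running the same scan over page content as it leaves the web server (or over database text fields) is one way to notice an injection before visitors' browsers fetch the referenced exploit code.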
Global Distribution
[heatmaps: global distribution of malware hosts; legend: Severe, High, Moderate, Low]

Top Ten Malware Hosts (All Blocks)
United States 27%
China 15%
Germany 7%
France 5%
Netherlands 4%
United Kingdom 3%
Italy 3%
Spain 3%
Brazil 2%
Canada 2%

Top Ten Zero-Day Malware Hosts
United States 27%
China 17%
France 8%
Germany 8%
United Kingdom 7%
Netherlands 6%
Italy 5%
Russia 4%
Brazil 3%
Spain 2%

Observations
The heatmaps above depict the location of all malware hosts (including botnet infected computers) which may be used to host malware or (more likely) to act as part of a fast flux network in order to mask the true origin of the hosted malware binaries. The first chart below reflects the geo-locale of malicious binary hosting domains excluding these botnet infected computers. The second chart below also excludes bot-infected computers and shows the geo-locale of password stealers and backdoor trojan hosts.

Top Ten Malware Hosts Minus Botnet Sources
China 22%
United States 18%
Germany 10%
France 5%
Netherlands 5%
Spain 4%
Italy 4%
United Kingdom 3%
Brazil 3%
Russia 1%

Top Ten PWS & Backdoor Malware Hosts
China 39%
United States 12%
Germany 11%
Italy 7%
Spain 6%
Brazil 5%
France 4%
Canada 1%
United Kingdom 1%
Turkey 1%

About ScanSafe Web SaaS
ScanSafe’s Web security-as-a-service (SaaS) protects organizations of all sizes against Web-based malware attacks and enables the safe, productive use of the Web without incurring hardware, upfront capital, or IT management costs. Real-time proxy-based Web scanning stops web-based malware at the Internet level, before it reaches corporate networks. Inbound scanning protects against new malware threats and outbound detection alerts to malware communications resulting from pre-existing infections. The Web Filtering service enables the creation, enforcement, and monitoring of Web usage policies. It includes streamlined configuration through a graphical dashboard, real-time rules-based filters, and a best-in-class URL database. ScanSafe IM Control enables customers to control the rapidly growing use of public IM, such as AOL, Yahoo!, and Windows Live, in corporate networks. With IM Control, you can control and standardize your IM network; monitor, log, and audit IM use and generate customizable scheduled reports; and access compliance logging that integrates with your organization’s email archiving solutions.

About Outbreak Intelligence™
ScanSafe’s Web security applications are built on Outbreak Intelligence (OI™), a proprietary security platform that detects both new and known malware threats. By leveraging its unique position at the Internet level and processing several terabytes of Web data each day, OI has unmatched visibility of global Web data to proactively identify zero-day malware threats. OI uses multiple signature-based anti-malware scan engines, multiple reputation and behavior detection engines, and automated machine-learning parameter development to detect new malware and avoid false positives. This combination of multiple, correlated detection technologies, automated machine-learning heuristics, and the industry’s largest Web data set makes OI the most effective solution against new Web-based malware attacks.

Contact ScanSafe

ScanSafe US
999 Baker Way, Suite 410, San Mateo, CA 94404
T: +294 650 3450
F: +294 650 3451
E: info@scansafe.com

ScanSafe EMEA
The Connection, 198 High Holborn, London, WC1V 7BD
T: +44 (0) 20 7959 0630
F: +44 (0) 20 7959 0631
E: info@scansafe.com

Subscribe to the GTR
To receive ScanSafe’s Global Threat Report each month, visit: http://www.scansafe.com/threat_center/global_threat_reports_sign_up

STAT Blog
Timely, expert analysis and insight on the latest Web-borne threats and scams, tips on how to protect corporate assets from infection, and observations on the threat landscape. Visit http://blog.scansafe.com.