internet security tHreAt rePOrt GOVernMent 2013

internet security tHreAt rePOrt 

GOVernMent 2013 

2012 Trends, Volume 18, Published April 2013

p. 2 

Symantec Corporation 

Internet Security Threat Report 2013 :: Volume 18 

CONTENTS 

03 Introduction 

04 Executive Summary 

06 2012 Security Timeline 

09 2012 in Numbers 

13 Targeted Attacks, Hacktivism, and Data Breaches 


14 Data 

17 DDoS Used as a Diversion 

17 Data Breaches 

19 Analysis 

19 Cyberwarfare, Cybersabotage, and Industrial Espionage 

20 Advanced Persistent Threats and Targeted Attacks 

20 Social Engineering and Indirect Attacks 

21 Watering Hole Attacks 

23 Vulnerabilities, Exploits, and Toolkits 


24 Data 

26 Analysis 

26 Web-based Attacks on the Rise 

27 The Arms Race to Exploit New Vulnerabilities 

27 Malvertising and Website Hacking 

28 Web Attack Toolkits 

29 Website Malware Scanning and Website 

Vulnerability Assessment 

29 The Growth of Secured Connections 

29 Norton Secured Seal and Trust Marks 

29 Stolen Key-signing Certificates 

31 Social Networking, Mobile, and the Cloud 


32 Data 

35 Analysis 

35 Spam and Phishing Move to Social Media 

37 Mobile Threats 

38 Cloud Computing Risks 

40 Malware, Spam, and Phishing 


42 Data 

42 Spam 

45 Phishing 

46 Malware 

48 Website Exploits by Type of Website 

49 Analysis 

49 Macs Under Attack 

50 Rise of Ransomware 

51 Long-term Stealthy Malware 

51 Email Spam Volume Down 

51 Advanced Phishing 

53 Looking ahead 

56 Endnotes 

57 Appendix

p. 3 



Introduction 

Symantec has established some of the most 

comprehensive sources of Internet threat 

data in the world through the Symantec 

Global Intelligence Network, which is made 

up of approximately 69 million attack 

sensors and records thousands of events 

per second. This network monitors threat 

activity in over 157 countries and territories 

through a combination of Symantec 

products and services such as Symantec 

DeepSight Threat Management System, 

Symantec Managed Security Services and 

Norton consumer products, and other 

third-party data sources. 

In addition, Symantec maintains one of the world’s most 

comprehensive vulnerability databases, currently consisting of 

more than 51,644 recorded vulnerabilities (spanning more than 

two decades) from over 16,687 vendors representing over 43,391 

products. 

Spam, phishing, and malware data is captured through a variety 

of sources, including the Symantec Probe Network, a system 

of more than 5 million decoy accounts; Symantec.cloud and 

a number of other Symantec security technologies. Skeptic, 

the Symantec.cloud proprietary heuristic technology, is able to 

detect new and sophisticated targeted threats before reaching 

customers’ networks. Over 3 billion email messages and more 

than 1.4 billion Web requests are processed each day across 

14 data centers. Symantec also gathers phishing information 

through an extensive antifraud community of enterprises, 

security vendors, and more than 50 million consumers. 

Symantec Trust Services provides 100 percent availability and 

processes over 4.5 billion Online Certificate Status Protocol 

(OCSP) look-ups per day, which are used for obtaining the 

revocation status of X.509 digital certificates around the world. 

These resources give Symantec’s analysts unparalleled sources 

of data with which to identify, analyze, and provide informed 

commentary on emerging trends in attacks, malicious code 

activity, phishing, and spam. The result is the annual Symantec 

Internet Security Threat Report, which gives enterprises, small 

businesses, and consumers the essential information to secure 

their systems effectively now and into the future.

p. 4 



Executive Summary 

Internet security threats are a growing and unique challenge to governments and public 

sector organizations. First, they must protect themselves against the same threats as the 

business sector: malware, data theft, vandalism, and hacktivism. Then they are targets in 

their own right for persistent attacks, espionage, and potentially even cyber attacks. Finally, 

government bodies, in collaboration with the private sector, have a responsibility to protect 

citizens, the economy, and national infrastructure against attack by hostile governments and 

non-state actors such as terrorist groups, often in collaboration with the private sector. 

In a recent speech to business executives, 1 the U.S. Secretary of Defense summarized the 

threat in powerful terms: 

“I know that when people think of cybersecurity today, they worry about hackers and criminals 

who prowl the Internet, steal people’s identities, steal sensitive business information, steal 

even national security secrets. Those threats are real and they exist today. But the even 

greater danger – the greater danger facing us in cyberspace goes beyond crime and it goes 

beyond harassment. A cyber attack perpetrated by nation states [and] violent extremists 

groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyberterrorist 

attack could virtually paralyze the nation.” 

The most important trends in 2012 were: 

Cyberespionage and Targeted Attacks on the Rise 

We saw a 42 percent increase in targeted attacks with more 

attacks aimed at smaller businesses, perhaps using them 

as a Trojan horse into their customers. This suggests that 

organizations need to pay attention to the security of their 

entire supplier ecosystem as well as their own systems. 

Attackers focus their attacks on junior employees just as 

much (if not more) as they do on executives and VIPs, 

often because their accounts are less well protected. 

Attackers continued to develop increasingly sophisticated ways 

to infiltrate protected systems. For example, they started using 

watering hole attacks, a technique where malware on infected 

third-party websites is used to target employees who might visit 

those websites. In this type of attack, attackers might infect 

lobby groups or policy think tanks to infect government workers 

who might browse their sites. 

Specialist Information Brokers 

It looks increasingly likely that specialist information brokerage 

businesses are the hired guns of cyberespionage. The scope and 

scale of attacks suggest that well-resourced organizations are 

able to attack dozens of targets simultaneously and continuously 

research new zero-day attacks and attack software. 

Attackers Moving Away from Email 

Spam rates are down 29 percent, phishing attempts are down to 

one in 608 emails, and one in 291 emails contains a virus. While 

these attacks are in relative decline, social media is a new and 

growing battlefield. On the face of it, social networking doesn’t 

appear to be a threat for the public sector but in reality it gives 

attackers a treasure trove of personal information for identity 

theft and targeted attacks. It’s also a new way to install 

malware on people’s computers.

p. 5 



Ill-protected Websites Put Us at Risk 

We saw a threefold increase in the number of Web-based 

attacks. Online criminals are using different techniques 

to infect legitimate websites, including attack toolkits and 

malvertising. A line or two of code on a Web page can be very 

difficult to detect and it can infect thousands of visitors a day. 

Websites that are not well protected put other Web users at 

risk. As with watering hole attacks, the vulnerability of websites 

provides attackers with new and rapidly evolving ways to target 

individuals and organizations. 

Zero-day Vulnerabilities 

There were more zero-day vulnerabilities found actively being 

exploited in the wild than in years past. These are cases where an 

attack exploits a previously unknown vulnerability, as opposed 

to after a patch is made available by the vendor. While there were 

8 zero-day vulnerabilities discovered in 2011, 14 were found in 

2012. The rise of zero-day attacks and polymorphic malware 

renders moot any defense based purely on virus signature 

recognition; organizations need multi-layered defenses. 

Mac Attacks 

2012 was the end of the era in which Mac® computer users 

could plausibly claim immunity from malware. At least 600,000 

Mac users were infected with the Flashback threat via a Java 

vulnerability. Having said that, beyond this one prevalent threat, 

Mac threats do not appear to have increased to any great extent. 

While the number of unique threats targeted at the Mac are up, 

only about 2.5 percent of the threats targeted Mac OS; the rest 

targeted Windows. 

Data Breaches Gain Focus 

At first glance, the numbers for data breaches paint a picture 

of an attack method in decline: there were fewer high-profile 

attacks, and the average number of identities exposed is down 

significantly. Where there were 1.1 million identities exposed 

per breach in 2011, this number decreased by nearly half, 

to 604,826 in 2012. These numbers are likely down due to a 

concerted effort by hacker groups Anonymous and LULZSec to 

publicize hacks during 2011—something that was not seen to 

the same extent in 2012. However, the global median is up, from 

2,400 to 8,350 identities stolen per breach. Government agencies 

are particularly attractive targets for data thieves because they 

often hold valuable intellectual property (for example, patent 

offices) or personal information (for example, tax offices). 

The U.S. government has been warning public sector 

organizations for several years about the whole spectrum of 

Internet security threats. More recently, other governments 

have started addressing the issue. Governments around the 

world are waking up to the need to educate their constituents 

about security and devote resources to improving defenses. 

Failure threatens more than a “cyber Pearl Harbor”; it could 

mean a loss of economic competitiveness and long-term 

economic decline.

p. 6 



2012 SECURITY TIMELINE

p. 7 



2012 Security Timeline 

01 

January 

02 

February 

03 

March 

Data breach: 

24 million identities stolen in data breach at 

Zappos apparel company. 

Malcode: 

A scam involving malicious browser plug-ins for 

Firefox and Chrome is discovered. 

Botnet: 

Kelihos botnet returns, four months after being 

taken down. 

Mobile: 

Google announces Google Bouncer, an app 

scanner for the Google Play market. 

Botnet: 

Researchers take down new variant of the Kelihos 

botnet, which reappears in a new form later in 

the month. 

Hacks: 

Six individuals are arrested as alleged members 

of the hacking collective LulzSec. 

Botnet: 

Security researchers take down key servers for 

the Zeus botnet. 

Data breach: 

A payment processor for a number of wellknown 

credit card companies, including Visa and 

MasterCard was compromised, exposing details 

of 1.5 million accounts. 2 

Mobile: 

A non-malware-based scam involving the 

Opfake gang is found that targets iPhone users. 

04 April 

05 May 

06 June 

Mac: 

Over 600,000 Mac computers are infected 

by the OSX.Flashback Trojan through an 

unpatched Java exploit. 

Mac: 

A second Mac Trojan is discovered, 

OSX.Sabpab, which also uses Java exploits 

to compromise a computer. 

Social networking: 

Scammers are discovered leveraging social 

networks Tumblr and Pinterest. 

Malware: 

The cyberespionage threat W32.Flamer is 

discovered. 

Certificate Authorities: 

Comodo, a large Certificate Authority, 

authenticated and issued a legitimate codesigning 

certificate to a fictitious organization 

run by cybercriminals. This was not 

discovered until August. 

Data breach: 

LinkedIn suffers data breach, exposing millions 

of accounts. 

Malware: 

A Trojan by the name of Trojan.Milicenso is 

discovered, which causes networked printers 

to print large print jobs containing illegible 

characters.

p. 8 



07 July 

08 

August 

Botnet: 

Security researchers disable the Grum botnet. 

Malware: 

Windows malware is discovered in Apple’s App 

Store, embedded in an application. 

Mac: 

A new Mac threat called OSX.Crisis opens a back 

door on compromised computers. 

Botnet: 

DNS servers, maintained by the FBI in order to 

keep computers previously infected with the 

DNSChanger Trojan safe, are shut off. 

Malware: 

A Trojan used to steal information from the 

Japanese government is discovered after 

being in operation for two years. 

Malware: 

A second printer-related threat called 

W32.Printlove, which causes large print jobs to 

print garbage, is discovered. 

Hacks: 

Reuters news service suffers a series of hacks 

resulting in fake news stories posted on its 

website and Twitter account. 

Malware: 

Crisis malware is discovered targeting VMware® 

virtual machine images. 

Malware: 

W32.Gauss is discovered. The scope of the threat 

is concentrated in the Middle East, in a similar 

way to W32.Flamer. 

Certificate Authorities: 

Comodo incident from May discovered and 

details published. 

09 

September 

10 

October 

11 

November 

12 

December 

Malware: 

A new version of the Blackhole attack toolkit, 

dubbed Blackhole 2.0, is discovered. 

Botnet: 

Security researchers disable an up-and-coming 

botnet known as “Nitol.” 

Mobile: 

A vulnerability is discovered in Samsung’s 

version of Android that allows a phone to be 

remotely wiped. 

DDoS: 

FBI issues warning about possible DDoS attacks 

against financial institutions as part of a 

“distraction” technique. 3 

Malware: 

A ransomware threat distributed through Skype 

IM is discovered. 

Data breach: 

Customer data is stolen from Barnes & Noble 

payment keypads. 

Attackers are discovered using a DDoS attack 

as a distraction in order to gather information 

that allowed them to later steal money from a 

targeted bank. 

Hacks: 

Burglars found using a known exploit in a brand 

of hotel locks to break into hotel rooms. 

Malware: 

Infostealer.Dexter Trojan horse discovered 

targeting point-of-sale systems. 

Hacks: 

Attackers exploit a vulnerability in Tumblr, 

spreading spam throughout the social network.

p. 9 



2012 IN NUMbERS

p. 10 



2012 IN NUMbERS 

2012 in Numbers 

Targeted 

Attacks Attacks 

in 2012 2012 

New Vulnerabilities 

2010 

6,253 

2011 

4,989 

Mobile 

Vulnerabilities 

42 % INCREASE 

2012 

5,291 

2010 163 

Average Average Number of 

Identities Exposed 

Per Breach Breach in 2012 2012 

604,826 

2012 415 

2011 315

p. 11 




Estimated Global Global 

Email Spam Per Day 

(in (in billions) 

62 89% 

42 75% 

30 69% 

OVERALL SPAM RATE 

2010 

2011 

2012 

% of All Spam 

with Dating 

& Sexual 

Overall Email Virus Rate, 1 In: 

2010 

2011 

2012 

291 

Overall Email Phishing Rate, 1 In: 

2010 

2011 

2012 

3 % 

2010 

15 % 

2011 

55 % 

2012 

282 

442 

414 

% of All Email 

Malware as 

URL URL 

239 

299 

24 % 

2010 

39 % 

2011 

23 % 

2012

p. 12 




Bot Zombies 

(in millions) millions) 

Mobile Malware 

Families Increase Increase 

2011–2012 

2011 

2010 

3.1 

2012 3.4 

58 % 

4.5 

New Zero-Day 

Vulnerabilities 

14 8 14 

2010 2011 2012 

Web Web Attacks 

Blocked Per Day 

2011 

2012 

190,370 

247,350 

New Unique 

Malicious Web Domains 

2010 43,000 

2011 55,000 

2012 74,000

p. 13 



TaRgETEd aTTaCkS 

haCkTIVISM 

aNd daTa bREaChES

p. 14 



TaRgETEd aTTaCkS, haCkTIVISM, aNd daTa bREaChES 

Introduction 

“Just as nuclear was the strategic warfare of the industrial 

era, cyberwarfare has become the strategic war of the 

information era,” says U.S. Secretary of Defense Leon Panetta. 4 

Cyberespionage and cybersabotage are already a reality. 

Outside the realm of states and their proxies, corporate spies 

are using increasingly advanced techniques to steal company 

secrets or customer data for profit. Hactivists with political and 

antibusiness agendas are also busy. 

The string of media revelations about security breaches this 

year suggests that the business world is just as vulnerable to 

attack as ever. 

data 

Targeted attacks Per day in 2012 

Source: Symantec 

250 

225 

200 

175 

150 

125 

100 

75 

50 

25 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

We witnessed one large attack in April against a single client that 

more than doubled the number of attacks per day for that month; 

and while events like this are extremely rare, we have not included 

it in this calculation in order to portray a more realistic outlook. This 

incident would have skewed the global annual average number of 

attacks per day from 116 to 143. 

JUL 

AUG 

SEP 

at a glance 

• Targeted attack global average per day: 116. 

• Increasing levels of industrial espionage and data theft. 

• More insidious targeted attacks, with new “watering hole” 

attacks and sophisticated social engineering. 

• Fewer big data breaches, but the median number of identities 

stolen per breach has increased by 3.5 times. 

OCT 

NOV 

DEC 

This client was a large banking organization, who had not previously 

been a Symantec customer, and approached Symantec for help to 

remove an existing infection. The infection was removed; however, 

a large wave of targeted attacks followed as the attackers sought to 

regain access, ultimately failing.

p. 15 




Top 10 Industries attacked in 2012 


Manufacturing 24% 

Finance, Insurance & Real Estate 19 

Services – Non-Traditional 17 

Government 12 

Energy/Utilities 10 

Services – Professional 8 

Aerospace 2 

Retail 2 

Wholesale 2 

Transportation, 

Communications, Electric, Gas 1 

0 5 10 15 20 25% 

Manufacturing was the most-targeted sector in 2012, with 24 percent of targeted attacks destined for this 

sector, compared with 15 percent in 2011. Attacks against government and public sector organizations 

fell from 25 percent in 2011, when it was the most targeted sector, to 12 percent in 2012. It’s likely the 

frontline attacks are moving down the supply chain, particularly for small to medium-sized businesses. 

(Categories based on Standard Industrial Classification codes.)

p. 16 




attacks by Size of Targeted Organization 


50% 2,501+ 50% 1 to 2,500 

50% 

50% 

Employees 

2,501+ 

in 2011 31% 

Organizations with 2,501+ employees were the 

most targeted with 50 percent of targeted attacks 

destined for this size of organization, almost 

exactly the same percentage as in 2011. 

The volume of targeted attacks against 

organizations with 2,501+ employees doubled 

compared with 2011, although its overall 

percentage remains the same at 50 percent. 

50% 1 to 2,500 

9% 

2% 

3% 

5% 

31% 

18% 

in 2011 

1,501 to 2,500 

1,001 to 1,500 

501 to 1,000 

251 to 500 

1 to 250 

Targeted attacks destined for Small Business 

(1 to 250 employees) accounted for 31 percent 

of all attacks, compared with 18 percent in 2011, 

an increase of 13 percentage points. 

The volume of attacks against SMBs increased 

threefold, compared with 2011, resulting in its 

percentage almost doubling from 18 percent 

to 31 percent.

p. 17 




Targeted attack Recipients by Role in 2012 


2011 

2012 % CHANGE 

Chief Exec. or Board Level 

PR and Marketing 

Personal Assistant 

Research & Development 

Human Resources 

Sales 

Senior Management 

Shared Mailbox 

info@, sales@, etc. 

DDoS Used as a Diversion 

-15% -10% -5 0 5 10 15 20 25 30% 

In September, the FBI issued a warning to financial institutions 

that some DDoS attacks are actually being used as a “distraction.” 

These attacks are launched before or after cybercriminals engage 

in an unauthorized transaction and are an attempt to avoid 

discovery of the fraud and prevent attempts to stop it. 

In these scenarios, attackers target a company’s website with 

a DDoS attack. They may or may not bring the website down, 

but that’s not the main focus of such an attack; the real goal is 

to divert the attention of the company’s IT staff towards the 

DDoS attack. Meanwhile, the hackers attempt to break into the 

company’s network using any number of other methods that may 

go unnoticed as the DDoS attack continues in the background. 5 

Data Breaches 

The overall number of data breaches is down by 26 percent, 

according to the Norton Cybercrime Index, 6 though over 93 

million identities were exposed during the year, a decrease of 60 

percent over last year. The average number of identities stolen 

is also down this year: at 604,826 per breach, this is significantly 

smaller than the 1.1 million per breach in 2011. 

In 2012, the most frequently 

targeted job role was in R&D, 

which accounted for 27 

percent of attacks (9 percent 

in 2011). The second most 

notable increase was against 

sales representatives, probably 

because their contact details 

are more widely available in the 

public domain, with 24 percent 

of attacks in 2012 versus 12 

percent in 2011. In 2011, 

C-level executives were the most 

targeted, with 25 percent, but 

this number fell to 17 percent 

in 2012. 

So why are the number of breaches and identities stolen down in 

2012? For starters, there were five attacks in which more than 10 

million identities were stolen in 2011. In 2012 there was only one, 

which results in a much smaller spread from the smallest to the 

largest data breach. However, the median number—the midpoint 

of the data set—increased by 3.5 times in 2012, from 2,400 to 

8,350 per breach. Using the median is a useful measure because 

it ignores the extremes, the rare events that resulted in large 

numbers of identities being exposed, and is more representative 

of the underlying trend. 

Part of the wide difference between data breaches in 2011 and 

2012 is likely down due to a concerted effort by the notorious 

hacker groups Anonymous and LulzSec to publicize hacks 

during 2011—something that was not seen to the same extent in 

2012. It’s possible that companies are paying more attention to 

protecting customer databases or that hackers have found other, 

more valuable targets, or that they are still stealing the data but 

not being detected.

p. 18 




Healthcare, education, and government accounted for nearly 

two-thirds of all identities breached in 2012. This suggests 

that the public sector should further increase efforts to 

protect personal information, particularly considering 

how these organizations are often looked upon as the 

custodians of information for the most vulnerable in society. 

Alternatively, this could indicate that the private sector may 

not be reporting all data breaches, given how many public 

sector organizations are required by law to report breaches. 

The vast majority (88 percent) of reported data breaches 

were due to attacks by outsiders. But it is safe to assume that 

unreported data breaches outnumber reported ones. Whether 

it is lost laptops, misplaced memory sticks, deliberate data 

theft by employees or accidents, the insider threat also 

remains high. To illustrate this point, the UK Information 

Commissioner’s Office fined and prosecuted more businesses 

because of insider slipups than because of outsider attacks. 

Most SMBs should worry about someone in accounts just as 

data breaches by Sector in 2012 


Education 

16% 

Healthcare 

36% 

Government 

13% 

9% Accounting 

6% Computer Software 

6% Financial 

5% Information Technology 

4% Telecom 

3% Computer Hardware 

3% Community and Nonprofit 

much as they should worry about an anonymous hacker. At 36 percent, the healthcare industry continues to be the 

sector responsible for the largest percentage of disclosed 

data breaches by industry. 

Timeline of data breaches 


January saw the largest number 

of identities stolen in 2012, due 

to one breach of over 24 million 

identities, while the numbers 

of the rest of the year mostly 

fluctuated between one and 

12 million identities stolen per 

month. 

The average number of breaches 

for the first half of the year was 

11, and rose to 15 in the second 

half of the year– a 44 percent 

increase. 

SUM OF IDENTITIES BREACHED (MILLIONS) 

35 

30 

25 

20 

15 

10 

5 

0 

JAN 

JAN 

31 

MILLION 

BREACHES IN JAN. 

FEB 

FEB 

MAR 

MAR 

APR 

APR 

MAY 

MAY 

JUN 

JUN 

JUL 

JUL 

AUG 

AUG 

SEP 

SEP 

OCT 

OCT 

NOV 

NOV 

DEC 

DEC 

INCIDENTS SUM 

35 

30 

25 

20 

15 

10 

5 

0 

NUMBER OF INCIDENTS

p. 19 




average Cost Per Capita of a data breach 7 


Country Average Cost Per Capita 

u.s. $194 

Denmark $191 

France $159 

Australia $145 

Japan $132 

uK $124 

italy $102 

indonesia $42 

At US$194, the United States is the country with highest in cost 

per capita, with Denmark a close second at $191 per capita. 

analysis 

Cyberwarfare, Cybersabotage, 

and Industrial Espionage 

Targeted attacks have become an established part of the threat 

landscape and safeguarding against them has become one of 

the main concerns of CISOs and IT managers. Targeted attacks 

are commonly used for the purposes of industrial espionage to 

gain access to the confidential information on a compromised 

computer system or network. They are rare but potentially the 

most difficult attacks to defend against. 

It is difficult to attribute an attack to a specific group or a 

government without sufficient evidence. The motivation and 

the resources of the attacker sometimes hint to the possibility 

that the attacker could be state sponsored, but finding clear 

evidence is difficult. Attacks that could be state sponsored, 

but appear to be rare in comparison with regular cybercrime, 

have often gained more notoriety. They can be among the 

most sophisticated and damaging of these types of threats. 

Governments are undoubtedly devoting more resources to 

Top Causes of data breaches in 2012 


0 10 20 30 40 50 

8 % 

6 % 

1 % 

Fraud 

23 

23 % 

Insider theft 

Unknown 

40 % 

Hackers 

% Accidentally 

made public 

Theft or loss 

of computer 

or drive 

Hackers continue to be responsible for the largest number of 

data breaches, making up 40 percent of all breaches. 

defensive and offensive cyberwarfare capabilities. In 2012, it 

was still unlikely that most businesses would encounter such 

an attack, and the greatest risk comes from the more prevalent 

targeted attacks that are created for the purposes of industrial 

espionage. Increasingly, small to medium-sized businesses 

(SMB) are finding themselves on the frontline of these targeted 

attacks as they have fewer resources to combat the threat 

and a successful attack here may subsequently be used as the 

springboard to further attacks against a larger organization to 

which they may be a supplier. 

Malware such as Stuxnet in 2010, Duqu in 2011, and Flamer and 

Disttrack in 2012 show increasing levels of sophistication and 

danger. For example, the malware used in the Shamoon attacks 

on a Saudi oil firm had the ability to wipe hard drives. 8 

The same techniques used by cybercriminals for industrial 

espionage, may also be used by states and state proxies for 

cyber attacks and political espionage. Sophisticated attacks may 

be reverse-engineered and copied so that the same or similar

p. 20 




Timeline of Targeted attacks 9 


Ghostnet 

• March 2009 

• Large-scale 

Cyberspying 

Operation 

2009 

Hydraq 

• January 2010 

• Operation “Aurora” 

Stuxnet 

• June 2010 

2010 

RSA Attacks 

• August 2011 

techniques can be used in less discriminate attacks. A further 

risk is that malware developed for cybersabotage may spread 

beyond its intended target and infect other computers in a kind 

of collateral damage. 

Advanced Persistent Threats and Targeted Attacks 

Targeted attacks combine social engineering and malware to 

target individuals in specific companies with the objective 

of stealing confidential information such as trade secrets or 

customer data. They often use custom-written malware and 

sometimes exploit zero-day vulnerabilities, which makes them 

harder to detect and potentially more infective. 

Targeted attacks use a variety of vectors as their main delivery 

mechanism, such as malware delivered in an email, or driveby 

downloads from an infected website the intended recipient 

is known to frequent, a technique known as a ”watering hole” 

attack. 

APTs are often highly sophisticated and more insidious than 

traditional attacks, relying on highly customized intrusion 

techniques. While targeted attacks are growing increasingly 

more common, the resources required to launch an advanced 

Nitro Attacks 

• July–October 2011 

• Against Chemical 

Industry 

2011 

Sykipot / Taidoor 

Attacks 

• Targeting Defense 

Industry and 

Governments 

Flamer & Gauss 

• May 2012 – Aug 2012 

• Highly Sophisticated 

Threat 

• Targets Middle East 

persistent threat campaign means they are limited to wellfunded 

groups attacking high-value targets. 

Symantec saw a 42 percent increase in the targeted attack rate 

in 2012 compared with the preceding 12 months. While the 

manufacturing industry has become the main target accounting 

for 24 percent of attacks, we also saw a wide range of companies 

coming under attack, not only large businesses, but increasingly 

SMBs as well. In 2011, 18 percent of targeted attacks were aimed 

at companies with fewer than 250 employees, but by the end of 

2012, they accounted for 31 percent. 

Social Engineering and Indirect Attacks 

2012 

Elderwood Project 

• September 2012 

• Main Target: Defense. 

Same group identified 

using Hydraq (Aurora) 

in 2009 

Attackers may be targeting smaller businesses in the supply 

chain because they are more vulnerable, have access to 

important intellectual property, and offer a stepping stone 

into larger organizations. In addition, they are also targeted 

in their own right. They are more numerous than enterprises, 

have valuable data, and are often less well-protected than 

larger companies. For example, an attacker may infiltrate a 

small supplier in order to use it as a spring board into a larger 

company. They might use personal information, emails, and files 

from an individual in such a smaller company to create a well-

p. 21 




Web Injection Process Used in Watering hole attacks 10 


Watering Hole Attacks 

1. Attacker Attacker profiles victims and 

the kind of of websites websites they they go to. 

2. Attacker Attacker then tests tests these websites 

for vulnerabilities. 

vulnerabilities. 

3. When the attacker finds a website 

that he can compromise, he injects 

JavaScript or HTML, redirecting the 

victim to a separate site that hosts the 

exploit code for the chosen vulnerability. 

4. The compromised website is 

now “waiting” to infect the profiled 

victim with a zero-day exploit, 

just like a lion waiting at a 

watering hole. 

crafted email aimed at someone in a target company. 

In 2012, we saw a big increase in attacks on people in 

R&D and sales roles compared to the previous year. 

This suggests that attackers are casting a wider net and 

targeting less senior positions below the executive level in 

order to gain access to companies. The increase in attacks 

has been particularly high overall in these two areas. Still, 

attacks in other areas, such as back-office roles, are still a 

significant threat. 

Attackers continue to use social engineering techniques 

in targeted attacks. For example, messages impersonating 

EU officials, messages that appear to come from security 

agencies in the United States and target other government 

officials, or messages that piggyback announcements 

about new procurement plans from potential government 

clients such as the U.S. Air Force. This shows extensive 

research, a sophisticated understanding of the motivation 

of recipients, and makes it much more likely that victims 

will open attachments that contain malware. 

Watering Hole Attacks 

The biggest innovation in targeted attacks was the 

emergence of watering hole attacks. This involves 

compromising a legitimate website that a targeted victim 

might visit and using it to install malware on their 

computer. For example, this year we saw a line of code in a 

tracking script 11 on a human rights organization’s website 

with the potential to compromise a computer. It exploited 

a new, zero-day vulnerability in Internet Explorer® to 

infect visitors. Our data showed that within 24 hours, 

people in 500 different large companies and government 

organizations visited the site and ran the risk of infection. 

The attackers in this case, known as the Elderwood 

Gang, used sophisticated tools and exploited zero-day 

vulnerabilities in their attacks, pointing to a wellresourced 

team backed by a large criminal organization 

or a nation state. 12

p. 22 




Recommendations 

Assume You’re a Target. 

Small size and relative anonymity are not defenses against the 

most sophisticated attacks. Targeted attacks threaten small 

companies as well as large ones. Attackers could also use your 

website as a way to attack other people. If you assume you 

are a potential target and improve your defenses against the 

most serious threats, you will automatically improve your 

protection against other threats. 

Defense in Depth. 

Emphasize multiple, overlapping, and mutually supportive 

defensive systems to guard against single-point failures in 

any specific technology or protection method. This should 

include the deployment of regularly updated firewalls, as well 

as gateway antivirus, intrusion detection, intrusion protection 

systems, and Web security gateway solutions throughout the 

network. Endpoints must be secured by more than signaturebased 

antivirus technology. 

Educate Employees. 

Raise employees’ awareness about the risks of social 

engineering and counter it with staff training. Similarly, good 

training and procedures can reduce the risk of accidental data 

loss and other insider risks. Train staff about the value of 

data and how to protect it. 

Data Loss Prevention. 

Prevent data loss and exfiltration with data loss protection 

software on your network. Use encryption to protect data in 

transit, whether online or via removable storage.

p. 23 



VULNERabILITIES 

ExPLOITS 

aNd TOOLkITS

p. 24 



VULNERabILITIES, ExPLOITS, aNd TOOLkITS 

Introduction 

Recent research by the Ponemon Institute suggests that the 

cost of cybercrime rose by six percent in 2012 with a 42 percent 

increase in the number of cyberattacks. The cost is significant 

with businesses incurring an average cost of $591,780. 13 Given 

the increase availability of vulnerabilities and exploits it comes 

as no surprise that the cybercriminals have increased their 

ability to make a profit. 

Quite a few diverse skills are needed to find vulnerabilities, 

create ways to exploit them, and then run attacks using them. 

Fortunately for the cybercriminal, a black market exists where 

these skills can be purchased in the form of toolkits. Hackers 

find and exploit and or sell vulnerabilities. Toolkit authors find 

or buy exploit code and incorporate it into their “products.” 

Cybercriminals in turn buy or steal the latest versions of toolkits 

which allow them to run massive attacks without the trouble of 

learning the skills needed to run the whole operation. 

data 

browser Vulnerabilities 2010 – 2012 


50% 

45 

40 

35 

30 

25 

20 

15 

10 

5 

2010 

Apple Safari 

Google Chrome 

Mozilla Firefox 

Microsoft Internet Explorer 

Opera 

2011 

2012 

at a glance 

• Usage of zero-day vulnerabilities is up, from 8 to 14 in 2012. 

• There is an increasingly sophisticated black market serving a 

multi-billion dollar online crime industry. 

• These vulnerabilities are later commercialized and added 

to Web-attack toolkits, usually after they become published 

publicly. 

• In 2012, drive-by Web attacks increased by one third, possibly 

driven by malvertising. 

• Around 600,000 Macs were infected with Flashback malware 

this year. 

• The Sakura toolkit, which had little impact in 2011, now 

accounts for approximately 22 percent of Web-based toolkit 

attacks, overtaking Blackhole during some points of the year. 

Plug-in Vulnerabilities 2010 – 2012 


50% 

45 

40 

35 

30 

25 

20 

15 

10 

5 

2010 

Adobe Flash Player 

Oracle Sun Java 

Adobe Acrobat Reader 

Apple QuickTime 

2011 

2012

p. 25 




Total Vulnerabilities 


600 

500 

400 

300 

200 

100 

0 



3 

2 

1 

JAN 

JAN 

FEB 

FEB 

MAR 

MAR 

APR 

APR 

MAY 

MAY 

JUN 

JUN 

JUL 

JUL 

AUG 

AUG 

SEP 

SEP 

OCT 

OCT 

NOV 

NOV 

DEC 

DEC 

• There were 5,291 

vulnerabilities reported in 

2012, compared with 4,989 

in 2011. 

• Reported vulnerabilities per 

month in 2012 fluctuated 

roughly between 300 and 

500 per month. 

• In 2012, there were 85 

public SCADA (Supervisory 

Control and Data Acquisition) 

vulnerabilities, a massive 

decrease over the 129 

vulnerabilities in 2011. 

• There were 415 mobile 

vulnerabilities identified in 

2012, compared with 315 in 

2011. 

• A zero-day vulnerability is 

one that is reported to have 

been exploited in the wild 

before the vulnerability is 

public knowledge and prior 

to a patch being publicly 

available. 

• There were 14 zero-day 

vulnerabilities reported in 

2012. 

• There were up to 3 zero-day 

vulnerabilities reported each 

month.

p. 26 




analysis 

Web-based Attacks on the Rise 

We have seen the number of Web-based attacks increase by 

almost a third. These attacks silently infect enterprise and 

consumer users when they visit a compromised website. In 

other words, you can be infected simply by visiting a legitimate 

website. Typically, attackers infiltrate the website to install their 

attack toolkits and malware payloads, unbeknown to the site 

owner or the potential victims. 

The malware payload that is dropped by Web-attack toolkits 

is often server-side polymorphic or dynamically generated, 

rendering enterprises that rely on signature-based antivirus 

protection unable to protect themselves against these silent 

attacks. A hidden piece of JavaScript or a few lines of code 

linking to another website can install malware that is very 

difficult to detect. It then checks the system of each visitor for 

browser or operating system vulnerabilities until it finds one 

that is likely to succeed and it uses that to install malware on 

the visitor’s computer. 

These attacks are successful because enterprise and consumer 

systems are not up to date with the latest patches for browser 

plug-ins, such as Adobe’s Flash Player® and Acrobat Reader®, 

as well as Oracle’s Java platform. While a lack of attentiveness 

can be blamed for consumers remaining out of date, often in 

larger companies, older versions of these plug-ins are required 

to run critical business systems, making it harder to upgrade 

to the latest versions. Such patch management predicaments, 

with slow patch deployment rates, make companies especially 

vulnerable to Web-based attacks. 

It’s important to note that the volume of vulnerabilities doesn’t 

correlate to increased levels of risk. One single vulnerability in 

an application may present a critical risk to an organization, 

if exploited successfully. Analysis of risk from vulnerabilities 

exploited in Web-based attack toolkits is an area that Symantec 

will explore further in 2013. 

The key is that it’s not the latest zero-day vulnerability that is 

responsible for the widespread success of Web-based attacks. 

The rate of attacks from compromised websites has increased 

by 30 percent, while the rate of discovery of vulnerabilities has 

only increased by 6 percent. In a nutshell, it’s older, non-patched 

vulnerabilities that cause most systems to get compromised. 

The Arms Race to Exploit New Vulnerabilities 

We have witnessed an increase in zero-day vulnerabilities this 

year. There were 14 unreported vulnerabilities first seen being 

used in the wild in 2012. This is up from 8 in 2011. Overall, 

reported vulnerabilities are up slightly in 2012, from 4,989 in 

2011 to 5,291 in 2012. Mobile vulnerabilities are also up, from 

315 in 2011 to 415 reported in 2012. 

Organized groups, such as the team behind the Elderwood 

attacks, have worked to discover new weaknesses in everyday 

software such as Web browsers and browser plug-ins. When one 

vulnerability becomes public, they are able to quickly deploy 

a new one, which speaks to the sophistication of the groups 

creating vulnerabilities. 

There is an arms race between Internet criminals and legitimate 

software developers. Criminals’ ability to quickly find and 

exploit new vulnerabilities is not matched by software vendors’ 

ability to fix and release patches. Some software companies 

only patch once a quarter; others are slow to acknowledge 

vulnerabilities. Even if they do a good job with updates, 

companies are often slow to deploy them. 

While zero-day vulnerabilities present a serious security threat, 

known (and even patched) vulnerabilities are dangerous if ignored. 

Many companies and consumers fail to apply published updates 

in a timely way. Toolkits that target well-known vulnerabilities 

make it easy for criminals to target millions of PCs and find the 

ones that remain open to infection. In fact, the vulnerabilities that 

are exploited the most often are not the newest.

p. 27 




Malvertising and Website Hacking 

How does a hacker add his code to a legitimate website? Toolkits 

are available that make it easy. For example, in May 2012, the 

LizaMoon toolkit used a SQL injection technique to affect at 

least a million websites. 14 Other approaches include: 

• Exploiting a known vulnerability in the website hosting or 

content management software 

• Using phishing, spyware, or social engineering to get the 

webmaster’s password 

• Hacking through the Web server backend infrastructure, 

such as control panels or databases 

• Paying to host an advertisement that contains the infection 

This last technique, known as malvertising, means that legitimate 

websites can be impacted without even being compromised. This 

form of attack appears to be very common. Using experimental 

scanning software (see “Website Malware Scanning and Website 

Vulnerability Assessment” later in this section), Symantec found 

that half of the tested sites were infected by malvertising. 

Malvertising opens an avenue of attack that hackers can use 

to compromise a website without having to directly hack 

the website itself. Using these malicious ads allows them to 

silently infect users, often installing dynamically created 

malware that antivirus alone is unable to detect. 

A sign of the seriousness of the problem is that Google 

and other search engines scan for malware and blacklist 

sites that contain malware. There have been occasions 

when prominent advertising networks have fallen prey to 

malvertising, impacting some of the biggest names in online 

media. 15 Situations like this can have a serious impact on 

websites whose bottom line often depends on revenue, even 

diminishing their credibility in the eyes of their readers. 

With dozens of advertising networks and constantly rotating 

adverts, tracking malvertising and preventing it is a huge 

challenge. 

Online advertisement for a malware toolkit.

p. 28 




Web Attack Toolkits 

It’s one thing to discover new vulnerabilities, but another 

matter to implement a way to exploit them. Criminal 

entrepreneurs turn them into toolkits that less sophisticated 

users can buy and use. Like commercial software, they even 

include support and warranties. Authors accept payments 

using online payment services with anonymous numbered 

accounts. 

Attack toolkits exist for creating a variety of malware and 

for attacking websites. The popular Blackhole toolkit is a 

notorious example. This updating strategy suggests that it has 

a kind of brand loyalty and that the authors are building on 

that in the same way that legitimate software vendors do with 

their updates and new editions. 

Blackhole continued to make its presence felt in 2012, 

making up for 41 percent of all Web-based attacks. We also 

saw the release of an updated version of the toolkit, dubbed 

Blackhole 2.0, back in September. However, Blackhole’s overall 

dominance may have begun to decline, as another Web attack 

toolkit surpassed Blackhole during a few months in the latter 

half of 2012. Sakura, a new entrant to the market, at its peak 

made up as much of 60 percent of all toolkit activity, and 22 

percent of overall toolkit usage in 2012. 

Web attack Toolkits Over Time 


90% 

80 

70 

60 

50 

40 

30 

20 

10 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

JUL 

AUG 

Top Web attack Toolkits by Percent 


Sakura 

22% 

Blackhole 

41% 

Others 

20% 

10% Phoenix 

7% Redkit 

Approximately 41 percent of Web-based toolkit attacks 

in 2012 related to the Blackhole toolkit, compared with 

44 percent in 2011. The Sakura toolkit was not in the 

top 10 for 2011, and now accounts for approximately 

22 percent of Web-based toolkit attacks, overtaking 

Blackhole at some points in the year. 

SEP 

OCT 

NOV 

DEC 

Others 

Blackhole 

Sakura 

Nuclear 

Redkit 

Phoenix

p. 29 




Website Malware Scanning and Website 

Vulnerability Assessment 

In 2012, Symantec’s Trust Services (formerly VeriSign) 

technology scanned over 1.5 million websites as part of its 

Website Malware Scanning and Vulnerability Assessment 

services. Over 130,000 URLs were scanned for malware each 

day, with 1 in 532 of websites found to be infected with 

malware. The most common form of compromise was for 

the use of drive-by downloads. 

Furthermore, in assessing potentially exploitable vulnerabilities 

on websites, over 1,400 vulnerability scans were performed each 

day. Approximately 53 percent of websites scanned were found 

to have unpatched, potentially exploitable vulnerabilities (36 

percent in 2011), of which 24 percent were deemed to be critical 

(25 percent in 2011). The most common vulnerability found was 

for cross-site scripting vulnerabilities. 

The Growth of Secured Connections 

One of the ways to judge the growth of usage for SSL is to 

monitor the change in statistics for OCSP (Online Certificate 

Status Protocol, which is used for obtaining the revocation 

status of a digital certificate) and CRL (Certificate Revocation 

List) lookups. When an SSL secured connection is initiated, a 

revocation check is performed using OCSP or CRL and we track 

the number of lookups that go through our systems. This is a 

growth indicator for the number of SSL secured sessions that 

are performed online. This implies that more people are going 

online and using secured connections (for example, representing 

a growth of eCommerce transactions on the Web). It also may 

show the impact of the adoption of SSL more widely, in more 

places and for more uses, such as the growing use of Extended 

Validation SSL Certificates, which trigger browsers to indicate 

whether a user is on a secured site by turning the address bar 

green, and for “Always On SSL” (adopted heavily through 2012 

by social networks, search services, and online email providers). 

Further, it may be a result of devices other than traditional 

desktops and laptops that enable online access; for example, 

smartphones and tablets. 

In 2012, Symantec identified the average number of OCSP 

lookups grew by 31 percent year on year between 2011 and 

2012, with more than 4.8 billion lookups performed each day in 

2012. The high-water-mark of OCSP lookups was 5.8 billion in 

a single day in 2012. It is worth noting that OCSP is the modern 

revocation checking methodology. 

Additionally, Symantec’s CRL lookups increased by 45 percent 

year on year between 2011 and 2012, with approximately 

1.4 billion per day, and a high-water-mark of 2.1 billion. 

CRL is the older lookup technology that OCSP supersedes. 

Norton Secured Seal and Trust Marks 

In 2012, more consumers were visiting websites with trust 

marks (such as the Norton Secured Seal) in 2012. Based on 

analysis of the statistics from Symantec’s own trust marks, we 

saw an 8 percent increase in 2012. The Symantec trust mark 

was viewed up to 750 million times a day in 2012 as more online 

users are necessitating stronger security to safeguard their 

online activities. 

Stolen Key-signing Certificates 

2012 continued to show that organizations large and small were 

susceptible to becoming unwitting players in the global malware 

distribution network. We’ve seen increased activity of malware 

being signed with legitimate code-signing certificates. Since the 

malware code is signed, it appears to be legitimate, which make 

it easier to spread. 

Malware developers often use stolen code-signing private 

keys. They attack Certificate Authorities and once inside 

their networks, they seek out and steal private keys. In other 

cases, poor security practices allow them to buy legitimate 

certificates with fake identities. For example, in May 2012, 

Comodo, a large Certificate Authority, authenticated and 

issued a legitimate code-signing certificate to a fictitious 

organization run by cybercriminals. 16

p. 30 





Use a Full Range of Protection Technology. 

If the threat landscape was less advanced, then file scanning 

technology (commonly called antivirus) would be sufficient 

to prevent malware infections. However, with toolkits for 

building malware-on-demand, polymorphic malware and 

zero-day exploits, antivirus is not enough. Network-based 

protection and reputation technology must be deployed on 

endpoints to help prevent attacks. And behavior blocking and 

scheduled file scanning must be used to help find malware 

that avoid preventative defense. 

Protect Your Public-facing Websites. 

Consider Always On SSL to encrypt visitors’ interactions 

with your site across the whole site, not just on the checkout 

or sign-up pages. Make sure you update your content 

management system and Web server software just as you 

would a client PC. Run vulnerability and malware scanning 

tools on your websites to detect problems promptly. To protect 

these credentials against social engineering and phishing, use 

strong passwords for admin accounts and other services. Limit 

login access to important Web servers to users that need it. 

Protect Code-signing Certificates. 

Certificate owners should apply rigorous protection and 

security policies to safeguard keys. This means effective 

physical security, the use of cryptographic hardware security 

modules, and effective network and endpoint security, 

including data loss prevention on servers involved in signing 

code, and thorough security for applications used to sign code. 

In addition, Certificate Authorities need to ensure that they 

are using best practices in every step of the authentication 

process. 

Adopting an Always On SSL approach helps to safeguard 

account information from unencrypted connections and thus 

render end users less vulnerable to a man-in-the-middle attack. 

Be Aggressive on Your Software Updating and Review 

Your Patching Processes. 

The majority of Web-based attacks exploit the top 20 most 

common vulnerabilities. Consequently, installing patches for 

known vulnerabilities will prevent the most common attacks. 

It’s essential to update and patch all your software promptly. 

In particular, with risks like the Flashback attacks that used 

Java, it’s important to run the latest version of that software 

or do without it altogether. This is equally true for CIOs 

managing thousands of users, small business owners with 

dozens of users, or individual users at home. 

Update, patch, and migrate from outdated and insecure 

browsers, applications, and browser plug-ins to the latest 

available versions using the vendors’ automatic update 

mechanisms, especially for the top software vulnerabilities 

being exploited. Most software vendors work diligently 

to patch exploited software vulnerabilities; however, such 

patches can only be effective if adopted in the field. Be wary of 

deploying standard corporate images containing older versions 

of browsers, applications, and browser plug-ins that are 

outdated and insecure. Consider removing vulnerable plug-ins 

from images for employees that have no need for that software. 

Wherever possible, automate patch deployments to maintain 

protection against vulnerabilities across the organization.

p. 31 



SOCIaL NETWORkINg 

MObILE 

aNd ThE CLOUd

p. 32 



SOCIaL NETWORkINg, MObILE, aNd ThE CLOUd 

Introduction 

Online criminals and spammers are less interested in email as 

an infection vector than they were. Why? Because social media 

is becoming so popular and it gives them many new ways to 

steal people’s identities or personal information and infect their 

computers with malware. 

Social media combines two behaviors that are useful for 

criminals: social proof and sharing. Social proofing is the 

psychological mechanism that convinces people to do things 

because their friends are doing it. For example, if you get a 

message on your Facebook wall from a trusted friend, you’re 

more likely to click on it. 

Sharing is what people do with social networks: they share 

personal information such as their birthday, home address, and 

other contact details. This type of information is very useful for 

identity thieves. For example, your social media profile might 

contain clues to security questions a hacker would need to reset 

your password and take control of your account. 

People are spending more time online, and the most popular 

activity is for social networking. Furthermore, younger users are 

more commonly using mobile devices to access the Internet and 

social media applications. 17 

data 

Top 5 Social Media attacks in 2012 


1 

22 

3 

44 

5 

56 % 

18 % 

10 % 

5 % 

3 % 

Manual 

Sharing 

Likejacking 

Fake Plug-in 

Copy and Paste 

Fake 

Offering 

Moreover, many mobile applications frequently rely on cloudbased 

storage, and without an Internet connection are often 

limited in their functionality. Many more people and businesses 

are routinely using cloud-based systems, sometimes without 

even realising it. 

The bank robber Willie Sutton famously explained why he robbed 

banks: “Because that’s where the money is.” Online criminals 

target social media because that’s where the victims are. 

Facebook users can report potential Facebook phishing 

scams to the company through the following email address: 

phish@fb.com. 

at a glance 

• Scammers continue to use social media as spam and phishing 

tools, including newer sites such as Pinterest and Instagram. 

• Mobile malware has increased significantly in 2012 with new 

threats such as mobile botnets. 

• Thirty-two percent of all mobile malware steals information 

from the compromised device. 

• Fast-growing trends towards cloud computing, bring your 

own device, and consumerization create additional risks for 

businesses. 

• Fake Offering. These scams invite social network users to join a fake 

event or group with incentives such as free gift cards. Joining often 

requires the user to share credentials with the attacker or send a 

text to a premium rate number. 

• Manual Sharing Scams. These rely on victims to actually do the 

hard work of sharing the scam by presenting them with intriguing 

videos, fake offers or messages that they share with their friends. 

• Likejacking. Using fake “Like” buttons, attackers trick users into 

clicking website buttons that install malware and may post updates 

on a user’s newsfeed, spreading the attack. 

• Fake Plug-in Scams. Users are tricked into downloading fake 

browser extensions on their machines. Rogue browser extensions 

can pose like legitimate extensions but when installed can steal 

sensitive information from the infected machine. 

• Copy and Paste Scams. Users are invited to paste malicious 

JavaScript code directly into their browser’s address bar in the 

hope of receiving a gift coupon in return.

p. 33 




Mobile Vulnerabilities 


120 

100 

80 

60 

40 

20 

JAN 

FEB 

Mobile Threats in 2012 


MAR 

APR 

32 % 

121 

MOBILE 

VULNERABILITIES 

IN MARCH 

MAY 

Steal Information 

25 % 

Traditional Threats 

15 % 

Track User 

JUN 

JUL 

AUG 

SEP 

OCT 

NOV 

13 % 

Send Content 

8 % 

DEC 

Reconfigure Device 

8 Adware/Annoyance 

% 

• March was the most active 

month of 2012, with 121 

vulnerabilities reported. 

• There were 415 mobile 

vulnerabilities identified 

in 2012, compared with 

315 in 2011. 

Information stealing tops the list 

of activities carried out by mobile 

malware, with 32 percent of all 

threats recording some sort of 

information in 2012.

p. 34 




Cumulative Mobile android Malware, Families and Variants 2010 to 2012 


FAMILIES (CUMULATIVE) 

200 

180 

160 

140 

120 

100 

80 

60 

40 

20 

0 

Mobile Threats by device Type in 2012 


Device Type 

JAN, 2010 

Android malware 103 

symbian malware 3 

Windows Mobile malware 1 

iOs malware 1 

JAN 2011 

JAN, 2011 

Number of Threats 

JAN 2012 

JAN, 2012 

VARIANTS FAMILIES 

• 2012 saw a 58 percent increase in mobile malware families compared to 2011. The year’s total 

now accounts for 59 percent of all malware to-date. 

• At the same time the number of variants within each family has increased dramatically, from 

an average ratio of variants per family of 5:1 in 2011 to 38:1 in 2012. This indicates that threat 

authors are spending more time repackaging or making minor changes to their threats, in order 

to spread them further and avoid detection. 

In contrast to vulnerabilities, 

Android was by far the most 

commonly targeted mobile 

platform in 2012, comprising 

103 out of 108 unique threats. 

5,000 

4,500 

4,000 

3,500 

3,000 

2,500 

2,000 

1,500 

1,000 

500 

0 

VARIANTS (CUMULATIVE)

p. 35 




Mobile Vulnerabilities by OS 


Platform 

Apple iOs 387 

Android 13 

BlackBerry 13 

nokia 0 

LG electronics 0 

Windows Mobile 2 

analysis 

Documented Vulnerabilities 

Spam and Phishing Move to Social Media 

In the last few years, we’ve seen a significant increase in spam 

and phishing on social media sites. Criminals follow users to 

popular sites. As Facebook and Twitter have grown in popularity 

for users, they have also attracted more criminal activity. 

However, in the last year, online criminals have also started 

targeting newer, fast-growing sites such as Instagram, 

Pinterest, and Tumblr. 

Typical threats include fake gift cards and survey scams. These 

kinds of fake offer scams account for more than half (56 percent) 

of all social media attacks. For example, in one scam the victim 

sees a post on somebody’s Facebook wall or on their Pinterest 

feeds (where content appears from the people they follow or in 

specific categories) that says “Click here for a $100 gift card.” 

When the user clicks on the link, they go to a website where 

they are asked to sign up for any number of offers, turning over 

personal details in the process. The spammers get a fee for each 

registration and, of course, there’s no gift card at the 

end of the process. 

The vast majority of vulnerabilities 

on mobile systems were on the iOS 

platform. However, the higher number 

of vulnerabilities is not indicative of a 

higher level of threat, because most 

mobile threats have not used software 

vulnerabilities. 

Typical social media scam. 

Fake website with bogus survey.

p. 36 




Phishing site spoofing a social networking site promoting soccer star Lionel Messi. 

We also documented a similar spam campaign on 

the popular photo-sharing app Instagram. 18 

Another trick is to use a fake website to persuade a victim to 

reveal their personal details and passwords; for example, their 

Facebook or Twitter account information. These phishing 

scams are insidious and often exploit people’s fascination with 

celebrities such as professional athletes, film stars, or singers. 

We have seen an increase in phishing scams that target specific 

countries and their celebrities. 

In 2012, we have seen ever more threats targeted on social 

media websites as well as more and more new channels and 

platforms opening up, especially those that are available only as 

mobile applications. It is likely that these mobile social channels 

will become more targeted in 2013, especially those that are 

aimed specifically at teenagers and young adults, who may not 

know how to recognize such attacks and may be a little freer 

with their personal details.

p. 37 




Mobile Threats 

In the last year, we have seen a further increase in mobile 

malware. This correlates with increasing numbers of Internetconnected 

mobile devices. Android has a 72 percent market 

share with Apple® iOS a distant second with 14 percent, 

according to Gartner. 19 As a result of its market share and more 

open development environment, Android is the main target for 

mobile threats. 

Typically, people use phones to store personal information and 

contact information and increasingly they have high-speed 

Internet connections. The smartphone has become a powerful 

computer in its own right, and this makes these attractive 

devices to criminals. They also have the added advantage of 

being tied to a payment system—the owner’s phone contract— 

which means that they offer additional ways for criminals to 

siphon off money from the victim. 

We’ve seen a big rise in all kinds of mobile phone attacks: 

• Android threats were more commonly found in Eastern 

Europe and Asia; however, during the last year, the number 

of Android threats in the rest of Europe and the United 

States has increased. 

• Privacy leaks that disclose personal information, including 

the release of surveillance software designed to covertly 

transmit the owner’s location. 20 

• Premium number fraud where malicious apps send expensive 

text messages. This is the quickest way to make money from 

mobile malware. One mobile botnet Symantec observed 

used fake mobile apps to infect users and by our calculation 

the botmaster is generating anywhere between $1,600 to 

$9,000 per day and $547,500 to $3,285,000 per year. 21 

• Mobile botnets. Just as spammers have linked networks of 

PCs into botnets to send out unwanted email, now criminals 

have begun using Android botnets the same way. 22 This 

suggests that attackers are adapting techniques used on 

PCs to work on smartphones. 

Historically, malware infected smartphones through rogue app 

markets and users sideloading apps directly onto their devices. 

However, legitimate app stores are not immune. In 2012, we saw 

rogue software masquerading as popular games on the Google® 

Play market, having bypassed Google’s automated screening 

process. 23 

Businesses are increasingly allowing staff to “bring your 

own device” (BYOD) to work, either by allowing them to use 

personal computers, tablets, or smartphones for work, even 

subsidizing their purchase. Even when companies provide their 

own equipment, the trend towards consumerization means 

that companies often turn to consumer technology, such as 

file-sharing websites, and devices, such as consumer laptops 

or tablets, to reduce costs. These two trends open the door to 

a greater risk to businesses from mobile devices because they 

often lack security features such as encryption, access control, 

and manageability. 

We have seen far more vulnerabilities for the iOS platform, 

which makes up 93 percent of those published, than for Android 

in 2012, but yet Android dominates the malware landscape, with 

97 percent of new threats. 

While seemingly contradictory at first, there is a good reason 

for this: jailbreaking iOS devices. In order to install applications 

that are not available on the Apple App Store, a user must run 

an exploit against a vulnerability in the software. While not the 

safest approach from a security standpoint, this is the only way 

to install applications that are not available through the Apple 

App Store. 

In contrast, the Android platform provides the option to 

install apps from unofficial markets by simply changing settings 

in the operating system. Since no exploit is needed, the same 

incentives aren’t present as there are on iOS. Android users are 

vulnerable to a whole host of threats; however, very few have 

utilized vulnerabilities to spread threats. 

While Android clocks in with 103 threats in 2012, this number 

may appear small compared to other estimates on the scope of 

the mobile threat landscape. Many estimates are larger because 

they provide a count of overall variants, as opposed to new, 

unique threats. While many of these variants simply undergone 

minor changes in an attempt to avoid antivirus scanners 

detecting them, Symantec counted at least 3,906 different 

mobile variants for the year. 

There’s an important distinction between old and new Android 

versions regarding security features. Google added a feature in 

Android version 4.x to allow users to block any particular app 

from pushing notifications into the status bar. This came in 

response to feedback from users of older versions, annoyed by 

ad platforms that push notifications to the status bar. 

Also, due to the rise of threats that silently send premium text 

messages—Android.Opfake, Android.Premiumtext, Android. 

Positmob, and Android.Rufraud, for instance—Google added a 

feature in Android 4.2 to prompt the user to confirm sending 

such premium text messages. This can be very helpful in 

protecting most users. 

However, at around 10 percent market penetration at the end of 

2012, 24 Android 4.2 devices account only for a small percentage

p. 38 




of the total devices out there. The Android ecosystem makes it 

harder to keep everyone up to date. Google released the official 

platform that works out of the box only on Nexus devices— 

Google’s own branded device. From there each manufacturer 

modifies and releases its own platform, which is in turn picked 

up by mobile network operators who also customize those 

platforms. 

This makes it impossible for any change coming from Google 

to be quickly available to all in-field devices. Any change to the 

platform requires thorough testing by each manufacturer and 

then each operator, all adding to the time needed to reach users. 

Having so many device models also multiplies the amount of 

resources all these companies have to allocate for each update, 

leading to infrequently released updates or in some cases no 

updates for older devices. 

For most exploits in the OS, Google released quick fixes; 

however, users still had long waits before they received the 

fix from their network operators. Some exploits are not in the 

original OS itself but in the custom modifications made by 

manufacturers, such as the exploit for Samsung models that 

appeared in 2012. Samsung was quick to fix it, but the fix still 

had to propagate through network operators to reach users. 

Tighter control from Google over the platform can solve some of 

the “fragmentation” issues, but this could affect the relationship 

it has with manufacturers. A cut-off point for older Android 

users could help to mitigate the risk, but it is usually the 

manufacturers that do this. 

Cloud Computing Risks 

The cloud services market was expected to grow by 20 percent 

in 2012, according to Gartner. 25 Cloud computing promises 

businesses a way to enhance their IT without heavy upfront 

capital costs and, for smaller businesses, it offers access to 

enterprise-class business software at an affordable price. On 

a fundamental level, it offers huge and growing economies of 

scale as Internet bandwidth and processing power continue to 

increase rapidly. 

Cloud computing offers some potential security benefits, 

especially for smaller companies without dedicated IT security 

staff. Well-run cloud applications are more likely to be patched 

and updated efficiently. They are also more likely to be resilient, 

secure, and backed up than on-premises systems. 

However, cloud computing presents some security concerns, too: 

• Privacy. Well-run cloud companies will have strong 

policies about who can access customer data (for example, 

for troubleshooting) and under what circumstances. 

Information should only be entrusted to a third party over 

the Internet where there is sufficient assurance as to how 

that data will be managed and accessed. 

• Data Liberation. Cloud computing businesses make it easy 

to get started, and reputable companies make it easy to 

extract your data (for example, archived emails or customer 

records) if you want to change providers. Before entrusting 

their data to a cloud provider, potential users should 

fully evaluate the terms and conditions of extracting and 

recovering that data at a later date. 

• Eggs in One Basket. As we have seen from large-scale data 

breaches in the last few years, attackers tend to go where 

they can score the most data for the least effort. If a cloud 

services provider stores confidential information for a 

large number of customers, it becomes a bigger target for 

attackers. A single breach at a cloud provider could be a 

gold mine of personal data for an attacker. 

• Consumerization. Companies face a significant risk of 

accidental or deliberate data loss when their employees 

use unapproved cloud systems on an ad-hoc basis. For 

example, if company policies make it difficult to email 

large files to third parties, employees may decide to use 

free online file sharing applications instead. The risk is 

that these systems may fall short of company standards 

for security. For example, one popular file-sharing site left 

all its user accounts unlocked for four hours. 26 In addition, 

where employees use unauthorized cloud applications for 

their work, such as social networking sites for marketing 

purposes, they open up the company to attack from Webbased 

malware. 

• Infrastructure. Although not in the wild, there is a 

theoretical risk that in a virtualized, multi-tenant 

architecture, a malicious user could rent a virtual machine 

and use it to launch an attack against the system by 

exploiting a vulnerability in the underlying hypervisor and 

use this to gain access to other virtual machines running in 

the same environment. Consideration should also be given to 

data encryption within the virtual machine to minimize the 

risk from unauthorized access to the physical hard disks.

p. 39 





Social Media Threats Are a Business Issue. 

Companies are often unwilling to block access to social 

media sites altogether, but they need to find ways to protect 

themselves against Web-based malware on these and other 

sites. This means multi-layer security software at the gateway 

and on client PCs. It also requires aggressive patching and 

updating to reduce the risk of drive-by infections. Lastly, user 

education and clear policies are essential, especially regarding 

the amount of personal information users disclose online. 

Cloud Security Advice. 27 

Carry out a full risk assessment before signing up. Secure 

your own information and identities. Implement a strong 

governance framework. 

Protect Your Mobile Devices. 

Consider installing security software on mobile devices. 

Also, users need to be educated about the risks of 

downloading rogue applications and how to use their privacy 

and permission settings. For company-provided devices, 

consider locking them down and preventing the installation 

of unapproved applications altogether.

p. 40 



MaLWaRE 

SPaM 

aNd PhIShINg

p. 41 



MaLWaRE, SPaM, aNd PhIShINg 

Introduction 

Malware, spam, and social engineering continue to be massive, 

chronic problems. Although they have been around for a long 

time, attacks continue to evolve and they still have the potential 

to do serious damage to consumers and businesses. 

In addition, they hurt everyone by undermining confidence 

in the Internet. These chronic threats do not get much news 

coverage because they are “background noise” but that doesn’t 

mean that they are unimportant. A useful comparison is the 

difference between plane crashes and car crashes. A single plane 

crash makes the national news, but the daily death toll on the 

roads goes unreported despite killing significantly more people 

each year. 28 

The popularity of ransomware is an example of all these themes. 

It permanently locks people out of their computer unless they 

pay a swinging “fine” to the perpetrators. It’s corrosive to trust, 

expensive to remedy, and reveals a new level of ruthlessness and 

sophistication. 

The numbers are telling. In one example, malware called 

Reveton (aka Trojan.Ransomlock.G), was detected attempting 

to infect 500,000 computers over a period of 18 days. According 

to a recent Symantec survey of 13,000 adults in 24 countries, 

average losses per cybercrime incident are $197. 29 In the last 12 

months an estimated 556 million adults worldwide experienced 

some form of cybercrime. 

at a glance 

• With ransomware, malware has become more vicious and more 

profitable. 

• Email spam volumes fall again, down 29 percent in 2012, as 

spammers move to social media. 

• Phishing becomes more sophisticated and targets social 

networking sites. 

Irreversible ransomware locks 

people out of their computer 

unless they pay a “fine,” which 

in most cases does not unlock 

the computer.

p. 42 




data 

Spam 

Spam rates declined for a second year in a row, dropping from 

75 percent in 2011 to 69 percent of all email in 2012. In 2011 

we were reluctant to call this decrease in spam a permanent 

trend. Botnets can be rebuilt, new ones created. But several 

factors appear to be keeping spam rates lower than in previous 

years. 

The takedowns of spam botnets continued in 2012. In March 

2012 a resurrected Kelihos botnet was taken down for a second 

time. In July the Grum botnet was taken down. While both were 

significant spam botnets and contributed to the reduction in 

spam, undoubtedly email spammers are still feeling the pain 

of botnet takedowns from 2011. 

Additionally, pharmaceutical spam continues to decline, 

apparently unable to recover from the loss of the major players 

in the online pharmaceutical business. 30 Given advancements 

in anti-spam technology, plus the migration of many users to 

social networks as a means of communication, spammers may 

be diversifying in order to stay in business. 

This is not to say that the problem of spam has been solved. 

At 69 percent of all email, it still represents a significant 

amount of unwanted messages. 

As email spam rates continue to decline, we see the same social 

engineering techniques that have been used in email spam 

campaigns increasingly being adopted in spam campaigns and 

being promoted through social networking channels. 

Top 5 activity for Spam destination by geography 

Country % 

saudi Arabia 79% 

Bulgaria 76% 

chile 74% 

Hungary 74% 

china 73% 

Top 5 activity for Spam destination by Industry 

Industry % 

Marketing/Media 69% 


recreation 69% 

Agriculture 69% 

chemical/Pharmaceutical 69% 

Top 5 activity for Spam destination by Company Size 

Organization Size % 

1-250 68% 

251-500 68% 

501-1,000 68% 

1,001-1,500 69% 

1,501-2,500 69% 

2,501+ 68%

p. 43 




global Spam Volume Per day in 2012 


60 

50 

40 

30 

20 

10 

global Spam Rate – 2012 vs 2011 


90% 

80 

70 

60 

50 

40 

30 

20 

10 

0 

JAN 

JAN 

BILLIONS 

FEB 

FEB 

MAR 

MAR 

APR 

APR 

MAY 

MAY 

JUN 

JUN 

JUL 

JUL 

AUG 

AUG 

SEP 

SEP 

OCT 

OCT 

NOV 

NOV 

DEC 

DEC 

2011 2012 

• Spam volumes were 

highest in August. 

• The estimated projection 

of global spam volumes 

decreased by 29 percent, 

from 42 billion spam emails 

per day in 2011, to 30 

billion in 2012. 

The overall average global spam 

rate for 2012 was 69 percent, 

compared with 75 percent in 

2011.

p. 44 




Pharmaceutical Spam – 2012 vs 2011 


70% 

60 

50 

40 

30 

20 

10 

JAN 

FEB 

MAR 

APR 

adult/Sex/dating Spam – 2012 vs 2011 


90% 

80 

70 

60 

50 

40 

30 

20 

10 

JAN 

FEB 

MAR 

APR 

MAY 

MAY 

JUN 

JUN 

JUL 

JUL 

AUG 

AUG 

SEP 

SEP 

OCT 

NOV 

DEC 

2011 2012 

OCT 

NOV 

DEC 

2011 2012 

• Pharmaceutical spam makes 

up 21 percent of all spam, but 

was overtaken by the Adult/ 

Sex/Dating category, which 

now makes up 55 percent of 

spam. 

• Pharmaceutical spam in 2012 

declined by approximately 19 

percentage points compared 

with 2011. 

• Adult/Dating spam in 2012 

increased by approximately 

40 percentage points 

compared with 2011. 

• This suggests an almost 

direct correlation 

between the decline in 

pharmaceutical spam and 

the increase in dating spam. 

• The proportion of adult/ 

sex/dating spam was 

greater in 2012 than for 

pharmaceutical spam in 

2011, but the actual volume 

of adult/sex/dating spam 

in 2012 was lower than for 

pharmaceutical spam in 

2011, since overall spam 

volumes were lower in 2012 

than in the previous year.

p. 45 




Phishing 

Email phishing rates are also down this year, from one in 

299 emails in 2011 to one in 414 in 2012. 

The decline in the use of email as a method to spread spam 

and carry out phishing attacks does not likely indicate a 

drop in activity by attackers. Rather, it appears that we 

are seeing a shift in activity from email to other forms 

of online communication, such as social networks. 

Top 5 activity for Phishing destination by Industry 

Industry 1 in 

Public sector 1 in 95 

Finance 1 in 211 

education 1 in 223 

Accommodation/catering 1 in 297 

Marketing/Media 1 in 355 

Phishing Rate – 2012 vs 2011 


1 in 100 

1 in 200 

1 in 300 

1 in 400 

1 in 500 

1 in 600 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

JUL 

AUG 

Top 5 activity for Phishing destination by geography 

Country 1 in 

netherlands 1 in 123 

south Africa 1 in 177 

united Kingdom 1 in 191 

Denmark 1 in 374 

china 1 in 382 

Top 5 activity for Phishing destination by Company Size 

Company Size 1 in 

1-250 1 in 294 

251-500 1 in 501 

501-1,000 1 in 671 

1,001-1,500 1 in 607 

1,501-2,500 1 in 739 

2,501+ 1 in 346 

SEP 

OCT 

NOV 

DEC 

2011 2012 

• Phishing rates have dropped 

drastically in 2012, in many 

cases less than half the 

number for that month in 

the previous year. 

• The overall average phishing 

rate for 2012 was 1 in 414 

emails, compared with 

1 in 299 in 2011.

p. 46 




Malware 

One in 291 emails contained a virus in 2012, which is down from 

one in 239 in 2011. Of that email-borne malware, 23 percent of 

it contained URLs that pointed to malicious websites. This is 

also down from 2011, where 39 percent of email-borne malware 

contained a link to a malicious website. 

Much like the drop in spam and phishing rates, a drop in emails 

that contain viruses does not necessarily mean that attackers 

have stopped targeting users. Rather, it more likely points to a 

shift in tactics, targeting other online activities, such as social 

networking. 

Top 5 activity for Malware destination by geography 

Country 1 in 

netherlands 1 in 108 

Luxembourg 1 in 144 

united Kingdom 1 in 163 

south Africa 1 in 178 

Germany 1 in 196 

Proportion of Email Traffic in Which Virus Was detected – 2012 vs 2011 


1 in 50 

1 in 100 

1 in 150 

1 in 200 

1 in 250 

1 in 300 

1 in 350 

1 in 400 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

JUL 

AUG 

Top 5 activity for Malware destination by Industry 

Industry 1 in 

Public sector 1 in 72 

education 1 in 163 

Finance 1 in 218 

Marketing/Media 1 in 235 

Accommodation/catering 1 in 236 

Top 5 activity for Malware destination by Company Size 

Company Size 1 in 

1-250 1 in 299 

251-500 1 in 325 

501-1,000 1 in 314 

1,001-1,500 1 in 295 

1,501-2,500 1 in 42 

2,501+ 1 in 252 

SEP 

OCT 

NOV 

DEC 

2011 2012 

• Overall numbers declined, 

with one in 291 emails 

containing a virus. 

• In 2011, the average rate for 

email-borne malware was 

1 in 239

p. 47 




Proportion of Email Traffic Containing URL Malware – 2012 vs 2011 


70% 

60 

50 

40 

30 

20 

10 

JAN 

FEB 

MAR 

Website Malware blocked Per day 


THOUSANDS 

400 

350 

300 

250 

200 

150 

100 

50 

0 

JUL 

AUG 

SEP 

OCT 

NOV 

APR 

DEC 

MAY 

JAN 

FEB 

JUN 

MAR 

JUL 

APR 

MAY 

AUG 

JUN 

JUL 

SEP 

OCT 

NOV 

DEC 

2011 2012 

AUG 

SEP 

OCT 

NOV 

DEC 

2011 2012 

• Emails that contained a 

malicious URL dropped 

significantly in 2012. In 

some months it was more 

than half the rate as it was 

that month in 2011. 

• In 2012, approximately 23 

percent of email malware 

contained a URL rather than 

an attachment, compared 

with 39 percent in 2011. 

• In 2012, approximately 

247,350 Web-based attacks 

were blocked each day. 

• In 2011, this figure was 

approximately 190,370 

per day. This represents an 

increase of 30 percent.

p. 48 




Website Exploits by Type of Website 

Based on Norton Safe Web data, the Symantec technology that 

scans the Web looking for websites hosting malware, we’ve 

determined that 61 percent of malicious sites are actually 

regular websites that have been compromised and infected 

with malicious code. 

We see Business, which covers consumer and industrial goods 

and service sectors, listed at the forefront this year. This could 

be due to the contribution of compromised sites from many 

SMBs that do not invest in appropriate resources to protect 

them. Hacking, which includes sites that promote or provide the 

means to carry out hacking activities, jumped to second, though 

it didn’t appear in the top 15 in 2011. 

Although the Technology and Telecommunication category, 

which provides information pertaining to computers, the 

Internet and telecommunication, ranks third this year, it sees 

5.7 percent of the total compromised sites, only a 1.2 percent 

drop from 2011. Shopping sites that provide the means to 

purchase products or services online remain in the top five, 

but Shopping sees a drop of 4.1 percent. 

It is interesting to note that Hosting, which ranked second 

in 2011, has moved down to seventh this year. This covers 

services that provide individuals or organizations access to 

online systems for websites or storage. Due to this increase in 

reliable and free cloud-based hosting solutions, provided by 

the likes of Google, Dropbox and others, we see usage moving 

away from unreliable hosting solutions, which could have 

contributed towards the drop. Blogging has also experienced a 

significant drop in 2012, moving down to fourth position. This 

could support the theory that people are moving towards social 

networking and exchanging information through such networks. 

Malware developers find it easy to insert malicious code in such 

sites and spread them using various means. 

Website Exploits by Type of Website 


Rank 

Top Domain Categories that 

Got Exploited by # of Sites 

1 Business 7.7% 

2 Hacking 7.6% 

3 technology and telecommunication 5.7% 

4 Blogging 4.5% 

5 shopping 3.6% 

6 Known Malware Domain 2.6% 

7 Hosting 2.3% 

8 Automotive 1.9% 

9 Health 1.7% 

10 educational 1.7% 

Top 10 Malware in 2012 


Rank Malware Name % 

1 W32.sality.Ae 6.9% 

2 W32.ramnit.B 5.1% 

3 W32.Downadup.B 4.4% 

4 W32.Virut.cF 2.2% 

5 W32.sillyFDc 1.1% 

6 W32.Mabezat.B 1.1% 

7 W32.Xpaj.B 0.6% 

8 W32.changeup 0.6% 

9 W32.Downadup 0.5% 

10 W32.imaut 0.4% 

# of Infected 

Sites/Total # of 

Infected Sites

p. 49 




analysis 

Macs Under Attack 

Historically, Mac users have felt less vulnerable to malware than 

PC users. As Apple has gained market share, Macs have become 

a more attractive target. In fact, 2012 saw the first significant 

Mac malware outbreak. The Flashback attack exploited a 

vulnerability in Java to create a cross-platform threat. 31 It was 

incorporated into the Blackhole attack toolkit and used by 

criminals to infect 600,000 Macs, 32 which is approximately one 

Mac in 100. Like more and more attacks in 2012, as discussed in 

the “Web Attack Toolkits” section, it spread when users visited 

infected websites. Although the Flashback malware was mainly 

used for advertising click fraud, it had other capabilities, such as 

giving hackers remote access to infected computers. 33 Because 

most Mac users do not have antivirus software, the chances of 

detection, once infected, were small. 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

2007 

2008 

2009 

2010 

Does this indicate that hackers are going to start paying further 

attention to Macintosh computers as a platform to target? Not 

necessarily. While Mac users may encounter an occasional 

threat here or there, the vast majority of what they encounter is 

malware aimed at Windows computers. In fact, of all the threats 

encountered by Symantec customers who used Mac computers 

in the last quarter of 2012, only 2.5 percent of them were 

actually written specifically for Macs. 

This isn’t to say that Macs are a safer alternative to PCs; as we’ve 

seen, they’re just as susceptible to attacks. There were more 

threats created specifically for the Mac in 2012 than in years 

past and the trend appears to be rising. 

10 

MAC THREAT 

FAMILIES IN 2012 

2011 

2012 

There were more unique threats 

for OS X in 2012 than any year 

previously.

p. 50 




Rise of Ransomware 

Ransomware became a bigger challenge in 2012 as its popularity 

among malware authors increased. Unlike scareware, which 

encouraged you to buy fake antivirus protection, ransomware 

just locks your computer and demands a release fee. The 

malware is often quite sophisticated, difficult to remove, and in 

some cases it persists in safe mode, blocking attempts at remote 

support. 

Victims usually end up with ransomware from drive-by 

downloads when they are silently infected visiting websites 

that host Web attack toolkits. This ransomware is often from 

legitimate sites that have been compromised by hackers who 

insert the malicious download code. Another source of infection 

is malvertisements where criminals buy advertising space 

on legitimate websites and use it to hide their attack code, as 

discussed in the malvertisement section. 

Typical ransomware locking screen showing a fake police warning. 

The perpetrators use social engineering to increase the chances 

of payment. The locking screen often contains a fake warning 

from local law enforcement and the ransom is presented as a 

fine for criminal activity online. In some cases, ransomware also 

takes a photo of the victim using a webcam and displays this 

image in the locking screen, which can be unnerving for victims. 

Criminals use anonymous money transfer systems or prepaid 

credit cards to receive the payments. The ransom typically 

ranges between $50 and $400. In many cases, payment doesn’t 

unlock the computer. Symantec monitored a ransomware 

command and control server and saw 5,300 computers infected. 

About three percent of victims paid the ransom, which netted 

the criminals about $30,000.

p. 51 




Long-term Stealthy Malware 

Internet criminals are also making money from malware that 

stays hidden on the victims’ computers. Operating in botnets 

with many thousands of computers acting collectively, these 

stealthy programs send out spam or generate bogus clicks on 

website advertisements (which generate referral income for the 

site owners). These techniques don’t generate rapid returns like 

ransomware; however, they are much less likely to be discovered 

and, thanks to clever coding, are more difficult to remove. 

Consequently, they can generate a constant stream of revenue 

over time. 

Email Spam Volume Down 

After decreases in 2011, this year saw a further reduction in the 

volume of email spam from 76 percent of all email messages 

to 69 percent. There are several reasons for this. First, law 

enforcement action has closed down several botnets, reducing 

the number of messages being sent. 34 Second, spammers are 

increasingly redirecting their efforts to social media sites 

instead of email. Lastly, spammers are improving the quality and 

targeting of their spam messages in an effort to bypass filters 

and this has led to a reduction in the overall numbers being sent. 

Advanced Phishing 

While spam has declined slightly in 2012, phishing attacks have 

increased. Phishers are using very sophisticated fake websites— 

in some cases, perfect replicas of real sites—to trick victims into 

revealing personal information, passwords, credit card details, 

and bank credentials. In the past they relied more on fake 

emails, but now those emails coupled with similar links posted 

on social media sites are used to lure the victim to these more 

advanced phishing websites. 

Typical fake sites include banks and credit card companies, as 

you’d expect, but also popular social media sites. The number 

of phishing sites that spoofed social network sites increased 

123 percent in 2012. 

If criminals can capture your social media login details, they can 

use your account to send phishing emails to all your friends. A 

message that seems to come from a friend appears much more 

trustworthy. Another way to use a cracked social media account 

is to send out a fake message to someone’s friends about some 

kind of emergency. For example, “Help! I’m stuck overseas 

and my wallet has been stolen. Please send $200 as soon as 

possible.” 

In an attempt to bypass security and filtering software, 

criminals use complex website addresses and nested URL 

shortening services. They also use social engineering to 

motivate victims to click on links. In the last year, they have 

focused their messages around celebrities, movies, sports 

personalities, and attractive gadgets such as smartphones 

and tablets. The number of phishing websites that used SSL 

certificates in an attempt to lull victims into a false sense of 

security increased by 46 percent in 2012 compared with the 

previous year. 

We saw a significant (threefold) rise in non-English phishing in 

2012. In particular, we saw a significant increase in South Korea. 

The non-English languages that had the highest number of 

phishing sites were French, Italian, Portuguese, Chinese, 

and Spanish.

p. 52 





Protect Yourself Against Social Engineering. 

For individuals as well as for businesses, it’s essential that 

people learn to spot the telltale signs of social engineering, 

which can include undue pressure, titillation or a false sense 

of urgency, an offer that is literally too good to be true, bogus 

“officialese” in an attempt to make something look authentic 

(for example, lengthy reference numbers), implausible 

pretexts (for example, a Microsoft “representative” calls to 

tell you that your computer has a virus), and false quid-proquo 

offers (for example, receive a free gift when you provide 

personal or confidential information). 

Avoid Ransomware. 

Avoid marginal websites and, in particular, pirate software 

and adult sites. Do not install unsolicited plug-ins or 

executables if prompted to do so, even on legitimate websites. 

Consider using advertising blocker software in your browser. 

Ensure that your computer is up to date with the latest 

patches and updates to increase your resistance to drive-by 

Web infections. Keep backups and recovery disks so you can 

unlock your computer in an emergency. And, of course, have 

effective, up-to-date security software. 

Think Before You Click. 

That unsolicited email from a known acquaintance, such as 

your mother or coworker, may not be legit. Their account 

may have been compromised, if they’ve fallen for a social 

engineering trick. 

Antivirus on Endpoints Is Not Enough. 

On endpoints (desktops/laptops), signature-based antivirus 

alone is not enough to protect against today’s threats and 

Web-based attack toolkits. Deploy and use a comprehensive 

endpoint security product that includes additional layers of 

protection, including: 

• Endpoint intrusion prevention that protects against 

unpatched vulnerabilities from being exploited, protects 

against social engineering attacks, and stops malware 

from ever making it onto endpoints; 

• Browser protection for protection against obfuscated Webbased 

attacks; 

• Heuristic file-based malware prevention to provide more 

intelligent protection against unknown threats; 

• File and Web-based reputation solutions that provide a 

risk-and-reputation rating of any application and website 

to prevent rapidly mutating and polymorphic malware; 

• Behavioral prevention capabilities that look at the 

behavior of applications and malware and prevent 

malware; 

• Application control settings that can prevent applications 

and browser plug-ins from downloading unauthorized 

malicious content; 

• Device control settings that prevent and limit the types of 

USB devices to be used.

p. 53 



LOOkINg ahEad

p. 54 



Looking ahead 

“Never make predictions,” said a wise man, “especially about the future.” But we can 

extrapolate from this year’s data to speculate on future trends in the hope that this will help 

organizations and individuals protect themselves more effectively. Looking ahead, here are 

our priorities and concerns for the coming year: 

More State-sponsored Cyber Attacks 

The last few years have seen increasingly sophisticated and 

widespread use of cyber attacks. In peacetime, they provide 

plausible deniability; in wartime, they could be an essential 

tool. Cyber attacks will continue to be an outlet where tensions 

between countries are played out. Moreover, in addition to 

state-sponsored attacks, non-state sponsored attacks, including 

attacks by nationalist activists against those whom they perceive 

to be acting against their country’s interest, will continue. 

Security companies and businesses need to be prepared for 

blowback and collateral damage from these attacks and, as 

ever, they need to make strenuous efforts to protect themselves 

against targeted attacks of all kinds. 

Sophisticated Attack Techniques Trickle Down 

Know-how used for industrial espionage or cyberwarfare will be 

reverse-engineered by criminal hackers for commercial gain. For 

example, the zero-day exploits used by the Elderwood Gang will 

be exploited by other malware authors. Similarly the “opensourcing” 

of malware toolkits such as Zeus (also known as Zbot), 

perhaps in an effort to throw law enforcement off the trail of the 

original authors, will make it easier for authors to create new 

malware. 

Websites Will Become More Dangerous 

Drive-by infections from websites will become even more 

common and even harder to block without advanced security 

software. Criminals will increasingly attack websites, using 

malvertising and website attack kits, as a means of infecting 

users. Software vendors will come under pressure to increase 

their efforts in fixing vulnerabilities promptly. Users and 

companies that employ them will need to be more proactive 

about maintaining their privacy and security in this new social 

media world. 

Social Media Will Be a Major Security Battleground 

Social media websites already combine elements of an 

operating system, a communications platform, and an 

advertising network. As they go mobile and add payment 

mechanisms, they will attract even more attention from online 

criminals with malware, phishing, spam, and scams. Traditional 

spam, phishing, and malware will hold steady or decline 

somewhat; however, social media attacks will grow enormously. 

As new social media tools emerge and become popular, criminals 

will target them. Further, we think that the intersection of 

smartphones and social media will become an important 

security battleground as criminals target teenagers, young 

adults, and other people who may be less guarded about their 

personal data and insufficiently security-minded to protect their 

devices and avoid scams. 

Attacks Against Cloud Providers Will Increase 

So far, the very big data breaches have occurred in businesses 

that collect a lot of personal data, such as healthcare providers, 

online retailers or games companies. In 2013 we expect to see a 

variety of attacks against cloud software providers. 

Increasingly Vicious Malware 

Malware has advanced from being predominantly about data 

theft and botnets (although both are still very common) through 

fake antivirus scams to increased ransomware attacks in 2012. 

We expect to see these attacks become harder to undo, more 

aggressive, and more professional over time. Once criminals 

see that they can get a high conversion rate from this kind of 

extortion, we may see other manifestations, such as malware 

that threatens to and then actually deletes the contents of 

your hard disk. This was the case of the Shamoon attacks that 

occurred in August and erased data from the infected computer. 

Essentially, if it is possible, someone will try it; if it is profitable, 

many people will do it.

p. 55 



Mobile Malware Comes of Age 

Just as social media is becoming the new “operating system” for 

computers, mobile phones and tablets are becoming the new 

hardware platform. Tablet adoption and smartphone market 

penetration will continue and this will attract criminals. What 

has evolved over a decade on PCs is emerging more rapidly on 

smartphones and tablets. We’ll see ransomware and drive-by 

website infections on these new platforms in the coming year. 

For businesses that use these new devices or allow employees 

to bring their own to work, this will present a serious security 

problem in 2013. 

Persistent Phishing 

Identities are valuable, so criminals will continue to try to steal 

them. Phishing attacks will continue to get smarter and more 

sophisticated. For example, we’ll see more perfect site replicas 

and SSL-encryption phishing sites. Phishing will become more 

regional and it will appear in a wider variety of languages, 

making it harder to block and more effective. It will continue 

its spread on social media websites where it will exploit the 

medium’s virality and trusted messaging.

p. 56 



Endnotes 

01 See http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136. 

02 See http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/. 

03 See http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf.f 

04 Aviation Week & Space Technology, October 22, 2012, 82. 

05 See http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf. 

06 The data for the data breaches that could lead to identity theft is procured from the Norton Cybercrime Index (CCI). The Norton CCI 

is a statistical model that measures the levels of threats including malicious software, fraud, identity theft, spam, phishing, and 

social engineering daily. Data for the CCI is primarily derived from Symantec Global Intelligence Network and for certain data from 

ID Analytics. The majority of the Norton CCI’s data comes from Symantec’s Global Intelligence Network, one of the industry’s most 

comprehensive sources of intelligence about online threats. The data breach section of the Norton CCI is derived from data breaches 

that have been reported by legitimate media sources and have exposed personal information, including name, address, Social 

Security numbers, credit card numbers, or medical history. Using publicly available data the Norton CCI determines the sectors that 

were most often affected by data breaches, as well as the most common causes of data loss. 

07 See http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf. 

08 See http://www.symantec.com/connect/blogs/shamoon-attacks. 

09 Internet Security Threat Report, April 2012, “Targeted Attacks,” 16. 

10 See http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf. 

11 See http://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid. 

12 See http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf. 

13 See http://www.symantec.com/connect/blogs/cost-cybercrime-2012. 

14 See http://www.symantec.com/connect/blogs/lizamoon-mass-sql-injection-tried-and-tested-formula. 

15 See http://www.symantec.com/connect/blogs/danger-malware-ahead-please-not-my-site. 

16 See http://www.securityweek.com/comodo-certificates-used-sign-banking-trojans-brazil. 

17 See http://blog.nielsen.com/nielsenwire/social/2012/. 

18 See http://www.symantec.com/connect/blogs/instaspam-instagram-users-receive-gift-card-spam. 

19 See http://www.gartner.com/it/page.jsp?id=2237315. 

20 See http://en.wikipedia.org/wiki/FinFisher and http://www.nytimes.com/2012/08/31/technology/finspy-software-is-trackingpolitical-dissidents.html?_r=1. 

21 See http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet. 

22 See http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet. 

23 See http://news.cnet.com/8301-1009_3-57470729-83/malware-went-undiscovered-for-weeks-on-google-play. 

24 See http://developer.android.com/about/dashboards/index.html. 

25 See http://www.gartner.com/it/page.jsp?id=2163616. 

26 See http://www.wired.com/threatlevel/2011/06/dropbox/. 

27 For more advice about cloud adoption, see https://www4.symantec.com/mktginfo/. 

28 In the United States, for example, the NTSB reports that 472 people died in aircraft accidents in 2010 compared with 32,885 in 

highway accidents. See http://www.ntsb.gov/data/index.html. 

29 See http://www.symantec.com/about/news/release/article.jsp?prid=20120905_02. 

30 See http://www.npr.org/blogs/money/2013/01/15/169424047/episode-430-black-market-pharmacies-and-the-spam-empire-behindthem. 

31 See http://www.symantec.com/security_response/writeup.jsp?docid=2012-041001-0020-99. 

32 See http://www.symantec.com/connect/blogs/flashback-cleanup-still-underway-approximately-140000-infections. 

33 See http://www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once. 

34 See http://krebsonsecurity.com/tag/planet-money/.

internet security tHreAt rePOrt 

APPenDiX 2013 

2012 Trends, Volume 18, Published April 2013

p. 58 



CONTENTS 

61 Appendix :: A 

Threat Activity Trends 

63 Malicious Activity by Source 

64 Malicious Activity by Source: Overall Rankings, 2011–2012 

65 Malicious Activity by Source: Malicious Code, 2011–2012 

65 Malicious Activity by Source: Spam Zombies, 2011–2012 

66 Malicious Activity by Source: Phishing Hosts, 2011–2012 

66 Malicious Activity by Source: Bots, 2011–2012 

67 Malicious Activity by Source: Web Attack Origins, 2011–2012 

67 Malicious Activity by Source: Network Attack Origins, 2011–2012 

69 Malicious Web-based Attack Prevalence 

69 Malicious Website Activity, 2011–2012 

71 Analysis of Malicious Web Activity 

by Attack Toolkits 

71 Malicious Website Activity: Attack Toolkit Trends, 2012 

72 Malicious Website Activity: 

Overall Frequency of Major Attack Toolkits, 2012 

73 Analysis of Web-based Spyware, Adware, 

and Potentially Unwanted Programs 

73 Potentially Unwanted Programs: 

Spyware and Adware Blocked, 2012 

75 Analysis of Web Policy Risks 

from Inappropriate Use 

75 Web Policies that Triggered Blocks, 2011–2012 

77 Analysis of Website Categories Exploited 

to Deliver Malicious Code 

77 Malicious Web Activity: 

Categories that Delivered Malicious Code, 2012 


Malicious Code by Number of Infections Per Site, 2012 

78 Malicious Web Activity: Fake Antivirus by Category, 2012 

79 Malicious Web Activity: Browser Exploits by Category, 2012 


Social Networking Attacks by Category, 2012 

81 Bot-infected Computers 

82 Table of Top 10 Bot Locations by Average Lifespan of Bot, 

2011–2012 

83 Analysis of Mobile Threats 

83 Android Mobile Threats: Newly Discovered Malicious Code, 

2011–2012 

84 Android Mobile Threats: Cumulative Number of Malware Families, 

2010–2012 

85 Mobile Threats: Malicious Code by Type, 2012 

85 Mobile Threats: Malicious Code by Type – Additional Detail, 2012 

86 Documented Mobile Vulnerabilities, 2012 

89 Data Breaches that Could Lead to Identity Theft 

90 Timeline of Data Breaches 

Showing Identities Breached in 2012, Global 


(Top 10 Sectors by Number of Data Breaches) 


(Top 10 Sectors by Number of Identities Exposed) 

91 Average Number of Identities Exposed Per Data Breach 

by Notable Sector 


by Number of Breaches 


by Number of Identitites Exposed 

93 Average Number of Identities Exposed Per Data Breach by Cause 

93 Type of Information Exposed in Deliberate Breaches 

94 Threat Activity Trends Endnotes

p. 59 



95 Appendix :: B 

Malicious Code Trends 

97 Top Malicious Code Families 

98 Overall Top Malicious Code Families, 2012 

99 Relative Volume of Reports of Top 10 Malicious Code Families 

in 2012 by Percentage 

99 Relative Proportion of Top 10 Malicious Code Blocked in Email 

Traffic by Symantec.cloud in 2012 by Percentage and Ratio 

100 Trend of Malicious Code Blocked in Email Traffic by Symantec.cloud 

– 2011 vs 2012 

100 Relative Proportion of Top 10 Malicious Code Blocked in Web 

Traffic by Symantec.cloud in 2012 by Percentage and Ratio 

102 Analysis of Malicious Code Activity by Geography, 

Industry Sector, and Company Size 

102 Proportion of Email Traffic Identified as Malicious, 

by Industry Sector, 2012 

103 Proportion of Email Traffic Identified as Malicious 

by Organization Size, 2012 

103 Proportion of Email Traffic Identified as Malicious 

by Geographic Location, 2012 

105 Propagation Mechanisms 

106 Propagation Mechanisms 

108 Industrial Espionage: Targeted Attacks 

and Advanced Persistent Threats (APTs) 

109 Average Number of Targeted Email Attacks Per Day, 2012 

111 Targeted Attacks by Company Size, 2012 

111 Targeted Attacks Against Job Function, 2012 

112 Breakdown of Document Types Being Attached 

to Targeted Attacks, 2012 

113 Analysis of Targeted Attacks by Top 10 Industry Sectors, 2012 

114 Malicious Code Trends Endnotes 

115 Appendix :: C 

Spam and Fraud Activity Trends 

117 Analysis of Spam Activity Trends 

117 Global Spam Volume in Circulation, 2012 

118 Proportion of Email Traffic Identified as Spam, 2011–2012 

119 Analysis of Spam Activity by Geography, 


119 Proportion of Email Traffic Identified as Spam 

by Industry Sector, 2012 





122 Analysis of Spam Delivered by Botnets 

122 Percentage of Spam Sent from Botnets in 2012 

123 Analysis of Spam-sending Botnet Activity, 2012 

124 Significant Spam Tactics 

124 Frequency of Spam Messages by Size, 2012 

125 Proportion of Spam Messages Containing URLs, 2012 

125 Analysis of Top-level Domains Used in Spam URLs, 2012 

126 Spam by Category 

127 Spam by Category, 2012 

128 Spam by Category, 2012 

129 Phishing Activity Trends 

129 Phishing Rates, 2011–2012 

130 Phishing Category Types, Top 200 Organizations, 2012 

130 Tactics of Phishing Distribution, 2012 

132 Analysis of Phishing Activity by Geography, 


132 Proportion of Email Traffic Identified as Phishing 

by Industry Sector, 2012

p. 60 







135 Spam and Fraud Activity Endnotes 

136 Appendix :: D 

Vulnerability Trends 

138 Total Number of Vulnerabilities 

139 Total Vulnerabilities Identified, 2006–2012 

139 New Vulnerabilities Month by Month, 2011 and 2012 

140 Most Frequently Attacked Vulnerabilities in 2012 

142 Zero-day Vulnerabilities 

142 Volume of Zero-day Vulnerabilities, 2006–2012 

143 Zero-day Vulnerabilities Identified in 2012 

144 Web Browser Vulnerabilities 

144 Browser Vulnerabilities, 2011 and 2012 

146 Web Browser Plug-in Vulnerabilities 

147 Browser Plug-in Vulnerabilities in 2011 and 2012 

148 Web Attack Toolkits 

149 SCADA Vulnerabilities 

150 Vulnerability Trends Endnotes 

151 Appendix :: E 

Government Threat Activity Trends 

153 Malicious Activity 

by Critical Infrastructure Sector 

153 Malicious Activity by Critical Infrastructure Sector 

154 Sources of Origin 

for Government-targeted Attacks 

154 Sources of Origin for Government-targeted Attacks 

156 Attacks by Type – 

Overall Government and Critical Infrastructure Organizations 

157 Attacks by Type – 

Notable Critical Infrastructure Sectors 

158 Government Threat Activity Endnotes 

159 About Symantec 

159 More Information

p. 61 



APPENDIX :: A 

ThREAT ACTIVITy 

TRENDS

p. 62 



ThREAT ACTIVITy TRENDS 

Threat Activity Trends 

The Symantec Global Internet Security Threat Report provides an analysis of threat activity, 

as well as other malicious activity, data breaches, and Web-based attacks that Symantec 

observed in 2012. The malicious activity discussed in this section not only includes threat 

activity, but also phishing, malicious code, spam zombies, bot-infected computers, and 

attack origins. 

Attacks are defined as any malicious activity carried out over a network that has been 

detected by an intrusion detection system (IDS) or firewall. Definitions for the other 

types of malicious activities can be found in their respective sections within this report. 

This section covers the following metrics and provides analysis and discussion of the trends indicated by the data: 

• Malicious Activity by Source 

• Malicious Web-based Attack Prevalence 

• Analysis of Malicious Web Activity by Attack Toolkits 

• Analysis of Web-based Spyware, Adware, and Potentially Unwanted Programs 

• Analysis of Web Policy Risks from Inappropriate Use 

• Analysis of Website Categories Exploited to Deliver Malicious Code 

• Bot-infected Computers 

• Analysis of Mobile Threats 

• Data Breaches that Could Lead to Identity Theft

p. 63 




Malicious Activity by Source 

Background 

Malicious activity usually affects computers that are connected 

to high-speed broadband Internet because these connections are 

attractive targets for attackers. Broadband connections provide 

larger bandwidth capacities than other connection types, 

faster speeds, the potential of constantly connected systems, 

and a typically more stable connection. Symantec categorizes 

malicious activities as follows: 

Malicious code: This includes programs such as viruses, 

worms, and Trojans that are covertly inserted into programs. 

The purposes of malicious code include destroying data, 

running destructive or intrusive programs, stealing sensitive 

information, or compromising the security or integrity of a 

victim’s computer data. 

Spam zombies: These are remotely controlled, compromised 

systems specifically designed to send out large volumes of 

junk or unsolicited email messages. These email messages 

can be used to deliver malicious code and phishing attempts. 

Phishing hosts: A phishing host is a computer that provides 

website services in order to illegally gather sensitive user 

information while pretending that the attempt is from a 

trusted, well-known organization by presenting a website 

designed to mimic the site of a legitimate business. 

Bot-infected computers: Malicious programs have been 

used to compromise these computers to allow an attacker 

to control the targeted system remotely. Typically, a remote 

attacker controls a large number of compromised computers 

over a single, reliable channel in a botnet, which can then be 

used to launch coordinated attacks. 

Network attack origins: This measures the originating 

sources of attacks from the Internet. For example, attacks 

can target SQL protocols or buffer overflow vulnerabilities. 

Web-based attack origins: This measures attack sources 

that are delivered via the Web or through HTTP. Typically, 

legitimate websites are compromised and used to attack 

unsuspecting visitors. 

Methodology 

This metric assesses the sources from which the largest amount 

of malicious activity originates. To determine malicious activity 

by source, Symantec has compiled geographical data on 

numerous malicious activities, namely: malicious code reports, 

spam zombies, phishing hosts, bot-infected computers, network 

attack origins, and Web-based attack origins. The proportion 

of each activity originating in each source is then determined. 

The mean of the percentages of each malicious activity that 

originates in each source is calculated. This average determines 

the proportion of overall malicious activity that originates 

from the source in question and the rankings are determined 

by calculating the mean average of the proportion of these 

malicious activities that originated in each source.

p. 64 




Data 

Figure A.1. Malicious Activity by Source: Overall Rankings, 2011–2012 


Geography 

1 

4 

2012 

World Rank 

2012 

Overall 

Average 

8 6 5 

7 

10 

2011 

World Rank 

3 

2 

9 

2011 

Overall 

Average 

Change 

united states 1 22.7% 1 21.1% 1.6% 

china 2 11.0% 2 9.2% 1.8% 

india 3 6.5% 3 6.2% 0.3% 

Brazil 4 4.0% 4 4.1% -0.1% 

Germany 5 3.4% 5 3.9% -0.5% 

netherlands 6 2.7% 20 1.1% 1.6% 

italy 7 2.4% 9 2.7% -0.3% 

united Kingdom 8 2.4% 7 3.2% -0.8% 

taiwan 9 2.3% 8 3.0% -0.7% 

russia 10 2.2% 6 3.2% -1.0%

p. 65 




Figure A.2. Malicious Activity by Source: Malicious Code, 2011–2012 


Geography 

Figure A.3. Malicious Activity by Source: Spam Zombies, 2011–2012 


Geography 

2012 

Malicious 

Code Rank 

2012 

Spam 

Zombies Rank 

2012 

Malicious 

Code % 

2012 

Spam 

Zombies % 

2011 

Malicious 

Code Rank 

2011 

Spam 

Zombies Rank 

2011 

Malicious 

Code % 

2011 

Spam 

Zombies % 

Change 

united states 1 17.2% 2 13.3% 3.9% 

india 2 16.2% 1 15.3% 0.9% 

china 3 6.1% 4 5.1% 0.9% 

indonesia 4 3.9% 3 8.0% -4.1% 

Japan 5 3.4% 11 2.2% 1.2% 

Vietnam 6 3.0% 6 3.8% -0.8% 

Brazil 7 2.9% 8 2.8% 0.0% 


egypt 9 2.6% 7 3.4% -0.8% 

Germany 10 2.5% 15 1.5% 1.0% 

Change 

india 1 17.1% 1 17.5% -0.3% 

saudi Arabia 2 7.0% 19 1.5% 5.6% 

netherlands 3 6.5% 27 0.7% 5.8% 

Brazil 4 5.5% 5 6.0% -0.5% 

united states 5 4.2% 15 1.8% 2.4% 

spain 6 4.0% 21 1.4% 2.6% 

Argentina 7 3.8% 12 2.2% 1.6% 

Germany 8 3.6% 23 1.2% 2.4% 

china 9 3.1% 9 2.6% 0.5% 

russia 10 2.7% 3 7.8% -5.0%

p. 66 




Figure A.4. Malicious Activity by Source: Phishing hosts, 2011–2012 


Geography 

Figure A.5. Malicious Activity by Source: Bots, 2011–2012 


Geography 

2012 

Phishing 

Hosts Rank 

2012 

Bots Rank 

2012 

Phishing 

Hosts % 

2012 

Bots % 

2011 

Phishing 

Hosts Rank 

2011 

Bots Rank 

2011 

Phishing 

Hosts % 

2011 

Bots % 

Change 

united states 1 50.0% 1 48.5% 1.4% 

Germany 2 6.2% 2 6.8% -0.6% 

united Kingdom 3 3.9% 3 3.6% 0.2% 

Brazil 4 3.6% 8 2.3% 1.3% 

china 5 3.2% 5 3.1% 0.2% 

canada 6 2.9% 4 3.3% -0.4% 

France 7 2.7% 7 2.4% 0.3% 

russia 8 2.4% 9 2.3% 0.0% 

netherlands 9 2.3% 6 2.4% -0.1% 

Poland 10 1.6% 12 1.6% -0.1% 

Change 

united states 1 15.3% 1 12.6% 2.8% 

china 2 15.0% 6 6.6% 8.4% 

taiwan 3 7.9% 2 11.4% -3.5% 

Brazil 4 7.8% 3 8.9% -1.1% 

italy 5 7.6% 4 8.3% -0.7% 

Japan 6 4.6% 8 4.6% 0.0% 

Poland 7 4.4% 7 5.4% -1.0% 

Hungary 8 4.2% 9 4.3% -0.1% 

Germany 9 4.0% 5 7.0% -2.9% 

spain 10 3.2% 11 2.6% 0.6%

p. 67 




Figure A.6. Malicious Activity by Source: Web Attack Origins, 2011–2012 


Geography 

Figure A.7. Malicious Activity by Source: Network Attack Origins, 2011–2012 


Geography 

2012 Web 

Attacking 

Countries 

Rank 

2012 

Network 

Attacking 

Countries 

Rank 

2012 Web 

Attacking 

Countries % 

2012 

Network 

Attacking 

Countries % 

2011 Web 

Attacking 

Countries 

Rank 

2011 

Network 

Attacking 

Countries 

Rank 

2011 Web 

Attacking 

Countries % 

2011 

Network 

Attacking 

Countries % 

Change 

united states 1 34.4% 1 33.5% 0.9% 

china 2 9.4% 2 11.0% -1.6% 

Korea, south 3 3.0% 3 4.4% -1.4% 

Germany 4 2.6% 4 3.5% -0.9% 

netherlands 5 2.4% 8 2.0% 0.5% 

india 6 1.7% 14 1.0% 0.6% 

Japan 7 1.6% 6 2.2% -0.6% 

russia 8 1.5% 7 2.1% -0.6% 


Brazil 10 1.3% 11 1.3% 0.0% 

Change 

china 1 29.2% 1 26.9% 2.3% 

united states 2 14.9% 2 16.9% -1.9% 

russia 3 3.7% 5 3.4% 0.3% 


Brazil 5 3.0% 6 3.2% -0.2% 

netherlands 6 2.6% 21 0.8% 1.8% 

Japan 7 2.4% 8 2.5% 0.0% 

india 8 2.4% 11 2.0% 0.4% 

italy 9 2.4% 7 2.8% -0.4% 

France 10 2.3% 10 2.1% 0.2%

p. 68 




Commentary 

• In 2012, corresponding with their large Internet 

populations, the United States and China remained the 

top two sources overall for malicious activity: The overall 

average proportion of attacks originating from the United 

States in 2012 increased by 1.6 percentage points compared 

with 2011, while the same figure for China saw an increase 

by 1.8 percentage points compared with 2011. Malicious 

activity in the Netherlands also increased by 1.6 percentage 

points, resulting in the country being ranked in sixth 

position, compared with twentieth in 2011. 

• 29.2 percent of network attacks originated in China: China 

has the largest population of Internet users 1 in the Asia 

region, with its Internet population growing to 564 million 

in 2012. 

• 50.0 percent of phishing websites were hosted in the 

United States: In 2012, with approximately 275 million 

Internet users, the United States has the second largest 

population of Internet users in the world. 

• The United States was ranked in first position for the 

source of all activities except for spam zombies and network 

attacks, for which India was ranked in first position for 

spam zombies and China the latter. 

• 15.3 percent of bot activity originated in the United States: 

The United States was the main source of bot-infected 

computers, an increase of 2.8 percentage points compared 

with 2011. 

• 34.4 percent of Web-based attacks originated in the United 

States: Web-based attacks originating from the United 

States increased by 0.9 percentage points in 2012. 

• 17.1 percent of spam zombies were located in India, a 

decrease of 0.3 percentage points compared with 2011: 

The proportion of spam zombies located in the United 

States rose by 2.4 percentage points to 4.2 percent, resulting 

in the United States being ranked in fifth position in 2012, 

compared with fifteenth position in 2011. 

• 17.2 percent of all malicious code activities originated 

from the United States, an increase of 3.9 percentage 

points compared with 2011, overtaking India as the 

main source of malicious code activity in 2012: With 

16.2 percent of malicious activity originating in India, 

the country was ranked in second position. India has 

approximately 150 million Internet users, which is the 

third largest population of Internet users in the world.

p. 69 




Malicious Web-based Attack Prevalence 

Background 

The circumstances and implications of Web-based attacks vary 

widely. They may target specific businesses or organizations, 

or they may be widespread attacks of opportunity that exploit 

current events, zero-day vulnerabilities, or recently patched and 

publicized vulnerabilities that many users have yet to protect 

themselves against. While major attacks may have individual 

importance and often receive significant attention when they 

occur, examining overall Web-based attacks provides insight 

into the threat landscape and how attack patterns may be 

shifting. Analysis of the underlying trend can provide insight 

into potential shifts in Web-based attack usage and can assist 

in determining if attackers are more or less likely to employ 

Web-based attacks in the future. To see which vulnerabilities 

are being exploited by Web-based attacks, see Appendix D: 

Vulnerability Trends. 

Data 

Figure A.8. Malicious Website Activity, 2011–2012 


THOUSANDS 

400 

350 

300 

250 

200 

150 

100 

50 

0 

JUL 

AUG 

SEP 

OCT 

NOV 

DEC 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

Methodology 

This metric assesses changes to the prevalence of Web-based 

attack activity by comparing the overall volume of activity and 

the average number of attacks per day in each month during the 

current and previous reporting periods. 

JUL 

AUG 

SEP 

OCT 

NOV 

DEC 

2011 2012

p. 70 




Commentary 

• The average number of malicious websites blocked each 

day rose by approximately 30 percent for all of 2012 to an 

average of 247,350, compared with 190,370 in the second 

half of 2011. A rise in attacks at the beginning of the year 

contributed in large part to this increase. 

• The average number of websites blocked each day in the 

first half of 2012 compared with the second half of 2011, 

rose by 48 percent to an average of 281,283. 

• The average number of websites blocked each day in the 

second half of 2012 compared with the second half of 2011 

rose by 12 percent to an average of 213,417. 

• The peak rate of malicious activity was 339,078 blocks per 

day in March 2012, when the number of malicious blocks 

was 37 percent higher than the annual average. 

• The lowest rate of malicious activity was 125,384 blocks 

per day in December 2012, when the number of malicious 

blocks was 49 percent lower than the annual average. 

• Further analysis of malicious code activity may be found in 

Appendix B: Malicious Code Trends: Overall Top Malicious 

Code Families, 2012.

p. 71 




Analysis of Malicious Web Activity by Attack Toolkits 

Background 

The increasing pervasiveness of Web browser applications, 

along with increasingly common, easily exploited Web browser 

application security vulnerabilities, has resulted in the 

widespread growth of Web-based threats. Attackers wanting to 

take advantage of client-side vulnerabilities no longer need to 

actively compromise specific networks to gain access to those 

computers. These attacks work by infecting enterprise and 

consumers that visit mainstream websites hosting Web-attack 

toolkits, and silently infect them with a variety of malware. 

Symantec analyzes attack activity to determine which types 

of attacks and attack toolkits attackers are utilizing. This can 

provide insight into emerging Web attack trends and may 

indicate the types of attacks with which attackers are having 

the most success. 

Data 

Figure A.9. Malicious Website Activity: Attack Toolkit Trends, 2012 


90% 

80 

70 

60 

50 

40 

30 

20 

10 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

JUL 

AUG 

Methodology 

This metric assesses the top Web-based attack activity grouped 

by exploit “Web kit” families. These attacks originated from 

compromised legitimate sites and intentionally malicious sites 

set up to target Web users in 2012. To determine this, Symantec 

ranked attack activity by the number of associated incidents 

associated with each given Web kit. 

SEP 

OCT 

NOV 

DEC 

Others 

Blackhole 

Sakura 

Nuclear 

Redkit 

Phoenix

p. 72 




Figure A.10. Malicious Website Activity: Overall Frequency of Major Attack Toolkits, 2012 


45% 

40 

35 

30 

25 

20 

15 

10 

5 

0 

41 

BLACKHOLE 

Commentary 

22 

SAKURA 

10 

PHOENIX 

7 

REDKIT 

• Blackhole continues to be the most dominant Web attack kit 

in 2012, accounting for 40.7 percent of attacks blocked from 

Web attack toolkits, compared with 44.3 percent in 2011. 

The Sakura toolkit was ranked second, accounting for 22 

percent of attacks blocked and was not ranked in the top 

10 in 2011. 

• The Sakura Web attack kit was updated to version 1.1 in 

early 2012. And many of the more common attack toolkits 

were updated in 2012 to include exploits for the Java 

Runtime Environment, including CVE-2012-0507, CVE- 

2012-1723, and CVE-2012-4681. 

• The Blackhole kit was updated frequently and the code is 

highly obfuscated. It is often used to deploy ransomware 

and fake security software. 

3 

NUCLEAR 

17 

OTHERS

p. 73 




Analysis of Web-based Spyware, Adware, and Potentially Unwanted Programs 

Background 

One of the main goals of a drive-by Web-based installation is the 

deployment of malicious code, but often a compromised website 

is also used to install spyware or adware code. This is because 

the cybercriminals pushing the spyware and adware in this way 

are being paid a small fee for each installation. However, most 

adware vendors, such as those providing add-in toolbars for 

Web browsers, are not always aware how their code came to be 

installed on the users’ computers. The expectation is that it is 

with the permission of the end user, when this is typically not 

the case in a drive-by installation and may be in breach of the 

vendors’ terms and conditions of use. 

Data 

Figure A.11. Potentially Unwanted Programs: Spyware and Adware Blocked, 2012 

Source: Symantec.cloud 

Rank Top 10 Potentially Unwanted Programs % 

Methodology 

1 Application.DirectDownloader.A 94.2% 

2 spyware.PcAcme 1.5% 

3 Adware.Js.script.c 0.2% 

4 Application:Android/counterclank.A 0.2% 

5 Application.installcore.e 0.2% 

6 Adware:W32/cDn.A 0.2% 

7 Adware.solimba.c 0.2% 

8 spyware.Ardakey 0.2% 

9 Adware:Android/AirPush.A 0.2% 

10 spyware.Keylogger 0.1% 

This metric assesses the prevalence of Web-based spyware and 

adware activity by tracking the trend in the average number of 

spyware and adware related websites blocked each day by users 

of Symantec.cloud Web security services. Underlying trends 

observed in the sample data provide a reasonable representation 

of overall malicious Web-based activity trends.

p. 74 




Commentary 

• It is sometimes the case that potentially unwanted 

programs are legitimate programs that have been 

installed as part of a drive-by download and the installation 

is performed without the permission of the user. This is 

typically when the third party behind the installation 

is being rewarded for the number of installations of a 

particular program, irrespective of whether the user has 

granted permission and is often without the knowledge of 

the original vendor, and may be in breach of their affiliate 

terms and conditions. 

• The most frequently blocked installation of potentially 

unwanted programs in 2012 was for the DirectDownload 

software. 

• Similarly, Counterclank 2 was ranked fourth in 2012, and was 

one of two Android-based potentially unwanted programs 

blocked. Due to the combined behavior of the applications 

and negative feedback from users who installed the 

applications, Symantec attempted to have Counterclank 3 

removed from the Android Market in 2012, but Google 

replied quickly, informing us the applications met their 

Terms of Service and they will not be removed. We expect in 

the future there may be many similar situations where we 

will inform users about an application, but the application 

will remain in the Google Android Market. 

• In 2012, three of the top 10 potentially unwanted programs 

were classified as spyware, compared with two in 2011. 

• Figure A.11 accounts for approximately 19 percent of all 

spyware and adware blocked in 2012. The remainder was 

blocked using generic detection techniques.

p. 75 




Analysis of Web Policy Risks from Inappropriate Use 

Background 

Many organizations implement an acceptable usage policy 

to limit employees’ use of Internet resources to a subset of 

websites that have been approved for business use. This enables 

an organization to limit the level of risk that may arise from 

users visiting inappropriate or unacceptable websites, such as 

those containing sexual images and other potentially illegal 

or harmful content. Often there will be varying degrees of 

granularity imposed on such restrictions, with some rules being 

applied to groups of users or rules that only apply at certain 

times of the day; for example, an organization may wish to 

limit employees access to video sharing websites to only Friday 

lunchtime, but may also allow any member of the PR and 

marketing teams access at any time of the day. This enables 

an organization to implement and monitor its acceptable usage 

policy and reduce its exposure to certain risks that may also 

expose the organization to legal difficulties. 

Data 

Figure A.12. Web Policies that Triggered Blocks, 2011–2012 


Methodology 

Rank Top 10 Category 2012 2011 Change 

1 Advertisement and Pop-ups 31.8% 46.6% -14.8% 

2 social networking 24.1% 22.7% 1.4% 

3 streaming Media 9.0% 18.9% -9.9% 

4 chat 4.7% 3.2% 1.5% 

5 computing and internet 4.0%

p. 76 




Commentary 

• 31.8 percent of Web activity blocked through policy 

controls was related to advertisement and pop-ups. Webbased 

advertisements pose a potential risk though the use 

of “malvertisements,” or malicious advertisements. These 

may occur as the result of a legitimate online ad-provider 

being compromised and a banner ad being used to serve 

malware on an otherwise harmless website. 

• The second most frequently blocked traffic was categorized 

as social networking, accounting for 24.1 percent of 

policy-based filtering activity blocked, equivalent to 

approximately one in every four websites blocked. Many 

organizations allow access to social networking websites, 

but in some cases implement policies to only permit access 

at certain times of the day and block access at all other 

times. 

• Activity related to streaming media policies resulted in 9 

percent of policy-based filtering blocks in 2012. Streaming 

media is increasingly popular when there are major 

sporting events or high profile international news stories. 

This activity often results in an increased number of blocks, 

as businesses seek to preserve valuable bandwidth for other 

purposes. This rate is equivalent to one in every 11 websites 

blocked. The proportion of streaming media blocks made 

in 2012 was half of the 2011 figure, despite the London 

Olympics.

p. 77 




Analysis of Website Categories Exploited to Deliver Malicious Code 

Background 

As organizations seek to implement appropriate levels of control 

in order to minimize risk levels from uncontrolled Web access, it 

is important to understand the level of threat posed by certain 

classifications of websites and categories in order to provide 

better understanding of the types of legitimate websites that 

may be more susceptible to being compromised and potentially 

expose users to greater levels of risk. 

Web-based malware is increasingly more likely to be found on 

a legitimate website that has been compromised and used to 

host malicious content. It is therefore increasingly important 

that proactive security countermeasures are able to block 

such malware before it can reach a company’s network. This 

technique has also been employed in some targeted attacks, 

known as a “watering hole” attack, where the intended recipient 

is known to frequent a particular website and that website has 

been compromised. 

Data 

Figure A.13. Malicious Web Activity: Categories that Delivered Malicious Code, 2012 


Rank 

Top 10 Most Frequently Exploited 

Categories of Websites 

1 Business 7.7% 

2 Hacking 7.6% 

3 technology and telecommunication 5.7% 

4 Blogging 4.5% 

5 shopping 3.6% 

6 Known Malware Domain 2.6% 

7 Hosting 2.3% 

8 Automotive 1.9% 

9 Health 1.7% 

10 educational 1.7% 

Methodology 

This metric assesses the classification of malicious websites 

blocked by users of Norton Safe Web technology. 4 Data is 

collected anonymously from over 50 million computers 

worldwide, where customers voluntarily contribute to this 

technology, including Norton Community Watch. Norton 

Safe Web is processing more than two billion real-time rating 

requests each day, and monitoring over 12 million daily. 

Reputation ratings are being tracked for more than 25 million 

websites. 

This metric provides an indication of the levels of infection of 

legitimate websites that have been compromised or abused for 

malicious purposes. The malicious URLs identified by the Safe 

Web technology were classified by category using the Symantec 

Rulespace5 technology. RuleSpace proactively categorizes 

websites into more than 80 categories in 17 languages. 

% of Total Number of 

Infected Websites

p. 78 




Figure A.14. Malicious Web Activity: Malicious Code by Number of Infections Per Site, 2012 


Rank 

Top 10 Potentially Most 

Harmful Categories of 

Websites 

Average Number of 

Threats Found on Infected 

Website 

Major Threat Type 

Detected 

1 Pornography 4.4 trojans: 82% 

2 Placeholder 3.3 Pay Per click: 73% 

3 Plagiarism 3.2 Malware: 49% 

4 Automotive 3.1 Pay Per click: 66% 

5 Gore 3.0 Fake Antivirus: 74% 

6 Military 3.0 Malware: 53% 

7 Lifestyles 2.8 Fake Antivirus: 53% 

8 Automated Web Application 2.8 Malware: 100% 

9 Abortion 2.8 Malware: 79% 

10 Art and Museums 2.7 Fake Antivirus: 54% 

Figure A.15. Malicious Web Activity: Fake Antivirus by Category, 2012 


Rank 


Harmful Categories of 

Websites - Fake Antivlrus 

% of Threats Found 

Within Same Category 

1 religion 43% 4% 

2 sports 41% 5% 

3 shopping 39% 18% 

4 Health 34% 7% 

5 Business 29% 28% 

6 travel 29% 4% 

7 educational 22% 5% 

8 Blogging 20% 11% 

9 

technology and 

telecommunication 

15% 10% 

10 Hacking 9% 8% 

% of Fake Antivirus 

Attacks Found Within 

Top 10 Categories

p. 79 




Figure A.16. Malicious Web Activity: Browser Exploits by Category, 2012 


Rank 


Harmful Categories 

of Websites - Browser 

Exploits 

% of Threats Found 

Within Same Category 

1 Anonymizer 32% 8% 

2 Blogging 30% 61% 

3 Known Malware Domain 6% 7% 

4 Dynamic 4% 2% 

5 Hosting 4% 4% 

6 Hacking 2% 8% 

7 educational 2% 1% 

8 Business 1% 5% 

9 

technology and 

telecommunication 

1% 3% 

10 shopping 1% 1% 

Figure A.17. Malicious Web Activity: Social Networking Attacks by Category, 2012 


Rank 

Top 10 Potentially Most Harmful 

Categories of Websites - Social 

Networking 

1 Blogging 43% 

2 Hacking 14% 

3 Dynamic 11% 

4 Business 5% 

5 Hosting 4% 

% of Browser Exploits 

Found Within 

Top 10 Categories 

% Used to Deliver Social Networking 

Attacks

p. 80 




Commentary 

• Approximately 63 percent of websites used to distribute 

malware were identified as legitimate, compromised 

websites that could be classified, an increase of two 

percentage points compared with 2011. This figure excludes 

URLs that contained just an IP address and did not include 

general domain parking and pay-per-click websites. 

• 7.7 percent of malicious website activity was classified in 

the Blogging category. 

• Websites classified as pornography were found to host the 

greatest number of threats per site than other categories, 

with an average of 4.4 threats per website, the majority of 

which related to Trojans (82 percent). 

• Analysis of websites that were used to deliver drive-by fake 

antivirus attacks revealed that 4 percent of threats found 

on compromised religion sites were related to fake antivirus 

software. 43 percent of fake antivirus attacks were found on 

compromised religion sites. 28 percent of attacks found on 

compromised business sites were fake antivirus. 

• Analysis of websites that were used to deliver attacks using 

browser exploits revealed that 8 percent of threats found 

on compromised anonymizer sites were related to browser 

exploits. 32 percent of browser exploit attacks were found 

on compromised anonymizer sites. 59 percent of browser 

exploits were found on compromised blogging sites. 

• 43 percent of attacks used on social networking websites 

were related to malware hosted on compromised blogging 

sites. This is where a URL hyperlink for a compromised 

website is shared on a social network. Websites dedicated to 

the discussion of hacking accounted for 14 percent of social 

networking attacks. 

• The Hacking category is used to classify websites 

that promote or provide the means to practice illegal 

or unauthorized acts of computer crime or related 

programming skills. 

• The Dynamic category is used to classify websites that have 

been found to contain both appropriate and inappropriate 

user-generated content, such as social networking or 

blogging websites. Also, websites in which the page content 

changes based how the user is interacting with it 

(for example, an Internet search). 

• The Known Malware Domain category are sites that have 

no specific broad classification, but where the domain 

was found to either contain malware or take advantage of 

other exploits to deliver adware, spyware or malware. For 

example, underground websites that may be used to openly 

discuss and share malcode and related research. 

• The Placeholder category refers to any domain name that is 

registered, but may be for sale or has recently expired and 

is redirected to a domain parking page.

p. 81 




Bot-infected Computers 

Background 

Bot-infected computers, or bots, are programs that are covertly 

installed on a user’s machine in order to allow an attacker to 

control the targeted system remotely through a communication 

channel, such as Internet relay chat (IRC), P2P, or HTTP. These 

channels allow the remote attacker to control a large number 

of compromised computers over a single, reliable channel in a 

botnet, which can then be used to launch coordinated attacks. 

Bots allow for a wide range of functionality and most can be 

updated to assume new functionality by downloading new code 

and features. Attackers can use bots to perform a variety of 

tasks, such as setting up denial-of-service (DoS) attacks against 

an organization’s website, distributing spam and phishing 

attacks, distributing spyware and adware, propagating malicious 

code, and harvesting confidential information that may be used 

in identity theft from compromised computers—all of which 

can lead to serious financial and legal consequences. Attackers 

favor bot-infected computers with a decentralized C&C6 model 

because they are difficult to disable and allow the attackers to 

hide in plain sight among the massive amounts of unrelated 

traffic occurring over the same communication channels, such 

as P2P. Most importantly, botnet operations can be lucrative for 

their controllers because bots are also inexpensive and relatively 

easy to propagate. 

Methodology 

A bot-infected computer is considered active on a given day if 

it carries out at least one attack on that day. This does not have 

to be continuous; rather, a single such computer can be active 

on a number of different days. A distinct bot-infected computer 

is a distinct computer that was active at least once during the 

period. Of the bot-infected computer activities that Symantec 

tracks, they can be classified as actively attacking bots or bots 

that send out spam; for example, spam zombies. 

Distributed denial-of-service (DDoS) campaigns may not always 

be indicative of bot-infected computer activity, DDoS activity can 

occur without the use of bot-infected computers. For example, 

systems that participated in the high-profile DDoS Operation 

Payback attacks in 2010 and 2011 used publically available 

software such as Low Orbit Ion Cannon (LOIC) in a coordinated 

effort to disrupt many businesses, website operations. Users 

sympathetic to the Anonymous cause could voluntarily 

download the free tool from the Web and participate en masse in 

a coordinated DDoS campaign and required very little technical 

knowledge. 

The analysis reveals the average lifespan of a bot-infected 

computer for the highest populations of bot-infected computers. 

To be included on the list, the geography must account for at 

least 0.1 percent of the global bot population.

p. 82 




Data 

Figure A.18. Table of Top 10 Bot Locations by Average Lifespan of Bot, 2011–2012 


Rank - 

2012 

Geography 

Average Lifespan 

of Bot (Days) - 

2012 

% of World Bots - 

2012 

Average Lifespan 

of Bot (Days) - 

2011 

% of World Bots - 

2011 

1 romania 24 0.16% 29 0.14% 1 

2 Bulgaria 17 0.10% 14 0.13% 2 

3 united states 13 15.34% 13 12.56% 3 

4 indonesia 12 0.12% 10 0.14% 6 

5 israel 11 1.34% 5 1.64% 29 

6 egypt 10 0.11% 8 0.11% 14 

7 Korea, south 10 0.99% 12 0.99% 4 

8 Pakistan 10 0.12% 9 0.25% 10 

9 Philippines 10 0.16% 10 0.18% 6 

10 ukraine 10 0.15% 10 0.20% 6 

Commentary 

• Bots located in Romania were active for an average of 24 

days in 2012, compared with 29 days in 2011; 1 in 622 of 

bots were located in Romania, compared with 1 in 737 in 

2011. 

• It takes almost twice as long to identify and clean up a botinfected 

computer in Romania than in the United States, 

although the number of infections in the United States is 

on a magnitude of more than a hundred times greater than 

that of Romania. One factor contributing to this disparity 

may be a low level of user-awareness of the issues involved 

combined with the lower availability of remediation 

guidance and support tools in the Romanian language. 

• In the United States, which was home to 1 in 7 (15 percent) 

of global bot-infected computers, the average lifespan for a 

bot was 13 days, unchanged from 2011. 

• All other countries outside the top ten had a lifespan 

of 9 days or less. The overall average lifespan was 6 days. 

• Additionally, 68 percent of bots were controlled using 

HTTP-based command and control channels, compared 

with 65 percent in 2011. 

Rank - 2011

p. 83 




Analysis of Mobile Threats 

Background 

Since the first smartphone arrived in the hands of consumers, 

speculation about threats targeting these devices has abounded. 

While threats targeted early “smart” devices such as those based 

on Symbian and Palm OS in the past, none of these threats 

ever became widespread and many remained proof of concept. 

Recently, with the growing uptake in smartphones and tablets, 

and their increasing connectivity and capability, there has 

been a corresponding increase in attention, both from threat 

developers and security researchers. 

While the number of immediate threats to mobile devices 

remains relatively low in comparison to threats targeting PCs, 

there have been new developments in the field. And as malicious 

code for mobile begins to generate revenue for malware authors, 

there will be more threats created for these devices, especially as 

people increasingly use mobile devices for sensitive transactions 

such as online shopping and banking. 

As with desktop computers, the exploitation of a vulnerability 

can be a way for malicious code to be installed on a mobile device. 

Data 

Figure A.19. Android Mobile Threats: Newly Discovered Malicious Code, 2011–2012 


24 

22 

20 

18 

16 

14 

12 

10 

8 

6 

4 

2 

0 

JAN 

APR 

JUL 

OCT 

JAN 

APR 

Methodology 

In 2012, there was a significant number of vulnerabilities 

reported that affected mobile devices. Symantec documented 

415 vulnerabilities in mobile device operating systems in 2012, 

compared to 315 in 2011 and 163 in 2010; an increase of 32 

percent. 

Symantec tracks the number of threats discovered against 

mobile platforms by tracking malicious threats identified by 

Symantec’s own security products and confirmed vulnerabilities 

documented by mobile vendors. 

Currently, most malicious code for mobile devices consists of 

Trojans that pose as legitimate applications. These applications 

are uploaded to mobile application (“app”) marketplaces in the 

hope that users will download and install them, often trying to 

pass themselves off as legitimate apps or games. Attackers have 

also taken popular legitimate applications and added additional 

code to them. Symantec has classified the types of threats into a 

variety of categories based on their functionality. 

JUL 

OCT 

TREND 

2011 2012

p. 84 




Figure A.20. Android Mobile Threats: Cumulative Number of Malware Families, 2010–2012 


200 

180 

160 

140 

120 

100 

80 

60 

40 

20 

0 

JAN 

DEC JAN 

DEC 

2011 2012

p. 85 




Figure A.21. Mobile Threats: Malicious Code by Type, 2012 


Figure A.22. Mobile Threats: Malicious Code by Type – Additional Detail, 2012 


Steals Device Data 27 

Spies on User 

Sends Premium SMS 

Downloader 

Back Door 

Tracks Location 

Modifies Settings 

Spam 

Steals Media 

Elevates Privileges 

Banking Trojan 

SEO Poisoning 

Adware/Annoyance 

DDoS Utility 

Hacktool 

32% 

Steal Information 

25% 

Traditional Threats 

15% 

Track User 

3 

2 

2 

3 

2 

p. 86 




Figure A.23. Documented Mobile Vulnerabilities, 2012 


140 

120 

100 

80 

60 

40 

20 

0 

9 

JAN 

46 

FEB 

121 

MAR 

18 

APR 

MAY 

JUN 

JUL 

AUG 

Platform Documented Vulnerabilities % 

Apple iOs/iPhone/iPad 387 93.3% 

Android 13 3.1% 

BlackBerry 13 3.1% 

nokia 0 0% 

WebOs 0 0% 

Windows Mobile 2 0.5% 

TOTAL 415 

36 

23 

72 

1 

77 

SEP 

4 5 3 

OCT 

NOV 

DEC

p. 87 




The following are specific definitions of each subcategory: 

• Collects Device Data gathers information that is specific 

to the functionality of the device, such as IMEI, IMSI, 

operating system, and phone configuration data. 

• Spies on User intentionally gathers information from the 

device to keep monitor a user, such as phone logs and SMS 

messages, and sends them to a remote source. 

• Sends Premium SMS sends SMS messages to premium-rate 

numbers that are charged to the user’s mobile account. 

• Downloader can download other risks on to the 

compromised device. 

• Back door opens a back door on the compromised device, 

allowing attackers to perform arbitrary actions. 

• Tracks Location gathers GPS information from the device 

specifically to track the user’s location. 

• Modifies Settings changes configuration settings on the 

compromised device. 

• Spam sends spam email messages from the compromised 

device. 

• Steals Media sends media, such as pictures, to a remote 

source. 

• Elevates Privileges attempts to gain privileges beyond those 

laid out when installing the app bundled with the risk. 

• Banking Trojan monitors the device for banking 

transactions, gathering the sensitive details for further 

malicious actions. 

• SEO Poisoning periodically sends the phone’s browser to 

predetermined URLs in order to boost search rankings. 

• Adware/Annoyance contains mobile adware that uses 

techniques to place advertising in the device’s photo 

albums and calender entries, and may push messages to the 

notification bar. It may even replace the default ringtone 

with an ad. 

Apps with malicious intentions can present serious risks to 

users of mobile devices. These metrics show the different 

functions that these bad mobile apps performed during the 

year. The data was compiled by analyzing the key functionality 

of malicious mobile apps. Symantec has identified five primary 

mobile risk types: 

• Collect Data. Most common among bad mobile apps was the 

collection of data from the compromised device. This was 

typically done with the intent to carry out further malicious 

activities, in much the way an information-stealing Trojan 

might. This includes both device- and user-specific data, 

ranging from configuration data to banking details. This 

information can be used in a number of ways, but for the 

most part, it is fairly innocuous with IMEI 7 and IMSI 8 

numbers taken by attackers as a way to uniquely identify 

a device. More concerning is data gathered about the 

device software, such as operating system (OS) version or 

applications installed, to carry out further attacks (say, by 

exploiting a software vulnerability). Rarer, but of greatest 

concern is when user-specific data, such as banking 

details, is gathered in an attempt to make unauthorized 

transactions. While this category covers a broad range of 

data, the distinction between device and user data is given 

in more detail in the subcategories below. 

• Track User. The next most common purpose was to track a 

user’s personal behavior and actions. These risks take data 

specifically to spy on the individual using the phone. This 

is done by gathering up various communication data, such 

as SMS messages and phone call logs, and sending them to 

another computer or device. In some instances they may 

even record phone calls. In other cases these risks track GPS 

coordinates, essentially keeping tabs on the location of the 

device (and their user) at any given time. Gathering pictures 

taken with the phone also falls into this category. 

• Send Content. The third-largest group of risks is bad apps 

that send out content. These risks are different from the 

first two categories because their direct intent is to make 

money for the attacker. Most of these risks will send a text 

message to a premium SMS number, ultimately appearing 

on the mobile bill of the device’s owner. Also within this 

category are risks that can be used as email spam relays, 

controlled by the attackers and sending unwanted emails 

from addresses registered to the device. One threat in this 

category constantly sent HTTP requests in the hopes of 

bumping certain pages within search rankings. 

• Traditional Threats. The fourth group contains more 

traditional threats, such as back doors and downloaders. 

Attackers often port these types of risks from PCs to mobile 

devices. 

• Change Settings. Finally, there are a small number of risks 

that focus on making configuration changes. These types 

attempt to elevate privileges or simply modify various 

settings within the operating system. The goal for this 

final group seems to be to perform further actions on the 

compromised devices.

p. 88 




Commentary 

In 2012, Android users especially were potentially vulnerable to 

a wider variety of threats, predominantly due to the widespread 

popularity of the Android platform. However, very few of these 

threats have utilized vulnerabilities in the Android OS in order 

to spread. Rather, the threats tend to masquerade as legitimate 

apps and attempt to coerce the user into installing them. 

Exploits accounted for a minority of the infections, but there 

are certainly more of them for older platforms (for example, 

2.x.x), so a lot of these users were more vulnerable to malicious 

apps that carry these exploits and use then to obtain “root” 

super-user privileges (examples of threats that do this include 

Basebridge, Bmaster, Gonfu.D, Gmaster, and Zeahache). 

There are two important distinctions between older and newer 

Android versions regarding security features: 

• In response to feedback from users annoyed by advertising 

platforms that push notifications to the status bar, Google 

added a feature in 4.x to identify the app that generates a 

certain notification and even block that app from pushing 

notifications. 

• Owing to the rise of threats that silently send premium text 

messages (Opfake, Premiumtext, Positmob, Rufraud, etc.), 

Google added in 4.2 a feature to prompt the user to confirm 

sending such premium text messages (they compiled a 

list of ranges of short-code numbers for many countries). 

This can be very helpful in protecting most users, however 

Android 4.2 devices account only for 1.4 percent of users at 

the time of writing. 9 

We haven’t seen a large number of Android vulnerabilities in 

2012, and phone manufacturers pushed (over the air) updates 

for the more serious ones. The Android ecosystem makes it 

more challenging to keep everyone up to date. Google controls 

the official reference platform that works out of the box only 

on Nexus devices. From there each manufacturer modifies 

and releases its own platform updates, which are picked up by 

mobile network operators, which in turn also customize for their 

platforms. 

This makes it very difficult for any change coming from Google 

to be pushed out quickly to in-the-field devices. Any change to 

the platform requires thorough testing, which is performed by 

each manufacturer and operator, all adding to the time required 

to deploy to the end users. 

Having so many device models also multiplies the amount of 

resources all these companies have to allocate for each update, 

which may partly explain why these updates are infrequently 

released. Another factor is that the newest platforms are 

optimized for the latest, more powerful hardware, which could 

actually degrade the performance on older models if pushed 

out universally. Of course, some commentators argue that 

manufacturers and operators are not really motivated to release 

so many updates in order to encourage people to purchase 

the newer phones, but we cannot comment on this. For most 

exploits in the OS, Google quickly releases the fixes, but it still 

entails a long time for most users to receive the appropriate fix 

for their device from their network operators. 

Some exploits are not in the original OS itself, but in the custom 

modifications made by manufacturers, such as the recent 

Samsung exploit for Galaxy S2/S3, Note, etc. Although they were 

quick to fix it, the fix still had to propagate through network 

operators to reach users. In the event that a major vulnerability 

appeared that was being exploited in huge numbers of older 

versions of Android, we don’t think Google (or the phone 

manufacturers) would have any choice but to release an OTA 

patch for it. The question is would it reach all Android users and 

how long would it take? 

Tighter control from Google over the platform may resolve some 

of the “fragmentation” issues, but this could have a knock-on 

effect and in turn impact the relationship it has with the device 

manufacturers. And there is an argument about drawing a line 

and forcing a cut-off point for older Android users, but it is 

usually the manufacturers that determine this; they are the ones 

to say whether or not they will continue to upgrade a particular 

model to support a newer version of Android. As devices pass 

their end-of-life support period, they may still be usable and 

adequately functional, but they are unlikely to receive support 

from the manufacturers in terms of updates and patches. In 

general, Google would only have to win from having most users 

using up-to-date versions of Android, but with the current 

model, they may not have much say in the matter.

p. 89 




Data Breaches that Could Lead to Identity Theft 

Background 

Hacking continued to be the primary way data breaches occurred 

in 2012, in much the same way as it was in 2011. However, where 

politically motivated hacktivism in 2011 resulted in some of the 

biggest data breaches we’ve seen, such activity waned somewhat 

in 2012. This is most apparent when looking at the biggest 

caches of stolen identities. In 2011, there were five data breaches 

that netted hackers 10 million or more identities, the largest of 

which was a massive breach of 70 million identities. In contrast, 

2012 saw only one breach larger than 10 million identities. 

As a result the overall average size of breaches has dropped 

significantly, down from 1.1 million to 604,826 identities per 

breach. 

That’s not to say that the threat posed by data breaches has 

dropped in the last year. While the average size has declined, the 

medium number of identities stolen is up, and significantly at 

that. Where the median number of identities stolen was 2,400 

per breach in 2011, this number is up to 8,350 in 2012. That’s 

an increase of around 3.5 times. Using the median is a useful 

measure because it ignores the extremes, the rare events that 

resulted in large numbers of identities being exposed, and is 

more representative of the underlying trend. 

There were many high-profile hacking breaches last year that 

received lots of media attention for obvious reasons. Hacking 

can undermine institutional confidence in a company, and 

loss of personal data can result in damage to an organizations 

reputation. Despite the media hype around these breaches, 

hacking came in second to old-fashioned theft as the greatest 

source of data breaches last year according to the Norton 

Cybercrime Index data. 10 In the event of a data breach, many 

countries have existing data breach notification legislation 

that regulates the responsibilities of organizations conducting 

business after a data breach has occurred. 

Methodology 

The data for the data breaches that could lead to identity theft 

is procured from the Norton Cybercrime Index (CCI). The Norton 

CCI is a statistical model that measures the levels of threats, 

including malicious software, fraud, identity theft, spam, 

phishing, and social engineering daily. The majority of the 

Norton CCI’s data comes from Symantec’s Global Intelligence 

Network, one of the industry’s most comprehensive sources of 

intelligence about online threats. 11 The data breach section of 

the Norton CCI is derived from data breaches that have been 

reported by legitimate media sources and have exposed personal 

information, including name, address, Social Security numbers, 

credit card numbers, or medical history. Using publicly available 

data, the Norton CCI determines the sectors that were most 

often affected by data breaches, as well as the most common 

causes of data loss. 

The sector that experienced the loss along with the cause of loss 

that occurred is determined through analysis of the organization 

reporting the loss and the method that facilitated the loss. 

The data also reflects the severity of the breach by measuring 

the total number of identities exposed to attackers, using the 

same publicly available data. An identity is considered to be 

exposed if personal or financial data related to the identity 

is made available through the data breach. Data may include 

names, government-issued identification numbers, credit card 

information, home addresses, or email information. A data 

breach is considered deliberate when the cause of the breach is 

due to hacking, insider intervention, or fraud. A data breach is 

considered to be caused by hacking if data related to identity 

theft was exposed by attackers, external to an organization, 

gaining unauthorized access to computers or networks. (Hacking 

is an intentional act with the objective of stealing data that can 

be used for purposes of identity theft or other fraud.) 

It should be noted that some sectors may need to comply with 

more stringent reporting requirements for data breaches than 

others do. For instance, government organizations are more likely 

to report data breaches, either due to regulatory obligations or 

in conjunction with publicly accessible audits and performance 

reports. 12 Conversely, organizations that rely on consumer 

confidence may be less inclined to report such breaches for fear 

of negative consumer, industry, or market reaction. As a result, 

sectors that are not required or encouraged to report 

data breaches may be under-represented in this data set.

p. 90 




Figure A.24. Timeline of Data Breaches Showing Identities Breached in 2012, Global 

Source: Based on data provided by Norton Cyber Crime Index 

SUM OF IDENTITIES BREACHED (MILLIONS) 

35 

30 

25 

20 

15 

10 

5 

31 

JAN 

1 

FEB 

.1 

MAR 

3 

APR 

1 

MAY 

8 

JUN 

13 

JUL 

4 

AUG 

SEP 

12 

6 

OCT 

12 

NOV 

DEC 

INCIDENTS SUM 

Data and Commentary for Data Breaches that Could Lead to Identity Theft by Sector 

Figure A.25. Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Data Breaches) 


Education 

16% 

Healthcare 

36% 

Government 

13% 

9% Accounting 


6% Financial 


4% Telecommunications 

3% Computer Hardware 

3% Community and Non-profit 

2 

35 

30 

25 

20 

15 

10 

5 

NUMBER OF INCIDENTS 

• Healthcare and education 

sectors ranked top for 

number of data breaches, 

making up just over 

50 percent of all data 

breaches. However, retail 

and the government sectors 

represent more than half of 

the identities exposed. 

• This indicates that the 

sectors responsible for the 

most data breaches don’t 

necessarily result in the 

largest caches of stolen 

identities.

p. 91 




Figure A.25. Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Identities Exposed) 


Government 

24% 

Computer 

Hardware 

14% 

Retail 

27% 

10% Telecommunications 


7% Accounting 

3% Financial 

2% Healthcare 


2% Social Networking 

Figure A.26. Average Number of Identities Exposed Per Data Breach by Notable Sector 


Retail 

Telecom 

Accounting 

Government 

Social Networking 

Financial 

Computer Software 

Information Tech 

Hospitality 

Computer Hardware 

.1 

.6 

.5 

.4 

.3 

1.4 

1.2 

1.7 

3.1 

0 2 4 6 8 10 12 

MILLIONS 

12 

The largest 

number of identities 

exposed per breach 

in 2012 occurred 

in the retail sector, 

where one breach 

topped 10 million 

identities.

p. 92 




Data and Commentary for Data Breaches that Could Lead to Identity Theft by Cause 

Figure A.27. Data Breaches that Could Lead to Identity Theft by Number of Breaches 


Accidentally 

Made Public 

23% 

Hackers 

40% 

Theft or Loss 

of Computer 

or Drive 

23% 

8% Insider Theft 

6% Unknown 

0.6% Fraud 

Figure A.27. Data Breaches that Could Lead to Identity Theft by Number of Identitites Exposed 


Hackers 

79% 

Theft or Loss 

of Computer 

or Drive 

23% 

3% Accidentally Made Public 

1% Unknown 

0.3% Insider Theft 

Hackers were the top cause 

for data breaches: The most 

frequent cause of data breaches 

(across all sectors) that could 

facilitate identity theft in 2012 

was hacking attempts, which 

accounted for 40 percent of 

breaches that could lead to 

identities being exposed and 

this equated to approximately 

18.5 million identities exposed 

in total.

p. 93 




Figure A.28. Average Number of Identities Exposed Per Data Breach by Cause 


Theft or Loss of 

Computer or Drive 

Hackers 1,192,092 

Unknown 

Accidentally 

Made Public 

Insider Theft 

Fraud 

138,295 

77,028 

21,801 

p. 94 




Threat Activity Trends Endnotes 

01 Internet population and penetration rates in 2012 courtesy of Internet Word Stats http://www.internetworldstats.com. 


03 See http://www.symantec.com/connect/blogs/update-androidcounterclank. 

04 For more details about Norton Safe Web, please visit http://safeweb.norton.com/. 

05 For more details about Symantec Rulespace, please visit http://www.symantec.com/theme.jsp?themeid=rulespace. 

06 Command and control. 

07 International Mobile Equipment Identity. 

08 International Mobile Subscriber Identity. 

09 See http://developer.android.com/about/dashboards/index.html. 

10 See http://www.nortoncybercrimeindex.com/. 

11 See http://www.idanalytics.com/. 

12 For example, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) of California. For more on this act, please see 

http://www.privacyrights.org/fs/fs6a-facta.htm. Another example is the Health Insurance Portability and Accountability Act of 

1996. For more information see: http://www.cms.hhs.gov/HIP AAGenInfo/.

p. 95 



APPENDIX :: B 

MALICIOUS CODE 

TRENDS

p. 96 



MALICIOUS CODE TRENDS 

Malicious Code Trends 

Symantec collects malicious code information from our large global customer base through 

a series of opt-in anonymous telemetry programs, including Norton Community Watch, 

Symantec Digital Immune System, and Symantec Scan and Deliver technologies. Well over 

133 million clients, servers, and gateway systems actively contribute to these programs. New 

malicious code samples, as well as detection incidents from known malicious code types, are 

reported back to Symantec. These resources give Symantec’s analysts unparalleled sources 

of data with which to identify, analyze, and provide informed commentary on emerging 

trends in malicious code activity in the threat landscape. 

Reported incidents are considered potential infections if an infection could have occurred in 

the absence of security software to detect and eliminate the threat. 

In this section, the following malicious code trends are analyzed for 2012: 

• Top Malicious Code Families 

• Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size 

• Propagation Mechanisms 

• Industrial Espionage: Targeted Attacks and advanced Persistent Threats (APTs)

p. 97 




Top Malicious Code Families 

Background 

Malicious code threats are classified into four main types— 

backdoors, viruses, worms, and Trojans: 

• Backdoors allow an attacker to remotely access 

compromised computers. 

• Viruses propagate by infecting existing files on affected 

computers with malicious code. 

• Worms are malicious code threats that can replicate on 

infected computers or in a manner that facilitates them 

being copied to another computer (such as via USB storage 

devices). 

• Trojans are malicious code that users unwittingly install 

onto their computers, most commonly through either 

opening email attachments or downloading from the 

Internet. Trojans are often downloaded and installed by 

other malicious code as well. Trojan horse programs differ 

from worms and viruses in that they do not propagate 

themselves. 

Many malicious code threats have multiple features; for 

example, a backdoor will always be categorized in conjunction 

with another malicious code feature. Typically, backdoors are 

also Trojans; however, many worms and viruses also incorporate 

backdoor functionality. In addition, many malicious code 

samples can be classified as both worm and virus due to the way 

they propagate. One reason for this is that threat developers 

try to enable malicious code with multiple propagation vectors 

in order to increase their odds of successfully compromising 

computers in attacks. 

Symantec analyzes new and existing malicious code families 

to determine which threat types and attack vectors are being 

employed in the most prevalent threats. This information also 

allows system administrators and users to gain familiarity with 

threats that attackers may favor in their exploits. Insight into 

emerging threat development trends can help them to bolster 

security measures and mitigate future attacks. 

The endpoint is often the last line of defense and analysis; 

however, the endpoint can often be the first line of defense 

against attacks that spread using USB storage devices and 

insecure network connections. The threats found here can shed 

light on the wider nature of threats confronting businesses, 

especially from blended attacks and threats facing mobile 

workers. Attacks reaching the endpoint are likely to have already 

circumvented other layers of protection that may already be 

deployed, such as gateway or cloud-based filtering. 

Methodology 

A malicious code family is initially compromised up of a distinct 

malicious code sample. As variants to the sample are released, 

the family can grow to include multiple variants. Symantec 

determines the most prevalent malicious code families by 

collating and analyzing anonymous telemetry data gathered for 

the reporting period. 

Malicious code family rankings tend to be weighted towards fileinfecting 

threats due to their nature. These threats tend to infect 

large numbers of executable files in the hopes that they will 

spread or be shared out to other computers. This propagation 

approach increases their overall presence when looking at 

the total number of malicious files in the threat landscape. In 

contrast, a threat like a Trojan, which doesn’t use automatic 

propagation techniques, will not rank as highly. As a result, 

malicious code families that include file-infecting functionality 

are picked up by antivirus sensors more frequently and will rank 

higher in overall numbers. 

Overall, the top ten list of malicious code families accounted for 

41.2 percent of all potential infections blocked in 2012.

p. 98 




Figure B.1. Overall Top Malicious Code Families, 2012 


Rank Name Type 

1 W32.ramnit Virus/Worm 

2 W32.sality Virus/Worm 

3 W32.Downadup Worm/Backdoor 

Propagation 

Mechanisms 

executable files and 

removable drives 

executable files and 

removable drives 

P2P/ciFs/remote 

vulnerability 

4 W32.Virut Virus/Backdoor executables 

5 W32.sillyFDc Worm removable drives 

6 W32.Almanahe Virus/Worm 

7 W32.Mabezat Virus/Worm 

ciFs/mapped drives/ 

removable drives/ 

executables 

sMtP/ciFs/removable 

drives 

8 W32.chir Worm sMtP engine 

9 W32.changeup Worm 

10 W32.Xpaj Virus 

removable and mapped 

drives/file sharing 

programs/Microsoft 

vulnerability 

executables/removable, 

mapped, and network 

drives 

Impacts/Features 

infects various file types, including executable files, and 

copies itself to removable drives. it then relies on AutoPlay 

functionality to execute when the removable drive is accessed 

on other computers. 

uses polymorphism to evade detection. Once running on 

an infected computer, it infects executable files on local, 

removable, and shared network drives. it then connects to a 

P2P botnet, downloads and installs additional threats. the 

virus also disables installed security software. 

the worm disables security applications and Windows 

update functionality and allows remote access to the infected 

computer. exploits vulnerabilities to copy itself to shared 

network drives. it also connects to a P2P botnet and may 

download and install additional threats. 

infects various file types, including executable files, and 

copies itself to local, removable, and shared network drives. it 

also establishes a backdoor that may be used to download and 

install additional threats. 

Downloads additional threats and copies itself to removable 

drives. it then relies on AutoPlay functionality to execute when 

the removable drive is accessed on other computers. 

Disables security software by ending related processes. it also 

infects executable files and copies itself to local, removable, 

and shared network drives. the worm may also download and 

install additional threats. 

copies itself to local, removable, and shared network drives. 

infects executables and encrypts various file types. it may 

also use the infected computer to send spam email containing 

infected attachments. 

searches across the network and accesses files on other 

computers. However, due to a bug, these files are not modified 

in any way. 

the primary function of this threat is to download more 

malware on to the compromised computer. it is likely 

that the authors of the threat are associated with affiliate 

schemes that are attempting to generate money through the 

distribution of malware. 

infects .dll, .exe, .scr, and .sys files on the compromised 

computer. 

% 

Overall 

15.4% 

7.6% 

5.4% 

3.7% 

3.1% 

2.1% 

1.5% 

1.2% 

0.6% 

0.6%

p. 99 




Figure B.2. Relative Volume of Reports of Top 10 Malicious Code Families in 2012 by Percentage 


Others 

59% 

W32.Ramnit 

15% 

8% W32.Sality 

5% W32.Downadup 

4% W32.Virut 

3% W32.SillyFDC 

2% W32.Almanahe 

2% W32.Mabezat 

1% W32.Chir 

1% W32.Changeup 

1% W32.Xpaj 

Figure B.3. Relative Proportion of Top 10 Malicious Code Blocked in Email Traffic by Symantec.cloud in 2012 by Percentage and Ratio 


Rank Malware % of Email Malware Equivalent Ratio in Email 

1 exploit/spoofBBB 1.58% 1 in 63.4 

2 trojan.Bredolab 1.46% 1 in 68.7 

3 eML/Worm.XX.dam 0.85% 1 in 117.5 

4 exploit/suspLink 0.78% 1 in 127.9 

5 exploit/LinkAliasPostcard-4733 0.66% 1 in 151.0 

6 W32/netsky.c-mm 0.58% 1 in 171.1 

7 trojan.sasfis.dam 0.53% 1 in 187.5 

8 exploit/Link-FakeAcHupdate 0.52% 1 in 190.7 

9 exploit/FakeAttach 0.51% 1 in 194.7 

10 W32/netsky.P-mm 0.51% 1 in 196.7

p. 100 




Figure B.4. Trend of Malicious Code Blocked in Email Traffic by Symantec.cloud – 2011 vs 2012 


1 in 50 

1 in 100 

1 in 150 

1 in 200 

1 in 250 

1 in 300 

1 in 350 

1 in 400 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

JUL 

AUG 

SEP 

OCT 

NOV 

DEC 

2011 2012 

Figure B.5. Relative Proportion of Top 10 Malicious Code Blocked in Web Traffic by Symantec.cloud In 2012 by Percentage and Ratio 


Rank Name % of Email Malware Equivalent Ratio in Email 

1 trojan.Js.iframe.AOX 10.6% 1 in 9.5 

2 trojan.iframe.Xi 7.1% 1 in 14.2 

3 infostealer.Gampass 5.2% 1 in 19.3 

4 Dropped:rootkit.49324 4.6% 1 in 21.6 

5 exploit.Link-Javascript-4cda 4.4% 1 in 22.9 

6 exploit.Link-Javascript-3f9f 4.0% 1 in 25.1 

7 suspicious.emit 3.3% 1 in 30.1 

8 trojan.script.12023 3.2% 1 in 31.5 

9 

Dropped:trojan.PWs. 

OnlineGames.KDVn 

3.1% 1 in 32.0 

10 W32.Almanahe.B 2.2% 1 in 46.3

p. 101 




Commentary 

• Ramnit again beats Sality to become the most prevalent 

malicious code family in 2012. Ranked first again in 2011, 

the top malicious code family by volume of potential 

infections in 2012 was Ramnit. 

Samples of the Ramnit family of malware were responsible 

for significantly more potential infections (15.4 percent) 

than the second ranked malicious code family in 2012, 

Sality (7.6 percent). 

First discovered in 2010, W32.Ramnit has been a prominent 

feature of the threat landscape since then, often switching 

places with Sality throughout the year as the two families 

jockey for first position. 

Ramnit spreads by encrypting and then appending itself 

to DLL, EXE, and HTML files. It can also spread by copying 

itself to the recycle bin on removable drives and creating 

an AUTORUN.INF file so that the malware is potentially 

automatically executed on other computers. This can occur 

when an infected USB device is attached to a computer. The 

reliable simplicity of spreading via USB devices and other 

media makes malicious code families such as Ramnit, and 

Sality (as well as SillyFDC and others) effective vehicles for 

installing additional malicious code on computers. 

• The Sality family of malware, ranked second, remains 

attractive to attackers because it uses polymorphic 

code that can hamper detection. Sality is also capable 

of disabling security services on affected computers. 

These two factors may lead to a higher rate of successful 

installations for attackers. Sality propagates by infecting 

executable files and copying itself to removable drives such 

as USB devices. Similar to Ramnit, Sality also relies on 

AUTORUN.INF functionality to potentially execute when 

those drives are accessed. 

• Downadup gains a bit of momentum: Downadup (a.k.a. 

Conficker) was ranked in third position in 2012, compared 

with 2011 when it was ranked fourth-most malicious code 

family by volume of potential infections in 2011. Downadup 

propagates by exploiting vulnerabilities in order to copy 

itself to network shares. Downadup was estimated to have 

infected slightly more than 2 million PCs worldwide at the 

end of 2012, 1 compared with approximately 3 million at the 

end of 2011. 

• Overall in 2012, 1 in 281.8 emails was identified as 

malicious, compared with 1 in 238.8 in 2011; 22.5 percent 

of email-borne malware comprised hyperlinks that 

referenced malicious code, in contrast with malware that 

was contained in an attachment to the email. This figure 

was 39.1 percent in 2010, an indication that cybercriminals 

are attempting to circumvent security countermeasures 

by changing the vector of attacks from purely email to the 

Web. 

• In 2012, 12.6 percent of malicious code detected was 

identified and blocked using generic detection technology. 

Many new viruses and Trojans are based on earlier versions, 

where code has been copied or altered to create a new strain, 

or variant. Often these variants are created using toolkits 

and hundreds of thousands of variants can be created from 

the same piece of malware. This has become a popular 

tactic to evade signature-based detection, as each variant 

would traditionally need its own signature to be correctly 

identified and blocked. By deploying techniques, such as 

heuristic analysis and generic detection, it’s possible to 

correctly identify and block several variants of the same 

malware families, as well as identify new forms of malicious 

code that seek to exploit certain vulnerabilities that can be 

identified generically. 

• Exploit/SpoofBBB was the most frequently blocked 

malware in email traffic by Symantec.cloud in 2012, with 

Trojan.Bredolab taking the second position. 

• Trojan.JS.Iframe.AOX was the most frequently blocked 

malicious activity in Web traffic filtered by Symantec.cloud 

in 2012. Detection for a malicious IFRAME is triggered in 

HTML files that contain hidden IFRAME elements with 

JavaScript code that attempts to perform malicious actions 

on the computer; for example, when visiting a malicious 

Web page, the code attempts to quietly direct the user to a 

malicious URL while the current page is loading. 

• Stuxnet in 2012: Despite being developed for a very specific 

type of target, the number of reports of potential Stuxnet 

infections observed by Symantec in 2012 placed the 

worm at a rank beyond 30 among malicious code families, 

compared with 18 in 2011. The Stuxnet worm generated 

a significant amount of attention in 2010 because it was 

the first malicious code designed specifically to attack 

Programmable Logic Controller (PLC) industry control 

systems. 2 Notably, Stuxnet was the first malicious code 

family that may directly affect the physical world and 

proves the feasibility for malicious code to cause potentially 

dramatic physical destruction.

p. 102 




Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size 

Background 

Malicious code activity trends can also reveal patterns that 

may be associated with particular geographical locations, or 

hotspots. This may be a consequence of social and political 

changes in the region, such as increased broadband penetration 

and increased competition in the marketplace that can drive 

down prices, increasing adoption rates. Of course, there may 

also be other factors at work, based on the local economic 

conditions that may present different risk factors. Similarly, the 

industry sector may also have an influence on an organization’s 

risk factor, where certain industries may be exposed to different 

levels of threat, by the nature of their business. 

Moreover, the size of an organization can also play a part in 

determining their exposure to risk. Small to medium-sized 

businesses (SMBs) may find themselves the target of a malicious 

attack by virtue of the relationships they have with other 

organizations; for example, a company may be subjected to 

an attack because they are a supplier to a larger organization 

and attackers may seek to take advantage of this relationship 

Data 

in forming the social engineering behind subsequent attacks 

to the main target, using the SMB as a springboard for these 

later attacks. SMBs are perceived to be a softer target because 

they are less likely to have the same levels of in-depth 

defenses as a larger organization, which is more likely to 

have greater budgetary expenditure applied to their security 

countermeasures. 

Methodology 

Figure B.6. Proportion of Email Traffic Identified as Malicious by Industry Sector, 2012 


Gov/Public Sector 

Education 

Finance 

Marketing/Media 

Accom/Catering 

Non-Profit 

Estate Agents 

Chem/Pharm 

Recreation 

Prof Services 

1 in 

400 

1 in 

350 

1 in 

300 

1 in 

250 

1 in 

200 

1 in 

150 

Analysis of malicious code activity based on geography, 

industry, and size are based on the telemetry analysis from 

Symantec.cloud clients for of threats detected and blocked 

against those organizations in email traffic during 2012. 

This analysis looks at the profile of organizations being 

subjected to malicious attacks, in contrast to the source of the 

attack. 

1 in 

100 

1 in 

50 

2011 2012

p. 103 




Figure B.7. Proportion of Email Traffic Identified as Malicious by Organization Size, 2012 


1-250 

251-500 

501-1000 

1001-1500 

1501-2500 

2501+ 

1 in 

450 

1 in 

405 

1 in 

360 

1 in 

315 

1 in 

270 

1 in 

225 

1 in 

180 

1 in 

135 

Figure B.8. Proportion of Email Traffic Identified as Malicious by Geographic Location, 2012 


Netherlands 

Luxenbourg 

United Kingdom 

South Africa 

Germany 

Australia 

Bahrain 

Austria 

Hungary 

Canada 

1 in 

400 

1 in 

350 

1 in 

300 

1 in 

250 

1 in 

200 

1 in 

150 

1 in 

90 

1 in 

45 

2011 2012 

1 in 

100 

1 in 

50 

2011 2012

p. 104 




Commentary 

• The rate of malicious attacks carried by email has increased 

for four of the top 10 geographies being targeted and 

decreased for the other six; malicious email threats fell in 

2011 for organizations in Luxembourg, United Kingdom, 

South Africa, Bahrain, Hungary, and Canada. 

• Businesses in the Netherlands were subjected to the highest 

average ratio of malicious email-borne email in 2012, with 

1 in 108.0 emails blocked as malicious, compared with 1 in 

266.8 in 2011. 

• Globally, organizations in the Government and Public sector 

were subjected to the highest level of malicious attacks in 

email traffic, with 1 in 72.2 emails blocked as malicious in 

2012, compared with 1 in 41.1 for 2011. 

• Malicious email threats have increased for all sizes of 

organizations, with 1 in 252.1 emails being blocked as 

malicious for large enterprises with more than 2,500 

employees in 2012, compared with 1 in 205.1 in 2011. 

• 1 in 299.2 emails were blocked as malicious for SMBs 

with between 1-250 employees in 2012, compared with 

1 in 267.9 in 2011

p. 105 




Propagation Mechanisms 

Background 

Worms and viruses use various means to spread from one 

computer to another. These means are collectively referred to as 

propagation mechanisms. Propagation mechanisms can include 

a number of different vectors, such as instant messaging (IM), 

Simple Mail Transfer Protocol (SMTP), Common Internet File 

System (CIFS), peer-to-peer file transfers (P2P), and remotely 

exploitable vulnerabilities. 3 Some malicious code may even use 

other malicious code as a propagation vector by locating 

a computer that has been compromised through a backdoor 

server and using it to upload and install itself. 

Methodology 

This metric assesses the prominence of propagation 

mechanisms used by malicious code. To determine this, 

Symantec analyzes the malicious code samples that propagate 

and ranks associated propagation mechanisms according to 

the related volumes of potential infections observed during the 

reporting period. 4

p. 106 




Data 

Figure B.9. Propagation Mechanisms 


Rank Propagation Mechanisms 

1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

EXECUTABLE FILE ShARING. the malicious code creates copies of itself or infects 

executable files. the files are distributed to other users, often by copying them to 

removable drives such as usB thumb drives and setting up an autorun routine. 

FILE TRANSFER, CIFS CIFS. this is a file sharing protocol that allows files and other 

resources on a computer to be shared with other computers across the internet. One 

or more directories on a computer can be shared to allow other computers to access 

the files within. Malicious code creates copies of itself on shared directories to affect 

other users who have access to the share. 

REMOTELy EXPLOITABLE VULNERABILITy. the malicious code exploits a 

vulnerability that allows it to copy itself to or infect another computer. 

FILE TRANSFER, EMAIL ATTAChMENT. the malicious code sends spam email that 

contains a copy of the malicious code. should a recipient of the spam open the 

attachment, the malicious code will run and their computer may be compromised. 

FILE TRANSFER, P2P. the malicious code copies itself to folders on an infected 

computer that are associated with P2P file sharing applications. When the 

application runs, the malicious file will be shared with other users on the same P2P 

network. 

FILE TRANSFER, NON-EXECUTABLE FILE ShARING. the malicious code infects nonexecutable 

files. 

FILE TRANSFER, hTTP, EMBEDDED URL, INSTANT MESSENGER. the malicious code 

sends or modifies instant messages with an embedded uri that, when clicked by the 

recipient, will launch an attack and install a copy of the malicious code. 

SQL. the malicious code accesses sQL servers, by exploiting a latent sQL 

vulnerability or by trying default or guessable administrator passwords, and copies 

itself to the server. 

FILE TRANSFER, INSTANT MESSENGER. the malicious code sends or modifies 

instant messages that contain a copy of the malicious code. should a recipient of the 

spam open the attachment, the malicious code will run and their computer may be 

compromised. 

FILE TRANSFER, hTTP, EMBEDDED URI, EMAIL MESSAGE BODy. the malicious code 

sends spam email containing a malicious uri that, when clicked by the recipient, will 

launch an attack and install a copy of the malicious code. 

2012 

Percentage 

Change 

71% -5% 76% 

33% -10% 43% 

26% -2% 28% 

8% -6% 14% 

4% -3% 7% 

3% +1% 2% 

3% +2% 1% 

1% -0% 1% 

1% -4% 5% 

p. 107 




Commentary 

As malicious code continues to become more sophisticated, 

many threats employ multiple mechanisms. 

• Executable file sharing activity decreases: In 2012, 71 

percent of malicious code propagated as executables, 

a decrease from 76 percent in 2011. This propagation 

mechanism is typically employed by viruses and some 

worms to infect files on removable media. For example, 

variants of Ramnit and Sality use this mechanism, and both 

families of malware were significant contributing factors in 

this metric, as they were ranked as the two most common 

potential infections blocked in 2012. 

• Remotely exploitable vulnerabilities decrease: The 

percentage of malicious code that propagated through 

remotely exploitable vulnerabilities in 2012 at 26 percent 

was 2 percentage points lower than in 2011. Examples of 

attacks employing this mechanism also include Downadup, 

which gains a bit of momentum and is still a major 

contributing factor to the threat landscape, ranked third 

position in 2012. 

• File transfer using CIFS is in decline: The percentage of 

malicious code that propagated through CIFS file transfer 

fell by 10 percentage points between 2011 and 2012, a 

deeper decline than the one seen in 2011. Fewer attacks 

exploited CIFS as an infection vector in 2012. 

• File transfer via email attachments continues to decline: It 

is worth noting the continued decline in the percentage of 

malicious code that propagated through email attachments 

for the fifth year running. Between 2011 and 2012, the 

proportion of malware using this mechanism fell by six 

percentage points. 

• While this propagation mechanism is still effective, it was 

expected that this downward trend would contine; however, 

the shift towards using malicious URLS that was observed 

in 2011 did not continue as expected into 2012.

p. 108 




Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs) 

Background 

With targeted attacks and advanced persistent threats being 

very much in the news in 2012, in this section we review 

targeted attacks and look more closely at what has been 

described as “advanced persistent threats” or APTs. Terms such 

as APT have been overused and sometimes misused, but APTs 

are a real threat to some companies and industries. 

As noted earlier in this section, overall in 2012, 1 in 281.8 

emails were identified as malicious, but approximately 0.2 

percent of those were highly targeted. This means that highly 

targeted attacks, which may be the precursor to an APT, account 

for approximately one in every two million emails, still a rare 

incident rate. However, targeted malware in general has grown 

in volume and complexity in recent years, but as it is designed 

to steal company secrets, it can be very difficult for recipients 

to recognize, especially when the attacker employs compelling 

social engineering techniques, as we highlight in this report. 

Targeted attacks have been around for a number of years now, 

and when they first surfaced back in 2005, Symantec.cloud 

identified and blocked approximately one attack each week. 

Over the course of the following year, this number rose to one 

or two per day, and over the following years it rose still further. 

The global average number of attacks per day in 2012 was 

116, compared with 82 in 2011 and 77 in 2010. We witnessed 

one large attack in April (see Figure B.10). Events like this are 

extremely rare, and this particular attack resulted in a large 

jump for that month. Without adjusting for this, the global 

average would be nearer to 143 per day with this company 

included. 

A highly targeted attack is typically the precursor to an APT, 

and the typical profile of a highly targeted attack will commonly 

exploit a maliciously crafted document or executable, which is 

emailed to a specific individual, or small group of individuals. 

These emails will be dressed up with a social engineering 

element to make it more interesting and relevant. 

The term “APT” has evolved to describe a unique category 

of targeted attacks that are specifically designed to target a 

particular individual or organization. APTs are designed to stay 

below the radar, and remain undetected for as long as possible, 

a characteristic that makes them especially effective, moving 

quietly and slowly in order to evade detection. Unlike the fastmoney 

schemes typical of more common targeted attacks, APTs 

may have international espionage and/or sabotage objectives. 

The objective of an APT may include military, political or 

economic intelligence gathering, confidential or trade secret 

threat, disruption of operations, or even the destruction of 

equipment. 

Another characteristic of an APT is that it will be part of a 

longer-term campaign and not follow the opportunistic “smashand-grab” 

approach typical of most malware in circulation today. 

Its purpose will be to remain undetected for as long as possible, 

perhaps using a variety of attacks over that period. If one attack 

fails, then a different approach—one more likely to succeed—will 

be taken in the weeks to come. If successful, an attacker can 

use the compromised systems as a beachhead for subsequent 

attacks. 

All of which illustrate how these attacks can be both advanced 

and persistent threats. They are advanced because of the 

methods employed to avoid detection, such as the use of 

zero-day exploits, and the means used to communicate with 

the command and control network; command and control 

instructions often involve encrypted traffic, typically sent in 

small bursts and disguised as normal network traffic. The key to 

ensuring that any stolen information can be exfiltrated without 

detection requires the attacker to avoid using easily detectable 

encryption, and to use common protocol channels that would 

not look out of place, but while making sure the data remains 

hidden. 

Furthermore, they can be described as persistent because 

the aim is to maintain a foothold within the compromised 

company’s infrastructure, and in order to achieve this, the 

attacker will use numerous methods. The attackers have a very 

clear and specific objective, they are well-funded and wellorganized, 

and without the right protection in place, these 

threats have both the capability and the intent to achieve their 

desired goals. 

Methodology 

Defining what is meant by targeted attacks and APT is 

important in order to better understand the nature of this 

mounting threat and to make sure that you have invested in the 

right kinds of defenses for your organization. 

The types of organizations being targeted are often thought to 

be large, well-known multi-national organizations, often within 

particular industries, including the public sector, defense, 

energy, and pharmaceutical. In more recent years the scope has 

widened to include almost any organization, including SMBs. 

But what do we really mean by targeted attacks and advanced 

persistent threats? 

An attack can be considered as targeted if it is intended for 

a specific person or organization, typically created to evade 

traditional security defenses and frequently using advanced

p. 109 




social engineering techniques. However, not all targeted attacks 

lead to an APT; for example, the Zeus banking Trojan can be 

targeted and will use social engineering in order to trick the 

recipient into activating the malware. But Zeus is not an APT. 

The attacker doesn’t necessarily care about who the individual 

recipient is; they may have been selected simply because the 

attacker is able to exploit information gathered about that 

individual, typically harvested through social networking 

websites. 

Social engineering has always been at the forefront of many of 

these more sophisticated types of attack. Without strong social 

engineering, or “head-hacking,” even the most technically 

sophisticated attacks are unlikely to succeed. Many socially 

engineered attacks are based on information harvested through 

social networking and social media websites. Once the attackers 

are able to understand their targets’ interests, hobbies, with 

whom they socialize, and who else may be in their networks, 

they are often able to construct more believable and convincing 

attacks. 

The data in this section is based on analysis of targeted email 

malware identified and blocked by Symantec.cloud on behalf of 

its customers in 2012. 

Figure B.10. Average Number of Targeted Email Attacks Per Day, 2012 


250 

200 

150 

100 

50 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

JUL 

AUG 

Data and Commentary 

Malware such as Stuxnet in 2010, Duqu in 2011, and Flamer 

and Disttrack in 2012 show increasing levels of sophistication 

and danger. For example, the Disttrack malware used in the 

Shamoon attacks on a Saudi oil firm had the ability to wipe hard 

drives. 5 

The same techniques used by cybercriminals for industrial 

espionage may also be used by states and state proxies for cyber 

attacks and political espionage. Sophisticated attacks may 

be reverse-engineered and copied so that the same or similar 

techniques can be used in less discriminate attacks. A further 

risk is that malware developed for cybersabotage may spread 

beyond its intended target and infect other computers in a kind 

of collateral damage. 

SEP 

OCT 

NOV 

DEC

p. 110 




Targeted attacks have become an established part of the threat 

landscape and safeguarding against them has become one of 

the main concerns of CISOs and IT managers. Targeted attacks 

are commonly used for the purposes of industrial espionage to 

gain access to the confidential information on a compromised 

computer system or network. They are fewer but potentially the 

most difficult attacks to defend against. It is difficult to attribute 

an attack to a specific group or a government without sufficient 

evidence. The motivation and the resources of the attacker 

sometimes hint to the possibility that the attacker could be 

state sponsored, but finding clear evidence is difficult. Attacks 

that could be state sponsored appear to be rare in comparison 

with regular cybercrime, though they have often gained 

more notoriety. They can be among the most sophisticated 

and damaging of these types of threats. Governments are 

undoubtedly devoting more resources to defensive and offensive 

cyberwarfare capabilities. In 2012, it was still unlikely that most 

businesses would encounter such an attack, and the greatest risk 

comes from the more prevalent targeted attacks that are created 

for the purposes of industrial espionage. Increasingly, SMBs are 

finding themselves on the frontline of these attacks as they have 

fewer resources to combat the threat and a successful attack here 

may subsequently be used as the springboard to further attacks 

against a larger organization to which they may be a supplier. 

To understand the nature of targeted attacks, Symantec collected 

data on over 55,000 attacks that could clearly be identified 

as targeted. These attacks were email-based and contained a 

malicious payload. 

We saw a 41.5 percent increase in targeted attacks with more 

attacks aimed at companies with fewer than 250 staff members. 

One possible explanation is that attackers have accelerated their 

use of small companies as a way to infiltrate larger organizations 

further up the supply chain. Attackers started using watering 

hole attacks, a technique where malware on infected third-party 

websites is used to target employees of companies who might 

visit those websites. 

The total number of attacks aimed at organizations with fewer 

than 2,500 employees is roughly equal to attacks aimed at 

organizations with greater than 2,500 employees. 

R&D, sales, C-level, and senior employees were the most targeted 

in the same order. 

Attackers want to capture the knowledge workers who have 

access to intellectual property (IP), but they don’t have to attack 

them directly to get the information they want. 

Too often organizations think that if they are not the target of a 

high profile attack, or if one attack has been blocked, that their 

troubles are over. However, our research shows that a targeted 

attack can go on for months. The attack will change over time, 

with new social engineering, new malware, and often leveraging 

multiple zero-day vulnerabilities. What our research does not 

show is attackers giving up after one attempt to breach an 

organization. 

The Characteristics of a Targeted Attack 

When comparing the number of targeted attacks directed at 

companies with 2,500 or more employees and companies with 

fewer than 2,500, we see an equal split. 

Thirty-five percent of all targeted attacks are targeted at 

companies with fewer than 500 employees, as illustrated in 

figure B.13. And despite the commonly held belief of small 

businesses that they would never be the victims of a targeted 

attack, 30.8 percent of all targeted attacks are directed at 

companies with up to 250 employees.

p. 111 




Figure B.11. Targeted Attacks by Company Size, 2012 


2,501+ 

50% 

1-250 

31% 

Figure B.12. Targeted Attacks Against Job Function, 2012 


Chief Exec. or Board Level 

PR and Marketing 

Personal Assistant 

Research and Development 

Human Resources 

Sales 

Senior Management 

Shared Mailbox 

info@, sales@, etc. 

5% 251-500 

3% 501-1,000 

2% 1,001-1,500 

9% 1,501-2,500 

2011 

2012 

% CHANGE 

-15% -10% -5 0 5 10 15 20 25 30%

p. 112 




While 55 percent of the mailboxes targeted for attack are 

high-level executives, senior managers and people in R&D, the 

majority of targets are people that are unlikely to have such 

information. Why then are they targeted? 

As we’ve said, they provide a stepping stone to the ultimate 

target. And in the case of personal assistants, sales and media 

(public relations), they work closely with people who are the 

ultimate target. But just as important, these people are also easy 

to find and research online: email addresses for public relations 

people, shared mailboxes, and recruiters are commonly found on 

a company’s website. 

Additionally, these people are used to being contacted by people 

they do not know. And in many cases part of the job requires 

them to open unsolicited files from strangers. Think of how 

many resumes a recruiter receives each day in a document or 

PDF file attachment. Finally, under the illusion that targeted 

attacks are only aimed at high-level executives or those working 

with the company’s intellectual property (IP), they are less 

likely to have their guard up against social engineering. 

In Figure B.16, we can see that malicious EXEs are largely 

used in targeted attacks (over one-third of attacks). However, 

malicious DOCs and PDFs are commonly used by attackers 

(44.4 percent of the attacks). 

Looking at the break out of targeted attacks by industry, 

Manufacturing was the most-targeted sector in 2012, with 24.3 

percent of targeted attacks destined for this sector, compared 

with 15 percent in 2011. Attacks against government and public 

sector organizations fell from 25 percent in 2011, when it was 

the most targeted sector, to 12 percent in 2012. It’s likely the 

frontline attacks are moving down the supply chain, particularly 

for small to SMBs. 

Conclusion 

Figure B.13. Breakdown of Document Types Being Attached to Targeted Attacks, 2012 


45% 

40 

35 

30 

25 

20 

15 

10 

5 

39% 

EXE 

34% 

DOC 

11% 

PDF 

5% 

XLS 

SCR 

BIN 

LNK 

Targeted attacks should be concern for all organization, large 

and small. While C-level executives and those that work with 

a company’s IP should be careful, everyone in an organization 

is at risk of being targeted. This is especially true of workers 

who in the course of their jobs typically receive email from 

people they don’t know. In the end, no matter the size or type 

of organization you have or your role in that organization, you 

are at risk and best practices must be followed to protect the 

organization. Don’t become the weakest link in the supply chain. 

2% 2% 2% 2% 1% 1% 

CHM 

DMP 

DLL

p. 113 




Figure B.14. Analysis of Targeted Attacks by Top 10 Industry Sectors, 2012 



Finance, Insurance 

and Real Estate 

19% 

Services - Non-Traditional 

17% 

Government 

Energy/Utilities 

Services - Professional 

Aerospace 

Retail 

Wholesale 

Transportation, 

Communications, 

Electric, Gas, and Sanitary 

2% 

2% 

2% 

1% 

8% 

10% 

12% 

5% 10% 15% 20% 25% 30%

p. 114 




Malicious Code Trends Endnotes 

01 See http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking#toc15. 


03 CIFS is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the 

Internet. One or more directories on a computer can be shared to allow other computers to access the files within. 

04 Because malicious code samples often use more than one mechanism to propagate, cumulative percentages may exceed 100 

percent. 

05 See http://www.symantec.com/connect/blogs/shamoon-attacks.

p. 115 



APPENDIX :: C 

SPAM AND FRAUD 

ACTIVITy TRENDS

p. 116 



SPAM AND FRAUD ACTIVITy TRENDS 

Spam and Fraud Activity Trends 

Phishing is an attempt by a third party to solicit confidential information from an individual, 

group, or organization by mimicking (or spoofing) a specific, usually well-known brand. 

Phishers attempt to trick users into disclosing personal data, such as credit card numbers, 

online banking credentials, and other sensitive information, which they can then use to 

commit fraudulent acts. Phishing generally requires victims to provide their credentials, 

often by duping them into filling out an online form. This is one of the characteristics that 

distinguish phishing from spam-based scams (such as the widely disseminated “419 scam” 1 

and other social engineering scams). 

Spam is usually defined as junk or unsolicited email sent by a third party. While it is certainly 

an annoyance to users and administrators, spam is also a serious security concern because 

it can be used to deliver Trojans, viruses, and phishing attacks. Spam can also include URLs 

that link to malicious sites that, without the user being aware of it, attack a user’s system 

upon visitation. Large volumes of spam could also cause a loss of service or degradation in 

the performance of network resources and email services. 

This section covers phishing and spam trends. It also discusses activities observed on underground economy servers because that is 

where much of the profit is made from phishing and spam attacks. 

• Analysis of Spam Activity Trends 

• Analysis of Spam Activity by Geography, Industry Sector, and Company Size 

• Analysis of Spam Delivered by Botnets 

• Significant Spam Tactics 

• Spam by Category 

• Phishing Activity Trends 

• Analysis of Phishing Activity by Geography, Industry Sector, and Company Size

p. 117 




Analysis of Spam Activity Trends 

Background 

This section discusses the patterns and trends relating to spam 

message volumes and the proportion of email traffic identified 

as spam during 2012 

Methodology 

The analysis for this section is based on global spam and overall 

email volumes for 2012. Global values are determined based on 

the statistically representative sample provided by Symantec’s 

Brightmail 2 operations and spam rates include spam blocked by 

Symantec.cloud. 


Figure c.1. Global Spam Volume in Circulation, 2012 


60 

50 

40 

30 

20 

10 

0 

JAN 

BILLIONS 

FEB 

MAR 

APR 

MAY 

JUN 

Grum Botnet 

Takedown reduced 

spam activity – 

July 15-17. 

JUL 

AUG 

SEP 

Spam dip seen due to 

quiet FESTI botnet in 

October, but active in 

early September. 

OCT 

NOV 

DEC 

There were approximately 

30 billion spam emails in 

circulation worldwide each day 

overall in 2012, compared with 

42.1 billion in 2011; a decrease 

of 28.6 percent in global spam 

volume.

p. 118 




Figure c.2. Proportion of Email Traffic Identified as Spam, 2011–2012 


90% 

80 

70 

60 

50 

40 

30 

20 

10 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

JUL 

AUG 

SEP 

OCT 

NOV 

DEC 

2011 2012 

Overall for 2012, 68.5 percent 

of email traffic was identified 

as spam, compared with 75.1 

percent in 2011; a decrease of 

6.6 percentage points.

p. 119 




Analysis of Spam Activity by Geography, Industry Sector, and Company Size 

Background 

Spam activity trends can also reveal patterns that may be 

associated with particular geographical locations or hotspots. 

This may be a consequence of social and political changes in the 

region, such as increased broadband penetration and increased 

competition in the marketplace that can drive down prices, 

increasing adoption rates. Of course, there may also be other 

factors at work based on the local economic conditions that may 

present different risk factors. Similarly, the industry sector may 

also have an influence on an organization’s risk factor, where 

certain industries may be exposed to different levels of threat 

based on the nature of their business. 


determining their exposure to risk. SMBs may find themselves 

Data 

Figure c.3. Proportion of Email Traffic Identified as Spam by Industry Sector, 2012 



Manufacturing 

Recreation 

Agriculture 

Chem/Pharm 

Building/Cons 

Telecoms 

IT Services 

Wholesale 

Professional Services 

the target of a spam attack because SMBs are perceived to be 

softer targets because they are less likely to have the same levels 

of security countermeasures as larger organizations, which are 

more likely to have greater budgetary expenditure applied to 

their anti-spam and security countermeasures. 

Methodology 

0 10 20 30 40 50 60 70 80 90% 

Analysis of spam activity based on geography, industry, and 

size is determined from the patterns of spam activity for 

Symantec.cloud clients for threats during 2012. 

2011 2012

p. 120 




Figure c.4. Proportion of Email Traffic Identified as Spam by Organization Size, 2012 


90% 

80 

70 

60 

50 

40 

30 

20 

15 

0.0 

1-250 

251-500 

501-1,000 

1,001-1,500 

1,501-2,500 

Figure c.5. Proportion of Email Traffic Identified as Spam by Geographic Location, 2012 


Saudi Arabia 

Bulgaria 

Chile 

Hungary 

China 

Sri Lanka 

Tanzania, United 

Republic of 

Qatar 

Brazil 

Oman 

2,501+ 

2011 2012 

10 20 30 40 50 60 70 80 90% 

2011 2012

p. 121 




Commentary 

• The spam rate has decreased across all top 10 geographies 

in 2012. The highest rate for spam is for organizations in 

Saudi Arabia, with an overall average spam rate of 79.1 

percent. In 2011, the highest rate was in Saudi Arabia, with 

an overall average spam rate of 80.9 percent. 

• The spam rate has decreased across all top 10 industry 

sectors in 2012. Organizations in the Marketing/Media 

sector were subjected to the highest spam rate of 69.3 

percent in 2012; in 2011, the automotive sector had the 

highest spam rate of 77.9 percent. 

• The spam rate has decreased for all sizes of organization in 

2012. 68.4 percent of emails sent to large enterprises with 

more than 2,500 employees in 2012 were identified as spam, 

compared with 75.2 percent in 2011. 

• 68.4 percent of emails sent to SMBs with up to 250 

employees in 2012 were identified as spam, compared with 

74.6 percent in 2011.

p. 122 




Analysis of Spam Delivered by Botnets 

Background 

This section discusses botnets and their use in the sending of 

spam. Like ballistics analysis in the real world can reveal the 

gun used to fire a bullet, botnets can similarly be identified 

by common features within the structure of email headers 

and corresponding patterns during the SMTP transactions. 3 

Spam emails are classified for further analysis according to the 

originating botnet during the SMTP transaction phase. This 

analysis only reviews botnets involved in sending spam and does 

not look at botnets used for other purposes, such as for financial 

fraud or DDoS attacks. 

Data 

Figure c.6. Percentage of Spam Sent from Botnets in 2012 


90% 

80 

70 

60 

50 

40 

30 

20 

10 

JAN 

FEB 

MAR 

APR 

MAY 

JUN 

JUL 

AUG 

Methodology 

Symantec.cloud spam honeypots collected between 5–10 

million spam emails each day during 2011. These are classified 

according to a series of heuristic rules applied to the SMTP 

conversation and the email header information. 

A variety of internal and external IP reputation lists are also 

used in order to classify known botnet traffic based on the 

source IP address of the sending machine. Information is shared 

with other security experts to ensure data is up to date and 

accurate. 

SEP 

OCT 

NOV 

TREND 

DEC

p. 123 




Figure c.7. Analysis of Spam-sending Botnet Activity, 2012 


Botnet Name % of Botnet Spam Est. Spam Per Day Top Sources of Spam from Botnet 

LetHic 43.4% 9,632,000,000 india (14%) Vietnam (6%) Poland (5%) 

cutWAiL 21.8% 4,838,000,000 india (15%) russia (6%) Brazil (6%) 

GruM 16.2% 3,585,000,000 india (18%) Vietnam (13%) Pakistan (10%) 

Festi 15.0% 3,331,000,000 saudi Arabia (39%) india (24%) turkey (12%) 

MAAZBen 1.3% 277,000,000 Brazil (12%) india (10%) united states (8%) 

GHeG 0.7% 149,000,000 indonesia (14%) india (12%) Vietnam (9%) 

KeLiHOs 0.6% 140,000,000 india (20%) Peru (14%) turkey (12%) 

XArVester 0.4% 90,000,000 uK (13%) italy (8%) india (7%) 

WALeDAc 0.2% 52,000,000 india (10%) Kazakhstan (5%) Brazil (5%) 

BAGLe 0.2% 48,000,000 united states (20%) china (18%) Brazil (10%) 

Commentary 

• In 2011, approximately 78.8 percent of all spam was 

distributed by spam-sending botnets, compared with 88.2 

percent in 2011, a decrease of 9.4 percentage points. This 

was in large part owing to the disruption of the Rustock 

botnet on 16 March 2011. By the end of 2011, this number 

rose to 81.2 percent. 

• In the 7 days prior to the disruption of the Rustock botnet, 

each day approximately 51.2 billion spam emails were in 

circulation worldwide. In the 7 days following, this number 

fell to 31.7 billion, a decrease of 38.0 percent in global spam 

volume. 

• The global spam rate during the 7 days prior to when 

the Rustock botnet ceasing spamming was 78.2 percent, 

compared with 70.0 percent in the 7 days after. 

• During the second half of 2011, the change in frequency of 

botnet spam being distributed from botnets became much 

more noticeable, as shown in figure C.6. Large spam runs 

often lasted for only two or three days and when the spam 

run ceased, the volume of botnet-spam fell considerably; 

however, when Rustock was in operation during 2010 and 

during the first quarter of 2011, it was almost continually 

sending spam at a fairly regular and steady rate.

p. 124 




Significant Spam Tactics 

Background 

This section discusses significant spam tactics used throughout 

2012, including the size of spam messages and the languages 

used in spam emails. 

Size of Spam Messages 

Figure c.8. Frequency of Spam Messages by Size, 2012 


60% 

50 

40 

30 

20 

10 

49% 

100 KB 

• In 2012, 49 percent of spam 

messages were less than 5 

KB in size. For spammers, 

smaller file sizes mean more 

messages can be sent using 

the same resources. 

• Increased sizes are often 

associated with malicious 

activity, where email 

attachments contain 

malicious executable code.

p. 125 




Proportion of Spam Messages Containing URLs 

Figure c.9. Proportion of Spam Messages Containing URLs, 2012 


100% 

90 

80 

70 

60 

50 

40 

30 

20 

10 

Top-level Domains (TLD) Identified in Spam URLs 

Figure c.10. Analysis of Top-level Domains Used in Spam URLs, 2012 


70% 

60 

50 

40 

30 

20 

10 

82 

JAN 

63% 

COM 

77 

FEB 

78 

MAR 

8% 

RU 

84 86 86 85 

APR 

MAY 

5% 7% 6% 

INFO 

JUN 

JUL 

NET 

91 

AUG 

82 

SEP 

ORG 

96 

OCT 

88 

NOV 

3% 

BR 

95 

TREND 

DEC 

In 2012, 85.3 percent of spam 

messages contained at least 

one URL hyperlink, compared 

with 86.2 percent in 2011, a 

decrease of 0.9 percentage 

points.

p. 126 




Spam by Category 

Background 

Spam is created in a variety of different styles and complexities. 

Some spam is plain text with a URL; some is cluttered with 

images and/or attachments. Some comes with very little in 

terms of text, perhaps only a URL. And, of course, spam is 

distributed in a variety of different languages. It is also common 

for spam to contain “Bayes poison” (random text added to 

messages that has been haphazardly scraped from websites to 

“pollute” the spam with words bearing no relation to the intent 

of the spam message itself). Bayes poison is used to thwart spam 

filters that typically try to deduce spam based on a database of 

words that are frequently repeated in spam messages. 

Any automated process to classify spam into categories would 

need to overcome this randomness issue. For example, the 

word “watch” may appear in the random text included in 

a pharmaceutical spam message, posing a challenge as to 

classifying the message as pharmaceutical spam or in the 

watches/jewelry category. Another challenge occurs when a 

pharmaceutical spam contains no obvious pharmaceuticalrelated 

words, but only an image and a URL. 

Spammers attempt to get their messages through to recipients 

without revealing too many clues that the message is spam. 

Clues found in the plain text content of the email can be 

examined using automated anti-spam techniques. A common 

way to overcome automated techniques is by using random text. 

An equally effective way is to include very little in the way of 

extra text in the spam, instead including a URL in the body of 

the message. 

Spam detection services often resist classifying spam into 

different categories because it is difficult to do (for the reasons 

above) and because the purpose of spam detection is to 

determine whether the message is spam and to block it, rather 

than to identify its subject matter. The most accurate way to 

overcome the ambiguity faced by using automated techniques 

to classify spam is to have someone classify unknown spam 

manually. While time-consuming, this process provides much 

more accurate results. An analyst can read the message, 

understand the context of the email, view images, follow URLs, 

and view websites in order to gather the bigger picture around 

the spam message. 

Methodology 

Once per month, several thousand random spam samples are 

collected and classified by Symantec.cloud using a combination 

of electronic and human analysis into one of the following 

categories: 

• Casino/Gambling 

• Degrees/Diplomas 

• Diet/Weight Loss 

• Jobs/Money Mules 

• Malware 

• Mobile Phones 

• Pharmaceutical 

• Phishing 

• Scams/Fraud/419s 

• Sexual/Dating 

• Software 

• Unknown/Other 

• Unsolicited Newsletters 

• Watches/Jewelry

p. 127 




Data 

Figure c.11. Spam by Category, 2012 


Category 2012 2011 Change 

Pharmaceutical 21.1% 39.6% -18.5% 

Watches/Jewelry 9.2% 18.6% -9.4% 

sexual/Dating 54.6% 14.7% 39.9% 

unsolicited newsletters 7.4% 10.1% -2.7% 

casino/Gambling 1.6% 7.9% -6.3% 

Diet/Weight Loss 1.0% 3.5% -2.5% 

Malware 1.9% 3.0% -1.1% 

unknown/Other 2.4% 2.8% -0.4% 

scams/Fraud/419s 0.4% 1.8% -1.4% 

software 2.1% 0.8% 1.3% 

Jobs/Money Mules 4.4% 0.5% 3.9% 

Degrees/Diplomas 0.3% 0.4% -0.1% 

Mobile Phones 0.6% 0.3% 0.4% 

Phishing 0.4% 0.3% 0.2%

p. 128 




Figure c.12. Spam by Category, 2012 


Pharmaceutical 

Watches/Jewelry 

Sexual/Dating 

Unsolicited Newsletters 

Casino/Gambling 

Diet/Weight Loss 

Malware 

Unknown/Other 

Scams/Fraud/419s 

Software 

Jobs/Money Mules 

Degrees/Diplomas 

Mobile Phones 

Phishing 

Commentary 

0 5 10 15 20 25 30 35 40 45 50 55 60% 

• Adult spam dominates this year, with more than half (54.6 

percent) of all spam in 2012 related to adult spam, an 

increase of 39.9 percentage points compared with 2011. 

These are often email messages inviting the recipient to 

connect to the scammer through instant messaging, or a 

URL hyperlink where they are then typically invited to a 

pay-per-view adult-content Web cam site. Often any IM 

conversation would be handled by a bot responder, or a 

person working in a low-pay, offshore call center. 

• The disruption of the Grum and Festi botnet in July and 

October 2012 respectively had a major impact on the 

decline in pharmaceutical spam products. 

• A category with a low percentage still means millions of 

spam messages. Although it is difficult to be certain what 

the true volume of spam in circulation is at any given time, 

Symantec estimates that approximately 30 billion spam 

2011 2012 

emails were sent globally each day in 2012. Where some of 

the categories listed earlier represent 0.4 percent of spam, 

this figure equates to more than 120 million spam emails in 

a single day. 

• Spam in the categories Watches/Jewelry, Casino/Gambling, 

Unsolicited Newsletters, and Scams/Fraud all decreased.

p. 129 




Phishing Activity Trends 

Background 

This section discusses the proportion of malicious email activity 

that is categorized as phishing attacks and looks more closely 

at emerging trends, particularly social engineering techniques 

and how attackers can automate the use of RSS news feeds to 

incorporate news and current affairs stories into their scams. 

Data 

Figure c.13. Phishing Rates, 2011–2012 

Source: 

0 

Symantec.cloud 

1 in 100 

1 in 200 

1 in 300 

1 in 400 

1 in 500 

1 in 600 

JAN 

APR 

JUL 

OCT 

JAN 

APR 

Methodology 

The data for this section is based on the analysis of email traffic 

collected from Symantec.cloud global honeypots and from the 

analysis of malicious and unwanted email traffic data collected 

from customers worldwide. The analysis of phishing trends 

is based on emails processed by Symantec.cloud Skeptic 4 

technology and analysis of phishing emails collected in spam 

honeypots. Symantec.cloud spam honeypots collected between 

2–5 million spam emails each day during 2012. 

JUL 

OCT 

2011 2012

p. 130 




Figure c.14. Phishing Category Types, Top 200 Organizations, 2012 


Financial 

69% 

Information 

Services 

27% 

Figure c.15. Tactics of Phishing Distribution, 2012 


Automated Toolkits 

54% 

Other Unique 

Domains 

39% 

5% Other 

Computer 

Software 

34% 

0.2% Government 

4% Free Web-hosting Sites 

3% IP Address Domains 

1% Typosquatting 

22% Communications 

20% Telecom 

12% Retail 

10% Entertainment

p. 131 




Commentary 

• Overall for 2012, 1 in 414.3 emails was identified and 

blocked as a phishing attack, compared with 1 in 298.9 in 

2011; an decrease of 0.09 percentage points. 

• 67.3 percent of phishing attacks in 2012 related to spoofed 

financial organizations, compared with 85.2 percent in 

2011. 

• Phishing attacks on organizations in the Information 

Services sector accounted for 27.2 percent of phishing 

attacks in 2012. 

• Phishing URLs spoofing banks attempt to steal a wide 

variety of information that can be used for identity theft 

and fraud. Attackers seek information such as names, 

government-issued identification numbers, bank account 

information, and credit card numbers. Cybercriminals are 

more focused on stealing financial information that can 

make them large amounts of money quickly versus goods 

that require a larger time investment, such as scams. 

• Phishing schemes continued to use major events to entice 

recipients: 

One scam featured references to increased numbers 

of Syrian refuges in southern Turkey as a result of the 

ongoing struggle in Syria, stating, “But you must assure 

me that you will use at least 50 percent of my wealth 

to help the Syrian refugees in Turkey. Turkish Disaster 

Management Agency (AFAD) said that the Syrian refugees 

in southern Turkey has risen to 101, 834. You must promise 

me that you will use 50 percent of my wealth to help the 

Syria people that are suffering in Turkey.” 

The Syrian conflict again featured in scams such as, “I am 

Sgt Douglas Miller Owen, a U.S Army being deployed from 

Afghanistan to Damascus, Syria on a 6 month mission 

before i finally return back home […] Out of the total fund 

my share was $12,000,000 (Twelve Million US Dollars)” 

The Libyan revolution and Arab Spring continued to be 

referenced in scams during 2012, including, “My name is 

Aisha daughter of Shukri Ghanem. We fled from Libya last 

year following the uprising against Col Muammar Gaddafi. 

[...] My father’s death is no longer news but my mother’s 

deteriorating health made me want to do this despite the 

fact that I barely know you.” 

• 53.7 percent of phishing attacks were conducted through 

the use of phishing toolkits.

p. 132 




Analysis of Phishing Activity by Geography, Industry Sector, and Company Size 

Background 

Phishing activity trends can also reveal patterns that may be 

associated with particular geographical locations or hotspots, 

for example, the industry sector may also have an influence on 

an organization’s risk factor, where certain industries may be 

exposed to different levels of threat because of the nature of 

their business. 


determining their exposure to risk. SMBs may find themselves 

the target of a spam attack because SMBs are perceived to be 

softer targets because they are less likely to have the same levels 

of in-depth defenses, while larger organizations are more likely 

to have greater budgetary expenditure applied to their antispam 

and security countermeasures. 

Methodology 

Figure c.16. Proportion of Email Traffic Identified as Phishing by Industry Sector, 2012 


Gov/Public Sector 

Finance 

Education 

Accom/Catering 


Non-Profit 

General Services 

Unknown 

Estate Agents 

Agriculture 

1 in 

500 

1 in 

450 

1 in 

400 

1 in 

350 

1 in 

300 

1 in 

250 

1 in 

200 

Analysis of phishing activity based on geography, industry, 

and size is determined from the patterns of spam activity for 

Symantec.cloud clients for threats during 2012. 

1 in 

150 

1 in 

100 

1 in 

50 

2011 2012

p. 133 




Figure c.17. Proportion of Email Traffic Identified as Phishing by Organization Size, 2012 


1 in 0 

1 in 100 

1 in 200 

1 in 300 

1 in 400 

1 in 500 

1 in 600 

1 in 700 

1 in 800 

1-250 

251-500 

501-1,000 

1,001-1,500 

1,501-2,500 

Figure c.18. Proportion of Email Traffic Identified as Phishing by Geographic Location, 2012 


Netherlands 

South Africa 

United Kingdom 

Denmark 

China 

Canada 

Australia 

Cook Islands 

Ireland 

Italy 

2,501+ 

2011 2012 

1 in 1,200 1 in 1,000 1 in 800 1 in 600 1 in 400 1 in 200 

2011 2012

p. 134 




Commentary 

• The phishing rate has significantly increased for six of 

the top 10 geographies in 2012. The highest average rate 

for phishing activity in 2012 was for organizations in the 

Netherlands, with an overall average phishing rate of 1 in 

123.1. In 2011, the highest rate was also for South Africa, 

with an overall average phishing rate of 1 in 96.3. 

• The phishing rate has decreased across nine of the top 10 

industry sectors in 2012, except for Finance. Organizations 

in the Government and Public Sector were subjected to the 

highest level of phishing activity in 2012, with 1 in 95.4 

emails identified and blocked as phishing attacks. In 2011 

the sector with the highest average phishing rate was also 

the Government and Public Sector, with a phishing rate of 1 

in 49.4. 

• The phishing rate has decreased for all sizes of organization 

in 2012. 1 in 346.0 emails sent to large enterprises with 

more than 2,500 employees in 2012 were identified and 

blocked as phishing attacks, compared with 1 in 250.5 in 

2011. 

• 1 in 293.8 emails sent to businesses with up to 250 

employees in 2012 were identified and blocked as phishing 

attacks, compared with 1 in 266.1 in 2011.

p. 135 




Spam and Fraud Activity Endnotes 

01 See http://www.symantec.com/connect/blogs/419-oldest-trick-book-and-yet-another-scam. 

02 See http://www.symantec.com/security_response/landing/spam/. 

03 Simple Mail Transfer Protocol. 

04 See http://www.symanteccloud.com/sv/se/globalthreats/learning_center/what_is_skeptic

p. 136 



APPENDIX :: D 

VULNERABILITy 

TRENDS

p. 137 



VULNERABILITy TRENDS 

Vulnerability Trends 

A vulnerability is a weakness that allows an attacker to compromise the availability, 

confidentiality, or integrity of a computer system. Vulnerabilities may be the result of a 

programming error or a flaw in the design that will affect security. Vulnerabilities can affect 

both software and hardware. It is important to stay abreast of new vulnerabilities being 

identified in the threat landscape because early detection and patching will minimize the 

chances of being exploited. 

This section covers selected vulnerability trends and provides analysis and discussion of the trends indicated by the data. 

The following metrics are discussed: 

• Total Number of Vulnerabilities 

• Zero-day Vulnerabilities 

• Web Browser Vulnerabilities 

• Web Browser Plug-in Vulnerabilities 

• Web Attack Toolkits

p. 138 




Total Number of Vulnerabilities 

Background 

The total number of vulnerabilities for 2012 is based on research 

from independent security experts and vendors of affected 

products. The yearly total also includes zero-day vulnerabilities 

that attackers uncovered and were subsequently identified 

post-exploitation. Calculating the total number of vulnerabilities 

provides insight into vulnerability research being conducted in 

the threat landscape. There are many motivations for conducting 

vulnerability research, including security, academic, promotional, 

software quality assurance, and, of course, the malicious 

motivations that drive attackers. Symantec gathers information 

on all of these vulnerabilities as part of its DeepSight 

vulnerability database and alerting services. Examining these 

trends also provides further insight into other topics discussed in 

this report. 

Discovering vulnerabilities can be advantageous to both sides 

of the security equation: legitimate researchers may learn 

how better to defend against attacks by analyzing the work of 

attackers who uncover vulnerabilities; conversely, cybercriminals 

can capitalize on the published work of legitimate researchers 

to advance their attack capabilities. The vast majority of 

vulnerabilities that are exploited by attack toolkits are publicly 

known by the time they are exploited. 

Methodology 

Information about vulnerabilities is made public through 

a number of sources. These include mailing lists, vendor 

advisories, and detection in the wild. Symantec gathers 

this information and analyzes various characteristics of 

the vulnerabilities, including technical information and 

ratings in order to determine the severity and impact of the 

vulnerabilities. This information is stored in the DeepSight 

vulnerability database, which houses over 52,795 distinct 

vulnerabilities spanning a period of over 20 years. As part of 

the data gathering process, Symantec scores the vulnerabilities 

according to version 2.0 of the community-based CVSS (Common 

Vulnerability Scoring System). 1 Symantec adopted version 2.0 of 

the scoring system in 2008. The total number of vulnerabilities 

is determined by counting all of the vulnerabilities published 

during the reporting period. All vulnerabilities are included, 

regardless of severity or whether or not the vendor who produced 

the vulnerable product confirmed them.

p. 139 




Data 

Figure D.1. Total Vulnerabilities Identified, 2006–2012 


6,000 

5,000 

4,000 

3,000 

2,000 

1,000 

Figure D.2. New Vulnerabilities Month by Month, 2011 and 2012 


600 

500 

400 

300 

200 

100 

JAN 

4,842 

2006 

FEB 

4,644 

2007 

MAR 

APR 

5,562 

2008 

MAY 

JUN 

4,814 

2009 

JUL 

6,253 

AUG 

2010 

SEP 

4,814 

2011 

OCT 

NOV 

5,291 

2012 

DEC 

2011 2012

p. 140 




Figure D.3. Most Frequently Attacked Vulnerabilities in 2012 


MILLIONS 

70 

60 

50 

40 

30 

20 

10 

62 

BID 31874 

BID Detail 

11 11 11 11 

BID 8234 

BID 10127 

BID 6005 

BID 8811 

BiD 31874 Microsoft Windows server service rPc Handling remote code execution Vulnerability 

BiD 8234 Microsoft Windows rPc service Denial of service Vulnerability 

BiD 10127 Microsoft Windows rPcss DcOM interface Denial of service Vulnerability 

BiD 6005 Microsoft Windows rPc service Denial of service Vulnerability 

BiD 8811 Microsoft Windows rPcss Multi-thread race condition Vulnerability 

Commentary 

• Actual number of new vulnerabilities reported is up, 

and trend is still upwards: The total number of new 

vulnerabilities reported in 2012 stood at 5,291. This figure 

works out to approximately 101 new vulnerabilities a 

week. Compared with the number from 2011, which was 

4,989, it represents an increase of 6 percent from that 

of 2011. We can see that the overall pattern is still on an 

upward trajectory. The number of vulnerabilities reported 

in January 2013 amounts to 503, which is more than the 

numbers reported in the same month last year. 

• The most often exploited vulnerabilities are not the 

newest: From observation of in-field telemetry, we can see 

that the most frequently used vulnerability in attacks is 

not the newest. Our data show that the most commonly 

attacked component by a wide margin is the Microsoft 

Windows RPC component. The attacks against this 

component are mostly using the Microsoft Windows Server 

Service RPC Handling Remote Code Execution Vulnerability 

(BID 31874 2 ). This vulnerability was first reported back in 

October 2008 and Symantec blocked 61.9 million attempts 

to exploit it in 2012. This figure represents 5.7 times the 

volume of the second most exploited vulnerability, the 

Microsoft Windows RPCSS DCOM Interface Denial of 

Service Vulnerability (BID 8234 3 ), from July 2003. 

• The next two most often used vulnerabilities are the 

Microsoft Windows RPCSS DCOM Interface Denial of

p. 141 




Service Vulnerability (BID 10127 4 ), dating from April 2004, 

and the Microsoft Windows RPC Service Denial of Service 

Vulnerability (BID 6005 5 ), from October 2002. 

• Finally, the fifth most exploited vulnerability is the 

Microsoft Windows RPCSS Multi-thread Race Condition 

Vulnerability (BID 8811 6 ), reported in October 2003. 

• All of the top five vulnerabilities are several years old 

with patches available: So why are they used so often even 

several years after patches are available? There could be 

several reasons why this is the case: 

• Trading of vulnerabilities 7 either through legitimate or 

clandestine channels has given exploitable vulnerabilities 

a significant monetary value. Because of the restricted 

information available on some of these new vulnerabilities, 

criminals may not be able to take advantage of them unless 

they are willing to pay the often substantial asking prices. 

If they are unable or unwilling to pay, they may resort to 

existing, widely available, tried-and-tested vulnerabilities 

to achieve their goals, even if it may potentially be less 

effective. 

• For those willing to pay, they will want to ensure maximum 

return on their investment. This could mean they will use it 

discretely and selectively rather than making a big splash 

and arousing the attention of security vendors and other 

criminal groups looking for new vulnerabilities to use. 

• Older vulnerabilities have a more established malware 

user base and so account for a greater amount of traffic. 

For example, widespread and well-established malware 

threats, such as W32.Downadup 8 and its variants, use the 

Microsoft Windows Server Service RPC Handling Remote 

Code Execution Vulnerability (BID 31874), which continues 

to register over 150,000 hits each day. Because these threats 

use vulnerabilities to spread in an automated fashion, the 

number of attacks they can launch would generally be far 

higher than for targeted attacks. 

• For various reasons, not all of the user population applies 

security patches quickly or at all. This means older 

vulnerabilities can often still be effective, even years after 

patches are available. Because of this, there will always a 

window of opportunity for criminals to exploit and they are 

all too aware of this. 

• File-based vulnerabilities: The most commonly exploited 

data file format is the PDF file format. One of the PDF 

related vulnerabilities, Adobe Acrobat, Adobe Reader, and 

Adobe Flash Player Remote Code Execution Vulnerability 

(BID 35759 9 ) registered as the fifth most often used 

vulnerability in 2011 with just over 1 million attacks 

reported. PDF files containing vulnerabilities are often 

associated with Advanced Persistent Threat (APT 10 ) style 

attacks, rather than self-replicating malware. However, 

in this particular case, the vulnerability in question was 

most often used in Web toolkit-based attacks. This attack 

scenario involves creating malicious websites to host 

exploit code. Users may then be tricked into visiting these 

malicious toolkit websites either by website redirection (for 

example, malicious IFRAMEs), SEO poisoning or by sending 

out spam emails, instant messages or social media updates 

with links to the malicious website. More information 

on Web browser vulnerabilities can be found later in this 

report. 

• One thing to note, websites hosting malicious toolkits often 

contain multiple exploits that can be tried against the 

visitor. In some cases, the kit will attempt to use all exploits 

at its disposal in a non-intelligent fashion whereas in more 

modern advanced kits, the website code will attempt to 

fingerprint the software installed on the computer before 

deciding which exploit(s) to send to maximize the success 

rate. The fact that there are so many Web-kit-based exploit 

attempts made using this old vulnerability may suggest that 

a considerable number of users have not updated their PDF 

readers to a non-vulnerable version.

p. 142 





Background 

A zero-day vulnerability is one that is reported to have been 

exploited in the wild before the vulnerability is public knowledge 

and prior to a patch being publicly available. The absence 

of a patch for a zero-day vulnerability presents a threat to 

organizations and consumers alike, because in many cases 

these threats can evade purely signature-based detection until a 

patch is released. The unexpected nature of zero-day threats is a 

serious concern, especially because they may be used in targeted 

attacks and in the propagation of malicious code. 

Data 

Figure D.4. Volume of Zero-day Vulnerabilities, 2006–2012 


20 

15 

10 

5 

13 

2006 

15 

2007 

9 

2008 

12 

2009 

14 

2010 

Methodology 

Zero-day vulnerabilities are a sub-set of the total number of 

vulnerabilities documented over the reporting period. A zeroday 

vulnerability is one that appears to have been exploited in 

the wild prior to being publicly known. It may not have been 

known to the affected vendor prior to exploitation and, at the 

time of the exploit activity, the vendor had not released a patch. 

The data for this section consists of the vulnerabilities that 

Symantec has identified that meet the above criteria. 

8 

2011 

14 

2012

p. 143 




Figure D.5. Zero-day Vulnerabilities Identified in 2012 


CVE Detail 

cVe-2012-0003 Microsoft Windows Media Player “winmm.dll” MiDi File Parsing remote Buffer Overflow Vulnerability 

cVe-2012-0056 Linux Kernel cVe-2012-0056 Local Privilege escalation Vulnerability 

cVe-2012-0507 Oracle Java se remote Java runtime environment code execution Vulnerability 

cVe-2012-0767 Adobe Flash Player cVe-2012-0767 cross site scripting Vulnerability 

cVe-2012-0779 Adobe Flash Player cVe-2012-0779 Object type confusion remote code execution Vulnerability 

cVe-2012-1535 Adobe Flash Player cVe-2012-1535 remote code execution Vulnerability 

cVe-2012-1856 Microsoft Windows common controls ActiveX control cVe-2012-1856 remote code execution Vulnerability 

cVe-2012-1875 Microsoft internet explorer cVe-2012-1875 same iD Property remote code execution Vulnerability 

cVe-2012-1889 Microsoft XML core services cVe-2012-1889 remote code execution Vulnerability 

cVe-2012-4792 Microsoft internet explorer “cDwnBindinfo” use-After-Free remote code execution Vulnerability 

cVe-2012-4969 Microsoft internet explorer image Arrays use-After-Free remote code execution Vulnerability 

cVe-2012-5076 Oracle Java se cVe-2012-5076 remote Java runtime environment Vulnerability 

cVe-MAP-nOMAtcH Parallels Plesk Panel unspecified remote security Vulnerability 

cVe-MAP-nOMAtcH Microsoft Windows Digital certificates spoofing Vulnerability 

Commentary 

• 2012 sees an increase in number of zero-day vulnerabilities 

compared to 2011. There was a 75 percent increase in 

vulnerabilities seen in 2012 compared with 2011. However, 

the number of vulnerabilities seen in 2012 was inflated due 

to Microsoft file-based vulnerabilities whereas Adobe basedvulnerabilities 

total up to three compared to four in 2011, 

when they topped the chart. 

• There were three zero-day browser vulnerabilities seen in 

2012, an increase of 2 from 2011. This corresponds with 

the dramatic increase in browser vulnerabilities compared 

to the total seen in 2011. With the trend moving into 

Web attacks, more and more browser vulnerabilities are 

leveraged by the attackers. 

• While the overall number of zero-day vulnerabilities is up, 

attacks using these vulnerabilities continue to be successful. 

Some of these vulnerabilities are leveraged in targeted 

attacks. Adobe Flash Player and Microsoft Windows ActiveX 

Control vulnerabilities are widely used in targeted attacks, 

and vulnerabilities in Microsoft technologies accounted for 

almost 50 percent of the zero-day vulnerabilities seen in 

2012. 

• Most of the attack scenarios are planned in such a way that 

an attacker crafts a malicious Web page to leverage the issue 

and uses email or other means to distribute the page and 

entices an unsuspecting user to view it. When the victim 

views the page, the attacker-supplied code is run.

p. 144 




Web Browser Vulnerabilities 

Background 

Web browsers are ever-present components for computing 

for both enterprise and individual users on desktop and on 

mobile devices. Web browser vulnerabilities are a serious 

security concern due to their role in online fraud and in the 

propagation of malicious code, spyware, and adware. In addition, 

Web browsers are exposed to a greater amount of potentially 

untrusted or hostile content than most other applications and 

are particularly targeted by multi-exploit attack kits. 

Web-based attacks can originate from malicious websites as 

well as from legitimate websites that have been compromised 

to serve malicious content. Some content, such as media files or 

documents are often presented in browsers via browser plugin 

technologies. While browser functionality is often extended 

by the inclusion of various plug-ins, the addition of plug-in 

components also results in a wider potential attack surface for 

client-side attacks. 

Data 

Figure D.6. Browser Vulnerabilities, 2011 and 2012 


600 

500 

400 

300 

200 

100 

APPLE SAFARI 

GOOGLE 

CHROME 

MICROSOFT 

INTERNET EXPLORER 

Methodology 

Browser vulnerabilities are a sub-set of the total number of 

vulnerabilities cataloged by Symantec throughout the year. To 

determine the number of vulnerabilities affecting browsers, 

Symantec considers all vulnerabilities that have been publicly 

reported, regardless of whether they have been confirmed by 

the vendor. While vendors do confirm the majority of browser 

vulnerabilities that are published, not all vulnerabilities may 

have been confirmed at the time of writing. Vulnerabilities that 

are not confirmed by a vendor may still pose a threat to browser 

users and are therefore included in this study. 

MOZILLA FIREFOX 

OPERA 

2011 2012 

This metric examines the total 

number of vulnerabilities 

affecting the following Web 

browsers: 

• Apple Safari 

• Google Chrome 

• Microsoft Internet Explorer 

• Mozilla Firefox 

• Opera

p. 145 




Commentary 

• All vulnerabilities dramatically increased in 2012, except 

Opera and Microsoft Internet Explorer, which saw a slight 

increase. 

• Chrome vulnerabilities increased dramatically in 2012 

(268). This could be due to the series of exploits developed 

to prove that Chrome is not unbreakable. After a spike in 

2010 (191), the documented vulnerabilities for Chrome 

browser dropped to 62 for 2011, which is a similar level 

as in previous years. Several bug bounty programs were 

organized in 2012, which has contributed to the exposure 

of a lot of Chrome vulnerabilities. 

• These five browsers combined had 891 reported 

vulnerabilities in total in 2012, which is a strong increase 

from 351 in 2011. This increase is due to dramatically 

increased vulnerabilities seen in Safari, Chrome, and 

Firefox.

p. 146 




Web Browser Plug-in Vulnerabilities 

Background 

This metric examines the number of vulnerabilities affecting 

plug-ins for Web browsers. Browser plug-ins are technologies 

that run inside the Web browser and extend its features, such 

as allowing additional multimedia content from Web pages 

to be rendered. Although this is often run inside the browser, 

some vendors have started to use sandbox containers to execute 

plug-ins in order to limit the potential harm of vulnerabilities. 

Unfortunately, Web browser plug-ins continue to be one of 

the most exploited vectors for Web-based attacks and drive-by 

downloads silently infecting consumer and enterprise users. 

Many browsers now include various plug-ins in their default 

installation and provide a framework to ease the installation 

of additional plug-ins. Plug-ins now provide much of the 

expected or desired functionality of Web browsers and are often 

required in order to use many commercial sites. Vulnerabilities 

affecting these plug-ins are an increasingly favored vector for 

a range of client-side attacks, and the exploits targeting these 

vulnerabilities are commonly included in attack kits. Web attack 

kits can exploit up to 25 different browser and browser plug-in 

vulnerabilities at one time and then have full access to download 

any malware to the endpoint system. 

Some plug-in technologies include automatic update 

mechanisms that aid in keeping software up to date, which may 

aid in limiting exposure to certain vulnerabilities. Enterprises 

that choose to disable these updating mechanisms, or continue 

to use vulnerable versions, will continue to put their enterprises 

at considerable risk to silent infection and exploitation. With 

the hundreds of millions of drive-by download attacks that 

Symantec identified in 2011, Web attacks continue to be a 

favorite infection vector for hackers and malware authors to 

breach enterprises and consumer systems. To help mitigate 

the risk, some browsers have started to check for the version of 

installed third-party plug-ins and inform the user if there are 

any updates available for install. Enterprises should also check 

if every browser plug-in is needed and consider removing or 

disabling potentially vulnerable software. 

Methodology 

Web browser plug-in vulnerabilities comprise a sub-set of 

the total number of vulnerabilities cataloged by Symantec 

over the reporting period. The vulnerabilities in this section 

cover the entire range of possible severity ratings and include 

vulnerabilities that are both unconfirmed and confirmed by the 

vendor of the affected product. Confirmed vulnerabilities consist 

of security issues that the vendor has publicly acknowledged, 

by either releasing an advisory or otherwise making a public 

statement to concur that the vulnerability exists. Unconfirmed 

vulnerabilities are vulnerabilities that are reported by third 

parties, usually security researchers, which have not been 

publicly confirmed by the vendor. That a vulnerability is 

unconfirmed does not mean that the vulnerability report is 

not legitimate, only that the vendor has not released a public 

statement to confirm the existence of the vulnerability.

p. 147 




Data 

Figure D.7. Browser Plug-in Vulnerabilities in 2011 and 2012 


120 

100 

80 

60 

40 

20 

ADOBE ACROBAT 

READER 

ADOBE 

FLASH 

ACTIVE X 

APPLE 

QUICKTIME 

Commentary 

• In 2012, 312 vulnerabilities affecting browser plug-ins were 

documented by Symantec, a very slight increase compared 

to 308 vulnerabilities affecting browser plug-ins in 2011. 

• ActiveX vulnerabilities increased in 2012, which may be due 

to the increase in Internet Explorer vulnerabilities. 

• Adobe Flash Player and Java vulnerabilities increased in 

2012. This trend was already visible in 2011 and grew again. 

This is also reflected in the vulnerability usage in attack 

toolkits, which have focused around Adobe Flash Player, 

Adobe PDF Reader, and Java in 2012. 

FIREFOX 

EXTENSION 

ORACLE 

SUN JAVA 

2011 2012 

Symantec identified the 

following plug-in technologies 

as having the most reported 

vulnerabilities in 2012: 

• Adobe Reader 

• Adobe Flash Player 

• Apple QuickTime 

• Microsoft ActiveX 

• Mozilla Firefox extensions 

• Oracle Sun Java Platform 

Standard Edition (Java SE)

p. 148 




Web Attack Toolkits 

Background 

Web attack toolkits are a collection of scripts, often PHP files, 

which are used to create malicious websites that will use 

Web exploits to infect visitors. There are a few dozen known 

families used in the wild. Many toolkits are traded or sold on 

underground forums for US$100-1,000. Some are actively 

developed and new vulnerabilities are added over time, such as 

the Blackhole and Eleonore toolkits, which both added exploits 

for a variety of vulnerabilities during 2012. 

Each new toolkit version released during the year was 

accompanied with increased malicious Web attack activity. 

As a new version emerges that incorporates new exploit 

functionality, we see an increased use of it in the wild, making 

as much use of the new exploits until potential victims have 

patched their systems. 

Since many toolkits often use the same exploits, it is often 

difficult to identify the specific attack toolkit behind each 

infection attempt. On average, an attack toolkit contains around 

10 different exploits, mostly focusing on browser independent 

plug-in vulnerabilities found in applications such as Adobe 

Flash Player, PDF viewers, and Java. In general, older exploits 

are not removed from the toolkits, since some systems may still 

be unpatched. This is perhaps why many of the toolkits still 

contain an exploit for the old Microsoft MDAC RDS.Dataspace 

ActiveX Control Remote Code Execution Vulnerability (BID 

17462) from 2006. The malicious script will test all possible 

exploits in sequence until one succeeds. This may magnify the 

attack numbers seen for older vulnerabilities, even if they were 

unsuccessful. 

For more information on Web attack toolkits, please read 

Appendix A: Threat Activity Trends: Analysis of Malicious Web 

Activity by Attack Toolkits.

p. 149 




SCADA Vulnerabilities 

Background 

This metric will examine the SCADA (Supervisory Control and 

Data Acquisition) security threat landscape. SCADA represents 

a wide range of protocols and technologies for monitoring 

and managing equipment and machinery in various sectors of 

critical infrastructure and industry. This includes—but is not 

limited to—power generation, manufacturing, oil and gas, water 

treatment, and waste management. Therefore, the security 

of SCADA technologies and protocols is a concern related to 

national security because the disruption of related services can 

result in the failure of infrastructure and potential loss of life, 

among other consequences. 

Methodology 

This discussion is based on data surrounding publicly known 

vulnerabilities affecting SCADA technologies. The purpose 

of the metric is to provide insight into the state of security 

research in relation to SCADA systems. To a lesser degree, this 

may provide insight into the overall state of SCADA security. 

Vulnerabilities affecting SCADA systems may present a threat 

to critical infrastructure that relies on these systems. Due to the 

potential for disruption of critical services, these vulnerabilities 

may be associated with politically motivated or state-sponsored 

attacks. This is a concern for governments and/or enterprises 

that are involved in the critical infrastructure sector. While 

this metric provides insight into public SCADA vulnerability 

disclosures, due to the sensitive nature of vulnerabilities 

affecting critical infrastructure there is likely private security 

research conducted by SCADA technology and security vendors. 

Symantec does not have insight into any private research 

because the results of such research are not publicly disclosed. 

Data 

The number of SCADA vulnerabilities decreased dramatically 

in 2012. In 2012, there were 85 public SCADA vulnerabilities, a 

massive decrease when compared to the 129 vulnerabilities in 

2011. 

Commentary 

Since the emergence of Stuxnet in 2010, the security of SCADA 

systems has been an area of concern. SCADA systems are 

generally not designed to be connected to the public Internet, 

but as Stuxnet demonstrated, this is not always a guarantee 

of security as locally connected networks may become 

compromised and USB devices may also be used as an infection 

vehicle. As new vulnerabilities are discovered, the importance 

of providing a fix quickly is even greater for SCADA systems, 

but they can sometimes remain unpatched for longer than 

traditional software vulnerabilities.

p. 150 




Vulnerability Trends Endnotes 

01 See http://www.first.org/cvss/cvss-guide.html. 

02 See http://www.securityfocus.com/bid/31874. 





07 See http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploitsfor-sale-means-better-security.html. 



10 See http://go.symantec.com/apt.

p. 151 



APPENDIX :: E 

GOVERNMENT ThREAT 

ACTIVITy TRENDS

p. 152 



GOVERNMENT ThREAT ACTIVITy TRENDS 

Government Threat Activity Trends 

Whether the purposes behind government-targeted attacks involve disagreements 

with policies or programs, or are motivated by espionage or attempts to steal classified 

information for profit or other reasons, such attacks can have serious ramifications 

on organizations and those they serve. The Symantec Global Internet Security Threat 

Report provides an analysis of threat activity trends relating to government and Critical 

Infrastructure Protection (CIP), including malicious activity that Symantec observed in 2012. 

Attacks are defined as any malicious activity carried out over a network that has been 

detected by an intrusion detection system (IDS) or firewall. Definitions for the other 

types of malicious activities can be found in their respective sections within this report. 

This section covers the following metrics and provides analysis and discussion of the trends indicated by the data: 

• Malicious Activity by Critical Infrastructure Sector 

• Sources of Origin for Government-targeted Attacks 

• Attacks by Type: Notable Critical Infrastructure Sectors

p. 153 




Malicious Activity by Critical Infrastructure Sector 

Background 

This metric indicates the level to which government and critical 

infrastructure organizations may have been compromised and 

are being used by attackers as launching pads for malicious 

activity. These attacks could potentially expose sensitive and 

confidential information, which could have serious ramifications 

for government and critical infrastructure organizations. Such 

information could be used for strategic purposes in the case of 

state- or group-sponsored attacks, especially since attackers who 

use compromised computers for malicious activity can mask 

their actual location. 

Methodology 

This metric evaluates the amount of malicious activity 

originating from computers and networks that are known to 

belong to government and critical infrastructure sectors. To 

measure this, Symantec cross-references the IP addresses 

of known malicious computers with standard industrial 

classification (SIC 1 ) codes that are assigned to each industry and 

provided by a third-party service. 2 Symantec has compiled data 

on numerous malicious activities that were detected originating 

from the IP address space of these organizations. These 

activities include bot-infected computers, phishing hosts, 

spam zombies, and network attack origins. 

Data 

Figure e.1 Malicious Activity by Critical Infrastructure Sector 


Industry Sector 

% of CIP Source 

Activity 

Financial services 72.2% 9.6% 

Manufacturing 16.0% 71.5% 

Biotech / Pharmaceutical 4.7% 6.0% 

Government 2.2% 1.7% 

Aerospace 1.9% 7.3% 

Government - national 1.2% 0.8% 

Government - state 0.9% 0.8% 

utilities/energy 0.3% 0.3% 

internet service Provider 0.3% 1.7% 

telecommunications 0.1% 0.1% 

Government - Local

p. 154 




Sources of Origin for Government-targeted Attacks 

Background 

Attacks targeting government organizations may serve as a 

means of expressing disagreement with policies and programs 

that the government has developed and implemented. Such 

attacks are likely to be carried out for a variety of reasons, 

including blocking access to government Internet-based 

resources, gaining access to potentially sensitive information, 

and discrediting the government itself. In addition, attacks 

may be motivated by espionage and attempts to steal 

government-classified information. These attacks may result 

in the disruption of critical services, as with DoS attacks, 

or the exposure of highly sensitive information. An attack 

that disrupts the availability of a high-profile government 

organization website will get much wider notice than one 

that takes a single user offline. In addition, malicious code 

attacks targeting governments can be motivated by profit 

because governments store considerable amounts of personal 

identification data that could be used for fraudulent purposes, 

such as identity theft. Personal data can include names, 

addresses, government-issued identification numbers, and bank 

account credentials, all of which can be effectively exploited for 

fraud by attackers. Government databases also store information 

that could attract politically motivated attacks, including critical 

infrastructure information and other sensitive intelligence. In 

February, several attacks targeting a government organization 

consisted of spoofed emails sent to U.S. military officials 

with subjects like “U.S.Air Force Procurement Plan 2012” and 

“[UNCLASSIFIED]2012 U.S.Army orders for weapons.” This 

prompted recipients to click on a link, which would download 

malicious code in an attempt to steal confidential information. 3 

Methodology 

This metric will assess the top sources of origin for governmenttargeted 

attacks by determining the location of computers from 

which the attack occurred. It should be noted that attackers 

often attempt to obscure their tracks by redirecting attacks 

through one or more servers that may be located anywhere in 

the world; thus, the attacker may be located somewhere other 

than from where the attacks appear to originate. 

Data 

Figure e.2 Sources of Origin for Government-targeted Attacks 


Row Labels 

% of Source 

Activity 

united states 73.67% 16.73% 

china 11.88% 54.56% 

united Kingdom 2.23% 1.98% 

netherlands 2.17% 3.28% 

russia 2.10% 7.22% 

taiwan 1.92% 4.92% 

Brazil 1.68% 5.89% 

Germany 1.54% 2.47% 

Korea, south 1.41% 1.70% 

France 1.40% 1.25% 

Commentary 

% of Source IP 

Addresses 

• The United States and China were the top two sources of 

origin for attacks that targeted the Government sector in 

2012. 

• This could be a consequence of having large numbers of 

insecure systems in the United States and China, which may 

be used for staging an attack.

p. 155 




Attacks by Type: Notable Critical Infrastructure Sectors 

Background 

This section of the Symantec Government Internet Security 

Threat Report focuses on the types of attacks detected by 

sensors deployed in notable critical infrastructure sectors. 

Government and critical infrastructure organizations are the 

target of a wide variety of attack types. The ability to identify 

attacks by type assists security administrators in evaluating 

which assets may be targeted and may assist them in securing 

those assets receiving a disproportionate number of attacks. 

The following sectors will be discussed in detail: 

• Government 

• Biotech/Pharmaceutical 

• Healthcare 

• Financial Services 

• Transportation 

• Telecommunications 

• Utilities 

Methodology 

The following types of attacks are considered for this metric: 

Attacks on Web Servers: Web servers facilitate a variety of 

services for government and critical infrastructure sectors, such 

as hosting publicly available information, customer support 

portals, and online stores. Some Web servers also host remotely 

accessible interfaces that employees use to perform routine, 

job-related tasks from remote locations. Furthermore, a Web 

server may be a portal to an organization’s internal network and 

database systems. 

Attacks on Web Browsers: Web browsers are exposed to a 

greater amount of potentially untrusted or hostile content 

than most other applications. As the Internet has become 

commonplace among business and leisure activities, there is 

an increased reliance on browsers and their plug-ins. Attacks 

on Web browsers can originate from malicious websites as well 

as legitimate websites that have been compromised to serve 

malicious content. Browsers can also facilitate client-side 

attacks because of their use of plug-ins and other applications 

in handling potentially malicious content served from the Web, 

such as compromised documents and media files. 

Attacks on SMTP (Simple Mail Transfer Protocol): SMTP is 

designed to facilitate the delivery of email messages across 

the Internet. Email servers using SMTP as a service are likely 

targeted by attackers because external access is required to 

deliver email. While most services can be blocked by a firewall 

to protect against external attacks and allow access only to 

trusted users and entities, for email to function effectively 

for organizations, it has to be available both internally and 

externally to other email servers. The necessity of allowing both 

internal and external access increases the probability that a 

successful attack will improve the attackers’ chances of gaining 

access to the network. 

Denial-of-Service (DoS) Attacks: DoS attacks are a threat to 

government and critical infrastructures because the purpose 

of such attacks is to disrupt the availability of high-profile 

websites or other network services and make them inaccessible 

to users and employees. A successful DoS attack could result 

in the disruption of internal and external communications, 

making it practically impossible for employees and users to 

access potentially critical information. Because these attacks 

often receive greater exposure than those that take a single user 

offline, especially for high-profile government websites, they 

could also result in damage to the organization’s reputation. 

A successful DoS attack on a government network could also 

severely undermine confidence in government competence and 

impair the defense and protection of government networks. 

Backscatter: Generally, backscatter is considered to be a type of 

Internet background noise, which is typically ignored. While not 

a direct attack, backscatter is evidence that a DoS attack against 

another server on the Internet is taking place and is making use 

of spoofed IP addresses. When one of these spoofed IP addresses 

matches the address of a Symantec sensor, any error messages 

that the attacked server sends to the spoofed address will be 

detected by a Symantec sensor as backscatter. 

Shellcode/Exploit Attacks: Shellcode is a small piece of code 

used as the payload in the exploitation of a vulnerability. An 

attacker can exploit a vulnerability to gain access to a system, 

inject this code, and use a command shell to take control of a 

compromised machine. By remotely controlling a compromised 

system, an attacker can gain access to an organization’s network 

and, from there, perpetrate additional attacks. Moreover, this 

type of attack can monopolize valuable resources that may be 

critical to government operations.

p. 156 





Figure e.3 Attacks by Type – Overall Government and Critical Infrastructure Organizations 


Web (server) 

79% 

6% DoS 

5% Shellcode/Exploit 

7% P2P 

2% Web (browser) 

1% SMTP (email) 

• Web server attacks were the most common type of attack for 

government and critical infrastructure: In 2012, the most 

common attack type seen by all sensors in the government 

and critical infrastructure sectors related to attacks on Web 

servers and accounted for 78.48 percent of all attacks. 

• P2P attacks were the second-most common type of attack 

for government and critical infrastructure, accounting 

for 7.21 percent of attacks. P2P attacks are comprised of 

general ones such as DoS, Man-in-the-middle and Worm 

propagation attacks, and specific ones such as Rational 

attacks, file poisoning, etc. 

• DoS attacks are often associated with social and political 

protests, since they are intended to render a site 

inaccessible to legitimate users of those services. Man-inthe-middle 

attacks are where the attacker inserts himself 

undetected between two nodes. He can then choose to stay 

undetected and spy on the communication or more actively 

manipulate the communication. 

p. 157 




Figure e.4 Attacks by Type – Notable Critical Infrastructure Sectors 


Government 

Shellcode 

/Exploit 

51% 

Financial Services 

P2P 

20% 

Transportation 

Utilities 

Web 

(server) 

86% 

DoS 

81% 

Shellcode 

/Exploit 

21% 

Web 

(server) 

27% 

6% DoS 

23% SMTP (email) 

14% Web (server) 

5% DoS 

13% DoS 

1% Shellcode/Exploit 

p. 158 




• The Financial Services and Transportation sectors were 

predominantly targeted by Web server attacks in 2012. 

These two sectors contribute to the majority of Web server 

attacks seen in critical infrastructure sectors overall. This 

may indicate that attackers were specifically targeting these 

sectors and attempting to disrupt Web services, which are 

the backbone of these sectors. 

• Shellcode/Exploit attacks have become the most common 

for the government sector and healthcare. A shellcode is a 

small piece of code used as the payload in the exploitation 

of a software vulnerability. It is called “shellcode” because 

it typically starts a command shell from which the attacker 

can control the compromised machine. Shellcode can 

either be local or remote, depending on whether it gives an 

attacker control over the machine it runs on (local) or over 

another machine through a network (remote). 

• DoS attacks predominate Biotech, Telecommunications 

and Utilities sectors, attempting to disrupt services and 

communications within them. 

Government Threat Activity Endnotes 

01 SIC codes are the standard industry codes that are used by the United States Securities and Exchange Commission to identify 

organizations belonging to each industry. For more information, please see http://www.sec.gov/. 

02 See http://www.digitalenvoy.net/. 

03 See http://www.huffingtonpost.com/2011/01/05/white-house-christmas-email_n_804547.html.

p. 159 



About Symantec 

Symantec protects the world’s information and is a global leader in security, backup, and 

availability solutions. Our innovative products and services protect people and information 

in any environment—from the smallest mobile device to the enterprise data center to cloudbased 

systems. Our world-renowned expertise in protecting data, identities, and interactions 

gives our customers confidence in a connected world. More information is available at 

www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia. 

More Information 

• Symantec.cloud Global Threats: http://www.symanteccloud.com/en/gb/globalthreats/. 

• Symantec Security Response: http://www.symantec.com/security_response/. 

• Internet Security Threat Report Resource Page: http://www.symantec.com/threatreport/. 

• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/. 

• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/.

For specific country offices and contact numbers, 

please visit our website. 

For product information in the u.s., 

call toll-free 1 (800) 745 6054. 

Symantec Corporation World headquarters 

350 ellis street 

Mountain View, cA 94043 usA 

+1 (650) 527 8000 

1 (800) 721 3934 

www.symantec.com 

Copyright © 2013 Symantec Corporation. 

All rights reserved. Symantec, the Symantec Logo, 

and the Checkmark Logo are trademarks or registered 

trademarks of Symantec Corporation or its affiliates in 

the U.S. and other countries. Other names may 

be trademarks of their respective owners. 

03/13 21284431 

confidence in a connected world.

internet security tHreAt rePOrt GOVernMent 2013

Create successful ePaper yourself

Delete template?

Save as template?