Web malware soars 139% in 2010, Cisco reports

Enterprise users experienced an average of 135 web malware encounters per month in 2010, with the highest number, 250 per month, occurring in October 2010. At 16,905, the number of unique web malware hosts was also highest in October, according to Cisco’s 4Q10 Global Threat Report.

In total, there were 38,811 unique web malware hosts resulting in 127,622 unique web malware URLs in the fourth quarter of 2010, the report noted.

Search engine-related traffic accounted for 8% of web malware encountered in the fourth quarter, with the majority coming from Google (3.84%), down from 7% in the third quarter. Collectively, malicious webmail accounted for only 1% of encounters in the fourth quarter.

“The most prevalent exploits in 2010 were Java, which were three and a half times more prevalent than PDF exploits”, Mary Landesman, Cisco senior security threat researcher, told Infosecurity. “Even though Adobe received the lion’s share of attention, because of exploits targeting Adobe Reader and Acrobat, the reality is that exploits of Java caused a lot more problems over the year”, she added.

Landesman said that the malware environment is going through “concerning” changes today. “What we are seeing today with Stuxnet is a shift from profit-driven malware to political-driven malware”, she said.

In addition, the report found that spam volumes decreased “dramatically” in 2010. Average daily spam volumes dropped from around 380 billion messages per day in January to under 100 billion per day in December.

Cisco attributed the drop to the takedown of botnet segments related to Lethic, Waledac, Mariposa, and Zeus in the first quarter, followed by a branch of the Pushdo/Cutwail botnet in August 2010. Fourth quarter takedowns included segments of the Bredolab and Koobface botnets, as well as SpamIt.com.

“When you have a lot of shutdowns like that, you put the spammer on the defensive and disrupt their ability to do business”, Landesman said. The shutdown of SpamIt.com in October was the most significant spam-related development in the quarter. “SpamIt was the affiliate revenue facilitator for much of the world’s pharmaceutical spam. And pharmaceutical spam makes up the bulk of all spam. So that cut the pharmaceutical spammers off at their knees,” she added.

Landesman cautioned that a reduction in spam volume does not necessarily mean a reduction in risk. She noted that a spear-phishing attack against government and military email addresses in December was very successful, even though the spam volume generated by the attack was low. The spam email masqueraded as a holiday greeting from the White House. The intent was to get users to click through to a malicious web site and infect computers with a variant of the Zeus trojan, which offloaded Word, Excel, and PDF files to the attacker's server. The attack was short-lived, but the attacker stole two gigabytes of potentially sensitive information, she observed.
