SOURCE: Symantec


March 25, 2010 08:00 ET

Symantec Announces March 2010 MessageLabs Intelligence Report

Targeted Attacks Originate in China and .RAR File Attachments Deemed Most Malicious

MOUNTAIN VIEW, CA--(Marketwire - March 25, 2010) -  Symantec Corp. (NASDAQ: SYMC) today announced the publication of its March 2010 MessageLabs Intelligence Report. Analysis of the origins of targeted attacks, malicious emails sent in small volumes aimed at gaining access to sensitive corporate data, reveals that the majority of targeted malware sent this month, originated in the United States (36.6 percent) based on mail server location, but when analyzed by sender location, more targeted attacks actually originated in China (28.2 percent), Romania (21.1 percent) and United States (13.8 percent).

"When considering the true location of the sender rather than the location of the email server, fewer attacks are actually sent from North America than it would at first seem," said Paul Wood, MessageLabs Intelligence Senior Analyst. "A large proportion of targeted attacks are sent from legitimate webmail accounts which are located in the US and therefore, the IP address of the sending mail server is not a useful indicator of the true origin of the attack. Analysis of the sender's IP address, rather than the IP address of the email server reveals the true source of these targeted attacks."

Further analysis of targeted attacks shows that the top five targeted roles are Director, Senior Official, Vice President, Manager, and Executive Director and the individuals that receive the most targeted malware are responsible for foreign trade and defense policy, especially in relation to Asian countries.

While the most common file types attached to all malicious emails were .XLS and .DOC file types, the most dangerous file type identified was encrypted .RAR files, a proprietary compressed archive format. .XLS and .DOC file types each accounted for 15.4 percent of file attachments to email in March and the top four most common file types -- .XLS, .DOC, .ZIP and .PDF accounted for 50 percent of files attached to emails. Encrypted .RAR files accounted for approximately 1 in 312 (0.32 percent) malicious files attached to emails in March. Although a relatively uncommon file type, it is compromised 96.8 percent of the time when attached to an email.

"By comparison, unencrypted .RAR files are rarely exploited and occur in 1.1 percent of emails," Wood said. "Although they are more common than encrypted .RAR files, they are far less likely to be seen attached to malicious email."

The .EXE file type is the most likely to cause suspicion as being be compromised when attached to an email. However, in March executable file types accounted for 6.7 percent of files attached to email and were found to be compromised 15 percent of the time. Although there are a great number of malicious emails that use the most common file extensions, .XLS, .DOC, .ZIP and .PDF, as attachments, they are more often included as attachments to emails that are safe.

Finally in March, MessageLabs Intelligence observed that the Rustock botnet had been sending considerably more spam using TLS (Transport Layer Security). Approximately, 77 percent of spam sent from the Rustock botnet used secure TLS connections during March.

The average additional inbound and outbound traffic due to TLS requires an overhead of around one kilobyte. Many spam emails are often much lower than one kilobyte in size. Spam using TLS accounted for approximately 20 percent of all spam in March, peaking at 35 percent on March 10.

"TLS is a popular way of sending email through an encrypted channel," Wood said. "However, it uses far more server resources and is much slower than plain-text email and requires both inbound and outbound traffic. The outbound traffic frequently outweighs the size of the spam message itself and can significantly tax the workload on corporate email servers."

Other report highlights:

Spam: In March 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 90.7 percent (1 in 1.10 emails), an increase of 1.5 percentage points since February.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 358.3 emails (0.28 percent) in March, an decrease of 0.05 percentage points since February. In March, 16.8 percent of email-borne malware contained links to malicious websites, a decrease of 13.7 percentage points since February.

Phishing: In March, phishing activity was 1 in 513.7 emails (0.19 percent), a decrease of 0.02 percentage points since February. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had increased by 8.4 percentage points to 64.6 percent of all email-borne threats.

Web security: Analysis of web security activity shows that 14.9 percent of all web-based malware intercepted was new in March, an increase of 1.6 percentage points since February. MessageLabs Intelligence also identified an average of 1,919 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 61.6 percent since February.

Geographical Trends:

  • Spam levels in Hungary rose to 95.7 percent in March positioning it as the most spammed country. 
  • In the US, 91.1 percent of email was spam and 89.5 percent in Canada. Spam levels in the UK rose to 90.1 percent.
  • In the Netherlands, spam accounted for 93.0 percent, while spam levels reached 90.1 percent in Australia and remained at 91.3 percent in Germany. 
  • Spam levels in Hong Kong reached 92.0 percent and spam levels in Japan were at 87.5 percent.
  • Virus activity in Taiwan was 1 in 90.9 emails, making it the most targeted country for email-borne malware in March.
  • Virus levels for the US were 1 in 551.4 and 1 in 492.8 for Canada. In Germany, virus levels were 1 in 462.0, 1 in 834.7 for the Netherlands, 1 in 351.6 for Australia, 1 in 505.5 for Hong Kong, 1 in 1063.3 for Japan and 1 in 504.1 for Singapore.
  • UK was the most active country for phishing attacks in March with 1 in 254.8 emails.

Vertical Trends:

  • In March, the most spammed industry sector with a spam rate of 94.7 percent was the Engineering sector.
  • Spam levels for the Education sector were 91.9 percent, 91.1 percent for the Chemical & Pharmaceutical sector, 91.6 percent for IT Services, 91.8 percent for Retail, 89.1 percent for Public Sector and 89.5 percent for Finance.
  • In March, the Public Sector remained the most targeted industry for malware with 1 in 77.1 emails being blocked as malicious. 
  • Virus levels for the Chemical & Pharmaceutical sector were 1 in 642.9, 1 in 510.9 for the IT Services sector, 1 in 728.6 for Retail, 1 in 189.1 for Education and 1 in 301.8 for Finance.

The March 2010 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at

Symantec's MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at All prices noted are in U.S. dollars and are valid only in the United States.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Contact Information

    U.S.: Marissa Vicario
    Symantec Corp.
    +1 646 519 8116
    Email Contact

    EMEA: Paul Wood
    + 44 (0) 1452 627705
    Email Contact

    APAC: Andrew Antal
    +61 2 908 68239
    Email Contact