SOURCE: Symantec


January 22, 2010 08:00 ET

Symantec Announces January 2010 MessageLabs Intelligence Report

2010 Kicks Off With High Spam Levels and New Zero-Day Threats

MOUNTAIN VIEW, CA--(Marketwire - January 22, 2010) - Symantec Corp. (NASDAQ: SYMC) today announced the publication of its January 2010 MessageLabs Intelligence Report. Analysis reveals spammers have launched new campaigns related to 2010 events to sustain the high levels of spam experienced toward the end of 2009. At the start of 2010, MessageLabs Intelligence saw the typical special New Year offers for pharmaceuticals, fashion accessories and watches, weight loss products, loans and jobs. At its peak, spam related to the New Year accounted for 7.7 percent of all spam on a single day, and more than 50 percent of New Year-related spam was sent by the Grum and Cutwail botnets combined. Spammers are now moving away from the New Year themes and are expected to latch onto Valentine's Day-related spam topics next. Spammers and phishers have also been quick to take advantage of the tragedy that struck Haiti to generate advance-fee fraud scams. As many countries seek to offer humanitarian aid and relief, the scammers are looking for ways to exploit those donation efforts, counting on the public's concern and desire to help to cloud their good judgment.

With 83.4 percent of spam originating from botnets at the end of 2009, MessageLabs Intelligence calculated that the remainder of spam, 0.9 percent -- the equivalent of 900 million spam emails -- originated from free webmail accounts. More than 79 percent of webmail spam came from three well-known free webmail service providers.

"Despite the best efforts of the webmail providers to prevent this abuse of their services, there is still a viable market in the underground economy for buying and selling legitimate and usable webmail accounts," said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services.

In December 2009, a new zero-day vulnerability in a popular version of a .PDF viewer was disclosed. MessageLabs Intelligence blocked the first versions of the attack seen in the wild in November 2009, protecting Symantec Hosted Services customers from the attack before it began. The attack targeted high-level individuals in the public sector, education, financial services and large international corporations. Arriving as a .PDF file containing embedded JavaScript, the attack also involved a social engineering aspect that varied according to the individual and organization being targeted.

In December 2009, MessageLabs began tracking a new botnet called Lethic, which quickly accounted for 2.5 percent of all spam. Within the first week of January, spam from Lethic increased to less than four percent of all spam and then peaked at 5.25 percent of all spam on 8 January before dropping off to nothing.

"Lethic seems to have disappeared almost as quickly as it arrived," Wood said. "The spam it had been sending was roughly an even mix of pharmaceutical and replica watch spam. Interestingly, the Bagle botnet was sending the exact same spam with the same hyperlinks as Lethic and over the same time period leading us to believe that Lethic possibly came from the same creators as Bagle or the people behind the spam may have hired the resources of more than one botnet gang to increase output."

Finally, MessageLabs Intelligence looked at how the advertised price per 100 mg of the medication used to treat male impotence, which is commonly exploited in spam messages, has changed over the past year and how the spammers may have been affected by last year's financial crisis. MessageLabs Intelligence found that the spammers' price for the medication peaked at $6 per 100 mg in early 2009 and then rapidly declined during June and July 2009 to between $2 and $3. The price stabilized at $1.60 at the end of 2009 and remained there through the beginning of 2010.

"While it's almost impossible to say this trend in pricing is a true reflection of the state of spam economy, MessageLabs Intelligence will continue to analyze this data to learn whether the prices return to their former high levels as the global economy continues on its recovery," Wood said.

Other report highlights:

Spam: In January 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 83.9 percent (1 in 1.2 emails), a decrease of 0.3 percent since December 2009.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 326.9 emails (0.31 percent) in January, a decrease of 0.03 percent since December 2009. In January 13.2 percent of email-borne malware contained links to malicious websites, a decrease of 5.9 percent since December.

Phishing: In January, phishing activity was 1 in 562.3 emails (0.18 percent), a decrease of 0.11 percent since December 2009. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had decreased by 14.3 percent to 65.3 percent of all email-borne threats.

Web security: Analysis of web security activity shows that 41.4 percent of all web-based malware intercepted was new in January, an increase of 0.6 percent since December. MessageLabs Intelligence also identified an average of 1,760 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 56.2 percent since December.

Geographical Trends:

--  Spam levels in Denmark fell by 0.6 percent in January, but Denmark
    remained the most spammed country with levels of 94.8 percent of all email.
--  In the US, spam decreased to 91.6 percent and to 89.7 percent in Canada.
    Spam levels fell to 90.0 percent in the UK.
--  In the Netherlands, spam levels reached 92.4 percent, while spam levels
    in Australia reached 90.6 percent.
--  Spam levels in Hong Kong reached 92.1 percent and spam levels in Japan
    were at 88.2 percent.
--  Virus activity in China rose by 0.13 percent to 1 in 121.4 emails,
    placing it at the top of the table for January.
--  Virus levels for the US were 1 in 440.3 and 1 in 383.1 for Canada. In
    Germany, virus levels were 1 in 271.6, 1 in 496.4 for the Netherlands, 1 in
    644.1 for Australia, 1 in 331.9 for Hong Kong and 1 in 396.5 for Japan.
--  The UK was the most active country for phishing attacks with 1 in 253.6

Vertical Trends:

--  In January, the most spammed industry sector with a spam rate of 95.1
    percent was the Engineering sector.
--  Spam levels for the Education sector were 92.1 percent, 91.0 percent for
    the Chemical & Pharmaceutical sector, 91.5 percent for IT Services, 92.3
    percent for Retail, 89.3 percent for Public Sector and 90.1 percent for
--  Virus activity in the Public sector fell by 0.33 percent but moved to the
    top of the table with 1 in 109.7 emails being infected in January.
--  Virus levels for the Chemical & Pharmaceutical sector were 1 in 230.9, 1
    in 353.4 for the IT Services sector, 1 in 607.2 for Retail, 1 in 187.7 for
    Education and 1 in 391.5 for Finance.

The January 2010 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at

Symantec's MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at All prices noted are in U.S. dollars and are valid only in the United States.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
