10pc of web malware unleashed via search, Cisco says

17 Nov 2010

Enterprise users experienced an average of 133 web malware encounters per month, peaking at more than 140 during the month of August, according to the Q3 Global Threat Report from Cisco. About 10pc of web malware was encountered via search engine traffic.

During Q3, 7pc of all web malware encounters resulted from Google referrers, followed by Yahoo! at 2pc, according to the Q3 Threat Report.

“It is interesting to see that exploits targeting Sun Java increased from 5pc of all malware encounters in July 2010 to 7pc in September 2010,” said Mary Landesman, market intelligence manager at Cisco.

“However, PDF exploits targeting Adobe Reader and Acrobat actually declined over the quarter, from 3pc of all web malware blocks in July 2010 to 1pc in September 2010.”

Interestingly, the report reveals that companies in the pharmaceutical and chemical vertical were most at risk for web malware encounters in Q3, experiencing a heightened risk rating of 372pc.

Other higher risk verticals in Q3 included energy and oil (209pc), and agriculture and mining (169pc). The vertical least at risk during the quarter was aviation and automotive.

“We can also report that spam volumes were highest in August 2010 compared to the remainder of the quarter.

“The Rustock botnet was the most frequently encountered event handled by Cisco Remote Operations Services (ROS), peaking in late August. This botnet is believed to be one of the largest purveyors of spam and has been most predominantly affiliated with sending pharmaceutical and counterfeit watch spam, often in the form of a breaking news alert, a tactic first popularised by the Storm botnet,” adds Landesman.

LinkedIn spoofing

The report also shows that during the course of the largest LinkedIn spoofing in mid-September, the malicious LinkedIn email comprised a significant 31.26pc of all spam for that period.

Highlights of the report include:

  • Some 79pc of clicks on “Here You Have” email occurred within the first three hours of the worm’s spread.
  • Approximately 10pc of web malware was encountered via search engine traffic and/or services.
  • During 3Q10, 7pc of all web malware encounters resulted from Google referrers, followed by Yahoo at 2pc, Bing/MSN at 1pc and Sina at 0.1pc.
  • Exploits targeting Sun Java increased from 5pc of all web malware encounters in July 2010 to 7pc in September 2010.
  • Exploits targeting Adobe Reader and Acrobat declined over the quarter, from 3pc of all web malware blocks in July 2010 to 1pc in September 2010.
  • Some 38pc of those impacted with Stuxnet were located in the UK, 25pc in Hong Kong, and 13pc each in Brunei, the Netherlands, and Australia.
  • At 5pc, the Windows Print Spooler vulnerability exploited by Stuxnet was the fifth most prevalent event handled by Cisco Remote Operations Services (ROS) in 3Q10.
  • The Rustock botnet was the highest occurring ROS event in 3Q10, at 21pc of events handled during the report period.
  • Peak Rustock activity occurred in late August 2010, declining in September 2010.
  • The volume of spam sent also dropped in September 2010 for eight of the top 10 spam-sending countries. However, spam sent from Russia and the Ukraine increased in September 2010.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years.
