by Tony Millington, Associate Software Engineer, and Dan Bleaken, Malware Data Analyst, Symantec Hosted Services
A few days ago Symantec Hosted Services released its March MessageLabs Intelligence Report, which was picked up by a number of technology news sites. We were quite surprised that they seemed to pick up on the information we published about the location of the sender. This is nothing new, really: we have used this information for a long time in various facets of our detection to facilitate more accurate judgments on the nature of a potentially harmful email.
The data published in the MessageLabs Intelligence report (http://www.messagelabs.com/mlireport/MLI_2010_03_Mar_FINAL-EN.pdf) on the source of the targeted attacks we intercept is based on a good proportion of all the targeted attacks we intercept.
Out of 601 targeted samples analysed for this report, we identified the IP address of the sender for 451 of them, approximately 75 percent. Whilst it is possible that these addresses point to botnet-infected computers, targeted attacks are frequently sent from the same IP addresses.
Further analysis suggests that the majority of these attacks are not sent from any of the large spam-sending botnets used by mainstream spammers. While there have been times when botnets have been used to send targeted attacks via webmail services (even using the Bredolab malware to do so), there is an obvious difference between the malware sent via a botnet and that which is sent directly or through a compromised computer.
This still leaves 25 percent of the emails without the sender's IP address in the headers, so where are they coming from?
Well, 1 percent of the samples we studied were sent from compromised computers, suggesting this approach isn't often used to send targeted attacks. The other 24 percent come from free-to-use web mail services that don't include the IP address of the sender in their headers. Whether the computer that connects to the web mail service is itself compromised or part of a botnet is impossible to tell, since to all intents and purposes it appears identical to a real person using that computer. It is very interesting to note where they originate from, however: overall, these are the free-to-use web mail services that are frequently used by hackers and cyber criminals. They are smart people who write very sophisticated malware, and they are almost certainly aware that a number of free-to-use web mail services will not reveal their true location to the recipient of the mail. This offers a reasonable explanation as to why they favor these services now and why they will continue to use them in the future.
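As an added illustration of the header analysis described above (this is not Symantec's code, and the sample headers, hostnames and addresses are constructed), the function below walks the Received: chain back to the first hop and reports the connecting client's public address, or None when that hop records no usable address, which is what the webmail samples look like:

```python
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Dotted quad, optionally in brackets, as Received: headers write client addresses.
IPV4 = re.compile(r"\[?(\b\d{1,3}(?:\.\d{1,3}){3}\b)\]?")
# RFC 1918 and loopback space: such an address locates nothing outside the mail service.
PRIVATE = re.compile(r"^(10\.|127\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)")

def originating_ip(raw: str) -> Optional[str]:
    """Public IP the message was first received from, or None if not recorded.

    Each relay prepends its own Received: line, so the last one in the header
    block describes the first hop. A direct sender's address sits there; a
    webmail submission often shows only the provider's internal hop
    (assumption: how each provider omits the address varies).
    """
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    first_hop = received[-1]
    m = re.search(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", first_hop, re.IGNORECASE)
    if m is None:
        return None
    ip = IPV4.search(" ".join(g for g in m.groups() if g))
    if ip is None or PRIVATE.match(ip.group(1)):
        return None
    return ip.group(1)

def locate_batch(messages: List[str]) -> Tuple[int, int]:
    """Count (located, unlocated) senders across a sample set."""
    located = sum(1 for raw in messages if originating_ip(raw) is not None)
    return located, len(messages) - located

# Constructed samples: documentation-range addresses and invented hostnames.
DIRECT_SAMPLE = (
    "Received: from mx2.example.org (mx2.example.org [198.51.100.7])\n"
    "\tby inbound.hosted.example; Mon, 15 Mar 2010 10:00:00 +0000\n"
    "Received: from user-pc (unknown [203.0.113.45])\n"
    "\tby mx2.example.org with ESMTP; Mon, 15 Mar 2010 09:59:58 +0000\n"
    "From: sender@example.org\nTo: target@example.com\nSubject: Agenda\n\nSee attached.\n"
)
WEBMAIL_SAMPLE = (
    "Received: from webmail.example.net (webmail.example.net [192.0.2.10])\n"
    "\tby inbound.hosted.example; Mon, 15 Mar 2010 10:00:00 +0000\n"
    "Received: from [10.8.0.21] by webmail.example.net via HTTP;\n"
    "\tMon, 15 Mar 2010 09:59:50 +0000\n"
    "From: sender@example.net\nTo: target@example.com\nSubject: Agenda\n\nSee attached.\n"
)
```

Run over a sample set, `locate_batch` gives the located/unlocated split that the 75/25 percent figures above summarise.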