Symantec reveals China and RAR files are a rising threat

The March 2010 MessageLabs Intelligence Report, which analyzed the origins of targeted attacks (malicious emails sent in small volumes with the aim of gaining access to sensitive corporate data), reveals that the majority of targeted malware sent this month originated in the US (36.6%), based on mail server location.

However, when the malware was analyzed by sender location, it was found that more targeted attacks actually originated in China (28.2%), Romania (21.1%) and then the US (13.8%).

Paul Wood, a senior analyst with MessageLabs, said that, when considering the true location of the sender rather than the location of the email server, fewer attacks are actually sent from North America than it would at first seem.

"A large proportion of targeted attacks are sent from legitimate webmail accounts which are located in the US and therefore, the IP address of the sending mail server is not a useful indicator of the true origin of the attack", he said.

"Analysis of the sender's IP address, rather than the IP address of the email server, reveals the true source of these targeted attacks", he added.

Further analysis of targeted attacks shows that the top five targeted roles are director, senior official, vice president, manager, and executive director, and the individuals that receive the most targeted malware are responsible for foreign trade and defense policy, especially in relation to Asian countries.

Delving into the research reveals that, while the most common file types attached to all malicious emails were XLS and DOC file types, the most dangerous file type identified was encrypted RAR files, a proprietary compressed archive format.

The study says that XLS and DOC file types each accounted for 15.4% of file attachments to email in March, and the top four most common file types – XLS, DOC, ZIP and PDF – accounted for 50% of files attached to emails.

Encrypted RAR files accounted for approximately 1 in 312 (0.32%) malicious files attached to emails in March. Although a relatively uncommon file type, researchers found them to be malicious 96.8% of the time when attached to an email.

"By comparison, unencrypted RAR files are rarely exploited and occur in 1.1% of emails", said Wood.

"Although they are more common than encrypted RAR files, they are far less likely to be seen attached to malicious email", he added.
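The report's finding that encrypted RAR attachments are almost always malicious suggests a cheap mail-gateway triage check: look at the RAR block headers and flag archives whose headers or file bodies are password-protected. The example below is added here and is not code from MessageLabs or the report; it parses the public RAR 4.x header layout (the format in use in 2010), and `build_rar4` only constructs a header-only fixture for testing, not a real compressed archive.

```python
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"                 # RAR 4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"             # RAR5 (2013+) uses a different layout
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD, LHD_PASSWORD = 0x0080, 0x0004    # headers encrypted / file body encrypted
LHD_LARGE, LONG_BLOCK = 0x0100, 0x8000         # 64-bit sizes present / ADD_SIZE field present

def rar_encryption(data: bytes) -> dict:
    """Report whether a RAR 4.x blob hides its headers or any file body behind a password."""
    if data.startswith(RAR5_SIG):
        raise ValueError("RAR5 archive: not handled by this RAR 4.x parser")
    if not data.startswith(RAR4_SIG):
        raise ValueError("not a RAR archive")
    result = {"encrypted_headers": False, "encrypted_files": []}
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        # Every block starts with HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE (little-endian)
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        # LONG_BLOCK means a 4-byte ADD_SIZE (the packed data length) follows the header
        add = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK and pos + 11 <= len(data) else 0
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            result["encrypted_headers"] = True
            break                                # everything after this point is ciphertext
        if htype == FILE_HEAD and pos + hsize <= len(data):
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & LHD_LARGE else 0)
            name = data[name_off:name_off + name_size].split(b"\x00")[0].decode("latin-1")
            if flags & LHD_PASSWORD:
                result["encrypted_files"].append(name)
        if htype == END_HEAD or hsize == 0:      # hsize == 0 guards against looping on garbage
            break
        pos += hsize + add
    return result

def build_rar4(main_flags: int, files) -> bytes:
    """Constructed fixture: a RAR 4.x header layout with chosen flags (payload is stored, not compressed)."""
    out = bytearray(RAR4_SIG)
    out += struct.pack("<HBHH", 0, MAIN_HEAD, main_flags, 13) + b"\x00" * 6   # HighPosAV, PosAV
    for name, file_flags, payload in files:
        name_b = name.encode()
        out += struct.pack("<HBHH", 0, FILE_HEAD, file_flags | LONG_BLOCK, 32 + len(name_b))
        # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD (0x30 = store), NAME_SIZE, ATTR
        out += struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name_b), 0x20)
        out += name_b + payload
    return bytes(out + struct.pack("<HBHH", 0, END_HEAD, 0, 7))
```

A gateway rule built on this would quarantine when `encrypted_headers` is set or `encrypted_files` is non-empty, while an unencrypted RAR falls through to normal attachment scanning.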

Over the last month, MessageLabs says it observed that the Rustock botnet had been sending considerably more spam using transport layer security (TLS). Approximately 77% of spam sent from the Rustock botnet used secure TLS connections during March.

Symantec says that the average additional inbound and outbound traffic due to TLS requires an overhead of around one kilobyte. Many spam emails are much smaller than one kilobyte.

"TLS is a popular way of sending email through an encrypted channel", said Wood, adding that it uses far more server resources and is much slower than plain-text email and requires both inbound and outbound traffic.

"The outbound traffic frequently outweighs the size of the spam message itself and can significantly tax the workload on corporate email servers", he explained.
