Press Releases

McAfee Reports 2011 Q1 More Malware, Less Spam

Cybercriminals kicked off 2011 with a bang, with the first quarter of 2011 resulting in the most active first quarter in malware history. According to McAfee’s Q1 Threats Report, released today, while malware soared, spam took a huge dip, due in part to the biggest botnet takedown in history.

Canadian consumers are definitely concerned about the problem of increasing malware when surfing the Web today. According to May 2011 statistics from Leger Marketing, only 21.6 per cent of Canadians believe they are protected from today’s malware threats, such as increased activity in the number of domains, IP addresses and URLs with malicious

McAfee’s Q1 2011 Threats Report highlights the newest threats attacking various platforms, as well as the most popular malware and spam trends, both globally and regionally.

Specifically, the report findings reveal that:

  • There were six million unique samples of recorded malware, the most active first quarter in malware history
  • Spam is at its lowest levels since 2007, due in part from the Rustock botnet takedown
  • Symbian and Android environments are the most popular for mobile malware
  • Spam promoting products was the most popular lure in most global regions


McAfee Q1 Threats Report Reveals Surge in Malware and Drop in Spam

Symbian and Android the most popular mobile malware environments; Spam dips due to Rustock takedown

SANTA CLARA, Calif. – June 1, 2011 – McAfee today released the McAfee Threats Report: First Quarter 2011. With six million unique samples of recorded malware, Q1 2011 was the most active first quarter in malware history. The report revealed many of the trends that had a significant impact on the threat landscape, such as the takedown of the Rustock botnet, which resulted in spam remaining at its lowest levels since 2007, and confirmed that mobile malware is the new frontier of cybercrime.

“The Q1 Threats Report indicates that it’s been a busy start to
2011 for cybercriminals,” said Vincent Weafer, senior vice president of McAfee Labs. “Even though this past quarter once again showed that spam has slowed, it doesn’t mean that cybercriminals aren’t actively pursuing alternate avenues. We’re seeing a lot of emerging threats, such as Android malware and new botnets attempting to take over where Rustock left off, that will have a significant impact on the activity we see quarter after quarter.”

Busiest Quarter in History for Malware
With more than six million unique malware samples in Q1, this period far exceeds any first quarter in malware history. February 2011 saw the most new malware samples of the quarter, at approximately 2.75 million.

Fake anti-virus software had a very active quarter as well, reaching its highest levels in more than a year, totaling 350,000 unique fake-alert samples in March 2011.

Malware Attacks on Android Devices
Malware no longer affects just PCs. As Android devices have grown in popularity, the platform solidified its spot as the second most popular environment for mobile malware behind Symbian OS during the first three months of the year.

A McAfee Labs mobile application security whitepaper, released toda y in conjunction with this McAfee Threats Report, discusses how most Android devices allow the “side-loading’ of apps and are not restricted to getting them from a centralized app store, and there is no centralized place where Google can check all apps for suspicious behaviour. (See Downloading from Mobile App Stores Is a Risky Business at:
The researcher Lompolo recently found a series of Android applications carrying backdoor Trojans in the Android Market, and with the estimated download rate of tens of thousands to the hundreds of thousands, the number of users who could be affected is significant. In Q1 2011 McAfee Labs found that the most prominent types of Android mobile malware were Android/DrdDream, Android/Drad, Adnroid/StemySCR.A and AndroidBgyoulu, which affected everything from games to apps to SMS data.

The cybercriminals behind the Zeus crimeware toolkit have also directed attacks toward the mobile platform, creating new versions of Zitmo mobile malware for both Symbian and Windows Mobile systems to steal user bank-account information.

Rustock and Zeus Takedowns Result in Spam Decline The takedown of the Rustock botnet resulted in the shutoff of major zombies and command structures that caused spam volumes to fall all over the world. Spam, which has been at its lowest levels since 2007 in the past few quarters, significantly dropped once again to less than half of what it was only a year ago -at approximately 1.5 trillion messages per day, outnumbering legitimate email traffic by only a 3:1 ratio.

Although Zeus botnet development has declined, the author has apparently shifted efforts to merging the Zeus source code with the SpyEye botnet, resulting in large-scale threats affecting banking and online transactions. As of March 2011, the most recent SpyEye botnet can thrive on more than 150 modules, such as USB thumb drives, instant messaging and Firefox certificates.

Spam may be at its lowest levels in years, but many botnets are in the position to fill the gap left by the decline of Rustock and Zeus; the competition includes Maazben, Bobaz, Lethic, Cutwail and Grum. There was a strong uptick in new botnet infections toward the end of Q1, most likely due to the reseeding process, where cybercriminals slow down activity in order to spend time rebuilding botnets. The botnet takedowns have resulted in an increase in the price of sending spam on the underground marketplace, showing the laws of supply and demand also apply to cybercrime.

Popular Lures
Cybercriminals often disguise malicious content by using popular “lures” to trick unsuspecting users. Spam promoting phony or real products was the most popular lure in most global regions. In Russia and South Korea, drug spam was the most popular; and in Australia and China, fake delivery status notifications were among the most popular. Q1 also brought a new trend among “banker” Trojans, malware that steal passwords and other data, that use popular lures in their spam campaigns such as UPS, FedEx, USPS and the IRS.

McAfee Labs saw some significant spikes in malicious web content that corresponded with high-impact news events such as the Japanese earthquake and tsunami and major sporting events, with an average of
8,600 new bad sites per day. In the same vein, within the top 100 results of each of the daily top search terms, nearly 50 per cent led to malicious sites, and on average contained more than two malicious links.

For more information on trends related to cybercrime, hacktivism, web threats, vulnerabilities and network attacks, please download a full copy of the McAfee Threats Report: First Quarter 2011 at

About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. Backed by its unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security.
McAfee is relentlessly focused on constantly finding new ways to keep our customers safe.

McAfee Canada is headquartered in Markham, Ontario, with regional offices across Canada. The company’s Consumer Software Research and Development facility in based in Waterloo, Ontario.