Cisco Blogs

Cisco 1Q11 Global Threat Report

May 11, 2011 - 1 Comment

The Cisco 1Q11 Global Threat Report has been released. The report covers the period from 1 January 2011 through 31 March 2011 and features data from Cisco Security Intelligence Operations. This quarter’s contributors includes Cisco Intrusion Prevention System (IPS), IronPort, Remote Management Services (RMS), Security Research and Operations (SR&O), and ScanSafe.

Unique Web malware increased 46% from January to March 2011. 16% of encounters were via online searches and webmail. Likejacking, where users are tricked/forced into registering a click with the Facebook “Like” button, increased from 0.54% to 6% throughout the quarter.

As expected, Rustock activity declined significantly over 1Q11, but interestingly, the sharp decline commenced weeks prior to the botnet takedown. Following the 4Q10 declines, global spam volume increased and then subsequently decreased during 1Q11, but levels remained above that of December 2010. With an increase of 248%, Indonesia overtook the United States as the top spam-sending country in 1Q11.

Though far less successful than in years past, SQL injection attempts continued to be the most prevalent event firing (55%) observed by Cisco Remote Management Services in 1Q11. Malware activity related to the MyDoom worm was the 10th most frequently RMS-observed IPS event in 1Q11, demonstrating that legacy malware can still pose a threat to unprotected systems and that old worms never really die.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Mary Landesman
    I am a graduate student researching attribution challenges. I would like to use some of the graphics in the Cisco 1Q11 Global Threat Report, with appropriate attribution. Please let me know if this would be possible.