2008 Annual Security Report

Table of Contents
1 Executive Summary and Overview 5
2 At a Glance: 2008 in Review 6
3 Spam: Top Threats of 2008 7
3.1 Spam Summary 7
3.2 New Techniques, changes etc 10
3.2.1 CAPTCHA Breaking 13
3.2.2 Social Networking Spam 22
3.2.3 IM Spam and Malware 24
3.2.4 Botnets – evolutions (part 1: spam) 25
4 Malware: Top Threats of 2008 30
4.1 Malware Summary 30
4.2 New Techniques, changes etc 31
4.2.1 Botnets – evolutions (part 2: malware) 32
4.2.2 Web-based Threats 32
4.2.3 Policy Controls – Legal Liability and Unsecured Web Access 34
4.2.4 Social Networking Malware 34
4.3 Targeted Attacks 36
4.4 Malware predictions for 2009 40
5 Fraud, Scams and Phishing: Top Threats of 2008 41
5.1 Phishing Summary 41
5.2 New Techniques, changes etc 41
5.2.1 Social Engineering 42
5.2.2 Advance-Fee Fraud, 419s 43
5.2.3 Botnets – evolutions (part 3: fraud, phishing) 45
5.3 Phishing predictions for 2009 46
6 Global and Business: Top Threats of 2008 48
6.1 Geographic breakdown: top-5 countries and industries targeted 48
6.1.1 Spam 48
6.1.2 Email Malware 48
6.2 Malware: top-5 threats 48
6.2.1 Email 48
6.2.2 Web 48
7 Conclusions 49
7.1 Cloud-based threats: Cloud-based solution 49
7.2 Key Emerging Markets – BRIC (Brazil, Russia, India and China) 49
About MessageLabs Intelligence & Symantec 51

1 Executive Summary and Overview

Welcome to this 2008 annual security report, in which we review the threat landscape over the last year. 2008 was a pivotal year for the cyber security landscape, as revolutionary advances in malware and spam techniques first appeared.
We will see them continue to transform the underground1 “shadow” economy in 2009.
In this report we take a closer look at the major factors and key developments over the course of the year and their impact on the security landscape, looking ahead to 2009 to provide insight into key threats and areas of concern.
The key points to note from this report include the following:
Total spam levels peaked at 82.7% in February 2008 and averaged 81.2% for the year, compared with 84.6% in 2007.
Approximately 90% of spam was being distributed by botnets, including the notorious Storm (Peacomm) botnet, which appeared on the threat landscape in early 2007 and all but disappeared by the end of the year, giving way to rival botnets like Srizbi and Cutwail (Pandex). Community action in September and November resulted in the takedown of two U.S. ISPs blamed for hosting the command and control channels for some of the largest botnets, including MegaD (Ozdok) and Srizbi, which until then had been responsible for about 50% of all spam. With the exception of Srizbi, the affected botnets have since found alternative hosting, resulting in a return to spam levels closer to those before the takedowns, with rival botnets such as Cutwail (Pandex) and Rustock taking up the slack left by Srizbi’s absence.
In 2008, spammers developed an affinity for spamming from large, reputable web-based email and application services by defeating CAPTCHA2 techniques to generate massive numbers of personal accounts from these services. In January, 6.5% of spam originated from these hosted webmail accounts, peaking in September when 25% of spam originated from these sources, averaging about 12% for the remainder of the year.
Complex web-based malware targeting social networking sites and vulnerabilities in legitimate websites became widespread in 2008, resulting in malware being installed onto computers with no user intervention required. The daily number of new websites containing malware rose from 1,068 in January to its peak at 5,424 in November. The average number of new websites blocked daily rose to 2,290 in 2008 from 1,253 in 2007, largely due to increased attacks using SQL injection techniques.
As web-based attacks became more popular during 2008, email-based attacks rose by 0.15% compared with 2007.
In 2008, 1 in 143.8 (0.70%) emails were malicious, compared with 1 in 117.7 (0.85%) for 2007. In addition, two distinct targeted attack patterns emerged during 2008. MessageLabs Intelligence noted that the number of targeted Trojan attacks intercepted rose to 53 per day in 2008, peaking at 78 per day in April 2008, compared with one to two per week in 2005, one to two per day in 2006 and 10 per day in early 2007.
Finally, phishing underwent some notable transformations in 2008 as attacks from specialized botnets became commonplace. Toward the end of 2008, the credit crisis generated many new finance related attacks as spammers and scammers sought to take advantage of the panic and uncertainty surrounding the changes on Wall Street and around the world.
1 For more information on the underground “shadow” economy, please read the Symantec Report on the Underground Economy XII, downloadable here: www.symantec.com/en/uk/about/news/release/article.jspprid=20081124_2
2 CAPTCHA stands for “Completely Automated Public Turing test to Tell Computers and Humans Apart.”

2 At a Glance: 2008 in Review

Email spam intercepted: top 5 countries
Hong Kong 81.3%
Switzerland 79.8%
France 78.3%
Austria 78.2%
Israel 76.9%

Email viruses intercepted: top 5 countries
Switzerland 1.45% (1 in 69.0)
France 1.34% (1 in 74.4)
Hong Kong 1.10% (1 in 91.3)
India 1.09% (1 in 91.6)
United Kingdom 1.00% (1 in 99.8)

Email viruses intercepted: top 5
Exploit/Link-aliaspostcard 13.8%
Link/HackedPacker-pe 9.9%
Exploit/Link.gen 9.8%
Link/HackedPacker-Malprotector 5.9%
Exploit/SuspiciousLink 5.2%

Email spam intercepted: top 5 industries
Manufacturing 80.7%
Education 78.0%
Agriculture 77.7%
Non-Profit 77.4%
IT Services 76.6%

Email viruses intercepted: top 5 industries
Education 1.95% (1 in 51.)
Accom/Catering 1.66% (1 in 60.2)
Gov/Public Sector 0.96% (1 in 104.)
Marketing/Media 0.88% (1 in 113.)
Chem/Pharm 0.85% (1 in 117.)

A CAPTCHA* is the technology used to conduct a simple test for checking whether the user is human or an automated computer program, such as a bot. Spammers place a premium on using accounts from major, free, reputable web-based email and application service providers, as spam is less likely to be blocked. In January 2008, 6.5% of spam was sent from accounts created in this way. By November this increased to 12%.

[Chart: Websites blocked hosting malicious content and spyware (per day), Jan to Oct 2008; series: New sites with spyware, New sites with web viruses]

In 2008, vulnerabilities and weak security in Web applications were being exploited by criminals to deploy web-based malware more widely. New toolkits, SQL injection attacks and specialized botnets were able to seek out websites with weak security and target them.

Web viruses intercepted: top 5
W32/Winko.worm!cfg 27.6%
Iframe 22.7%
New Malware.f 7.0%
Generic Downloader.bk 4.2%
JS/ForcePopup.A 4.0%

Web access blocked by policy: top 5
Advertisements & Popups 49.7%
Chat 21.3%
Streaming Media 5.1%
Games 2.6%
Personals & Dating 1.9%

Web potentially unwanted programs intercepted: top 5
PUP:Server FTP.Win32.Tftpd 57.3%
PUP:SaveNow 10.5%
PUP:WhenU 6.5%
PUP:MyWeb Search 3.6%
PUP:Remote Admin.Win 3.4%

* CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart."

MessageLabs Intelligence draws on the billions of messages processed through the MessageLabs network every day to provide real-time data and analysis. www.messagelabs.com

3 Spam: Top Threats of 2008

3.1 Spam Summary

The overall spam trend for 2008 shows a marked decrease toward the end of the year, with an average of around 81.2%, compared with 84.6% for 2007.
2007 was characterized by the rapid progression of attachment spam, such as .PDF files, Office documents and even .MP3 audio files, as reported in the MessageLabs 2007 Annual Security Report. But the use of different file attachments didn’t continue into 2008 as expected. Instead, broken CAPTCHAs became the valuable keys to the spam kingdom.
CAPTCHA stands for “Completely Automated Public Turing test to Tell Computers and Humans Apart.” A CAPTCHA is the technology used to conduct a simple test for checking whether the user is human or an automated computer program, such as a bot.
Spammers place a premium on using accounts from free, reputable Web-based email and application service providers, as spam from these domains is less likely to be blocked, especially when being sent between each of the services.
Because the messages are carried by each service’s own mail servers, they are authenticated correctly, thus relying on the trust hierarchy that exists between them.
[Chart: Average global proportion of spam in email traffic; y-axis spam rate (45% to 95%), x-axis years from 2005]

With the credit crisis affecting consumers and businesses, spammers and cyber-criminals sought to take advantage of the resulting panic and uncertainty. To capitalize, spammers increased the number of finance-related emails, including phishing attacks targeting banks and credit unions, lottery scams, loan and job offers and other financial enticements.
In late 2008, speculation about the future of many global banks ensued. Phishers exploited this uncertainty by increasing the volume of phishing emails targeting banks involved in proposed mergers and acquisitions, making reference to news of anticipated takeovers in their messages. Scammers swiftly updated their templates to reference other banks as news of which banks were involved in mergers changed.
[Figure: Example of phishing attack exploiting the financial crisis at the end of]

Legal Intervention

Responding to the increase in these email scams, law enforcement, federal agencies and ISPs have worked more closely together to identify, isolate and in some cases terminate the operations of some very prolific spammers.
Law enforcement has also stepped in to arrest notorious spammers. In January, following a three-year federal investigation, U.S. authorities indicted3 spammer Alan Ralsky and 10 others for involvement in a “sophisticated and extensive” spamming operation that allegedly netted $3 million. Ralsky and his team purportedly launched a series of stock spam scams using botnets to send millions of spam emails daily over a 20-month period. Ralsky frequently topped the Spamhaus list of the worst spammers and had been implicated in sending stock spam as part of an aggressive pump-and-dump campaign to promote low-value stocks and shares, including those of Chinese companies.
After Ralsky’s arrest, stock spam levels fell to their all-time lowest level, less than 2% of all spam. However, as expected, the decrease was temporary and overall spam levels soon rose again.
In October, three New Zealanders were arrested4 following an anti-spam investigation conducted by the New Zealand Department of Internal Affairs, which worked closely with other international agencies. A business based in Christchurch, a major city in New Zealand, allegedly recruited affiliates worldwide to send spam offering pharmaceutical products and watches. The investigation began in December 2007, and the three men involved now face possible penalties of NZ$200,000 for violating a September 2007 anti-spam law.
In the same month, the U.S. Federal Trade Commission (FTC) froze the assets and halted the operations of HerbalKing, a major international spam network alleged to have promoted prescription drugs, weight-loss pills and male-enhancement products and other herbal remedies. The network was identified as the “largest spam gang in the world” by the anti-spam organization Spamhaus. The FTC received more than 3 million spam complaints linked to this operation, estimated to have been responsible for billions of spam messages worldwide.
3 For more information on this case, please visit: www.usdoj.gov/criminal/cybercrime/ralskyIndict.htm
4 For more information on this case, please visit: www.dia.govt.nz/press.nsf/d77da9b523f12931cc256ac5000d19b6/fc151f926dba2cc2574e200723e07!OpenDocument

In a more curious example, a German radio network uncovered documents revealing that DarkMarket5, an online marketplace for identity theft and credit card fraud, had been secretly run by the FBI for the past two years, until its voluntary shutdown in October 2008. Purportedly, cyber-criminals frequented DarkMarket as a forum to meet and conduct shady business deals in what they believed to be a trusted environment. Criminals could trade banking logins collected from phishing attacks, swap personal data used to conduct identity fraud and trade stolen credit card details.
In a similar sting in 2004, the U.S. Secret Service took over the online criminal forum, ShadowCrew, which also yielded a number of arrests.
Several major botnets were disrupted in September 2008 and again in November 2008, when Intercage and McColo, two California-based ISPs, were “de-peered6,” or disconnected from the Internet by their upstream providers. Both ISPs were responsible for hosting the command and control (C&C) channels for a number of major botnets, and their disconnection diminished the flow of spam for several days.
As law enforcement investigations result in further arrests, spammers will become more cautious about drawing attention to their operations. Spammers may begin to actively cleanse their address databases for the purpose of removing suspicious honeypot domains and defunct addresses. This will help ensure that they can maximize their resources and only send spam to genuine recipients.
Spam Trends - Shorter Spam Messages, News Headlines Inspire Spammers

Following its peak at 20% in summer 2007, image spam declined to less than 2% of spam during 2008. The majority of spam is now made up of text-only or HTML spam. Spam messages have also become shorter and terser, containing only one or two sentences and usually a link to a Web site. This makes it much harder to identify the true nature of the spam message using anti-spam techniques that rely on contextual analysis of the words in the message.
During the latter half of 2008, and prior to the disruption in November of the botnets responsible for much of the spam in circulation, spam messages had become shorter and predominantly used plain text or HTML content. With greater capacity available to the botnets, many of the individual spam runs had also increased in volume.
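The two filtering problems described above, spam relayed through a reputable provider's own mail servers (so SPF/DKIM pass for the provider's domain) and short link-only bodies that give contextual word analysis little to work on, are illustrated by the following added example. It is not code from the report or from MessageLabs; the provider domain, addresses and messages are constructed, and the burst and word-count thresholds are assumptions.

```python
# Added example, not from the MessageLabs report. An SPF/DKIM pass for a shared
# webmail domain vouches for the provider's servers, not for the self-registered
# account behind them, so reputation is tracked per account there. Short bodies
# with a link are flagged separately. All domains and messages are constructed.
from collections import Counter

SHARED_WEBMAIL_DOMAINS = {"freemail.example"}  # constructed provider domain

def reputation_key(msg):
    """Identity whose reputation a filter may consult for this message."""
    sender = msg["from"].lower()
    domain = sender.rsplit("@", 1)[-1]
    if msg["spf"] != "pass" and msg["dkim"] != "pass":
        return "unauthenticated"
    # A pass for a shared provider only proves its servers relayed the mail;
    # the account is the unit of trust there, not the domain.
    return sender if domain in SHARED_WEBMAIL_DOMAINS else domain

def looks_link_only(msg, max_words=12):
    """Short body plus a URL: too little text for contextual word analysis."""
    return msg["links"] >= 1 and len(msg["body"].split()) <= max_words

def triage(msgs, burst=3):
    """Return {message id: verdict} for a batch of messages (assumed thresholds)."""
    per_key = Counter(reputation_key(m) for m in msgs)
    verdicts = {}
    for m in msgs:
        key = reputation_key(m)
        if key == "unauthenticated":
            verdicts[m["id"]] = "reject"
        elif "@" in key and (per_key[key] >= burst or looks_link_only(m)):
            verdicts[m["id"]] = "quarantine"  # likely abused webmail account
        else:
            verdicts[m["id"]] = "accept"
    return verdicts

SAMPLE = [  # constructed: one webmail account sending a burst of link-only mail
    {"id": i, "from": "acct0001@freemail.example", "spf": "pass", "dkim": "pass",
     "links": 1, "body": "Hi, check this out: http://example.invalid/x"}
    for i in (1, 2, 3)
] + [  # constructed: a normal webmail user and an authenticated partner domain
    {"id": 4, "from": "alice@freemail.example", "spf": "pass", "dkim": "pass",
     "links": 0, "body": "Thanks for the notes yesterday, the revised agenda is attached for the team to review before Friday."},
    {"id": 5, "from": "ops@partner.example", "spf": "pass", "dkim": "none",
     "links": 1, "body": "Ticket update: see http://example.invalid/t/42"},
    {"id": 6, "from": "ops@partner.example", "spf": "fail", "dkim": "none",
     "links": 0, "body": "hello"},
]
```

Calling `triage(SAMPLE)` quarantines the three messages from the burst account while accepting the ordinary webmail user, because the pass result is credited to the account rather than to the whole provider domain.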