True to form, the industry that's boomed through the economic downturn is malware, with a number of new threats identified in the first six months of this year.
In December, Symantec offered a number of predictions for the year ahead and has come up with an updated six-month review.
The number of new malware variants continues to explode, the security company says, with Symantec security researchers blocking an average of more than 245 million attempted malicious code attacks across the globe each month. The vast majority of these are never-before-seen threats delivered via the Web.
Malware attackers continue to shift away from mass distribution of a small number of threats to micro distribution of millions of distinct threats. Many of these new strains of malware consist of thousands of distinct threats that come from known, unique families through a variety of methods such as file sharing, email and removable media. This creates the potential for an unlimited number of unique malware instances.
These new and emerging threats have given rise to the need for new, complementary detection methods such as heuristics, behavior blocking and reputation-based security models.
The global economic crisis has been the basis of many new attacks in 2009. Attacks have included phishing and spam attacks targeting the unemployed. In addition to the fictitious “work at home” schemes Symantec predicted last year, new variations targeting classifieds and job boards have also emerged. We continue to see scams that prey on people who have had homes foreclosed or are seeking mortgages or refinancing. In addition, a number of scams exploiting the US economic stimulus package have also occurred.
Social networking sites remain a popular target for phishers, who have come to appreciate the impact of using social context within their attacks. For example, there was a recent and well-publicised set of attacks on a popular social networking site, in which phishers took one compromised user account and used it as a launch pad for targeting that user’s friends. Another recent attack is a new game that appears on a popular blogging site. Participants are asked to reveal personal information about themselves, such as the street they grew up on or their mother’s maiden name. It all seems to be in good fun until the user realises that the operators of the “game” have collected some potentially lucrative information about the user.
In 2008, Symantec saw a 65% drop in spam between the 24 hours before the McColo shutdown and the 24 hours after, but predicted that levels would rise back to about 75% to 80%. In early June, Symantec reported that the FTC had worked with others to shut down the Internet service provider Pricewert LLC. While this was a good example of how security professionals can work together in the fight against cybercrime, spam volumes remained at a very high level throughout June, averaging 90% of all email messages. Recent events used by spammers have included the passing of Michael Jackson, the H1N1 flu outbreak and the Italian earthquake.
While Symantec predicted several trends for 2009, there were a number of additional trends observed in the first half of the year.
In the first half of 2009, some of the more recent and highly publicised threats incorporated attack methods used in previous years. The large-scale distribution of a small number of threats that was characteristic of the CodeRed and Nimda attacks was a component of the techniques employed by the Koobface worm, which continues to propagate via social networks, and the Conficker worm, one of the most complex and widely spread threats to hit the Internet in several years.
The vast majority of attacks in recent years have been financially motivated (e.g. stealing personal data, distributing rogue anti-virus, propagating spam). By contrast, and similar to attacks seen in earlier years, the purpose behind the recent Trojan.Dozer distributed denial of service (DDoS) attacks appears to be notoriety and/or mischief.
As older attack techniques continue to resurface in current threats, we believe that a multi-layered defense combining traditional detection methods with complementary detection such as reputation-based security models will be essential.
As attacks have become increasingly sophisticated, a greater level of industry coordination is required to quickly combat widespread threats. In February 2009, the formation of the Conficker Working Group, made up of technology industry leaders and academia, was announced in an effort to implement a coordinated, global response to the Conficker worm. Together with security researchers, the Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the domain name system, several industry vendors coordinated a response designed to disable domains targeted by Conficker.
We are likely to see additional collaborative efforts across industry, academia and government organisations to address today’s security threats.
Today’s attackers are increasingly sophisticated and organised, and continue to employ deceptive methods that imitate traditional business practices.
Malicious ads, or “malvertisements,” usually in the form of Flash ads, redirect the user to fake scan Web pages. Mainstream Web sites, as well as less reputable sites, are susceptible to these threats. Fake and misleading applications, also known as “scareware,” masquerade as antivirus scanners and promise to secure or clean a user’s computer.
Once installed, these misleading applications attempt to scare the user into believing that his or her computer is infected with dozens of threats, using constant pop-ups, task bar notification icons and the like. These applications usually start off with a fake scan of the system and then proceed to report non-existent threats. The goal is to lure the user into buying the fake product, which promises to clean up all of those made-up threats.
Those who fall for the bait are usually redirected to an order page, where they are pressed for payment.