With email more ubiquitous than the telephone at this time of year and one in 100 emails containing a virus, people are unwittingly receiving viruses on a daily basis. During the holiday season, the bad guys will seize the opportunity to disguise their attacks capitalising on an increase in genuine well-wishing e-postcards and the anticipated upsurge in online shopping. To compound this when we return to work in the New Year more often than not we do so to an inbox cluttered with holiday emails and spend the first few days checking messages and surfing the web with a little less caution.
Historically, this is a time when a new breed of attacks emerge.
Botnets come of age
On January 19 2007, MessageLabs intercepted the first copies of the “Storm” trojan, taking its name from the emails purporting to relate to news items about the weather conditions battering Northern Europe at the time. Over that weekend, MessageLabs stopped more than a million copies, with many different variants. Its chief purpose appeared to be for the creation of a new botnet.
2007 proved to be a prolific year for this StormWorm with its botnet now estimated to comprise approximately 1.8 million computers worldwide. The botnet has been used to send spam, host phishing sites and also launch DDoS (distributed denial of service) attacks against rival sites, including Warezov.
A DDoS attack occurs when a large number of requests are made to the same web site in such a volume that the web server is unable to respond to legitimate requests and the site becomes unavailable. Not since the Bagle, Netsky, MyDoom botwars of 2004 have two rival spam gangs attacked each other so openly on the world stage.
These newer style botnets have become much more resistant to disruption and interference than their predecessors, and are almost self-healing in their ability to recover from any interference. They are able to use DDoS attacks as a form of self-defence when they detect any prying. Traditional botnet countermeasures are not very effective against these new breeds and new methods had to be devised.
Storm botnet attacks included outreach with both attachments and the increase in web links as a new attack vector.
Similarly 2006 kicked off with a sharp rise in targeted attacks. Previously, targeted, personalised attacks were predominantly directed at public sector bodies, military organisations and other large businesses particularly in the aerospace, petroleum, legal, and human rights fields. But as we entered 2006, no industry sector could be considered safe.
Most of the early attacks preyed on vulnerabilities in Microsoft Word, but these attacks soon progressed to exploit Microsoft PowerPoint and Excel, however Microsoft Word still remains the main vector for attack with 69 per cent of attacks preferring this vehicle.
Each targeted attack is very much tailored to particular needs in terms of which exploit is used, the social engineering techniques employed as well as which source IPs are used and what the targets will be. Generically, there is no single feature that could distinguish a targeted attack from a low-scale trojan deployment. However preventing targeted attacks automatically is still possible since they expose themselves in similar ways to other malware.
Throughout 2006 MessageLabs continued to observe an increase in the level of sophistication in the nature of the targeted attacks facing businesses worldwide. The number of targeted attacks rose from one per week in 2005, to approximately two per day in 2006 and since early 2007, MessageLabs has intercepted around 10 targeted attack attempts daily
Virus Predictions for New Years
2006 was also the first year that passed without being punctuated by a really major virus outbreak on the scale of Sobig, Mydoom or Netsky. The almost notable exception was the New Year’s rather bland Nyxem.E (a.k.a. MyWife.D, Blackworm or Kama Sutra). This virus was unique in that each infected computer generated a request to a web page, and in this way Nyxem.E represented an opportunity to track the spread of the virus, and also the scale of the clean-up operation that quickly followed. MessageLabs intercepted more than four million copies of Nyxem.E during the first week of the outbreak.
During 2007 a number of major new players began to dominate the threat landscape; cyber-criminals who may be perceived as inspirational to their more amateur peers. Responsible for one of the largest botnets in the world, the Storm botnet is an experienced and professional team which MessageLabs predicts will have further impact early in 2008, through its own activities and the antics of new players attracted to the buoyant market.
MessageLabs experts also anticipate targeted attack attempts of increased sophistication during early 2008. 2007 was undoubtedly the year of targeted attacks with levels rising from 10 per day in May to levels in excess of 1,100 within 16 hours in September. With the rewards obviously outweighing the research required to develop such targeted and personal attacks.
Tis’ the season to be Spaming
One of the main drivers of the increased spam towards the start of 2007 was from a trojan dubbed “SpamThru”. This trojan is responsible for a great deal of the botnet activity behind increased levels of spam over the Christmas/New Year period. Analysis of SpamThru shows that the SpamThru makers are releasing new strains at regular intervals in order to bypass traditional anti-virus signature detection. Using the “spam cannon” technique, SpamThru utilises a template for each spam it sends and by combining it with a list of email addresses; each zombie is then able to pump out millions of spam emails.
It is not only botnet technology that has evolved; spam also has become more inventive. In 2007 spammers waged stock pump-and-dump campaigns on the public using Adobe Acrobat PDF format files in order to evade traditional defences. Later in the year this moved up a gear by using other file attachment formats, including Microsoft Excel, Word, ZIP and more notably, MP3. The latter example comprised of an audio file attachment where the recipient could at last listen to the spam message being relayed to them
Spam Predictions for 2008
The cyber-criminals toolboxes will continue to expand as we enter 2008 as more file attachments and approaches are adopted. Towards the end of 2007 we saw MP3 files used for the first time for stock spam purposes. MessageLabs experts predict that video file formats will be the next on the cyber-criminals list of scams, and spammers will follow the example of malware writers with PowerPoint attachments.
As spammers learn from the virus writers’ targeted approach, MessageLabs predicts that spam will increase in intelligence in early 2008. Spam-run sizes will remain vast but the content will be more targeted and stickier with the end goal of increasing the currently very low conversion rate.
As with spam, phishing email is typically seasonal showing a marked increase in activity in the run up to Christmas and the New Year. 2008 is no exception and Messagelabs has observed phishing activity early projections indicate that levels will reach a high of approximately 1 in 70 messages December - January.
If you are dependent on anti-virus and anti-spyware software to protect you (instead of a managed service that is always up to date), it’s critical that you keep this software up to date during the holidays and download all available updates. In addition, MessageLabs recommends a few basic tips to be safe online this holiday new year season:
1. Be skeptical of all unsolicited email. By far the most common type of phishing email being sent at the moment will be worded in an urgent or overly dramatic tone, prompting the recipient to take immediate action such as confirming online account details for a bank or other portals such as eBay or Paypal. It is important to keep in mind that no online bank or portal would ever solicit personal information in this manner. Also be wary of "spoofed" messages. Even though the sending domain (e.g. mybank.com) may appear to be legitimate, unless the message is correctly digitally signed there is no guarantee that the message is not a fake.
2. Don’t be fooled by a personally addressed email. In the past it was uncommon for phishing type messages to be personalised however this situation is changing - again always be skeptical of an unsolicited message, even if it appears to be personally addressed to you.
3. Check the security of the website and keep your browser up to date. Be sure to confirm the integrity of the host site. Secure connections are denoted with a https:// at the beginning of the address bar rather than just http:// and the "padlock" icon should appear and the bottom right of your browser window. In addition ensure you browser is running the most up-to-date version of the browser and that your security settings are active - if using Microsoft's Internet Explorer you can check for updates via the following url: http://www.microsoft.com/security/
4. Never click on links within an un-trusted email. Avoid clicking on any links within an email that you think may not be authentic. Similarly avoid completing any online forms requesting financial information unless you can be absolutely sure of the integrity of the host site.
5. Check your online accounts regularly. Do not allow long periods in-between checking your online account details. Check them as regularly as possible and if you see any suspicious transactions contact you bank or the company immediately.
Mark Sunner is the Chief Security Analyst for MessageLabs
A new year’s security resolution
By Mark Sunner on Jan 8, 2008 3:16PM