The rise of crimeware

Nearly two billion people today use the Internet and in doing so, expose themselves to an extensive and growing number of malware threats.

CA researchers identified more than 400 new families of threats, led by rogue security software, downloaders and backdoors. Trojans were found to be the most prevalent category of new threats, accounting for 73 percent of total threat infections reported around the world. Importantly, 96 percent of Trojans found were components of an emerging underground trend towards organized cybercrime, or “Crimeware-as-a-Service.”

The most notable threats and trends of 2010 to-date include:

Rogue or fake security software: Also known as scareware or Fake AV, this category of malware continued its dominance in the first half of 2010. Google became the preferred target for distribution of rogue security software through Blackhat SEO, which manipulates search results to favor links to infected website domains.

Rogue security software displays bogus alerts following installation and coerces users into paying for the fake product or service. An interesting trend observed recently is the prevalence of rogue security software cloning, whereby the software uses a template that constructs its product name from the infected system’s Windows operating system version, further enhancing its perceived legitimacy.

Crimeware: 96 percent of Trojans detected in H1 2010 function as a component of a larger underground market-based mechanism which CA has termed “Crimeware-as-a-Service.” Crimeware essentially automates cybercrime by collecting and harvesting valuable information through a large-scale malware infection that generates multiple revenue streams for the criminals. It is an on-demand, Internet-enabled service that highlights cloud computing as a new delivery model. This crimeware is primarily designed for data and identity theft in order to gain access to users’ online banking services, shopping transactions, and other Internet services.

Cloud-based delivery: Research revealed cybercriminals’ growing reliance on using cloud-based web services and applications to distribute their software. Specifically, cybercriminals are using web and Internet applications (e.g. Google Apps), social media platforms (e.g. Facebook, YouTube, Flickr, and WordPress), online productivity suites (Apple iWorks, Google Docs, and Microsoft Office Live), and real-time mobile web services (e.g. Twitter, Google Maps, and RSS Readers).

For example, recent malicious spam campaigns pose as email notifications targeting Twitter and YouTube users, luring targets to click on malicious links or visit compromised websites. The Facebook ecosystem has been an attractive platform for abusive activity including cyberbullying, stalking, identity theft, phishing, scams, hoaxes and annoying marketing scams.

Social media as the latest crimeware market: CA Technologies recently observed viral activities and abusive applications in popular social media services such as Twitter and Facebook – the result of a strong marketing campaign in the underground market. A black market is evolving to develop and sell tools such as social networking bots. Underground marketers promote new social networking applications and services that include account checkers, wall posters, wall likers, wall commenters, fan inviters, and friend adders. These new crimeware-as-a-service capabilities became evident in the latest Facebook viral attacks and abusive applications that are now being widely reported.

Spamming Through Instant Messaging (SPIM): One new vector used to target Internet users is SPIM, a form of spam that arrives through instant messaging. There is an active proliferation of unsolicited chat messages on Skype.

Email spam trends: When examining email spam trends, the Internet Security team tracked the usage of unique IP addresses in an effort to determine the regions hosting the most prevalent spam bots. Based upon its observations, the EU region ranked as the number one source of spam at 31 percent, followed by 28 percent in Asia Pacific and Japan (APJ), 21 percent in India (IN), and 18 percent in the United States (US).

Mac OS X threats: Attackers’ interest in the platform persisted during the first half of 2010; the ISBU witnessed Mac-related security threats including traffic redirection, the Mac OS X ransomware ‘blocker’ and the notable spyware ‘OpinionSpy’.