Advanced malware techniques boost the underground economy

Symantec announced the launch of its MessageLabs Intelligence 2008 Security Report which details how 2008 was a pivotal year for the cyber security landscape as revolutionary advances in malware and spam techniques made their mark on the underground “shadow” economy.

Total spam levels peaked at 82.7 percent in February 2008 and averaged 81.2 percent for the year, compared with 84.6 percent in 2007. As much as 90 percent of spam was being distributed by botnets, including the notorious Storm (Peacomm) botnet, which appeared on the threat landscape in early 2007 and all but disappeared by the end of the year, giving way to rival botnets like Srizbi and Cutwail (Pandex), until community action in September and November resulted in the takedown of two U.S. ISPs blamed for hosting the command and control channels for some of the largest botnets, including Mega-D (Ozdok) and Srizbi, which had been responsible for about 50 percent of all spam. With the exception of Srizbi, the affected botnets have since found alternative hosting, resulting in a return to spam levels close to those before the takedowns, with rival botnets such as Cutwail and Rustock taking-up the slack left by Srizbi’s absence.

In 2008, spammers developed an affinity for spamming from large, reputable web-based email and application services by defeating CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) techniques to generate massive numbers of personal accounts from these services. In January, 6.5 percent of spam originated from these hosted webmail accounts, peaking in September when 25 percent of spam originated from these sources, averaging about 12 percent for the remainder of the year.

Complex web-based malware targeting social networking sites and vulnerabilities in legitimate websites, became widespread in 2008, resulting in malware being installed onto computers with no user intervention required. The daily number of new websites containing malware rose from 1,068 in January to its peak at 5,424 in November. The average number of new websites blocked daily rose to 2,290 in 2008 from 1,253 in 2007, largely due to increased attacks using SQL injection techniques.

As web-based attacks became more popular during 2008, email-based attacks rose by .15 percent compared with 2007. In 2008, 1 in 143.8 (0.70 percent) emails were malicious, compared with 1 in 117.7 (0.85 percent) for 2007. In addition, two distinct targeted attack patterns emerged during 2008. MessageLabs Intelligence noted the number of targeted Trojan attacks intercepted rose to 53 per day in 2008, peaking at 78 per day in April 2008, compared with one to two per week in 2005, 1 to 2 per day in 2006 and 10 per day in early 2007.

Emphasizing how threats of this kind have increased in popularity over the last year, one targeted Trojan spoofed the an organization involved with the Olympic Games in late July disguising malware hidden in a file attachment, using embedded JavaScript to drop a malicious executable program onto the target’s computer. The malware was sent to several participating nations’ sporting organizations and athletic representatives. Another targeted Trojan, distributed with the intent of corporate espionage, spoofed a well-known business organization purporting to relate to a complaint filed against the recipient, and involved approximately 900 targeted Trojans intended for senior executives worldwide.

Towards the end of 2008, the credit crisis generated many new finance related attacks as spammers and scammers sought to take advantage of the panic and uncertainty surrounding the changes on Wall Street and around the world.

Top Trends in 2008

Web Security: For 2008, the average number of new malicious websites blocked each day rose to 2,290 compared with 1,253 for 2007, an increase of 82.8 percent owing mostly to an increase in SQL injection attacks.

Spam: In 2008 the annual average spam rate was 81.2 percent, a decline of 3.4 percent on the 2007 statistic of 84.6 percent. In 2008, the majority of spam was made up of text-only or HTML content and an increasing proportion of spam originated from reputable web-based email and application service providers.

Viruses: The average virus level for 2008 was 1 in 143.8 emails (.70 percent) reflecting a .15 percent decrease on 2007 where levels averaged at 1 in 117.7 (.85 percent) emails. The decline can be attributed to the transition to spreading malware using malicious content hosted on websites and drive-by installs rather than favoring email as the primary means of distribution.

Phishing: The number of phishing attacks was 1 in 244.9 (.41 percent) emails across 2008, compared to 1 in 156 emails in 2007. Phishing activity peaked in February at 1 in 99.1, due partly to the increase in plug- and- play style phishing kits and the increased use of specialized botnets for phishing activity.