Spam still popular
Spam remains a significant problem for business, with Sophos research revealing that an incredible 97 percent of all business email is spam. Sophos receives millions of new messages every day from its global network of spam traps.
Spam by country
Spam was sent from 240 countries in 2008. The US has decreased its contribution to the spam problem, relaying 17.5 percent of all spam compared to 22.5 percent in 2007. However, it still has much work to do to tackle the problem.
Top 12 spam relaying countries for 2008:
US 17.5%
Russia 7.8%
Turkey 6.9%
China (inc HK) 6.0%
Brazil 4.4%
South Korea 3.7%
Italy 3.3%
UK 3.1%
Poland 3.0%
India 2.9%
Spain 2.8%
Germany 2.7%
Other 35.9%
The US then is still responsible for most of the world’s unwanted emails – some of which will have malware attached, or link to malicious or infected websites. Most of this spam will come from unwitting home users, whose computers are part of a botnet.
However, the botnet problem is truly global. It is clear that more computers require up-to-date anti-virus protection and the latest security patches, and that the general public needs to be better educated about how to avoid putting their personal data and computers at risk.
Are you a spammer?
Virtually all spam comes from compromised computers (called “bots” or “zombies”) that have been successfully attacked and now, unbeknown to their owners, are sending out large volumes of spam, launching distributed denial-of-service attacks, or stealing confidential information.
Having up-to-date anti-virus protection, installing and running a firewall, and ensuring that all security patches are in place for both the operating system and any installed applications will significantly lower the likelihood of being compromised.
Sophos ZombieAlert™ Service [32] identifies business computers that have been hijacked and which are sending out emails on behalf of the spammers.
Spam by continent
Asia delivers more than one-third of all spam, and when combined with Europe accounts for almost two-thirds of the world’s unwanted emails.
Spam relayed by continent in 2008:
Asia 36.6%
Europe 27.1%
North America 20.7%
South America 13.4%
Africa 1.1%
Oceania 0.7%
Unclassified 0.4%
Blog spam
Spam is not just sent via email. Increasingly, internet blogs, which invite visitors to leave comments, are also used, typically by automated bots that hunt for vulnerable pages.
It is estimated that over 85 percent of all submitted blog comments are in fact spam [33], although many blogs use free tools to try to filter it out before publication.
Spam and social networks
Spammers proved themselves to be unafraid of trying new methods of distributing their marketing messages and malware during 2008. Social networking websites, such as Facebook and Twitter, have become increasingly popular with them.
Typically, hackers steal members’ usernames and passwords and then bombard the victims’ friends and family with thinly disguised marketing messages, directing them to third-party webpages.
An interesting trend has also emerged in exploiting social networks. Conmen are breaking into innocent Facebook accounts to pose as an individual. They then spam out messages to that person’s friends claiming that while holidaying in a foreign city, they have been mugged and lost their wallet and return airline ticket. They then ask for funds to be wired to them via Western Union [34].
Computer users who would normally be suspicious of similar emails arriving in their regular inbox may be more susceptible when they are communicated via Facebook from a contact they believe to be a friend. Scammers can exploit the network further by having an ongoing conversation with their intended victim, using information from the compromised account. For instance, if the owner of the hacked account has told his Facebook friends via a status message that he is traveling to a particular country, it makes the story of the mugging all the more believable.
Internet users need to become more sceptical and cynical about such messages if they are going to avoid such confidence tricks in the future.
In November 2008, Facebook was awarded US $873 million in a court judgement against a Montreal-based spammer who was said to have sent more than four million messages to its users via compromised accounts [35]. Sophos has seen an escalation in the amount of spam being sent via social networking websites and expects to see this continue to rise.
Other trends in spam
“Newsletter” spam is proving a popular method of delivery, with spammers copying the templates and design of legitimate email newsletters. Hackers also use webmail accounts like Gmail, Hotmail and Yahoo to spew spam to the world, having broken the CAPTCHA (completely automated procedure for telling computers and humans apart) system.
Sophos.com
Saturday, February 28, 2009
Friday, February 27, 2009
2009 Security threat report: Malware

Fear of infection
One significant method used by cybercriminals to make money during 2008 was the use of fake anti-virus software, also known as scareware or rogueware. Such attacks prey on IT security fears and fool users into believing their computer has a problem when it has nothing of the kind.
Typically, scareware is planted on websites in the form of pop-up adverts, or disguised downloads. However, there have also been occasions when hackers have spammed out scareware, or links to it, using traditional social engineering tricks to fool users into clicking on the attachment or link. In just one of its spam traps, Sophos detected approximately 5000 such emails every day.
Scareware-linked websites often carry security software that pretends to be bona fide, complete with bogus reviews concerning its fake effectiveness at killing off viruses. Sometimes the websites steal users’ credit card details.
Hacking gangs have become proficient at rapidly producing professional-looking bogus websites posing as legitimate security vendors. On average Sophos identifies five new scareware websites every day, with the figure rising to over 20 a day on occasions. Even established security brands such as Norton AntiVirus [18] and AVG have been targeted.
Some legitimate software companies may even be embroiled in the scams, with rogue advertising affiliates using scareware to increase sales of the legitimate product.
The motivation for the gangs responsible for the scareware problem is apparent in the case of Lee Shin-ja, the former CEO of a Korean anti-virus company. Lee is said to have earned over US $9.8 million since 2005 with a free antispyware program that displayed fake security warnings and directed users to purchase her company’s Doctor Virus clean-up solution [19].
It is worth noting that the scareware problem is not limited to Windows computers. In February 2008, Sophos encountered scareware campaigns that targeted both Windows and Apple Mac users [20].
Malware on the move
Malware transferred via USB memory sticks is also on the rise. Perhaps the most bizarre USB malware-related story which emerged during 2008 was that of astronauts infecting computers on the International Space Station because of lax security measures [21].
Malware attacks via social networking
2008 saw much more interest in using social networking websites to spread malware. In August, Facebook admitted that up to 1800 users had had their profiles defaced by an attack that secretly installed a Trojan while displaying an animated graphic of a court jester blowing a raspberry [22, 23].
Facebook members are also receiving messages from friends’ hacked accounts via the social network, linking to third-party websites designed to infect the recipient’s computer [24]. Hackers have found value in compromising Facebook accounts, stealing usernames and passwords, and then using the profiles as a launching pad for mass-distributing malware attacks and spam [25].
There are also third-party Facebook applications designed to present irritating pop-up adverts [26]. However, these appear to have become less of a threat since Facebook changed its user interface, making third-party applications less prominent.
Exploiting wider programs
Instead of simply looking for operating system and browser vulnerabilities to exploit, hackers are also exploring security holes in other widely used programs and tools such as Adobe Flash and PDFs.
The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build web attack pages incorporating booby-trapped code. The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date.
In addition, there was a 46 percent increase in the amount of kernel mode rootkits during 2008. These rootkits attempt to evade detection by traditional security products by cloaking themselves using sophisticated low-level operating system techniques.
Malware by location
Research by SophosLabs identified malware written in a total of 44 different languages, although it was not possible to extract location information on 47.9 percent of the malware samples examined.
China accounts for 11.6 percent of all malware. This is a smaller proportion than 2007 when the republic’s hackers accounted for 21 percent of malicious code identified as coming from a particular region. The exact language breakdown is:
- English-speaking world – 24.5 percent
- Chinese – 11.6 percent
- German – 3.7 percent
- French – 3.1 percent
- Russian – 3.0 percent
- Brazilian Portuguese – 1.6 percent
- Other – 4.6 percent
Much of the Chinese malware takes the form of backdoor Trojans, but there is also a proportion of Chinese malware whose motive is to steal passwords from online gamers.
The majority of malicious code written in Brazil is Trojans designed to steal information from online banks. Russian hackers, meanwhile, appear to be concentrating largely on creating botnets and opening backdoors to give cybercriminals remote access to compromised computers.
A tale of three internet companies
Atrivo
This Californian-based ISP (also known as Intercage) was disconnected from the internet in September after evidence was published showing that large parts of its network were being used to peddle fake anti-virus software (or scareware) and malware [27].
ESTDomains
Shortly afterwards, questions were raised about Vladimir Tsastsin, an ethnic Russian living in Estonia [28]. Tsastsin was the founder of EstDomains, a domain registrar service and, coincidentally, a customer of Atrivo. His company was accused of providing a safe harbor to criminals registering domains for malicious activity, ensuring that their activities were not shut down when EstDomains received abuse reports.
After the Estonian government pressed charges against Tsastsin for credit card fraud, money laundering and other offences, ICANN withdrew his firm’s license as a domain registrar.
McColo
Another Russian-owned network, McColo was widely believed to be hosting command and control centres for five major botnets: Srizbi (Zlob), Mega-D, Rustock, Dedler and Storm.
When McColo was disconnected from the internet at 13.23 on 11 November 2008 [29], the botnets went offline resulting in a huge drop in spam levels. Spam volumes plunged 75 percent [30] immediately after McColo was taken offline. Since then hackers have tried to regain control of these botnets, with some success [31].
It has been shown by these examples that the security community working together can severely disrupt cybercriminal activities on a global scale. Indeed, the takedown of McColo has had more of an impact on global spam levels (even if temporarily) than any hacker arrest by the authorities has ever achieved.
Sophos.com
Thursday, February 26, 2009
2009 Security threat report: Email threats
Attachment-based threats on increase
In recent years, the number of threats spread via email attachment has declined.
Average proportion of emails with infected attachments, by year:
2005 1 in 44
2006 1 in 337
2007 1 in 909
2008 1 in 714
However, while web-based threats have tended to dominate the malware agenda in the last 12 months, there were five times as many malicious email attachments at the end of 2008 than at the beginning.
The increase is most apparent when shown by month – from a low of 1 in 3333 in the first quarter of the year to a high of 1 in 200 by September.
Percentage of infected email attachments in 2008, month by month:
Jan 0.05% (1 in 2000)
Feb 0.04% (1 in 2500)
Mar 0.03% (1 in 3333)
Apr 0.04% (1 in 2500)
May 0.03% (1 in 3333)
Jun 0.03% (1 in 3333)
Jul 0.05% (1 in 2000)
Aug 0.17% (1 in 588)
Sep 0.50% (1 in 200)
Oct 0.39% (1 in 256)
Nov 0.26% (1 in 384)
Sophos identified that much of this increase can be attributed to several large-scale malware attacks made by spammers from August 2008 onwards. High profile attacks during this period included the Invo-Zip Trojan horse which masqueraded as a notice of a failed parcel delivery from firms such as FedEx and UPS [10], the Agent-HNY Trojan that was spammed out disguised as the Penguin Panic Apple iPhone arcade game [11], and the EncPk-CZ Trojan, which pretended to be a Microsoft security patch [12].
Top 10 email attachment-based malware for 2008:
Troj/Agent 31%
Troj/Invo 18.1%
Mal/EncPk 13.8%
W32/Netsky 4.4%
Troj/Pushdo 4.3%
Troj/Doc 2.9%
Troj/FakeVir 2.2%
Mal/Iframe 1.8%
Troj/VidRar 1.6%
Troj/DwnLdr 1.5%
Other 18.4%
The scale of the email attacks in the second half of 2008 can be seen in the Pushdo Trojan [13] (which posed as naked pictures of Angelina Jolie and Nicole Kidman) that accounted for 31 percent of all reports in the first half of the year.
Troj/Agent’s and Troj/Invo’s rapid dominance of the email attachment-based malware chart – accounting for almost 50 percent – is notable for outstripping the Netsky worm, which has consistently plagued the higher positions of the chart since it was released in early 2004 [14]. Whereas Netsky contains self-replicating code to duplicate itself and spread across the internet, the Agent and Invo Trojans cannot travel under their own steam but rely on spam – usually from a compromised computer.
Malicious links
As well as using malicious email attachments, cybercriminals continue to embed malicious links in emails and spam out creative and timely attacks designed to prey on users’ curiosity.
For example, in August 2008 Sophos warned of a widespread wave of spam messages claiming to be breaking news alerts from MSNBC and CNN [15]. Each email encouraged users to click on a link to read the news story, but instead took them to a malicious webpage that infected Windows computers with the Mal/EncPk-DA Trojan.
In September 2008, an email was widely spammed containing a link to what was said to be a pornographic video of US presidential candidate Barack Obama [16]. However, the webpage really installed the Mal/Hupig-D malware.
On the day after Obama’s presidential victory, another spammed-out malware campaign invited recipients to click on a web link to watch a video of the successful Democratic candidate [17]. In reality, visiting the website could lead to information being stolen from the victim’s computer and sent to a server in Kiev in the Ukraine.
Sophos.com
Wednesday, February 25, 2009
2009 Security threat report: Web threats
Exploiting legitimate websites
In the last couple of years the web has become a major vector of attack for cybercriminals, replacing their previous reliance on email systems. By exploiting poorly secured legitimate websites hackers have been able to implant malicious code onto them, which then attempts to infect every visitor. One of the reasons the web is so popular is that legitimate websites can attract large numbers of visitors, all of whom are a potential victim.
Many well known organizations and brands have fallen victim to this kind of attack during 2008. Both large and small organizations have been targeted, emphasizing the importance of proper web security across the board.
January 2008: Thousands of websites belonging to Fortune 500 companies, government agencies and schools were infected with malicious code.
February 2008: UK broadcaster ITV was the victim of a poisoned web advert campaign, designed to deliver scareware to Windows and Mac users.
March 2008: A site selling tickets for the Euro 2008 football championship was hacked [2], while anti-virus firm Trend Micro found some of its webpages had been compromised.
April 2008: Cambridge University Press’s website was compromised so that visitors to its online dictionary were subject to unauthorized hacker scripts.
June 2008: As the Wimbledon tennis tournament opened in the UK, the Association of Tennis Professionals site was infected.
July 2008: Sony’s US PlayStation website suffered an SQL injection assault which put visiting consumers at risk from a scareware attack.
September 2008: BusinessWeek magazine was infected with an SQL injection attack that attempted to download malware from a Russian-based server.
October 2008: An area of the Adobe website designed to offer support to video bloggers was compromised by an SQL injection attack.
SQL injection attacks
One of the major headline grabbers of 2008 was the SQL injection attack. Such attacks exploit security vulnerabilities and insert malicious code (in this case script tags) into the database running a site. When user input, for instance via a web form, is not correctly filtered or checked, the code peppers the database with malicious instructions. Recovery can be difficult, and there are numerous cases of website owners cleaning up their database only to be hit again a few hours later.
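The vulnerable query pattern described above beside its parameterized form, plus a clean-up scan for the injected script tags the report says end up in the database. This is an added example, not code from the report or from Sophos; the comments table and its rows are constructed, and the names make_db, find_by_author_unsafe, find_by_author_safe and find_injected_rows are assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for a site's comment table. The last row
# mimics the after-effect of a mass injection: a script tag appended to stored text.
SAMPLE_ROWS = [
    ("alice", "Great match at Wimbledon this year."),
    ("bob", "Anyone got Euro 2008 tickets?"),
    ("carol", "Nice dictionary site.<script src=\"http://evil.example/x.js\"></script>"),
]

# Markup that has no business inside a comment body: script and iframe tags.
INJECTED_MARKUP = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO comments (author, body) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_author_unsafe(conn, author):
    """Vulnerable form: the form field is pasted straight into the SQL text,
    so a quote character in the input changes the structure of the query."""
    sql = "SELECT author, body FROM comments WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def find_by_author_safe(conn, author):
    """Hardened form: a bound parameter is always treated as data, never as SQL,
    so the same input simply matches no author."""
    sql = "SELECT author, body FROM comments WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def find_injected_rows(conn, table, columns):
    """Clean-up check: return (id, column) pairs whose stored text carries script
    or iframe tags. Table and column names come from the administrator, never
    from user input, so building the SELECT from them is safe here."""
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            if isinstance(value, str) and INJECTED_MARKUP.search(value):
                hits.append((row_id, col))
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"  # textbook quote-breaking input from a web form
    print(len(find_by_author_unsafe(db, probe)))  # 3: the WHERE clause was rewritten
    print(len(find_by_author_safe(db, probe)))    # 0: no author literally has that name
    print(find_injected_rows(db, "comments", ["author", "body"]))  # [(3, 'body')]
```

The scan is the check a site owner would rerun after cleaning up; if it finds fresh hits within hours, the injection point itself is still open and the string-concatenated queries need replacing, not just the data.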
Automated systems
Hackers have developed automated tools that use search engines such as Google to identify potentially vulnerable websites, and then inject code into the servers. Websites are rarely specifically targeted, and are often just unfortunate enough to have been discovered by the cybercriminals’ malware distribution tool.
Cybercriminals are also building their own malware-infected websites, often using free web-hosting services which do not require users to go through a rigorous identification process. They then use automated systems to plant malicious links on legitimate blogs and web forums, pointing at these infected sites.
For instance, during 2008 Sophos encountered many examples of legitimate blogs and message boards carrying comments which linked to websites pretending to offer adult videos, but which actually demanded a browser plugin upgrade before anything could be seen. The updated fake codec or bogus Flash Player software that the user downloaded was in reality scareware that attempts to frighten the user into purchasing fake security software.
Top 10 countries hosting malware on the web
2008 showed the US, China and Russia accounting for almost three quarters of all the world’s websites that spread malware. However, it would be misleading to believe that other countries are not also contributing to the problem.
The top 10 malware hosting countries:
US 37.0%
China (inc HK) 27.7%
Russia 9.1%
Germany 2.3%
South Korea 2.1%
Ukraine 1.8%
UK 1.7%
Turkey 1.5%
Czech Republic 1.3%
Thailand 1.2%
Other 14.3%
Sophos research reveals that there is a “long tail” effect with more than 150 countries identified as hosting malware on webpages based within their borders. Of these affected webpages, 85 percent are on legitimate websites that have been hacked by criminals.
User resistance
Although web security is designed to protect against malware and other threats, some users have responded negatively and taken steps to subvert the protection. This is particularly true where companies and organizations filter URLs to particular websites for policy reasons, such as blocking social networking or video websites.
Anonymizing proxies
Some users have responded to web filtering by using anonymizing proxies [9], which disguise the true nature of a website in order to trick an organization’s web filter into allowing access.
Information about public anonymizing proxies is shared freely on thousands of blogs, forums and websites, and there are an unknown number of private anonymizing proxies built for the use of individuals or small groups. This makes it extremely easy for users to access an anonymizing proxy, but difficult and time-consuming for administrators to track and block them. If users are browsing via anonymizing proxies, then in addition to bypassing URL filtering, they are also circumnavigating content scanning at the perimeter, which dramatically increases the chance of infection.
Sophos has even identified anonymizing proxies that are themselves infected with malware. It’s not possible to tell whether the anonymizing proxies are the innocent victims of infection, or have been set up with malware embedded inside them. But regardless of whether the infection is deliberate or not, anyone using them runs the real chance of infecting their computer and the network it is connected to.
Anonymizing proxy use appears to be particularly prevalent among educational establishments, where technology-savvy students attempt to subvert acceptable use policies. Sophos actively tracks internet forums to discover new anonymizing proxy services, and incorporates real-time detection of private anonymizing proxies through traffic inspection in its web appliance.
Malware chart rundown
The US tops the chart with just under three in every eight infected webpages based there. This shows an increase over 2007, when it accounted for less than one in four (23.4 percent).
China, which was responsible for hosting more than half (51.4 percent) of all the world’s malware in 2007, has now almost halved its proportional contribution to the problem.
The Czech Republic is a new entrant on the list and hosts over one percent of all the world’s malware on the web.
Poland, France, Canada and the Netherlands were present in positions six, eight, nine and ten respectively in 2007, but now have too few malicious websites to appear on the chart.
Sophos.com
Tuesday, February 24, 2009
2009 Security threat report: Overview
On 2 November 1988 a 22-year-old Cornell University student called Robert Morris released an internet worm capable of exploiting vulnerabilities in the UNIX operating system. It is estimated that it infected 10 percent of the internet. Twenty years on, the scale of the malware problem has grown astronomically. Today’s internet attacks are organized and designed to steal information and resources from consumers and corporations. Although there have been instances of attacks driven by politics and religion, the main motivation is financial.
The web is now the primary route by which cybercriminals infect computers, mainly due to the fact that increasing numbers of organizations have secured their email gateways. As a consequence, cybercriminals are planting malicious code on innocent websites. This code then simply lies in wait and silently infects visiting computers.
The scale of this global criminal operation has reached such proportions that Sophos discovers one new infected webpage every 4.5 seconds – 24 hours a day, 365 days a year. In addition, SophosLabs, our global network of threat analysis centers, is sent some 20,000 new samples of suspect code every single day.
2008 proved that malware is more than just a Microsoft problem. Although the sheer number of Windows threats far outweighs attacks against any other platform, cybercriminals are turning their attention to other operating systems such as Apple Macintosh, and vulnerable cross-platform software. This seems likely to continue in 2009, with the increasing popularity of portable devices such as the iPhone, iPod Touch, Google Android phone and ultramobile netbooks.
It remains paramount that organizations defend themselves at all levels of their business, not just at the email and web gateways. Networks, desktops, laptops and mobile devices must be comprehensively secured to defend against the myriad threats posed by the criminal underground.
2008 at a glance
Biggest malware threats – SQL injection attacks against websites and the rise of scareware.
New web infections – one new infected webpage discovered by Sophos every 4.5 seconds.
Malicious email attachments – five times more at the end of 2008 than at the beginning.
Spam-related webpages – one new webpage discovered by Sophos every 15 seconds.
New scareware websites – five identified every day.
Top malware-hosting country – US with 37 percent.
Top spam-relaying continent – Asia with 36.6 percent.
Amount of business email that is spam – 97 percent.
Sophos.com
has grown astronomically. Today’s internet attacks are organized and designed to steal information and resources from consumers and corporations. Although there have been
instances of attacks driven by politics and religion, the main motivation is financial.
The web is now the primary route by which cybercriminals infect computers, mainly due to the fact that increasing numbers of organizations have secured their email gateways. As a consequence, cybercriminals are planting malicious code on innocent websites. This code then simply lies in wait and silently infects visiting computers.
The scale of this global criminal operation has reached such proportions that Sophos discovers one new infected webpage every 4.5 seconds – 24 hours a day, 365 days a year. In addition, SophosLabs, our global network of threat analysis centers, is sent some 20,000 new samples of suspect code every single day.
2008 proved that malware is more than just a Microsoft problem. Although the sheer number of Windows threats far outweighs attacks against any other platform, cybercriminals are turning their attention to other operating systems such as Apple Macintosh, and to vulnerable cross-platform software. This seems likely to continue in 2009, with the increasing popularity of portable devices such as the iPhone, iPod Touch, Google Android phone and ultra-mobile netbooks.
It remains paramount that organizations defend themselves at all levels of their business, not just at the email and web gateways. Networks, desktops, laptops and mobile devices must be comprehensively secured to defend against the myriad threats posed by the criminal underground.
2008 at a glance
- Biggest malware threats – SQL injection attacks against websites and the rise of scareware.
- New web infections – one new infected webpage discovered by Sophos every 4.5 seconds.
- Malicious email attachments – five times more at the end of 2008 than at the beginning.
- Spam-related webpages – one new webpage discovered by Sophos every 15 seconds.
- New scareware websites – five identified every day.
- Top malware-hosting country – US with 37 percent.
- Top spam-relaying continent – Asia with 36.6 percent.
- Amount of business email that is spam – 97 percent.
Sophos.com
Monday, February 23, 2009
2008 Security threat report: The future
Predicting the future in such a rapidly evolving scene is near impossible. One only needs to look at the virus scene five years ago to see how quickly the threat has become more serious in a short period of time. Indeed, a Sophos poll revealed that 70 percent of those surveyed believed that 2008 would actually be just as bad or worse for IT security than 2007.
It does seem inevitable that the variety and number of attacks will continue to escalate, driven by organized crime’s desire to break into computers to steal information, identities and resources. Sophos expects computer users will continue to face challenges in securing and controlling their computers as criminals attempt to capitalize on new technology to make money and cause disruption. In addition, threats like identity theft and fraud will still be occurring far into the future because of human mistakes.
However, if managed properly, the problem should not be insurmountable as sound security practices, up-to-date protection and an active commitment to keep informed can all help defend business networks in the year ahead.
The good news is that security software is getting better all the time. Proactive detection of new, unknown malware threats is at an all-time high, and computer users who are sensible and properly defended can dramatically reduce the risks.
Sophos.com
Sunday, February 22, 2009
2008 Security threat report: Arrests and the law
The repercussions for cybercriminals are finally coming in line with the severity of their crimes. With international computer crime authorities joining efforts in a bid to bring down hackers, malware authors and spammers, the past 12 months have seen more arrests and harsher sentencing for criminals involved in high-profile crimes.
Below are some of the cases that made the news in just the second half of 2007.
August 2007: 27-year-old Christopher Smith was sentenced to 30 years in prison in the US for selling millions of dollars’ worth of medications online to customers without prescriptions or a license.
August 2007: Jacob Vincent Green-Bressler was sentenced to seven years in prison for buying stolen data from hackers. Armed with account numbers, personal identification numbers (PINs), passwords and social security numbers, 21-year-old Green-Bressler was able to create counterfeit credit cards and withdraw money from cash machines.
September 2007: A Chinese court found four men guilty of writing and selling the Fujacks worm, which converted icons of infected files into joss-stick-burning pandas. The malware was designed to steal usernames and passwords from online gamers, details which would fetch a high price on the black market. The men were sentenced to between two and a half and four years in jail, but not before they wrote and gave the authorities a fix for the infection.
October 2007: James R Schaffer and Jeffrey A Kilbride were each sentenced to five years in jail and fined $100,000 for their part in sending innocent internet users sexually explicit images, a crime that netted them over $2 million.
November 2007: A 17-year-old was arrested in The Netherlands following claims that almost $6,000 worth of virtual furniture was stolen from users of a popular teenage gaming website. Virtual furniture at Habbo Hotel is purchased with credits that cost real currency. The teenager created fake Habbo Hotel websites, captured the players’ login details and used the information to break into the real website and steal virtual furniture.
With hacking, phishing and web threats on the increase, Sophos looks expectantly to 2008 for further improvements in solving computer crime cases, but warns that authorities should not become complacent if they are to keep users safe.
Sophos.com
Saturday, February 21, 2009
2008 Security threat report: State-sponsored cybercrime
During 2007 it became more common for countries to openly accuse each other of engaging in spying via the internet – even though it can be extraordinarily difficult to prove that an attack is being sponsored by a government. In April, a large-scale distributed denial-of-service attack against websites belonging to the Estonian prime minister, banks and schools was claimed to have been masterminded by the Kremlin after Estonia decided to remove a statue of a Soviet-era soldier that formed part of a World War II memorial. Estonian Minister of Defence, Jaak Aaviksoo, accused the Russian government of launching the attack and called on NATO to amend its protocols to recognize the attack as a form of military action. However, no proof was presented that the attacks could be traced back to the Kremlin.
In another example, in December 2007, it was revealed that MI5, the British secret service, had written a secret letter to 300 chief executives warning them that they were under attack from “Chinese state organizations”. According to reports, the Chinese government was behind electronic espionage against British firms designed to give China a commercial advantage.
Three months earlier, newspapers reported that the Chinese military were being blamed for a cyberattack which targeted a Pentagon computer system serving the office of US defense secretary, Robert Gates. Unnamed sources claimed that the People’s Liberation Army (PLA) were blamed in an internal investigation for perpetrating the attempted hack. The British and German governments were also said to have been subject to similar probes by hackers working for the PLA.
When Sophos asked in a poll in September 2007 who people believed was likely to have been responsible for the attack, the results (percentage of respondents) were:
Chinese --> 45%
Impossible to say --> 36%
Someone pretending to be Chinese --> 19%
The Chinese foreign ministry vigorously denied the claims, and said it works hard to fight cybercrime.
2008 is likely to bring more claims of countries attacking and spying on each other via the internet, but so far there has been no convincing evidence released to the public proving that attacks are backed by foreign governments. It must be remembered that internet hackers can hide their tracks, hopping from computer to computer, and leapfrogging around the world, making it very hard sometimes to determine precisely who is behind an attack. There is no doubt, however, of the importance of securing critical computers inside government from hackers whether motivated by politics, espionage or money.
Sophos.com
Friday, February 20, 2009
2008 Security threat report: Securing the business network
Identity theft – a corporate problem
Countless news stories, from TJ Maxx losing details of around 90 million customers over a two-year period, to the November 2007 debacle of the UK’s HMRC (Her Majesty’s Revenue and Customs) losing sensitive data about 25 million families in Britain, indicate that even large organizations are at risk.
In August 2007 it was revealed that employment search website Monster.com had lost personal information about more than 1 million people. Attackers used the usernames and passwords of professional recruiters to access Monster.com’s resumé database, and then spammed out phishing emails and malware to innocent job searchers.
Payment card industry compliance
In response to serious data breaches, the Payment Card Industry Security Standards Council was formed and has since put in place the PCI Data Security Standard (PCI DSS), whose 12 requirements organizations that handle credit and debit card transactions must comply with.
It has been reported that only one-third of retailers are PCI compliant.
The cost of a data breach, both in resource and software terms, can be huge, and many companies without a detailed security strategy and the right information may be paying a premium to secure their networks. By properly securing and controlling their computers and access to their networks, an organization can significantly reduce the chances of a security breach happening. In addition, rules that deal with the human aspect of mishandling data – accidental or otherwise – must be put in place to combat lax security.
NAC – helping enforce compliance
Leading security analysts such as Gartner and IDC agree that companies need to start their investigations now into network access control solutions and how they can integrate into the security framework. Integration of security point-solutions at the heart of the organization – the desktop and file server – is the recommended route forward, simplifying the management for administrators while using fewer resources on the network.
What does NAC do?
NAC (network access control) helps reduce the risk of compromising your network security. It works alongside anti-malware and firewall products and meets the following criteria:
- Stops unauthorized, guest or non-compliant systems accessing your network
- Ensures all computers conform to a defined security policy
- Is simple to deploy and easy to use
- Allows easy identification and isolation of unmanaged computers.
Sophos.com
Thursday, February 19, 2009
2008 Security threat report: Social networking
A procrastinator’s paradise or an identity thief’s dream?
Social networking websites like Facebook, Bebo, Orkut, and MySpace have become phenomenally popular – not just with teenagers trying to keep in touch and internet-savvy pop groups, but also with hackers interested in stealing information from individuals and companies. So organizations are facing the dual concerns of social networking websites causing productivity issues by distracting employees from their work, and the risk of malware being introduced to the workplace.
Productivity threat
Users openly brag about logging in to their Facebook accounts rather than working. The “I have dossed around on Facebook all day and consequently have done no work” group, for instance, has more than 220 members. Sophos research into how addictive social networking can become showed that one in seven users were logged into their Facebook profile virtually all the time during office hours.
How often employees access Facebook from work:
Once or twice a day --> 37.2%
Up to ten times a day --> 8%
Virtually all the time --> 14.8%
I only access Facebook from home, never at work --> 40%
Identity theft threat
Sophos also conducted research into the dangers of irresponsible behavior on Facebook. Using a fake profile, Sophos was able to discover information about other Facebook users, such as their date of birth, current email address or phone number. Sophos also gained access to further personal facts including employer details and complete resumés, and one user even divulged his mother’s maiden name – information often requested by websites in order to retrieve account details.
Giving up so much information about their interests and personal life, along with detailed information about their companies online, is playing into the cybercriminals’ hands. 32 percent of people use the same password for every website they access – if criminals guess it in one place, they may well be guessing it for the company network too. In order to protect their data and their reputations, organizations need to act quickly to set up guidelines for employees who are posting on these sites.
Do you use the same password for every website you access?:
Yes, all the time --> 32%
I have a few different passwords --> 48%
No, never --> 20%
The social networking sites themselves also need to address the problem. While Facebook has been commended for the strict security options available, it needs to do more to educate its users on securing profiles, and consider changing its own default settings.
Sophos.com
Wednesday, February 18, 2009
2008 Security threat report: Mobile phones and Wi-Fi devices
Mobile security threats
There are approximately 200 malware threats for mobile phones, compared to over 300,000 for Windows. The risk of being infected on a mobile phone is tiny in comparison.
Nevertheless, the mobile malware threat has been growing steadily over the last few years and more businesses are now looking to secure confidential data against potential attacks at all endpoints. In a Sophos web poll, in November 2006, 81 percent of business IT administrators expressed concern that malware and spyware targeting mobile devices will become a significant threat in the future. However, 64 percent also said they currently have no solution in place to secure company smartphones and PDAs.
Ultimately the main vulnerability on any system is the user and Sophos expects to see messages sent to mobile users luring them to fake webpages on which they will be instructed to enter confidential data, in just the same way that desktop email users are trapped.
IT managers should not only be looking to protect their PDAs and mobile phones from malware, but also be investigating data encryption and access control. It is also wise to invest in user education on how to safely browse online. Those with mobile devices need to understand that many of the web threats affect them as well, regardless of the device or operating system they are using.
Ultra-mobile PCs, iPhones and Wi-Fi devices
The wider availability of wireless internet services has increased the attractiveness of Wi-Fi-enabled devices.
Although simple Trojans have been seen, the Apple iPhone has not yet been the target of commercially motivated hackers. The fact that most versions of the phone/music player/browser are locked to particular service providers and lengthy contracts has, however, limited its appeal to the mass-market and may mean iPhone adopters have some breathing space before attacks begin in earnest.
Flaws have been found in Apple’s mobile email application and Safari browser and it is more likely that attacks would be focused on these areas than the underlying operating system. But cybercriminals seeking a larger return are likely to stick mostly to Windows desktops for the foreseeable future.
The iPod Touch is more affordable than the iPhone, and shares its Safari web browser. As both the iPhone and iPod Touch are designed to connect to the internet, and can retrieve email and visit websites, it is theoretically possible that hackers will target them more in the future. At the moment, Safari appears to be the most likely place where vulnerabilities would be exploited.
Meanwhile, 2008 looks set to be the year of increased take-up of ultra-mobile PCs (UMPCs). UMPCs, like the Asus EEE subnotebook, have shaken up the laptop market with their low price, usability and portability.
Interestingly, this new range of UMPCs does not necessarily come with a version of Windows pre-installed (in the case of the Asus EEE, it comes with the Xandros flavor of UNIX). For this reason, UMPCs are automatically immune to the vast majority of spyware, adware and malware attacks – but if such devices continue to increase in popularity the situation might change.
Of course, as has been pointed out earlier, a lot of hacking attacks actually have very little to do with technology, but with vulnerabilities in the human operating the computer. So it is perfectly possible right now for users of any of these mobile devices to receive spammed phishing messages, follow the link and enter their confidential data.
Sophos.com
Tuesday, February 17, 2009
2008 Security threat report: Apple
Apple and threats and the future
One of the most significant developments of 2007 was the rise of malware for Apple Mac computers. Although malware for Apple Macs, and even the Mac OS X operating system, has been seen before, it has not encountered anything like the number of viruses, Trojans and worms that run on Microsoft Windows. This is largely because malware writers have not felt it necessary to infect the computers of Apple Mac owners when there have been so many poorly protected Windows users available.
Now, however, financially motivated gangs have begun to think that there is a viable reason to infect Macs alongside Windows PCs.
In November 2007, Mac OS X malware made the headlines. The functionality of the malicious program, known as OSX/RSPlug, was fairly simple. It modified settings to redirect DNS requests to a server under the hackers’ control, allowing them to serve up fake websites requiring usernames and passwords, display adverts and so on.
OSX/RSPlug is connected to a widespread family of Windows malware called Zlob, which promises to display pornographic material when the user loads a new codec (a program that allows internet users to watch video content).
Clicking on malicious email or web links takes the unwitting computer user to a site hosting malware. The malicious website examines the request made by the user’s web browser and responds appropriately, depending on whether the computer visiting the site is a Mac or Windows PC. Apple Mac computers receive the OSX/RSPlug-Gen file, which is not able to infect the Windows platform. A Windows PC, however, receives the Zlobar-Fam Trojan.
This approach means that the malware authors can target a much wider range of users with a single set of links – while the Trojans themselves are not cross-platform, the delivery mechanism is. Sophos has seen Mac malware planted on a large number of websites, with many variants of the Trojan being distributed.
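The defender-side counterpart to the DNS-changing behaviour described above is to check a host’s configured resolvers against the set the organization expects. The following is an added example, not Sophos code and not the Trojan itself: the allow-list networks, the sample resolv.conf text and the 203.0.113.x address are all constructed.

```python
"""Flag DNS resolvers that fall outside an organization's expected set.

Added example; not Sophos code and not OSX/RSPlug itself. It models the
defender-side check for a DNS-changer that points the host at a resolver
under the attackers' control. The allow-list, the sample resolv.conf text
and the 203.0.113.x address are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List

# Constructed allow-list: networks in which the organization's resolvers live.
# Hypothetical ranges; replace with the real corporate resolver networks.
TRUSTED_RESOLVER_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed resolv.conf-style content standing in for a tampered host.
# The second nameserver is outside the allow-list (203.0.113.0/24 is a
# documentation range, used here purely as a placeholder).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP, then silently edited
search corp.example.invalid
nameserver 10.1.2.3
nameserver 203.0.113.45   ; added by the DNS-changer
options timeout:2
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text.

    Comments introduced by '#' or ';' and non-nameserver directives are
    ignored, so only the actual resolver list reaches the policy check.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers: Iterable[str],
                         trusted=TRUSTED_RESOLVER_NETWORKS) -> List[str]:
    """Return every resolver that is not inside a trusted network.

    Malformed entries are returned too: a resolver that is not even a valid
    address is a sign that something other than DHCP wrote the configuration.
    """
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if not any(addr in net for net in trusted):
            flagged.append(server)
    return flagged


def check_resolv_conf(text: str) -> List[str]:
    """Parse resolv.conf-style text and return the resolvers to alert on."""
    return unexpected_resolvers(parse_resolv_conf(text))


if __name__ == "__main__":
    for resolver in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"ALERT: unexpected DNS resolver {resolver}")
```

On a Mac the effective resolver list comes from `scutil --dns` rather than a single file, so the same comparison would be fed from that output instead.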
Although Macintoshes have a long way to go before they overtake PCs in popularity, particularly in the office environment, analysts are reporting that an increasing number of consumers are open to considering purchasing a Mac computer rather than a PC in future. This may drive the emergence of more financially motivated malware for this platform.
It is concerning that the Mac has become the focus of at least one malware gang. Ultimately, future Mac malware attacks will be driven by how effective the attackers are at infecting Apple Mac users. The criminal hacking gangs are in business to make money, so if they do not see a return on their investment, they will not invest more effort.
For this reason, it is essential that Apple Mac users ensure they are properly defended - and stay clued-up about the various attack mechanisms that cybercriminals can use to break into their computers.
Monday, February 16, 2009
2008 Security threat report: Spam
Spam remains a significant problem for business, with Sophos research revealing that 95 percent of all email is spam. Sophos conducts analysis of all the spam messages received in the company’s global network of spam traps. Millions of new messages from these honeypots are analyzed automatically every day, and are used to refine and update existing spam rules.
Occasionally, new techniques are used to try to bypass even the most successful spam filters. When a message is sufficiently different from any previously analyzed by the Sophos spam engines, analysis by researchers establishes whether the message is legitimate or not. Illegitimate emails using new techniques are immediately fed into the spam rules, ensuring that customers are protected against any campaigns using these new techniques.
Dirty dozen
2007 brings some interesting changes to the chart of the 12 countries relaying the most spam.
Dirty Dozen: the top spam-relaying countries in 2007:
- United States 22.5%
- South Korea 6.5%
- China (incl HK) 6.0%
- Poland 4.9%
- Russia 4.7%
- Brazil 3.8%
- France 3.5%
- Germany 3.5%
- Turkey 3.1%
- Spain 2.7%
- Italy 2.7%
- India 2.6%
- Other 33.5%
The top three this year have led the chart since the inception of the threat report in 2005.
The United States, responsible for sending about a fifth of all the spam in the world for the last few years, needs to tackle this problem urgently. Not only is the problem polluting our inboxes with unwanted emails – some of which will go to malicious or infected websites – it also means that a large number of US computers, most likely those run by home users, are infected. Educating users on how to protect their system against a compromise is paramount to the US’s success in its war against spam.
Despite holding onto the same chart positions, the proportion of spam-relaying reported from China has significantly diminished. In 2006, Chinese compromised machines sent more than 15 percent of the world’s spam, whereas in 2007, they more than halved this number.
In contrast, the US and South Korea have made no significant impact on the problem of spam being relayed via their countries.
Pump-and-dump spam
Pump-and-dump stock campaigns remain a significant problem. They work by spammers purchasing stock at a cheap price and then artificially inflating it by encouraging others to purchase more (often by spamming “good news” about the company to others). The spammers then sell off their stock at a profit.
August 2007 saw a colossal spike in spam volume for 24 hours due to a single pump-and-dump campaign that urged potential investors worldwide to purchase stock in a company called Prime Time Group.
Prior to 2007, pump-and-dump spam campaigns typically attempted to influence the stock price of small North American companies. During 2007, however, Sophos experts noticed a shift in tactics as cybercriminals increasingly tried to manipulate European stocks.
This increased targeting of non-American companies might well be because US authorities have taken stronger action to defuse the criminal activity. For instance, in March 2007, in “Operation Spamalot”, the Securities and Exchange Commission (SEC) suspended trading on 35 companies mentioned in stock manipulation campaigns.
As security vendors have become more proficient in intercepting stock spam at email gateways, stock-manipulating hackers have turned to more elaborate methods to get their messages in front of internet users. For example, PDF files, JPGs and other image attachments are used to carry the message in the hope that this type of file will be harder to identify as spam.
One of the more bizarre schemes was seen in October 2007 when a pump-and-dump spam campaign used MP3 music files in an attempt to manipulate share prices. Files posing as music from stars such as Elvis Presley, Fergie and Carrie Underwood actually contained a monotone voice encouraging people to buy shares in a little-known company.
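The evasion described in the two paragraphs above (the pitch moved out of the message text and into a PDF, image or MP3 attachment) leaves a structural fingerprint a gateway can score: a stub text body plus a carrier attachment. The following heuristic is an added example, not Sophos’s spam engine; the sample messages, addresses and the 40-character threshold are constructed.

```python
"""Heuristic for 'carrier attachment' spam: a stub text body plus an image,
PDF or MP3 attachment that holds the real pitch.

Added example; not Sophos's spam engine. It scores the evasion the passage
describes (stock pitches moved into PDFs, JPGs and MP3s). The sample
messages, the addresses and the 40-character threshold are constructed.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# Attachment types the passage names as carriers for pump-and-dump pitches.
CARRIER_TYPES = {"image/jpeg", "image/gif", "image/png",
                 "application/pdf", "audio/mpeg"}
# Assumed threshold: a genuine message with an attachment normally says more
# than this about it; below it the text part is just a lure ("Listen!").
MIN_TEXT_CHARS = 40


def visible_text_length(msg: EmailMessage) -> int:
    """Count characters in the non-attachment text/plain parts."""
    total = 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            total += len(part.get_content().strip())
    return total


def carrier_attachments(msg: EmailMessage) -> List[str]:
    """Content types of attachments that match the carrier list."""
    return [part.get_content_type() for part in msg.iter_attachments()
            if part.get_content_type() in CARRIER_TYPES]


def score_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and return the heuristic verdict.

    'suspicious' means: at least one carrier attachment AND almost no text.
    It is a triage signal for review or deeper scanning, not a block decision.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    carriers = carrier_attachments(msg)
    chars = visible_text_length(msg)
    return {
        "subject": str(msg["subject"]),
        "text_chars": chars,
        "carriers": carriers,
        "suspicious": bool(carriers) and chars < MIN_TEXT_CHARS,
    }


def build_sample(subject: str, body: str,
                 attachment: Optional[Tuple[bytes, str, str, str]] = None) -> bytes:
    """Construct a test message (constructed data, not captured spam)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        data, maintype, subtype, filename = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg.as_bytes()


# Constructed samples: a stub body with an MP3 "song" (the October 2007
# pattern), a normal business mail with a PDF, and a plain text note.
MP3_PITCH = build_sample(
    "Hot new single!", "Listen!",
    (b"ID3\x03\x00" + b"\x00" * 32, "audio", "mpeg", "track.mp3"))
PDF_REPORT = build_sample(
    "Q3 report",
    "Hi team, attached is the Q3 summary we discussed yesterday.\n"
    "Please review the figures before Friday.",
    (b"%PDF-1.4\n%constructed placeholder\n", "application", "pdf", "q3.pdf"))
PLAIN_NOTE = build_sample("Lunch", "Lunch at noon?")


if __name__ == "__main__":
    for sample in (MP3_PITCH, PDF_REPORT, PLAIN_NOTE):
        print(score_message(sample))
```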
User response to spam
One of the main reasons spammers invest their resources into devising new techniques is that spam works – and looks increasingly successful. In a Sophos web poll conducted in February 2007, 5 percent of respondents admitted to buying goods sold via spam. In a second poll conducted in November 2007, the figure had risen to a concerning 11 percent.
Are you a spammer?
Virtually all spam comes from compromised computers (called “bots” or “zombies”) that have been successfully attacked and now, unbeknown to their owners, are sending out large volumes of spam, launching distributed denial-of-service attacks, or stealing confidential information.
Having up-to-date anti-virus protection, installing and running a firewall, and ensuring that all security patches are in place for both the operating system and any installed applications, will significantly lower the likelihood of being compromised.
Sophos ZombieAlert Service identifies business computers that have been hijacked and which are sending out emails on behalf of the spammers.
Sunday, February 15, 2009
2008 Security threat report: Malware
Where is malware written?
Forensic analysis by SophosLabs to determine where malware has been written has revealed some interesting differences in the motives and tactics used by different hacking groups around the globe. For instance, 21 percent of all malware is written in China. This is a smaller proportion than in 2006 when the republic’s hackers accounted for 30 percent of the malicious code seen.
Proportion of malware written, by country:
China 21.0%
Brazil 12.5%
Russia 9.2%
Most of the Chinese malware takes the form of backdoors, but there is also a proportion of Chinese malicious software whose motive is to steal passwords from online gamers.
Brazil accounts for 12.5 percent of the malware that has been analyzed by SophosLabs. The majority of the code written in the South American country is Trojan horses, designed to steal information from online banks. Russian hackers, meanwhile, are responsible for 9.2 percent of the malware seen, mostly creating backdoors that allow cybercriminals to gain access to compromised computers.
Rootkits
SophosLabs estimates that threats from rootkit technology account for about 7 percent of all malware, including high-profile malware, such as Pushdo and Dorf.
There is a renewed interest in rootkits, thanks to hardware-assisted virtualization technologies available in both Intel and AMD processors. Proof-of-concept source code of a hardware virtualization rootkit known as Blue Pill was made publicly available at the Black Hat conference in Las Vegas in August 2006. Virtualization rootkits are supposed to sit deviously between the host hardware and the virtualized subsystem (the guest) to make malware hard or impossible to detect.
In spite of this, SophosLabs does not anticipate that hardware-assisted virtualization-based rootkits will become a significant threat in the near future as they are very complex and rely heavily on hardware extensions that vary from processor to processor. Standard detection techniques, such as on-access scanning, are well suited for detection of malicious hypervisors before install (as the malware arrives on the system).
Detection evasion
There is an arsenal of techniques that can be used to try to evade detection by anti-malware products. One of the most common techniques is server-side polymorphism.
Viruses have used polymorphic technology since the early 1990s to mutate their appearance on each infection, in effect making each sample of the malware unique. Server-side polymorphism, however, uses code on the web server to generate mutated malware. In the past, anti-malware vendors could detect polymorphic viruses by identifying the mutation engine’s code. However, with server-side polymorphism, the code which mutates the malware is left on the web server, making it impossible to identify the mutation engine as it is not present in the brand new one-off variant of the malware.
Other techniques often used by malware include encryption, obfuscation and rapidly changing code with potentially automated builds. Obfuscation is particularly frequently used in script-based malware.
These techniques are often used to prevent generic detection techniques. For example, the author of Pushdo – a hacker who spent much of 2007 attempting to infect unwary computer users with the promise of naked pictures of Angelina Jolie [15] – often adds junk (do nothing) instructions, changes the first few bytes of the code, uses encryption of strings commonly present in malicious software and reorders the sequence and the way of calling Windows system functions.
Detection techniques
Alongside the growing amount of new malware which tries to bypass security measures, there have also been significant technological advances in detection techniques.
To combat the threat of zero-day attacks, and new malware and spyware attacks, security leaders have been looking at behavioral or proactive protection as a method to stop unknown malware from running on a victim machine. This type of protection looks at what a piece of code wants to do, decides whether the action is legitimate or malicious, and acts accordingly.
Unfortunately the implementation of this technology is not trivial and the different approaches taken by some of the industry leaders had varying degrees of success, as can be seen in the results of tests performed by independent testing laboratories, such as AV-Test.org.
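The behavioral approach described above judges a program by what it does rather than by what its bytes look like, which is why it is unaffected by the server-side polymorphism and string encryption discussed in the previous section. The following is an added illustration, not code from the report or from any Sophos product: a toy rule engine scores a constructed process event trace (file writes, registry writes, process starts, network connections) and blocks a process whose combined behaviour crosses a threshold. The process names, registry paths and weights are all assumptions made up for the example.

```python
"""Toy behavioural (proactive) detector: scores what a process does.

The event trace, rules and weights are constructed for illustration only;
a real product works from much richer kernel-level telemetry.
"""
from collections import defaultdict

# Constructed sample telemetry: (process, action, target)
EVENTS = [
    ("setup.exe", "file_write", r"C:\Program Files\Acme\acme.exe"),
    ("setup.exe", "reg_write", r"HKLM\Software\Acme\Version"),
    ("setup.exe", "net_connect", "updates.acme.example:443"),
    ("photo.exe", "file_write", r"C:\Users\Bob\AppData\Local\Temp\svc.exe"),
    ("photo.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("photo.exe", "process_start", r"C:\Users\Bob\AppData\Local\Temp\svc.exe"),
    ("photo.exe", "reg_write", r"HKLM\Software\Microsoft\Security Center\AntiVirusDisableNotify"),
    ("photo.exe", "net_connect", "203.0.113.10:25"),
    ("photo.exe", "net_connect", "203.0.113.11:25"),
]

# Each rule: (name, weight, predicate over one event's action and target).
# No single rule is damning on its own; the combination is what gets blocked.
RULES = [
    ("exe_dropped_in_temp", 3,
     lambda a, t: a == "file_write" and "\\temp\\" in t.lower() and t.lower().endswith(".exe")),
    ("run_key_persistence", 3,
     lambda a, t: a == "reg_write" and "\\currentversion\\run\\" in t.lower()),
    ("exec_from_temp", 2,
     lambda a, t: a == "process_start" and "\\temp\\" in t.lower()),
    ("security_center_tamper", 4,
     lambda a, t: a == "reg_write" and "security center" in t.lower()),
    ("direct_smtp", 2,
     lambda a, t: a == "net_connect" and t.endswith(":25")),
]
BLOCK_THRESHOLD = 6  # assumed tuning value


def score_processes(events):
    """Return {process: (score, [rule names])}; each rule counts once per process."""
    hits = defaultdict(set)
    for proc, action, target in events:
        for name, _weight, pred in RULES:
            if pred(action, target):
                hits[proc].add(name)
    weights = {name: w for name, w, _ in RULES}
    return {p: (sum(weights[n] for n in names), sorted(names)) for p, names in hits.items()}


def verdict(events, proc):
    """'block' if the process's accumulated behaviour score reaches the threshold."""
    score, _ = score_processes(events).get(proc, (0, []))
    return "block" if score >= BLOCK_THRESHOLD else "allow"


if __name__ == "__main__":
    for proc, (score, names) in score_processes(EVENTS).items():
        print(f"{proc}: score={score} rules={names} -> {verdict(EVENTS, proc)}")
    print("setup.exe ->", verdict(EVENTS, "setup.exe"))
```

The installer writes under Program Files and talks to its vendor over 443, so it trips nothing and is allowed; the dropper is blocked not because of any one action but because it drops an executable into Temp, persists via a Run key, tampers with Security Center and starts sending mail directly. Tuning the weights and threshold against clean software is exactly the hard part the paragraph alludes to.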
Proactive detection rates of new in-the-wild malware, Source: AV-Test.org test, July–September 2007:
- Sophos 86%
- Kaspersky 69%
- Trend Micro 68%
- F-Secure 67%
- Symantec 66%
- McAfee 55%
- Microsoft 48%
- ClamAV 42%
Saturday, February 14, 2009
2008 Security threat report: Email threats
Threats spreading via email file attachments continued their decline, as hackers and malicious code writers turned to the web to host their attacks:
Proportion of emails with infected attachments:
2005: 1 in 44
2006: 1 in 337
2007: 1 in 909
However, although malicious email attachments have reduced in percentage terms, emails containing links to malicious websites continue to pose a growing problem to computer users.
Top ten threats spread by email attachments in 2007:
- Mal/HckPk 23.7%
- W32/Netsky 19.9%
- W32/Mytob 13.2%
- Troj/Dorf 10.1%
- W32/Zafi 4.8%
- W32/Stratio 4.6%
- W32/Sality 3.4%
- W32/MyDoom 3.4%
- W32/Bagle 2.6%
- Troj/Pushdo 2.0%
- Others 12.3%
Top of the chart of malware threats spreading via email file attachments, and responsible for about a quarter of all such threats seen in the last year, is HckPk. It gets its name from the use that it makes of encryption and packing technology to try to bypass security filters. Like Mytob and Dorf (also known as Storm) there are thousands of variants that make up this family.
Netsky, Mytob, Zafi, MyDoom and Bagle are well-established malware families that have been around for several years and continue to spread on unprotected computers.
Although mass-mailing worms have dropped from malware writers’ favor, Dorf blended this older technique with other newer techniques to infect computers.
Storm of Malware – a chronology
The Storm worm, also known as Dref or Dorf, was 2007’s most disruptive threat, with around 50,000 variants seen over the course of 2007.
The criminals behind the Storm attack used topical news stories, electronic greeting cards, videos and fear tactics to lure people into opening their widely spammed-out emails and click on their malicious links.
Early January 2007: Starting as Happy New Year malware which spread malicious greetings via email attachments, the hackers changed their tack in January using news-related events to encourage recipients to click on what claimed to be video content. One of these disguises, which had subject lines such as “230 dead as storm batters Europe”, gave the worm its popular name of Storm.
Late January 2007: The Storm worm turned to love in a major new attack as St Valentine’s Day approached [7], and in the run-up to US Independence Day on 4th of July [8] the malware gang aggressively took advantage of the celebrations with another malicious ecard campaign.
On this occasion, the email contained a web link to compromised zombie computers hosting a Trojan horse.
August 2007: Storm used a wave of malicious emails which posed as links to YouTube videos [9], and then posed as links to music videos of popstars like Beyoncé, Rihanna and The Eagles. If infected, hackers could use victims’ computers to steal personal information, spam out malware and junk email, or launch distributed denial-of-service attacks against innocent parties.
September 2007: The Storm worm took advantage of the NFL Kickoff weekend [10] and spammed out an email campaign with links to a hacked website, which would drop malicious code onto insufficiently protected computers.
November 2007: The hackers tried to scare email users into believing their telephone conversations were being recorded [11], but the ruse was designed to get people to buy bogus security software. In reality, however, the attached MP3 file was a malicious executable program that installed further malware onto the victim’s computer which it downloaded from a dangerous website. Amongst these was a piece of scareware which displayed a fake Windows Security Center alert and tried to convince the victim to purchase bogus security software.
December 2007: The criminal hackers behind the Storm malware showed no signs of letting up and continued their offensive attacks, sending emails claiming to point to websites offering pictures of a stripping “Mrs Clause” [12] and Happy New Year messages.
Friday, February 13, 2009
2008 Security threat report: Web threats
Web threats in 2007
Web threats continue to be cybercriminals’ preferred approach for delivering malware. Sophos currently sees 6,000 new infected webpages each day – one infected page every 14 seconds. Only about 1 in 5 of these sites is a hacker site, i.e. malicious in intent; 83 percent are hacked sites, or legitimate websites that have been compromised by an unauthorized third-party.
Surfers are often lured to these compromised webpages via emails which use social engineering tactics to attract unsuspecting users [1]. In other examples, hackers place their malicious code on sites which they know have a high number of visitors. Once the site is infected, unwary visitors without web security, firewall or patches on their PCs, can themselves be infected.
The content of these sites varies dramatically. Just some examples of the wide variety of sites that SophosLabs has seen hacked to host malware in a typical month are:
- Art galleries
- Christian ministry
- Computer network cabling
- Escort agencies
- Holiday property rental
- Ice-cream making
- Landscape gardening
- Museums
- Organic produce
- Oven cleaning
- Pilates
- Poker event organization
- Political activism
- Printing and graphics
- Tyre supply
- Web design.
Because of the range of subjects that hacked sites cover, blocking sites by content is not sufficient to protect users against these threats. A security solution to protect innocent computer users can help block web access to sites hosting malware.
Accounting for over half of all web-based threats in January to December 2007 was Mal/Iframe, which has dominated the charts from April. Particularly rampant in China, although also seen affecting websites hosted elsewhere, a growing number of web-based attacks look for vulnerabilities on legitimate hosted websites and inject malicious code onto the site.
In June 2007, Mal/Iframe was found to have infected more than 10,000 legitimate Italian websites, including sites belonging to high-profile organizations like city councils, employment services and tourism sites. Most of the affected pages appeared to be hosted by one of the largest ISPs in Italy [2].
Mal/ObfJS, an obfuscated malicious script, has also affected many legitimate websites, for example the website of the US Consulate General in St Petersburg, Russia in October [3] (despite the fact that protection had been available in anti-virus products since May 2007).
The US Consulate General removed the malicious code quickly and efficiently, but the fact that such a knowledgeable and security-conscious organization could become infected highlights the seriousness of the web threat.
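Mal/Iframe and Mal/ObfJS are both detected by what the injected markup looks like on the compromised page: an iframe the visitor is not meant to see, or a script whose payload is hidden behind long escape sequences fed to unescape/eval/document.write. Site owners can look for the same things in their own pages. Below is an added example, not code from the report or from SophosLabs, of a small scanner built on Python's standard html.parser that flags hidden or zero-size iframes and heavily escaped scripts; the sample page, its hostname and the signalling thresholds are constructed assumptions.

```python
"""Scan an HTML page for injected hidden iframes and obfuscated scripts.

Heuristics and sample page are constructed for illustration; a production
check would also compare the page against a known-good copy.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Runs of 20+ consecutive \xNN, %NN or \uNNNN escapes: a common obfuscation shape
ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-f]{2}|%[0-9a-f]{2}|\\u[0-9a-f]{4}){20,}", re.I)
DYNAMIC_EVAL = re.compile(r"\b(eval|unescape|document\.write)\s*\(")


class InjectionScanner(HTMLParser):
    """Collects findings while parsing one page; site_host is the page's own host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []          # list of (kind, detail, [reasons])
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self._check_iframe(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_buf))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def _check_iframe(self, attrs):
        src = attrs.get("src") or ""
        style = (attrs.get("style") or "").replace(" ", "").lower()
        reasons = []
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-css")
        if not reasons:
            return                  # visible iframes (maps, videos) are normal
        host = urlparse(src).hostname
        if host and host != self.site_host:
            reasons.append("third-party-src")
        self.findings.append(("iframe", src, reasons))

    def _check_script(self, body):
        reasons = []
        if ESCAPE_RUN.search(body):
            reasons.append("long-escape-run")
        if DYNAMIC_EVAL.search(body):
            reasons.append("eval-or-unescape")
        if len(reasons) == 2:       # either alone is common in legitimate code
            self.findings.append(("script", body[:40], reasons))


def scan_page(html, site_host):
    """Return the list of suspicious iframe/script findings for one page."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a council site with one legitimate embed plus two injections
SAMPLE_HTML = """<html><head><title>Council news</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p>
<iframe src="https://maps.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://203.0.113.7/in.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%32%30%33%2E%30%2E%31%31%33%2E%37%2F%61%2E%70%68%70%22%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, reasons in scan_page(SAMPLE_HTML, "council.example"):
        print(kind, detail, reasons)
```

Run against a copy of each page on a schedule (or against what the web server actually serves, fetched from outside), the scanner turns a silent compromise of the kind the Italian sites suffered into an alert the same day, instead of the months that passed in the consulate case.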
Where is malware hosted?
The results of research into which countries contain the most malware-hosting websites reveal some significant changes over last year’s top ten list.
Top ten malware hosting countries in 2007:
China 51.4%
United States 23.4%
Russia 9.6%
Ukraine 3.0%
Germany 2.3%
Poland 0.9%
United Kingdom 0.7%
France 0.7%
Canada 0.7%
Netherlands 0.7%
Others 6.6%
China has moved from second place in 2006, when it accounted for just over 30 percent of infected websites, and now dominates the chart, with more than 50 percent of infected websites. Unfortunately whether a website is based in China is not necessarily obvious from its domain name, and so just avoiding websites ending in .cn will not significantly reduce your chances of being attacked by a China-hosted website.
The US has dropped from the top position, where it accounted for 34 percent of malware-infected websites in 2006, and accounts for less than a quarter this past year.
Poland is a new addition to this list, with 1 in 100 malicious webpages being hosted there. The Netherlands, which held fourth position in 2006, has managed to drop to tenth place, but still accounts for an unusually large number of malicious sites, given its population and infrastructure. Sophos worked with computer crime authorities in The Netherlands last year to help them identify websites hosting malware so that they could be dealt with.
Making your web server more secure
- Don’t install any unnecessary components on the server – more code means more vulnerabilities for hackers to exploit.
- Sign up to your operating system security notifications.
- Patch all operating systems and any applications with official security fixes.
- Run up-to-date anti-virus software on the web server, regardless of what operating system you are using.
IIS users:
- Do not enable directory browsing unless you really need it – why show visitors (malicious or legitimate) all the files on your system?
- Disable any FrontPage server extensions that are not being used.
Apache users:
- Deny “all resources” by default and only allow the necessary functionality to each specific resource.
- Log all web requests to allow you to spot suspicious activity.
Writing safer code:
- Always initialize global variables (avoiding the danger of them being initialized by a fake GET or POST request).
- Turn off error reporting and log to file instead (making it more difficult for hackers to get the information they need).
- Never trust any user input or output, so use filter functions to strip out special SQL characters and escape sequences.
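The three "Writing safer code" points map directly onto a request handler. The following is an added example, not code from the report or from the SophosLabs paper it cites; it uses Python with an in-memory sqlite3 table standing in for the site's database, and the user table, names and response shapes are constructed assumptions. It keeps the "before" lookup that pastes the request parameter into the SQL text beside the hardened version, which goes one step beyond the bullet's advice to strip special characters: a bound parameter never reaches the SQL parser as code, so there is nothing to strip.

```python
"""Safer request handling: explicit defaults, allow-list input validation,
parameterised SQL, and errors logged rather than echoed.

Database contents and request parameters are constructed for illustration.
"""
import logging
import re
import sqlite3

log = logging.getLogger("webapp")
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # assumed allow-list for user names


def make_db():
    """Constructed in-memory user table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.org", 1),
        ("bob", "bob@example.org", 0),
    ])
    return conn


def lookup_unsafe(conn, name):
    """'Before': the request parameter becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """'After': a bound parameter is only ever treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def handle_request(conn, params):
    """Return a {status, body} response for a user-lookup request."""
    # 1. Explicit default: the request is never allowed to "initialise" this for us.
    name = params.get("name", "")
    # 2. Never trust input: reject anything outside the allow-list up front.
    if not NAME_RE.match(name):
        return {"status": 400, "body": "invalid user name"}
    try:
        rows = lookup_safe(conn, name)          # 3. Parameterised query
    except sqlite3.Error as exc:
        # Detail goes to the log file; the browser only sees a generic message.
        log.error("user lookup failed for %r: %s", name, exc)
        return {"status": 500, "body": "internal error"}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed malformed input
    print("unsafe:", lookup_unsafe(db, probe))   # whole table leaks
    print("safe:  ", lookup_safe(db, probe))     # no such user
    print("handler:", handle_request(db, {"name": probe}))
    print("handler:", handle_request(db, {"name": "bob"}))
```

The same malformed input returns every row from the concatenated query and nothing from the parameterised one, and the handler rejects it before a query is even built. Validation at the edge and parameters at the database are independent layers; keep both, because the allow-list will inevitably be loosened for some field the query still touches.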
For further advice on securing your web server read the SophosLabs technical paper Securing Websites.
What web servers are being infected?
At the end of 2007, SophosLabs looked at a snapshot of the millions of web servers infected worldwide, closely examining over 50,000 to see what operating system they were running. The findings are in line with research done by Sophos in the first half of 2007, with almost 50 percent of the malware found on servers running Apache, and about 40 percent running Microsoft IIS.
As evidenced in other areas, malware affecting web servers is not just a Windows problem. A large number of Apache servers are hosted on Linux or some flavor of UNIX, and many administrators consider these systems to be much less vulnerable to attacks. While it is true that there is less malware written to target Linux and UNIX, the websites are not necessarily safe from attack. This is because the attacks target the website – not just the server – and often attempt to embed secret scripts or redirection malicious code.
Thursday, February 12, 2009
2008 Security threat report: Overview
2007 at a glance
Hackers use the web to infect users – malicious code increasingly embedded on high-traffic websites or adverts.
Web threats – one new infected webpage discovered by Sophos every 14 seconds, or 6,000 a day.
Cybercrime reaches Apple – Mac users being targeted by financially motivated hackers for the first time, proving malware is not just a Windows problem.
Threats to mobile and Wi-Fi users – iPhones, iPod Touches, ultra-mobile PCs and others at greater risk of attack and may encourage exploitation of browser vulnerabilities.
Information theft soars – scammers using stolen data to craft targeted emails.
State-sponsored cyberwarfare cited – but no evidence of the danger made public.
Pessimism reigns – public not confident that IT security will improve in 2008 following headline-making incidents.
International authorities stepping up to the mark – law-enforcement around the world at last seeing punishment fit the crime.
Security threat report: 2008 - Overview
The world of malware fundamentally changed in 2007, as hackers fully embraced the web as their primary route for infecting computers. As more computer users have defended their email gateways with security solutions, cybercriminals are planting malicious code on innocent websites, lying in wait for victims to come to them and be silently infected.
Whereas virus writers of ten years ago were typically creating code for mischief, today’s attacks are organized, commercial endeavors designed to steal information and resources from the computers of victims for one reason above any other: to make money. The scale of their global criminal operations has reached such a height that Sophos discovers a new infected webpage every 14 seconds – 24 hours a day, 365 days a year.
It has also become clear that malware is more than a Microsoft problem. Although the number of Windows threats overshadows attacks against any other platform, financially-motivated cybercriminals are turning their attention to alternative platforms such as Apple Macintosh and web servers running Apache. This trend seems likely to continue in 2008, and we may see the emergence of new threats against portable Wi-Fi enabled devices such as the iPhone, iPod Touch and ultra-mobile PCs.
It remains paramount for businesses to defend themselves at all levels of their organization - not only do they need to secure their email and web gateways, but also to ensure that networks and endpoints are comprehensively protected in 2008 against the myriad of threats posed by the criminal underground.
Hackers use the web to infect users – malicious code increasingly embedded on high-traffic websites or adverts.
Web threats – one new infected webpage discovered by Sophos every 14 seconds, or 6,000 a day.
Cybercrime reaches Apple – Mac users being targeted by financially motivated hackers for the first time, proving malware is not just a Windows problem.
Threats to mobile and Wi-Fi users – iPhones, iPod Touches, ultra-mobile PCs and others at greater risk of attack and may encourage exploitation of browser vulnerabilities.
Information theft soars – scammers using stolen data to craft targeted emails.
State-sponsored cyberwarfare cited – but no evidence of the danger made public.
Pessimism reigns – public not confident that IT security will improve in 2008 following
headline-making incidents.
International authorities stepping up to the mark – law-enforcement around the world at last seeing punishment fit the crime.
Security threat report: 2008 - Overview
The world of malware fundamentally changed in 2007, as hackers fully embraced the web as their primary route for infecting computers. As more computer users have defended their email gateways with security solutions, cybercriminals are planting malicious code on innocent websites, lying in wait for victims to come to them and be silently infected.
Whereas virus writers of ten years ago were typically creating code for mischief, today’s attacks are organized, commercial endeavors designed to steal information and resources from the computers of victims for one reason above any other: to make money. The scale of their global criminal operations have reached such a height that Sophos discovers a new infected webpage every 14 seconds – 24 hours a day, 365 days a year.
It has also become clear that malware is more than a Microsoft problem. Although the number of Windows threats overshadows attacks against any other platform, financially-motivated cybercriminals are turning their attention to alternative platforms such as Apple Macintosh and web servers running Apache. This trend seems likely to continue in 2008, and we may see the emergence of new threats against portable Wi-Fi enabled devices such as the iPhone, iPod Touch and ultra-mobile PCs.
It remains paramount for businesses to defend themselves at all levels of their organization - not only do they need to secure their email and web gateways, but also to ensure that networks and endpoints are comprehensively protected in 2008 against the myriad of threats posed by the criminal underground.
Wednesday, February 11, 2009
Zombies
A zombie is a computer that is remotely controlled and used for malicious purposes, without the legitimate user’s knowledge.
A virus or Trojan can infect a computer and open a “back door” that gives other users access. As soon as this happens, the virus sends a message back to the virus writer, who can now control the computer remotely via the internet. From now on, the computer is a “zombie”, doing the bidding of others, although the user is unaware. Collectively, such computers are called a “botnet”.
The virus writer can share or sell access to control his or her list of compromised computers, allowing others to use them for malicious purposes.
For example, a spammer can use zombie computers to send out spam mail. Up to 80% of all spam is now distributed in this way. This enables the spammers to avoid detection and to get around any blocklisting applied to their own servers. It can also reduce their costs, as the computer’s owner is paying for the internet access.
Hackers can also use zombies to launch a “denial-of-service” attack. They arrange for thousands of computers to attempt to access the same website simultaneously, so that the web server is unable to handle all the requests reaching it. The website thus becomes inaccessible.
See also Denial-of-service attack, Spam, Backdoor Trojan.
Sophos.com
Tuesday, February 10, 2009
Voice phishing
Voice phishing is the use of bogus phone numbers to trick people into revealing confidential information.
Phishing originally involved sending out emails that include links to bogus websites, where victims are asked to enter account details or other confidential information. Voice phishing (also known as vishing, v-phishing or phone phishing) asks the victim to call a phone number, rather than visit a website, but the intention is the same: to steal details for financial gain.
An example is the PayPal voice phishing email. The email appears to come from PayPal, the electronic payment service, and claims that the user’s account may have been used fraudulently. It warns that the account will be suspended unless the user calls a phone number to “verify” their details. When the user calls, an automated message asks for their card number. Criminals can then misuse the number for their own gain.
Users may be wary of following links in unexpected email, and they can ensure that they enter the correct web address when they visit a financial services site. They are less likely to know the company’s phone number, though.
To protect against phone phishing, you should use anti-spam software, which can detect phishing mails, and always treat unsolicited email cautiously.
Sophos.com
Monday, February 9, 2009
Virus hoaxes
Virus hoaxes are reports of non-existent viruses.
Hoaxes are usually in the form of emails that do some or all of the following:
• Warn you that there is an undetectable, highly destructive new virus.
• Ask you to avoid reading emails with a particular subject line, e.g. Budweiser Frogs.
• Claim that the warning was issued by a major software company, internet provider or government agency, e.g. IBM, Microsoft, AOL or the FCC.
• Claim that a new virus can do something improbable, e.g. the “A moment of silence” hoax says that “no program needs to be exchanged for a new computer to be infected”.
• Use techno-babble to describe virus effects, e.g. Good Times says that the virus can put the PC’s processor into “an nth-complexity infinite binary loop”.
• Urge you to forward the warning.
If users do forward a hoax warning to all their friends and colleagues, there can be a deluge of email. This can overload mail servers and make them crash. The effect is the same as that of the real Sobig virus, but the hoaxer hasn’t even had to write any computer code.
It isn’t just end users who overreact. Companies who receive hoaxes often take drastic action, such as closing down a mail server or shutting down their network. This cripples communications more effectively than many real viruses, preventing access to email that may be really important.
False warnings also distract from efforts to deal with real virus threats.
Hoaxes can be remarkably persistent too. Since hoaxes aren’t viruses, your anti-virus software can’t detect or disable them.
Sophos.com
Sunday, February 8, 2009
Viruses
Viruses are computer programs that can spread by making copies of themselves.
Computer viruses spread from one computer to another, and from one network to another, by making copies of themselves, usually without your knowledge.
Viruses can have harmful effects, ranging from displaying irritating messages to stealing data or giving other users control over your computer.
A virus program has to be run before it can infect your computer. Viruses have ways of making sure that this happens. They can attach themselves to other programs or hide in code that is run automatically when you open certain types of file. Sometimes they can exploit security flaws in your computer’s operating system to run and spread themselves automatically.
You might receive an infected file in a variety of ways, including via an email attachment, in a download from the internet, or on a disk. As soon as the file is launched, the virus code runs. Then the virus can copy itself to other files or disks and make changes on your computer.
Sophos.com
Saturday, February 7, 2009
Trojan horses
Trojan horses are programs that pretend to be legitimate software, but actually carry out hidden, harmful functions.
A Trojan program claims to have one function (and may even appear to carry it out), but actually does something different, usually without your knowledge. For example, DLoader-L arrives in an email attachment and claims to be an urgent update from Microsoft for Windows XP. If you run it, it downloads a program that uses your computer to connect to certain websites, in an attempt to overload them (this is called a “denial-of-service” attack).
Trojans cannot spread as fast as viruses because they do not make copies of themselves. However, they now often work hand-in-hand with viruses. Viruses may download Trojans that record keystrokes or steal information – and some Trojans are used as a means of infecting a computer with a virus.
See also Backdoor Trojans.
Sophos.com
Friday, February 6, 2009
Spyware
Spyware is software that enables advertisers or hackers to gather information without your permission.
Spyware programs are not viruses (they do not spread to other computers) but they can have undesirable effects.
You can get spyware on your computer when you visit certain websites. A pop-up message may prompt you to download a software utility that you “need”, or software may be downloaded automatically without your knowledge.
The spyware then runs on the computer, tracking your activity (for example, visits to websites) and reports it to others, such as advertisers. It may also change the home page displayed when you start your internet browser, or use a dial-up modem to call premium-rate phone numbers. Spyware also consumes memory and processing capacity, which may slow or crash the computer.
Good anti-virus programs can detect and remove spyware programs, which are treated as a type of Trojan.
Sophos.com
Thursday, February 5, 2009
Spoofing
Spoofing is sending email that appears to come from one sender but has actually been sent by another.
SMTP does not verify who the sender is. If a company’s mail server accepts connections on the SMTP port, anyone can connect to that port and send email that appears to be from an address on that site; the address can be a genuine email address or a fictitious address. This is called “spoofing”.
Spoofing can be put to a number of malicious uses.
Phishers, criminals who trick users into revealing confidential information, use spoof sender addresses to make it appear that their email comes from a trusted source, such as your bank. The email can redirect you to a bogus website (e.g. an imitation of an online banking site), where your account details and password can be stolen.
Phishers can also send email that appears to come from inside your own organization, e.g. from a system administrator, asking you to change your password or confirm your details.
Criminals who use email for scams or frauds can use spoof addresses to cover their tracks and avoid detection.
Spammers can use a spoof sender address to make it appear that an innocent individual or company is sending out spam. Another advantage for them is that they are not inundated with non-delivery messages to their own email address.
You can make spoofing harder in various ways.
You can configure your mail system to refuse to relay mail for hosts or users that have not authenticated, and, where a server handles only internal mail, to restrict which hosts may connect to its SMTP port at all.
You can also use cryptographically signed email (for example S/MIME or PGP). A valid signature ensures that messages come from the senders they appear to be from, and that the message has not been modified.
Ensure that your mail delivery system allows logging and is configured to provide sufficient logging to assist you in tracking the origin of spoofed email.
Consider a single point of entry for email to your site. You can implement this by configuring your firewall so that SMTP connections from outside your firewall must go through a central mail hub. This will provide you with centralized logging, which may assist in detecting the origin of mail spoofing attempts to your site. It also means the Received header written by that hub is the one reliable record of where a message entered your network; headers added earlier in the chain were written by the sender and can be forged.
Sophos.com
Wednesday, February 4, 2009
Spear phishing
Spear phishing is the use of spoof emails to persuade people within a company to reveal their usernames and passwords.
Unlike phishing, which involves mass-mailing, spear phishing is small-scale and well-targeted. The spear phisher mails users in a single business. The emails appear to come from another member of staff at the same company and ask you to confirm a username and password. A common tactic is to pretend to be from a trusted department that might plausibly need such details, such as IT or Human Resources. Sometimes you are redirected to a bogus version of the company website or intranet. When you reply, the phisher takes the details and misuses them.
The spear phisher can easily generate the victims’ addresses by using spammers’ software that combines given names and family names, for example. He or she also needs to send emails to only a single domain, which makes it less likely that the email will be detected as spam.
Sophos.com
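The Spoofing and Spear phishing entries above both come down to the same check a mail hub can make: does a message that claims to be from one of your own staff actually come from inside, and does the visible From line agree with the envelope sender? The following is an added example, not Sophos code and not part of either entry. It parses the headers of a constructed message (the domains, host names and addresses are invented; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges) and walks the Received chain from the newest hop back, trusting only the lines written by the organisation’s own relays, as the Spoofing entry’s central-hub advice implies. The Received pattern covers the common "from host (rdns [ip]) by host" shape and is an assumption for this example; real headers are free-form.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture): it claims to come from the
# company's own helpdesk, but the Received line written by the company's own
# relay shows it arrived from an outside host.
SAMPLE = """\
Return-Path: <bounce@mail-blast.example.net>
Received: from mailhub.example.com (mailhub.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP id 123; Tue, 3 Feb 2009 10:00:00 +0000
Received: from relay7.mail-blast.example.net (unknown [203.0.113.45])
\tby mailhub.example.com with SMTP id 456; Tue, 3 Feb 2009 09:59:58 +0000
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Confirm your password

Please reply with your username and password to keep your account active.
"""

# Assumed for the example: our domain and the relays whose Received lines we trust.
OUR_DOMAIN = "example.com"
OUR_RELAYS = {"inbox.example.com", "mailhub.example.com"}

# Received headers are free-form; this pattern covers the common
# "from <helo-name> (<reverse-dns> [<ip>]) by <host>" shape used in the sample.
RECEIVED = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)


def received_hops(msg):
    """Return (from_host, from_ip, by_host) per Received header, newest first.
    Mail servers prepend Received lines, so the first one is the last hop."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED.search(" ".join(raw.split()))  # unfold continuation lines
        if not m:
            continue
        ip = re.search(r"\[([0-9.]+)\]", m.group(2))
        hops.append((m.group(1).lower(), ip.group(1) if ip else None,
                     m.group(3).lower()))
    return hops


def entry_point(hops, our_relays):
    """Walk from the newest hop back while the line was written by one of our
    own relays; the first 'from' host that is not ours is where the message
    entered the organisation. Anything older was written by the sender and
    can be forged, so it is not consulted."""
    for from_host, from_ip, by_host in hops:
        if by_host not in our_relays:
            break
        if from_host not in our_relays:
            return from_host, from_ip
    return None


def spoof_indicators(raw, our_domain=OUR_DOMAIN, our_relays=OUR_RELAYS):
    """Return human-readable reasons the message looks spoofed (empty if none)."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    env_dom = envelope.rpartition("@")[2].lower()
    # The header From (what the user sees) and the envelope sender (where
    # bounces go) normally share a domain; spammers split them on purpose
    # so that non-delivery reports land on someone else.
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From domain {from_dom} differs from envelope sender domain {env_dom}")
    entry = entry_point(received_hops(msg), our_relays)
    # Mail that claims to be internal should never arrive from outside.
    if from_dom == our_domain and entry is not None:
        findings.append(f"claims to be internal but entered from {entry[0]} [{entry[1]}]")
    return findings


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE):
        print("SPOOF?", reason)
```

Both findings fire for the sample: the From domain does not match the bounce address, and a message signed "IT Helpdesk" entered through an outside relay. The first check alone is weak (mailing lists and bulk senders legitimately split the two); the second is the one that catches the internal-impersonation spear phish, and it only works because the hub that wrote the trusted Received line is the single point of entry.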
Tuesday, February 3, 2009
Spam
Spam is unsolicited commercial email, the electronic equivalent of the junk mail that comes through your letterbox.
The commonest types of spam concern:
• prescription drugs, drugs that enlarge or enhance body parts, herbal remedies, or weight-loss drugs
• get-rich-quick schemes
• financial services, e.g. mortgage offers or schemes for reducing debts
• qualifications, e.g. university degrees, or professional titles available for purchase
• online gambling
• cut-price or pirated software.
Spam sometimes comes in disguise, with a subject line that reads like a personal message, e.g. “Sorry about yesterday”, a business message, e.g. “Your account renewal now due”, or a non-delivery message.
Spammers often disguise their email in an attempt to evade anti-spam software (see Obfuscated spam).
People send spam because it is profitable. Spammers can send millions of emails in a single campaign at a negligible cost (and if they can hijack other people’s computers to send the mail, the cost is even less). If even one recipient out of ten thousand makes a purchase, the spammer can turn a profit.
Does spam matter?
• Spam wastes staff time. Users without anti-spam protection have to check which email is spam and then delete it.
• Users can easily overlook or delete important email, confusing it with spam.
• Spam, like hoaxes or email viruses, uses bandwidth and fills up databases.
• Some spam offends users. Employers may be held responsible, as they are expected to provide a safe working environment.
• Spammers often use other people’s computers to send spam (see Zombies).
Sophos.com
Monday, February 2, 2009
Share price scams
Spammers now send out tips to push up the price of shares that can then be sold at a profit.
Share price scams, also known as “pump-and-dump” schemes, involve mass-mailing misleading tips about “high-performing” companies. Victims are encouraged to invest in a company’s shares, pushing up the price artificially; the scammer then sells their own shares at a profit, before the price collapses.
Pump-and-dump mail has all the characteristics of spam. It is unsolicited commercial mail, usually distributed from “zombie” PCs that have been taken over by hackers, and it uses obfuscation techniques to avoid anti-spam software (e.g. the subject line may use “st0ck” instead of “stock”). These emails also make inaccurate claims, although they may include some genuine information from the featured company to appear more plausible.
These scams harm both investors and small companies. When the bubble bursts and share prices plummet, investors lose their money. The collapse in value can also be devastating for companies that have limited assets.
The advice for dealing with these scams is the same as for any other spam: don’t buy, don’t try, don’t reply.
Sophos.com
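The Spam entry mentions obfuscated spam and the Share price scams entry gives the classic instance, “st0ck” for “stock”. The example below, added here and not taken from Sophos, shows how a filter undoes that kind of disguise before matching keywords: it folds accented and full-width characters to ASCII, maps digit and symbol look-alikes back to letters, and discards the dots and spaces used to split a word, so “st0ck”, “s.t.o.c.k” and “ｓｔｏｃｋ” all normalise to “stock”. The look-alike table and the keyword list are assumptions for the example; production filters carry far larger ones. It also counts how many look-alike substitutions the original text needed, which is a signal in its own right. Subject lines are constructed, not real spam samples.

```python
import re
import unicodedata

# Look-alike characters spammers substitute for letters to slip past keyword
# filters ("st0ck", "sh@res", "p!lls"). Assumed table for this example.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l", "!": "i",
})

# Pump-and-dump vocabulary to look for after normalisation (illustrative list).
PUMP_AND_DUMP = ["stock", "shares", "strongbuy", "pennystock", "ticker"]

# A digit or symbol wedged between two letters, e.g. the 0 in st0ck. Ordinary
# prose almost never does this, so the count is evidence of deliberate disguise.
SANDWICHED = re.compile(r"(?<=[A-Za-z])[0-9@$|!](?=[A-Za-z])")


def normalise(text):
    """Undo the usual disguises: fold accented/full-width characters to ASCII
    (NFKD), lower-case, map look-alikes to letters, then drop everything that
    is not a letter so 's.t.o.c.k' and 's t o c k' both collapse to 'stock'."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = text.lower().translate(LOOKALIKES)
    return re.sub(r"[^a-z]+", "", text)


def analyse(text, keywords=PUMP_AND_DUMP):
    """Return the keywords found in the normalised text and how many look-alike
    substitutions the original contained."""
    collapsed = normalise(text)
    return {
        "hits": [k for k in keywords if k in collapsed],
        "lookalikes": len(SANDWICHED.findall(text)),
    }


if __name__ == "__main__":
    # Constructed subject lines, not real spam samples.
    for subject in ("Urgent: this st0ck will explode! Buy sh.a.r.e.s before Monday",
                    "Quarterly stock count in the warehouse on Friday"):
        print(subject, "->", analyse(subject))
```

Collapsing word boundaries is deliberate, because spammers insert them on purpose, but it means “livestock” also matches “stock”; the second subject above is legitimate and still scores a hit. A keyword hit should therefore only raise a score, while a keyword that needed look-alike substitutions to spell (a non-zero lookalikes count next to a hit) is the strong signal.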
Sunday, February 1, 2009
Rootkit
A rootkit is a piece of software that hides programs or processes running on a computer. It is often used to conceal misuse of the computer or data theft.
When malicious software, such as an internet worm, gains access to your computer, it sometimes installs a rootkit. This is often used to hide the presence of utilities that allow a hacker to open a “back door” that gives continuing access to the computer. The hidden utilities may also give the hacker rights to carry out functions that can usually only be performed by a user with special privileges. (On UNIX and Linux computers, such users are called “root”, and hence the name rootkit).
A rootkit can hide keystroke loggers or password sniffers, which capture confidential information and send it to hackers via the internet. It can also allow hackers to use the computer for illicit purposes, e.g. launching a “denial-of-service” attack against other computers, or sending out spam mail, without the user’s knowledge.
Even if a rootkit is not installed with malicious intent (as in the case of Sony’s Digital Rights Management, used to prevent pirating of music CDs), it can make the computer vulnerable to hackers.
Detecting rootkits is difficult. Once a rootkit is running on the computer, you cannot reliably identify all the processes running on that computer, or all the files in a directory – so traditional anti-virus software may not find evidence of the rootkit’s presence. A rootkit may also suspend its activity until the software has finished its scanning. A more reliable method of finding the rootkit is to turn off the computer, restart it from a rescue CD and then use anti-virus software to scan the computer. As the rootkit is not running, it cannot hide itself, although the scanner still has to recognise the rootkit’s files on disk.
Anti-virus programs can detect the Trojans or worms that typically install the rootkit, of course, and some programs can now detect the rootkit itself while it is running.
Sophos.com
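The entry above says that once a rootkit is running you cannot trust a process listing, and that the answer is to look from somewhere the rootkit is not in control. The same idea works on a live Linux system as a cross-view comparison: take the process list two different ways and report anything that appears in only one. The script below is an added example, not Sophos code. It assumes a rootkit that hides processes by filtering the /proc directory listing (hooking the readdir/getdents path) while a direct open of /proc/<pid>/status still succeeds; a rootkit that also hooks path lookups defeats this particular check, which is exactly why the offline rescue-CD scan remains the stronger method. The pid_max cap and the /proc path are Linux specifics.

```python
import os
import re

PROC = "/proc"


def listed_pids(proc=PROC):
    """View 1: what a directory listing of /proc shows. A rootkit that hooks
    readdir/getdents removes its own entries from exactly this list."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid, proc=PROC):
    """View 2: open /proc/<pid>/status for every candidate pid by name, which
    never consults the directory listing. Only thread-group leaders
    (Tgid == Pid) count: on Linux every thread has its own id with a readable
    /proc/<tid>/status, yet threads never appear in the top-level listing, so
    without this filter every thread would be reported as a hidden process."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status") as fh:
                status = fh.read()
        except OSError:
            continue  # no such pid, or permission denied (hidepid mounts)
        m = re.search(r"^Tgid:\s+(\d+)", status, re.M)
        if m and int(m.group(1)) == pid:
            found.add(pid)
    return found


def hidden_pids(listed, probed):
    """Pids reachable by direct path but absent from the listing. Kept as a
    pure set operation so it can be checked on constructed views."""
    return sorted(probed - listed)


def scan(max_pid=None):
    """Full cross-view scan of the running system (Linux only)."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    # Processes start and exit while the probe runs; merging the listing taken
    # before and after it keeps most of those from showing up as 'hidden'.
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return hidden_pids(before | after, probed)


if __name__ == "__main__":
    suspects = scan()
    print("hidden processes:", suspects if suspects else "none found")
```

Run it as root so that every status file is readable, and treat a result as a lead rather than a verdict: a very short-lived process can still slip between the two listings, so a pid is worth investigating when it is reported by two consecutive scans. The same two-view trick applies to files (compare a directory listing with direct stat() calls on expected names) and to network sockets (compare /proc/net/tcp with what a port scan from another host sees).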
