As we fix our sights on the year ahead, criminal gangs involved in spam creation, phishing and virus attacks continue to engage new tactics that take advantage of our relaxed, less cautious frame of mind.
With one in 100 emails containing a virus, people are unwittingly receiving viruses daily. During the holidays, the bad guys will seize the chance to disguise their attacks, capitalising on an increase in genuine well-wishing e-cards and the upsurge in online shopping. To compound this, when we return to work in the New Year it’s often to a cluttered inbox, and we spend the first few days checking messages and surfing the web with a little less caution. Historically, this is a time when a new breed of attacks emerges.
Botnets come of age
On January 19 2007, MessageLabs intercepted the first copies of the “Storm” trojan, taking its name from emails purporting to relate to news about the weather in northern Europe at the time. That weekend, MessageLabs stopped more than a million copies, with many different variants. Its chief purpose appeared to be for the creation of a new botnet.
2007 proved to be a prolific year for this StormWorm with its botnet now estimated to comprise approximately 1.8 million computers worldwide. The botnet has been used to send spam, host phishing sites and also launch DDoS (distributed denial of service) attacks against rival sites.
A DDoS attack occurs when a large number of requests are made to the same website in such a volume that the web server can’t respond to legitimate requests and the site becomes unavailable. Not since the Bagle, Netsky, MyDoom botwars of 2004 have two rival spam gangs attacked each other so openly on the world stage.
These newer-style botnets have become much more resistant to disruption and interference than their predecessors, and are almost self-healing in their ability to recover from any interference. They are able to use DDoS attacks as a form of self-defence when they detect any prying. Traditional botnet countermeasures aren’t very effective against these new breeds, and new methods had to be devised.
Storm botnet attacks used both email attachments and, increasingly, web links as a new attack vector.
Targeted attacks
Similarly, 2006 kicked off with a sharp rise in targeted attacks. Previously, targeted, personalised attacks were predominantly directed at public sector bodies, military organisations and other large businesses, particularly in the aerospace, petroleum, legal and human rights fields. But as we entered 2006, no industry sector could be considered safe.
Most of the early attacks preyed on vulnerabilities in Microsoft Word, but these attacks soon progressed to exploit Microsoft PowerPoint and Excel. Microsoft Word still remains the main vector for attack with 69 percent of attacks preferring this vehicle.
Each targeted attack is tailored to particular needs in terms of which exploit is used, the social engineering techniques employed, which source IPs are used and what the targets will be. Generically, there’s no single feature that could distinguish a targeted attack from a low-scale trojan deployment. However, preventing targeted attacks automatically is still possible, since they expose themselves in similar ways to other malware.
Throughout 2006 MessageLabs continued to see an increase in the level of sophistication in the nature of the targeted attacks facing businesses worldwide. The number of targeted attacks rose from one per week in 2005 to approximately two per day in 2006. Since early 2007, MessageLabs has intercepted around 10 targeted attack attempts daily.
Virus predictions for 2008
2006 was also the first year not punctuated by a really major virus outbreak on the scale of Sobig, Mydoom or Netsky. The almost notable exception was the New Year’s rather bland Nyxem.E (a.k.a. MyWife.D, Blackworm or Kama Sutra). This virus was unique in that each infected computer generated a request to a web page, and in this way Nyxem.E represented a chance to track the spread of the virus, and also the scale of the clean-up operation that quickly followed. MessageLabs intercepted more than four million copies of Nyxem.E during the first week of the outbreak.
During 2007 a number of major new players began to dominate the threat landscape; cyber-criminals who may be perceived as inspirational to their more amateur peers. Responsible for one of the largest botnets in the world, the Storm botnet is an experienced and professional team which MessageLabs predicts will have further impact early in 2008, through its own activities and the antics of new players.
MessageLabs experts also anticipate targeted attack attempts of increased sophistication during early 2008. 2007 was undoubtedly the year of targeted attacks, rising from 10 per day in May to more than 1100 within 16 hours in September, with the rewards obviously outweighing the research required to develop such targeted and personal attacks.
’Tis the season to be spamming
One of the main drivers of the increased spam towards the start of 2007 was a trojan dubbed “SpamThru”. This trojan is responsible for a great deal of the botnet activity behind increased levels of spam over the Christmas/New Year period. SpamThru’s makers are releasing new strains at regular intervals to bypass traditional anti-virus signature detection. Using the “spam cannon” technique, SpamThru utilises a template for each spam it sends and, by combining it with a list of email addresses, each zombie then pumps out millions of spam emails.
It’s not only botnet technology that has evolved; spam also has become more inventive. In 2007 spammers waged stock pump-and-dump campaigns on the public using Adobe Acrobat PDF format files in order to evade traditional defences. Later in the year this moved up a gear by using other file attachment formats, including Microsoft Excel, Word, ZIP and more notably, MP3. The latter example comprised an audio file attachment where the recipient could listen to the spam message being relayed to them.
Spam predictions for 2008
The cyber-criminals’ toolboxes will continue to expand as more file attachments and approaches are adopted. Towards the end of 2007 we saw MP3 files used for the first time for stock spam purposes. MessageLabs experts predict video file formats will be the next on the cyber-criminals’ list of scams, and spammers will follow the example of malware writers with PowerPoint attachments.
As spammers learn from the virus writers’ targeted approach, MessageLabs predicts spam will increase in intelligence in early 2008. Spam-run sizes will remain vast but the content will be more targeted and stickier with the end goal of increasing the currently very low conversion rate.
As with spam, phishing email is typically seasonal, with a marked increase in activity leading up to Christmas and the New Year. 2008 is no exception. MessageLabs has observed phishing activity, and early projections indicate levels will reach a high of around one in 70 messages during December-January. If you’re dependent on anti-virus and anti-spyware software to protect you (instead of a managed service such as MessageLabs that’s always up to date), keep this software up to date during the holidays and download all updates.
MessageLabs recommends a few tips to be safe online this holiday and New Year season:
1. Be skeptical of all unsolicited email. The most common phishing email being sent currently will be worded in an urgent or dramatic tone, asking the recipient for immediate action (e.g. confirming online account details for a bank or other portals such as eBay or PayPal). No online bank or portal would ever solicit personal information this way. Also be wary of “spoofed” messages. The sending domain may appear legitimate, but unless the message is correctly digitally signed there’s no guarantee that the message isn’t a fake.
2. Don’t be fooled by a personally addressed email.
3. Check the security of the website and keep your browser up to date. Confirm the integrity of the host site. Secure connections are denoted with a https:// at the beginning of the address bar rather than just http:// and the “padlock” icon should appear at the bottom right of your browser window. Ensure your browser is running the most up-to-date version and that your security settings are active – if using Microsoft’s Internet Explorer, check for updates via http://www.microsoft.com/security/
4. Never click on links within an untrusted email you think may not be authentic. Avoid completing online forms wanting financial information unless absolutely sure of the integrity of the host site.
5. Check your online accounts regularly. If you see suspicious transactions contact your bank immediately.
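The checks in tips 1, 3 and 4 can be turned into a simple triage script that a help desk or a cautious user could run over a saved message. The following Python script is an added example and is not part of the original article or of any MessageLabs product. It looks for the three signals the tips describe: urgent wording, a sender that is not digitally signed, and links that are not https:// or whose visible text names a different domain from the one the link actually points to. The two sample messages, the domains (bank.example and bank.example.account-verify.example), the DKIM placeholder header and the keyword list are all constructed for the demonstration; checking only for the presence of a DKIM-Signature header stands in for real signature verification, which needs a DNS lookup of the signer’s public key and is not attempted here.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list: wording that tip 1 describes as typical of phishing.
URGENT_WORDS = ("urgent", "immediately", "suspended", "verify now")

# Matches a domain name, optionally preceded by a scheme, inside free text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)

# Constructed sample of a phishing-style message (no real domains involved).
SAMPLE_PHISH = """\
From: "Online Bank Security" <security@bank.example>
To: customer@example.org
Subject: Urgent: confirm your account details
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended unless you act immediately. Please
<a href="http://bank.example.account-verify.example/login">confirm at https://www.bank.example</a> now.</p>
"""

# Constructed sample of a benign message. The DKIM-Signature value is a
# placeholder, not a valid signature; only its presence is checked below.
SAMPLE_LEGIT = """\
From: "Online Bank" <statements@bank.example>
To: customer@example.org
Subject: Your January statement is available
DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER
Content-Type: text/html; charset="utf-8"

<p>Your statement is ready. Sign in at
<a href="https://www.bank.example/statements">https://www.bank.example</a> when convenient.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_in_text(text):
    """Return the first domain name mentioned in the visible link text, if any."""
    match = DOMAIN_RE.search(text)
    return match.group(1).lower() if match else None


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Tip 1: a legitimate-looking From: domain proves nothing unless the
    # message is signed. Header presence is a stand-in for verification here.
    sender = parseaddr(str(msg["From"] or ""))[1]
    sender_domain = sender.rpartition("@")[2].lower() or "(none)"
    if "DKIM-Signature" not in msg:
        findings.append(f"sender {sender_domain} is not digitally signed (no DKIM-Signature header)")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""

    # Tip 1: urgent or dramatic tone demanding immediate action.
    text = (str(msg["Subject"] or "") + " " + html).lower()
    hits = [w for w in URGENT_WORDS if w in text]
    if hits:
        findings.append("urgent wording: " + ", ".join(hits))

    # Tips 3 and 4: every link should be https:// and should lead where its
    # visible text claims it leads.
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target = urlparse(href)
        actual = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append(f"link {href} is not https")
        shown = domain_in_text(visible)
        if shown and shown != actual and not actual.endswith("." + shown):
            findings.append(f"link text shows {shown} but points to {actual}")

    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or ["no findings"])
```

Run as a script it prints the findings for both samples; the benign message produces none, while the constructed phishing message is flagged on all three counts. The domain comparison allows a subdomain of the displayed domain (www.bank.example for bank.example) but not the reverse, which is exactly the trick in the sample link.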
Make a New Year security resolution
By Staff Writers on Jan 30, 2008 4:45PM