Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Threat Summaries

 

Q4 2008 Threat Summary

 

Another record breaking year in the growth of malicious software

  • Growth in amounts of malicious software
  • Growth in infections
  • Growth in the number of botnets
  • Growth in criminal profits
  • Call for growth in punishment

 

Detection numbers have tripled

The silent acceleration of malicious software (malware) continues and 2008 has been another groundbreaking year. The year 2007 doubled our overall detection count and that count has now tripled during the year 2008. An additional one million database signatures were added during the year, bringing our total number of signature based detections to approximately 1.5 million.

 

Historical Detection Count

Time Period Total Number of Detections Detection Signatures Added
1987 - 2006 250,000 250,000
2007 500,000 250,000
2008 1,500,000 1,000,000

 

Explosive sample growth

Coupled with the rapid growth of signature detections has been a corresponding growth in our sample collections. Adding signature based malware detections to our databases first requires that copies of the malicious applications be collected for analysis. We have seen vast amounts of suspicious files discovered during 2008.

Our current malware sample management system contained many millions of suspicious applications at the end of last year. During this year, our unique malicious sample totals increased by almost 350percent. Tens of millions of suspicious samples have been imported, scanned, indexed, classified and categorized by our Response Lab systems. There were well over ten million unique samples collected this year, and there were tens of millions more redundant samples that our systems were required to handle. Our Lab Development team has been very busy maintaining and enhancing the system infrastructure to handle the load. This raw number of incoming samples shows no signs of decreasing anytime soon.

Test file expansion

Such rapid growth of malicious software has demanded an expansion of our database test collection files. Releasing quality databases to our customers is one of our most important responsibilities and we are today testing with five times the amount of files compared to one year ago. This trend will definitely continue into 2009 and we fully expect to expand our test collection by another 500 percent next year.

White list collections

With the introduction of DeepGuard 2.0 into our product line, our non-malicious (clean) file collection is an increasing priority. DeepGuard 2.0 moves part of our security technologies into our cloud based Real-time Protection Network.

Network lookups now allow our DeepGuard behavioral engine to query for the reputation of applications that are being launched on our customers' computers. Good applications are allowed to launch and malicious applications are blocked. Unknown applications undergo behavioral analysis. This technology has altered our processes and our Security Labs are now collecting legitimate files as fast as they are collecting malicious files. Our aim is to expand our clean file collections by ten times the current amount during 2009. Having a huge set of known good applications will allow our behavioral engine heuristics to act more aggressively against the ever increasing amounts of unknown malicious threats.

Exponential growth curves

All of our systems, collections, and databases experienced exponential growth during 2008 and we fully expect this trend to continue into next year.



Malware 2008


Busy Botnets

2008 saw increasing amounts of botnet activity around the world. Botnets are a remotely controlled "robot network" of infected computers, also known as zombies. Botnets are very typically made up of infected consumer computers. The infected zombie computers very often do not display any local symptoms, except possibly lower performance. Just how many bots are there in existence? There are no exact measurements but the potential numbers are staggering.

Worldwide, there are now approximately 1.2 billion computers in use. One of the largest ISPs in Finland estimates that one percent of its customer base exhibits some bot-like behavior. Finland ranks among the safest countries in the world with very low malware infection rates. Finnish ISPs actively police their networks and there are strong regulatory controls provided to authorities. One percent is an extremely low figure compared to worldwide infection rates. Applying just a one percent bot infection rate to 1.2 billion computers yields 12 million potential bots in active operation. This is a very conservative estimate and we would not be at all surprised to discover that the actual figure is many times higher.



Image 1 / Image 2

It is important to note that not all active bots actually have botmasters (a controlling remote server telling the bot what to do). Many of the world's bots are orphans without a master, their command and control servers having been discovered, abused, and taken out of service. However, even without a master, the bots continue to exist and they do still attempt to call home. They may also attempt to continuously carry out their last assignment and to defend themselves. These orphaned bots are a plague of wasted computing resources and bandwidth.

As for the bots that are still under criminal control - they are a dangerous and growing threat to consumers and businesses everywhere.

During 2008 our Response Lab conducted a small research project focusing on approximately 60 orphaned botnets. Listening to the communication attempts of these bots yielded over 200,000 unique IP addresses within a 24 hour period. We know that 200,000 is just the tip of the iceberg and are planning for more extensive research and anti-bot services during 2009.


Recent outbreaks

Three London area hospitals experienced a worm outbreak this November.

The Register (November 19, 2008):

Computer systems at three major London hospitals are largely back online on Friday morning, three days after a major computer virus outbreak forced staff to disconnect the network.

IT systems at St Bartholomew's (Barts), the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green were taken down on Tuesday following infection by the Mytob worm. The three hospitals make up the Barts and the London NHS Trust.


The US Department of Defense has banned USB drives.

Wired (November 20, 2008):

The decision to terminate use of removable rewritable media is a key component in the strategy to defend against attacks and establish a baseline for information system protection. Memory sticks, thumb drives and camera flash memory cards have given the adversary the capability to exploit our poor personal practices and have provided an avenue of attack," the e-mail continues. "Malicious software (malware) programmed to embed itself in memory devices has entered our systems. Only through a layered defense of training, technology, procedures and personal recognizance, can we regain the high ground.


Malware even made its way into space during 2008.

BBC News (August 27, 2008):

NASA has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG.

  

Scareware scams on the rise

Rogue security software scams have grown to become a major consumer issue during 2008. Fake security products using strong-arm fear tactics have been produced in bulk. New websites to promote their installation and purchase appear every day.



Scareware affiliates, who are paid a large percentage of the sale for each purchase, use very nasty techniques to ensure installation. Rootkit techniques are common and variants will attack and uninstall rival affiliates.

The unfortunate consumers who enter into the trap can spend hours trying to remove the rogues. Many surrender and attempt to resolve the issue by making the purchase.

The situation has created enough concern that Microsoft and Washington State are suing scareware pushers in the United States.

Washington Post (September 29, 2008):

Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.

"We're absolutely certain that consumers across the country have been deeply affected by this."



We know of consumers worldwide that have been affected.



Image 1 / Image 2
 

 


SQL injection attacks targeted Chinese language sites

Our mid-year security summary noted the use of SQL injection attacks to inject sites with malicious code. As hosts to the 2008 Olympics, China saw a surge of such attacks focused on Chinese language sites.



News from the Lab (August 8, 2008):

With all the attention on China these days, especially in conjunction with the Beijing 2008 Olympics Games, and with "China" being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web - and we've been seeing some interesting examples of SQL injection attacks specifically targeting websites designed for a Chinese audience, whether from the mainland or overseas.

Like most SQL injection attacks, these attacks begin with a compromising script being injected into a legitimate site, compromising it and redirecting its users to a malicious website. This website then takes advantage of the vulnerabilities available on the user's computer to download and execute malicious programs.

Malware is driven by profit and we can clearly see that criminals will focus their efforts on a new audience if it develops enough of a market presence.

 

Attacks continue against high profile targets

Our previous security summaries have noted targeted attacks. During the recent presidential election in the United States the computer systems of both candidates were hit by targeted attacks.

Newsweek (November 5, 2008)

At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus [...]. But by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system.



On the morning after Obama's win, there were massive amounts of malicious e-mails using the election and fictitious videos of the President-elect as bait to tempt people to click on a link and install malware.

Such targeted attacks are not new and are expected to continue to be carried out in 2009.

 

 

Crime and punishment

Cyber Victories

Our earlier security summaries have highlighted the challenges involved in bringing cyber criminals to justice. The second half of this year has seen some moderate successes against the business of online crime.

 

EstDomains

For several years the Estonian domain registrar EstDomains was the largest registrar used by online criminals for their domain name registration needs. In October, the Internet Corporation for Assigned Names and Numbers (ICANN) pulled the plug on EstDomains, and started removing EstDomains from the list of ICANN-accredited registrars.

We first encountered EstDomains in 2005, while we were investigating the infamous WMF vulnerability. Initially the main site distributing malicious WMF files, unionseek.com, was registered via this, then new, Estonian registrar.

Since 2005, tens of thousands of malicious domains have been registered with EstDomains. They included drive-by-download sites, botnet command-and-control servers, spammed domains and so on. Many of the recent fake antivirus tools as well as rogue codecs have been running via EstDomains.

The EstDomains operation was run by Mr. Vladimir Tšaštšin, from the EstDomains office in downtown Tartu. Vladimir Tatin was sentenced earlier this year to six months of jail for credit card fraud, money laundering, and related charges.



This conviction allowed ICANN to exercise its authority and start the termination process. There were some small interruptions to that process, but at this point EstDomains is no longer accredited. Certainly there are other registrars that will be willing to take on dubious domains, but we at least will not miss EstDomains.

Rogue service providers

In September the criminal enabling ISP Atrivo / Intercage had its upsteam service access terminated. The result was a noticeable drop in worldwide spam output.

The take down of Atrivo helped to end the life of the infamous Storm worm botnet which lost a few key components during the termination. Storm was a very successful botnet which utilized an advanced structure and innovative technologies.

A reporter from the Washington Post, Brian Krebs, almost singlehandedly got rid of 2/3 of e-mail spam on the Internet in November. The San Jose (California, USA) based Internet service provider McColo hosted the Command and Control (C&C) servers for several large botnets that were used to send massive amount of spam to millions of users around the world. Mr. Krebs gathered evidence against McColo and convinced the companies providing bandwidth to the ISP to shut down the connections. In a matter of hours the amount of spam being distributed worldwide dropped by 66percent.

However, the botnet owners were able to update the network and change the location of the command and control servers to an ISP in Russia. The amount of spam being sent remained at a low level for two weeks but by the end of November they were back up to 70percent of the original level.

As noted earlier, killing the botmaster doesn't disinfect the bot. The cyber criminals involved are now attempting to reestablish control or to build new botnets. Spam volumes will eventually return to previous levels.

Nevertheless, anything that disrupts the operations of cyber criminals and reduces their profits is a win. More actions like this should be taken. Investigative journalism armed with information from security experts pushed McColo's upsteam providers to kill its connections. F-Secure believes that it is time for a professional, authoritative, investigative group to be established.

Dark Market

In an example of what aggressive law enforcement action can accomplish, the FBI announced in October the conclusion of a two-year undercover operation targeting an online carding forum (a criminal service dealing with e.g. stolen credit card information), resulting in 56 arrests. The operation was conducted in cooperation with law enforcement agencies around the world. The sting also resulted in over USD 70 million in fraud being prevented.

FBI (October 16, 2008):

The FBI, in conjunction with many partners in international law enforcement, today announced the conclusion of a two-year undercover operation targeting members of the online "carding" forum known as Dark Market.

Cyber criminals using this forum represented a virtual transnational criminal network spanning numerous countries who were involved with the buying and selling of stolen financial information including credit card data, login credentials (user names and passwords), as well as equipment used in carrying out certain financial crimes. At its peak the Dark Market website had over 2,500 registered members.



With the take down of Dark Market, there have been numerous arrests, including many in the U.K.

 

 

With all of the growth in malware and in online crime, we would like to see growth in the number of arrests and jail sentences for cyber criminals during 2009.


Predictions


Crimeware

There will be continued growth in the quantity of online threats with a continued incremental evolution of the malware involved. Crimeware is firmly established. Online crime is a business and we do not predict radical shifts in tactics. There are likely to be hundreds of millions to billions of dollars lost each year to crime. A good percentage of that is involved with online transactions in one form or another. With such a record of successful growth, we don't expect the formula to change very much.
 


Smartphones

The number of smartphones globally has grown from approximately 300 million in 2007 to approximately 475 million by end of 2008. These figures are expected to continue growing, meaning there is an increasing number of people with both personal and business related information such as contacts, photos or e-mails, stored on their smartphones. Even thought there has not been a significant increase in malware for mobile phones, it is important to secure the data in case the smartphone is lost or stolen with anti-theft solutions.

 


Apple

We have seen a small but increasing number of Mac OSX trojans during 2008. The latest, Trojan-Downloader:OSX/Jahlev.A, includes functionality to install future malware components.

We predict that we'll see additional Mac trojans during 2009, and that we will also see new security solutions and vendors entering the Mac OSX market.
 


Botnets

Botnets will grow and will adopt new technologies such as the Peer to Peer (P2P) functions exhibited by the Storm worm. Recent successes against rogue ISPs will prompt malware authors to develop disaster recovery plans.

Additional successes in cutting off command and control servers could incite an online territory war as online gangs compete for existing resources.
 

 

Punishment

We predict that authorities will recognize the value in fighting online crime and the need will increase for the establishment of an international agency tasked with enforcement knowledge or investigative assistance. The call for the establishment of "Internetpol" by Mikko Hypponen, Chief Research Officer at F-Secure, has been received with great interest internationally.