Q4 2008 Threat Summary
Another record-breaking year in the growth of malicious software
- Growth in amounts of malicious software
- Growth in infections
- Growth in the number of botnets
- Growth in criminal profits
- Call for growth in punishment
Detection numbers have tripled
The silent acceleration of malicious software (malware) continues and 2008 has been another groundbreaking year. The year 2007 doubled our overall detection count and that count has now tripled during the year 2008. An additional one million database signatures were added during the year, bringing our total number of signature based detections to approximately 1.5 million.
Historical Detection Count
| Time Period | Total Number of Detections | Detection Signatures Added |
| 1987 - 2006 | 250,000 | 250,000 |
Explosive sample growth
Coupled with the rapid growth of signature detections has been a corresponding growth in our sample collections. Adding signature based malware detections to our databases first requires that copies of the malicious applications be collected for analysis. We have seen vast amounts of suspicious files discovered during 2008.
Our current malware sample management system contained many millions of suspicious applications at the end of last year. During this year, our unique malicious sample totals increased by almost 350 percent. Tens of millions of suspicious samples have been imported, scanned, indexed, classified and categorized by our Response Lab systems. There were well over ten million unique samples collected this year, and there were tens of millions more redundant samples that our systems were required to handle. Our Lab Development team has been very busy maintaining and enhancing the system infrastructure to handle the load. This raw number of incoming samples shows no signs of decreasing anytime soon.
Test file expansion
Such rapid growth of malicious software has demanded an expansion of our database test collection files. Releasing quality databases to our customers is one of our most important responsibilities and we are today testing with five times the amount of files compared to one year ago. This trend will definitely continue into 2009 and we fully expect to expand our test collection by another 500 percent next year.
White list collections
With the introduction of DeepGuard 2.0 into our product line, our non-malicious (clean) file collection is an increasing priority. DeepGuard 2.0 moves part of our security technologies into our cloud based Real-time Protection Network.
Network lookups now allow our DeepGuard behavioral engine to query for the reputation of applications that are being launched on our customers' computers. Good applications are allowed to launch and malicious applications are blocked. Unknown applications undergo behavioral analysis. This technology has altered our processes and our Security Labs are now collecting legitimate files as fast as they are collecting malicious files. Our aim is to expand our clean file collections by ten times the current amount during 2009. Having a huge set of known good applications will allow our behavioral engine heuristics to act more aggressively against the ever increasing amounts of unknown malicious threats.
Exponential growth curves
All of our systems, collections, and databases experienced exponential growth during 2008 and we fully expect this trend to continue into next year.
2008 saw increasing amounts of botnet activity around the world. Botnets are a remotely controlled "robot network" of infected computers, also known as zombies. Botnets are very typically made up of infected consumer computers. The infected zombie computers very often do not display any local symptoms, except possibly lower performance. Just how many bots are there in existence? There are no exact measurements but the potential numbers are staggering.
Worldwide, there are now approximately 1.2 billion computers in use. One of the largest ISPs in Finland estimates that one percent of its customer base exhibits some bot-like behavior. Finland ranks among the safest countries in the world with very low malware infection rates. Finnish ISPs actively police their networks and there are strong regulatory controls provided to authorities. One percent is an extremely low figure compared to worldwide infection rates. Applying just a one percent bot infection rate to 1.2 billion computers yields 12 million potential bots in active operation. This is a very conservative estimate and we would not be at all surprised to discover that the actual figure is many times higher.
It is important to note that not all active bots actually have botmasters (a controlling remote server telling the bot what to do). Many of the world's bots are orphans without a master, their command and control servers having been discovered, abused, and taken out of service. However, even without a master, the bots continue to exist and they do still attempt to call home. They may also attempt to continuously carry out their last assignment and to defend themselves. These orphaned bots are a plague of wasted computing resources and bandwidth.
As for the bots that are still under criminal control - they are a dangerous and growing threat to consumers and businesses everywhere.
During 2008 our Response Lab conducted a small research project focusing on approximately 60 orphaned botnets. Listening to the communication attempts of these bots yielded over 200,000 unique IP addresses within a 24 hour period. We know that 200,000 is just the tip of the iceberg and are planning for more extensive research and anti-bot services during 2009.
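The counting behind the research project above, as an added example that is not the Response Lab's own tooling: a sinkhole that answers for a dead C&C hostname logs every call-home attempt, and the question is how many distinct bots (source IPs) contacted each hostname within a 24 hour window. The log format and all addresses and hostnames are constructed for this example.

```python
"""Count unique bot source IPs seen at a sinkhole within a 24 hour window.

Constructed example (not F-Secure's tooling). Each line records one
call-home attempt captured by a sinkhole standing in for an orphaned
C&C host. Format: "<ISO-8601 UTC timestamp> <source IP> <C&C hostname>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample lines: RFC 5737 documentation addresses and the
# reserved .invalid TLD, so nothing here is a real indicator.
SAMPLE_LOG = """\
2008-11-12T00:00:05Z 198.51.100.23 cnc-one.invalid
2008-11-12T00:00:09Z 198.51.100.23 cnc-one.invalid
2008-11-12T06:30:00Z 203.0.113.7 cnc-one.invalid
2008-11-12T11:45:12Z 192.0.2.44 cnc-two.invalid
2008-11-12T23:59:59Z 203.0.113.8 cnc-one.invalid
2008-11-13T00:00:10Z 203.0.113.9 cnc-one.invalid
2008-11-13T02:00:00Z 192.0.2.44 cnc-two.invalid
not a log line at all
"""

def parse_line(line):
    """Return (timestamp, ip, host), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ts, ip, parts[2]

def unique_bots_per_window(log_text, window=timedelta(hours=24)):
    """Per C&C hostname, count distinct source IPs inside the window that
    opens at that host's first observed call-home. Repeated attempts from
    the same IP count once; attempts after the window closes are ignored."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r[0])
    window_start = {}
    seen = defaultdict(set)
    for ts, ip, host in records:
        start = window_start.setdefault(host, ts)
        if ts < start + window:
            seen[host].add(ip)
    return {host: len(ips) for host, ips in seen.items()}
```

An IP is only a proxy for a bot: NAT and DHCP churn mean the true machine count can sit on either side of the unique-IP figure.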
Three London area hospitals experienced a worm outbreak this November.
The Register (November 19, 2008):
IT systems at St Bartholomew's (Barts), the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green were taken down on Tuesday following infection by the Mytob worm. The three hospitals make up the Barts and the London NHS Trust.
The US Department of Defense has banned USB drives.
Wired (November 20, 2008):
Malware even made its way into space during 2008.
BBC News (August 27, 2008):
Scareware scams on the rise
Rogue security software scams have grown to become a major consumer issue during 2008. Fake security products using strong-arm fear tactics have been produced in bulk. New websites to promote their installation and purchase appear every day.
Scareware affiliates, who are paid a large percentage of the sale for each purchase, use very nasty techniques to ensure installation. Rootkit techniques are common and variants will attack and uninstall rival affiliates.
The unfortunate consumers who enter into the trap can spend hours trying to remove the rogues. Many surrender and attempt to resolve the issue by making the purchase.
The situation has created enough concern that Microsoft and Washington State are suing scareware pushers in the United States.
Washington Post (September 29, 2008):
"We're absolutely certain that consumers across the country have been deeply affected by this."
SQL injection attacks targeted Chinese language sites
Our mid-year security summary noted the use of SQL injection attacks to inject sites with malicious code. As hosts to the 2008 Olympics, China saw a surge of such attacks focused on Chinese language sites.
News from the Lab (August 8, 2008):
With all the attention on China these days, especially in conjunction with the Beijing 2008 Olympics Games, and with "China" being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web - and we've been seeing some interesting examples of SQL injection attacks specifically targeting websites designed for a Chinese audience, whether from the mainland or overseas.
Like most SQL injection attacks, these attacks begin with a compromising script being injected into a legitimate site, compromising it and redirecting its users to a malicious website. This website then takes advantage of the vulnerabilities available on the user's computer to download and execute malicious programs.
Malware is driven by profit and we can clearly see that criminals will focus their efforts on a new audience if it develops enough of a market presence.
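The mechanics described in the quoted post, as an added example that is not from the report or from F-Secure: the query defect that lets injected input rewrite a site's SQL, the parameterized form that closes it, and a content-integrity check for the footprint such attacks leave, an externally sourced script tag stored in page content. The schema, rows and hostname are constructed for this example.

```python
"""Constructed example (not the report's code): a SQL injection defect,
its parameterized fix, and a check for script tags injected into stored
page content."""
import re
import sqlite3

def make_db():
    """In-memory site database with one clean row and one constructed row
    carrying an injected script tag (hostname uses the reserved .example TLD)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("welcome", "Hello from a clean page."),
        ("news", 'Olympics coverage<script src="http://malware.example/x.js"></script>'),
    ])
    return conn

def find_vulnerable(conn, title):
    # Vulnerable: the user-supplied title is spliced into the SQL text, so a
    # value containing a quote changes the statement instead of being compared.
    sql = "SELECT id FROM articles WHERE title = '" + title + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def find_parameterized(conn, title):
    # Hardened: the driver binds the value separately from the SQL text, so
    # quotes and keywords inside it stay literal data.
    sql = "SELECT id FROM articles WHERE title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (title,))]

# An externally sourced script tag inside stored text is the trace the
# injected redirect leaves behind.
INJECTED_SCRIPT = re.compile(r"<script[^>]+src\s*=", re.IGNORECASE)

def articles_with_injected_script(conn):
    """Return ids of rows whose body carries an externally sourced script tag."""
    return [row[0] for row in conn.execute("SELECT id, body FROM articles ORDER BY id")
            if INJECTED_SCRIPT.search(row[1])]
```

Calling both finders with a title that contains a single quote shows the difference: the vulnerable version returns rows the caller never asked for, the parameterized version returns none.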
Attacks continue against high profile targets
Our previous security summaries have noted targeted attacks. During the recent presidential election in the United States the computer systems of both candidates were hit by targeted attacks.
Newsweek (November 5, 2008):
On the morning after Obama's win, there were massive amounts of malicious e-mails using the election and fictitious videos of the President-elect as bait to tempt people to click on a link and install malware.
Such targeted attacks are not new and are expected to continue to be carried out in 2009.
Crime and punishment
Our earlier security summaries have highlighted the challenges involved in bringing cyber criminals to justice. The second half of this year has seen some moderate successes against the business of online crime.
For several years the Estonian domain registrar EstDomains was the largest registrar used by online criminals for their domain name registration needs. In October, the Internet Corporation for Assigned Names and Numbers (ICANN) pulled the plug on EstDomains, and started removing EstDomains from the list of ICANN-accredited registrars.
We first encountered EstDomains in 2005, while we were investigating the infamous WMF vulnerability. Initially the main site distributing malicious WMF files, unionseek.com, was registered via this, then new, Estonian registrar.
Since 2005, tens of thousands of malicious domains have been registered with EstDomains. They included drive-by-download sites, botnet command-and-control servers, spammed domains and so on. Many of the recent fake antivirus tools as well as rogue codecs have been running via EstDomains.
The EstDomains operation was run by Mr. Vladimir Tšaštšin, from the EstDomains office in downtown Tartu. Vladimir Tšaštšin was sentenced earlier this year to six months of jail for credit card fraud, money laundering, and related charges.
This conviction allowed ICANN to exercise its authority and start the termination process. There were some small interruptions to that process, but at this point EstDomains is no longer accredited. Certainly there are other registrars that will be willing to take on dubious domains, but we at least will not miss EstDomains.
Rogue service providers
In September the criminal-enabling ISP Atrivo / Intercage had its upstream service access terminated. The result was a noticeable drop in worldwide spam output.
The take down of Atrivo helped to end the life of the infamous Storm worm botnet which lost a few key components during the termination. Storm was a very successful botnet which utilized an advanced structure and innovative technologies.
A reporter from the Washington Post, Brian Krebs, almost singlehandedly got rid of 2/3 of e-mail spam on the Internet in November. The San Jose (California, USA) based Internet service provider McColo hosted the Command and Control (C&C) servers for several large botnets that were used to send massive amounts of spam to millions of users around the world. Mr. Krebs gathered evidence against McColo and convinced the companies providing bandwidth to the ISP to shut down the connections. In a matter of hours the amount of spam being distributed worldwide dropped by 66 percent.
However, the botnet owners were able to update the network and change the location of the command and control servers to an ISP in Russia. The amount of spam being sent remained at a low level for two weeks but by the end of November they were back up to 70 percent of the original level.
As noted earlier, killing the botmaster doesn't disinfect the bot. The cyber criminals involved are now attempting to reestablish control or to build new botnets. Spam volumes will eventually return to previous levels.
Nevertheless, anything that disrupts the operations of cyber criminals and reduces their profits is a win. More actions like this should be taken. Investigative journalism armed with information from security experts pushed McColo's upstream providers to kill its connections. F-Secure believes that it is time for a professional, authoritative, investigative group to be established.
In an example of what aggressive law enforcement action can accomplish, the FBI announced in October the conclusion of a two-year undercover operation targeting an online carding forum (a criminal service dealing with e.g. stolen credit card information), resulting in 56 arrests. The operation was conducted in cooperation with law enforcement agencies around the world. The sting also resulted in over USD 70 million in fraud being prevented.
FBI (October 16, 2008):
Cyber criminals using this forum represented a virtual transnational criminal network spanning numerous countries who were involved with the buying and selling of stolen financial information including credit card data, login credentials (user names and passwords), as well as equipment used in carrying out certain financial crimes. At its peak the Dark Market website had over 2,500 registered members.
With the take down of Dark Market, there have been numerous arrests, including many in the U.K.
With all of the growth in malware and in online crime, we would like to see growth in the number of arrests and jail sentences for cyber criminals during 2009.
There will be continued growth in the quantity of online threats with a continued incremental evolution of the malware involved. Crimeware is firmly established. Online crime is a business and we do not predict radical shifts in tactics. There are likely to be hundreds of millions to billions of dollars lost each year to crime. A good percentage of that is involved with online transactions in one form or another. With such a record of successful growth, we don't expect the formula to change very much.
The number of smartphones globally has grown from approximately 300 million in 2007 to approximately 475 million by the end of 2008. These figures are expected to continue growing, meaning there is an increasing number of people with both personal and business related information such as contacts, photos or e-mails, stored on their smartphones. Even though there has not been a significant increase in malware for mobile phones, it is important to secure the data in case the smartphone is lost or stolen with anti-theft solutions.
We have seen a small but increasing number of Mac OSX trojans during 2008. The latest, Trojan-Downloader:OSX/Jahlev.A, includes functionality to install future malware components.
We predict that we'll see additional Mac trojans during 2009, and that we will also see new security solutions and vendors entering the Mac OSX market.
Botnets will grow and will adopt new technologies such as the Peer to Peer (P2P) functions exhibited by the Storm worm. Recent successes against rogue ISPs will prompt malware authors to develop disaster recovery plans.
Additional successes in cutting off command and control servers could incite an online territory war as online gangs compete for existing resources.
We predict that authorities will recognize the value in fighting online crime and the need will increase for the establishment of an international agency tasked with enforcement knowledge or investigative assistance. The call for the establishment of "Internetpol" by Mikko Hypponen, Chief Research Officer at F-Secure, has been received with great interest internationally.