Welcome to this 2009 annual security report, in which we review the threat landscape over the last year. 2009 was a tough year for businesses around the globe, with no respite from cyber criminals, who generated a volume and variety of spam and malware that many traditional security technologies were ill-equipped to handle.
In this report we take a closer look at the major factors and key developments over the course of the year and their impact on the security landscape, and look ahead to 2010 to provide insight into key threats and areas of concern. The key points to note from this report include the following:
- The MessageLabs Intelligence report for 2009 highlights turbulent spam activity throughout the year, with average spam levels reaching 87.7%, and with a high of 90.4% in May and a low of 73.3% in February. With compromised computers issuing 83.4% of the 107 billion spam messages distributed globally per day on average, the shutdown of botnet-hosting ISPs, such as McColo in late 2008 and Real Host in August 2009, appeared to make botnet operators re-evaluate and enhance their command-and-control backup strategy, so that recovery now takes hours rather than weeks or months. It is predicted that in 2010 botnets will become more autonomous and intelligent, with each node containing built-in, self-sufficient code to coordinate and extend its own survival.
- Botnets continued to rule the cyber security landscape in 2009, with the ten major heavyweight spam-sending botnets, including Cutwail, Rustock and Mega-D, now controlling at least five million compromised computers. Cutwail was a dominant force in both spam and malware in 2009, responsible for issuing 29% of all spam, or 8,500 billion spam messages, between April and November 2009. Cutwail also used its strength to spam out emails containing the Bredolab Trojan dropper, disguised as a .ZIP file attachment.
- One of the major threats of 2009, the Bredolab Trojan, was designed to give the sender complete control of the target computer, which could then be used to deploy other botnet malware, adware or spyware onto the victim's computer. The percentage of spam distributing the Bredolab Trojan dropper increased steadily in late 2009 and reached its highest level in October 2009, when it was estimated that approximately 3.6 billion Bredolab malware emails were in circulation.
- In 2009, 90.6% of spam contained a URL, or hyperlink, driven predominantly by an upsurge in the second half of the year in the use of shortened URLs in spam runs. Shortened URLs disguise the true website that the user will be visiting and make it harder for traditional anti-spam filters to identify the messages as spam. URL shortening was frequently used on social networking and micro-blogging sites and is popular among online criminals because of the inherent trust relationships that exist between users of these sites.
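The filtering difficulty described above is that the link in the message is not the link the user ends up on. One defensive approach is to expand each shortened link through its redirect chain before applying reputation checks to the final host. The following is an added example, not code from the original report or from MessageLabs; the shortener list, the blocklist and the redirect map are constructed stand-ins for data a real filter would obtain from live HTTP requests and maintained feeds.

```python
import re
from urllib.parse import urlparse

# Constructed sample of URL-shortening hosts (assumption; a production
# filter would maintain a much larger, regularly updated list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def expand_url(url, resolve, max_hops=5):
    """Follow redirects via resolve(url) -> next URL or None, stopping at
    a final page, a redirect loop, or the hop budget. Returns (final, hops)."""
    seen = [url]
    for _ in range(max_hops):
        nxt = resolve(url)
        if nxt is None or nxt in seen:   # final page, or a loop
            break
        seen.append(nxt)
        url = nxt
    return url, len(seen) - 1

def analyse_message(body, resolve, blocklist):
    """One record per URL in the body: whether the visible host is a
    shortener, the expanded destination host, the number of redirect hops,
    and whether the destination host is on the reputation blocklist."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        final, hops = expand_url(url, resolve)
        final_host = urlparse(final).hostname or ""
        results.append({
            "url": url,
            "shortened": host in SHORTENER_HOSTS,
            "final_host": final_host,
            "hops": hops,
            "flagged": final_host in blocklist,
        })
    return results

# Constructed, offline stand-in for live HTTP HEAD requests: maps a URL to
# the Location it would redirect to, or None when it is a final page.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://is.gd/xyz",
    "http://is.gd/xyz": "http://pharma-offer.example/buy",
}
def offline_resolve(url):
    return FAKE_REDIRECTS.get(url)

# Constructed sample message: one shortened link, one direct link.
SAMPLE_SPAM = "Great deals http://bit.ly/abc123 today only! See http://www.example.org/news"
```

Only the expanded host is scored, so a shortener chained through a second shortener is still caught on its final destination; a real deployment should rate-limit and cache resolution so the filter itself does not become a traffic source for the spammer's landing page.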
- Besides the global credit crisis, world events, festivities and news stories also contributed to many spam themes in 2009, including St. Valentine's Day, the H1N1 flu pandemic and the deaths of celebrities including singer Michael Jackson and actor Patrick Swayze. Malware writers and even 419-type advance-fee fraud campaigners also got in on the act. For example, in the days following the death of Michael Jackson, we saw Brazilian banking Trojans distributed via malicious hyperlinks themed on his death.
- Finally, CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) came under increased scrutiny this year, as CAPTCHA-breaking tools have been readily traded in the underground economy, allowing cyber criminals to create large numbers of real accounts for webmail, instant messaging and social networking websites. Businesses have also emerged that specialize in providing real people to create real accounts on major webmail services on a 24-hour basis. Often advertised as a data processing job, each worker can expect to receive approximately two to three U.S. dollars per 1,000 accounts created; the accounts are then sold on to spammers for around $30 to $40 per 1,000. Some major sites are already investigating alternatives to the swirling letters and numbers, such as large libraries of photographic images, in which the user must analyze or interact with the image in a way that would be very challenging for a computer program.