Vulnerabilities / Threats
12/8/2010
01:48 PM
Connect Directly
RSS
E-Mail
50%
50%

Rustock Most Prolific Botnet

Phishing attacks are down from 2009, but spam, viruses, and malicious web sites are on the rise, reports Symantec.

How Firesheep Can Hijack Web Sessions
(click image for larger view)
Slideshow: How Firesheep Can Hijack Web Sessions
Spam is on the rise. From 2009 to 2010, spam moved from comprising 88% of all email to 89.1%. In the same timeframe, the number of malicious Web sites discovered per day increased by 24% and virus-borne emails increased by 58%, while -- thankfully -- the number of emails containing phishing attacks actually dropped by 27%.

Those results come from a new MessageLabs Intelligence report released by Symantec Hosted Services on Tuesday.

The report also found that the world's most prolific botnet is now Rustock, which pumps out 44 billion spam emails per day. To keep the spam flowing, operators of the leading botnets -- Rustock, Cutwail, and Grum -- continue to innovate.

"With successful and resilient botnet operations established in prior years... cybercriminals experimented with many tactics to keep spam campaigns active and fresh this year," said Paul Wood, MessageLabs Intelligence senior analyst at Symantec Hosted Services. "From leveraging newsworthy events like the FIFA World Cup to taking advantage of the widespread popularity of URL shortening services and social networks... spammers deployed a variety of tricks to bypass spam filters and lure potential victims."

Botnet operators are also getting more practiced at sneaking their malware past security scanners. MessageLabs said it saw 339,600 different strains of malware sent via email in 2010 -- an increase of a hundred-fold from 2009. The sharp rise is due to the emergence of polymorphic malware variants such as Bredolab. Bredolab's polymorphic engine, for example, alters the code it generates when propagating copies of itself, disguising itself to avoid detection by security software.

More than other malware, MessageLabs said that Bredolab has been pushing the state of the art to evade detection through techniques such as including junk code, disabling antivirus, and immobilizing itself when added to a debugging environment for testing to foil researchers.

While high-volume, botnet-distributed attacks are on the rise, so are very small, discrete, and targeted attacks. MessageLabs said that in 2005, it saw perhaps one or two targeted attacks per week. But by the end of 2010, it saw an average of 77 attacks per day.

"Typically, between 200 and 300 organizations are targeted each month, but the industry sector varies and high-seniority job roles are most frequently targeted -- yet often by way of a general or assistant's mailbox," said Wood. "While five years ago, large and well-known organizations were often targeted, today the scope of targeted organizations has expanded and now no organization is safe from attack."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.