12/8/2010
01:48 PM

Rustock Most Prolific Botnet

Phishing attacks are down from 2009, but spam, viruses, and malicious web sites are on the rise, reports Symantec.

Spam is on the rise. Between 2009 and 2010 its share of all email grew from 88% to 89.1%. Over the same period, the number of malicious Web sites discovered per day rose by 24% and virus-borne email rose by 58%, while the number of emails carrying phishing attacks actually fell by 27%.

Those results come from a new MessageLabs Intelligence report released by Symantec Hosted Services on Tuesday.

The report also found that the world's most prolific botnet is now Rustock, which pumps out 44 billion spam emails per day. To keep the spam flowing, operators of the leading botnets -- Rustock, Cutwail, and Grum -- continue to innovate.

"With successful and resilient botnet operations established in prior years... cybercriminals experimented with many tactics to keep spam campaigns active and fresh this year," said Paul Wood, MessageLabs Intelligence senior analyst at Symantec Hosted Services. "From leveraging newsworthy events like the FIFA World Cup to taking advantage of the widespread popularity of URL shortening services and social networks... spammers deployed a variety of tricks to bypass spam filters and lure potential victims."

Botnet operators are also getting better at slipping their malware past security scanners. MessageLabs said it saw 339,600 different strains of malware sent via email in 2010, roughly a hundred-fold increase over 2009. The sharp rise is driven by the emergence of polymorphic malware such as Bredolab. Bredolab's polymorphic engine rewrites the code it generates each time it propagates a copy of itself, so that every copy looks different to signature-based security software even though the underlying malware is the same.
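Why rewriting each copy defeats file-hash signatures, and what a defender can still key on, is easier to see in code. The following is an added example and is not code from the MessageLabs report or from Bredolab; the `STUB` container layout, the function names and the body text are all hypothetical and constructed for illustration. Each "variant" XOR-encodes the same benign body under a fresh per-copy key, so a blocklist of file hashes built from one captured sample misses every other copy, while a check on the invariant the engine cannot change (the decoded body) catches all of them:

```python
from __future__ import annotations

import hashlib
import random

# Constructed, benign stand-in for a malware body. This is plain text, not code.
BODY = b"constructed stand-in for a malware body (benign text, not executable)"
BODY_SHA256 = hashlib.sha256(BODY).hexdigest()


def make_variant(rng: random.Random, key_len: int = 8) -> bytes:
    """Emit one propagated 'copy' of the body, XOR-encoded under a fresh key.

    Hypothetical layout: b"STUB" | key_len | key | encoded body.
    A new key per copy means every emitted sample has different bytes while the
    decoded body never changes, which is the behaviour the article attributes
    to a polymorphic engine.
    """
    key = bytes(rng.getrandbits(8) for _ in range(key_len))
    encoded = bytes(b ^ key[i % key_len] for i, b in enumerate(BODY))
    return b"STUB" + bytes([key_len]) + key + encoded


def decode_variant(sample: bytes) -> bytes | None:
    """Reverse the stub encoding; return None if the sample is not in this layout."""
    if not sample.startswith(b"STUB") or len(sample) < 5:
        return None
    key_len = sample[4]
    key, encoded = sample[5:5 + key_len], sample[5 + key_len:]
    if key_len == 0 or len(key) != key_len:
        return None
    return bytes(b ^ key[i % key_len] for i, b in enumerate(encoded))


def hash_signature_hit(sample: bytes, blocklist: set[str]) -> bool:
    """Classic file-hash signature: exact match on the bytes as shipped."""
    return hashlib.sha256(sample).hexdigest() in blocklist


def invariant_hit(sample: bytes) -> bool:
    """Signature on what the engine cannot vary: the hash of the decoded body."""
    body = decode_variant(sample)
    return body is not None and hashlib.sha256(body).hexdigest() == BODY_SHA256


def run_trial(n: int = 20, seed: int = 2010) -> dict:
    """Generate n variants; the defender has captured only the first one."""
    rng = random.Random(seed)  # fixed seed so the trial is reproducible
    variants = [make_variant(rng) for _ in range(n)]
    blocklist = {hashlib.sha256(variants[0]).hexdigest()}
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "hash_signature_hits": sum(hash_signature_hit(v, blocklist) for v in variants),
        "invariant_hits": sum(invariant_hit(v) for v in variants),
    }


if __name__ == "__main__":
    print(run_trial())
```

The trial reports twenty distinct sample hashes, a single hit for the hash blocklist, and twenty hits for the invariant check. Real engines are far less tidy than this XOR stub, but the lesson holds: detections that survive polymorphism anchor on what must stay constant (decoded code, behaviour, the decoder's own structure), not on the bytes of one captured file.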

MessageLabs said that Bredolab, more than other malware, has pushed the state of the art in evasion: padding its code with junk instructions, disabling antivirus software, and halting its own execution when it detects that it is running under a debugger, so that researchers cannot easily analyze it.

While high-volume, botnet-distributed attacks are on the rise, so are very small, targeted attacks. MessageLabs said that in 2005 it saw perhaps one or two targeted attacks per week; by the end of 2010 it was seeing an average of 77 per day.

"Typically, between 200 and 300 organizations are targeted each month, but the industry sector varies and high-seniority job roles are most frequently targeted -- yet often by way of a general or assistant's mailbox," said Wood. "While five years ago, large and well-known organizations were often targeted, today the scope of targeted organizations has expanded and now no organization is safe from attack."
