12/8/2010 01:48 PM
Rustock Most Prolific Botnet

Phishing attacks are down from 2009, but spam, viruses, and malicious web sites are on the rise, reports Symantec.

Spam is on the rise. From 2009 to 2010, spam moved from comprising 88% of all email to 89.1%. In the same timeframe, the number of malicious Web sites discovered per day increased by 24% and virus-borne emails increased by 58%, while -- thankfully -- the number of emails containing phishing attacks actually dropped by 27%.

Those results come from a new MessageLabs Intelligence report released by Symantec Hosted Services on Tuesday.

The report also found that the world's most prolific botnet is now Rustock, which pumps out 44 billion spam emails per day. To keep the spam flowing, operators of the leading botnets -- Rustock, Cutwail, and Grum -- continue to innovate.

"With successful and resilient botnet operations established in prior years... cybercriminals experimented with many tactics to keep spam campaigns active and fresh this year," said Paul Wood, MessageLabs Intelligence senior analyst at Symantec Hosted Services. "From leveraging newsworthy events like the FIFA World Cup to taking advantage of the widespread popularity of URL shortening services and social networks... spammers deployed a variety of tricks to bypass spam filters and lure potential victims."

Botnet operators are also getting more practiced at sneaking their malware past security scanners. MessageLabs said it saw 339,600 different strains of malware sent via email in 2010, a hundred-fold increase over 2009. The sharp rise is due to the emergence of polymorphic malware variants such as Bredolab. Bredolab's polymorphic engine, for example, alters the code it generates each time it propagates a copy of itself, so that each copy looks different to signature-based security software and escapes detection.

MessageLabs said that Bredolab, more than other malware, has been pushing the state of the art in evading detection, using techniques such as padding its code with junk instructions, disabling antivirus software, and going dormant when it detects that it is running in a debugging environment, so as to foil researchers' analysis.

While high-volume, botnet-distributed attacks are on the rise, so are very small, discrete, and targeted attacks. MessageLabs said that in 2005, it saw perhaps one or two targeted attacks per week. But by the end of 2010, it saw an average of 77 attacks per day.

"Typically, between 200 and 300 organizations are targeted each month, but the industry sector varies and high-seniority job roles are most frequently targeted -- yet often by way of a general or assistant's mailbox," said Wood. "While five years ago, large and well-known organizations were often targeted, today the scope of targeted organizations has expanded and now no organization is safe from attack."
