2008 Security Trends

August 2008

The overall trends in spam and malware can be characterized by a larger number of more targeted, stealthy and sophisticated attacks. Specific observations include:

  • Spam volume increased 100 percent, to more than 120 billion spam messages daily worldwide. That's about 20 spam messages per day for every man, woman and child on the planet.
  • Spam has become more dangerous. Earlier versions of spam attacks were primarily selling some type of product. In 2007, more than 83 percent of spam contained a URL to a rogue Web server that was frequently serving malware. In accordance with a trend towards the blending of different malware techniques, URL-based viruses increased 256 percent.
  • The "Self Defending Bot Network" was introduced. The Storm Trojan is perhaps one of the most sophisticated botnets ever observed. It uses a peer-to-peer (P2P) control scheme to avoid a single control node that would give it away. When researchers or security vendors probe Storm-related Web servers, the Storm Trojan will launch a DDoS attack and relocate the Web server. The quality of the websites delivered by Storm, and the remarkable technical sophistication of the underlying peer-to-peer network, reflect that these threats are being developed by professional engineers.
  • Viruses no longer make headlines, because virus writers have evolved from the previous mass distribution attacks such as Netsky and Bagle. In 2007, viruses were much more polymorphic and typically associated with the proliferation of very sophisticated botnets such as Feebs and Storm.

Spam Still Pays
2007 was the year of spam attachments. Spammers conducted trials of more than 20 different file attachment types to determine which had the best success rates. Rapid onset spam attacks became commonplace, with outbreaks spiking in volume very quickly and anti-spam companies scrambling to adapt. This left little reaction time, and many anti-spam customers found themselves reevaluating anti-spam products that could not adapt.

Many of the most malicious attacks start as a seemingly innocuous spam message with nothing more than a few words of text and a single URL. These messages often slip past traditional spam engines that are looking for keywords, or for graphics touting the latest stock spam. When they land in the recipient's inbox they have made it to the most sensitive part of the corporate network. All it takes is one errant click of the mouse and the payload is downloaded - providing full access to the user's computer, and possibly the internal network.

Malware Platforms
Storm and MPack dominated much of the Internet security news in 2007, but not just because of their size and scope. They both introduced new, more sophisticated techniques that demonstrate the refinement of malicious software. Malware creators are spending more time and resources developing an actual platform that is designed to last and be reused. Delivery methods are also changing, moving toward blended attacks that combine both email and Web services.

Attacks are now originating from directly inside the "protected" corporate network. Many administrators believe they have secured their infrastructures and that spam is nothing more than an irritant. The truth: spam is being used as a gateway, designed to lure users to dangerous sites. To respond, companies must deploy the most advanced email security systems to stop inbound threats, enforce strong classification and scanning of all user-initiated Web traffic and monitor closely for possible internal malware infections. Attacks are also becoming more frequent and are timed to coincide with popular events and major news stories in an attempt to make the message seem more legitimate. These attacks are designed to maximize the spread of malicious content by piggy-backing on strong public interest in sports, political activities, or natural disasters.

The above article is an excerpt from “2008 Internet Security Trends: A report on Emerging Attack Platforms for Spam, Viruses and Malware”, published by Cisco and IronPort. For a complete copy of the report go to: http://www.ironport.com/securitytrends/

To find out how Cisco and IronPort products can help protect your organization, please contact CDW, John Uchaker at 513-677-4119. CDW, drawing on strategic partnerships with Cisco, IBM and Microsoft and the far-reaching experience of its hundreds of engineers, has assisted clients with a full range of technology solutions. For other information, please visit www.berbee.com.