The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning.
• Toolkits and threat recycling have made malware easier to create than ever
• Polymorphic technology is being applied to make threats harder to catch
• Botnets, large and small, are used as the foundation of attacks, making most attacks complex
• All major news events are used for social engineering
• Major brands are being appropriated by cybercriminals to lure online victims
But, it’s the numbers we saw that really show the size of the problem:
• A 9x increase in the amount of spam messaging containing malware
• More than 43 million rogue security software installations
• 14.4 million drive-by download attempts in one two-month period
• In May 2009, 95% of all email was spam
• 403 data breaches in 2009, resulting in 220 million exposed records
If you add it all up, it was a frightening year for security issues. But, it’s not all bad news. We’ve been saying that cross-industry cooperation would be critical to deal with the major threats out there. And with the Conficker Working Group and Digital Crimes Consortium, we are seeing that happen. Conficker brought back memories to the security community of the old-school, large-scale threats from years past. And while Symantec customers were protected and benefitted from Symantec’s breadth of experience in dealing with mass-distributed threats, Conficker served as a reminder that while threats of this nature are rare these days, they are not extinct.
So, there is reason for hope. In addition to the cooperation around Conficker, the global cooperation needed to catch criminals that move virtually across borders is starting to happen. The FBI’s Operation Phish Phry is a great example of the security industry working together to thwart cybercrime. And new approaches to security have emerged. At Symantec we’re looking at reputation-based security to be a significant factor in blocking malware in 2010.
The steps above can make a difference—things can only get better from here. For a complete list of security trends from 2009, read on:
Top Internet Security Trends of 2009
• Malware-Bearing Spam – Spam is usually thought of as annoying but not necessarily dangerous. However, between September and October 2009, on average, more than two percent of spam email messages had attached malware; this represents a nine-fold increase in the number of spam messages actually containing malware.
• Social Networking Site Attacks Become Commonplace – 2009 was the year attacks against both social networking sites themselves and the users of those sites became standard practice for criminals. The latter half of 2009 saw attacks utilizing social networking sites increase in both frequency and sophistication. Such sites combine two factors that make for an ideal target for online criminal activity: a massive number of users, and a high level of trust among those users.
• Rogue Security Software – Symantec has identified 250 distinct misleading applications that pretend to be legitimate security software—quite convincingly so in many instances—but which actually provide little or no protection and can in reality infect a computer with the very malware they purport to protect against. From July 1, 2008, to June 30, 2009, Symantec received reports of 43 million rogue security software installation attempts.
• Ready-Made Malware – 2009 saw malware become easier than ever to create. This was largely due to the availability of popular user-friendly toolkits, such as Zeus, that enable even novice hackers to create malware and botnets. Many ready-made threats are in reality a conglomeration of components from other, more established malware (for example, Dozer, which contained components from MyDoom and Mytob). This trend has also made malware more disposable, with a threat appearing then disappearing—sometimes within just a 24-hour period.
• Bot Networks Surge – Bot networks are quickly becoming the foundation of all cyber crime. Symantec has observed that the majority of today’s malware contains a bot command-and-control channel. In 2009, we even saw botnet designers expand their forte by using social networking sites as communication channels.
• Intra- and Cross-Industry Cooperation to Stamp Out Internet Threats – With the anniversary of the first variant of the Conficker threat upon us, we’re reminded of how the increasing organization and sophistication of cybercrime has led to greater cooperation among security vendors, law enforcement, and Internet service providers. Examples seen in 2009 include the Conficker Working Group (CWG), the FBI’s “Operation Phish Phry” bust, and the Digital Crimes Consortium (which had its inaugural gathering in October).
• Current Events Leveraged More Than Ever – Valentine's Day, NCAA March Madness, H1N1 Flu, the crash of Air France Flight 447, Serena Williams, balloon boy, and the deaths of Michael Jackson and Patrick Swayze. Each of these events—along with countless others—was used by malware authors and spammers in 2009 to try to lure unsuspecting Internet users into downloading malware, buying products, and falling for scams. We’ve reached a stage where no popular story goes unnoticed, and we can expect more of the same as major world events such as the 2010 FIFA Soccer World Cup and Winter Olympics get nearer.
• Drive-by-Downloads Lead the Way – The number of attackers secretly infecting Internet surfers by compromising legitimate websites continued to increase. In 2008, Symantec observed a total of 18 million drive-by download infection attempts; however, from just August to October of 2009 alone, Symantec observed 17.4 million.
• The Return of Spam to Pre-McColo Levels – Symantec saw a 65 percent decrease in total spam messages between the 24 hours prior to the late 2008 McColo shutdown and the 24 hours after, resulting in spam levels dropping to just 69.8 percent of all email. In 2009, however, overall spam volumes returned to an average of 87.4 percent of all email, reaching a maximum of 95 percent of all messages at the end of May.
• The Rise of Polymorphic Threats – Polymorphism denotes the ability to mutate. Therefore, polymorphic threats are those in which every instance of the malware is slightly different from the one before it. The automated changes in code made to each instance do not alter the malware’s functionality, but render traditional antivirus detection technologies all but useless against them. Symantec has observed polymorphic threats such as Waledac, Virut, and Sality become more common as online criminals seek to expand their repertoire of ways to circumvent conventional antivirus technology.
• An Increase in Reputation Hijacking – Geocities was a common brand name hijacked by spammers in an attempt to dupe computer users, but with Yahoo’s late October shutdown of the Web hosting service, Symantec has witnessed a vast increase in the number of smaller free Web services, such as URL-shortening sites, whose names and legitimate reputations are being abused by spammers. This has no doubt been aided by advances in CAPTCHA-breaking technology, which makes it easier for malicious characters to establish multiple disposable accounts and profiles used for spamming. Symantec has even observed that some of these smaller Web services companies have actually shut their own sites down as the only way to stop the spam.
• Data Breaches Continue – As of October 13, 2009, 403 data breaches have been reported for the year, exposing more than 220 million records, according to the Identity Theft Resource Center. Well-meaning insiders continue to represent the bulk of data loss incidents with 88% of all data loss incidents caused by insiders such as employees and partners, according to The Ponemon Institute. There are rising concerns, however, about malicious data loss. Fifty-nine percent of ex-employees admitted that they took company data when they left their jobs, according to another study by Ponemon. While organizations are increasingly focused on preventing data loss, it’s clear that more needs to be done to prevent sensitive information from leaving an organization.