
Report

McAfee Threats Report: Fourth Quarter 2009

By McAfee Labs

Key Findings

Spam headlines are often outrageous. Spammers will try anything to get victims to pay attention.

Most headlines are related to current events and celebrity news, from disasters to the death of Michael Jackson.

Lots of spam is an introduction to scams. The 2010 soccer World Cup, Swine Flu, and rampant unemployment are lures to get money out of users’ pockets.

Spam volume fell significantly during the fourth quarter, by 24 percent compared with the third quarter, but the respite will likely be short lived. In spite of this decline, volume is up 35 percent since a year ago.

Malware continues to grow, with 2009 figures increasing more rapidly than those in 2008. Fake security software, AutoRun USB infections, and especially social networking attacks contributed to the totals.

Starting in November we saw dangers on the web greatly increase, with phishing, continuous activity from Koobface, many new Trojans and PUPs, and a sudden spike in suspicious domains registering during the week of December 20.

McAfee Labs observed numerous SQL-injection attacks aimed at vulnerabilities in web server applications. Due to their popularity, Adobe Flash and Acrobat Reader are a huge target for hackers looking for weaknesses in client applications.

Robot networks (botnets) are evolving from vulnerable single command centers to more distributed control using peer-to-peer and HTTP structures. Bot masters will have to put more effort into building their botnets, but they will enjoy greater anonymity for their criminal activities.

Law enforcement has enjoyed some notable successes in fighting cybercrime this quarter. Both the FBI and Romanian authorities have made arrests to break up criminal rings. Unfortunately, it gets easier all the time to become a cybercriminal. Online toolkits, often originating in Russia, make it easy for first-time crooks to get into the botnet business.

Political hacktivism has shown up in more countries. Attacks in Poland, Latvia, Denmark, Switzerland, and even on Twitter have responded to local politics by defacing websites.

Table of Contents

Key Findings
Headlining
  “CEO hung himself”
  “Video of officer murdered”
  “Last seconds of plane”
  “Rockets out of control!”
  “Bomb Blast”
  “How US provoked crisis”
  “Michael Jackson”
Spams and Scams
  World Cup phishing
  H1N1 vaccination leads to infection?
  Desperate times, desperate measures
  Cooler temperatures, cooler spam volumes
Malware Tsunami
Web Threats Ring the World
Injecting the Network
Botnets Evolve
  From IRC to P2P to HTTP
  Bot numbers
Cybercrime Takes a Hit
  Software updates
  Hacktivism
About the Authors
About McAfee Labs
About McAfee, Inc.

Headlining

Spammers often use a technique called headlining to grab a recipient’s attention. Within days or even hours after a popular news story breaks, spam campaigns use aspects of the story to craft a wild headline that appears as the subject of the message. The body of the message won’t necessarily have anything to do with the subject (usually the body is unchanged from the current spam campaign), but the headline can often trick the recipient into taking an extra moment to look at the message.
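One way a mail filter can pick up this pattern is to look at the body rather than the subject: a headlined campaign is one unchanged body reused under many unrelated subjects. The Python below is an added example written for this edition, not McAfee Labs code. It groups messages by a normalized body hash and scores how little vocabulary each subject shares with its body; the sample messages are constructed to mirror the subjects quoted in this section and are not real captured mail.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample messages (not taken from the report): (subject, body) pairs.
# The first four reuse one pharmacy body verbatim under unrelated "news" subjects,
# which is the headlining pattern described above; the last two are ordinary mail.
SAMPLE_MESSAGES = [
    ("GM's CEO hung himself", "Best prices on Viagra and Cialis! Visit our online pharmacy today."),
    ("Video of officer murdered", "Best prices on Viagra and Cialis! Visit our online pharmacy today."),
    ("Last seconds of plane", "Best prices on Viagra and Cialis! Visit our online pharmacy today."),
    ("A-330 blackbox record", "Best prices on Viagra  and Cialis!\nVisit our online pharmacy today. "),
    ("Team meeting moved to 3pm", "Hi all, the meeting is moved to 3pm, room 4B."),
    ("Re: meeting", "Hi all, the meeting is moved to 3pm, room 4B."),
]


def normalize_body(body):
    """Collapse whitespace and case so trivial reflowing does not split one campaign."""
    return re.sub(r"\s+", " ", body).strip().lower()


def body_fingerprint(body):
    """Stable identifier for a message body; identical bodies hash to the same value."""
    return hashlib.sha256(normalize_body(body).encode("utf-8")).hexdigest()


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def subject_body_overlap(subject, body):
    """Fraction of subject tokens that also occur in the body. 0.0 means the subject
    says nothing about the body, which is the hallmark of a headlined spam."""
    subj = tokens(subject)
    if not subj:
        return 0.0
    return len(subj & tokens(body)) / len(subj)


def find_headlining_campaigns(messages, min_distinct_subjects=3, max_overlap=0.2):
    """Group messages by body fingerprint and return the groups whose body is reused
    under at least min_distinct_subjects different subjects, each of which shares
    almost no vocabulary with the body."""
    groups = defaultdict(set)
    bodies = {}
    for subject, body in messages:
        fp = body_fingerprint(body)
        groups[fp].add(subject.strip())
        bodies[fp] = body
    campaigns = {}
    for fp, subjects in groups.items():
        if len(subjects) < min_distinct_subjects:
            continue
        unrelated = sorted(s for s in subjects if subject_body_overlap(s, bodies[fp]) <= max_overlap)
        if len(unrelated) >= min_distinct_subjects:
            campaigns[fp] = unrelated
    return campaigns
```

The overlap score is what separates a headlined campaign from a legitimate thread: the two meeting messages also share a body, but their subjects are drawn from it, whereas none of the pharmacy subjects mention anything the body contains.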

Let’s look back at some news stories in 2009 that generated major spam headlining. Don’t be surprised if you haven’t heard about these exact stories: they tend to be wholly fictional.

“CEO hung himself”

General Motors filed for bankruptcy protection on June 1 having failed to restructure the company to meet a government-imposed deadline. GM had been in the news long before that, with government intervention keeping the company afloat until the worst of the financial crisis had passed. There had been much talk of filing for bankruptcy protection, and in June it finally happened.

Six days later, many of us saw an email with the subject “GM’s CEO hung himself.” The email itself was typical pharmacy spam with a Chinese-registered domain name (the most common type of spam mail at the time); only the subject was different.

“Video of officer murdered”

During the same time as the GM headline and in roughly the same volume was a spam subject about a murdered police officer.

The source of this spam headline was probably not a murdered officer, but the other way around. News stories in late May documented the case of a transit police officer in Northern California charged with murder for shooting a suspect in the back as the latter lay face down. The story involved cell phone video footage taken by witnesses on the train platform.

The story generated a lot of attention because of the video footage, which immediately drew the public to view the incident. It inspired “Video of officer murdered” in two rounds of spam.

“Last seconds of plane”

An Air France Airbus 330 went down in turbulent weather while flying from Brazil to France on June 1. This event immediately set off a huge news frenzy with theories and blame aplenty. Eight days after the crash we saw spam headlining related to the tragedy. The message bodies themselves were standard Chinese newsletter pharmacy spam, but the subjects were based on the incident.

Several of the most common subjects associated with this disaster were “A-330 blackbox record,” “Another plane crushed,” and “Last seconds of plane.”

“Rockets out of control!”

On April 5, North Korea launched a long-range rocket that they claimed was a satellite. The weeks leading up to this test were filled with an abundance of patriotic and militaristic announcements by the North Korean government. During the run-up to the launch spammers relied on news junkies to eagerly look at messages that included “North Korean submarine fired a missle [sic].”

The launch was internally promoted by the government as a sign of great advancement and achievement for the North Koreans. After the attempt was widely viewed by the international community as a failure, the North Korean government allegedly executed its ambassador to South Korea and continued to fire off missiles until everyone was impressed.

This led to the round of spam in late May “Rockets out of control! Korea.”

“Bomb Blast”

In March a group of spam mails carried a subject citing a bombing. Although we can’t know exactly which bomb blast they were referring to (there were many, unfortunately), we can assume that it occurred before the start of the campaign, which began March 16. A likely possibility is the combination of two separate (seemingly unrelated) blasts that occurred on March 5. One was an explosion in Russia that killed six police officers who were working to defuse a terrorist device found in a city cemetery; the other was an explosion in Iraq that killed 12 Iraqi citizens. Though the claim of 18 deaths could be an arbitrary number, the timing between the explosions and the beginning of the multisubject spam campaign makes the two events likely triggers for the spam that followed.

The campaign’s headlines included the following:

• Bomb blast
• Bomb was blasted in your town
• At least 18 killed in your city
• Bombing killed 18 citizens
• Bomb killed 18 citizens
• Bomb explosion
• Why did they explode bomb there?

[Figure 1 chart: “Bomb Blast” subject lines as a percentage of total spam, daily from March 14 to April 4, 2009; vertical axis 0% to 3.5%]

Figure 1: Apparently unrelated bombings in early March brought about this spam campaign.

“How US provoked crisis”

In the third week of May, U.S. President Barack Obama made his first trip to the Middle East. His agenda included the Palestinian-Israeli and the Syrian-Lebanese conflicts and Iran’s nuclear program.

The United States’ extensive international involvement makes it a possible scapegoat for any issue on the planet. Thus it is not possible to determine the exact crisis to which some spam subjects refer, but the president’s trip to the Middle East was one of the most prominent U.S. foreign policy events leading up to the spam campaign.

One of the keys to the trip was a message to Islamic countries stating his hopes for peace in the region. That message was targeted by two spam subjects that appeared during this period: “Dangerous Obama’s joke” and “Strange Obama’s speech.”

On June 4 Obama gave a speech in Cairo to the Muslim world. It was quickly followed by these spam headlines: “Shocking Obama’s speech,” “Obama cursed by Pope,” “Super Obama’s pants,” and “Obama sued for his speech.” The spam authors were clearly watching the trip carefully, though what they learned from it leaves much to be desired.

“Michael Jackson”

The King of Pop has always been a big draw for spam, with his life a constant drama of wealth, intrigue, and secrecy set against an awesome soundtrack. After his death on June 25, spammers were ready only two days later with their first round of subjects:

• Michael Jackson dead? NO!!!
• All M. Jackson’s faces
• Who killed Michael Jackson?
• Jackson is still alive: proof

Other headlines followed in waves, taking advantage of continued interest in Jackson’s incredible and tragic life. The mails themselves were as usual predominantly pharmaceutical offers.

[Figure 2 chart: “Michael Jackson” subject lines as a percentage of total spam, February 28 to November 25, 2009; vertical axis 0% to 1.6%]

Figure 2: Michael Jackson has long been a spammer’s delight. His death on June 25 set off spam aftershocks for weeks.

Spams and Scams

World Cup phishing

The biggest event for sports fans around the world is the FIFA soccer World Cup. With the recent announcement of the final draw for the games that will take place in South Africa in June and July, interest in the event and how to obtain tickets is now in full swing. Ever the opportunists, cybercriminals have started distributing World Cup–themed phishing scams to trick fans out of their sensitive information.

Figure 3: This particular scam is not related to World Cup tickets, although the first line of the message might lead you to believe that it is. It is merely operating as bait to get potential victims to continue reading.

As the tension builds for this immensely popular tournament, the number and quality of related scams is sure to increase. This is too big an event for criminals to ignore. We can anticipate their sending emails with links to malicious web sites and poisoning search engine results for World Cup–related topics. These attempts will try to get you to give up your credit card details or infect your PC with malware. If you are interested in purchasing tickets or travel packages to the event, visit a travel agent you trust and go to the official FIFA website for more information. (FIFA says very few travel agents will have tickets.) Never assume that links in unsolicited emails are legitimate. Always go directly to the source if you want to ensure that the tickets you purchase are not part of a scam.

H1N1 vaccination leads to infection?

In the McAfee Threats Report: Third Quarter 2009 we discussed how the Internal Revenue Service’s name was being exploited.1 Criminals used the IRS label as a ploy to get users to download a malicious application that would purportedly allow them to fix an error in their tax filing that had resulted in their income being underreported. This quarter another government agency, the Centers for Disease Control and Prevention (CDC), was spoofed by cybercriminals in a broad spam campaign.

The glut of information online, in print, and in broadcast media regarding the “Swine Flu” has created worldwide anxiety about the truths and myths of the disease. Spammers have set up a scam that leads users to believe the CDC has created a program for people to verify their vaccination records via an online profile.

1. The Report is available in nine languages at https://www.sodocs.net/doc/2a2702821.html,/us/threat_center/white_paper.

Figure 4: Spammers have spoofed a government health agency to play on fears of the H1N1 (Swine Flu) epidemic.

Clicking the link to create a “vaccination profile” takes victims to a very official-looking website where they receive a temporary ID for their vaccination profiles. The site instills a sense of urgency that visitors need to fill out their profiles quickly, and offers a link to download what is needed to complete the profiles.

Figure 5: This link from the “CDC” actually downloads a Zeus Trojan variant.

What users really receive is a Zeus Trojan variant. Zeus is easily built malware that has lowered the bar of sophistication required to create a network of infected computers; downloading it places the victim’s computer in a remotely controlled botnet.

Federal government agencies such as the CDC and IRS do not conduct official business such as this via email. These agencies have no knowledge of or need for your email address to communicate with you. If you are interested in official announcements from the CDC, visit the agency’s website directly.

Desperate times, desperate measures

During the recent worldwide economic downturn the unemployment rate in the United States has risen to 10 percent, with 21.9 percent of those unemployed having been so for 27 weeks or more.2 Mix this with the pressures of the holiday shopping season and we have a dangerous cocktail for criminals to take advantage of vulnerable people in precarious situations. And even for those still employed, who wouldn’t mind a little extra money for the holidays? In response, we observed a number of phony get-rich-quick and work-at-home scams this quarter, particularly in early December.

Some of these were what security professionals call a blended threat: one that leverages multiple technologies to deliver the scam. In one case the spammer used a combination of email and Twitter status updates from an account set up solely for spam. This lets the spammer put only minimal information in the body of the email and move the more “spammy” content to the Twitter page, which helps the message get past filters and into inboxes. The scam rides on the widespread use of Twitter to get users to click the link to the “status update.”

Get-rich-quick schemes have been around for years. They are not new, but we must be aware of their existence and the fact that cybercriminals frequently employ them.

Figure 6: Today’s economic conditions make quick-money scams immensely popular with criminals.

The scam in Figure 6 appears to promise that for only US$1 a respondent will receive a kit explaining the best ways to make money online using Google, and that the viewer is one of the lucky few who can take advantage of the opportunity. It goes on to show how much more effective the Google system is than other online money-making methods such as paid surveys and contests. The VeriSign logo in the bottom right corner proves its legitimacy! This pitch sounds great until victims give

card–specific information, and isn’t concerned with billing or shipping addresses. You can bet that card data will be used to create new cards that will be sold to the criminal underground for profit. The only people who will make money in this scheme are the bad guys.

2. Figures as of November 2009, courtesy of the U.S. Department of Labor.

Cooler temperatures, cooler spam volumes

As the calendar moved from the hot summer months to cooler autumn, spam volumes similarly cooled down. After reaching a record 175 billion spam messages per day in the third quarter of 2009, we observed a decline in the fourth quarter to 133 billion per day. This represents a quarter over quarter decline of 24 percent. This decrease is likely to be short lived, however, as volumes have increased during the second half of December. The primary catalyst was a 40 percent increase in spam on just one day: December 14. Although this leap could be related to a final holiday shopping season push by spammers, history has shown that the holiday push generally extends well into the first quarter of the following year. Thus the higher traffic is likely not solely related to the holidays.

[Figure 7 chart: global spam volumes, 2006 through 2009, in billions of messages per day (left axis, 0 to 200) and spam as a percentage of all mail (right axis, 0% to 100%)]

Figure 7: Global spam volumes and spam as a percentage of all mail.

Even though we saw a decline this quarter, the overall historical trend still points upward. Compared with the fourth quarter of 2008, volume is up 35 percent. Despite the ebbs and flows that we saw throughout the year, 2009 still averaged approximately 135.5 billion spam messages per day, an 11 percent increase over the average volume of 122 billion per day in 2008 and a 77 percent increase over the 76.5 billion per day in 2007.

[Figure 8 chart: new zombies sending spam, monthly, vertical axis 0 to 6,000,000]

Figure 8: The appearance of new botnet zombies, which send spam worldwide, has shown a slow but steady decline since June.

Zombie production in the United States fell notably during the quarter as China, which maintained its level, took over the number-one ranking by country. Brazil held onto third place, and Russia, which had dropped in both the second and third quarters, bounced back to fourth.

Top 10 Countries Producing Zombies (percent of total newly created zombies)

             Q4 2009                          Q3 2009                          Q2 2009
Rank  Country          % of total    Country          % of total    Country          % of total
 1    China                  12.0    United States          13.1    United States          15.7
 2    United States           9.5    China                  12.2    China                   9.3
 3    Brazil                  8.5    Brazil                  8.0    Brazil                  8.2
 4    Russia                  7.0    Germany                 7.3    Russia                  5.6
 5    Germany                 6.0    Rep. of Korea           5.1    Germany                 5.3
 6    Rep. of Korea           5.0    Italy                   4.3    Italy                   4.0
 7    Italy                   3.5    India                   3.4    Rep. of Korea           3.8
 8    United Kingdom          3.2    Russia                  3.0    India                   3.2
 9    Taiwan                  3.0    United Kingdom          2.9    United Kingdom          3.0
10    Spain                   2.6    Spain                   2.6    Spain                   2.6
      Total                  60.3    Total                  61.9    Total                  60.7

Figure 9: Top 10 countries of newly created zombie computers, by quarter. These systems are hijacked to send spam to millions of email addresses.

The United States remains number one in spam production, but the country’s lead slipped significantly this quarter due to the worldwide decline in spam. The total for the Top 10 countries continued to fall as botnet distribution by country changes slowly. Seven of the top countries from last quarter remain in the group. Romania returned to the Top 10, and Ukraine and Germany joined the list for the first time in 2009.

Top 10 Countries Producing Spam (percent of total spam volume)

            Q4 2009                  Q3 2009                  Q2 2009                  Q1 2009
Rank  Country          %       Country          %       Country          %       Country          %
 1    United States    15.6    United States    25.0    United States    25.5    United States    35.0
 2    Brazil           11.2    Brazil           12.1    Brazil            9.8    Brazil            7.3
 3    India             5.6    India             5.3    Turkey            5.8    India             6.9
 4    Venezuela         4.4    Poland            4.5    India             5.6    Rep. of Korea     4.7
 5    Rep. of Korea     3.8    Rep. of Korea     3.1    Poland            4.9    China             3.6
 6    Ukraine           3.7    Venezuela         3.1    Rep. of Korea     4.6    Russia            3.4
 7    Poland            3.6    Turkey            2.9    Russia            2.4    Turkey            3.2
 8    Romania           3.3    Argentina         2.2    Romania           2.3    Thailand          2.1
 9    Germany           2.9    Colombia          1.9    Spain             2.1    Romania           2.0
10    Russia            2.4    Russia            1.8    Czech Rep.        1.9    Poland            1.8
      Total            56.5    Total            61.9    Total            64.9    Total            70.0

Figure 10: Spam volumes were down markedly this quarter, with the United States showing the biggest decrease. A little more than half of all global spam originated in just ten countries.

Malware Tsunami

The year 2009 will go down in history for many things. Economic crisis, climate issues, health care, and even Internet threats gained massive media attention during the year.

There were plenty of computer threats prior to 2009, to be sure: MyDoom, Blaster, robot networks, and spam, to name just a few. Yet 2009 was both a transformative and an evolutionary year for computer threats. Aside from the sheer increase in the volume of threats we saw in 2009 (we now face tens of thousands daily), more and more of these threats are Internet based, including website-driven attacks and attacks centered on Web 2.0 technologies. We also saw portable storage device threats at an all-time high, as well as rogue security software that has truly gotten out of control.

At the source of this malware tsunami is money. Threats and malware make money. Bots make money. Fake security software makes tons of money. The lures and methods criminals use differ, but they reflect common online user behaviors more than ever before. When a celebrity dies or a catastrophic weather event happens, people want information on it. Cybercriminals know that people will go to the Internet for that information, and they react rapidly to the opportunity. Almost all high-impact news leads to the same threats, fake websites and poisoned search results, with the same goal in mind: data theft.

Let’s look at some specifics:

[Figure 11 chart: total malware samples in McAfee Labs’ database, monthly from January 2008 to December 2009; vertical axis 0 to 35,000,000]

Figure 11: In the final quarter of 2009 McAfee Labs saw the continued rise of malware that we had predicted for 2009.

[Figure 12 chart: unique fake security software samples discovered, monthly from January 2008 to December 2009; vertical axis 0 to 400,000]

Figure 12: Rogue security software of all types continues to be a major threat to computer users. Driven by significant profits from sales of these fake security products, malware authors and distributors push them constantly.

[Figure 13 chart: unique AutoRun samples discovered, monthly from January 2008 to December 2009; vertical axis 0 to 160,000]

Figure 13: The immense popularity of portable USB storage devices has brought parasitic malware to the fore. Much nastier and far more complex than Trojans or fake security products, parasitic infectors are true viruses that modify files by injecting code into them. When the user runs the infected file, the virus runs too. The great danger with USB infectors is that Windows will often run them automatically when the device is inserted, with no user action required.
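A first triage step for a suspicious removable drive is to read its autorun.inf, the file that tells Windows what to run on insertion. The Python below is an added example, not McAfee Labs code or a tool the report describes. It parses the file tolerantly (USB infectors pad it with junk lines that break strict INI parsers) and reports which entries would launch a program, whether the AutoPlay prompt is disguised as the normal “open folder” choice, and whether the payload sits under a RECYCLER-style directory. Both sample files, including the payload path, are constructed for the example.

```python
import re

# Constructed autorun.inf files (not from the report). The first uses the layout
# typical of USB infectors of the period: every launch hook points at one payload
# hidden under a RECYCLER-style directory, and the AutoPlay entry is dressed up as
# the normal "open folder" choice. The second only sets a drive icon and label.
SAMPLE_AUTORUN_MALICIOUS = r"""[autorun]
;comment line
@@garbage line without an equals sign, inserted to trip naive parsers@@
open=RECYCLER\S-1-5-21-1234\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-1234\setup.exe
shell\explore\command=RECYCLER\S-1-5-21-1234\setup.exe
shellexecute=RECYCLER\S-1-5-21-1234\setup.exe
"""

SAMPLE_AUTORUN_BENIGN = r"""[autorun]
icon=drive.ico
label=Holiday photos
"""

# Keys whose value Windows would execute: open, shellexecute, and the shell verb
# commands (shell\<verb>\command) that replace the drive's Explorer context menu.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
FOLDER_LURE_RE = re.compile(r"open folder|view files|explore", re.IGNORECASE)
HIDDEN_PATH_RE = re.compile(r"recycler|recycled|system volume information|\$recycle\.bin", re.IGNORECASE)


def parse_autorun(text):
    """Tolerant INI parse: keep key=value pairs from the [autorun] section and
    ignore comments and junk lines instead of failing on them."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text):
    """Return the parsed entries, the programs the file would launch, a list of
    human-readable findings, and a coarse risk rating."""
    entries = parse_autorun(text)
    launch_targets = sorted({v for k, v in entries.items() if LAUNCH_KEY_RE.match(k)})
    findings = []
    if launch_targets:
        findings.append("launches a program on insertion or double-click: " + ", ".join(launch_targets))
    if any(k.startswith("shell\\") for k in entries):
        findings.append("replaces the drive's Open/Explore verbs in Explorer, so a double-click on the drive runs the payload")
    if launch_targets and FOLDER_LURE_RE.search(entries.get("action", "")):
        findings.append("AutoPlay prompt disguised as a folder action: " + entries["action"])
    if any(HIDDEN_PATH_RE.search(t) for t in launch_targets):
        findings.append("payload hidden under a RECYCLER/System Volume Information style path")
    risk = "high" if launch_targets else "low"
    return {"entries": entries, "launch_targets": launch_targets, "findings": findings, "risk": risk}
```

The shell\open\command and shell\explore\command findings matter even on a machine where AutoRun is switched off, because those entries change what Explorer does when the user double-clicks the drive. The era’s administrative mitigation, disabling AutoRun for all drive types through the NoDriveTypeAutoRun registry value (0xFF), is background added here rather than something the report states.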

[Figure 14 chart: unique Koobface samples discovered, monthly from January 2009 to December 2009; vertical axis 0 to 30,000]

Figure 14: Malware that targets the users of social networking sites was busier than ever this quarter. Koobface continues to be one of the most prevalent threats due to the tremendous popularity of sites such as Facebook and MySpace.

Web Threats Ring the World

This has been a record year for web-based threats and the fourth quarter finished with a bang. Starting in November we saw dangers on the web greatly increase, with phishing, continuous activity from Koobface, many other Trojans and PUPs, and a sudden spike in suspicious domains registering during the week of December 20. Figure 15 charts the last item.

[Figure 15 chart: new “bad” URLs reported daily, October 1 to December 31, 2009; vertical axis 0 to 20,000]

Figure 15: New websites with malicious reputations, reported daily. This quarter saw a spike of more than 16,000 new sites in a single day.

Koobface activity has picked up considerably during the last half of the year. We have counted 41,582 new unique variations in this quarter. And the increase in URLs that distribute Koobface shows no sign of stopping. The methods have been so effective that we now see copycats making use of Koobface tactics for distribution. We expect those attacks will increase as well.

[Figure 16 map: countries hosting Koobface servers, with each country’s share of hosts]

Figure 16: Not only is Koobface growing rapidly (see Figure 14), it is a global phenomenon. The worm is hosted by servers in 46 countries.

Now let’s take a look at the geographic distribution of web threats—either on compromised machines or on malicious servers and hosts. We found that North America continues to be the leader in hosting malicious content, with Europe/Middle East/Africa in second place, surpassing Asia/Pacific. North America finished first primarily due to the United States. In Europe, Germany leads, followed by the Netherlands and Italy. In Asia it’s no surprise that China is the chief host, followed by Russia and South Korea. Brazil is the top hosting country in Latin and South America, followed by Argentina.

In North America spam URLs make up 41 percent of the total, followed by malicious sites and suspected malicious sites. Within Europe/Middle East/Africa, spam and phishing URLs each make up 31 percent of the total, with malicious sites filling out another 29 percent. This balance is similar in Latin and South America, where we find 36 percent of the URLs associated with spam hosting, while 30 percent host phishing sites, and 25 percent host other sorts of malicious websites. In Asia/Pacific, on the other hand, 31 percent of the total is made up of questionable sites—those servers registered in such a way that the site should be closely monitored. (We expect that figure to diminish due to the changes underway with top-level domain registration in that region.) Spam URLs make up the next largest group at 29 percent, followed by malicious sites at 24 percent.

Injecting the Network

SQL-injection attacks continued to rise this quarter. Between September and December, McAfee Labs’ live sensors recorded the ongoing exploitation of web servers that were specifically targeted for their badly written or badly configured web applications. These attacks came from all over the world, but China was by far the number-one country hosting them. Most of the attacks used publicly known SQL-injection techniques. We also noticed remnants of the Damnec botnet in some of the attempts, a reminder that automated web server exploitation continues to thrive.

Figure 17: SQL-injection attacks are global in scope, but China leads the world in volume by a large margin.
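To make “badly written” concrete, the following Python is an added example, not McAfee Labs code and not tied to any sensor or application named here. It shows a login query that pastes request parameters into SQL beside the parameterized form that survives the same input, and a small request-line check of the kind a sensor uses to spot the publicly known techniques mentioned above. The database and the request lines are constructed for the example; the DECLARE/CAST prelude matched by the last pattern is the form the automated mass-injection tools of that period used to carry a hex-encoded payload.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory stand-in for a web application's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'badly written' form: request data is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterized query: the driver binds the values as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Patterns for publicly known techniques a sensor would look for in request lines.
# The DECLARE/CAST form is the prelude of the automated mass-injection tools of the
# period, which hid their payload as a hex string inside CAST().
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\d]", re.IGNORECASE),   # ' or '1'='1 and friends
    re.compile(r"union\s+(all\s+)?select", re.IGNORECASE),
    re.compile(r";\s*declare\s+@", re.IGNORECASE),
    re.compile(r"\bcast\s*\(", re.IGNORECASE),
]


def looks_like_sqli(request_line):
    """Decode URL escapes first: matching the raw line misses %27 for a quote."""
    decoded = unquote_plus(request_line)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


# Constructed web-server request lines (not from the report's sensors).
SAMPLE_REQUESTS = [
    "GET /product.asp?id=42 HTTP/1.1",
    "GET /product.asp?id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x44%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1",
    "GET /login.asp?user=alice%27%20OR%20%271%27=%271 HTTP/1.1",
    "GET /search.asp?q=union+select+1,2,3-- HTTP/1.1",
    "GET /news.asp?q=cast+iron+pans HTTP/1.1",
]


def flag_requests(lines):
    """Return the indexes of request lines that carry injection attempts."""
    return [i for i, line in enumerate(lines) if looks_like_sqli(line)]
```

With the username `alice' --` the vulnerable query becomes `... WHERE username = 'alice' --' AND password = '...'`, so the password check is commented out and the login succeeds; the hardened query receives the same string as a value and finds no such user. Pattern matching on request lines is a detection aid, not a fix: only the parameterized query removes the vulnerability.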

Looking at client-targeted attacks, our sensors picked up many attempts to exploit Adobe applications, primarily Flash and Acrobat reader.

CVE Identifier    Attack Identifier
CVE-2009-1537     DirectX Null Byte Overwrite Vulnerability
CVE-2009-0658     Adobe Acrobat Reader PDF JBIG2 Remote Code Execution
CVE-2009-1862     Adobe Flash Multiple Products Vulnerability
CVE-2007-5020     Adobe Acrobat Reader PDF Mailto Vulnerability

Figure 18: Vulnerabilities in Adobe applications have become the most popular client-software targets for attackers.

A pair of zero-day attacks caused a stir this quarter. We saw exploitation of the DirectShow vulnerability (CVE-2009-1537),3 which was found in the wild in the second quarter, and of the Microsoft Internet Explorer Style Object Code Execution Vulnerability (CVE-2009-3672).4 Patches for both have already been issued, but exploitation appears to continue, indicating that some people still need to patch their systems.

Botnets Evolve

Robot networks, controlled by bot herders or bot masters, are one of the most common means of distributing spam and malware. The robots are the millions of compromised machines around the world. Botnets have evolved considerably during the past six years. In 2004 the most popular botnets ran over the Internet Relay Chat protocol. Bot masters scanned networks looking for machines with vulnerabilities, which they exploited to take control and increase the size of their botnets. Once a machine was compromised, it received instructions from its master to run a denial-of-service attack against a website, take screenshots of its host, download an updated bot, and so on. Some bots can obey more than 100 commands.

Bot behavior passed a milestone in 2004-2005. In April 2004 we observed 900 or more variants of a single bot. Within a year, the number of variants had almost doubled. The reason for this rapid growth was that by 2005 the source code for creating bots was widely available on underground Internet forums. The source code alone did not cause the explosion; what changed the rules was the release of a GUI application that allowed point-and-click construction. Even people who didn’t know how to develop software could now create their own versions.

3. https://www.sodocs.net/doc/2a2702821.html,/technet/security/advisory/971778.mspx

4. https://www.sodocs.net/doc/2a2702821.html,/technet/security/advisory/977981.mspx

Figure 19: IRC-based bots were the first to appear and still remain common today.

The first bots ran only on Microsoft Windows systems, but a hacker group in Brazil soon created a localized version, written in Perl, that ran on Unix and Linux machines. The group, Atrix-Team, was not part of any criminal organization; its members were “script kids.” Because these versions are open source, we still see them today.

From IRC to P2P to HTTP

IRC botnets are still in action, but they suffer from a single point of failure: the IRC server. Once an IRC server is shut down, the bot master loses control of the bots. In 2007 a new kind of botnet appeared that used a peer-to-peer (P2P) protocol of the sort used for downloading music (Kazaa, eMule, and so on). The P2P botnet arrived with the malware W32/Nuwar (a.k.a. StormWorm), which was based on the eDonkey protocol. The advantage of the P2P approach is more distributed control, making it harder to shut down a botnet. Due to its complexity, however, creating and managing a P2P network is difficult.

Recently we’ve seen a change in how bots are controlled, moving from IRC channels to websites using plain HTTP. This change began with the advent of exploit kits, mostly developed by Russian cybercriminals; Mpack, ICEPack, and Fiesta are a few of the leading kits. They can install software on remote machines and control it from a remote website. All the attackers have to do is send spam with links that lead victims to a website where the exploit kit is installed. Once a victim arrives, the kit determines which exploit to use depending on the system’s country, operating system, browser, and the versions of multiple client applications.

Figure 20: Online toolkits allow even inexperienced criminals to create and spread botnets.

One special case using HTTP control is the Zeus botnet, which specializes in stealing bank credentials. Zeus consists of both a client and a server element. For the client, Zeus offers a builder that helps anyone create a variant of the PWS-ZBot Trojan, which infects machines and connects them to a remote website running the Zeus server.
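Because HTTP-controlled bots must poll their web server to fetch commands, they leave a trace that browsing does not: a fixed-interval series of small requests from one client to one host. The Python below is an added example rather than McAfee Labs code; it parses a constructed proxy log and flags client/server pairs whose request gaps are nearly constant, reporting the period and two supporting signals (every hit on the same path, tiny responses). The hostnames, addresses and the /gate.php path are invented for the example, and the log format is an assumed one. IRC-controlled bots would instead be caught by port and protocol signatures, which this example does not cover.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the report): timestamp src_ip dst_host method path status bytes.
# 10.0.0.7 polls one host every five minutes for a tiny response; 10.0.0.5 browses normally.
SAMPLE_PROXY_LOG = """\
2009-12-20T10:00:00 10.0.0.5 cdn.example.com GET /img/logo.png 200 5123
2009-12-20T10:00:03 10.0.0.5 cdn.example.com GET /css/site.css 200 2210
2009-12-20T10:00:00 10.0.0.7 update.badhost.example GET /gate.php?id=abc 200 142
2009-12-20T10:05:01 10.0.0.7 update.badhost.example GET /gate.php?id=abc 200 138
2009-12-20T10:10:00 10.0.0.7 update.badhost.example GET /gate.php?id=abc 200 140
2009-12-20T10:14:59 10.0.0.7 update.badhost.example GET /gate.php?id=abc 200 141
2009-12-20T10:20:00 10.0.0.7 update.badhost.example GET /gate.php?id=abc 200 139
2009-12-20T10:01:12 10.0.0.5 news.example.com GET / 200 48211
2009-12-20T10:17:45 10.0.0.5 news.example.com GET /story/1 200 30100
2009-12-20T10:41:03 10.0.0.5 news.example.com GET /story/2 200 29870
2009-12-20T11:02:30 10.0.0.5 news.example.com GET /story/3 200 31005
2009-12-20T11:09:51 10.0.0.5 news.example.com GET /story/4 200 30420
"""


def parse_log(text):
    """Split each line of the assumed space-separated format into a record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path, status, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "method": method, "path": path, "status": int(status), "bytes": int(nbytes)})
    return records


def find_beacons(records, min_requests=4, max_cv=0.05):
    """Group requests by (client, server) and flag pairs whose inter-request gaps
    are nearly constant. cv = stdev/mean of the gaps: a person's browsing gaps are
    erratic (cv well above 0.1), a timer-driven bot's are tight (cv near 0). The
    same-path and response-size signals are reported to help an analyst decide."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    beacons = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_requests:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons[pair] = {
                "count": len(hits),
                "period_s": round(mean_gap, 1),
                "cv": round(cv, 3),
                "single_path": len({r["path"] for r in hits}) == 1,
                "avg_bytes": round(statistics.mean(r["bytes"] for r in hits)),
            }
    return beacons
```

The news.example.com pair has as many requests as the beacon but is not flagged, because its gaps range from seven to twenty-three minutes. Real bots add jitter to their timers, so in production the threshold is tuned per environment and the path and size signals carry more weight than this example gives them.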

Bot numbers

Security professionals continue to find new ways to detect and fight botnets. During the last quarter, 50 percent of all botnet infections were carried out by only three variants: Cutwail, Bagle-CB, and Grum. Botnets operating in Brazil, Russia, India, and Vietnam were jointly responsible for 25 percent of all infections. Other countries contributed far smaller numbers.

We noticed last quarter, especially during the holidays, that the Grum, Lethic, and Cutwail botnets were on the rise, making them the fastest-growing botnets. Even a relatively modest growth rate for a botnet the size of Cutwail still represents a great many new bots.

Cybercrime Takes a Hit

During this quarter, various police forces have scored some significant victories. In October, after a two-year investigation, Federal Bureau of Investigation agents in the United States announced the results of Operation Phish Phry.5 They described this computer phishing identity-theft scam as the biggest cybercrime investigation in U.S. history. More than 50 individuals in California, Nevada, and North Carolina, and nearly 50 Egyptians have been charged with crimes including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft. The gang victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about US$1.5 million to bogus accounts they controlled. They sent out phishing email messages directing victims to malicious web pages designed to look like legitimate banking sites.

Figure 21: FBI investigators have charged more than 50 Americans with crimes related to identity theft. (Source: Associated Press)

In the United States, three California residents were the alleged ringleaders, according to the FBI. This trio directed associates to recruit runners who set up the bank accounts.6

Also this quarter, Romania’s national Directorate for Countering Organized Crime caught 19 members of an alleged international ring of bank-card skimmers that has been active in Switzerland, Italy, France, and the United States.7 The police had been secretly watching the gang for nine months, and moved in after they intercepted, in November, a package containing tiny circuit boards designed to surreptitiously intercept and store data from magnetic-stripe swipes. In addition to these fake ATM components, the police found card readers, cloned cards, documents showing wire transfers as well as luxury cars, lots of cash, and handguns.

5. “Operation Phish Phry: Major Cyber Fraud Takedown,” Federal Bureau of Investigation. https://www.sodocs.net/doc/2a2702821.html,/page2/oct09/phishphry_100709.html

6. Indictment after the FBI’s Phish Phry operation: https://www.sodocs.net/doc/2a2702821.html,/securityfix/phishfryInidictment.pdf

7. “Falsificatori de carduri, săltați din Craiova,” Gazeta de Sud. http://www.gds.ro/Eveniment/2009-11-04/Falsificatori+de+carduri%2C+saltati+din+Craiova

Figure 22: Romanian police recently arrested 19 members of an alleged bank-card-skimming group and seized card readers, fake cards, and other hardware. (Source: Gazeta de Sud)

In November, a group of Russian and Estonian hackers were indicted by a U.S. federal grand jury on charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, and aggravated identity theft. In November 2008, they allegedly obtained unauthorized access to the computer network of RBS WorldPay, the U.S. payment-processing division of the Royal Bank of Scotland Group PLC, located in Atlanta. The indictment alleges that the group used sophisticated hacking techniques to compromise the data encryption protecting customer data on payroll debit cards.8 Once the encryption was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of “cashers” with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from over 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada. The $9 million loss occurred within a span of fewer than 12 hours.9

Law enforcement continues its work after indictments and arrests. In our McAfee Threats Report: Third Quarter 2009 we discussed Albert Gonzalez, who was indicted in the TJX and Heartland Payment Systems data-loss incidents.10 He called his credit card theft ring “Operation Get Rich or Die Tryin.” In December, Stephen Huntley Watt, a software engineer who was working for Morgan Stanley at the time of the events, pleaded guilty to creating the sniffing program. Named “blabla,” this crimeware was used by Gonzalez and his alleged accomplices to steal millions of credit and debit card numbers from TJX and other companies. In 2002, Watt was known in black-hat hacker circles as “Jim Jones” and “Unix Terrorist.” He and his friends managed to hack into the accounts of a number of prominent “white hat” hackers and publish their private files and emails. At the 2002 DefCon hacker conference, Watt took the stage with two friends to personally share some of the hacked emails.11

Arrests aren’t the only way to counter cybercriminals. Facebook filed a lawsuit against three men allegedly responsible for phishing and spamming its social network’s members. According to the lawsuit, the men sent “wall spams” containing links for fake goods and services, such as colon cleansers, Macy’s gift cards, and debt solutions.12 Macy’s is one of the premier retailers in the United States. The company did not authorize this campaign and contacted Facebook to request assistance in stopping these deceptive advertisements.

8. Indictment filed by the U.S. District Court for the Central District of California. https://www.sodocs.net/doc/2a2702821.html,/images_blogs/threatlevel/2009/11/rbs-worldpay-indictment.pdf

9. “The $9 Million World-Wide Bank Robbery,” CyberCrime & Doing Time blog. https://www.sodocs.net/doc/2a2702821.html,/2009/11/9-million-world-wide-bank-robbery.html

10. McAfee Threats Report: Third Quarter 2009: https://www.sodocs.net/doc/2a2702821.html,/us/local_content/reports/7315rpt_threat_1009.pdf

11. TJX Hacker Was Awash in Cash; His Penniless Coder Faces Prison: https://www.sodocs.net/doc/2a2702821.html,/threatlevel/2009/06/watt

12. https://www.sodocs.net/doc/2a2702821.html,/documents/12/facebook_lawsuit_2808.pdf
