£6 Per Hour…

Guy Bunker

No, this isn’t a comment on minimum wage… £6 ($8.94) is the cost of renting a botnet for an hour! The average hourly cost is further reduced if you rent it for 24 hours. Just what can you do with a botnet? Well, they come with a number of services, most of which are aimed at taking down a legitimate site with various attacks, including ICMP, SYN and HTTP floods.

So, how many machines are in a botnet? Mariposa had 12.7 million PCs… which is a lot of computing power, no matter how you measure it. Many of them were company machines.

The problems with botnets have not diminished – vigilance is needed across the IT estate, and if you are allowing home/personal PCs to be used to access corporate networks (consumerization of IT) then a strategy should be in place to ensure that none of them contribute to a botnet and the problems it creates.

Guy Bunker

The Butterfly effect – Mariposa

Greg Day, EMEA Security CTO for Symantec

A virus-infected network of nearly 13 million computers around the world has been smashed by Spanish police. The Mariposa, or Butterfly, botnet included PCs inside more than half of America’s 1,000 biggest companies and more than 40 major banks.

Our colleague Vikram Thakur recently wrote a blog about the threat. Symantec has been tracking the threat since October 2009. At that time, a security company had reported that a large number of Fortune 100 companies had been infected. The same firm has worked with authorities in arresting alleged key members of the botnet ‘ring’.

Symantec products detect this malicious worm under multiple names, the most prominent of which is W32.Pilleuz. Pilleuz and its variants have been extremely active over the past several months. The threat itself has multiple capabilities and is able to spread via USB devices, instant messaging clients, and P2P. It has the ability to steal credentials and personal information, as well as accept commands from its command-and-control (C&C) server. One such command could be to flood network traffic to a certain domain, thereby performing a distributed denial of service (DDoS).

Details about what role the arrested people played in Pilleuz’s day-to-day operations are still sketchy. We’re hopeful that the arrests will have a significant impact on the infections Symantec is seeing.


Don’t Slow Down Your Business this 2010 – Watch out for these 10 security speed bumps

admin

Two months into the New Year and we’re already starting to see a number of our 2010 cyber security predictions come true. At the start of the new decade, cybercriminals continue to be relentless in their pursuit of new and sophisticated attacks against consumers and enterprises.

Here are 10 serious facts about security that cannot be ignored in 2010:

  1. Cyber Attacks Hurt Businesses: 75 percent of enterprises have suffered a cyber attack in the past 12 months, losing an average of USD $2 million annually.
  2. Global Spam Shift: Asia Pacific and Japan and South America are taking spam share away from the traditional leaders of North America and EMEA.
  3. Malicious Activity Chart Topper: China is the top country for malicious activity, accounting for 25 percent of the global total.
  4. Credit Cards Are Number One Item for Sale: Credit Card information is the most commonly advertised item for sale on the underground economy, accounting for 18 percent of all goods and services.
  5. Banks Get Phished: 76 percent of brands used in phishing attacks in 2010 were in the financial sector.
  6. Out with Traditional Spam, in with Targeted Scams: The total number of scam and phishing messages came in at 21 percent of all spam, which is the highest level recorded since 2007.
  7. News Agenda Drives Attacks: The earthquake in Haiti sadly drove up the volume of scam and phishing messages as spammers used the tragic event for their benefit.
  8. Cybercriminals Follow the Masses: In Asia Pacific and Japan, the top web-based attack for Oct – Dec 2009 was related to the Microsoft® Internet Explorer® ADODB.Stream Object File Installation Weakness, which accounted for 41 percent of the total. 
  9. Increasing Popularity of New Platforms will Drive New Attacks: An increase in iPad-related search terms used for SEO attacks and phishing attacks was observed during the Apple iPad launch.
  10. Cybercriminals After Information Rather than Infrastructures: Theft of intellectual property was reported as the top cyber loss for Singapore businesses.

Further details on the above statistics can be found in the below Symantec reports:

Symantec’s 2010 State of Spam Reports

Symantec’s Quarterly Intelligence Report

Symantec’s 2010 State of Enterprise Security Report

Belinda Lim

Vancouver Winter Olympic Games get underway

admin

Cybercriminals can’t wait for the 2010 Vancouver Winter Olympic Games to get underway tonight. No, spamming, hacking and creating botnets haven’t become an Olympic sport, but these malicious attackers are greatly anticipating the millions of followers who will be going online to watch events, read news and obtain updates on the Games.

Key sporting events such as the Vancouver Olympics and the 2010 Football World Cup provide the perfect scenario to dupe victims around the world with Olympics-related spam emails, phishing attacks and other nasty Web tricks – with the sole purpose of stealing personal information and identities. Symantec anticipates seeing a rise in cybercrime activity during the 2010 Winter Games, as is common around high-profile events.

During the 2008 Beijing Olympic Games, spammers enticed users with newsworthy subject lines to open email messages prompting them to click on links hosting malware.

A few of those subject lines included:

• Are Chinese gymnasts too young for Olympics?

• Beijing Olympics cancelled

• Beijing postpones Olympics due to McCain-Dalai Lama meeting

To avoid being a victim during the 2010 Games, Symantec urges you to follow these best practices:

Purchasing Official Olympic Tickets – When buying tickets online, even from an auction site, be sure it is a reputable online source. For instance, Vancouver2010.com is offering fan-to-fan tickets on a first come, first-served basis.

If it sounds too good to be true, it probably is – Many cybercriminals use extravagant promises such as “exclusive” Olympic pins and merchandise to lure victims into clicking through to malicious sites and divulging personal information.

Use caution when clicking links from within emails or IM messages – Links can contain viruses or Trojans, or lead users to infected websites. Never click a link in a suspicious email. Instead, make it a habit to type the full website URL, such as www.YouTube.com, into your Web browser.

Never fill out forms in messages – Legitimate 2010 Winter Games organizers/sponsors will never ask for personal, financial or password information through an email message.

Update your computer – Have a hacker-free Olympic experience by ensuring that all personal and work computers are protected with up-to-date antivirus software and the latest operating system and application patches.

Dominic Cook

Deck the Halls with Spam and Folly

admin

Spammers have been capitalising on the shift towards online Christmas shopping, warns Symantec’s November State of Spam report, which outlines that sales of ‘luxury goods’ and counterfeit brands continue to dominate spam emails as the holiday season approaches. The top ten subject lines between October and November 2009 were:

  1. Sales receipt from Amazon
  2. Sales Order from walmart.com
  3. Incredible sale for luxury goods
  4. Re: what she wants for Christmas
  5. Give her luxury this holiday season
  6. Bling yourself up this Christmas
  7. Get the perfect gift for Christmas
  8. Impress your friends this holiday season
  9. Xmas on-line cookies
  10. Time limited Christmas promotion

In addition, fake airline ticket spam has also taken off during the holiday season with the promise of cheap deals on airfare used to attract attention from unsuspecting internet users.

British shoppers are expected to spend upwards of £6.8bn online this Christmas, and spammers are desperate to get a slice of the cake. To do this they are crafting subject lines that people are more likely to click on. The top two subject lines indicate that spammers are tricking people into believing that they have a transaction email from two well-known retailers. Although we usually see these types of subject lines associated with phishing or fraud messages, this tactic was actually re-directing users to a bogus online pharmacy site. 

Other key findings from the State of Spam report, include a 9 per cent reduction in spam originating from the EMEA since June 2009 (the region now accounts for 25 per cent of all spam).

So how do you best safeguard yourself against falling victim to seasonal spam and phishing attacks?

- Use directions provided by your mail administrators to report missed spam if you have an option to do so

- Delete all spam

- Avoid clicking on suspicious links in email or IM messages as these may connect you to spoofed websites

- Type web addresses directly into the browser rather than relying upon links within your messages

- Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite

Amanda Grady

One Percent Of US PCs A New Bot?

Guy Bunker

There is a new piece of malware doing the rounds, a Trojan called Zeus or ZBot (and according to one source it has infected 1% of PCs in the US and is now the source of the largest bot network in the world). Most of the larger anti-virus / anti-malware applications, including Symantec & Norton, detect Zeus and its variants – but you do need to keep up to date with the signature files (and therefore your subscription!)

These days, updates happen automatically – as long as you haven’t switched them off. Unfortunately people do switch off the automatic update feature – usually because they want to download something else or watch TV on the PC and they believe that the downloads will affect the speed / picture quality. Well, if you happen to be on a really, really slow line, then there is some truth in that, but for most people, this is no longer an issue – so switch those updates back on!

(And remember… don’t open attachments from people you don’t know, and look closely at attachments from those you do – if it looks like an application, for example a file with the extension .EXE or .MSI, then don’t open that either. The easiest way for malware, especially bots, to be installed on your system is for you to be tricked into doing it!)

Guy Bunker

Understanding security threats

dominic_cook

Last year we embarked on producing an occasional series of short videos looking at common internet threats and issues. So far they have covered: Phishing, Botnets, The Underground Economy and Drive-by Downloads.

We wanted them to be educational, with some humour, to better educate people using the web at home and at work about how to protect themselves from common threats and risks. So far the initial 4 videos have gone down well, being posted on sites like YouTube and Facebook, as well as the Symantec website and even a number of online retailers.

The latest two videos in the series have just been finished. They are:

  1. Symantec Guide to Scary Internet Stuff – No 5 Misleading Applications
  2. Symantec Guide to Scary Internet Stuff – No 6 Denial of Service Attacks

Please have a look at them, and also the other videos in the series, and if you have any thoughts for new topics we should cover, let me know.

Dominic Cook

Government DDoS botnet W32.Dozer continues to spread

dominic_cook

Symantec Security Response is continuing to monitor a cyber attack – a distributed denial of service (DDoS) – impacting multiple U.S. and South Korean government, financial and media Web sites. A portion of the attack is being carried out by a piece of malware Symantec has identified as W32.Dozer and variants of the MyDoom worm that appear to be infecting computers globally.
 
We discovered a new element to the W32.Dozer threat on July 10. The threat contains code that instructs infected systems to erase critical content on the hard drive. When the infected system’s internal clock reaches July 10, 2009, the code will try to find and delete all files with the following extensions:

.accdb, .alz, .asp, .aspx, .c, .cpp, .db, .dbf, .doc, .docm, .docx, .eml, .gho, .gul, .hna, .hwp, .java, .jsp, .kwp, .mdb, .pas, .pdf, .php, .ppt, .pptx, .pst, .rar, .rtf, .txt, .wpd, .wpx, .wri, .xls, .xlsx, .xml, .zip

These file extensions are typically associated with office, business and development applications.

In addition to deleting data files, the code modifies the Master Boot Record so that when the system is rebooted, it renders the system inoperable.
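An added defensive check for the MBR tampering described above (example code, not Symantec’s or the post’s own): it records a SHA-256 baseline of sector 0 and later re-parses the sector to flag a changed hash, a missing boot signature, or a partition table with no bootable entry left. The 512-byte sector is constructed inside the script so it runs offline; on a real host you would read sector 0 with something like `dd if=/dev/sda bs=512 count=1`.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid sector 0
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA, count


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk): one bootable partition."""
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 204800)
    return b"\0" * PART_TABLE_OFFSET + entry + b"\0" * 48 + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Extract the facts an integrity check cares about from a 512-byte sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    return {"signature_ok": mbr[510:] == BOOT_SIGNATURE,
            "partitions": partitions,
            "sha256": hashlib.sha256(mbr).hexdigest()}


def check_mbr(current: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means sector 0 still matches the baseline."""
    info = parse_mbr(current)
    findings = []
    if info["sha256"] != baseline_sha256:
        findings.append("sector 0 differs from recorded baseline")
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition left in table")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]            # record this at a known-good time
    print(check_mbr(b"\0" * MBR_SIZE, baseline))    # simulate an overwritten sector 0
```

A hash mismatch alone is also raised by legitimate bootloader updates, so compare against a baseline taken after the last known-good change.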

W32.Dozer began spreading on July 4, creating a Distributed Denial of Service attack against government, financial and media sites in the U.S. and South Korea. W32.Dozer is a threat that is predominantly distributed as an email attachment. Once a user clicks on the attachment, the threat downloads a package onto the system that contains the following:

• Trojan.Dozer, which is used to overtake the computer for the botnet

• A list of host sites, which instructs the botnet which sites to attack

• MyDoom worm, which is currently believed to be used for its mass-mailing capabilities to redistribute W32.Dozer

Initially, it was reported that the attack leveraged more than 50,000 computers. The growth of the botnet has slowed significantly as users have updated their systems to protect against the threat. The attached heat map shows the spread so far of W32.Dozer – it is no surprise that we have seen most activity in South Korea (red) and the US (green), but other areas of activity have included Canada, China and Australia. Areas experiencing less activity are dark blue.

To help stop this DDoS, Symantec encourages all computer users to update their security software with the latest definitions, keep their computer systems clean and continue to use general best practices for staying safe online. For additional information on this attack, please visit the Symantec Security Response Blog.

Con Mallon