Annual Global
Threat Report
Trends for January 2007‐ December 2007
Published March 2008
SCANSAFE ANNUAL GLOBAL THREAT REPORT 2007
FOREWORD
From the first trans‐Atlantic cable laid in 1858 to the introduction of the hypertext transfer
protocol (HTTP) in 1992, mankind has repeatedly invested in the pursuit of seamless, distributed
communications. Today's World Wide Web fulfills that fundamental need to communicate in a
way that even its earliest conceivers likely could never have imagined. Thanks to modern
technology and its easy accessibility, the Web is no longer the static one‐way delivery device of
its creators, but rather a fully collaborative environment that allows the site owner and the site
visitors to interact in real‐time.
In essence, these advances place the site visitor in the role of developer, as their input, uploads,
and contributions help define and manipulate the Website experience, both for themselves and
for other visitors. Less overtly, but no less dynamically, third‐party content providers can also
influence the Website experience through targeted advertising, newsfeeds, and other dynamic
contributions.
This multi‐way flow of information is accomplished through so‐called "Web 2.0" technologies, a
collection of scripting languages and applications that shift the Web paradigm from a one‐to‐
many delivery tool to a many‐to‐many socially‐influenced global communication experience.
But there is a dark side.
Just as the modern Web and Internet technologies have fueled a bustling economy for the
purveyors of legitimate goods and services, Web 2.0 technologies have likewise facilitated a
bustling economy for more sinister purposes.
The end result might be termed ‘the Internet Paradox’ – that which can be enabling can also be
disabling. ScanSafe STAT has a front row seat to this contradictory nature of the Web, the
findings of which are outlined in this 2007 Annual Global Threat Report.
Mary Landesman, Senior Security Researcher, ScanSafe STAT
ABOUT SCANSAFE
ScanSafe is the largest global provider of Web Security‐as‐a‐Service, ensuring a safe and
productive Internet environment for businesses. ScanSafe solutions keep viruses and spyware off
corporate networks and allow businesses to control and secure the use of the Web and instant
messaging. As a fully managed service, ScanSafe's solutions require no hardware, upfront capital
costs or maintenance and provide unparalleled real‐time threat protection. Powered by its
proactive, multilayered Outbreak Intelligence™ threat detection technology, ScanSafe scans
more than 8 billion Web requests and blocks 80 million threats each month for customers in over
50 countries.
With offices in London and San Mateo, California, ScanSafe is privately owned. The company
received a 2007 CODiE award for Best Software as a Service Solution, the 2007 SC Magazine
Europe Award for Best Content Security Solution and was named one of Red Herring’s Top 100
Technology companies. For more information, visit www.scansafe.com.
The ScanSafe Security Threat Alert Team (STAT) is a key part of the ScanSafe Threat Center, which
monitors the global state of Web traffic, 24 hours a day, seven days a week. STAT is comprised of
a group of malware experts dedicated to analyzing trends and anomalies in Web traffic scanned
by the ScanSafe Threat Center and the more than 80 million Web threats it blocks each month.
The team performs ongoing expert analysis of Internet threats including viruses, key loggers, bot
networks, spyware, phishing attacks and other malware and identifies trends in new malware
tactics and how to prevent them.
STAT also provides timely information on significant, newly emerging Web‐borne threats via the
ScanSafe STAT blog (http://blog.scansafe.com) —a tool designed to provide readers with the
pulse on the overall Web threat landscape.
ScanSafe EMEA
The Connection, 198 High Holborn, London, WC1V 7BD
Tel: +44 (0) 20 7959 0630 | Fax: +44 (0) 20 7990 8416 | info@scansafe.com
ScanSafe US
999 Baker Way, Suite 410, San Mateo, CA 94404
Tel: +1 650‐294‐3450 | Fax: +1 650‐294‐3451 | info@scansafe.com
TABLE OF CONTENTS
FOREWORD 2
ABOUT SCANSAFE 3
TABLE OF CONTENTS 4
1. WHY THIS REPORT? 5
1.1 KEY HIGHLIGHTS 6
2. OUTBREAK INTELLIGENCETM 7
3 THE 2007 STATE OF THE WEB 8
3.1 IN THE NEWS 8
3.2 ABOUT THE DATA 9
3.3 THE LIFE AND TIMES OF SITES HOSTING MALICIOUS CODE 9
3.4 BREAKING DOWN THE MALWARE 11
3.5 TYPECASTING 14
3.6 FEAR‐BASED & SOCIALLY ENGINEERED SCAMS 16
3.7 RETRO THREATS 17
3.8 WHY JOHNNY CAN’T WON’T WRITE (GOOD CODE) 18
3.9 WHO WRITES THIS STUFF? 19
4. 2008 SECURITY THREAT PREDICTIONS 21
APPENDIX 1: GLOSSARY 24
1. WHY THIS REPORT?
The ScanSafe Global Threat Report is an analysis of more than 80 billion Web requests processed in 2007 by the ScanSafe Threat Center on behalf of the company’s corporate clients in over 50 countries across five continents.
Our leading position of providing security ‘in‐the‐cloud’ gives us insight into the real‐world Web traffic our corporate customers are sending and receiving. This represents the world’s largest security analysis of real‐world Web traffic.
This report provides a view of the threats which businesses actually face, rather than the ones experienced in labs or artificial environments. Our data is gathered from real‐time analysis by our proprietary threat detection technology, Outbreak Intelligence™ (OI), of every single Web request ScanSafe scanned in 2007.
This approach differs from traditional methods of gathering information on Web‐based malware such as distributed ‘honey‐pot’ networks. The artificial and contrived nature of such methods can lead to a skewed vision of the data which does not reflect the threats that users are actually facing.
At ScanSafe we recognize that Web security requires a proactive approach from a number of perspectives – Network Impact, Technical Characteristics and User Behavior.
[Figure: the three perspectives – Network Impact, Technical Characteristics, User Behavior]
By using the analysis data generated by OI to protect our customers, ScanSafe can report on the threats that our users would have been exposed to had they not used our services.
Among the report’s findings are:
KEY FINDINGS AND BUSINESS IMPACT
1. The number of malicious Web events increased 61% from 1H07 to 2H07.
Business impact: Increased risk of exposure to malware, corporate reputational losses as well as compromised control over network assets.
2. The amount of time a malicious Website remained live increased 62% from 18 days TTL (Appendix 1: Glossary) in 1H07 to 29 days TTL in 2H07.
Business impact: Increased likelihood of exposure to malware. Risk of financial and reputational losses as well as confidentiality and compliance breaches.
3. The amount of time a site hosting zero‐day threats remained live increased 190% from 21 days in 1H07 to 61 days in 2H07.
Business impact: Increased risk of exposure to malware for which there is no existing signature, opening businesses to financial and reputational losses, legal liability, breaches of confidentiality and compliance violations.
4. On average, 21% of all ScanSafe Outbreak Intelligence (OI) blocks were for zero‐day threats.
Business impact: Increased likelihood of exposure to malware for which anti‐virus signatures do not exist, posing legal, confidentiality and compliance risks.
5. Password‐stealing Trojans and backdoors targeting online gamers were the most frequent final stage infectors.
Business impact: Exposure to financial, legal, confidentiality and compliance risks as well as negative effect on productivity.
The key findings of our report above all highlight an increased risk and security threat to
businesses, their networks and their employees. In general corporations today face a variety of
risks which can negatively impact their operations, productivity and security. The nature of the
threats and the impact on businesses can be characterized as follows:
• Increased Security Risks ‐ Security breaches to corporate networks can result in
significant financial and reputational losses as well as compromise control over network
assets.
• Productivity Risks ‐ Business productivity is at increased risk from unfiltered and
unmonitored use of the Internet including use of IM, VoIP and chat room facilities which
can severely limit time at work and waste precious IT resources through increased
troubleshooting, support and bandwidth congestion.
• Legal Risks ‐ Uncontrolled use of network resources can raise a variety of legal issues,
including possible disclosure of proprietary information and exposure to unwanted and
often offensive content, claims from transmissions of viruses as well as claims for denial
of service.
• Confidentiality Risks ‐ Refers to the impact of unauthorized access and distribution of
information assets, such as client information, passwords and research data.
• Compliance Risks ‐ Refers to impact of failure to meet the increasingly complex and
growing scope of government regulations relating to effective systems and processes for
data control. Regulations include: Sarbanes‐Oxley Act, Gramm‐Leach Bliley Act, Basel II,
HIPAA and SAS 70.
2. OUTBREAK INTELLIGENCE™
ScanSafe’s Web security services are powered by Outbreak Intelligence™ (OI), a proprietary security platform that detects zero‐hour and known malware threats.
OI provides the most effective solution against new and known Web malware.
OI uses multiple signature‐based anti‐malware scan engines and multiple heuristic detection
engines to scan inbound and outbound Web traffic in real‐time for new and known Web
malware. OI’s signature‐based scanning detects known Web malware residing on reputable and
uncategorized Web pages. Signature detection utilizes multiple, industry‐leading anti‐malware
scan engines, covers all known spyware and viruses, updates hourly and immediately in
emergencies, receives new signatures within two hours of new malware detection, and is
supported by 24/7 global malware research conducted by the world’s largest malware
laboratories and collection networks.
ScanSafe’s proprietary heuristic engines utilize non‐signature detection techniques and
automated machine‐learning technologies to dynamically generate several thousand fine‐grained
heuristic parameters that reach beyond the scope of security researchers’ prior knowledge of
malware. In addition, OI uses a range of behavior and reputation‐based technologies. As a result,
more than 20% of the threats ScanSafe OI routinely detects are zero‐day threats for which
traditional signatures are not yet available. The URL reputation engine assesses the reputation of
a Web page by examining parameters such as IP address information, country of the Web server,
history and age of the URL, domain registration information, network owner information, traffic
rank of the Web site, URL categorization information, and types of content present.
OI’s traffic behavior engine analyzes network traffic patterns to identify suspicious, atypical
traffic which would suggest malicious code exploiting a vulnerability or malware
communications, for example, from an infected notebook computer to a botnet command‐and‐
control computer. A code behavior engine determines the behavior of the code by modeling
program logic, behavioral rules, and contextual parameters that taken together would suggest
good or bad intentions. The OI code reputation engine examines the Web code itself to
determine if it is unusual and possibly malicious. It compares information such as type of code,
history and age of the code, frequency of the code, file structure/header/content patterns, and
program logic patterns, to code that is known to be good or bad in ScanSafe’s massive Web data
set. The multiple detection engines give their assessments of the code, and these assessments
are then combined to produce a comprehensive view of whether or not the new code is
malicious.
3 THE 2007 STATE OF THE WEB
Preparing an annual threat report provides ample opportunity to reflect back upon changes which have occurred during the previous year and glean some insight into what the future may hold. Assuming that past performance is reflective of future behavior, it appears we may be in for a rough ride in 2008.
Throughout 2007, several high profile incidents occurred. Some, such as the SQL injection attacks
that developed in late December 2007, were most notable for the sheer number of sites
victimized by the compromise. Others, such as the MySpace transparent image ruse, were
notable only because the page resided on a well‐known social network.
Following is a brief timeline of some of the higher profile incidents occurring throughout the
year:
With data network providers in the United States, Europe and Asia, ScanSafe scanned more than 8 billion Web requests and blocked more than 800 million Web threats in 2007 on behalf of corporate customers in over 50 countries. This global view of real‐time Web‐based threats is unique to ScanSafe. The 2007 Annual Global Threat Report is based on malware data collected in the processing of those blocks. Analyzed data includes access times, source and referral URL, and specifics regarding both the cause and the means of each block event.
Analysis based on over 80 billion Web requests.
In 2007, not only did the number of malicious events increase, there was a marked increase in the amount of time a site hosting malicious code remained live (referred to hereafter as TTL).
Chart #1: 2007 Malware Events (% of the year’s blocks): 1H07 39%, 2H07 61%.
To calculate TTL for this report, the first attempted access and last attempted access times were used. Though imperfect, the methodology errs on the conservative side. Thus actual TTL is likely considerably longer than represented in this report.
The TTL is significant for obvious reasons: the longer a malicious site remains active, the greater the risk that more visitors will be exposed and thus the larger the potential victim base becomes.
Note that ScanSafe uses multiple detection disciplines. Both signature‐specific detections and zero‐day block events are presented. In 100% of the cases discussed below and through a combination of technologies, ScanSafe customers were protected from the onset of the observed attack.
Malicious Website TTL for all malware blocks was an average of 24 days persistence in 2007, increasing 62% from 18 days TTL in 1H07 to 29 days TTL in 2H07.
Chart #2: 2007 Average TTL for All Blocked Sites (days of TTL): 1H07 18, 2H07 29.
On average, 21% of the threats detected by ScanSafe are zero‐day events, threats for which traditional signatures are not yet available.
Chart #3: 2007 Composition of OI Blocks: Zero‐Day Threat Detection 21%, Signature‐Detected Malware 79%.
Granularly viewing just these zero‐day blocks, malicious Website TTL for zero‐day events was an average of 41 days in 2007, increasing 190% from 21 days in 1H07 to 61 days in 2H07.
Chart #4: Average TTL for Zero‐Day Sites vs. All Blocked Sites (days of TTL): Zero‐Day TTL 21 in 1H07 and 61 in 2H07; TTL for all blocked sites 18 in 1H07 and 29 in 2H07.
Top ten malware families, based on TTL, were consistently employed for nearly 97% of the year.
3.4 BREAKING DOWN THE MALWARE
The nature of OI and its emphasis on early‐stage attack detection is such that the ratio of type of threat remained constant throughout 2007:
Chart #5: Malware Block Categories. Legend: Downloader/Dropper, Zero‐day Threats, Exploit & iFrame, Backdoor & PWS, Trojan ‐ General, Clickfraud Trojan, Virus & Worm, Rogue Scanner. Segment values shown: 34%, 21%, 21%, 7%, 6%, 4%, 4%, 3%.
Chart #6: Top Ten Malware Families by TTL (days of TTL, axis 330–370): Win32.Rbot, Win32.Klone, Proxy.Win32.Delf, SymbOS.Comwar, Win32.OnLineGames, VBS.Redlof (virus), Win32.Agent, Win32.Nimda, Win32.Allaple, Win32.DNSChanger.
Continued online presence isn’t necessarily indicative of prevalence. By gauging the number of detected sites hosting the respective malware, we are able to calculate the prevalence of a particular family. The top ten based on the number of malicious sites is seen in the chart below:
Top Ten Malware Families Based on Number of Malicious Sites (entries recoverable from the chart):
Win32.Allaple – Network worm – 4.16%
Win32.Fujack – Worm – 1.99%
Win32.Rbot – Backdoor – 0.77%
VBS.Redlof – Virus – 0.74%
MiniCommander – Backdoor – 0.71%
The number of blocks is indicative of the number of access attempts, thus providing a measurement of risk of exposure. The following chart reflects the top ten malware based on the percentage of access attempts that (left unprotected) could lead to infection. Note that family names may encompass multiple types of threats, thus the specific type blocked for that family is also included in the chart above as well as in the chart below.
Top Ten Malware Based on Attempts (entries recoverable from the chart):
FAMILY NAME – THREAT TYPE – % BLOCKS
Win32.OnLineGames – Password stealer – 2.27%
Win32.Allaple – Network worm – 1.07%
Win32.Fujack – Worm – 0.97%
Win32.Nilage – Password stealer – 0.79%
Win32.Slaper – Proxy – 0.52%
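To make the report’s three measures concrete, the following Python script is an added example (not ScanSafe’s code, and not derived from its data) that applies the stated methodology to a handful of constructed block records: TTL per site as the last attempted access minus the first attempted access, averaged per half‐year; prevalence as the number of distinct sites hosting a family; attempt share as the percentage of all blocks per family; and the zero‐day share of blocks. The record format, hostnames, families and function names are all assumptions made for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed block records (one OI-style block event per line):
# access time, blocked URL, malware family, threat type, detection discipline.
# Hostnames, families and timestamps are invented for this example.
RAW_BLOCKS = """\
2007-01-03T09:12:00 http://example-a.test/x.php Win32.OnLineGames password-stealer signature
2007-01-20T14:05:00 http://example-a.test/x.php Win32.OnLineGames password-stealer signature
2007-02-01T08:00:00 http://example-b.test/i.gif Win32.Allaple network-worm zero-day
2007-02-11T08:00:00 http://example-b.test/i.gif Win32.Allaple network-worm zero-day
2007-07-02T10:00:00 http://example-c.test/a.exe Win32.OnLineGames password-stealer signature
2007-08-31T10:00:00 http://example-c.test/a.exe Win32.OnLineGames password-stealer signature
2007-09-05T12:00:00 http://example-d.test/s.swf Win32.Allaple network-worm zero-day
2007-11-04T12:00:00 http://example-d.test/s.swf Win32.Allaple network-worm zero-day
2007-12-10T12:00:00 http://example-e.test/z.js Win32.Fujack worm signature
"""


@dataclass
class Block:
    when: datetime
    site: str          # hostname of the blocked URL
    family: str
    threat_type: str
    detection: str     # "signature" or "zero-day"


def parse_blocks(text):
    """Parse the constructed whitespace-separated block log into Block objects."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, url, family, ttype, det = line.split()
        host = url.split("//", 1)[1].split("/", 1)[0]
        blocks.append(Block(datetime.fromisoformat(ts), host, family, ttype, det))
    return blocks


def half_of(when):
    """Assign a timestamp to the report's half-year buckets."""
    return "1H07" if when.month <= 6 else "2H07"


def site_ttl_days(blocks):
    """TTL per site = last attempted access minus first attempted access, in whole days.
    Like the report's method this is conservative: a site seen once gets TTL 0."""
    first, last = {}, {}
    for b in blocks:
        first[b.site] = min(first.get(b.site, b.when), b.when)
        last[b.site] = max(last.get(b.site, b.when), b.when)
    return {s: (last[s] - first[s]).days for s in first}


def average_ttl_by_half(blocks):
    """Average site TTL per half-year; a site belongs to the half in which it was first seen."""
    ttl = site_ttl_days(blocks)
    first_seen = {}
    for b in blocks:
        first_seen[b.site] = min(first_seen.get(b.site, b.when), b.when)
    buckets = defaultdict(list)
    for site, days in ttl.items():
        buckets[half_of(first_seen[site])].append(days)
    return {h: sum(v) / len(v) for h, v in buckets.items()}


def percent_change(old, new):
    """Percentage increase from old to new, as the report states its 1H07 -> 2H07 changes."""
    return round(100.0 * (new - old) / old, 1)


def prevalence_by_family(blocks):
    """Prevalence = number of distinct sites hosting each family."""
    sites = defaultdict(set)
    for b in blocks:
        sites[b.family].add(b.site)
    return {f: len(s) for f, s in sites.items()}


def attempts_share_by_family(blocks):
    """Share of all blocks per family: each block is one access attempt that could infect."""
    counts = defaultdict(int)
    for b in blocks:
        counts[b.family] += 1
    total = len(blocks)
    return {f: round(100.0 * c / total, 2) for f, c in counts.items()}


def zero_day_share(blocks):
    """Percentage of blocks made by non-signature (zero-day) detection."""
    return round(100.0 * sum(b.detection == "zero-day" for b in blocks) / len(blocks), 2)


if __name__ == "__main__":
    blocks = parse_blocks(RAW_BLOCKS)
    avg = average_ttl_by_half(blocks)
    print("average TTL by half:", avg)
    print("1H07 -> 2H07 change: %s%%" % percent_change(avg["1H07"], avg["2H07"]))
    print("prevalence (sites per family):", prevalence_by_family(blocks))
    print("attempt share (% of blocks):", attempts_share_by_family(blocks))
    print("zero-day share: %s%%" % zero_day_share(blocks))
```

The separation matters in practice: a family can sit at the top of the TTL chart because one site stayed up all year, while being rare by site count and by attempts, which is exactly why the report presents the three views side by side.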
An additional measurement is to view the intended malware, disregarding exploits and downloader/dropper Trojans used to deliver the final payload. When excluding these delivery mechanisms, the following exposure risk was apparent throughout 2007:
Chart #7: Blocks by Type Category (bars in chart order, fewest to most blocks): DNS Changer, Virus, General Trojan, Network worm, Virus, Backdoor, Proxy, Worm, Password‐stealer.
Case Study: India Times Website
In November 2007, email and other services on the IndiaTimes Website were compromised by a redirection/code injection attack that resulted in forcible malware installation (so‐called drive‐by downloads). In the course of the infection, visitors were subjected to a wide assortment of downloader and dropper Trojans, as well as an assortment of backdoors and password‐stealing Trojans. In total, over 430 files were offloaded to victims’ computers.
To render the compromise, attackers exploited weaknesses in the redirection mechanism employed when visitors logged out of affected services offered on the site.
3.5 TYPECASTING
As seen in the chart below, executable file types (which include scripts and other active content) represent the largest risk (71%). It is interesting, however, to note that image types, which represent 20% of blocks, are a greater risk than compressed file types which represent only 9%.
Chart #8: 2007 Blocks by Type Category: Executable 71%, Image 20%, Compressed 9%.
The following chart depicts all blocks by file type, excluding .htm* files:
Chart #9: Top Ten 2007 Blocks by File Type (% of blocks, axis 0–50%; file types in chart order): JAR, ZIP, SWF, CAB, DLL, GIF, JPG, JS, EXE, PHP.
In terms of zero‐day blocks, the file types blocked change somewhat as seen below:
Chart #10: Top Ten Zero‐Day Blocks by File Type (file types in chart order): SWF, GIF, QuickTime, JAR, ZIP, JPG, DLL, JS, EXE, PHP.
The perspective of specific exploits provides a better view to the early stage of compromise. The top exploits blocked in 2007 were heavily dominated by the image handling exploits described in MS07‐017, something not readily apparent when viewing blocks based on file type alone.
Chart #11: 2007 Top Exploits Blocked (% of blocks, axis 0–40%; exploits in chart order): MS05‐001, WMF, QuickTime Player, xmlCore, MS05‐013, Adobe Flash, MS06‐013, Java class objects, ADODB stream, MS07‐017.
In 2007, several high profile sports sites unwittingly served malicious ads, including Websites for the Miami Dolphins, National Hockey League, and Major League Baseball.
Cross‐site scripting (XSS), redirection attacks, request forgeries and attacks on the Web server itself all provide an avenue for compromise of legitimate sites. But often times it is human weakness, and not technology, that leads to the presence of malicious code on otherwise reputable Websites. Busy moderators may not adequately screen comments left on their blogs and forums, thus comment spam containing malicious links is intertwined with legitimate comments from site participants. This lends the comment spam an air of legitimacy – thus increasing the likelihood a visitor will follow the link. It also increases the potential for the maliciously placed comment to increase in search engine rankings, thus widening the net of potential victims. Overall, however, comment spam (which includes malicious forum posts) represented less than 0.1% of all blocks.
A far more prevalent means of exploiting human weaknesses lies in the complex affiliate advertising relationships. Advertising networks strive to make it as simple as possible to consummate the relationship between the site owner and the advertiser. One rogue partner, and large numbers of sites can begin delivering malicious advertising which then exposes tens of millions of visitors to any of the sites participating with that particular advertising partner.
Where social engineering fails, DNS changers are increasingly being used to forcibly divert users to sites other than they expected. DNS changers work by changing the nameserver designation to a fixed IP under the control of the attacker. DNS changer Trojans increased by 249% from 1H07 to 2H07.
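As an added defensive illustration (not part of the report), the following Python check looks for the host‐side symptom a DNS changer leaves behind: a configured resolver that is not one of the organization’s own. It parses resolv.conf‐format text and flags every nameserver that falls outside an expected allowlist of addresses or networks. The sample file contents, the allowlist and the function names are constructed for this example, and the addresses come from reserved documentation and private ranges rather than any real infrastructure; on Windows the same logic would be applied to the per‐interface DNS server settings instead of resolv.conf.

```python
import ipaddress

# Constructed resolv.conf-style content as a DNS changer might leave it:
# an external address has been inserted ahead of the corporate resolver.
# 203.0.113.0/24 and 2001:db8::/32 are reserved documentation ranges.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search corp.example
nameserver 203.0.113.53
nameserver 2001:db8::53
nameserver 10.0.0.53
"""

# Resolvers the organization expects its hosts to use (constructed allowlist).
# Entries may be single addresses or CIDR networks.
EXPECTED_RESOLVERS = ["10.0.0.0/8", "192.168.1.53"]


def parse_nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf-format text, in order.
    Comments are stripped and malformed entries are skipped rather than aborting the check."""
    servers = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def unexpected_resolvers(resolv_text, expected):
    """Nameservers not covered by any expected address or network.
    ipaddress treats an IPv6 address as outside every IPv4 network, so a v6
    resolver is flagged unless the allowlist names a v6 range."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    return [str(s) for s in parse_nameservers(resolv_text)
            if not any(s in net for net in allowed)]


def check_host(resolv_text, expected=EXPECTED_RESOLVERS):
    """Summarize a host's resolver configuration for an inventory or alerting pipeline."""
    bad = unexpected_resolvers(resolv_text, expected)
    return {"ok": not bad, "unexpected": bad}


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real host read /etc/resolv.conf instead.
    result = check_host(SAMPLE_RESOLV_CONF)
    status = "OK" if result["ok"] else "ALERT"
    print("%s unexpected resolvers: %s" % (status, ", ".join(result["unexpected"]) or "none"))
```

Running this periodically from an endpoint agent or configuration-management check turns the report’s observation into a detectable condition: the resolver list is compared against policy, not against whether name resolution still happens to work.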
3.7 RETRO THREATS
The following block information is provided solely as an item of interest. Collectively, these threats represent less than 0.1% of all blocks and, based on their nature, would be grossly under‐represented when viewed from the perspective of non‐native Web traffic.
Macro viruses spread by infecting other Microsoft Office files and these file types are largely supplanted on the Web by PDF or simply HTML. Of the macro viruses that were detected, 56% were for a variant of W97M.Thus, a macro virus that deletes all files on the system on December 13th and which includes a routine to encrypt or overwrite certain other files during the remainder of the year.
As with macro viruses, email worms are a category of threats that would by nature be under‐represented on the Web. Still, it was interesting to observe that of those detected, Netsky (36%) and Bagle (17%) were the most predominant, with Storm coming in third at 15%.
Chart #12: Top Email Worms Blocked on the Web in 2007. Legend: MyDoom, Netsky, Bagle, Storm, Warezov. Segments: Netsky 36%, Bagle 17%, Storm 15%; remaining segment values shown: 14%, 7%.
Possibly the single largest misconception surrounding cybercrime is that it is organized. That is not to say that there are no organized criminals on the Internet, or that no form of traditional organized crime exists on the Internet. It is to say, however, that evidence suggests the vast majority of Internet‐enabled crime is just as likely to be carried out by a 17‐year‐old living in Kansas or a 14‐year‐old living in Romania as it is to be carried out by a formalized crime ring operating out of Nigeria or Russia. Internet‐enabled crime exists not as a matter of organization, but rather as a matter of opportunity and access, and is facilitated by the same tools and technologies enjoyed for legitimate purposes.
Consider, as an example, a first time Web designer tackling the implementation of a new Website. Internet search engines would reveal a wide array of software available to create a database‐driven ecommerce site, build a user forum, render a blog, and embed revenue‐enhancing advertising – all with little effort. Should the Web designer require assistance, each offered application generally includes a support forum or knowledgebase and often the opportunity to contact the developer directly should the need occur. In short, the Web designer has at their fingertips all the tools needed for a turnkey operation, simply by typing in the appropriate search queries.
In the malware arena, would‐be criminals enjoy these same Internet‐enabled perks. A password
stealing Trojan undetectable by traditional signature scanners can be purchased online for under
40USD, including technical support. Lists of compromised user accounts are also bartered online,
as are ‘no questions asked’ mailing list services and affiliate advertising programs. An assortment
of free automated vulnerability scanners that look for viable exploits in Web application software
and servers are also available, as are similar tools which search for custom, often zero‐day
vulnerabilities. Additionally, space on botnets or access to already compromised machines can be
leased regardless of the intended actions of the purchaser.
Thus for relatively low startup costs, attackers can quickly outfit themselves with fully supported tools, including custom exploits and Trojans, and put that malware in front of potential victims, through whatever vector selected (IM, email, compromised Website, or existing compromised PC). And just as is the case with the legitimate Web designer, the attacker likely did not engage a single source for each of these components, but rather scoured the ‘net and obtained each from a disparate, unconnected (i.e., not organized) source.
As in its non‐virtual counterpart, motivators for Internet‐enabled malicious activity include both monetary gain and political/cultural beliefs. The underlying cause may be poverty, addiction, anger, or even simply just a matter of opportunity. Also on par with its non‐virtual counterpart, there may be a disassociation on the part of the attacker who may not view themselves as a criminal or may justify their actions due to economic or political circumstances.
Much of the malware being circulated on the back channels of the Internet isn’t the product of modern‐day cybercriminals. More often, it is a revised version of pre‐existing malware for which source code was previously made available. Much of this malware was introduced at a time when viruses, worms and Trojans were developed for ill‐gained notoriety versus any desire for profit. Revising and recompiling the binary, then compressing it often multiple times can often produce a variant that bypasses traditional signature‐based scanners. Or it is delivered in conjunction with a vulnerability that momentarily cripples the installed desktop protection, seating the infection and then covering its traces with a rootkit.
Other factors that frustrate traditional protection measures include unprecedented numbers of new or revised malware, such that tens of thousands of these new variants require attention each month. Given that the goal of the attacker is not to infect tens of thousands of computers, but rather to compromise a small handful, even a small number of the tens of thousands bypassing detection can spell s‐u‐c‐c‐e‐s‐s.
Indeed, the money trail often follows not the malware creator, but the discoverer of a previously
unknown security vulnerability which can be exploited to deliver the malware. Termed zero‐day
vulnerabilities, these can fetch upwards of 10,000USD each.
Whereas in previous generations of malware evolution, the severity bar was dictated by the
number of active infections, today it is the severity of the malware that should be used for
determination. Unlike the cyber‐pranksters of yesteryear who created mischievous (though often
destructive) malware, today’s criminal coders are deliberately stealing usernames, passwords,
account numbers, and other personal details. The stolen credentials are repeatedly sold to other
criminals and used for everything from credit card fraud to outright identity theft.
Online gamers suffer a double whammy. The bartering of virtual property for real world dollars is
a thriving business interest in third world countries. Cyber sweatshops may be one means,
whereby workers are paid to ‘play the game’, power leveling characters and farming gold or
other in‐game items for eventual auction. But many of the illegally traded items are stolen from
account holders by password‐stealing Trojans that deliberately target specific online games. Game targeting Trojans can cause very real distress to their innocent victims who may deeply associate with their online characters.
Further, many of the game targeted Trojans being sold to potential attackers have been outfitted with a backdoor. While the purchaser collects game credentials, the same Trojan may be collecting bank‐related information from those same victims, surreptitiously sending those details to the original author, unbeknownst to the intended attacker.
Indeed, seldom are today’s attacks single‐purposed. Instead, a cocktail of compromise is
delivered in stages. Typically, initial exploit of a security vulnerability or via social engineering
scam leads to the installation of a downloader Trojan. That Trojan leads to the eventual
installation of a backdoor or bot and generally some form of a password‐stealing Trojan. Other
common types of malware include proxies which cause the infected machine to act as a relay for
spam, illicit file hosting, or to redirect local traffic to bogus DNS servers. In the process, e‐mail
accounts will likely be harvested of addresses, thus setting up co‐workers, family members, and
friends of the victims for future increased risk of exposure to spam, scams, and other malicious
activity.
In summation, there is no ‘who’, no ‘what, no ‘when’ and no specific ‘where’. With the wide
adoption of Web 2.0 technologies, today’s Websites are merely an exploit away from
compromise. And as the data presented in this report indicates, the methods – and the malware
– are becoming increasingly insidious and far more likely to be encountered on the Web.
4. 2008 SECURITY THREAT PREDICTIONS
The 2008 threat landscape highlights the continued growth in malware hidden on Web 2.0 sites and heightened security risks related to the growing number of remote and roaming workers. The full list of predictions includes:
• Cyber criminals follow the money: Web 2.0 will continue to fuel high profile attacks
• Remote and roaming security becomes a mounting pain point for businesses
• Continued pressure to end public disclosure of “Whois” Information
• Growing underground market for warehousing and selling of stolen database information
• Storm worm hangover continues well into 2008
Cybercrime is estimated to be a 100 billion dollar‐a‐year industry. According to the SANS
Institute, the average lifetime of an unprotected PC on the Internet is 30 minutes before over 55
percent of them are infected with some form of spyware. With odds such as this, users and
corporations alike must be vigilant. The 2008 threat landscape further highlights the need for
improved user education and awareness. At the same time, solutions need to find a balance
between security and usability, making it as easy as possible for people to integrate security into
their everyday business and consumer communication habits.
1. Web 2.0 Will Continue to Fuel High Profile Attacks
The explosion in popularity of Web 2.0 applications has made Web 2.0 sites an increasingly rich
target for cyber criminals. MySpace alone boasts more than 200 million users. Web 2.0
applications will remain a key source of Web‐based malware in 2008 and beyond. Examples
include:
• Gaming and Other Virtual Environments Become a Growing Target: The continued
popularity of massive multiplayer online games (MMOs) like World of Warcraft, City of
Heroes, Ragnarok Online, and other MMOs will continue to fuel a black market economy
in in‐game currency and rare items. This economy will be supported through the use of
backdoors, bots, and password‐stealing Trojans that target the users of these games,
compromising their account details and trafficking the stolen goods to less talented
players seeking instant status.
• Malware Authors Will Continue to Leverage Online Advertising to Seed Attacks: In
2007, ScanSafe identified numerous instances of malware hidden in banner ads,
including a Trojan‐laced banner ad displayed on high profile Web 2.0 sites such as
MySpace and PhotoBucket. The ad required no user interaction to activate infection.
The complex network of ad providers and ad affiliates has made it easy for attackers to
surreptitiously insert malware in online ads.
• Second Life Sites Emerge as a Hacker Target: Second Life and other avatar‐driven
virtual worlds will likely emerge as targets for pranksters or malware authors. Second
Life residents logged 24 million usage hours in September 2007, according to an October
Reuters report on the virtual 3‐D world. Residents have already been plagued with bots
such as the CopyBot, which fleeces the virtual avatar of items they have purchased or
developed in‐game.
• Social Engineering Tactics Evolve With Web 2.0: User communities have sprung up
around today’s interactive and highly social Websites. These communities bond based
on common interests; physical proximity boundaries are removed and this paves the
way for trust relationships between virtual strangers. As a result, malware writers are
able to bait a captive end user audience that is desensitized to invites or links from
"unknown" user names based on their history of accepting links from "Friends of
Friends" on sites like Facebook and MySpace.
• Social Networks Present Continued Risks to Corporate Reputation and Data Leakage:
Social networks, blogs, wikis and other collaborative sites pose an ongoing risk of
employees deliberately or inadvertently discussing proprietary corporate information,
office gossip or posting inappropriate information. For example, in 2007, the CEO of
Whole Foods posted disparaging comments about a competitor on a financial blog.
• Hackers Leverage Implicit Trust of Known and Brand Name Websites: Additionally, the
trust relationship the user has with the site itself may cause them to automatically trust
content coming from that site. For example, a user would understandably be more likely
to allow ActiveX controls or allow javascript from a site which they visited frequently or
a site with a well known brand name. If the site has been compromised in some way,
either through exploit of a vulnerability or via third‐party delivered content, this blanket
trust can lead to so‐called drive‐by infections – even from otherwise perfectly legitimate
sites.
2. Remote and Roaming Security a Mounting Pain Point for Businesses
The workforce has expanded well beyond the four walls of the office. According to research from
WorldatWork, 45 million Americans work from various locations outside the office including
home, hotels, airports, cars and other hotspots. As more employees are required to work
remotely, and as many companies offer telecommuting as a job perk, it has become increasingly
challenging for IT administrators to enforce policies for appropriate use of corporate resources—
including use of the Internet on corporate‐issued laptops. While employees enjoy the benefits of
being un‐tethered from the office, IT departments are left to address the unique security
challenges that the roaming worker and an increasingly elastic network perimeter present, and
that are beyond the scope of a VPN tunnel.
3. Continued Pressure to End Public “Whois” Information
Expect the heated debate over whether or not to continue to make “Whois” database
information—the information that ties an Internet domain name (www.mywebsite.com) to the
owner of the site—public to continue in 2008. Privacy advocates and others are urging ICANN,
the international body that oversees domain names, to end the ability for anyone to do a
“Whois” lookup, arguing it infringes on Website owners’ privacy. Current methods provide a
means for legitimate users to suppress public display of their private information. The real
beneficiaries of the removal of “Whois” will be the attackers themselves. As criminal profits
continue to soar on the Internet, these same entities will likely actively lobby for and pursue
changes that create an Internet environment even more conducive to carrying out online crime.
4. Growing Underground Market for Warehousing and Selling of Stolen Database
Information
In 2007, data theft hit new records. Discount retailer T.J. Maxx, parent of T.K. Maxx, reported
data theft involving 45.7 million credit and debit cards. In late November, the British
Government announced that the personal data of 25 million individuals had been inadvertently
lost—the largest data loss in the country’s history. Given the frequency of such large scale data
vulnerabilities, expect to see a growing underground market for confidential personal
information. ScanSafe predicts an increase in the selling and servicing of stolen contact
databases, mimicking what is seen in 'legitimate' data warehousing.
5. ‘Storm Worm’ Hangover Continues Well Into 2008
The Storm Worm dominated the security landscape in 2007 and its effects will continue to be felt
in 2008. However, there have been several misconceptions about Storm. Contrary to popular
belief, the Storm family of threats evolved in 2006. In January 2007, one of the variants was
spread in an email bearing the subject line “230 dead as storm batters Europe.” This email
coincided with a very real and deadly storm in Europe, earning its nickname “Storm worm.” The
real take‐away from Storm is that it is a well thought out, extremely organized series of attacks
that have led to the creation of one of the largest botnets, estimated to be well over 1.5 million
infected machines at any given time. Expect this botnet to be leveraged by cyber criminals in
2008 and beyond.
APPENDIX 1: GLOSSARY
Backdoor A Trojan which provides surreptitious and unwanted access to a remote
computer or device.
Compromised site A site which has been the victim of exploit of vulnerabilities, resulting in
the distribution of malware.
Heuristic An algorithm which may be signature or behavior‐based, designed to
detect a characteristic or specific set of criteria consistent with
previously observed malware.
Malicious site Website distributing malware, whether intentionally or through
compromise.
Malware Software distributed for malicious intent.
OI ScanSafe Outbreak Intelligence; a collection of technologies designed to
detect known, heuristic, and zero‐day threats.
Password‐stealer A Trojan that monitors keystrokes or captures screenshots, sending the
captured details to attackers.
SDT Signature delivery time; the number of days between initial detection
of a zero‐day threat and subsequent delivery of specific signature(s) for
consistent detection.
Signature An algorithm used by signature‐based scanners to detect a specific
threat or specific family of threats.
Trojan A non‐replicating program which has intentionally malicious behavior.
TTL Time‐to‐life; the number of days a site is observed to deliver malware.
TTL Risk Number of days during which a site is delivering malware.
Virus Code which infects other files or programs.
Worm Code that spontaneously copies itself to other folders, drives, shares, or
accessible sites.
Zero‐day A vulnerability or malware for which no patch, signature, or intelligence
is available preliminary to initial detection.
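The SDT and TTL entries above define two measurements but not how they are taken from observations. The following is an added worked example, not ScanSafe's own code or its Outbreak Intelligence implementation: it assumes the detection log can be reduced to (site, day, detection kind) records, where the kind is "heuristic" (zero‐day detection with no specific signature yet) or "signature" (a specific signature has been delivered), and it counts both metrics as last day minus first day, so a site seen on a single day has a TTL of 0 (the glossary does not say whether the count is inclusive). The host names and dates are constructed for illustration. A site with no signature yet is reported as pending rather than as a zero‐day SDT, which is the edge case that otherwise distorts an average.

```python
"""Worked example: computing the glossary's SDT and TTL metrics from detection records.

Added illustration only, not ScanSafe's code. Assumptions: each record is
(site, day, detection_kind); detection_kind is "heuristic" (zero-day detection,
no specific signature yet) or "signature" (a specific signature exists); both
metrics count whole days as last - first (inclusive counting is not specified
in the glossary).
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Tuple

Observation = Tuple[str, date, str]

# Constructed sample records (hypothetical hosts and dates, not taken from the report).
OBSERVATIONS: List[Observation] = [
    ("compromised-blog.example", date(2007, 3, 1), "heuristic"),
    ("compromised-blog.example", date(2007, 3, 2), "heuristic"),
    ("compromised-blog.example", date(2007, 3, 4), "signature"),
    ("compromised-blog.example", date(2007, 3, 9), "signature"),
    ("ad-relay.example", date(2007, 6, 10), "heuristic"),
    ("ad-relay.example", date(2007, 6, 10), "signature"),
    ("one-shot.example", date(2007, 8, 20), "heuristic"),
]


def _by_site(observations: List[Observation]) -> Dict[str, List[Tuple[date, str]]]:
    """Group records per site, sorted by day; on the same day heuristic sorts first."""
    grouped: Dict[str, List[Tuple[date, str]]] = defaultdict(list)
    for site, day, kind in observations:
        grouped[site].append((day, kind))
    for entries in grouped.values():
        entries.sort(key=lambda e: (e[0], e[1] == "signature"))
    return grouped


def time_to_life(observations: List[Observation]) -> Dict[str, int]:
    """TTL: days between the first and last day a site was observed serving malware."""
    return {
        site: (entries[-1][0] - entries[0][0]).days
        for site, entries in _by_site(observations).items()
    }


def signature_delivery_time(observations: List[Observation]) -> Dict[str, Optional[int]]:
    """SDT: days from a site's first (zero-day) detection to the first observation
    covered by a specific signature. None means no signature has been delivered yet."""
    result: Dict[str, Optional[int]] = {}
    for site, entries in _by_site(observations).items():
        first_seen = entries[0][0]
        signed = [day for day, kind in entries if kind == "signature"]
        result[site] = (min(signed) - first_seen).days if signed else None
    return result


def mean_sdt(observations: List[Observation]) -> Optional[float]:
    """Average SDT over sites that already have a signature; None if none do.
    Pending sites are excluded rather than counted as zero."""
    known = [v for v in signature_delivery_time(observations).values() if v is not None]
    return sum(known) / len(known) if known else None


if __name__ == "__main__":
    for site, ttl in time_to_life(OBSERVATIONS).items():
        print(f"{site}: TTL {ttl} day(s)")
    for site, sdt in signature_delivery_time(OBSERVATIONS).items():
        print(f"{site}: SDT {'pending' if sdt is None else sdt}")
    print("mean SDT over signed sites:", mean_sdt(OBSERVATIONS))
```

With the constructed records, the compromised blog has a TTL of 8 days and an SDT of 3 days, the ad relay was signed on the day it was first caught (SDT 0), and the one‐shot host is still pending, so it is left out of the mean.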
Contact ScanSafe
The Connection, 198 High Holborn
London WC1V 7BD
T: 020 7959 0630
F: 020 7959 0631
E: info@scansafe.com
About ScanSafe
For more information visit www.scansafe.com