Overall malware volume returned to pre-October levels this period, after two months of record activity driven by ZBot, Bredolab and Pushdo/Cutwail. Nonetheless, the Bredolab loader returned to the top spot with a vengeance, accounting for a whopping 66.5% of total detected malware activity. As we have seen time and time again, these attack campaigns typically last no longer than a couple of days, but can return quickly and in mass volume. The seeding engines behind Bredolab (largely the Cutwail spamming trojan) certainly have a lot of horsepower, as we have observed over recent months - so much so that a single Bredolab seeding campaign can manipulate threat volume like a puppet on strings. Of course, sheer volume is not everything, and such a drop should not create a false sense of security. In fact, this period we saw a rise in distinct malware, meaning more unique pieces of malicious code. ZBot attacks continue over the holiday season, the busiest time of year for online shopping - and likely online banking.
2010: The Perfect Storm

The large spike of activity we observed from September to November 2009 followed a familiar trend from 2008. As you can see here, we saw a similar trend in 2008 during the first large wave of Scareware to hit cyberspace. Scareware was also a major component detected during this wave in 2009, though overall volume had increased significantly over 2008 to record levels. So, what do we know? We know that Scareware has flourished over this time frame, not at all shaken by any take-down attempts: affiliate programs continue to make and pay out money. In December 2009, the Internet Crime Complaint Center (IC3) issued an alert stating that the FBI is aware of estimated losses (due to Scareware fraud) in excess of $150 million USD. In 2008, a hacker by the name of NeoN posted affiliate program details showing earnings of top affiliates in excess of $150,000 USD in one month for one individual. High-profile botnets continue to stay alive - Conficker, Waledac, Pushdo/Cutwail, Virut, Bredolab and of course multiple Zeus/ZBot networks. To stay alive and effective, some are beginning to enhance their malicious code and communications (see our Pushdo analysis here) - a ZBot attack was recently observed to leverage database services in the cloud (Amazon RDS). The end result is a widespread, robust and healthy infrastructure available to cyber criminals leading into 2010.
With more digital convergence undoubtedly to occur in 2010 (for example, the US Government backing digital health records and Asia's e-Government initiative), there will be a wealth of opportunity for cyber crime. There is certainly no shortage of targets, from governments and enterprises to end users and thriving social networks. There is also no shortage of infrastructure available to deliver attacks - as outlined above, malicious networks are firmly in place for use, in addition to a growing array of legitimate services which can be leveraged. Finally, there is no shortage of vehicles through which to execute attacks. In 2009, we saw frequent exploitation of document formats (DOC, PDF, XLS), with many zero-days discovered and attacked in the wild. Crime services and crimeware continue to evolve and adapt, adding to the array of tools and techniques available to cyber criminals and their recruits. For example, CAPTCHAs are becoming less and less effective due to crime services leveraged by botnets like Koobface. For more examples, refer to our blog post on adaptive crime services. With strong seeding engines in place, as observed with Pushdo and Bredolab, already rampant Scareware can now quickly shift to Ransomware in high volume - leaving a potentially damaging trail in place. Digesting all of this, it becomes apparent that we are in for a wild ride in 2010 - all the elements are in place for a perfect storm in cyberspace.