All Spammed Up has a nice little summary wrap up of the year 2009. I have my own summary, it is a condensed version of an article that will appear in next month’s edition of Virus Bulletin.
There are a lot of stories that could have gone into this that I had to cut, like Canada’s (near) passage of an antispam bill, ICANN’s decision to release more gTLDs, the abuse of URL shortening services and Geocities going the way of the dodo. But in the end, I think that the following stories are a good reflection of what happened in 2009 in the world of cyber-security.
1. Come together, right now
Conficker is a piece of malware that appeared in late 2008 and initial patches for it were released even then. But the story of Conficker didn’t heat up until 2009. The story is noteworthy not because of the impact of Conficker, which in itself was large; instead, the story is important because of the way the industry responded to the problem. In January 2009, representatives from various security companies, along with the anti-botnet Shadowserver Foundation, met together and designed a strategy to counteract Conficker, forming the Conficker Working Group. One month later, the group had a plan to register as many domains as possible and assign them to a sinkhole, a server designed to capture and analyze malware traffic.
The fight against Conficker is not over, however, it does illustrate the fact that people working together can make a difference in the fight against malware.
2. Why can’t I tweet today?
In August, users of Twitter discovered that their favorite 140 character messaging service was offline and unavailable. “What’s going on?” they asked. “People need to know what I had for breakfast!” It turned out that it was a co-ordinated Distributed Denial of Service (DDoS) attack against a number of social networking sites including Twitter, Facebook, LiveJournal, YouTube and Blogger. But whereas the other sites were able to repel the attacks, Twitter was not.
An analysis turned out that it appeared to be a targeted attack on one particular blogger by the name of Cyxymu, or Сухуми (Sukhumi), which is the capital of the Georgian breakaway region of Abkhazia. In the 21st century, politics and cyberattacks are very closely intertwined. But August’s Twitter attack wouldn’t mark the last time that hacktivism would make a splash on the political scene in 2009.
3. The shutdowns continue
The top story of 2008 was when an ISP based in California, McColo, was taken offline after a story. Almost immediately after the shutdown, global spam levels plummeted. 2009 also had its share of ISPs taken offline. In June, the United States Federal Trade Commission filed a motion of complaint to have Pricewert LLC taken down, an American ISP. In August, Latvian ISP Real Host, responsible for botnet command-and-control centers, was similarly disconnected. But the major story of these two disablements was not how much spam decreased, but how little impact this had on global spam volume.
The short lived elation of seeing McColo removed has now worn off to the grim reality of knowing that spammers are coming back more resilient than previously known.
4. The Little Empire Strikes Back!
In November, the small security company FireEye was able to disable a botnet that at one point was responsible for perhaps a third of the world’s spam. Security researchers from the company analyzed the workings of the huge botnet, known as Mega-D (and sometimes Ozdok) and managed to infiltrate its command-and-control structure. They were able to send a new set of instructions to all of the zombie hoards that make up the Mega-D botnet. After doing this, spam from Mega-D slowed to a crawl. FireEye had succeeded. Not bad for a little guy.
5. Colonel Mustard in the ballroom with the candlestick…?
Over the 4th of July weekend, Americans were celebrating their extra day off with backyard barbeques and fireworks. However, for various government employees, the hamburgers and potato salads would have to wait. That weekend, a large scale DDoS attack hit the Federal Trade Commission, the US Department of Transportation and the US Treasury. The US Secret Service, Department of Homeland Security and the State Department were also hit. So were several government websites in South Korea.
So who was behind these attacks? Shortly after they occurred, South Korean officials blamed North Korea, or at the very least, pro-Pyongyang forces. North Korea, of course, did not confess to anything and denied involvement. What obfuscates the problem is that it need not be government sponsored. It could have equally been the work of pranksters or industrial spies. Did the North Koreans do it? Maybe they did, maybe they didn’t. But perhaps the US and South Korean governments need to join up with Twitter and form a support group.
6. The Long Arm of the Law
2009 saw some pretty heavy hitting in the legal arena in the spam world. In June of this year, spam king Alan Ralsky plead guilty to a stock fraud case where he pumped up Chinese penny stocks. He did not get off easy. In November of 2009, he was fined $250,000 and sentenced to four years in jail. Many anti-spam advocates doubt that this is enough.
Across the ocean, another spammer was also hit with a huge fine. In November, the US Federal Trade Commission fined Lance Atkinson $15 million. Atkinson is thought to be behind the spam affiliate Affking, the folks who bring you such delightful products as the Canadian Pharmacy’s cheap drugs and Herbal King’s wonderful line of weight loss pills.
Even Facebook got into the game this year. In October, a judge in San Jose, CA, awarded Facebook a $711 judgment against alleged spammer Sanford Wallace.
So, while in general spammers do get away with what they are doing, sometimes it does catch up with them. And we, in the antispam and eSecurity community, can enjoy a little bit of schadenfreude, if only for a little while.
7. Black SEO
One of the biggest trends in spam over the past two years has been Black Search Engine Optimization, or Black SEO. 2009 was not the year it started but it certainly was the year in which it really accelerated.
Black SEO comes in two main flavors:
- Malvertising – This is when sponsored links at the side of the screen in search engines come up, and they are links to malware (which you have the honor of paying for if you so desire).
- Page Rank Optimization – This is when a spammer uses various sundry techniques to get his spammy pages near the top of a search result, such as when a user searches for ‘Jessica Biel’. Of course, there is no ‘Jessica Biel’ but instead is a spam landing page.
Black SEO in each flavor destroys the confidence of the end user. As spam became less profitable except to the elite spammers, they moved onto other techniques and Black SEO is the growth industry of 2009.
8. Going rogue
The story of rogue antivirus software is not new to 2009. It has been going on for a while. What makes the story of rogue antivirus software so news worthy for 2009 is that it is still a big problem and is getting worse. As spammers have started encountering more difficultly in spewing out spam, they have shifted gears and moved into other avenues of deception.
Social engineering is the tactic of choice to accomplish this. Two of the primary emotions that are targeted are the same as the ones that drive the stock market: fear and greed. One example is for spammers to spoof a well-known piece of software such as Microsoft’s Windows Security Center (see screenshot below of FakeXPA). The user, recognizing Microsoft’s splash page reminding them that they have no anti-virus protection, can’t resist the lure of cheap or free software to protect them from the nefarious world out there. A few clicks later and a botnet is born. Not good. And not improving much, either.
9. Microsoft Security Essentials for free
Long criticized for its insecure software, or rather, the perception of insecure software, Microsoft made a splash into the home user market by releasing Microsoft Security Essentials, a free antivirus software program for registered users of Windows. What makes Security Essentials different is that it is free; the company now offers services for anti-spam and antimalware, putting it on par with other traditional security vendors such as McAfee or Symantec.
In another post, I have recommended this software as I use it personally. If you aren’t running something out there, and you have a legitimate copy of Windows, seriously… use this.
10. Lots and lots of hactivism
In October, the technology blog Neowin had an unusual article posted – it was a large posting containing approximately 10,000 usernames and passwords belonging to Hotmail users. Many theories floated about. Whose usernames are these? What were they used for? What complicated the problem further was that Yahoo Mail and Gmail (Google Mail in Europe) accounts were also compromised with various user accounts from those services posted.
While some hacker somewhere broke into a bunch of people’s email accounts, in December, another news story broke. A hacker had broken into a server used by the Climatic Research Unit (CRU) used by the University of East Anglia in Norwich, England. The hacker stole and disseminated over a thousand emails and other documents that were compiled over the course of 13 years. To the skeptics, the emails and documents are proof that the scientists who assert that global warming is real engaged in a massive conspiracy to hide or manipulate data in order to support their conclusions. To the proponents, the emails were used out of context.
The fallout from all of this is entirely political; the emails can mean different things to different people. It does drive home the point, though, that we need to be careful what we say lest those with a certain set of computer skills do something to us.
So that’s the way I saw 2009. Make sure you stay tuned to this blog when I do the 2010 end-of-year wrap-up!