Thursday, January 01, 2009

2008: Looking back on a Year of Spam and Malware

Happy New Year! As we get ready for the New Year, there are quite a few security folks making predictions for 2009. I think my friend Dan Clemens covered that pretty well in his PacketNinjas Yearly Security Predictions. I'm going to limit myself to saying the criminals will continue to innovate, data breaches will become even more commonplace, and corporate America will continue to TALK about security without making the necessary fundamental changes to actually BE secure.

I'd rather spend this morning looking back on 2008, and some of the highlights that we discovered at UAB Computer Forensics as I and my staff spent the year analyzing spam, phishing, and malware and sharing what we found with you.

Last year we shared 102 blog entries with you. Rather than tell you what *I* thought was most interesting, I thought I'd share with you what *YOU* seemed to think was the most interesting, based on the visits to each blog entry.

We'll hit these Top Ten Style . . . which means we start with . . .

Number Ten

Internet Landfill McColo Corporation

November 12, 2008

Perhaps one of the top accomplishments by "the good guys" this year was the closing of McColo. This story coined the term "Internet Landfill" to describe those networks which exist only to host trash, filth, and crime on the Internet. Championing journalist Brian Krebs led the charge, and the Internet should send him a big Thank You. Perhaps more important than shutting down McColo, which resulted in a two-thirds drop in spam volumes world-wide, was the proof that we CAN do something about spam if we work together.

Number Nine

Demise of Index1.php PornTube Video malware

Number Eight

Enom Phishing Continues

October 29, 2008

Both Enom and Network Solutions, two major domain registrars, had phishing campaigns against them back-to-back. We believe this led to quite a few domain takeovers later in the year, including at financial services company CheckFree. Using the stolen userids and passwords of the people who rightly control the domain name information, criminals logged in and redirected dozens of domains to a server they controlled.

Number Seven

CNN Lends Authenticity to News Spam

August 7, 2008

After several weeks of fake news headlines tricking readers into clicking on links which infected their computer, the spammers got a huge boost in their infection rates when they began to imitate CNN.

Number Six

Anti-Virus Products Still Fail on Fresh Malware

August 12, 2008

Three examples in this blog showed that current anti-virus products fail miserably at detecting fresh malware arriving in spam. Some of our examples, "in the wild" as evidenced by us finding them in our spam, were detected by as few as 5 out of 36 anti-virus products tested.

Number Five

Governor Palin's Email Security Questions in the Facebook Age

September 22, 2008

When 20-year-old David Kernell broke into Governor Palin's Yahoo account by Googling up the answers to her security questions, we took a minute to point out how foolish this security practice is in this time when everyone's personal information is online.

Number Four

More than 1 Million Ways to Infect Your Computer

December 23, 2008

A criminal uses malware to load thousands of websites with search terms to Open Redirector on many websites, including and This results in many search terms showing up in Google with the number one hit being a redirector that will infect the visitor with a fake anti-virus.

Number Three

Storm Worm: Amero to replace Dollar?

July 22, 2008

Remember the Storm Worm? In July it pretended to be a warning that the US Dollar was being replaced by a gold coin. The continued popularity of this page actually has nothing to do with security. Rumor after rumor has circulated that the "Amero" proves that Bush was planning to merge Canadian, US, and Mexican currencies, and desperate tinfoil hat types keep Googling up my page.

Number Two

Computer Virus Masquerades as Obama Speech

November 5, 2008

A criminal who has been stealing userids and passwords since May gained perhaps his biggest collection yet when he created a fake Obama acceptance speech which was widely spammed the morning after the election. Anyone who visited the website to view the video would be trojaned and begin sending all of their login data to a computer in Ukraine. This same criminal ran dozens of spam and social engineering campaigns this year, primarily pretending to be a new "Digital Certificate" for your bank.

Number One

MSNBC "Breaking News" replaces CNN Spam Wave

August 13, 2008

One of the tricks the spammers used to get people to infect themselves was to promise to show them videos. We later found malware which actually searched real news sites to select headlines which were then stuffed into the spam messages to give the spam timely relevance to its readers. When the spam began imitating MSNBC's Breaking News alerts, even more people found themselves infected, causing their own computers to begin sending spam as well.


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.