Symantec’s Cybercrime Intelligence Report Aug 2009

The news on the cybercrime front remains grim. According to Symantec’s MessagLabs report for Aug 2009, cybercriminals continue to expand their reach and hone their tactics; botnets are so sophisticated, they can be back up and running 48 hours after a crippling distribution blow; criminals now optimize for efficiency – and favor repurposing malware rather than developing new tactics. Scammers continue targeting ‘hot topics’ for their campaigns – and have the botnet capacity to distribute billions of spam a day.

If that didn’t leave you unsettled, here’s a closer look at Symantec’s MessageLabs findings for August:

  • Cutwail, one of the largest botnets globally, is responsible for approximately 15 to 20 percent of all spam today.
    • Following the shutdown of an ISP in Latvia, Cutwail’s volumes fell by as much as 90 percent, and global spam volumes fell by as much as 38 percent in the subsequent 48-hour period.
    • In a matter of days Cutwail was back to its former self, demonstrating just how powerful the botnet really is in recovering and reinventing itself.
  • Despite the brief downturn in spam levels, the figures for August remain fairly steady at 88.5%, due to the activity levels of other major botnets
  • Another prolific botnet called Donbot distributed ten billion emails in just one day using shortened URLs in its spam runs. Note: Shortened URL services are invaluable on services like Twitter where only 140 characters are available – many URL’s are longer than that. However, they mask the real website being pointed to and are therefore very appealing to internet criminals.
    • Leveraging the heightened interest in health related issues, Donbot email subjects include ‘Health care – get meds now’, ‘Save 89% on Meds’, ‘Purchase Meds Online’.
  • The ongoing use of shortened-URLs as a delivery mechanism has resulted in a number of URL-shortening services being forced to close their businesses due to their inability to handle the malicious use of their tools.
  • Cybercriminals are three times as likely to favor repurposing malware across numerous domains rather than developing new tactics.
    • In August, of 3,510 websites being blocked daily, 36.1 percent of domains were new. Similar analysis of malware being blocked each day highlights that only 11.9 percent was newly developed malware.

We can read this sobering report and throw up our hands, or we look for additional countermeasures to help in thwarting these exploits.

I was particularly struck by the high level of repurposing of malware. It makes of course the best business sense from a criminal’s point of view, but perhaps it opens another avenue for countermeasures.

As an industry, companies need to work more closely together to block cybercriminals ability to repurpose exploits across various services and technologies. Far too often when an exploit first arises – let’s say in email – we see email providers scramble to create solutions; then the exploit pops up in IM; and then in one or more social networking sites; and so on.

We need to figure out how to work better across companies and services segments to stop the repurposing in its tracks and reduce the opportunity for financial gains by the criminals behind these exploits.

Click to read the full report.



Comments are closed.

%d bloggers like this: