    Archive for 2010




    In the past few weeks, my colleagues and I have been exchanging views about the changes we’ve seen in the threat landscape in 2010.

    It therefore came as no surprise that Web threats dominated the threat landscape throughout the entire year. As the general public further integrated Internet usage into their everyday lives, cybercriminals followed with their malicious attacks. The prevalence of Web threats was further amplified by the rampant use of malicious toolkits, which enabled even less technically savvy malicious users to come up with fairly sophisticated schemes. We expect to see more such threats in 2011 and aim to keep users protected with the help of the Trend Micro™ Smart Protection Network™.

    So, just to bring everyone up to speed, here is a complete list of our “2010 in Review” posts:




    The end of 2010 is near and I thought I’d take the time out to recap how the year has been malware-wise. This is my list of the top 10 most remarkable malware families that surfaced in 2010:

    1. STUXNET. It was remarkable because of its sophistication and use for espionage. It was thought to have been programmed to halt Iran’s nuclear program. I don’t think it will be the last malware family that will be used to spy on others and/or for industrial sabotage. It was a big deal also because of its heavy use of previously undiscovered software vulnerabilities in Windows.
    2. Aurora. It hit Google and other big software companies last Christmas and it was remarkable because it managed to steal sensitive information from these giants.
    3. ZeuS. It’s a do-it-yourself (DIY) botnet toolkit that has become very popular in the underground. It has spawned lots of different botnets that have stolen millions of dollars from home users and companies alike. The fact that it’s an off-the-shelf piece of software hints at the current state of malware as a multipurpose weapon.
    4. SpyEye. Touted as ZeuS’ successor, recent accounts tell how it will carry ZeuS’ source code into a more sophisticated code base. It has a similar concept to ZeuS and also comes in the form of a DIY toolkit.
    5. KOOBFACE. It was remarkable because it spread through social networks from Facebook to Twitter. It caused enough headaches for Facebook that the social networking giant finally decided to add a CAPTCHA to its link-submitting form.
    6. BREDOLAB. A botnet that was used to spread other malware, it acted as some sort of malware-deploying platform. It was remarkable because it was taken down by the Dutch police in October 2010 after its Armenian creator amassed millions of dollars thanks to it.
    7. TDSS/Alureon. A very sneaky rootkit that caused bluescreen errors on a lot of computers in February 2010, when a new Microsoft update changed the files it used to infect systems. It had one of the most complex rootkit components ever seen and apparently a very shrewd development team behind it.
    8. Mebroot. A spamming botnet that used a rootkit that could survive Windows reinstallation. It hides very deep in a system so it loads even before Windows does. It’s responsible for a big percentage of all of the spam traffic worldwide.
    9. FAKEAV. Though strictly not a virus, it is the scam of choice for most modern malware, so that all such infections have a fake antivirus scam as their visible payload. The creation of Russian partnerkas (affiliate programs) let third parties earn money for every successful scam job performed. This enabled fake antivirus groups to become the con artists of the year, helped by virus creators everywhere.
    10. Boonana. The Mac version of KOOBFACE in the sense that it copied KOOBFACE’s method of spreading via social networks. It was remarkable because it brought most of KOOBFACE’s functionality to the Mac platform, making it a whole different beast that could open a new can of worms in the growing platform.

    Have a great 2011 and stay safe.




    As 2010 comes to a close, here’s a list of the riskiest items we encountered in the past year:

    • Hardware: The riskiest hardware device used in 2010 was the German identification card reader. These cards contain encoded private information such as fingerprints. Unfortunately, the information on them can be quite easily stolen by using certain card readers.
    • Website software: The riskiest software used by websites in 2010 was the popular blogging platform WordPress. Tens of thousands of unpatched WordPress blogs were used by cybercriminals for various schemes, primarily as part of redirection chains that led to various malware attacks or other blackhat search engine optimization (SEO)-related schemes.
    • Internet protocol: The most dangerous Internet protocol used in 2010 was Internet Relay Chat (IRC). Thirty percent of all botnets used IRC to communicate between infected machines and their command-and-control (C&C) servers. Fortunately, blocking IRC use in networks reliably stops these botnets.
    • OS: The riskiest OS used was Apple’s Mac OS X. In November, Apple sent users a massive maintenance release of at least 644.48MB. The weighty upgrade included fixes for multiple security vulnerabilities accumulated since the previous update released in mid-June. Apple’s penchant for secrecy and longer patch cycles also increased the risk for users.
    • Website: The most dangerous website in the world was Google. Its tremendous popularity led cybercriminals to target it specifically for blackhat SEO-related schemes, which in turn, led users to significant malware threats, particularly FAKEAV. In addition, Google’s ad network was also frequently victimized by malvertisements.
    • Social network: In another case wherein popularity led to danger, Facebook could be considered the most dangerous social networking site around. Everything from survey scams to KOOBFACE malware proliferation ensued on the site, as cybercriminals went where the people were, that is, Facebook.
    • Top-level domain: The most dangerous top-level domain in the world was CO.CC, which allowed cybercriminals to register thousands of domains on the fly with very little in the way of verification. This, along with Russian ISPs that routinely refused to shut down malicious sites, made for a very dangerous combination.
    • File format: PDF was the riskiest file format in 2010, as Adobe Acrobat and Reader vulnerabilities routinely became part of exploit toolkits.
    • Runtime environment: The most dangerous runtime environment for users in 2010 was Internet Explorer (IE) with scripting enabled. Even today, most browser exploits specifically target IE. However, Java is quickly becoming a more prominent target and could become the prime target in 2011.
    • Infection channel: The most common infection channel was still the browser, as more than two-thirds of all infections used it as their infection vector. Previous infection methods like flash disks and spammed messages were still around but were less prominent than before.



    2010 has been an active year for spammers and anti-spammers alike. No new spamming techniques or tricks were used in 2010. However, spammers kept the spam threat alive and kicking by recycling old tricks and combining popular spamming techniques seen in the past. Here are some of the notable spam types and techniques that continued to circulate this past year.

    Pharmaceutical and other health-related spam remained the most notorious type throughout the year. This spam type was not limited to selling pharmaceutical products online; spammers also used these messages to disguise their phishing and malware attacks.

    Phishing attacks not only targeted banks. Phishers gradually switched their focus to target popular social networking sites such as Facebook, Twitter, MySpace, and the like. Sometimes, links in email messages redirected users to fake sites where their credentials were stolen. At other times, the links led to affiliate marketing sites such as online pharmacies or replica product websites.

    Social engineering was on the rise all year long using different noteworthy events and topics like the tax season, Wikileaks, and social networking sites to spread malware.

    Online gambling and casino-related spammed messages were especially prevalent in Europe where such activities were less strictly regulated than in North America. This spam type was frequently seen written in Spanish. Similarly, German was used in many spammed messages selling replicas in the third quarter as well. Other non-English spammed messages contained dating, adult, and commercial content.

    Nigerian scams and fake lottery notifications also continued to proliferate in 2010. We saw multiple variants presented in different styles and using varying techniques.




    The last time a significant ZeuS/ZBOT development cropped up in the threat landscape, a new ZeuS-LICAT variant was identified. It was also not too long ago when news of a possible merger between the creator of ZeuS and SpyEye made headlines. This time, it is interesting to see an earlier version of the notorious malware recently making its rounds online.

    A spammed message, purportedly from the Executive Office of the President of the United States, spreads holiday cheer with a message and links to what is supposedly a greeting card. Clicking the link, however, leads users to a website injected with malicious iframe tags, which Trend Micro detects as HTML_IFRAME.SMAX. Viewing the malicious HTML page leads to the download of a .ZIP file, which contains the malware detected as TSPY_ZBOT.XMAS.


    This particular variant exhibits routines that ZeuS version 1.x is known for. Apart from the typical information theft routines, it modifies the HOSTS file to prevent affected victims from accessing antivirus-related websites. The technique of using important events to lure potential victims into opening the spammed messages is not new either. While some targeted victims may suspect that these types of messages are malicious, some people simply rely on their antivirus programs. The cybercriminals behind this attack took advantage of this fact by ensuring that the file was heavily packed and not yet detected by most antivirus programs, leaving unknowing users vulnerable.
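    One way for an incident responder to spot the HOSTS-file tampering described above is to parse the file and flag entries that redirect security-vendor domains or sinkhole hostnames to loopback. This is an added example, not code from the Trend Micro post; the vendor watchlist and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that block security-vendor sites (added example)."""
import ipaddress

# Assumed watchlist of vendor domains; extend to match your environment.
WATCHLIST = ("trendmicro.com", "microsoft.com", "symantec.com",
             "mcafee.com", "kaspersky.com")

# Entries that legitimately appear in a default hosts file.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; ignore the line
        for name in parts[1:]:
            yield parts[0], name.lower()


def matches_watchlist(hostname):
    """True if hostname is a watchlist domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def find_suspicious(text):
    """Return (ip, hostname, reason) tuples for entries worth triage."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        if matches_watchlist(name):
            findings.append((ip, name, "security vendor domain redirected"))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "hostname sinkholed to local address"))
    return findings


# Constructed sample hosts file resembling a tampered system.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1 localhost
::1       localhost
10.0.0.5  fileserver.corp.example
127.0.0.1 www.trendmicro.com   # added by malware
127.0.0.1 update.symantec.com
0.0.0.0   ads.example.net
"""
```

Run `find_suspicious(SAMPLE_HOSTS)` to get three findings: the two vendor domains and the sinkholed ad host, while the ordinary internal entry is left alone.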

    Trend Micro customers are protected by the Trend Micro™ Smart Protection Network™, which detects and blocks the malicious components of this threat.

    Special thanks to threat analyst Edgardo Diaz, Jr. for initially bringing this threat to light and to anti-spam research engineer Mary Aquino for the spam sample analysis.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice