The cybercrime underground saw relatively few truly revolutionary developments in 2010. However, while the rest of the world was in the economic doldrums, the cybercrime underground kept growing.
Researchers who monitored the cybercrime underground noted that the number of Trojans targeting information and credential theft significantly rose in 2010. This was not surprising, as we noted earlier that the number of new information-stealing malware families was on the rise.
One development in 2010, however, was the complete failure of certain domain registrars to properly police their customers. This allowed certain top-level domains to be heavily abused and used to host hundreds of thousands of malicious domains. Because of this, blocking a single domain name has been of limited value, as the domains became essentially disposable for the criminals using them.
While, in theory, these registrars are “legitimate,” their lax policies allow widespread abuse of their services by cybercriminals. To illustrate the scale of the problem, one of these registrars claimed on its front page that it had more than 7.5 million domains, very few of which are actually legitimate.
On a more positive note, there were some high-profile arrests and takedowns of cybercrime networks in 2010. In March, the Spanish authorities arrested the ringleaders of what was called the Mariposa botnet, which stole information from approximately 12.7 million users around the world. An even bigger operation, codenamed Trident Breach, led to the arrests in the United States, Britain, and Ukraine of more than 50 individuals involved in a ZeuS gang that targeted small and medium-sized businesses (SMBs). In late October, Armenian and Dutch law enforcement agencies worked together to arrest a 27-year-old man who was behind the Bredolab botnet.
Those arrests were noteworthy in large part because the authorities arrested the actual ringleaders of the gangs involved and not just low-ranking money mules. More than arresting mules or shutting down servers, arresting the criminals behind these attacks was necessary to stop these activities.
The futility of takedowns was seen when Pushdo/Cutwail was taken down earlier this year. Within days, it was back in business. Similarly, security researchers were able to take down the Waledac botnet in March but, as we noted at the time, the spam levels remained unchanged.
The lesson is that shutting down a botnet by purely technical means doesn’t do anything in the long term; arresting the people responsible is key to fixing the cybercrime threat.
Trend Micro partners with many law enforcement agencies around the world. Together with these partners, we continuously work to help bring those responsible for today’s online threats to a court of law. We expect these partnerships to be busier than ever in the upcoming year.