    Author Archive - Elizabeth Bookman (Threats Marketing Manager)

    A recent article on Network World entitled “Is Retaliation the Answer to Cyber Attacks” presented an interesting concept from French-based firm TEHTRI-Security—that of businesses and other organizations actively responding to criminal attacks by exploiting vulnerabilities in criminal networks and possibly deploying those same tools that criminals use to illegally acquire information, disrupt business, and steal money.

    We understand that, of course: everybody wants to strike back, and this is a very natural emotion. Simply compare how you might behave should somebody attack you or your family on the street. Meanwhile, the security industry delivers clean, legitimate solutions that help mitigate and prevent every emerging threat (though none can guarantee 100 percent eradication), but this does not address that emotional need.

    We do understand why some organizations may consider such a response to criminal attacks. In our view, however, deploying attack tools against attackers presents the same moral consideration whether the response is physical or digital. If everyone were to attack their attackers, we would likely find ourselves in an all-out digital conflict.

    There are further issues that need to be presented and considered before anyone takes a decision such as this.

    Reacting to such an incident in this way can potentially worsen the situation. Frequently, such attacks are carried out by criminal organizations with greater resources and money than even the largest enterprise.

    When you strike back, are you ready to accept the blackhat revenge?

    You may be confronted by a massive distributed denial-of-service (DDoS) attack that can take you out of business for weeks. You may be confronted by a hacking attack or other cyber activities that you do not want to be exposed to.

    And do you really know who your attacker is—they may well be a powerful Mafia organization. Criminals have long demonstrated that they lack moral fiber. Is there any reason to believe they will not use other illegal tactics in their counter response?

    Then there is a legal consideration, not for the criminal who does not care about law and order, but for you: the use of hacking tools in a revenge attack is not legal. Being a victim does not justify violating the law, and such a violation can place you at risk of legal action and seriously damage your organization’s and your own reputation.

    In short, a pure counterstrike does not do its job and may increase the security, professional, and personal risks for the one who retaliates.

    While there is no easy answer to the cybercriminal onslaught, at Trend Micro, we actively collaborate with Internet organizations, security industry partners, and law enforcement agencies around the world to stop these criminal activities.

    And by working together with our customers to expand the global network of sensors that feed information to the Trend Micro™ Smart Protection Network™, we are committed to offering the best protection whenever, wherever, and however our customers connect.


    With the growing diversity of OSs among companies as well as the growing use of mobile devices, cybercriminals should have a very profitable 2011. Their tactic will be to put a new spin on social engineering by way of “malware campaigns” and by bombarding recipients with email messages that drop Trojan downloaders. All these will largely be made possible because of the Internet. Already, Trend Micro threat researchers have found that more than 80 percent of the top malware use the Web to arrive on users’ systems.

    Diversity of OSs expands opportunities for cybercrime

    2011 will bring about growth in exploits for alternative OSs, programs, and Web browsers, combined with tremendous growth in the use of application vulnerabilities.

    Cloud computing and virtualization—while offering significant benefits and cost savings—will move servers outside traditional security perimeters and will expand the playing field for cybercriminals. It will likewise increase the security demand on cloud service providers.

    Trend Micro expects more proof-of-concept (PoC) attacks against cloud infrastructure and virtualized systems to show up in 2011. Knowing that the desktop monoculture will disappear, cybercriminals will test how to successfully infiltrate and misuse a monoculture in the cloud.

    Targeted attacks on “unpatchable” (but widely used) legacy systems like Windows® 2000/Windows® XP SP2 are likewise expected to continue.

    It’s all about social engineering

    Social engineering will continue to play a big role in the propagation of threats. Trend Micro believes that there will be fewer infiltrated websites in 2011. Instead, cybercriminals will focus on malware campaigns that promote malware via cleverly designed email messages that trick users into clicking malicious links that point to download pages. These types of campaigns will speed up the proliferation process for downloader malware. The downloader would then randomly generate binaries to avoid detection, as DOWNAD/Conficker and ZeuS-LICAT have done in the past.

    Thanks to easy-to-use underground toolkits, midsize companies will continue to be a target of cyber-espionage. In 2010, the use of underground toolkits like XWM exploded, making it easier to target particular organization types. ZeuS primarily targeted small businesses in 2010. Moving forward, localized and targeted attacks are expected to continue to grow in number and sophistication against both big-name brands and critical infrastructure.

    In 2011, it is very likely that cybercriminals will increasingly target security vendors’ brands in order to cause confusion and insecurity among users. To learn more about the key forecasts for next year, read the Trend Micro 2011 Threat Predictions.


    Trend Micro has released its Threat Report for the first half of the year. The report focuses on the global trends in online threats that we have seen.

    Threat Trends

    Europe became the largest source of spam globally in the first half of the year. Contrary to what some would believe, pornographic mail makes up only 4 percent of all spam. Commercial, scam-based, and pharmaceutical/medical spam together accounted for 65 percent of all spam worldwide. HTML spam was the most common kind of spam.

    We saw significant growth in the number of malicious URLs, which increased from 1.5 billion at the start of the year to over 3.5 billion by June. North America was the leading source of these, while Asia/Pacific was the region with the largest number of attempts to access these sites. The top URLs blocked by Trend Micro were adult websites.

    Trojans accounted for about 60 percent of the new patterns TrendLabs created in the first half of the year and for 53 percent of all detections. The majority of Trojans lead to data-stealing malware. Backdoors and crimeware/data-stealing malware came in second and third places.

    India and Brazil were identified as the countries with the greatest number of computers that became part of botnets. These bots are used to distribute malware, to perpetrate criminal attacks, and to send out spam.


    Trend Micro’s TrendLabs℠ has released its latest roundup for the month of July 2010. Recognizing that attacks are now carried out using three primary vectors (email, Web, and file), I have drawn on some of the highlights from the past month.


    The United States, Brazil, and India retained their positions as the top 3 spam-sending countries, a trend consistent with the previous two months. Both the United States and Brazil posted an increase in their spam numbers during the said months. India, meanwhile, posted a decline.

    Top Phishing Targets

    HSBC has become the top phishing target this month via email. It leaped from the bottom of the list to the top spot this July while PayPal remained part of the top 3 phishing targets. The full top 10 list can be found within the monthly report.

    New Phishing Targets

    Two new companies have been added to phishers’ list of targets, namely:

    1. ABN AMRO Bank N.V., a Dutch bank based in Amsterdam
    2. Banco Hipotecario Dominicano (BHD), a Big Four bank in the Dominican Republic


    With malware threats persistently posing danger to users, TrendLabs consistently monitors the threat landscape. This month, ATM malware, botnets, and online gaming-related threats were particularly noteworthy.

    The notorious KOOBFACE botnet also launched another notable attack this July using the old technique of sending out direct messages (DMs) via Facebook.

    Two notable ZeuS/ZBOT variants were found this July: one targeted Russian banks and/or Yandex services; the other, TSPY_ZBOT.CQJ, steals information by inserting malicious code into legitimate banking websites. The malicious code works when the said sites are viewed using Internet Explorer or Firefox.

    The report also notes that the continued proliferation of online gaming threats has made the gaming sector a consistent cybercriminal target. This is particularly true in China where online gaming is very popular and where cybercriminals have created XWM, the popular Chinese Trojan kit.

    Web Threats

    User account information and credit card credentials reap good profits for cybercriminals. As such, cybercriminals continued to leverage the widespread use of social networking sites, search engines, and redirectors this July. In the report, we detailed certain attacks and notable data points related to compromised sites.

    Top Domain IP Addresses Blocked

    The domains in the list have been found to be hosted in Ireland, the United States, Russia, China, Romania, and Japan.


    Top URLs Blocked

    These malicious URLs have been found to be hosted in Ireland, China, the United States, Germany, and Japan.


    For the full report and analysis, visit the Threat Report section of TrendWatch.

    Posted in Malware, Spam | July 2010—An Eventful Month for Threats

    Cybercrime is a day-to-day reality for anyone using the Internet. Whether for email or Web surfing, all Internet users are potentially at risk.

    Botnets are the tool of choice for distributing malware, for perpetrating attacks, and for sending slews of spammed messages. Through these botnets, botnet herders (the cybercriminals behind the botnets) earn millions of dollars stolen from innocent computer users.

    These cybercriminals buy and sell services, build partnerships, and rent services just as above-board businesses do; the main difference is the legitimacy and legality of the products, solutions, and services they handle. The quantity of spammed messages distributed via botnets is astronomical. Spam continues to be a vector of choice for cybercriminals owing to its speed of distribution and delivery, vast target list, and relatively low cost of investment compared with the profit on offer.

    As an example of how and why the spam issue is still overwhelming, according to Trend Micro research, spam now accounts for around 97 percent of all the email in circulation. In a recent laboratory-controlled investigation, the quantity of spam generated by a single bot-infested computer in a 24-hour period amounted to around 2,553,940.

    What can be done about it and who can effect change?

    According to the recent 2010 Consumer Survey published by the Messaging Anti-Abuse Working Group (MAAWG), 65 percent of the respondents felt that ISPs and ESPs should bear most of the responsibility for stopping spam, computer viruses, fraudulent email, and spyware.

    Given that the MAAWG survey also identified that there is a serious lack of awareness regarding bots and botnets on the part of the average consumer, service providers need to consider taking proactive steps to help secure and support their customers.

    Trend Micro chief technologist Dave Rand explains that ISPs have the ability to help combat botnets and spam through some fairly simple steps. For instance, they can block email on port 25—the port responsible for SMTP transfers. Botnet communications use port 25 when sending spam and other junk mail.

    If the ISP blocks port 25 and moves its customers’ email communications to a different port, the spam communications become ineffective. Generally speaking, users will not notice any direct change, as most use their ISPs’ own servers or free email services from providers like Gmail, Windows Live Hotmail, or Yahoo Mail.

    ISPs have the ability to monitor their own network activity and, for billing or technical reasons, can identify particular IP host addresses at any given time. With this information, they know what traffic traverses their network and have the technical ability to observe malicious traffic. This enables them to block port 25 and, more importantly, to identify and notify the compromised customer.
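    The following is an added illustration of the ISP-side approach described above, not code from Trend Micro or this post: it scores customer hosts by how many distinct mail servers they contact directly on port 25 (a spam bot fans out to many recipients’ servers, a normal client talks only to its ISP relay), flags the outliers for customer notification, and encodes the “block port 25 except to the ISP relay” policy as a decision function. The flow records, the customer and external address ranges, and the relay address are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, packets).
# Customer hosts use 192.0.2.0/24, external mail servers 198.51.100.0/24,
# and 203.0.113.25 stands in for the ISP's own SMTP relay (documentation
# address ranges; none of this is real data from the report).
ISP_RELAY = "203.0.113.25"
FLOWS = [("192.0.2.10", f"198.51.100.{i}", 25, 3) for i in range(1, 31)]  # bot fan-out
FLOWS += [
    ("192.0.2.11", ISP_RELAY, 25, 12),          # legitimate user relaying via the ISP
    ("192.0.2.11", "198.51.100.200", 587, 8),    # authenticated submission, unaffected
    ("192.0.2.12", "198.51.100.5", 25, 1),       # a single direct delivery, not suspicious
]


def smtp_direct_fanout(flows, relay=ISP_RELAY):
    """Count the distinct destinations each customer host contacted directly on
    port 25, ignoring traffic to the ISP's own relay."""
    fanout = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport == 25 and dst != relay:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()}


def flag_suspected_bots(flows, threshold=20, relay=ISP_RELAY):
    """Return customer hosts whose direct-SMTP fan-out reaches the threshold;
    these are the hosts the ISP would notify as likely compromised."""
    fanout = smtp_direct_fanout(flows, relay)
    return sorted(src for src, n in fanout.items() if n >= threshold)


def port25_policy_allows(dst, dport, relay=ISP_RELAY):
    """The 'block port 25' policy as a decision function: direct SMTP is
    permitted only to the ISP relay; other ports (e.g. 587 submission) pass."""
    if dport == 25:
        return dst == relay
    return True


if __name__ == "__main__":
    for host in flag_suspected_bots(FLOWS):
        print(f"notify customer at {host}: {smtp_direct_fanout(FLOWS)[host]} direct SMTP peers")
    dropped = [f for f in FLOWS if not port25_policy_allows(f[1], f[2])]
    print(f"{len(dropped)} of {len(FLOWS)} flows would be dropped by the port 25 block")
```

The threshold of 20 distinct SMTP peers is an assumed tuning value; a real deployment would set it from the ISP’s own traffic baseline.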

    Through experience, Trend Micro knows that the majority of the time, a customer will seek help in resolving the compromised machine(s) within their network. This collaborative communication helps reduce the number of bot-infected computers and, by so doing, helps ensure the privacy and security of customers and users.

    Trend Micro believes that the recently signed agreement in Australia (in which ISPs committed to notifying their consumers of PC compromises) and a similar agreement between over a dozen ISPs in the Netherlands (that have agreed to share security information and notify and block compromised customers) will have a dramatic impact on the number of bot-infected computers in those countries alone.

    Through research and monitoring, Trend Micro identified more than 4 million compromised systems in Turkey alone. We worked directly with a particular ISP that subsequently took action, removing these computers from the network as far as spam generation was concerned. Although these computers were still infected and could still be used to steal information, the immediate drop in spam from this network was very noticeable.

    The notification role service providers play is vital: during these projects, we have seen that once informed, the majority of customers do proactively look to clean up their network. Consider also that these compromised hosts are not all consumer owned; some of them are in government networks and also in hospitals. This means that this is more than just a spam issue; it is also a health and welfare issue.

    Given the size of this issue, do we need IT officials to secure the integrity of systems at country level? Perhaps we do…

    Looking at the evolution of the spam problem, we know that India is a growing issue. Dave Rand is currently working directly with ISPs across India in the search for the right solution to deal with the problem. Brazil is another country coming to the forefront in terms of number of compromised computers. In Brazil, we know that much of the spam is banking related and that the dominant cybercrime families in Latin America are, broadly speaking, online banking focused.

    Trend Micro wants to work with ISPs and to have them take an active role in notifying their customers. The issue is now becoming one of social and moral responsibility for service providers the world over.

    We don’t pretend to know everything but together with the help of ISPs, we know we can help improve the situation for everyone.

    Posted in Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice