By Brian Krebs
washingtonpost.com staff writer
December 27, 2006
It was the year of computing dangerously, and next year could be worse.
That is the assessment of computer security experts, who said 2006 was
marked by an unprecedented spike in junk e-mail and more sophisticated
Internet attacks by cybercrooks.
Few believe 2007 will be any brighter for consumers, who already are
struggling to avoid the clever scams they encounter while banking,
shopping or just surfing online. Experts say online criminals are
growing smarter about hiding personal data they have stolen on the
Internet and are using new methods for attacking computers that are
harder to detect.
"Criminals have gone from trying to hit as many machines as possible to
focusing on techniques that allow them to remain undetected on infected
machines longer," said Vincent Weafer, director of security response at
Symantec, an Internet security firm in Cuptertino, Calif.
One of the best measures of the rise in cybercrime is junk e-mail, or
spam, because much of it is relayed by computers controlled by Internet
criminals, experts said. More than 90 percent of all e-mail sent online
in October was unsolicited junk mail, according to Postini, an e-mail
security firm in San Carlos, Calif. Spam volumes monitored by Postini
rose 73 percent in the past two months as spammers began embedding their
messages in images to evade junk e-mail filters that search for
particular words and phrases. In November, Postini's spam filters, used
by many large companies, blocked 22 billion junk-mail messages, up from
about 12 billion in September.
The result is putting pressure on network administrators and corporate
technology departments, because junk mail laden with images typically
requires three times as much storage space and Internet bandwidth as a
text message, said Daniel Druker, Postini's vice president for
"We're getting an unprecedented amount of calls from people whose e-mail
systems are melting down under this onslaught," Druker said.
Spam volumes are often viewed as a barometer for the relative security
of the Internet community, in part because most spam is relayed via
"bots," a term used to describe personal computers that online criminals
have taken control of surreptitiously with computer viruses or worms.
The more computers the bad guys control and link together in networks,
or botnets, the greater volume of spam they can blast onto the Internet.
At any given time, between 3 million and 4 million compromised computers
are active on the Internet, according to Gadi Evron, who managed
Internet security for the Israeli government before joining Beyond
Security, an Israeli security firm. And that estimate only counts spam
bots. Evron said millions of other hijacked computers are used to launch
"distributed denial-of-service" attacks -- online shakedowns in which
attackers overwhelm Web sites with useless data and demand payment to
"Botnets have become the moving force behind organized crime online,
with a low-risk, high-profit calculation," Evron said.
He estimated that organized criminals would earn about $2 billion this
year through "phishing" scams, which involve the use of spam and fake
Web sites to trick computer users into disclosing their financial and
other personal data.
Another trend experts cite is the steady shift of Internet criminal
activity from nights and weekends to weekdays, suggesting that online
crime is evolving into a full-time profession for many.
Symantec found that the incidence of phishing scams has dropped
significantly on Sundays and Mondays in the United States. The firm
found a similar trend when it examined the pattern of new virus variants
compiled and released by attackers.
"The bulk of the fraud attacks we're seeing now are coming in Monday
through Friday, in the 9-to-5 U.S.-workday timeframe," Symantec's Weafer
said. "We now have groups of attackers who are motivated by profit and
willing to spend the time and effort to learn how to conduct these
attacks on a regular basis. For a great many online criminals these
days, this is their day job: They're working full time now."
Criminals are also becoming more sophisticated in evading anti-fraud
efforts. This year saw the advent and wide deployment of Web-browser
based "toolbars" with embedded technology designed to detect when users
have visited a known or suspected phishing Web site. But many scam
artists responded by developing new methods of hosting their fraudulent
Web sites and routing traffic to them that made them harder for law
enforcement and security experts to thwart.
"We've seen a pretty big evolutionary jump in tactics used by phishers
over the past year, and I believe it's because some of the toolbar
makers and the good guys who work to get these scam sites shut down have
really done a good job at preventing them from being successful," said
Dan Hubbard, vice president of research for Websense, an online security
firm in San Diego.
The past 12 months also brought a steep increase in the number of
software vulnerabilities discovered by researchers and actively
exploited by criminals. The world's largest software maker, Microsoft,
this year issued software fixes to 97 security holes that it classified
as "critical," meaning hackers could use them to break into vulnerable
machines without any action on the part of the user.
In contrast, Microsoft shipped just 37 critical updates in 2005.
Fourteen of this year's critical flaws were known as "zero day" threats,
meaning Microsoft first learned about the security holes only after
criminals had already begun using them.
The year began with a zero-day hole in Microsoft's Internet Explorer,
the Web browser of choice for about 80 percent of the world's online
users. Criminals were able to exploit the flaw to install
keystroke-recording and password-stealing software on millions of
computers running Windows software.
At least 11 of those zero-day vulnerabilities were in the Microsoft
Office productivity software suites, flaws that bad guys mainly used in
targeted attacks against corporations, according to the SANS Internet
Storm Center, a security research and training group in Bethesda.
Microsoft issued patches to correct a total of 37 critical Office
security flaws this year.
The year also was notable for a wave of attacks exploiting flaws in
software applications that run on top of operating systems, such as
media players and Web browsers. In February, attackers used a security
hole in AOL's popular Winamp media player to install a hidden program
when users downloaded a seemingly harmless playlist file. This month, a
computer worm took advantage of a design flaw in Apple Computer's
QuickTime media player to steal passwords from about 100,000 MySpace.com
bloggers, accounts that were then hijacked and used for sending spam.
Also this month, security experts spotted a computer worm spreading
online that was powered by a six-month old hole in a corporate
anti-virus product from Symantec.
Many security professionals speak highly of Microsoft's Vista, the
newest version of Windows scheduled for release next month. The program
includes improvements that should help users stay more secure online,
such as a Web browser with new anti-fraud tools, as well as operating
system changes that should make it more difficult for rogue software or
viruses to make unwanted changes to key system settings and files.
But some security vulnerabilities have been identified in Vista already,
including at least one in its new browser, Internet Explorer 7.
Moreover, experts worry that businesses will be slow to switch to the
new operating system and note that even if consumers adopt it more
quickly, Microsoft will continue to battle security holes in legacy
versions of its Office product.
Some software security vendors suspect that a new Trojan horse program
that surfaced last month, called "Rustock.B," may serve as the template
for future malicious software. The program morphs itself slightly each
time it installs itself on a new machine in an effort to evade
anti-virus software. In addition, it hides in the deepest recesses of
the Windows operating system, creates invisible copies of itself, and
refuses to work under common security analysis tools in an attempt to
defy identification and analysis.
"This is about the nastiest piece of malware we've ever seen, and we're
going to be seeing more of it," said Alex Eckelberry, president of the
security vendor Sunbelt Software in Clearwater, Fla. "The new threats
that we saw in 2006 have shown us that the malware authors are ingenious
and creative in their methods."
Subscribe to InfoSec News