Instead of trying to rebuild another botnet to replace Rustock and to launch massive spam campaigns, criminals have turned to more targeted attacks.
shifted away from building up botnet armies in favor of launching targeted
attacks on specific corporate networks in 2011, according to security
The overall number of networks and
computers hijacked by criminals globally and commandeered into a botnet army
has declined each year since 2009, Cisco said in its 2011 state of security
report, released Dec. 14. The Global Adversary Resource Market Share Index,
which tracks the number of compromised systems, has dropped over the past few years,
Attackers also changed how they
distribute malware in 2011, as they realized it could be used for "far
more nefarious purposes" than just stealing bank accounts, AppRiver researchers
wrote in their 2011 review.
Malware that is stealthy and "siphoning off" personal information,
which can later be sold on underground markets, is potentially a more
profitable approach, according to AppRiver. Facebook spammers took advantage of
users' tendency to click on links posted by "friends" to launch
clickjacking scams or download malware.
"This is becoming a precision,
assassin-like model versus a horrible, carpet bomb type of model," Scott
Olechowski, threat research manager for Cisco, said during a Dec. 13 news
Law enforcement has had success
shutting down major botnets. Microsoft announced its role in shutting down Rustock
command-and-control servers located in the United States, an operation that
included FireEye and federal law enforcement. Microsoft also worked with
Kaspersky Lab to move against the Kelihos botnet
"Almost immediately the effects of
the operation were noticed as the millions of bots infected with Rustock
stopped receiving orders and fell silent," AppRiver researchers wrote in
their report, adding that with the spam-spewing botnet crippled
, spam volumes have
dropped nearly 35 percent in 2011.
Cisco Security also noted the decrease
in spam, reporting a "steep decline" in spam volume since August 2010
from 379 billion messages a day to 124 billion. The United States was the No. 1
source for spam in 2010, but dropped to ninth place in 2011, according to
Mary Landesman, senior security researcher at Cisco. India has taken over
the top spot, according to Cisco. The amount of money generated annually from
spam has also fallen by roughly half, to $500 million, Cisco said.
The drop for the United States was the
result of a "huge effort by law enforcement" to shut down botnets,
However, Cisco also attributed the
decline to the fact that cyber-criminals are changing their attack methods.
While high-profile attacks from the Zeus botnet generated headlines, the most
lucrative and efficient attacks this year were smaller operations on high-value
targets, according to Landesman. The company reported earlier in the year that
criminals were favoring targeted phishing emails
spam campaigns and were seeing bigger payoffs.
That's not to say there were no mass
email campaigns in 2011. Adversaries successfully tricked and compromised users
as they customized campaigns to reflect world events, such as the devastating earthquake and tsunami in Japan
and the death of
Osama bin Laden. Spam emails claimed to have news and video for
information-hungry users or they masqueraded as charities raising funds to help
victims. Black hat search engine optimization tactics poisoned search results
so that people looking for details were directed to Websites that downloaded
malware onto the victims' computers, giving attackers direct access.
"The moment that a tragedy occurs
and draws the attention of a major portion of society, those with mal-intent
immediately begin trying to capitalize on the events by feeding the Internet
with their own versions of these news stories complete with information and
money-stealing malware," AppRiver said in its report.
Enigma Software identified the top five
days with the most malware infections in 2011 and found that the New Zealand
earthquake and Arab Spring saw exceptionally higher numbers of malware and
phishing attacks. The other dates included the "usual suspects" such
as the Monday after Thanksgiving for Cyber-Monday-related attacks and April
"The bad guys know that lots of
people will be scouring the Internet for good deals and the hottest holiday
items," said Alvin Estevez, CEO of Enigma Software.
The company reported a 71 percent spike
in malware on Feb. 27 over the previous day as malware and phishing attacks
linked to the earthquake in New Zealand and a 28 percent spike on March 28 over
the previous date as scammers linked to news about the Arab Spring uprisings.
Social networking spam
also became more common,
with spammers posting Wall messages on Facebook or sending out shortened links
on Twitter. Users were tricked into completing fake surveys in clickjacking
the malicious link being pasted as Wall posts to all the friends, thus
spreading the infection, according to AppRiver.