Top 10 Malware Attacks Of 2008
5:14 PM EST Fri. Dec. 19, 2008
In the weeks that followed President-elect Barack Obama's victory, spammers wasted no time in jumping on the Presidential bandwagon. In fact, reports showed that about 60 percent of total global spam capitalized on Obama's name in malicious, globalized attacks following the election. One particularly successful malware campaign enticed users to click on a video codec of Obama's acceptance speech. Once users opened the link, however, a Web site linked to a file called adobe_flash_exe, a malicious downloader designed to distribute an information-stealing Trojan on the unsuspecting victim's computer. Once downloaded, a rootkit then sent victims' personal and financial data to numerous command and control centers, and their computers were incorporated into a malicious botnet created to spew spam and malware.
It doesn't come as a surprise that cyber criminals don't take a break when the economy goes bad. If anything, they are leveraging the failing economy in even greater numbers, capitalizing on people's financial insecurities with everything from mortgage refinancing schemes to credit card offers. And it's probably no coincidence that experts have seen a huge spike in the number of phishing attacks targeting bank customers over the last three months. In one particular attack, phishers sent millions of e-mails directing Washington Mutual customers to submit personal and financial account information following the bank's acquisition by Chase. The legitimate-looking request was part of a malicious cyber campaign intended to steal users' information for identity theft purposes.
Phishers know how to follow the money. And Facebook, the most popular social networking site, has become an obvious target for spam and malware attacks. This year, the site became the target of numerous malicious worms, the latest being the Koobface virus, a Net worm designed to transform victims' computers into zombies that form a botnet. The worm spreads when users access their Facebook account. The worm creates a spam message, which it then sends to everyone on the user's contact list. Once the recipients open the link, they are redirected to a YouTube site, which allegedly claims to feature a video clip. If users attempt to open the video, they are asked to download the latest version of Flash Player, which is actually a malicious executable: the Koobface worm itself.
Meanwhile, Facebook spam also took a sharp upward spike in 2008. Spammers spoofed users' accounts by capitalizing on the site's "wall" feature. Victims were enticed to click on a link from someone they thought was on their contact list, not realizing their friend's account had been hijacked. Once they opened the link, the users were then asked to submit login credentials. In reality, however, their information was being sent to spammers who used it for further "spamvertising" or to access numerous accounts in subsequent phishing attacks.
Microsoft patched its security holes a little too late to stop a malicious Internet worm attack that exploited a critical vulnerability. The worm infected other computers across multiple networks by exploiting a critical vulnerability in the Windows Server service, which ultimately provided hackers a way to quickly and easily install information-stealing malware on users' computers.
Microsoft released an emergency out-of-band patch in October -- the first one of 2008 -- repairing the error. Even so, the number of successful exploits grew significantly as hackers reverse engineered the patch and launched numerous attacks in the days following the security update, Microsoft said.
Any high-profile media event always sets off a rash of attacks, especially if that event is viewed around the globe. And the 2008 Summer Olympic Games were no exception. During the games held in Beijing, spammers targeted millions of viewers in an attempt to distribute spam and malware. Numerous viewers were solicited by e-mail messages that offered discounted Olympic tickets. However, scam victims never actually received the tickets after they entered their credit card numbers and credentials into the application.
Other phishers attempted to distribute malware by luring victims with fake news headlines about the Summer Olympic Games. One of the headlines included "Millions Dead in Chinese Earthquake," accompanied by a link to a .cn domain Web site announcing that the 2008 Summer Olympics were in danger of being cancelled due to the natural disaster. Users were invited to click on a link to a video allegedly showcasing additional details of the tragedy. The link was used as a way to distribute the malicious Trojan Nuwar-E worm on victims' computers, once they tried to open the file.
It seems like no sites were safe in 2008. This year, hackers launched malware campaign after campaign by exploiting vulnerabilities in legitimate Web sites of the United Nations, CNN, Sony PlayStation, the French Embassy and others. The malware campaigns were typical of SQL injection attacks in which attackers exploit vulnerabilities in high-profile Web sites that are guaranteed to bring in significant amounts of traffic. During the U.N. attack, users unknowingly downloaded a malicious file that stealthily installed a combination of eight different pieces of malware on victims' machines to steal personal data.
Sony also dealt with hackers who infiltrated its PlayStation Web site to install malware by enticing users to download and pay for phony software. Similarly, the French Embassy Web site in Libya was attacked when perpetrators added an invisible IFRAME to the Embassy's site, which installed malicious code redirecting users to sites hosted by a Hong Kong-based provider and on through Russia and Ukraine. Once users were redirected, malicious downloaders were used to compromise their machines.
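The invisible IFRAME injection described above is something a site owner can check for in their own pages. The following is an added example, not code from the original article or from any of the sites it names: it scans HTML for iframes that are sized to zero, hidden via CSS, or that load content from a host other than the site's own. The host names and the sample page are constructed for illustration.

```python
"""Flag hidden or off-site <iframe> tags in a page (defensive scan, added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that look injected: zero-sized, CSS-hidden, or pointing off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()  # the host the page legitimately belongs to
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # boolean attrs arrive as None
        reasons = []
        # A 0x0 or 1x1 frame renders nothing visible to the visitor.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        # Inline CSS that hides the frame entirely.
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        # A frame that pulls content from a third-party host is the redirect vector.
        src_host = (urlparse(a.get("src", "")).hostname or "").lower()
        if src_host and src_host != self.site_host:
            reasons.append(f"off-site src {src_host}")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html, site_host):
    """Return a list of suspicious iframes found in `html` for a site served from `site_host`."""
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate same-site frame and one injected hidden frame.
# "embassy.example" and "redirector.invalid" are placeholder hosts, not real sites.
SAMPLE = """<html><body>
<h1>Embassy news</h1>
<iframe src="https://embassy.example/calendar" width="600" height="400"></iframe>
<iframe src="http://redirector.invalid/load.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE, "embassy.example"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run against the constructed sample it reports only the second frame, with all four reasons; the same-site, normally sized frame passes.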
Six days after Russian troops invaded Georgia, the battle was taken to cyberspace. Hit particularly hard was Georgia President Mikheil Saakashvili's Web site, which hackers sabotaged by redirecting viewers to a Web page that displayed images of Hitler juxtaposed with images of the Georgian president. Additionally, several Georgian governmental Web sites, including those of the Ministry of Internal Affairs and Ministry of Defense, were also disabled with a denial of service attack. And a slew of news sites and other popular information forums were also blocked from user access during the attack.
The series of attacks sparked off a cyber tete-a-tete that lasted for weeks following the invasion, with hackers from both Russia and Georgia escalating the conflict. Russian media then accused Georgia of targeting the state-sponsored Russian news organization RIA Novosti with denial of service attacks that shut down its site for hours. Meanwhile, the Russian press reported that a South Ossetian government Web site was hijacked and blocked for hours following Georgia's military action against South Ossetian villages.
In the run up to St. Valentine's Day this year, malware authors were busy creating ways to take advantage of users' unfailing desire for love and money. One of the most widespread attacks in 2008 was a romantically themed e-mail directing unsuspecting users to a Web site purporting to contain romantic images, alongside a variant of the Dorf Trojan. Researchers later discovered that the URLs led to binaries named valentine.exe, which, it turns out, were a version of the infamous Storm Worm.
Once users linked to the malicious site, they unknowingly infected their computers with the infamous botnet, which was then used to take over their machines, launch more spam, execute denial of service attacks or steal their identity.
Storm writers got an early start on the romantic holiday this year, enticing users with subject lines such as "The Love Train," "Valentine's Day," "You Stay in My Heart," "You're My Valentine" and "Love Rose."
As more users became aware of security threats in 2008, it stands to reason that they also became more interested in antivirus software. The irony of course, is that attackers were already a few steps ahead of the game and delivering their own special brand of fake antivirus software, complete with Trojans and viruses.
Earlier this year, hackers launched an attack on numerous domains that attempted to load fake antivirus software and pretended to conduct an online scan followed by a bogus warning message alerting users to the possibility of various malware on their systems. The user was then encouraged to download and run the executable installer.exe, which researchers detected as Mal/Packer. However, instead of a virus scanner, the user was actually downloading malicious files, all of which occupied the domains of Troj/Iframe-AG.
In general, targeted attacks don't make front page headlines -- unless the victims are thousands of top executives of major corporations. This year, phishers went after the big fish as thousands of top executives across the country fell victim to a new and highly sophisticated attack requesting them to appear before a grand jury.
The phishing message, which mimicked legitimate subpoenas from the United States District Court in San Diego, was highly targeted with the recipients' names, phone numbers, companies and correct e-mail addresses, and appeared to have an official-looking URL. Once opened, recipients were requested to click a link and download case histories and associated information. But upon opening the link, victims downloaded information-stealing malware -- keystroke loggers that record passwords and other personal data -- which was then sent to the remote attackers.
The U.S. District Court, Central District of California posted an advisory on its Web site warning users about the attack and stating that the court's administrative office had notified the FBI.