Three Years After Sobig.f, Next Attack Cycle Starting
Sobig.f, a worm that first appeared in August 2003 but which included a self-imposed cut-off date of Sept. 10, 2003, was the first significant malicious attack loaded into an e-mail attachment, said Mark Sunner, the chief technology officer of U.K.-based security vendor MessageLabs.
"Hindsight is fantastic, it makes things so clear when you look back and interpret events. That's the case with Sobig.f, which was particularly significant because it was the first virus that truly was all about spam.
"The whole Sobig family was incredibly significant because that was the point where spam and viruses converged." Before that, Sunner argued, the worst threats were self-replicating worms that attacked network vulnerabilities, such as 2003's MSBlast, or mass-mailed macro-based exploits like 1999's Melissa.
Hackers turned to spam in part, said Sunner, because by late 2002, the U.S. and the EU were ready to put anti-spam legislation into place. "That spam was now 'bad' didn't stop spammers, it just drove them further underground," said Sunner, and into the ranks of hackers, who quickly discovered that by mass-mailing malicious code as e-mail attachments, they could amplify the impact and reach of their work. In rapid succession, follow-on malware such as MyDoom and Bagle used the same tactics.
"It was all about spam and creating botnets, huge botnets," said Sunner. But the attackers' techniques were too successful. "In the summer of 2004, it really peaked. The bad guys were too successful. One in every 10 e-mails contained some kind of malicious code, and 90 percent of all mail was spam. You'd think [the attackers] would be pleased with that, but it was actually a bad thing for them because the press was talking about the attacks and the security community was scrambling to issue definitions.
"The overall level of vigilance went high, very high, and people started to take greater steps to protect themselves."
That swing of the pendulum led criminals to rein in their efforts to try to stay under the radar. "Botnets were once counted in the millions of machines or certainly in the hundreds of thousands," said Sunner, "but then they became much smaller and their owners more discreet."
The shift is evident in last month's malware and spam numbers. By MessageLabs' count, during August an average of only 1 in 98 e-mails contained malicious code, and spam accounted for just 64 percent of all mail traffic at corporate gateways.
Smaller, targeted attacks of today are a direct result of Sobig.f's success, Sunner said. Even the rise in phishing attacks can be attributed to attackers ditching the no-longer-profitable mass-mailing-malicious-code model of Sobig.f for other social engineering cons.
Sobig.f's three-year anniversary also gave Sunner an opportunity to talk about the next three-year cycle, which he said is already underway.
"With the benefit of hindsight, we can pinpoint 2003 and Sobig.f as the moment when viruses and spam converged. Today we're in the midst of the next wave of convergence, which will be all about spyware-type capabilities," said Sunner.
Attackers are only now starting to glean information about specific individuals or small groups using spyware-like tactics and technologies; the criminals then use that information to personalize phishing attacks and other forms of identity theft.
"Around December 2005 phishing e-mails began to head toward people who used a particular bank, and those e-mails included names and addresses and zip codes to more easily fool people into thinking the messages were legitimate," Sunner said.
Some of that information is being harvested from social networking sites, such as MySpace, where people willingly enter information about themselves.
"Years from now, we'll look back at this moment and see that this was when the bad guys moved away from the scattergun approach of identity theft, and started to use much more targeted, much more socially-engineered attacks."