<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Fortinet Security Blog &#187; social engineering</title>
	<atom:link href="http://blog.fortinet.com/tag/social-engineering/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.fortinet.com</link>
	<description>Real Time Network Protection</description>
	<lastBuildDate>Fri, 27 Jan 2012 11:59:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
	<!-- podcast_generator="podPress/8.8" -->
		<copyright>&#xA9;Fortinet Product Marketing </copyright>
		<managingEditor>rpopko@fortinet.com (Fortinet Product Marketing)</managingEditor>
		<webMaster>rpopko@fortinet.com (Fortinet Product Marketing)</webMaster>
		<category>Fortinet Product Information</category>
		<ttl>1440</ttl>
		<itunes:keywords>forti-gate, anti-spam, anti-virus, fortigate</itunes:keywords>
		<itunes:subtitle>The latest news and information about Fortinet products and services for Real Time Network Protection.</itunes:subtitle>
		<itunes:summary>Fortinet is a leading provider of Unified Threat Management (UTM) network security solutions for enterprise and service provider environments. The Fortinet FortiCast delivers news, information, and tutorials about products, services, and industry trends. Fortinet's FortiGate product line and FortiGuard security subscription services provide an array of integrated network security functions including antivirus, firewall, virtual private networking, intrusion prevention (IPS), web filtering, antispam and traffic optimization. </itunes:summary>
		<itunes:author>Fortinet Product Marketing</itunes:author>
		<itunes:category text="Technology"/>
<itunes:category text="Technology">
  <itunes:category text="Tech News"/>
</itunes:category>
		<itunes:owner>
			<itunes:name>Fortinet Product Marketing</itunes:name>
			<itunes:email>rpopko@fortinet.com</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://blog.fortinet.com/wp-content/uploads/2009/01/forticast-300x300.jpg" />
		<image>
			<url>http://blog.fortinet.com/wp-content/uploads/2009/01/forticast-144x144.jpg</url>
			<title>Fortinet Security Blog</title>
			<link>http://blog.fortinet.com</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>Targeting next generation users on social networks</title>
		<link>http://blog.fortinet.com/targeting-next-generation-users/</link>
		<comments>http://blog.fortinet.com/targeting-next-generation-users/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 18:05:45 +0000</pubDate>
		<dc:creator>DManky</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[koobface]]></category>
		<category><![CDATA[next-generation worms]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[social media and security]]></category>
		<category><![CDATA[social networks]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[web 2.0]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=392</guid>
		<description><![CDATA[While the next generation of tech has arguably arrived, it is simply a fact now that social networking sites and the blogosphere have become an integrated part of many people&#8217;s lives &#8211; some may even call them home (at least to their browsers). In 2008, we predicted the wave of spam that would hit these [...]]]></description>
			<content:encoded><![CDATA[<p>While the next generation of tech has arguably arrived, it is simply a fact now that social networking sites and the blogosphere have become an integrated part of many people&#8217;s lives &#8211; some may even call them home (at least to their browsers). In 2008, <a id="cdz1" title="we predicted" href="http://www.fortiguardcenter.com/report/roundup_dec_2007.html#2">we predicted</a> the wave of spam that would hit these &#8220;Web 2.0&#8221; platforms, as they were a natural target for spam to migrate to after years of living inside of mass mailers. Indeed, throughout 2008 we witnessed a barrage of attacks on these sites: <a id="z.8:" title="malicious social applications" href="http://www.fortiguardcenter.com/advisory/FGA-2007-16.html">malicious social applications</a>, &#8220;<a id="gd90" title="Spam 2.0" href="http://www.fortiguardcenter.com/advisory/FGA-2008-08.html">Spam 2.0</a>&#8221;, <a id="u:v." title="worms" href="http://www.fortiguardcenter.com/advisory/FGA-2008-26.html">worms</a> such as Koobface, XSS exploits, and various phishing campaigns. Here we are, a year and a half later, and the spam attacks <a id="a7qd" title="not-surprisingly continue" href="http://blog.fortinet.com/facebook-spam-canadian-pharmacy/">not surprisingly continue</a>.</p>
<p>Amongst all of this activity, more platforms with further complexity continue to arise and gain popularity, such as micro-blogging site Twitter. Naturally, some of the similar aforementioned attacks have followed as well. One of the effective mechanisms of next-generation worms traversing through linked accounts on social networking sites is that malicious links are sent out from one connected contact to another. Since most of these contacts presumably know each other, there is a higher level of trust &#8211; and a tendency for any recipient to let their guard down when clicking on these links. Most threat activity we have seen on social networking sites comes from harvested accounts, from worms like Koobface and phishing campaigns. These accounts are typically used in an ad-hoc fashion to blast out messages or invites to their contacts. Mass mailers, now typically hosted on botnets, follow the same pattern: they harvest accounts, and send out spam to as many contacts as possible &#8211; and have been doing this for a very long time. Enter targeted attacks.</p>
<p>There has been an increasing trend of targeted attacks, ones that are premeditated and delivered to usually only a handful of recipients, if not just one. These are often delivered as poisoned documents that trigger exploits, and drop malware such as keylogger trojans. For a detailed investigation, you may read <a id="k7-3" title="further here" href="http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network">further here</a>. In parallel with the increasing targeted attack front, we have witnessed an increase in document exploit activity. Figure 1 below shows a 6-month window of detected activity for commonly exploited document formats: XLS, DOC, and PDF:</p>
<p><img class="alignnone size-full wp-image-394" title="ddcvf74c_450frsjmbgr_b" src="http://blog.fortinet.com/wp-content/uploads/2009/06/ddcvf74c_450frsjmbgr_b.png" alt="ddcvf74c_450frsjmbgr_b" width="434" height="299" /></p>
<p>With the number of attacks that are circulating on next generation platforms, &#8220;Web 2.0&#8221;, whatever you want to call it &#8211; it is only a matter of time until cyber criminals become more aggressive and innovative with their methods. They have already started this transition and are in full swing with targeted attacks through traditional e-mail, so it is likely that they will follow suit and expand their horizons to new channels. Harvested accounts from social networks are primed for targeted attacks, and in theory would be even more effective than the already dangerous targeted attacks through traditional e-mail. This is because of several factors:</p>
<ol>
<li>Social networks host a wealth of information that would assist in social engineering hooks (think personal information and profiles, messages archived / posted, etc)</li>
<li>User bases have exploded on popular social network sites, and everybody is participating: from end users, celebrities / officials and enterprise (marketing, PR, executives, the list goes on)</li>
<li>Next generation platforms not only support the basic attack vectors that e-mail does (files and malicious links), but offer many more opportunities for attack, innovation and expansion</li>
<li>As I already pointed out, social networking rings / established contacts have a high degree of trust already</li>
</ol>
<p>A framework is already in place to siphon account credentials with ease, as we have witnessed over the last year. With favored targeted attack methods becoming quite active (Figure 1 &#8211; poisoned documents), and ample opportunity on the horizon, suffice it to say that the Internet is indeed a scary and hostile place. Always try to validate the identity of any contact, especially when file attachments or malicious links are involved.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/targeting-next-generation-users/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>March Threat Landscape Report: Virut, Conficker and social engineering</title>
		<link>http://blog.fortinet.com/march-threatscape-report-virut-conficker-and-social-engineering/</link>
		<comments>http://blog.fortinet.com/march-threatscape-report-virut-conficker-and-social-engineering/#comments</comments>
		<pubDate>Fri, 27 Mar 2009 21:19:28 +0000</pubDate>
		<dc:creator>DManky</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Threat Landscape]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[virut]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=243</guid>
		<description><![CDATA[Our March 2009 Threat Landscape Report is now available, recapping a month of threat activity from exploits and malware, to spam. Here are some key movements from the report along with comments: After a year long battle, W32/Virut.A finally lands in top spot &#8211; surpassing Netsky. This parasitic file infector proves to be quite virulent, [...]]]></description>
			<content:encoded><![CDATA[<p>Our March 2009 Threat Landscape Report is <a href="http://www.fortiguardcenter.com/report/roundup_mar_2009.html">now available</a>, recapping a month of threat activity from exploits and malware, to spam. Here are some key movements from the report along with comments:</p>
<p><strong>After a year long battle</strong>, <a href="http://www.fortiguardcenter.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfo&amp;fid=252377">W32/Virut.A</a> finally lands in top spot &#8211; surpassing Netsky. This parasitic file infector proves to be quite virulent, and has generated enough activity to land in our malware top 10 for twelve solid months. On top of infecting multiple local files on a PC, the virus can spread through file shares and/or removable media such as USB thumb drives. Additionally, it has a rather unique capability to propagate through other worms in a hybrid form &#8211; <a href="http://blog.fortinet.com/virut-infecting-worms-hitching-a-ride/">read here for more info</a>.</p>
<p><strong>Conficker, conficker, conficker. </strong>The notorious worm which has made headlines across the world continues to evolve with a new variant, Conficker.C. While it remained in fourth position in our Top 10 Exploitation list, exploit activity of MS08-067 (detected by FortiGuard IPS as &#8216;<a href="http://www.fortiguardcenter.com/ids/VID18947">MS.DCERPC.NETAPI32.Buffer.Overflow</a>&#8217;) actually decreased since we recorded a peak of activity on February 12th, 2009. Even with slightly deflated exploit levels, the worm has certainly established a strong global foothold and with the development of Conficker.C, the authors intend for it to stick around for a while. Conficker.C is quite simply more robust and effective &#8211; it boasts a new domain generation algorithm, and uses an enhanced cryptographic hash function (MD6) to validate the authenticity of its own malicious code. Most notably, after April 1st, 2009 it will attempt to communicate with a larger set of rendezvous points than previous variants used.</p>
<p>It is yet to be seen what happens after April 1st, though it should be pointed out that this code simply becomes active on that date and will remain active afterwards. Given the amount of attention <a href="http://blog.fortinet.com/the-art-of-unpacking-conficker-worm/">Conficker has received</a>, it is likely the authors will attempt any sort of strike at a later date when it is less anticipated &#8211; and more Conficker.C variants are spread. That said, always be aware and keep your protection up to date. Conficker is best blocked through layered defense, such as intrusion prevention, web content filtering, and antivirus. We continue to monitor this threat in the lab.</p>
<p><strong>There were 30 new vulnerabilities </strong>rated as &#8216;Critical&#8217;, up from last period&#8217;s count of 25. So far, active exploitation of these has been low. However, as we have seen before, critical vulnerabilities are highly sought in the digital underground and typically have long lifespans; it may take some time before successful exploits rise. This should be seen as a good opportunity to keep up to date with the latest patches before the vulnerabilities become larger issues.</p>
<p><strong>Social engineering attacks continue </strong>to become more sophisticated. A form of Location Based Services (LBS), spam and attacks custom tailored towards a recipient&#8217;s geographical location have become more mainstream. Two examples appear in this edition. The first is a spam campaign from Waledac, providing links to fake news sites serving up malicious variants of the Waledac family. The fake news sites (posing as Reuters) had dynamic headlines which cited explosions in regions that were close to the geographic location (geoIP) of the victim who would follow these links. The other example comes from the Canadian Pharmacy gang: spam driving traffic to the vast network of fraudulent domains owned by this group is shown in this edition, localized in Japanese. Canadian Pharmacy employs LBS, offering different content based on the geographic location of the would-be customer.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/march-threatscape-report-virut-conficker-and-social-engineering/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

