Trend Micro
TrendLabs Global Threat Trends 1H 2010

Table of Contents
Threat Trends 4
Email Threat Trends 5
Web-Based Threat Trends 8
File-Based Threat Trends 9
Cybercrime and Botnets 10
Underground Economy 12
High Profile Incidents of 1H2010 12
Vulnerabilities 15
Trend Micro Technology and Protection 16
Smart Protection Network 16
Solutions and Services 16
Trend Micro Enterprise Security 16
Trend Micro SecureCloud 16
Trend Micro Worry-Free Business Security 16
Trend Micro Titanium 17
Advice for Businesses Adopting Cloud Strategies 17
Advice for Businesses 17-18
Top Tips for End Users 19
About TrendLabs 20
Try it now for FREE
If you would like to see for yourself just how much time you could save then we're currently offering a free 30 day trial of all of the security products included in the BIG initiative. Or you can download more information about the products, including a detailed white paper, or try our Internet Security Consultant tool.
All you need to do is visit our dedicated BIG web site at: http://uk.trendmicro.com/uk/big/
Introduction
Cybercrime is now a fully fledged, but highly illegal, business. And it's all about money.
As the Underground Economy has grown and flourished, cybercriminals have developed new methods for tricking victims. Their scams are amazingly lucrative, with profits totaling in the billions per year. Many perpetrators hail from Eastern Europe, where cybercrime is rampant and considered business as usual. Canadian pharmacy spam, fake antivirus and others are part of a well-organized business model based on the concept of affiliate networking. In the case of cybercrime, the products sold via affiliate marketing may be highly profitable, although highly illegal, such as click fraud and the sale of credit card details.
In this report covering January to June 2010, we examine various cybercrime incidents and the criminals' use of multiple tools such as botnets, and look at the threat trends and activity currently causing, and likely to continue to cause, the most pain, cost and disruption to connected users across the world.
Many threats have evolved in recent times, becoming more silent and more insidious. Threats are intertwined, meaning almost every threat comprises multiple components for attacking, infecting and compromising data. Components always relate to one or more of the following three vectors: email, web and file. During the first six months of 2010 TrendLabs identified Europe as the largest source of spam emails, while Education is the industry most affected by malware compromise. Meanwhile, the US is the primary source of malicious URLs.
Vulnerability exploits are a key asset used by cybercriminals. They buy and sell vulnerability information and exploit code, as well as other types of malware. In the first half of 2010, over 2,500 Common Vulnerabilities and Exposures (CVEs) were recorded.
Professional criminals are widely known to be the perpetrators of almost all threats. Botnets are managed and run the way an enterprise organization manages its network. Making money is the primary aim.
Threat Trends
The Trend Micro™ Smart Protection Network™ infrastructure delivers advanced protection from the cloud, blocking threats in real-time before they reach you. Leveraging a unique, cloud-client architecture, it is powered by a global network of threat intelligence sensors, email, Web, and file reputation technologies that work together to dramatically reduce infections.
The Smart Protection Network is now seeing 45 billion queries every 24 hours, while it blocks 5 billion threats and processes 2.5 terabytes of data on a daily basis. On average 80 million users are connected to the network each day.
This community of users helps enable the Trend Micro Smart Protection Network to continue evolving and improving protection in real time.
The following data points, taken from the Smart Protection Network and other supporting monitoring systems, provide a comprehensive insight into the threats Trend Micro protected its users against in the first six months of 2010.
Email Threat Trends

Spam
Spam continued to grow between January and June 2010, albeit with a brief interruption during April.
The most notable change between the first and second quarters of 2010 was the reduction in spam from APAC and the increase in spam from Europe. Countries strongly contributing to the growth in spam from Europe include Germany, the UK, Italy and France.
Currently, TrendLabs monitors 38 languages and dialects used in spam. This coverage is continuously being improved to provide increased protection against highly localized spam. More than 95% of spam is in English. For non-English spam, the most common languages received are Russian, Japanese, Chinese, Spanish and French.
Most of the spam tracked during the past six months falls under the following three categories: Commercial (28%), Scams (22%) or Health/Medical (15%). In terms of spam technique, 37% of total samples use HTML, followed by Plain Text (25%) and Short Spam (10%).
[Figure: Spam Volume, January to June 2010 (monthly message volume, 0 to 3.5 billion)]

Regional Spam Sources, Q1 vs Q2 2010 (share of spam by source region, as read from the report's two pie charts):
Region          Q1    Q2
APAC            31%   28%
Europe          38%   44%
North America   14%   14%
South America   14%   11%
Unknown          3%    3%
Africa           0%    0%

[Figure: Spam Technique Distribution, 1H 2010. Categories: Plain Text, HTML, Image, PDF/RTF attached, GIF/JPEG attached, RAR/Zip attached, XLS attached, DOC/TXT attached, HTML Inserts, Short Spam, Salad, Others. Largest shares: HTML 37%, Plain Text 25%, Short Spam 10%.]
Commercial, Scams and Health/Medical spam made up the vast majority, a total of 65 percent of all spam tracked in the first half of 2010.
The quantity of spammed messages distributed via botnets is astronomical. Spam continues to be a vector of choice for criminals owing to the speed of distribution and delivery, the vast target list and the relatively low cost of investment when compared to the profit on offer.
The chart of spam per ASN (Autonomous System Number) shows the quantity of spam sent from each ASN in the first six months of 2010. An ASN is allocated to each ISP or organization that manages a large group of IP routing prefixes[1].
As can be seen from that chart, certain ASNs are working hard to reduce the spam distributed via their networks; however, these efforts seem to be countered by a number of providers not acting to manage the spam problem. One way ISPs can help combat botnets and spam is by blocking outbound connections on TCP port 25, the port used for server-to-server SMTP transfers. Spambots connect directly to port 25 on the recipients' mail servers when sending spam and other junk mail, bypassing the ISP's own relay entirely.
By blocking outbound port 25 from customer networks and routing legitimate mail through the ISP's own relay or the authenticated message submission port (587), the spambots' traffic becomes ineffective. Generally speaking, users will not notice any direct change, as most use their ISP's own servers or free webmail services from providers like Gmail, Windows Live Hotmail or Yahoo Mail.
As an example of how and why the issue of spam is now overwhelming, according to Trend Micro research spam now accounts for around 97% of all email in circulation[2]. In a recent laboratory-controlled investigation, the quantity of spam generated by a single bot-infested computer in a 24-hour period totaled around 2,553,940 messages[3].
[1] http://en.wikipedia.org/wiki/Autonomous_System_Number
[2] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/q3_2009_spam_report.pdf
[3] https://blog.trendmicro.com/how-many-spam-can-a-spam-bot-spam/
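The port-25 observation above is also the basis of a simple, robust spambot detector an ISP or enterprise can run over its own flow records: a client host that opens SMTP sessions to many distinct remote mail servers is acting as a mail server, whereas legitimate clients talk to a single relay or use port 587. The Python below is an added example for this report, not Trend Micro's code; the flow-record shape, the threshold, the ISP relay address and the prefix-to-ASN table are constructed assumptions, and the per-ASN roll-up reproduces the view the report's ASN chart gives.

```python
"""Spot likely spambots in outbound flow records and roll them up per ASN.

Added example, not Trend Micro's code. The flow-record shape, threshold,
ISP relay address and prefix-to-ASN table are assumptions; a real deployment
feeds NetFlow/IPFIX records and an ASN database into the same logic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix -> ASN table (assumed; ASNs taken from the private range).
PREFIX_TO_ASN = {
    ip_network("10.1.0.0/16"): 64500,
    ip_network("10.2.0.0/16"): 64501,
}

ISP_RELAY = "192.0.2.25"  # assumed: the ISP's own outbound mail relay


def _flows(src, dsts, port):
    """Build constructed flow records as (src_ip, dst_ip, dst_port) tuples."""
    return [(src, dst, port) for dst in dsts]


# Constructed sample flows covering the cases that matter.
SAMPLE_FLOWS = (
    _flows("10.1.0.5", [f"203.0.113.{i}" for i in range(1, 9)], 25)      # 8 distinct MX hosts
    + _flows("10.1.0.12", [f"203.0.113.{i}" for i in range(20, 25)], 25)  # 5 distinct MX hosts
    + _flows("10.1.0.9", [ISP_RELAY] * 10, 25)                             # only the ISP relay
    + _flows("10.2.0.7", ["198.51.100.10"] * 3, 587)                       # authenticated submission
    + _flows("10.2.0.8", [f"203.0.113.{i}" for i in range(40, 46)], 25)   # 6 distinct MX hosts
    + _flows("10.2.0.9", ["203.0.113.50", "203.0.113.51"], 25)            # 2 distinct, below threshold
)


def asn_of(ip):
    """First-match prefix lookup in the small table above (prefixes do not overlap)."""
    addr = ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return None


def find_spambots(flows, allowed_relays=frozenset(), min_distinct=5):
    """Return {src_ip: distinct_port25_destinations} for hosts that talk SMTP
    to at least min_distinct remote servers other than the allowed relays.
    Port 587 traffic is ignored: that is authenticated client submission."""
    dests = defaultdict(set)
    for src, dst, port in flows:
        if port == 25 and dst not in allowed_relays:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= min_distinct}


def spambots_by_asn(spambots):
    """Count flagged hosts per ASN, the aggregation the report's ASN chart uses."""
    counts = defaultdict(int)
    for src in spambots:
        counts[asn_of(src)] += 1
    return dict(counts)


if __name__ == "__main__":
    bots = find_spambots(SAMPLE_FLOWS, allowed_relays={ISP_RELAY})
    for src, n in sorted(bots.items()):
        print(f"{src:<12} AS{asn_of(src)}  {n} distinct port-25 destinations")
    print("flagged hosts per ASN:", spambots_by_asn(bots))
```

The threshold is deliberately on distinct destinations rather than message count, because a single busy relay connection is normal and a fan-out to many MX hosts is not; tune `min_distinct` per network and always exclude your own relays, or every legitimate client looks like a bot.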
[Figure: Spam volume by ASN (past 6 months), January to June 2010; monthly spam volume per ASN. The ASN labels are not recoverable from this copy.]

[Figure: Spam Volume by Country, 1H 2010. Countries shown, in order: USA, IND, DEU, BRA, GBR, FRA, VNM, ITA, KOR, POL, ROM, RUS, NLD, ESP, UKR, COL, TWN, SAU, PRT, ISR, ARG, GRC, CAN, TUR, others.]

[Figure: Spam Type Distribution, 1H 2010. Categories: Health/Meds, Stocks, Educ/Degree, Jobs, Scam, Adult/Porn/Dating, Financial, Commercial, Malware (URL), Malware (attachment), Phishing, Others. Largest shares: Commercial 28%, Scams 22%, Health/Meds 15%.]
The following chart shows the total number of spambot-infected computers TrendLabs identified per country. A spambot is an infected computer controlled by a botnet known to prolifically distribute spam, although it is unlikely to be limited to only this type of activity. Note that this is not the total number of infected computers, as many bots are not used to distribute spam.
The total number of active spamming IPs in India and Brazil is well ahead of their closest rival, Germany. In the past six months, both India and Brazil have fully emerged as central countries in the cybercriminal landscape.
Phishing
Targeted Entities
In alphabetical order, the four most popular entities targeted via both phishing email and spoofed sites in the first six months of 2010 were (1) Bank of America, (2) eBay, (3) HSBC, and (4) PayPal.
While the majority of the top 10 targeted entities are commercial or financial entities, social media platforms like Facebook and Twitter, as well as MMORPGs like World of Warcraft, were also consistently present. The majority of the new entities being targeted by phishers are local banks in specific countries (e.g., Italy, Malaysia, United States) and online gaming services (see below, in alphabetical order):
• Air Academy FCU: a credit union with branches in Colorado
• Banca Del Monte di Lucca
• Banca Carige: a commercial Italian bank, including some of its subsidiaries like Cassa di Risparmio di Carrara and Cassa di Risparmio di Savona
• Banca Cesare Ponti: a commercial Italian bank
• Banca Sai: a commercial Italian bank
• Battle.net: an online gaming service operated by Blizzard Entertainment
• Cassa di Risparmio di Ferrara: a commercial Italian bank
• CenturyLink: a telecommunications company in the United States
• FirstCaribbean International Bank: a Barbados-based bank operating in the Caribbean
• iQuebec: a French-language Internet portal
• Lottomatica: an Italian gaming company
• Nantahala Bank & Trust Company: an American bank
• NCSoft: an online gaming service provider
• Pinnacle Bank: an American bank
• President's Choice Financial: a Canadian bank
• Public Bank Berhad: a Malaysian bank
• SCRIGNO for Banca Popolare di Sondrio: an Italian bank
Phishing Techniques
Between January and June 2010, phishers continued the trend of explicitly displaying phishing URLs rather than hiding them. This indicates victims still judge whether a site is authentic by more obvious visual cues, such as the site's appearance and the use of correct company logos, instead of inspecting the address bar. Only the registrable domain shown there identifies who actually serves the page; a brand name embedded in a subdomain or in the path is chosen by the phisher and proves nothing.
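The "look at the address bar, not the logo" advice above can be turned into a mechanical check that a mail gateway or browser extension can apply to every link. The Python below is an added example for this report, not Trend Micro's code: it extracts the registrable domain of a URL and flags a brand keyword that appears anywhere in the host or path while the registrable domain is not one the brand actually uses, alongside the raw-IP, userinfo (`user@host`) and punycode tricks phishers lean on. The brand allowlist and the public-suffix subset are constructed for the demo; a real checker would use the Public Suffix List and a maintained brand inventory.

```python
"""Heuristic check for brand-impersonating phishing URLs.

Added example, not Trend Micro's code. The brand allowlist and the
public-suffix subset are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> registrable domains the brand really uses (assumed).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com", "ebay.co.uk"},
    "hsbc": {"hsbc.com", "hsbc.co.uk"},
    "bankofamerica": {"bankofamerica.com"},
}
# Tiny subset of two-label public suffixes (assumed); the real list has thousands of entries.
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au", "co.jp"}


def registrable_domain(host):
    """'www.hsbc.co.uk' -> 'hsbc.co.uk'; 'paypal.com.evil.example' -> 'evil.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo before host")  # the 'paypal.com@203.0.113.9' trick
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address host")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("punycode label")  # possible homograph attack
    reg = registrable_domain(host)
    # Brand name anywhere in netloc or path while the registrable domain is not the brand's.
    haystack = (parts.netloc + parts.path).lower().replace("-", "").replace("_", "")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and reg not in legit:
            findings.append(f"brand '{brand}' outside its domain ({reg})")
    return findings


def is_suspicious(url):
    return bool(assess_url(url))


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin",
              "http://www.paypal.com.secure-login.example/webscr",
              "http://203.0.113.7/ebay/update.php",
              "http://paypal.com@203.0.113.9/login"]:
        print(u, "->", assess_url(u) or "ok")
```

The substring match is intentionally crude (it will fire on any host or path containing "ebay"), which is the right bias for a gateway that quarantines for human review but too noisy for silent blocking; the registrable-domain comparison is the part that is actually decisive.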
[Figure: 1H10 Total Host Count by Country (spambot-infected hosts per country, 0 to 25,000,000; India and Brazil lead, followed by Germany)]
Web-Based Threat Trends
The onslaught of threats using the Web as a means to propagate will increasingly cause challenges for organizations and end users.
Bad Actors vs. Victims
"Bad Actors" refers to the sources of malicious URLs. The United States has consistently been the primary source of malicious URLs, while Japan accessed the greatest number of malicious URLs. Similarly, North America is the continent hosting the most malicious URLs, while Asia is the continent with the most victims.
Top URLs and Domains Blocked
The URLs and domains that consistently appeared in the top 10 for 4-6 months are listed, in no particular order, in the two tables that follow the monthly bad-actor rankings.
[Figure: Growth in Malicious URLs, January to June 2010 (monthly count, 0 to 4 billion)]
Monthly Top 20 Bad Actors by Country, Q1 2010 (source countries of malicious URLs)

#   JAN                     FEB                 MAR                 Q1
1   United States           United States       United States       United States
2   China                   China               China               China
3   Netherlands             Netherlands         Netherlands         Netherlands
4   Russian Federation      Germany             Germany             Germany
5   Germany                 Russian Federation  Romania             Russian Federation
6   Romania                 Japan               Japan               Romania
7   Japan                   Romania             Russian Federation  Japan
8   France                  France              United Kingdom      France
9   United Kingdom          United Kingdom      France              United Kingdom
10  Ukraine                 Canada              Canada              Canada
11  Bosnia and Herzegovina  Ukraine             Ukraine             Ukraine
12  Canada                  South Korea         South Korea         South Korea
13  South Korea             Italy               Italy               Sweden
14  Sweden                  Sweden              Sweden              Italy
15  Portugal                Poland              Australia           Poland
16  Poland                  Turkey              Bahamas             Bosnia and Herzegovina
17  Italy                   Australia           Turkey              Turkey
18  Turkey                  Czech Republic      Poland              Australia
19  Australia               Taiwan              Czech Republic      Portugal
20  Israel                  Panama              Panama              Czech Republic
Top URLs blocked (consistently in the top 10 for 4-6 months, in no particular order):

URL                                              Host country  Description
ad.globe7.com:80/iframe3                         USA           Contains malicious IFRAME code
bid.openx.net:80/json                            USA           Known to download TROJ_AGENT variants
delivery.adyea.com:80/lg.php                     DEU           Known to download worms; sets drives to autoplay by creating autorun.inf in the drives' root directories
dt.tongji.linezing.com:80/tongji.do              CHN           Related to JS_DLOADR.ATF
hot1.xgazo.info:80/pic.php                       USA           Proxy avoidance site
newt1.adultadworld.com:80/jsc/z5/ff2.html        USA           Adult website
openxxx.viragemedia.com:80/www/delivery/afr.php  NLD           Known to host adware

Top domains blocked (consistently in the top 10 for 4-6 months, in no particular order):

Domain                   Host country  Description
bid.openx.net            USA           Known to download TROJ_AGENT variants
delivery.adyea.com       DEU           Known to download worms; sets drives to autoplay by creating autorun.inf in the drives' root directories
dt.tongji.linezing.com   CHN           Related to JS_DLOADR.ATF
hot1.xgazo.info          USA           Proxy avoidance site
newt1.adultadworld.com   USA           Adult website
openxxx.viragemedia.com  NLD           Known to host adware
trafficconverter.biz     USA           Known to be accessed by Conficker/DOWNAD variants
Monthly Top 20 Bad Actors by Country, Q2 2010 (source countries of malicious URLs)

#   APR                 MAY                 JUN                 Q2
1   United States       United States       United States       United States
2   China               China               Ireland             China
3   Netherlands         Romania             China               Ireland
4   Germany             Germany             Romania             Romania
5   Romania             Japan               Japan               Germany
6   Japan               United Kingdom      Germany             Japan
7   United Kingdom      Netherlands         United Kingdom      Netherlands
8   Russian Federation  Ukraine             Netherlands         United Kingdom
9   Ukraine             Russian Federation  Russian Federation  Russian Federation
10  France              France              Ukraine             Ukraine
11  Canada              South Korea         France              France
12  South Korea         Canada              South Korea         Canada
13  Italy               Australia           Canada              South Korea
14  Australia           Italy               Sweden              Australia
15  Sweden              Belgium             Belgium             Sweden
16  Turkey              Sweden              Australia           Belgium
17  Bahamas             Taiwan              Latvia              Italy
18  Singapore           Bahamas             Italy               Bahamas
19  Czech Republic      Singapore           Bahamas             Latvia
20  Poland              Poland              Taiwan              Taiwan
File-Based Threat Trends
New Malware Creation
In order to ensure wide sourcing of malware samples, Trend Micro has its own research and monitoring systems and also collaborates with multiple independent third parties. Included among these independent third parties is AV-Test.org. Calculations based upon the total number of unique samples collected in 2009 indicate that a new piece of malware is created every 1.5 seconds.
TrendLabs now sees in the region of 250,000 samples each day. However, recent estimates place the number of genuinely unique new malware samples introduced in a single day at greater than 60,000; the difference is largely repacked or otherwise trivially modified copies of existing families.
Trojans account for about 60 percent of new signatures created by TrendLabs, and 53 percent of overall detections as of June. Backdoors and Trojan-spyware, often defined as crimeware or data-stealing malware, come in second and third places, respectively. Moreover, the majority of Trojans lead to data-stealing malware.
Infections according to Industry
The chart below clearly indicates that Education as an industry has been hardest hit by infections in the first half of 2010. This is likely owing to the number of students using old and out-of-date software and security, and possibly visiting suspect websites. These issues compound the challenges related to securing a complex, distributed and diverse infrastructure.
[Figure: Infection breakdown by Industry, 1H 2010. Pie chart across 21 industries: Banking, Communication/Media, Education, Energy, Fast-Moving Consumer Goods, Financial, Food and beverage, Government, Healthcare, Insurance, Manufacturing, Materials, Media, Oil and gas, Other, Real estate, Retail, Technology, Telecommunications, Transportation, Utilities. Education is the largest slice, at 44%.]

[Figure: Infections tracked, by Industry over Time, January to June 2010 (monthly counts, 0 to 200,000,000, one series per industry listed above)]

[Figure: New Unique Samples Added to AV-Test.org's Malware Collection, monthly from 2007-01 to 2010-03 (0 to 2,000,000 per month, with a 3-month median and a forecast line; annotated "NEW threat every 1.5 seconds")]
Cybercrime and Botnets
Botnets are the tool of choice for distributing malware, perpetrating attacks and sending slews of spam email. Through these botnets, botnet herders, the cybercriminals behind the botnets, earn millions of dollars in money stolen from innocent computer users.
These cybercriminals buy and sell, build partnerships and rent services just as an above-board business would; the main difference being the legitimacy and legality of the products, solutions and services they handle.
In an effort to help better explain cybercrime, in April 2010 TrendLabs' forward-looking research group published the following correlation map to provide a pictorial representation of the cybercriminal business model[4].
This chart may, on the face of it, seem quite complicated, but we can illustrate it using BREDO and CUTWAIL as an example.
CUTWAIL spammed messages contain BREDO variants, therefore it can be assumed that the criminals behind BREDO are paying the criminals behind CUTWAIL to send spam containing BREDO. It is also likely that they are paid per machine infected by the BREDO variant they spammed. Note that these infected machines, which are part of the CUTWAIL botnet, then report back to the BREDO botnet master.
The same thing happens between ZeuS and BREDO. The criminals behind ZeuS pay the criminals behind BREDO to install their (ZeuS) malware on infected machines. As we all know, ZeuS malware steals bank account information, among other things (e.g., POP3 and FTP accounts).
[Figure: Botnet business model correlation map. Nodes: CUTWAIL (a.k.a. PUSHDO; how the threat is delivered), BREDO (a.k.a. BREDOLAB; used to deliver malware under pay-per-install or pay-per-access models), SASFIS, KOOBFACE (usually found in social networking sites), ZEUS (notorious information stealer), TDSS (rootkit capabilities), FAKEAV (spamware used to extort money from victims in exchange for fake security software), WALEDAC. Edges are labelled SPAM and Pay per Install.]
[4] http://blog.trendmicro.com/spotlighting-the-botnet-business-model/
There is an ongoing cycle of money moving from one place to another. In another example, the criminals behind FAKEAV get paid if users buy their fake antivirus programs, and they use this money to pay other botnets to spread their programs.
At the end of the day, the aim of this succession of infections is to steal money from affected users. Keep in mind that every time a primary botnet downloads another piece of malware, the criminals behind the botnet are paid.
TrendLabs experts see this cycle continuing and evolving constantly. Arguably the two threats that have had the most impact in the past six months are ZeuS and KOOBFACE.
ZeuS
ZeuS is primarily a crimeware kit designed to steal users' online banking login credentials, among other things. It is the handiwork of Eastern European organized criminals and has now entered the underground cybercriminal market as a commodity. ZeuS has proliferated in part due to the availability of ZeuS toolkits, which allow cybercriminals to rapidly create ZeuS variants in a matter of minutes. Hundreds of new ZeuS variants are seen by Trend Micro every day, and this is not likely to change in the near future.
A new version of the ZeuS malware has also been encountered in the wild since the start of the year. These new versions, frequently referred to as ZeuS 2.0, have had their behavior changed to become more difficult to detect and remove from systems. In addition, this new version also includes default support for current versions of Windows, where before this had to be acquired as an "upgrade"[5].
KOOBFACE
KOOBFACE has been around since last year, gearing up to become the largest social networking threat to date. In the early part of this year, TrendLabs experts noted that the KOOBFACE gang was continuously updating their botnet: changing the botnet's architecture, introducing new component binaries, and merging the botnet's functions with other binaries. They also began encrypting their C&C communications to avoid monitoring and takedown by security researchers and the authorities.
KOOBFACE attacks users on several social networking sites, and given the increasing usage across all demographics, the KOOBFACE gang will not likely let go of this money-generating scheme. In fact, it had begun tracking visitors, as evidenced by a short JavaScript code found in the fake video pages the gang has set up. This enables the creators to correlate user activity based on time of day and the volume of successful KOOBFACE infections[6].
[5] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
[6] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/web_2_0_botnet_evolution_-_koobface_revisited__may_2010_.pdf
Underground Economy
During their monitoring, experts from TrendLabs identified the following items and their average price tag, for sale on the underground.
Document scan resale services:
• Passport/utility bill/statement: $20
• Credit card (front and back): $25
• Original docs: starts from $4
• Passport: $20
• Driver's license: $20
• Credit cards: $30
• Utility bill: $10
US credit card sales: USA MasterCard/VISA, $0.80 to $1 each
EU credit cards: Denmark, Greece, Ireland (Eire), Latvia, Netherlands, Norway, Sweden, $3 per card
Credit card money cashers (card information input service): a person enters the credit card details in online shops, for delivery to the requested address, $5
PayPal accounts: hacked PayPal accounts sold for 30% of the current balance on the account
High Profile Incidents of 1H2010
Between January and June 2010, there were many high profile threat incidents. The following threat incidents are those we believe had most impact on users and/or the security industry.
1 – The IE and other Zero Day Attacks[7]
In January, spammed emails loaded with malware files were sent to users, and malicious sites were found to contain hidden JavaScript that took advantage of a zero-day vulnerability in Internet Explorer. All versions of Internet Explorer (except v5.01) were affected, and the exploit was known to deliver backdoor Trojans to affected systems.
Once executed, these malicious backdoor files stole information which was sent to a remote user. The exploit for this zero-day vulnerability was subsequently reworked to bypass a security feature in Internet Explorer, forcing Microsoft to release an out-of-band patch (Microsoft Security Bulletin MS10-002) on 21 January. Some reports also suggested that cybercriminals were launching attacks using recent vulnerabilities found in Adobe Reader and Acrobat.
Independent researchers surmised that about 34 companies were affected by what was described as a "highly sophisticated and targeted attack." This situation is in line with the Trend Micro prediction that there would be "No global outbreaks, but localized and targeted attacks".
2 – ZeuS, ZBOT and Kneber
ZeuS, Kneber and ZBOT all relate to the notorious ZeuS crimeware. In February, Kneber hit the headlines and shone a spotlight on ZeuS, an established toolkit known to be leveraged by many other threats; it is one of the most dangerous threats online. ZeuS is often mistakenly referred to as a botnet; in fact, ZeuS is made up of many small botnets, all linked by their use of the same crimeware.
ZeuS may arrive as an attachment or link in a spammed message or be unknowingly downloaded via compromised websites. Most ZeuS botnets target bank-related websites; however, in the first six months of 2010, Trend Micro monitored activity including:
• Spam targeting government agencies
• Phishing attacks that target AIM users
• ZBOT variants that target the social networking site Facebook
[7] http://threatinfo.trendmicro.com/vinfo/web_attacks/Zero-Day_Internet_Explorer_Bug_Downloads_HYDRAQ.html
In order to defraud victims, the criminals behind this threat generate a list of bank-related websites or financial institutions from which they steal usernames, passwords and other sensitive banking information. They harvest credentials such as those used for online shopping, online payment and FTP, and insert extra form elements into legitimate pages (e.g. online banking) that ask for additional information such as PIN numbers. Because the injection happens inside the victim's browser after the genuine page has been received, the page still carries the bank's real URL and certificate, so neither the address bar nor the padlock reveals the tampering.
TrendLabs published a comprehensive insight into ZeuS in March 2010: ZeuS, a Persistent Criminal Enterprise[8].
3 - Mariposa Botnet
Mariposa, "butterfly" in Spanish, refers to a network of 13 million compromised systems in more than 190 countries worldwide that was managed by a single command-and-control (C&C) server in Spain. This botnet has been dubbed one of the biggest networks of zombie PCs in cyberspace, alongside the SDBOT IRC, DOWNAD/Conficker and ZeuS botnets. The Mariposa botnet was in existence as early as December 2008 and rose to fame in May 2009.
However, March 2010 saw its shutdown and the subsequent arrest of three of its main perpetrators.
Typically, botnets carry with them binaries or malicious files that their perpetrators use for various purposes. At the time its notoriety was growing, Trend Micro threat analysts found WORM_AUTORUN.ZRO, a worm retrieved from compromised systems that were found to be part of the Mariposa botnet. This worm has the ability to spread via instant-messaging (IM) applications, peer-to-peer (P2P) networks and removable drives. Some binaries were also capable of spreading by exploiting a vulnerability in Internet Explorer (IE).
Just like any other botnet, Dias de Pesadilla (DDP), aka the Nightmare Days Team, used Mariposa to make money. The botnet was being used to steal information such as credit card numbers, bank account details, usernames and passwords to social-networking sites, and important files found on affected systems' hard drives, which cybercriminals may use in a number of ways. Experts also found that DDP stole money directly from banks using money mules in the United States and Canada.
Further digging into Mariposa's business model revealed that its administrators also offered underground services to potential clients. Some of these services included hacking servers to take control of them, encrypting bots to make them invisible to security applications, and creating anonymous VPN connections to administer bots. More than 200 binaries of the Mariposa botnet have been found in the wild. Among these, users should be most wary of the information stealers that compromise not just banking information but also a user's identity.
4 - Shanghai World Expo as Bait in Cyber Attack
At the end of March/beginning of April 2010, TrendLabs identified a new attack using a previously known Adobe exploit. In the attack, emailed messages purportedly coming from the Bureau of Shanghai World Expo asked recipients to open a file attached to the message and to update their submitted registration forms. There were indications that the attack was intentionally targeted toward Western journalists in Asia. It is unclear how the details of persons registered to attend the Expo were accessed by the criminals; however, it is worth noting that the World Expo website stated that it expected around 70 million attendees at the event this year[9].
The attachment within the spammed message was a .PDF file that took advantage of a known vulnerability in Adobe Acrobat and Reader (CVE-2010-0188, patched by Adobe in February 2010). Once successfully exploited, the .PDF file dropped a backdoor program onto the affected system, which in turn enabled attackers to gain full control of the victim's machine. The roughly six-week gap between the patch and the attack is the point to note: a "previously known" exploit remains fully effective against every system that has not applied the update.
The method used to exploit this vulnerability on this occasion differed from that used previously. Trend Micro researchers identified that the .PDF files had an embedded malicious .TIFF file. This embedded .TIFF file, when processed by vulnerable Adobe products, triggered the vulnerability and the execution of arbitrary code. In this attack, system information such as computer name, CPU information, OS version and IP address of the affected system was stolen and sent to a remote server.
High Profile Incidents of 1H2010
[8] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
[9] http://threatinfo.trendmicro.com/vinfo/web_attacks/Shanghai_Expo_Spam_Carries_Backdoor.html
5 - New, Shortened URLs in IM Spam, Now result in KOOBFACE Malware
Cybercriminals are very adept at employing new techniques in order to trick and infect more users. In the middle of April this year, TrendLabs identified attacks of spam over IM, using shortened URLs for their misdemeanor. The twist to this story is a relationship between spam over IM, BUZUS and KOOBFACE.
Most users of instant messenger applications have on various occasions seen attempts to dupe them into clicking on spam received over IM or strange friend requests.
It seems the cybercriminals may have also realized that their past techniques may be becoming less effective, and TrendLabs has just recently discovered that these criminals are now using shortened URLs to spam malware. URL-shortening services are normally used to compress long and unreadable URLs into short, bite-sized ones. These short URLs are more portable, and are now generally preferred over the (normally long) actual URLs when sharing news within networks, blogs, Tweets, and other social media tools. URL-shortening services can be used to hide malicious links from view, thereby tricking users into clicking suspicious links.
KOOBFACE is a notorious botnet that originally targeted innocent Facebook users. Since then, it has gone on to target other social networks, and so it is not surprising that the criminals behind the threat are looking to new avenues through which to extend their network of compromised machines. KOOBFACE causes so much consternation that TrendLabs has published 3 separate research reports on the subject [10].
6 – FAKEAV, the standard revenue generator [11]
Throughout the first six months of 2010, FAKEAV (or Rogue Antivirus) continued to be used by cybercriminals as a key revenue generator. Programs designed to look professional, even to the point of offering telephone support services, have been maliciously pushed to innocent users under the pretence of infection and vulnerability. FAKEAV leverages social engineering to capture users' attention and make threats believable. Cybercriminals use multiple vectors to deliver their threats.
A few of the methods they use are listed below:
• Stealing from users directly by convincing them to download, install, and then pay for fake software.
• Infecting users through malicious links placed in search results – poisoned search results are otherwise known as Black Hat SEO.
• Delivering a payload of malicious routines or installers that leave additional malware on the infected system.
• Using social engineering sites such as Twitter, to trick users.
Unlike most threats, FAKEAV software displays a visual element to the targeted user. This comes in the form of fake user interfaces that universally claim that the system has been infected.
Interestingly, FAKEAV has also become localized, with the same “tool” being found in multiple languages, as can be seen in the following screenshot:
[10] http://us.trendmicro.com/us/trendwatch/research-and-analysis/whitepapers-and-articles/index.html
[11] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/threatbrief_final.pdf
Vulnerabilities
Vulnerabilities in applications have always been a part of the security landscape, but recent developments towards the Web have made these even more significant. For end users, vulnerabilities have facilitated "drive-by" threats, where all that is necessary to become infected by malware is to visit a website. The website need not be malicious; it may be compromised (via malicious advertisements, or the addition of iframes or JavaScript code). This poses a large problem that is not easy to mitigate.
In addition, servers are coming under increasing fire as well. Assuming well-established server management procedures are in place, vulnerabilities become the best means of trying to execute malware on servers. While this may be more difficult than compromising a single user system, the potential reward is consequently greater as well.
Trend Micro receives information about vulnerabilities both publicly and privately. Private vulnerability information is received both from vendors (such as Microsoft), third-party groups such as TippingPoint's Zero-Day Initiative [12], and from the cybercriminal underground.
The scale of this threat has been documented independently. A paper presented at the Ninth Workshop on the Economics of Information Security delved into the online adult industry, but also profiled whether users were running browsers that contained vulnerable plug-ins. Their study [13] concluded that a staggering 88.28 percent of users were vulnerable, a sobering number by any reckoning.
With these threats in mind, the following looks at key vulnerability statistics related to the first half of 2010. The Trend Micro Threat Encyclopedia [14] includes a Security Advisory section in which details of all covered vulnerabilities can be found.
Vulnerability Statistics
Publicly-known vulnerabilities are commonly referenced by the Common Vulnerabilities and Exposures (CVE) system, which assigns a unique identifier to each vulnerability. In the first half of 2010, a total of 2,552 CVEs were published. This number is slightly below the similar number for the first half of 2009, where a total of 3,086 CVEs were published.
However, it should be noted that this does not mean that the vulnerability threat is lessening. Not all vulnerabilities receive a CVE; many vulnerabilities that are privately reported to vendors are not included in the system.
By vendor, Apple had the most CVEs issued in the first half of the year:
While some vendors receive a significant amount of press attention for vulnerabilities, this chart serves as a reminder that the vulnerability threat is far more multi-pronged than just patching Windows or updating Flash and Acrobat/Reader. In addition, some of the vendors with large numbers of vulnerabilities focus on enterprise software, with correspondingly longer patch cycles that potentially leave users at risk.
In addition, the presentation of vulnerability information to the general public leaves much to be desired. While some vendors present vulnerability information publicly in well-organized bulletins, others do so in a more ad hoc manner or hide the information behind paywalls on their websites. This makes proper threat assessment on the part of users – both enterprise and consumer – much more difficult.
The overall scale of the threat posed by vulnerabilities and exploits is clearly visible when looking at the number of TROJ_PIDIEF malware seen by Trend Micro in the first half of the year. The PIDIEF malware family is specifically made up of malware that arrives as PDF files, which exploit vulnerabilities in the Acrobat family of products. In the first half of the year, a total of 666 new detection names were added to Trend Micro products. Each detection name represents multiple in-the-wild variants, resulting in a total number of new PDF threats numbering into the thousands – in only six months.
[12] http://www.zerodayinitiative.com/
[13] http://weis2010.econinfosec.org/papers/session2/weis2010_wondracek.pdf
[14] http://threatinfo.trendmicro.com/vinfo/default.asp?page=1&sect=SA
[Chart: CVEs published, first half of 2009 vs. first half of 2010]
[Chart: CVEs by vendor, first half of 2010: Apple, Microsoft, Oracle, Adobe, Cisco, IBM, Sun, Mozilla, Linux, HP, Novell, PHP, Apache, Redhat, FreeBSD]
[15] http://us.trendmicro.com/us/trendwatch/core-technologies/index.html
[16] http://us.trendmicro.com/us/home/enterprise/
[17] http://trendmicro.mediaroom.com/index.php?s=43&news_item=830&type=current&year=0
[18] http://us.trendmicro.com/us/home/small-business/
Smart Protection Network
The Trend Micro™ Smart Protection Network™ infrastructure delivers advanced protection from the cloud, blocking threats in real-time before they reach you. By continuously processing the threat intelligence gathered through its extensive global network of honeypots, customers and partners, Trend Micro delivers automatic protection against the latest threats and provides "better together" security, much like an automated neighborhood watch that involves the community in protection of others. Because the threat information gathered is based on the reputation of the communication source, not on the content of the specific communication, the privacy of a customer's personal or business information is always protected.
Trend Micro Smart Protection Network uses patent-pending "in-the-cloud correlation technology" with behaviour analysis to correlate combinations of web, email and file threat activities to determine if they are malicious. By correlating the different components of a threat and continuously updating its threat databases, Trend Micro has the distinct advantage of being able to respond in real time, providing immediate and automatic protection from email, file and Web threats.
Another key component of the Trend Micro Smart Protection Network is integrated Smart Feedback that provides continuous communication between Trend Micro products as well as the company's 24/7 threat research centers and technologies in a two-way update stream. Each new threat identified via a single customer's routine reputation check, for example, automatically updates all of Trend Micro's threat databases around the world, blocking any subsequent customer encounters of a given threat.
Further information and benchmarks for Trend Micro Smart Protection Network can be found in the Core Technologies area of TrendWatch [15].
Solutions and Services
Trend Micro™ Enterprise Security
Trend Micro Enterprise Security is a tightly integrated offering of content security products, services, and solutions that take full advantage of the Trend Micro Smart Protection Network™. Optimized to deliver immediate protection, Trend Micro Enterprise Security also dramatically reduces the cost and complexity of security management.
For further information about Trend Micro Enterprise Security, visit the Enterprise section of trendmicro.com [16].
Trend Micro SecureCloud™
Now available as a Beta release for early adopters of cloud computing [17], Trend Micro SecureCloud is a hosted key-management and data-encryption solution designed to protect and control confidential information that you deploy into public and private cloud-computing environments.
Trend Micro Worry-Free Business Security
Designed specifically to fit the needs of small businesses, Worry-Free Business Security protects your computers wherever they're connected — in the office, at home or on the road. Powered by the Trend Micro Smart Protection Network, threats are detected faster to keep your data safe and your protection constantly updated.
Further details and the benefits of Trend Micro Worry-Free Business Security can be found on the Small Business section of trendmicro.com [18].
Trend Micro Titanium
Combining easy-to-use security with cloud-client technologies, Trend Micro Titanium blocks threats such as infected websites, phishing attacks, viruses and spyware before they can reach a user's computer. State-of-the-art protection for users' data is delivered while ensuring that computer performance is not impacted.
Details of the Trend Micro Titanium product line can be found at www.trendmicro.com/titanium.
Trend Micro Technology and Protection
Advice for Businesses Adopting Cloud Strategies
In March 2010 the Cloud Security Alliance (CSA) published "Top Threats to Cloud Computing V1.0" [19] to help organizations better understand the risks of cloud computing and to consequently make more informed risk management decisions when adopting cloud strategies.
With the right approach and security solutions the public cloud can be just as secure as a typical traditional corporate data centre. We recommend that organizations provide their own layers of security in addition to that which is afforded by cloud providers.
1. Encrypt all sensitive data – the information that is exclusive to, and owned by, your organization. The operating system and applications are less important here – typically in the cloud they are standard images that are simply recycled back to a master image on shutdown. It's the information proprietary to you, or that you have collected from customers and business partners, which you generally have a legal obligation to protect.
2. Ensure that your firewall, IPS, and IDS protect each of your virtual machines separately. Particularly in a public cloud environment the other virtual machines running on the same physical hardware as you should be considered hostile. The firewall at the cloud provider's perimeter can't help you here.
3. Only decrypt your data within that secure container you've established for your virtual machine. Be sure you check for tampering and data-stealing malware before decrypting your data.
4. Make sure that you are in control of the encryption keys – it's your data!
Trend Micro offers two products – Deep Security™ and SecureCloud™ – which when layered together can achieve the four recommendations above and counter the threats identified.
Deep Security is available and already in widespread use, and SecureCloud entered public beta over the summer following successful pilot trials [20].
Advice for Businesses
Use effective solutions to protect your business.
• To protect your company network, deploy solutions that use cloud-based protection. Technology such as the Trend Micro Smart Protection Network combines Internet-based ("in-the-cloud") technologies with lighter-weight clients to help businesses close the infection window and respond in real time before threats can even reach a user's PC or compromise an entire network. By checking URLs, emails, and files against continuously updated and correlated threat databases in the cloud, customers always have immediate access to the latest protection wherever they connect.
• Phishing poses a significant threat for organizations. Phishing sites can compromise your brand and/or your company's image as well as your ability to keep your customers' confidence while conducting business over the Internet. Protect your employees and customers by procuring all brand-related and look-alike domain names.
• Stay ahead of the threats by reading security-related blogs and related information pages (i.e., Threat Encyclopedia [21], Cloud Security Blog [22], TrendLabs Malware Blog [23] and social networks such as Twitter [24]) which can help warn and educate users who might otherwise be drawn to websites under false pretenses.
• Educate your employees about how cybercriminals lure victims to their schemes; make use of threat information provided on security vendor sites like TrendWatch.
• Try downloading tools such as the Trend Micro Threat Widget to help raise awareness.
[19] http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
[20] http://trendmicro.mediaroom.com/index.php?s=43&news_item=830&type=current&year=0
[21] http://threatinfo.trendmicro.com/vinfo/default.asp?sect=SA
[22] http://cloudsecurity.trendmicro.com/
[23] http://blog.trendmicro.com
[24] http://twitter.com/trendmicro
Safeguard your customers’ interests.
• Standardize company communications and let your customers know about your email and website policies. This way, you can help your customers better identify legitimate messages.
Avoid sending "phishy"-looking email messages by following these guidelines:
  • Do not request personal information through email.
  • Personalize email when possible.
  • Do not redirect to another domain from the URL provided to customers.
  • Do not rely on pop-up windows for data collection, especially those with no address bars or navigational elements.
  • Do not use instant messaging or chat with customers unless they initiate the communication.
  • Be explicit in the detail of communications that require the immediate action or attention of recipients.
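An added example, not part of the report: a small pre-send linter that applies three of the guidelines above (no requests for personal information, no links off your own domain, no link text whose displayed URL differs from the real target) to an outbound HTML message. The domain names, the sample message and the phrase list are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not from the report: pre-send linter for outbound customer email that
# flags the "phishy" traits listed above. Domains, sample text and phrase list are constructed.

# Coarse on purpose: any mention is surfaced for human review
# ("do not request personal information through email").
PERSONAL_INFO_RE = re.compile(
    r"\b(password|pin|social security|account number|card number|cvv|date of birth)\b",
    re.IGNORECASE)
# Anchor text that itself looks like a URL must agree with the real href.
URL_LIKE_TEXT_RE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(url):
    """Lower-cased hostname of a URL, tolerating bare 'www.example.com/path' text."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _owned(host, org_domains):
    return any(host == d or host.endswith("." + d) for d in org_domains)


def lint_outbound_email(html, org_domains):
    """Return (rule, detail) findings; an empty list means no phishy trait was found."""
    org_domains = [d.lower() for d in org_domains]
    findings = []
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = _hostname(href)
        if not _owned(host, org_domains):
            # "Do not redirect to another domain from the URL provided to customers."
            findings.append(("off-domain-link", href))
        if URL_LIKE_TEXT_RE.match(text) and _hostname(text) != host:
            # Displayed URL differs from the real target: the classic look-alike trick.
            findings.append(("mismatched-link-text", f"{text} -> {href}"))
    plain_text = re.sub(r"<[^>]+>", " ", html)
    hit = PERSONAL_INFO_RE.search(plain_text)
    if hit:
        findings.append(("requests-personal-info", hit.group(0)))
    return findings


# Constructed sample message; example-bank.com stands in for the sender's own domain.
SAMPLE_EMAIL = (
    '<p>Dear customer, please confirm your password at '
    '<a href="http://example-bank-login.com/verify">https://www.example-bank.com/verify</a> '
    'or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>')

if __name__ == "__main__":
    for rule, detail in lint_outbound_email(SAMPLE_EMAIL, ["example-bank.com"]):
        print(f"{rule}: {detail}")
```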
Establish and implement effective IT usage guidelines.
• Just as you would never leave your front door unlocked when you are not home, you must take the same precautions with your computer system to make sure your business is protected. Protecting your business requires you to educate yourself and your employees about safe cybersecurity practices. A comprehensive set of IT usage guidelines should focus on the following:
  • Prevention. Identify solutions, policies, and procedures to reduce the risk of attacks.
  • Resolution. In the event of a computer security breach, you should have plans and procedures in place to determine what resources you will use to remedy a threat.
  • Restitution. Be prepared to address the repercussions of a security threat with your employees and customers to ensure that any loss of trust or business is minimal and short-lived.
Top Tips for End Users
Keep your personal computer current with the latest software updates and patches.
• Apply the latest security updates and patches to your software programs and OSs and enable automatic updates where possible. Since cybercriminals typically take advantage of flaws in the software to plant malware on your PC, keeping your software current will minimize your exposure to vulnerabilities.
Protect yourself and your personal computer.
• If you receive an email requesting personal or confidential information, do not respond or provide this information via links or phone numbers in the email. Legitimate organizations such as credit card companies and banks will never request this information via email.
• Beware of unexpected or strange-looking emails and instant messages (IMs) regardless of sender. Never open attachments or click links in these emails and IMs. If you trust the sender, scan the attachments before opening. Never provide personal information in your email or IM responses.
• Regularly check your bank, credit, and debit card statements to ensure that all transactions are legitimate.
• Beware of Web pages requiring software installation. Scan programs before executing them. Always read the end-user license agreement (EULA) and cancel if you notice other programs being downloaded in conjunction with the desired program.
• Do not provide personal information to unsolicited requests for information.
• If it sounds too good to be true, it probably is. If you suspect an email is spam, delete it immediately. Reject all IMs from people whom you do not know.
• When shopping, banking, or making other transactions online, make sure the website address contains an s as in https://www.bank.com. You should also see a lock icon in the lower right area of your Web browser.
Choose secure passwords.
• Use a combination of letters, numbers, and symbols and avoid using your first and last names as your login name.
• Avoid using the same password for all your login needs. Do not use the same password for your banking site that you use for your social networking sites.
• Change your password every few months.
About TrendLabs
TrendLabs is a multinational research, development, and support center with an extensive regional presence committed to 24/7 threat surveillance, attack prevention, and timely and seamless solutions delivery.
With a more than 1,000-strong staff of threat experts and support engineers deployed round-the-clock at labs around the globe, TrendLabs enables Trend Micro to:
• Continuously monitor the threat landscape across the globe
• Deliver real-time data to detect, preempt, and eliminate threats
• Research and analyze technologies to combat new threats
• Respond in real-time to targeted threats
• Help customers worldwide minimize damages, reduce costs, and ensure business continuity
TrendLabs has facilities in the following 12 locations:
• Manila, Philippines (HQ)
• Arlington, TX, USA
• Cupertino, CA, USA
• Lake Forest, CA, USA
• Shanghai, China
• Sao Paulo, Brazil
• Cork, Ireland
• Paris, France
• Tokyo, Japan
• Taipei, Taiwan
• Marlow, United Kingdom
• Munich, Germany
Note that these facilities can perform all or part of critical Trend Micro services such as technical support, malware analysis and solutions delivery.
TrendLabs Locations
About Trend Micro:
Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing integrated threat management technology to protect operational continuity, personal information, and property from malware, spam, data leaks and the newest Web threats. Visit TrendWatch at www.trendmicro.com/go/trendwatch to learn more about the latest threats.
Trend Micro's flexible solutions, available in multiple form factors, are supported 24/7 by threat intelligence experts around the globe. Many of these solutions are powered by the Trend Micro™ Smart Protection Network™ infrastructure, a next-generation cloud-client innovation that combines sophisticated cloud-based reputation technology, feedback loops, and the expertise of TrendLabs(SM) researchers to deliver real-time protection from emerging threats. A transnational company, with headquarters in Tokyo, Trend Micro's trusted security solutions are sold through its business partners worldwide. Please visit www.trendmicro.com.