News

2011 review: CNI targeted, spam down, botnets up

08 February 2012

Malicious spam grows, Blackhole dominates and critical national infrastructures are targeted, says M86 in its latest report.

In its review of the latter half of 2011, M86 Labs notes that although spam is at its lowest level for several years, the amount of spam containing malicious attachments rose from less than 1% to around 5%. The volume of inbound spam dropped from around 90% of all inbound emails in September 2010 to 70% in December 2011, but it “still makes up a major percentage of total inbound email and is increasingly malicious,” says the report. Major disruptions during 2011 to botnets such as Kelihos, Mega-D and Rustock are suggested reasons for the decline. Today, 90% of all spam comes from just eight well-known and established botnets. “Later in the year,” says the report, “the focus shifted from malicious attachments to malicious links that led to exploit kits, in particular, the Blackhole exploit kit.” The report illustrates this with the August Facebook campaign “that led to a fake Facebook login page, and ultimately to the Blackhole exploit kit and a Zbot Trojan.”

Blackhole is now by far the dominant exploit kit, possibly because it is updated frequently to take advantage of newly disclosed vulnerabilities. “For example,” notes M86, “the vulnerability, CVE-2011-3544 Oracle Java Applet Rhino Script Engine Remote Code Execution, a zero-day that was published at the end of November, was exploited a few days later in the wild by the Blackhole exploit kit.” More than 95% of all discovered malicious URLs involved with exploit kits use Blackhole, and more than half of the currently most exploited vulnerabilities can be found within it.

Almost half of the world’s malicious web content is hosted on servers in the United States (49.2%). Russia comes second with just 6%. But Russia seems to be the home of Blackhole, and certainly new versions are first deployed in Russia and Eastern Europe. Older versions of Blackhole dominate, perhaps because they have been leaked in public and private forums and criminals “who don’t wish to pay for the exploit kit, prefer using a free old variant.”

One of the most disturbing developments of 2011 has been the widening scope of attacks. “Targeted attacks became sophisticated and pursued a wider range of organizations, including commercial, national critical infrastructure and military targets,” states the report. One of the new attack vectors that emerged during this period was the use of fraudulently issued digital certificates. DigiNotar’s intrusion resulted in the “fraudulent issuance of hundreds of digital certificates for a number of domains, including Google, Yahoo!, Facebook, and even for some intelligence agencies, such as the CIA, the British MI6 and the Israeli Mossad.”

Direct attacks against governments and national infrastructures have also increased. M86 quotes two examples: a virus with a keylogger that infiltrated the computers controlling the US drone fleet, and the alleged attack on Springfield’s water supply (later denied by the Department of Homeland Security). It is time to reconsider, suggests M86, “whether certain systems do actually need to be connected to the Internet. Yes, there are benefits, but do those outweigh the security concerns and can those concerns be mitigated?”

This article is featured in:
Internet and Network Security • Malware and Hardware Security • Public Sector
