2011 review: CNI targeted, spam down, botnets up

In its review of the latter half of 2011, M86 Labs notes that although spam is at its lowest level for several years, the amount of spam containing malicious attachments rose from less than 1% to around 5%. The volume of inbound spam dropped from around 90% of all inbound emails in September 2010 to 70% in December 2011, but it “still makes up a major percentage of total inbound email and is increasingly malicious,” says the report. Major disruptions during 2011 to botnets such as Kelihos, Mega-D and Rustock are suggested reasons for the decline. Today, 90% of all spam comes from just eight well-known and established botnets. “Later in the year,” says the report, “the focus shifted from malicious attachments to malicious links that led to exploit kits, in particular, the Blackhole exploit kit.” The report illustrates this with the August Facebook campaign “that led to a fake Facebook login page, and ultimately to the Blackhole exploit kit and a Zbot Trojan.”

Blackhole is now by far the dominant exploit kit, possibly because of its ability to frequently update in order to take advantage of new vulnerabilities. “For example,” notes M86, “the vulnerability, CVE-2011-3544 Oracle Java Applet Rhino Script Engine Remote Code Execution, a zero-day that was published at the end of November, was exploited a few days later in the wild by the Blackhole exploit kit.” More than 95% of all discovered malicious URLs involved with exploit kits use Blackhole; and more than half of the currently most exploited vulnerabilities can be found within it.

Almost half of the world’s malicious web content is hosted on servers in the United States (49.2%). Russia comes second with just 6%. But Russia seems to be the home of Blackhole, and certainly new versions are first deployed in Russia and Eastern Europe. Older versions of Blackhole dominate, perhaps because they have been leaked in public and private forums and criminals “who don’t wish to pay for the exploit kit, prefer using a free old variant.”

One of the most disturbing developments of 2011 has been the widening scope of attacks. “Targeted attacks became sophisticated and pursued a wider range of organizations, including commercial, national critical infrastructure and military targets,” states the report. One of the new routes that emerged during this period was the use of fraudulent digital certificates. DigiNotar’s intrusion resulted in the “fraudulent issuance of hundreds of digital certificates for a number of domains, including Google, Yahoo!, Facebook, and even for some intelligence agencies, such as the CIA, the British MI6 and the Israeli Mossad.”

Direct attacks against governments and national infrastructures have also increased. M86 quotes two examples: a virus with a keylogger that infiltrated the computers controlling the US Drone Fleet, and the alleged attack on Springfield’s water supply (later denied by the Department for Homeland Security). It is time to reconsider, suggests M86, “whether certain systems do actually need to be connected to the Internet. Yes, there are benefits, but do those outweigh the security concerns and can those concerns be mitigated?”