I had an interesting email today from ScanSafe, who detailed the prevalent threats from each of the last ten years.
You could argue that cyber threats became more prevalent in 2000 with the iloveyou worm, but it is also interesting to see how threats have evolved too. Mary Landesman, senior security researcher at ScanSafe, listed the threats by year as follows;
1. 2001: Loveletter steals free internet access
Modern malware is commercially motivated – instead of writing malware for ego gratification, today's attackers are using malware to make money. The Loveletter worm combined social engineering (love letter for you) with a password-stealing Trojan designed to harvest ISP usernames and passwords. The intent: to provide free Internet access to the worm's author.
2. 2002: JS/Exception bombs usher in malicious marketing
In mid-September 2001, the Nimda worm began its rapid spread around the globe, facilitated by multiple means of propagation. One of the methods included modifying any .htm, .html, or .asp pages found on infected systems. The worm also spread by exploiting several vulnerabilities in Microsoft IIS, furthering the worm's ability to infect web pages. As such, Nimda can be viewed as a pioneer in malware's eventual move to the web.
3. 2003: Sobig worm popularises spam proxy Trojans
January 2003 ushered in the Sobig worm, a significant threat not fully appreciated until Sobig.E and Sobig.F appeared in the summer of that same year. Sobig-infected computers were outfitted with a spam proxy, enabling mass-mailers to send large volumes of unwanted email via victim computers –even harvesting the victims own email contacts to add to the spammers' mailing lists.
4. 2004: Bagle worm vies for dominance to harvest addresses and account information
The monetary gains to be had from harvesting email addresses became even more apparent during the subsequent email worm wars in early 2004. Beginning with MyDoom and the Bagle worm, an interloper (Netsky) quickly jumped into the fray. The authors of Bagle then began coding variants of their worm that, in addition to dropping their own malware, would also remove Netsky. In turn, the Netsky author began neutering the MyDoom/Bagle infections while adding his own malicious code to the system. This prompted a response from the Bagle authors; hidden in Bagle.K's code was the message, “Hey Netsky, f*ck off you b*tch, don't ruin our business, wanna start a war?”
5. 2005: Bot-delivering breaking news alerts
Following the worm wars, named threats became fewer as attacks became more overtly criminal and profit motivated. To bypass technology, clever attackers began incorporating a much higher degree of social engineering in their attacks. In January 2005, following the previous month's tsunami in the Indian ocean, scammers began targeting people's fear and curiosity through breaking news alerts. Links in the email that claimed to point to headline news actually pointed to malicious malware that turned victim computers into bots.
6. 2006: The as-yet-unnamed Storm worm emerges
By 2006, the Storm botnet was formally underway, though not named as such until January 2007, after a bogus breaking news alert claimed “230 dead as storm batters Europe”. Coincidental to the alert, a very real storm in Europe did cause loss of life, thus earning the Trojan family (and its associated botnet) its new name, Storm.
7. 2007: MPack publicity popularises exploit frameworks
In 2007, publicity around MPack led to heightened adoption of exploit frameworks in general, laying the groundwork for managed web attacks. The release of free or low cost SQL injection tools in autumn of 2007.
8. 2008: Goolag and automated injection attacks complete cloud-based malware-as-a-service
In 2008, remote discovery tools such as Goolag further cemented cloud-based malware delivery via the web. These attacks quickly proved profitable and shifted the value proposition from spam and malicious marketing to stolen FTP credentials and intellectual/financial property theft. Cloud-based distribution of malware also increased the sophistication of malware creation kits, thus doubling the volume of malware with exponential year-over-year increases
9. 2009: Gumblar incorporates and expands a decade's evolution of malware
The 2009 Gumblar attacks can be viewed as the culmination of a decade's evolution of criminal/profit-motivated malware. Gumblar creates two sets of botnets: client-side traditional backdoors and a second, never before seen botnet compromised of thousands of backdoored websites. Gumblar includes a forced redirect revenue stream for the Gumblar creators thus providing instant monetisation, as well as long term potential profits via its ability to intercept, tamper with and steal internet and network communications. Gumblar also includes the ultimate in social engineering – turning perfectly good, reputable websites against their visitors.
10. 2010: ?If the poorly coded and fairly innocuous Loveletter ushered in the beginning of the decade, and the highly sophisticated, multi-pronged Gumblar is ending the decade, one can only wonder – and worry – at what the next ten years may bring.