Cisco Systems Inc. presented its first-ever Cybercrime Showcase awards as part of its 2009 Annual Security Report, released Tuesday.
Zeus: the most audacious criminal operation
Designed for information stealing and specializing in online banking fraud, Zeus is a shrink-wrapped piece of malware that any criminal is able to buy, explained Henry Stern, senior security researcher at Cisco. Some vendors are selling it as service for about $700 a month, he said.
“We’ve decided it was the most audacious because of how prominent and just how active people have been with selling this software. There are a large number of gangs that are all using the same piece of software,” he said.
The top five U.S. banks have each been targeted by over 500 Zeus botnets, according to Cisco, which also estimates 1.6 million bots in Zeus botnets.
Zeus has also targeted 1,130 brands, noted Scott Olechowski, security research manager at Cisco, during a Webcast discussing the results of Cisco’s 40-page report. Custom screen injection code, which requests additional authentication information from users, has been written for these sites, he said.
Koobface: the most notable criminal innovation
Koobface is a piece of malware that takes over a user’s social networking account, explained Stern. “As soon as you get infected, it will send messages to all of your friends and it will try to lure them into becoming infected as well,” he said.
People are more vulnerable to Koobface than previous lures mimicking e-mails from organizations or strangers because the messages seem to come from friends they already trust, he explained. “The click-through rates are quite high,” he said.
The messages contain links sending users to Web pages resembling YouTube or other social networking sites. “It looks like you are at the actual site but it claims that your Web browser is broken and you need install an update and it does it in a way that users are accustomed to seeing, which makes it successful,” said Stern.
“They are masters of social engineering,” he said.
Koobface spells Facebook backwards, but its attacks include Twitter, MySpace and Google Reader, Stern pointed out. One of the reasons Koobface won the innovation award is because it has infected all the major social networking sites, he said.
“They’ve attacked everything … with the same technique and they’ve monetized on it in the same way that many other criminal organizations have been doing by selling fake anti-virus software that claims you are infected when you are really not,” said Stern.
Koobface was first detected as worm on social networking sites in 2008 and estimates indicate that almost three million computers have been infected, according to Cisco’s report.
Threats from both Zeus and Koobface are currently getting worse, according to Stern.
Conficker Working Group: the sign of hope
The Conficker Working Group, a multi-vendor group formed in February 2009, won Cisco’s cybercrime sign of hope award. “As far as Conficker goes, the Working Group did an outstanding job of controlling what could have been the greatest threat the Internet has ever faced,” said Stern.
The group made sure to close all of the doors to make it more difficult for the Conficker gang to actually send commands and control all of the machines they had just recently infected, he said. They also made it impossible for those who controlled Conficker to monetize the botnet, he said.
While Conficker seemed to fizzle because nothing actually happened on April 1st, the Conficker Working Group was largely responsible for why nothing happened, according to Stern.
Conficker is “thankfully on the way out,” he said. This is partly due to being eclipsed by other threats, the fact that the vulnerability it had been exploiting is now a year old, cleaning up existing infections and enough people updating their machines to keep Conficker out, he said.
The number of computers on the Internet that are infected remains somewhat steady, said Greg Aaron, director of security for Afilias Ltd., one of the founding members of the Conficker Working Group and responsible for the protection of 11 top-level domains.
According to Aaron, there hasn't been any activity by the master of Conficker and its botnet for many months. “The good news is while there are still lots of infected machines out there – several million – they are not being used to perpetrate any malicious activity,” he said.
However, while Conficker is currently in a dormant state, it could still be used in the future, Aaron pointed out. “We have to remain vigilant and the members have been discussing continuing their efforts into 2010,” he said.
As a member of the Working Group,
Afilias is pleased with the win. “Learning … is very important and should something come up like this again, we and the other members are going to use that learning to combat the next problems that may arise like this,” said Aaron.
Coming up: How enterprises can put up a good fight and what IT needs to do to prepare for threats in 2010
Follow me on Twitter @jenniferkavur.