The document discusses how social engineering attacks target users through deception. It notes that while anti-virus software cannot fully stop the spread of malware, educating users could help. However, user education is rarely attempted, especially with senior executives who are often prime targets. The document also discusses how social media sites can be useful but also pose risks if users accept friend requests from strangers, as this enables scammers to target more people through deception.

1. A NNUAL GLO B A L THR E A T
R EPORT 2009
THE WORLD’S LARGEST SECURITY ANALYSIS OF
REAL-WORLD WEB TRAFFIC
PAGE 1

2. F O R E WORD
There’s an old saying that says“familiarity breeds contempt.” Our goal is to help dispel the misconceptions and subsequent
Perceived familarity can have an equally detrimental effect - complacency that arise due to perceived familiarity with malware
lulling us into a false sense of complacency and blinding us to as merely a system-disrupting scourge. To fully combat today’s
reality. threats, we must recognize its 21st century purpose – criminal
data and asset-targeting designed to achieve global economic
For many years there have been dire sounding warnings that advantage.
cyberwar is looming somewhere on the horizon. Many have
scoffed at those predictions; others have approached the topic - Mary Landesman, Senior Security Researcher, ScanSafe STAT
with academic and even military interest. But what many have
failed to realize is that cyberwar is already here and the battle
is already being waged. At the frontlines are corporate assets:
intellectual property, research, schematics, sensitive proprietary
data, and confidential customer and employee information.
Modern malware is merely a tool – and only one of many – used
by cybercriminals to carry out their attacks. To approach today’s
security challenges as a malware problem is to completely miss
the bigger picture – it is a criminally run sophisticated e-business
network intent on gathering intellectual and corporate assets. It
is not simply a malware problem per se; it is a large scale cyber-
espionage assault and all countries are being adversely impacted.
In the 2009 ScanSafe Annual Global Threat Report, we intend to
highlight some of the business practices that drive cybercrime,
explore some of the human aspects that fuel many of these
attacks, and present data that demonstrates the continued use
of the Web as the attack vehicle.
PAGE 2

3. KEY HIGHLIGHT S
Malicious PDF files comprised 56% of Web-
encountered exploits in 1Q09, growing to 80% of all
exploits by 4Q09; Flash exploits encountered via the
Web dropped from 40% in 1Q09 to 18% in 4Q09;
Web-encountered exploits in Word and
Excel comprised less than 1% of all detected
exploits for the year;
Malicious image files comprised 10% of all Web
malware encountered in 2009;
The Gumblar attacks were the single largest at
14% of all Web malware blocks in 2009;
Compromises and malware encounters resulting
from the Asprox and Zeus botnets comprised 2%
and 1% of Web malware blocks, respectively;
45% of all Web malware encounters in 2009
were with exploits and iframes indicative of
compromised websites;
Energy & Oil experienced an encounter rate 356%
higher than normal for data theft trojans;
Companies in the Pharmaceutical & Chemical
sector experienced a 322% heightened rate of
encounter with data theft trojans;
Other sectors experiencing higher than average
exposure to data theft trojans included Government
at 252% higher and the Banking & Finance sector at
204% higher;
Attacks continue to increase. A representative
customer encountered 77 compromised
websites in May 2007, compared to 1024 in
May 2009. Direct encounters with data theft
Trojans increased from 0 in May 2007 to 307 in
May 2009.
PAGE 3

4. C O N TENTS
Foreword 2
Key Highlights 3
Contents 4
Why this Report 5
Introduction 6
The Business of Malware 8
The Sole Proprietor
The Middleman
The Developer
The Buyer
Targeting the Attack 12
Promiscuous Friending
Exploiting the Wild Wild Web 14
Adobe a Target
The Office Space
Malicious Image Files
Building a Better Botnet 17
Gumblar
Asprox
Zeus
Malware Categories 20
Outbreak Intelligence
One Company’s Experience 22
The Vertical Threat 23
A Decade of Deception 24
Executive Summary 26
Glossary 27
About ScanSafe 28
PAGE 4

5. WHY THIS REPO R T
The ScanSafe Global Threat Report is
an analysis of more than a trillion Web
requests processed in 2009 by the
ScanSafe Threat Center on behalf of
the company’s corporate clients in over
80 countries across five continents.
Our leading position of providing
security in-the-cloud provides
unparalleled insight in the real-world
Web threats faced by the today’s
enterprise; this report represents the
world’s largest security analysis of real-
world Web traffic.
The ScanSafe Global Threat Report
provides a view of the threats which
businesses actually face, rather than
those experienced in labs or other
artificial environments. Our data is
gathered from real-time analysis
by our proprietary threat detection
technology, Outbreak Intelligence™, of
every single Web request processed by
ScanSafe in 2009.
This approach differs to traditional
methods of gathering information
on Web-based threats, such as those
methods afforded by distributed
‘honeypot’ networks. The artificial and
contrived nature of honeypots, Web
crawling, or similar technologies can
lead to a skewed vision of the Web
threat landscape which does not reflect
actual user experience.
By using the analysis data generated by
Outbreak Intelligence™ in the course
of protecting our customers, ScanSafe
can report on the threats that our users
would have been exposed to had they
not been using our security service.
Our leading position of providing security
in-the-cloud provides unparalleled insight
in the real-world Web threats faced by the
today’s enterprise; this report represents
the world’s largest security analysis of
real-world Web traffic.
PAGE 5

6. I N TR ODUCTION
“… the stolen data included e-mail
passwords, messages, and other
information tied to executives with access
to proprietary exploration and discovery
information.”
PAGE 6

7. INTRODUCTI O N
Sometime in mid-December 2009, This is not to say the malware was easily The heightened risk of data theft Trojan
search engine giant Google discovered detectable. But today, no malware is encounters continued throughout 2009;
a breach of their network which had easily detectable. On average, even given Energy & Oil experienced an encounter
subsequently led to the loss of sensitive four possible points of detection (the rate 356% higher than the rate for all
intellectual property. The origin of email, the website, the exploit and the customers combined.
the breach: an email containing a dropper), the miss rate with traditional
link that pointed to a hostile website. signature scanners is near 40%. Unlike Google and Adobe, the
The resulting compromise enabled energy companies alleged to have
attackers to see inside Google’s Pre-dating the Google/Adobe been breached did not confess to
network and, eventually, to target announced attacks were targeted the compromise. Indeed, few victim
specific resources that enabled the attacks on energy and oil companies in companies choose to self report. Instead,
theft of sensitive intellectual property. late 2008 and early 2009. Those attacks the breaches that get acknowledged
went undisclosed until a January 2010 publicly are generally only those which
During the course of their investigation, investigation by The Christian Science involve theft of consumer or employee
Google discovered more than 20 other Monitor1 revealed details. According data – and only then because the laws
high-profile companies had been to that report, the stolen data “included require it. This selective disclosure fuels
similarly breached, including Adobe. e-mail passwords, messages, and other the misconception that cybercriminals
Eventual statements from Google and information tied to executives with are only intent on stealing data intended
Adobe described the attacks as highly access to proprietary exploration and for credit card fraud and identity theft.
targeted and highly sophisticated. discovery information.” In reality, cybercriminals are casting a
Yet for anyone monitoring the state much wider net.
of cybercrime today, the methods Neither the report of those attacks nor
employed were routine and the malware the sensitivity of the data targeted was
actions predictable. Indeed, components a surprise to ScanSafe. In November
dropped in Hydraq.A, the malware 2008 we published the ScanSafe Vertical
described as used in those attacks, were Risk Assessment2 which analyzed
components that have been found in Web malware data to determine the
other malware for the past two years – risk posture of 21 industry verticals.
even contained in far more mundane Our analysis revealed that not only
scareware programs. was Energy & Oil most at risk, but that
particular vertical’s rate of exposure to
new variants of data theft Trojans was
four times the average for all verticals
combined.
The heightened risk of data theft Trojan
encounters continued throughout 2009;
Energy & Oil experienced an encounter
rate 356% higher than the rate for all
customers combined.
http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved
1
http://www.scansafe.com/downloads/whitepapers/ScanSafe_STAT_Vertical_Risk_Assessment.pdf
2
PAGE 7

8. TH E B USINESS OF MALWARE
To attempt to describe the business The Sole Proprietor
structure behind cybercrime is not
unlike trying to describe the business These more independent criminals
structure behind any other global broker in stolen credit cards, phished
economy. It is, in fact, well beyond the banking credentials, and similar
scope and size of this report to attempt consumer-focused data theft transfers.
to do it justice (no pun intended). These crimes tend to be less sophisticated
Instead, we will be forced to highlight and thus have a lower barrier to entry. As
only a few of the tactics used, in the the laws of economics would suggest,
hopes of helping readers understand this often leads to supplies being larger
the broadness of the methods than demand, driving prices of the
employed. (For a more complete stolen credentials downward. As with
discussion, download the ScanSafe traditional legitimate online commerce,
whitepaper, “Web 2.0wned: A History stolen credentials come from across the
of Malware on the Web” 3). globe and the sellers have their own
eBay-style ratings systems to verify their
‘trustworthiness’ to buyers.
Figure 1
3
http://www.scansafe.com/downloads/whitepapers/A_History_of_Malware_on_the_Web.pdf
PAGE 8

9. THE BUSINESS OF MALWA R E
The Middleman And as would any other software maker,
the exploit kit writers fully describe
Just as there are trucking companies that what’s included in their offering.
ship goods between a buyer and seller,
there are cybercriminals that specialize Offer additional reasons to buy their
in delivering exploit kits that join the product (Figure 3).
attacker and victim. Consolidation
even occurs as it often does among And offer support services free of charge
partners in any other business, as we see (Figure 4).
advertised in Figure 2.
The cost for this exploit kit: a mere one
hundred US dollars.
Figure 2
Figure 3
Figure 4
Figure 5
PAGE 9

10. TH E B USINESS OF MALWARE
The Developer on remote computer. So it can cause of services he and other cybercriminals
unwanted results. Now we have a special provide. But industrial espionage isn’t just
Malware authors typically employ a offer for you, don’t you want to have an a cross-border problem; competitors can
reseller to peddle the malware on behalf undedected copy of Turkojan Private also buy the services of cybercriminals to
of the author – presumably in exchange Edition?” gain intel on product pricing strategies
for commission. In Figure 6, we see and proprietary development data.
member “jboyz” reselling the latest (at Available for purchase from the authors’
the time) private version of the Zeus website are three versions: bronze, gold, In some cases, the buyer may contract
banking Trojan for a minimum $6,000. and silver – each subsequent upgrade directly with the malware developer.
Additional features are extra, total cost offers successively extended periods In January 2009, Heartland Payment
for the full blown package is triple the during which the product is guaranteed Systems publicly announced a malware
amount. to be undectable by scanners or replaced breach of their internal systems had
free of charge. resulted in large scale theft of credit
It’s worth noting that while Zeus is card transactions processed on behalf
typically considered a banking Trojan, of their merchant customers. It was later
capabilities enable it to steal whatever The Buyer divulged that the malware used in those
data the attacker wishes to target, as well attacks was custom-created specifically
as sniffing and retrieving FTP and POP3 The sole proprietor, middleman, and for the Heartland heist.
credentials and capturing HTTP / HTTPS developer all have something to gain
traffic. by publicly advertising their offerings. In summary, there is no common
Conversely, there will be no such public denominator that defines the buyer –
Developers and their resellers may also displays from the buyer, particularly who they are and what data they are
take a more professional approach to those criminals engaged in hardcore after is left only to their own imagination
selling. To entice their customers to cyber-espionage such as the attacks – and their ability to pay. But one thing
move from free to fee versions of their leveraged against Google, Adobe, oil is certain, today’s malware is highly
software, the developers of the Turkojan companies, and multiple other firms customizable; once planted within the
keylogger family ask: over the past year. enterprise, this digital insider threat is
able to operate silently and efficiently
“Anti-virus and anti-spyware software In “Hacking for Fun and Profit in China’s to siphon the most sensitive assets from
label Turkojan Public Edition as Underworld,” a Chinese cybercriminal that corporation.
potentially unwanted programs and identified only as “Majia”4 admits that
sometimes they can remove them government and military agencies are
or prevent installing Turkojan server among those who contract for the types
Available for purchase from the authors’
website are three versions: bronze, gold,
and silver – each subsequent upgrade offers
successively extended periods during which
the product is guaranteed to be undectable by
scanners or replaced free of charge.
4
http://www.nytimes.com/2010/02/02/business/global/02hacker.html?pagewanted=1&hp
PAGE 10

11. THE BUSINESS OF MALWA R E
Figure 6
Figure 7
PAGE 11

12. TA R G ETING THE ATTACK
PAGE 12

13. TARGETING THE ATTA C K
Whether targeted to a specific individual Anti-Virus Cannot Stop the Spread of was there’s no real way (save offline
or sent to a broad generic audience, Email Worms,” the researchers warned, verification) to ensure that the person
social engineering attacks are designed “As long as there are users who can be on the other end of the ‘wire’ is really the
to trick the user into taking some action fooled, malware will continue to plague person you think they are. The problem
that will prove harmful to themselves or us.” Their advice: either get rid of the gets exponentially worse when dealing
others. The range of social engineering users or help them to avoid getting with promiscuous frienders who will
scams is broad: money laundering fooled. accept any friend request, even from
schemes disguised as help wanted ads, persons they only vaguely know and
bogus notices from spoofed authorities Despite that still timely advice, user often from complete strangers.
such as the FBI or IRS, advance fee fraud education is typically never attempted
schemes masquerading as death benefit and certainly almost never with the most Social networking sites can be a useful
notices, breaking news alerts that link to highly positioned senior executives. Yet tool for keeping abreast of events in
malicious websites – the list goes on. these executives are the biggest – and friends, family, or colleagues lives,
often easiest – targets. Thanks to press whether personally or professionally. It
The more targeted social engineering releases, social networking sites, silo- can also be a useful tool for networking
attacks can cause huge headaches style sites that collate information on with associates met at business
for corporations. Instead of figuring public personalities, and search engines, conferences or with whom you otherwise
out a way to break through the finding enough information to compose don’t have day-to-day contact. But to
perimeter defenses, attackers are able a reasonably personalized targeted be used safely, any correspondence
to entice innocent inside employees to attack email has never been easier. sent via the network should be treated
unwittingly grant them entry. A frequent as cautiously as any traditional email
target – highly placed executives would – that means, don’t divulge
with knowledge and access to the Promiscuous Friending confidential information, don’t click links
corporation’s most sensitive data assets. in any unsolicited message received
Back in the day when MySpace was first unexpectedly and never agree to install
The approach that allegedly tripped up introduced, many worried about who anything resulting from a link received in
oil execs and led to those networks being would protect the kids from online con an unsolicited message.
infiltrated was a simple email claiming artists and criminals. Maybe we should
to be a discussion of the “Economic be asking ourselves who will protect the The social networking sites are designed
Stabilization Act.” As with Google, Adobe, adults. to make it easy to network. This ease
and so many other victim companies, means it’s equally easy for scammers to
that email contained a link to a booby- At the Vegas BlackHat conference in set up shop. Don’t assume that because
trapped website which foisted exploits August ‘08, researchers Shawn Moyer it happens on a social networking site,
onto any visitor that clicked through. and Nathan Hamiel presented “Satan that it must be safe. Quite the opposite is
is On My Friends List: Attacking Social true. Offline, trust your real life friends to
In May 2000, researchers for Interhack Networks.” Part of that demonstration have your back. But online, trust no one.
Corporation published advice on email- focused on how trivially easy it was to
borne threats that is as true today as it spoof the profiles of well known people
was ten years ago. In summarizing “Why in the security industry. The point made
Instead of figuring out a way to break through the
perimeter defenses, attackers are able to entice
innocent inside employees to unwittingly grant
them entry. A frequent target – highly placed
executives with knowledge and access to the
corporation’s most sensitive data assets.
http://www.interhack.net/pubs/email-trojan/
5
PAGE 13

14. E X P L OITING THE WILD WILD WEB
PAGE 14

15. EXPLOITING THE WILD WILD W E B
The vast majority of modern malware As seen in figures 8 and 9, malicious PDF recent surges in Adobe vulnerabilities
encounters occur with exposure files comprised 56% of exploits in 1Q09, has become of concern to many officials,
to compromised websites, which growing to 80% of all exploits by 4Q09. prompting an unprecedented warning
attackers outfit with hidden malicious Conversely, Flash exploits dropped from from Stephen Northcutt, president of
iframes or external javascript source 40% in 1Q09 to 18% in 4Q09. This trend is the SANS Technology Institute. In the
references. Typically, attackers use likely indicative of attackers’ preference August 4, 2009 issue of SANS Newsbytes,
multiple layers of compromised or for PDF exploit, probably due to a Northcutt warned: “I think organizations
malicious websites in a single attack, combination of increasing availability should avoid Adobe if possible. Adobe
thus the initially encountered (but of vulnerabilities in Adobe Reader and security appears to be out of control, and
unseen) iframe may silently cycle Adobe Acrobat and the continued using their products seems to put your
through two, three, or even more widespread use and acceptance of organization at risk. Try to minimize your
iframes and source reference hosts PDF files in both the workplace and attack surface. Limit the use of Adobe
before the final exploits or malicious consumer sectors. products where you can.”
binary are delivered. This cross-domain
attack and subsequent malware CVE, maintained by the MITRE Whether Adobe products can or should
delivery is silent but deadly. Corporations, retains a list of security be avoided is a matter of debate.
vulnerabilities, assigning it a common However, what does appear certain is
Adobe a Target identifier to facilitate information and that Adobe Reader and Adobe Acrobat
data sharing. As of December 31, 2009, are increasingly a favored exploit
When malicious exploit code was there were 288 total CVE records for target for attackers. Accordingly, users
encountered in 2009, vulnerabilities vulnerabilities in Adobe products. Of should treat all PDF files with the same
involving malformed PDF files (Adobe those, 107 CVE numbers assigned to caution they would use with any other
Reader / Adobe Acrobat) were the Adobe vulnerabilities were issued in executable file type. Enhanced security
most frequently targeted, followed 2009; only one was rated low, 25 were of PDF can be obtained by disabling
by vulnerabilities in Adobe Flash. rated medium, and the remaining 81 Adobe javascript in Reader and Acrobat
Interestingly, as the rate of malicious were rated high. In 2008, there were and avoiding the use of browser plug-ins
PDF files increased in 2009, the rate only 58 vulnerabilities listed in CVE for for those products.
of malicious Flash files decreased vulnerabilities in Adobe products, 50
throughout the year. in 2007, 35 in 2006, 18 in 2005, with
the remaining 20 CVE entries spread
between 2004 to 1999. The problem of
Figure 8 - PDF / Flash Exploits Figure 9 - Adobe CVE Records
PAGE 15

16. E X P L OITING THE WILD WILD WEB
The Office Space Malicious Image Files In many cases, malicious image files
are hosted on legitimate websites
It is well understood that attackers Malformed images also factored presumed to have been compromised.
typically employ exploits that target the extensively in Web-delivered attacks In most of those cases, it appears the
most ubiquitous products. Given that throughout 2009, although not due to an attackers have replaced actual site
these are Web-delivered exploits and exploit by definition. These images take images with the maliciously modified
Adobe Reader is the most ubiquitous advantage of features in the operating copies of the images. The imposter
document reader used on the Web, it system, browser, and the Web server. As images display normally but behind
stands to reason that the rate of PDF a result, MIME types can be forged, PHP the scenes, depending on the browser,
exploits would be high. However, can be nestled in text comment fields of the iframe contained in the image
exploits for Microsoft Office file formats, legitimate GIF or JPG images, and PHP attempts to launch malcode from the
which also enjoy widespread use, interpreters can override even concerted attacker-owned site. Note that these
were comparatively (and significantly) blacklisting efforts. Figure 10 shows the malicious images are not the sole means
more rare in 2009. Collectively, Web- proportion of malicious image files to all of compromise, but typically act as an
encountered exploits in Word and Excel other Web-delivered malware for each adjunct to the overall compromise.
comprised less than 1% of all detected quarter of 2009.
exploits for the year.
Malicious Image Files
12%
10%
8%
6%
4%
2%
0%
1Q09 2Q09 3Q09 4Q09
Figure 10 - Malicious Image Files
PAGE 16

17. BUILDING A BETTER BOTN E T
In most of those cases, it appears
the attackers have replaced actual
site images with the maliciously
modified copies of the images.
PAGE 17

18. B U I L D ING A BETTER BOTNET
The traditional definition of a botnet Gumblar The technique also proved effective at
is a collection of compromised client bypassing signature detection. During
computers under the control of a Gumblar is a multi-stage series of Gumblar’s initial peak from April 24th
common attacker (or common group compromises that delivers malware through May 15th, signature scanners
of attackers). A typical botnet may designed to intercept Web traffic, steal were unable to detect the Gumblar
be used for nefarious commercial FTP credentials, manipulate search compromise. ScanSafe Outbreak
purposes such as distributing spam engine results, and install backdoors on Intelligence successfully detected and
or scareware. Botnets can also be compromised computers and websites. blocked all phases of the Gumblar attack.
used for distributed denial of service
(DDoS) attacks, which can sometimes The malicious script embedded during In subsequent phases, Gumblar attackers
be rendered against competing sites the original compromise was placed on began uploading PHP backdoors to
or services for illicit financial gain. In collateral .js or .php files called when the compromised websites, providing
addition to other uses (left only to the page was loaded, rather than directly attackers with continued control of the
imagination of the attackers), botnets on the default home page itself. This sites even if the original FTP passwords
can also play a role in the compromise technique enabled attacks to avoid were changed.
of legitimate websites or be used as casual observation, but still have their
part of a fast flux network to mask the malicious scripts rendered when users At 14% of the total Web malware blocks
origin of a particular malware host. visited the site. for the year, the Gumblar attacks were the
most prevalent attacks in 2009, peaking
In 2009, Gumblar changed the at 35% of all blocks in November 2009.
traditional view of botnets, as the
Gumblar attackers began uploading PHP
backdoors to compromised websites
for continued command and control of
those sites. This enables the attackers to
interchangeably use the compromised
sites as the actual malware host, or as
part of a redirection chain for exploit
delivery, or both. This not only hampers
remediation efforts – effectively giving
the Gumblar attackers thousands of
possible malware hosts – but it also
can thwart standard reputation-style
filters and thus increase the likelihood of
Figure 11 - Gumblar
exposure to the malware.
In 2009, the three most prolific botnets
from a Web malware standpoint were
Gumblar (14%), Asprox (2%), and Zeus
(1%). While both Conficker and Koobface
received the lion share’s of attention from
a media perspective, actual encounters
resulting from these botnets were
extremely low, collectively representing
only .05% of Web malware in 2009.
PAGE 18

19. BUILDING A BETTER BOTN E T
Asprox Zeus Zeus was the third largest single botnet
impacting Web surfers in 2009. Zeus-
The Asprox botnet causes infected The Zeus botnet was implicated in a $6 related malware and sites compromised
computers (bots) to become the attack million dollar commercial account heist by the Zeus botnet comprised 1% of
mechanism. Some of the bots are on 20 European banks in the summer of all Web malware blocks for the year.
instructed to upload a SQL injection 2008. In early 2009, the Zeus botnet began Beginning in the first quarter of 2009,
attack tool, which then queries search employing an exploit toolkit known as the Zeus botnet began employing
engines to find susceptible sites and Luckysploit, which uses standard RSA the LuckySploit framework to render
exploit any found. Successful exploit public/private key cryptography to exploits on unsuspecting Web surfers’
results in compromised websites encrypt the communication session with computers.
that silently attempt to infect visitors’ the browser.
computers. Other bots are used as hosts
for the malware. Asprox commonly Zeus bots are known for browser traffic
uses fast flux, thus a single malware sniffing, intercepting POST data and
domain called by the compromised keystrokes associated with the active
site may resolve to one of a number of browser session as well as clipboard
IP addresses in an attempt to mask the data pasted into the browser. While
actual host. these actions facilitate Zeus’ activities
concerning data theft, it could also lead
In terms of botnet-related Web malware, to compromise of FTP credentials. For
websites compromised as a result of this reason, impacted sites may not just
Aprox were second largest at 2% of all be spreading new Zeus banking trojans
Web malware blocks, peaking at 11% in and bots, their management systems
October 2009. may also be infected. Zeus bots and
trojans are also rootkit-enabled, which
can hinder discovery efforts.
Figure 12 - Asprox Figure 13 - Zeus
PAGE 19

20. M A L WARE CATEGORIES
Web Malware Blocks by Category
This report focuses solely on malicious
Exploit & Iframe
software and excludes tracking cookies,
Web bugs, non-malicious opt-in Backdoor & PWS
tracking or legitimate (but potentially Trojan - General
unwanted) advertising supported
Rogue Scanner
software. Categories of malware in this
report include the following: Downloader / Dropper
Virus & Worm
• Trojans
• Exploits / iframes Redirector
• Redirectors Clickfraud Trojan
• Downloaders
0% 10% 20% 30% 40% 50%
• Clickers
• Scareware (rogue scanners) Figure 14 - Web Malware Blocks by Category
• Viruses
• Worms (including autorun worms
which connect via the Web upon Top Ten Web Malware
3%
infection) 2%
Trojan-Iframe.JS.Gumblar
2%
PSW.Banker
In 2009, 45% of all blocked Web malware OI-PSW.Keylogger.OF
encounters were with exploits and 2%
Worm.AutoIt
iframes indicative of compromised Hoax.Win32.Krap.ah
websites. The second highest category 2%
OI-PSW.Win32.MultiBanker.SV
were direct encounters with Trojans 14%
Backdoor.Win32.RaMag.a
2%
engaged in data theft (backdoors and PSW.Win32.Magania.bfrp
password stealers), which comprised 2%
Trojan.HTML.IFrame.kr
1%
19% of all ScanSafe Web malware blocks 1%
for the year. Interestingly, because Figure 15 - Top Ten Web Malware
scareware is intentionally designed to be
a very noticeable infector, these rogue
scanners tend to get the lion share
of attention in media and consumer
reports, yet were only 7% of all Web
malware encounters for 2009.
In 2009, 45% of all blocked Web
malware encounters were with
exploits and iframes indicative of
compromised websites.
PAGE 20

21. MALWARE CATEGOR I E S
Outbreak Intelligence
Outbreak
Intelligence,
Today’s cybercriminals go to great 27%
lengths to ensure their malware
goes undetected. As we previously
demonstrated in Figure 7, malware
creators may even offer service
level agreements consisting of
full replacement and money-back
guarantees that the malware will not be
picked up by traditional scanners. Signature, 73%
In 2009, 27% of all Web-delivered
malware blocked by ScanSafe Outbreak Figure 16 - Outbreak Intelligence vs. Signature Blocks
Intelligence was undetectable by
signature scanners at the time of 100%
encounter. While 27% was the overall 90%
average for the year, during peak 80%
outbreak periods the rate of zero day 70%
malware blocks was much higher. 60%
50%
Outbreak Intelligence blocks on 40%
November 7th reached 97%. Second 30%
highest rate of zero day malware 20%
occurred on August 24, with 90% 10%
0%
undetectable by traditional signatures.
03-Dec-09
17-Dec-09
04-Jun-09
18-Jun-09
08-Oct-09
22-Oct-09
05-Nov-09
19-Nov-09
02-Jul-09
09-Apr-09
23-Apr-09
16-Jul-09
30-Jul-09
12-Feb-09
26-Feb-09
10-Sep-09
24-Sep-09
12-Mar-09
26-Mar-09
01-Jan-09
15-Jan-09
29-Jan-09
13-Aug-09
27-Aug-09
07-May-09
21-May-09
Figure 17 provides a day-by-day
snapshot of zero day malware blocked
by Outbreak Intelligence in 2009. Figure 17 - Outbreak Intelligence Blocks Throughout 2009
In 2009, 27% of all Web-
delivered malware blocked by
ScanSafe Outbreak Intelligence
was undetectable by signature
scanners at the time of encounter.
PAGE 21

22. O N E COMPANY’S EXPERIENCE
Focus Company: Compromised
Websites Encountered
To help contextualize the increased 1200
risks posed by Web-delivered malware, 1000
ScanSafe provides raw numbers from an 800
actual 15,000 seat customer. We analyze 600
that customer’s Web malware blocks in
400
May of each of the target years (2007,
200
2008, 2009) to provide year-over-year
0
comparisons for trending purposes.
May 2007 May 2008 May 2009
Figure 18 - Focus Company: Compromised Websites Encountered
As Figure 18 demonstrates, encounters Focus Company: Data Theft Trojans
with compromised websites have Encountered
increased dramatically over the past
350
three years. In May 2007, the customer
300
encountered only 77 compromised 250
websites, increasing to 481 compromised 200
website encounters in 2008, and 1024 150
encounters in May 2009. 100
50
Direct encounters with data theft Trojans 0
also increased year over year, from 0 May 2007 May 2008 May 2009
direct encounters in May 2007 to 307 in Focus Company: Unique Attacks
Figure 19 - Focus Company: Data Theft Trojans Encountered
May 2009.
Encountered
250
A typical website compromise can
impact tens of thousands of websites 200
simultaneously. Multiple distinct 150
(unrelated) attacks can also occur
100
simultaneously. Throughout 2009,
ScanSafe STAT recorded over a thousand 50
unique attacks on average for each 0
month of the year. In May 2007, our May 2007 May 2008 May 2009
15,000 seat focus customer encountered Figure 20 - Focus Company: Unique Attacks Encountered
11 unique separate attacks, compared to Focus Company: Total Encounters
197 unique attacks in May 2009. 2000
1800
Total encounters also increased year 1600
1400
over year. The ScanSafe STAT focus
1200
customer experienced 205 total Web 1000
malware encounters in May 2007, 669 in 800
May 2008, and 1719 total Web malware 600
400
encounters in May 2009. 200
0
May 2007 May 2008 May 2009
Figure 21 - Focus Company: Total Encounters
PAGE 22

23. THE VERTICAL THRE A T
For two years in a row, ScanSafe STAT The Government sector had a 2.5 times
malware block data reflects a disturbing higher than average rate of encounters
trend – companies in highly sensitive with data theft Trojans delivered via the
verticals experience a much higher than Web, but had a 25% lower than average
average rate of Web malware encounters. rate of encounters with unique variants
of this category of malware. The Banking
In 2009, Energy & Oil experienced a 3.5 & Finance sector experienced a data
times higher rate of direct encounters theft Trojan encounter rate that was
with data theft Trojans compared to all 204% higher than average. Encounters
other verticals for the report period. with unique variants of data theft Trojans
Companies in the Pharmaceutical and were 211% higher than the norm for all
Chemical sector experienced a 3.2 times customers combined.
heightened rate of encounter with this
most serious category of malware.
Increased rate of exposure to data theft Trojans
Both the Pharmaceutical & Chemical
industry and the Energy & Oil sector also Energy and Oil 356%
experienced higher rates of encounter
to unique variants of password stealers Pharmaceutical & Chemical 322%
and backdoors, at a rate 14 times and 11
times higher than average, respectively. Government 252%
The higher rate of encounters with
unique variants is likely indicative of Banking Finance 204%
greater targeting of these segments,
as attackers typically introduce new
variants in an attempt to evade malware
detection.
In 2009, Energy & Oil experienced
a 356% greater rate of direct
encounters with data theft Trojans
compared to all other verticals for
the report period.
PAGE 23

24. A D E CADE OF DECEPTION
As one decade closes and another January 2003 ushered in the Sobig worm, Following the worm wars, named threats
begins, it provides an opportunity to look a significant threat not fully appreciated became fewer as attacks became more
both to the future and to the past. For until Sobig.E and Sobig.F appeared in overtly criminal and profit motivated.
as the saying goes, “Those who cannot the summer of that same year. Sobig- To bypass technology, clever attackers
remember the past are condemned to infected computers were outfitted with began incorporating a much higher
repeat it.” 6 a spam proxy, enabling mass-mailers to degree of social engineering in their
send large volumes of unwanted email attacks. In January 2005, following the
Modern malware is commercially via victim computers, even harvesting previous month’s tsunami in the Indian
motivated - instead of writing malware the victims own email contacts to add to ocean, scammers began targeting
for ego gratification, today’s attackers the spammers’ mailing lists. peoples’ fear and curiosity through
are using malware to make money. Thus, breaking news alerts. Links in the email
in hindsight, the May 2000 Loveletter The monetary gains to be had from that claimed to point to headline news
worm was a harbinger of things to come. harvesting email addresses became actually pointed to malicious malware
The Loveletter worm combined social even more apparent during the that turned victim computers into bots.
engineering (love letter for you) with a subsequent email worm wars in early
password-stealing trojan designed to 2004. Beginning with MyDoom and By 2006, the Storm botnet was formally
harvest ISP usernames and passwords. the Bagle worm, an interloper (Netsky) underway, though not named as
The intent: to provide free Internet quickly jumped into the fray. The authors such until January 2007, after a bogus
access to the worm’s author. of Bagle then began coding variants of breaking news alert claimed “230 dead
their worm that, in addition to dropping as storm batters Europe.” Coincidental to
In mid-September 2001, the Nimda their own malware, would also remove the alert, a very real storm in Europe did
worm began its rapid spread around Netsky. In turn, the Netsky author began cause loss of life, thus earning the trojan
the globe, facilitated by multiple means neutering the MyDoom/Bagle infections family (and its associated botnet) its new
of propagation. One of the methods while adding his own malicious code to name, Storm.
included modifying any .htm, .html, or the system. This prompted a response
.asp pages found on infected systems. from the Bagle authors; hidden in
The worm also spread by exploiting Bagle.K’s code was the message, “Hey
several vulnerabilities in Microsoft Netsky, f*ck off you b*tch, don’t ruine our
IIS, furthering the worm’s ability to business, wanna start a war?”
infect Web pages. As such, Nimda can
be viewed as a pioneer in malware’s
eventual move to the Web.
“...instead of writing malware for ego
gratification, today’s attackers are using
malware to make money.”
6
George Santayana: Life of Reason, Reason in Common Sense, Scribner’s, 1905
PAGE 24

25. A DECADE OF DECEPTI O N
In 2007, publicity around MPack led The 2009 Gumblar attacks can be “Hey Netsky, f*ck off
to heightened adoption of exploit viewed as the culmination of a decade’s
frameworks in general, laying the evolution of criminal/profit-motivated you b*tch, don’t ruine
groundwork for managed Web attacks. malware. Gumblar creates two sets of
The release of free or low cost SQL botnets: client-side traditional backdoors our business, wanna
injection tools in the Fall of 2007, and a second, never before seen
followed by remote discovery tools such botnet compromised of thousands of
start a war?”
as Goolag in 2008, further cemented backdoored websites. Gumblar includes -- Bagle.K author, 2004
cloud-based malware delivery via the a forced redirect revenue stream for
Web. These attacks quickly proved the Gumblar creators thus providing
profitable and shifted the value instant monetization, as well as long
proposition from spam and malicious term potential profits via its ability to
marketing to stolen FTP credentials and intercept, tamper with and steal Internet
intellectual/financial property theft. and network communications. Gumblar
Cloud-based distribution of malware also includes the ultimate in social
also increased the sophistication of engineering – turning perfectly good,
malware creation kits, thus doubling the reputable websites against their visitors,
volume of malware with exponential and even against their very owners.
year-over-year increases.
The 2009 Gumblar attacks can
be viewed as the culmination of
a decade’s evolution of criminal/
profit-motivated malware.
PAGE 25

26. E X E C UTIVE SUMMARY
If Loveletter was the harbinger of The digital divide will also likely continue
data theft to come in the last decade, to grow and resulting tensions will likely
Gumblar may well be the first harbinger fuel further cyber-attacks, including
of mass control of the Web in the new even more increases in attacks designed
decade. As such, one can only conclude for theft of intellectual property and
that the criminal harvesting of data via attacks designed to disrupt access.
the Web will continue to be top priority
for attackers in 2010 and beyond. To confront the challenges of the coming
years, we must reposition our thinking to
To counter threats on the Web, network match the new reality. We must forgo our
architecture will likely undergo many perceived familiarities and see the issues
changes in the coming decade. As a that are already at hand – the criminal
result, it can be expected that various business of data harvesting and the
forms of user authentication based siphoning off of intellectual property.
on trust relationships will eventually Our defences must extend beyond the
emerge. As these efforts evolve, confines of brick and mortar and into the
subsequent online personas will become cloud to ensure end-to-end protection
increasingly attractive targets to would- of our most sensitive assets and people,
be attackers. Identity theft programs will regardless of operating system, device,
subsequently need to evolve beyond or geo-locale.
protection of one’s credit report, to
include protecting one’s virtual identity
from those who would spoof it for illicit
gains.
It can also be expected that the Internet
will increasingly become more device
and service centric and less “desktop
centric.” As that development unfolds,
this will introduce a less homogenous
environment for attackers, thus further
propelling the (ab)use of the Web for
criminal gain.
One can only conclude that the criminal
harvesting of data via the Web will
continue to be top priority for attackers in
2010 and beyond.
PAGE 26

27. G L O S SARY
Backdoor Malware that provides surreptitious and unwanted access to a remote computer or device
Compromised Site A site which has been the victim of exploit of vulnerabilities, resulting in the distribution of malware
Heuristic An algorithm which may be signature or behavior-based, designed to detect a characteristic or specific set of
criteria consistent with previously observed malware
Malicious Site Website distributing malware, whether intentionally or through compromise
Malware Software distributed for malicious intent
OI ScanSafe Outbreak Intelligence™; a collection of technologies designed to detect both known and unknown
malware threats
Password Stealer Malware that monitors keystrokes, captures screenshots, or steals data, sending the captured details to
attackers
Signature An algorithm used by signature-based scanners to detect a specific threat or specific family of threats
Trojan A non-replicating program which has intentionally malicious behavior
Virus Malware that infects other files or programs
Worm Malware that spontaneously copies itself to other folders, drives, shares, or accessible sites
Zero-Day A vulnerability or malware for which no patch, signature, or intelligence is available preliminary to initial
detection
PAGE 27

28. ABOUT SCANSA F E
ScanSafe EMEA ScanSafe (www.scansafe.com), now a
Qube, 90 Whitfield Street part of Cisco, is the pioneer and largest
London,W1T 4EZ global provider of SaaS Web Security,
T: +44 (0) 20 7034 9300 ensuring a safe and productive Internet
F: +44 (0) 20 7034 9301 environment for businesses. ScanSafe
E: info@scansafe.com solutions keep malware off corporate
networks and allow businesses to
control and secure the use of the Web. As
ScanSafe US
a SaaS solution, ScanSafe eliminates the
950 Elm Avenue
burden of purchasing and maintaining
San Bruno, CA 94066
infrastructure in-house, significantly
T: +1 650 989 7100
lowering the total cost of ownership.
F: +1 650 989 6543
Powered by its proactive, multilayered
E: info@scansafe.com
Outbreak Intelligence™ threat detection
technology, ScanSafe processes more
than 20 billion Web requests and 200
million blocks each month for customers
in over 100 countries.
The ScanSafe Security Threat Alert Team
(STAT) is a key part of the ScanSafe Threat
Center, which monitors the global state
of Web traffic, 24 hours a day, seven
days a week. STAT is comprised of a
group of malware experts dedicated
to analyzing trends and anomalies in
Web traffic scanned by the ScanSafe
Threat Center and the more than 200
million blocks each month. The team
performs ongoing expert analysis of
Internet threats, identifying trends in
new malware tactics and developing
technologies to prevent them.
STAT also provides timely information
on significant, newly emerging Web-
borne threats via the ScanSafe STAT
blog - a tool designed to provide readers
with the pulse on the overall Web threat
landscape.
In 2009, the company was awarded
“Best Content Security” solution by SC
Magazine for the third consecutive year.
© ScanSafe All rights reserved. ScanSafe, the ScanSafe logo and Outbreak Intelligence are trademarks of ScanSafe. All other trademarks are the property of their respective owners.
PAGE 28 PAGE 28