By Andrew Brandt
With 2010 finally behind us, and an unknown number of cyberattacks likely to come in the new year, I thought I’d run down a brief list of the malicious campaigns criminals pulled off last year that I’d really dread to see anyone repeat. Now that they’re in the past, they should stay there.
Operation Aurora: Google’s accusation (with Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec) that China hacked its servers, allegedly stealing private emails stored on the company’s servers. The big surprise wasn’t that it was happening, but that companies were publicly talking about it.
Abused ccTLDs: 2010 saw lots more malicious content originating from previously un-abused country code top-level domains, which are assigned to national authorities, such as the .in (India) and .cc (Cocos (Keeling) Islands) top-level domains. The Cocos Islands’ .cc domain deserves particular note because the more than 2200 malicious domains (discovered during 2010) hosted under this ccTLD outnumber the approximately 600 human inhabitants of the tiny archipelago by nearly 4-to-1.
Koobface: “the little social network worm that could” employed new URL obfuscation techniques, introduced its own keylogger, and focused efforts on a smaller number of social media sites, while Facebook got more proactive at shutting down the worm’s operations quickly. Maybe this year they’ll disappear altogether.
Malware attached to spam email: It’s been years since anyone tried emailing executables, but the people behind Trojan-Downloader-Tacticlol (aka Sasfis or Oficla) figured out how to bypass some protection methods: Embed your malware in a .zip archive.
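As an added, defender-side illustration of the trick described in this item (this is example code written for this page, not code from the original post or from any product it mentions): a small Python scanner that opens an attached .zip entirely in memory and flags members that look like smuggled executables, whether by extension, by a decoy double extension such as invoice.pdf.exe, by a PE "MZ" header hiding under a harmless name, or inside a nested archive. Password-protected members cannot be inspected at all, so the scanner flags them rather than silently passing them. The extension lists, the `MAX_DEPTH` limit and the sample archive it builds are assumptions constructed for the example; the "executable" inside is only a two-byte header stub, not a real program.

```python
import io
import re
import zipfile

# Constructed for this example: extensions Windows runs on double-click, and
# "document" extensions that attackers pair with them (invoice.pdf.exe).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".dll")
DECOY_EXTS = ("pdf", "doc", "docx", "xls", "jpg", "txt", "html")
DOUBLE_EXT_RE = re.compile(r"\.(" + "|".join(DECOY_EXTS) + r")\s*\.[a-z0-9]{2,4}$")
MAX_DEPTH = 3  # assumed limit: stop descending into zips nested deeper than this


def scan_zip(zip_bytes, depth=0, prefix=""):
    """Return a list of (member_path, reason) tuples for every member that looks
    like an attempt to smuggle an executable past an attachment filter."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "not a valid zip archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = info.filename.lower()
            if info.flag_bits & 0x1:
                # General-purpose bit 0 = encrypted; we cannot look inside,
                # so the member is reported instead of being waved through.
                findings.append((path, "encrypted member, content cannot be inspected"))
                continue
            if lower.endswith(EXECUTABLE_EXTS):
                findings.append((path, "executable extension"))
            if DOUBLE_EXT_RE.search(lower):
                findings.append((path, "double extension"))
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                # DOS/PE header: an executable regardless of what it is named.
                findings.append((path, "PE header (MZ) regardless of name"))
            if lower.endswith(".zip"):
                if depth >= MAX_DEPTH:
                    findings.append((path, "nesting too deep"))
                else:
                    findings.extend(scan_zip(zf.read(info), depth + 1, path + "!/"))
    return findings


def build_sample_attachment():
    """Construct a sample attachment in memory (not a real malware sample): a
    decoy text file, a renamed PE stub, a PE stub posing as an image, and a
    nested zip holding a .scr screensaver."""
    fake_pe = b"MZ" + b"\x00" * 62  # only the header magic matters here
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.scr", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", b"Please open the attached invoice.\n")
        z.writestr("Invoice_2010.pdf.exe", fake_pe)
        z.writestr("photo.jpg", fake_pe)  # PE masquerading as an image
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


def build_clean_attachment():
    """Construct a benign archive (also sample data) for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample_attachment()):
        print(f"{member}: {reason}")
```

Run stand-alone it prints one line per finding; in a mail gateway you would call `scan_zip()` on the decoded attachment and quarantine the message when the list is non-empty. Checking the first two bytes of every member is what catches the renamed file, and recursing into nested archives closes the obvious "zip inside a zip" variant.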
Rogue antivirus: Rogues continue to plague users. Rogue AV is a big moneymaker for malware distributors, so it should come as no surprise that said distributors seem to have been investing in social engineering techniques, making their rogues much harder for a casual observer to identify, let alone get rid of.
PDF vulnerabilities: 2010 was the year of the Exploit-PDF — malicious Adobe Reader files are now woven into the blanket of threats facing PC users. Please update your copy of Adobe Reader today. And while you’re at it, don’t get suckered into buying a fake Adobe Reader that costs real money.
Stuxnet: So, this one really was uber-1337, if reports are to be believed. Not much to say other than wow. Complex, sophisticated, super-targeted, and definitely bad for the build-a-neutron-bomb-in-your-basement crowd.
Blackhat SEO: Attacks on Google Image Search results led some users into Rogue Antivirus infections. In the past, the only BHSEO we had seen targeted regular text search results. As fast as Google closes the loopholes that permit black hat SEO to succeed, these malicious search engine manipulators find new ones to abuse.
Malware mimicry: In the past year, we’ve seen several large infection campaigns waged, using programs pretending to be Windows Update, Firefox update, Adobe updater, Flash updates, or some other legitimate auto-update app. When all other social engineering schemes fail, why not simply tell the user to download an update to their vulnerable program and watch them infect themselves that way?
Malware modifying Firefox to make password stealing more effective is relatively rare, but potentially very dangerous. Malware authors have been experimenting with modifying Firefox files all year, but Firefox 4, when it is finally released, will offer features that may render malware creators’ efforts in this regard worthless.