Spam may be down but malware marches merrily on.
That’s the message from the “November Threat Landscape Report” released yesterday by security vendor Fortinet.
Global spam levels ultimately fell 12 percent in November after Dutch authorities took down a large Bredolab network made up of 140 different servers. The Bredolab botnet was typically used by cybercriminals to send out spam selling fake drugs, according to Fortinet. Spam had actually fallen as much as 26 percent the week after the network was dismantled but was able to stage a bit of a recovery afterward.
The ever-present Koobface botnet, known for affecting Facebook users, also suffered a hit on November 14 when U.K. Internet service provider Coreix took down three of its central “MotherShip” servers. The perpetrators of Koobface use these MotherShip servers as their main command-and-control systems to direct the spread of the botnet and control infected PCs. The bad guys communicate with the MotherShip machines through intermediary servers.
Though the takedown of the MotherShip servers dealt Koobface a severe blow, the success was short-lived as the botnet operators were able to use stolen FTP accounts to hijack other servers, according to Fortinet.
“We confirmed that on November 14, when the primary servers were taken offline, the intermediary servers failed to proxy content, which effectively crippled the botnet,” Derek Manky, project manager for cyber security and threat research at Fortinet, said in a statement. “Unfortunately, we saw communication restored five days later on November 19th. This is likely due to the fact that Koobface contains an FTP harvesting module.”
Looking at other botnets, Fortinet found another prominent threat in November in the form of Sasfis, a botnet that infects PCs by using the standard port 80 reserved for HTTP traffic. Increasingly, botnets are using common ports to spread in an effort to blend in with normal traffic. Detections of Sasfis command-and-control servers were third on the top 10 attack list maintained by Fortinet.
Fortinet also discovered in November that the Hiloti botnet was using legitimate DNS queries to report back to its command-and-control servers, another example of a botnet trying to use standard protocols to avoid being detected.
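The Sasfis and Hiloti examples above share one theme: command-and-control traffic hidden inside protocols that every network must allow. The short Python below is an added illustration of how a defender can still surface DNS-based beaconing from ordinary resolver logs; it is not code from Fortinet or from the report, and its log format, thresholds, and sample lines are all constructed for this example. It groups queries by client and registered domain (approximated here as the last two labels, a simplification that a real deployment would replace with a public-suffix lookup), then flags groups that show many unique high-entropy subdomains, or queries arriving on a near-constant interval, both patterns that legitimate DNS use rarely produces together.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines: "<ISO timestamp> <client IP> <queried name>".
# 10.0.0.5 is ordinary browsing; 10.0.0.7 queries a fresh random-looking
# subdomain every 30 seconds, the shape of DNS-carried command-and-control.
LOG_LINES = [
    "2010-11-19T10:00:01 10.0.0.5 www.example.com",
    "2010-11-19T10:00:02 10.0.0.5 mail.example.com",
    "2010-11-19T10:00:09 10.0.0.5 www.example.com",
    "2010-11-19T10:00:40 10.0.0.5 imap.example.com",
    "2010-11-19T10:01:02 10.0.0.5 www.example.com",
    "2010-11-19T10:00:05 10.0.0.7 a9f3e2c17b4d.update-check.example.net",
    "2010-11-19T10:00:35 10.0.0.7 b71c0e9d4f2a.update-check.example.net",
    "2010-11-19T10:01:05 10.0.0.7 c5e8a1d3f6b0.update-check.example.net",
    "2010-11-19T10:01:35 10.0.0.7 d2f9b4e7a0c3.update-check.example.net",
    "2010-11-19T10:02:05 10.0.0.7 e6a0c9f1b5d8.update-check.example.net",
    "2010-11-19T10:02:35 10.0.0.7 f4b8d2a6e9c1.update-check.example.net",
]


def shannon_entropy(text):
    """Bits per character; encoded or random labels score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Simplified 'registered domain': last two labels (no public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line):
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower()


def analyze(lines, min_queries=5, min_entropy=3.0, max_interval_cv=0.2):
    """Return a list of findings, one per (client, domain) group that looks like beaconing."""
    groups = defaultdict(list)
    for line in lines:
        ts, client, qname = parse_line(line)
        groups[(client, registered_domain(qname))].append((ts, qname))

    findings = []
    for (client, domain), events in groups.items():
        if len(events) < min_queries:
            continue  # too little data to judge
        events.sort()
        reasons = []

        # Signal 1: many distinct, high-entropy leftmost labels (data in the query name).
        leftmost = {qname.split(".")[0] for _, qname in events}
        mean_entropy = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        if len(leftmost) >= min_queries and mean_entropy >= min_entropy:
            reasons.append("high-entropy-subdomains")

        # Signal 2: near-constant spacing between queries (a beacon timer).
        intervals = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        mean_iv = sum(intervals) / len(intervals)
        variance = sum((iv - mean_iv) ** 2 for iv in intervals) / len(intervals)
        cv = math.sqrt(variance) / mean_iv if mean_iv > 0 else float("inf")
        if cv <= max_interval_cv:
            reasons.append("periodic-beaconing")

        if reasons:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(events),
                "unique_labels": len(leftmost),
                "mean_entropy": round(mean_entropy, 2),
                "interval_cv": round(cv, 2),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(finding)
```

Running it flags only 10.0.0.7 against example.net, on both signals; the browsing client is never reported because its labels are ordinary words and its timing is irregular. In practice the thresholds need tuning per environment, since CDNs and some security products also generate many unique subdomains, so a finding like this is a lead for the analyst, not a verdict.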
Finally, zero-day vulnerabilities were found last month in Adobe Shockwave, Adobe Flash, Microsoft PowerPoint, Apple QuickTime, and Microsoft’s Internet Explorer. All of these weaknesses were cited by Fortinet as critical as they leave the applications open to attacks that are able to run code remotely.
In terms of sheer malware attacks among the top countries hit in November, the U.S. accounted for 35 percent, up from 32 percent in October. Japan took 22 percent of the total attacks, up from 16 percent the prior month. And Korea took the brunt of 12.5 percent of the world’s total malware attacks, up from less than 9 percent in October.