There’s no doubt that 2011 was a year of threat proliferation in cyberspace. Old threats were revived and new attack vectors opened up. For example, sales of smartphones and tablets soared, all of them potential attack platforms, and we saw social engineering on the rise in social media and targeted email attacks like spear-phishing. Meanwhile, mean-spirited, human-on-human social engineering flared up in cold-call support scams. Malware continued to evolve throughout the year, as we documented on the ESET Threat Blog and in conference papers and published articles. ESET’s Virus Lab continues to collect well over 100,000 unique malware samples per day.
So you might be tempted to conclude that 2011 was a bad year for those concerned about protecting data and information systems. Yet there were some hopeful signs throughout the year, steps taken to take down the bad guys, and strong signals to the good guys to do better. One of the most notable areas of success was the international assault on botnets, some operators of which are now in custody. There were also arrests in a variety of cybercrime cases, from the Florida man who was hacking celebrity email accounts, to phone hackers working for the News of the World in the UK, and a Seattle gang that combined old-fashioned breaking-and-entering with war-driving and network hacking to steal everything from computers to paychecks.
Botnet operators are especially loathed, by companies and consumers alike, not just because of the crimes they enable—everything from spam to fraud, financial theft, DDoS and data ransoming—but also because of the huge waste of resources that botnets represent. The time and energy consumed by efforts to fend off botnet-enabled activities, like the massive server resources required to cope with spam, are a drain on the global economy.
In the first quarter of 2011 we saw the Rustock botnet fall in the face of combined efforts from Microsoft, the U.S. Marshals Service, the Dutch High Tech Crime Unit, and China’s National Computer Network Emergency Response Technical Team (CNCERT). One of the key steps in that takedown occurred in the first month of the year; that’s when Microsoft filed a temporary restraining order against “John Does controlling a computer botnet thereby injuring Microsoft and its customers.” The significance of this order was the platform it created for a sudden and coordinated seizure of the botnet’s command and control servers before the bot herders had a chance to react and move them elsewhere.
At one point in its five-year existence Rustock was pumping out nearly half of the world’s spam. Based on McAfee’s helpful 2009 carbon footprint analysis, that spam was wasting electricity at the rate of 15 billion kilowatt-hours per year, enough to power over a million homes in the United States. You could say that taking down Rustock reduced greenhouse gas emissions by the same amount as taking 1.5 million passenger cars off the road.
In September, Microsoft announced it had taken down another botnet, known as Kelihos (Waledac 2.0). In an operation code-named Operation b79, Microsoft used legal and technical measures similar to those employed in its previous botnet takedowns, including an ex parte temporary restraining order—enabling the seizure of assets such as domain names without first notifying the other party—and claims of trademark infringement under the 1946 Lanham Act (an anti-spam strategy advocated by the author over ten years ago).
The FBI also engaged in some spectacular takedowns in 2011. In April they hit the botnet based on the Coreflood Trojan, which had infected millions of PCs with a keylogger that sent banking credentials and other sensitive information to the botnet’s command-and-control servers. The FBI seized the servers and replaced them with new ones that could distribute instructions to disable the Trojan on user machines, thereby opening a new front in the war on malware: legally sanctioned removal of malware by a third party. In November the U.S. Department of Justice took down “DNS Changer,” arguably the biggest botnet dismantled so far (said to be more than twice the size of Rustock).
Besides taking down botnets, the FBI was busy making cases against the bad guys and making life harder for cybercriminals on the run. Two big cases came to light in December alone. On December 15 in Las Vegas, 16 people were charged with bogus Internet sales of merchandise like automobiles, travel trailers and watercraft. A week later, 14 Romanian citizens were charged with conspiracy, fraud and identity theft offenses stemming from their alleged participation in an extensive “phishing” scheme; three of the charged defendants have been extradited from Romania to the United States.
Of course, reducing cyber-threats is not just about locking up the bad guys. Legitimate companies that earn returns for their investors by operating in cyberspace need to play their part in helping cyber-citizens protect their personal data, even as we spend more time online and use an ever-expanding range of digital communication channels. According to Nielsen, Google and Facebook were the most visited sites of 2011. Some 153.4 million people visited Google sites each month, on average, while Facebook traffic averaged 137.6 million (figures based on web traffic from home and work computers from January through October 2011, excluding mobile visits).
Besides being 2011’s two most visited websites, Facebook and Google this year became two of the largest companies operating under an FTC consent decree due to complaints about privacy practices. Consumers concerned about privacy and security should see this as a good thing, considering what has happened to Microsoft over the last 9 years. Prior to the 2002 FTC action, Microsoft had a fairly dismal information security track record. Since then the company has transformed itself into a leading force in several key areas of cyber-security, botnet takedowns being just one of them. What Google and Facebook have in common with Microsoft is a business model that relies on the continued growth of, and trust in, networked technology. In other words, they have every incentive to work hard to reduce cyber-threats. Here’s hoping we get more good news to report in 2012.
Stephen Cobb, Security Evangelist ESET, North America