SCCyberworld

Friday, July 13, 2007

Trend Micro compiles the first-half record and forecasts the second half

1st Half 2007 Threat Roundup and 2nd Half Forecast

KUALA LUMPUR – July 13, 2007 – Trend Micro released its 1st Half 2007 threat report, together with a forecast of the threats to expect in the second half of the year. The report details the various threats dominating the cyberworld and the patterns in which they spread. Trend Micro also offers preventive measures to ensure that these threats are contained.

Trend Micro stresses that the era of the global outbreak is over. Today's threats are stealthy, regional and targeted, blended and sequential, Web-based and motivated by money. There are economies built around the creation, sale and utilization of malware. Trend Micro continues to see explosive growth in Web-based attacks, while messaging remains a popular threat vector as well. Using these two threat vectors in combination to target victims gained significant momentum in the first half of 2007. Adding to the mix, the technologies and techniques used for malicious purposes are growing ever more sophisticated.

Infrastructure Vulnerabilities
Infrastructure vulnerabilities are threats that originate from the existence of security weaknesses in applications, network architectures, or operating systems. Malware authors rely on security holes in software applications to be able to introduce malicious code to personal computers (PCs). Some proactively look for vulnerabilities and sell their information in digital black markets. Others wait for public disclosure of the vulnerability, and then craft an exploit hoping to reach users before vendors distribute patches or updates. Notable infrastructure vulnerability exploits recently detected include:
Trojans that exploit Microsoft Windows applications, specifically MS Word, MS Excel, and MS PowerPoint
Trojans that exploit Microsoft Windows cursor (.ANI) files, a vulnerability in the way Windows 2000, XP, Server 2003, and Vista handle animated cursor and icon formats
Infrastructure vulnerabilities exist not only in software products, but also in Internet applications. For example, cross-site scripting (XSS), a popular application used by Web 2.0 sites including MySpace and YouTube, is also popular among malicious code developers, who exploit an XSS vulnerability to phish high-volume, interactive Web sites.

High-Impact Threats
High-impact threats are threats that have the capacity to cause very high localized damage. Examples include regional outbreaks and targeted attacks. The high-impact threats from the first half of this year illustrate how malware authors are able to deploy code that specifically targets victims using social engineering tactics. The NUWAR worm is among the more prominent of such events.

The NUWAR worm emerged in late 2006, propagating via mass-emailed messages with war-related subject lines and attached executable files capable of turning PCs into generators of spam and infectious worm email. It was not until January 2007, when Trojan variants arrived via spammed email messages, that the malware gained much publicity. Leveraging a 200-kph storm ravaging Eastern Europe, a slew of email messages with the subject "230 dead as storm batters Europe" were spammed to unsuspecting recipients. Concerned and curious recipients who were lured into opening the attachments named full clip.exe, full story.exe, full video.exe, and read more.exe inadvertently introduced a Trojan downloader onto their computers. Other malware authors achieve high impact by relying on the timely popularity of certain Web sites. During the first week of February, malware authors attempted to capitalize on Super Bowl XLI in the United States. They created a malicious script, hacked into the official site of the Miami Dolphins Stadium, and delivered a key-logger to unsuspecting visitors of the site, an attack known as a "drive-by download." In June, over 3,000 Web sites in Italy were compromised, affecting over 15,000 users with keyloggers and bot software.

Content-Based Threats
Content-based threats are threats that cyber criminals deliver via email or Web content. Spam and phishing are well-known types of content-based threats.

Spam
Spam, defined as unsolicited email messages containing links that download malware, continued to rise during the first months of 2007. Malware delivered via spam, such as the NUWAR worm, has proven quite adept at exploiting real-world events and human interest in doomsday pronouncements of war. As discussed earlier, such spam attacks have a very high impact when delivered using social engineering tactics or increasingly stealthy attack vectors, such as image spam.
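The NUWAR lure described above (subject line plus executable attachments) and the spam section's point that such attacks ride on topical subjects both suggest a mail-gateway triage rule. The following is an added example, not Trend Micro's code: it applies the report's own indicators (the storm subject and the four attachment names) plus a durable "any executable attachment" rule to constructed sample messages.

```python
"""Gateway triage for NUWAR-style lure mail (added example; samples are constructed)."""
import email
import re
from email import policy

# Indicators quoted in the report: the January 2007 lure subject and attachment names.
LURE_SUBJECTS = {"230 dead as storm batters europe"}
LURE_ATTACHMENTS = {"full clip.exe", "full story.exe", "full video.exe", "read more.exe"}
# Durable rule: executable attachments are quarantined regardless of sender or subject.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)


def triage(raw_message: str) -> dict:
    """Parse one RFC 822 message and return indicator flags plus a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    attachments = [
        (part.get_filename() or "").strip()
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]
    flags = {
        "executable_attachment": any(EXECUTABLE_EXT.search(a) for a in attachments),
        "known_lure_attachment": any(a.lower() in LURE_ATTACHMENTS for a in attachments),
        "known_lure_subject": subject in LURE_SUBJECTS,
    }
    # Any single indicator is enough to hold the message for scanning.
    flags["verdict"] = "quarantine" if any(flags.values()) else "deliver"
    return flags


# Constructed sample messages (hypothetical addresses, not real captures).
LURE_MAIL = (
    "From: news@example.invalid\n"
    "Subject: 230 dead as storm batters Europe\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="Full Clip.exe"\n\nMZ...\n'
    "--b1--\n"
)
CLEAN_MAIL = "From: alice@example.invalid\nSubject: Lunch?\nContent-Type: text/plain\n\nNoon?\n"

if __name__ == "__main__":
    print(triage(LURE_MAIL))   # verdict: quarantine
    print(triage(CLEAN_MAIL))  # verdict: deliver
```

The subject and filename lists go stale as soon as the spammers change their lure, which the report itself notes they do; the executable-attachment rule is the part that keeps working.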

Phishing
In response to the surge in online commerce generated by the holiday season, attempts via email to procure personally identifiable information with the intent of identity and financial theft (commonly referred to as phishing) peaked in January 2007. While numbers were down for a few months, May saw an increase in attempts, reflecting the ease with which fake Web sites can now be created (via the introduction of phishing kits into the underground markets) and established online (via cheaper rates for domain registration).

The top ten Web sites that were spoofed by phishers during the past six months are:
1. eBay
2. PayPal
3. Bank of America
4. Wachovia
5. Fifth Third Bank
6. BB&T
7. Poste Italiane
8. Sparkasse
9. Regions Bank
10. VolksBank

Process-Based Threats
Process-based threats are typically propagated via executable applications resident on a host PC. Examples include malware, spyware and adware. The latest infection counts show that the number of infections from heuristically detected malware nearly doubled from December 2006 to May 2007.
Table 2. Trojan Spyware Detections for 2007

Notable process-based exploits being detected today include:
Advanced file infectors (viruses that attach themselves to program files)
Information theft spyware targeting online gaming
Rogue anti-spyware software containing malware

Distributed Threats
Distributed threats are threats that involve the use of bots, or botnets, to mount attacks on third party victims. Due to the power and sophistication of bots and botnets, they remained the hacker's best friend in 2007. Their ability to go undetected and be called into action on a moment's notice for use in spam, phishing, denial of service, keylogging and other malware- and crimeware-related activities make them a key player in the threat landscape.

As the past few months have demonstrated, there is a distinct effort by botnet masters, particularly those that send out spam (NUWAR and STRAT), to increase their batting average in infection rates by closely monitoring real-world events and crafting timely email messages, raising the likelihood that each spammed message results in a hit. As discussed under content-based threats, the changing subject headings are proving effective.

Effective Measures for Combating Today's Threats
For enterprises, mid-size corporations and small businesses, Trend Micro recommends a multi-layered approach to protection, including the following:
Deploy HTTP-scanning methods
Do not allow unnecessary protocols to enter the corporate network
Deploy vulnerability scanning software in the network
Restrict user privileges for all network users
Deploy corporate anti-spyware scanning
Support user awareness campaigns

For home users, Trend Micro recommends the following:
Beware of pages that require software installation
Scan all programs and files downloaded from email or via the Internet
Beware of unexpected or strange-looking emails, regardless of their sender
Always run a real-time antivirus scan service
