According to a new Internet threat report, cybercriminals are channelling their botnet and malware activities through emerging countries such as India and Brazil, where robust Internet connections are in place but where users are failing to protect their systems.
This is one of the main findings from the latest Internet Security Threat Report from Symantec Corp.
"Web-based attacks are the preferred method for getting malware onto people's computers," said Sian John, a security architect with Symantec. As she explained, Web-based attacks rely on high availability and fast connections, which is why India and Brazil are rising in prominence.
The criminals themselves can be based anywhere in the world, but they are increasingly choosing countries with a rapidly growing population of personal computers and where users may be less aware of the need for security. Once they can infect those computers, they can launch broader attacks more frequently.
Symantec recorded 6.8 million new infections in 2009. "It equates to one computer being infected worldwide every 4.6 seconds," said John.
The United States still has the most bot-infected computers, accounting for 11% of the global total, while Taipei was the city with the most bot-infected computers, accounting for 5% of the worldwide total.
The number of new bot-infected computers averaged 46,451 per day during 2009, a 38% decrease compared with 2008. But the number of new distinct bot command-and-control servers actually rose slightly from 15,197 to 17,432. Of these new bot command-and-control servers, 69% operated through HTTP, while the rest used IRC channels. Since most legitimate Internet traffic uses HTTP as well, the malicious communication back to the command-and-control servers is often hard to detect.
Malware, phishing on the rise
The growth rate in new malware continues to increase. In its Internet threat report, Symantec said there were nearly 2.9 million new pieces of malicious code detected over the course of 2009, a 71% increase over 2008, which itself had shown a similar increase over the previous year. New malware in 2009 represents 51% of the total that Symantec has ever encountered.
Phishing is still on the increase, with 59,526 phishing hosts detected, up 7% on 2008's level. Nearly a quarter (23%) of phishing attacks used one of five phishing toolkits that are readily traded on underground websites.
Worse still, John said it is possible to buy a toolkit for the Zeus banking Trojan for $700 on some Web forums. The kits make it easy for less-skilled hackers to customise Zeus to their needs, and to launch attacks against their chosen targets. The report says Symantec observed nearly 90,000 unique variants of the basic Zeus toolkit.
As explained in the Internet threat report, variants of the Zeus Trojan kit use spam to lure users to a website that uses social engineering or that exploits a Web browser vulnerability to install the bot on the victim's computer. The bot then allows remote access to the computer and can be used to steal information such as the user's online banking credentials. Each bot can then be used to send out more spam runs to compromise new users.
With so many attacks targeting browser vulnerabilities, Symantec also examined the time it took various vendors to fix vulnerabilities in their browsers. Microsoft came out with flying colours, taking an average of one day to plug a vulnerability, while Apple took an average of 13 days to fix Safari.
Firefox was affected by 169 new vulnerabilities, more than any other browser; Safari had 94 new vulnerabilities; Internet Explorer had 45; Chrome had 41; Opera had 25.
David Divitt, a fraud consultant with U.S.-based ACI Worldwide Inc., which specialises in payments systems, said that banks need to help customers being targeted by criminals to improve security, and to find ways of detecting suspicious activity more quickly.
"Man-in-the-browser viruses are difficult to detect as often standard security measures do not even reveal the presence of the virus," he said. "Banks can use out-of-band communication, such as a mobile phone, as an additional method of authentication to confirm the transaction details and verify the user. This makes it more difficult for fraudsters to operate, as they have to simultaneously compromise multiple channels."