Friday 12th March 2010

Posts Tagged ‘botnet’

McAfee Says Spam, Botnets at an All Time High

Tuesday, August 18th, 2009

The second-quarter threat report from McAfee has some bad news for all computer users out there. The main finding is that spam volumes have increased by 141% since March 2009, continuing the longest streak of rising spam volumes ever recorded. But that’s not all: there has also been a dramatic expansion of botnets and of Auto-Run malware.

The report highlighted the fact that 14 million computers have been enslaved by cybercriminal botnets, a 16% increase over last quarter.

Auto-Run malware is becoming an increasing problem: over a 30-day test period it was found to have infected over 27 million files. Auto-Run malware, which exploits the Windows Auto-Run capability, does not require any user clicks to activate, and it is most often spread through portable USB and storage devices. Depressingly, its rate of detection surpasses that of the infamous Conficker worm by 400%, making it the number one piece of malware detected around the world.

Mike Gallagher, Senior Vice President and Chief Technology Officer of McAfee Avert Labs, said: “The jump in bot and spam activity we saw in the last three months is alarming, and the threat from Auto-Run malware continues to grow. The expansion of these infections is a grave reminder of the potential harm that can be caused by unprotected computers in homes and businesses.”

McAfee also provides some background showing a generally worsening computer security situation.

It is noted that fourteen million additional computers have been recruited into botnets this quarter. This equates to more than 150,000 computers infected every day, or 20% of the personal computers bought daily.

It also said that South Korea accounted for the largest boost in bot activity, with a 45% increase in newly infected computers over the last quarter. Such botnets were used to execute the recent DDoS attacks against the White House, the New York Stock Exchange and South Korean government websites.

But although South Korea has its problems, it accounts for less than four percent of the world’s new bots. It’s the U.S. that tops the list, with 15% of the new zombie computers.

And it’s this bot expansion that is behind the increasing volume of spam, which now makes up 92% of all email. Spam volumes have exceeded the previous record by 20%, increasing at a steady rate of roughly 33% each month. This equates to spam volumes growing by over 117 billion emails every day.

What’s most disturbing is that as the number of bots continues to grow, malware writers have begun to offer malicious software as a service to those who control botnets. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. And programs like Zeus, an easy-to-use Trojan creation tool, continue to make the creation and management of malware even easier.

And cyber criminals are increasingly turning their attention to the popular social networking sites, including Twitter, Facebook and MySpace.

Guest Article by Neil Camp


Virus Sinowal

Wednesday, May 27th, 2009

Security outfit Kaspersky reports that it has discovered a fresh version of the malicious virus Sinowal, which represents a very sophisticated threat, and computer users should be on their guard. It also employs a new method which is being used for the first time by cyber criminals.

Sinowal, also known as Torpig, has the ability to hide itself by contaminating the master boot record (MBR), which is part of a computer’s hard drive. The MBR is the lowest level of the operating system, and by sitting there it effectively bypasses the anti-virus software.

Sinowal is a botnet-forming virus which is designed to exploit weaknesses in websites. One of its most recent targets has been the security hole in the Adobe Acrobat Reader PDF software.

Sinowal is particularly sophisticated on one level, yet quite simple on another, which has made it a long-term adversary of security experts for many years.

Kaspersky admitted that for many computer users, being infiltrated by Sinowal and its variants was inevitable. Sinowal was adept at creating botnets which would later allow trojans onto the infected computers.

The security firm recommended that anti-virus software be kept stringently up-to-date and that should Sinowal be discovered, special instructions had to be followed in order to remove it.

Guest Article by Neil Camp


McAfee Security Threat Report

Wednesday, May 13th, 2009

McAfee’s latest security threat report (covering January to March 2009) reveals that since January, over 12 million new IP addresses have been hijacked by cybercriminals, a 50% increase since 2008.

IP addresses are hijacked and the computers behind them are used as zombies within worldwide botnets. A zombie is then used to send out spam email, infecting other machines which in turn send out even more email, and so the process goes on, creating billions of spam emails which clog up the system.

The U.S. is home to the greatest percentage of botnet infected computers, accounting for nearly 20% of all zombie machines.

Cybercriminals are rushing to create new botnets after the shutdown of a major spam-hosting ISP, McColo Corp, in November 2008, which cut spam levels by some 60%.

And the cybercriminals are quickly recovering the ground that they had lost, with spam volumes now about 70% of what they were before McColo was stopped.

Jeff Green, senior vice president of McAfee Avert Labs, said: “The massive expansion of these botnets provides cybercriminals with the infrastructure they need to flood the web with malware. Essentially, this is cybercrime enablement.”

The report came up with a number of other findings, including that the Koobface virus has made a resurgence. More than 800 new variants of the virus have been discovered in March 2009 alone.

Also, malware writers are increasingly using servers which host legitimate content to serve malicious and illegal content.

Cybercriminals are using URL redirects more often, and are using Web 2.0 sites to hide their location.

Ironically, given the recent media fuss about Conficker, the report concludes that this worm, and all its variants, only accounted for some 10% of detections reported during the first quarter. But whether this means it was over-hyped, or hasn’t yet had the effect feared, remains to be seen.

Guest Article by Neil Camp


Be Afraid, Be Very Afraid

Tuesday, April 28th, 2009

Conficker is coming alive.

The virus that threatened to cause chaos on April Fool’s Day and was eventually labelled by some as a prank, is having the last laugh as it becomes activated across a number of personal computers.

Conficker, also spelt Conflicker, and also known as Downadup or Kido, is a particularly insidious form of worm which sits covertly on a computer and turns it into a zombie, part of a botnet. The zombie sits and awaits instructions, mostly opening the way for a piece of malware with a specific task. This might be a virus called Waledac, which sends out millions of spam emails from the computer’s mailbox.

Accompanying the spam emails are false anti-spyware programmes which eventually render the receiving computer open to attack. The receiving computer is then recruited into the botnet, in turn sending out more spam email. The receiving computer is also left sitting there with its defences down, waiting for the virus to send the personal and financial details of its user back to the originator of the worm.

Computer security experts are worried because the worm appears very sophisticated and operates in a stealth mode, sitting on machines until activated. It’s feared that Conficker has infiltrated thousands of computers, awaiting instructions. Experts also fear that there is a twist that no-one is aware of yet, as Conficker has yet to show its true colours.

Conficker and its botnets are thought to be controlled by cyber crime syndicates based in China, Eastern Europe, Latin America and Southeast Asia.

The worm is designed to exploit operating system weaknesses, with Windows being particularly vulnerable. It can bypass many corporate firewalls when people swap files from an infected computer to a clean one using a USB memory stick.

Computer users worldwide are being warned to be on their guard against Conficker.

Guest Article by Neil Camp


Ukrainian Cyber Thieves Grab PCs

Sunday, April 26th, 2009

Security firm Finjan has discovered a massive network of remotely controlled PCs, including computers inside the U.K. and U.S. governments.

The network, known in the industry as a botnet, is said to have spread across nearly two million individual machines and looks likely to have originated in Ukraine. Although figures were patchy, it is believed that several computers within U.K. Government departments were compromised. It is understood that the Metropolitan Police is investigating.

A botnet is a cyber criminal’s dream. The infected computers that form the net become zombies, awaiting instructions from the people who planted them. All it takes is for one machine to be infected before it in turn infects as many machines as it can, creating the botnet. The zombie computers are then open to attack from all kinds of viruses and malware, each with a different role in life.

One job might be to send out phishing emails from the computer user’s mailbox, enlarging the botnet and causing people to load bogus websites which ask for personal and financial details. Another might be to record keystrokes on a user’s computer, which allows the cyber criminals to enter a legitimate website, usually financial, and empty an account using the information they have gathered. And they might allow access to a computer’s stored information, including files and operating systems.

In effect, the zombie computer becomes a beachhead for all manner of future attacks.

The cyber criminals behind the attack represent the storm troopers, and rather than use the open door themselves, they usually sell the opportunity to others. It has been reported that the hackers behind this botnet were selling access to machines within the botnet at around $100 a time.

The botnet hit worldwide, with around 5% of infected machines being situated in the U.K., including the British Government and one computer inside the BBC.

The network was spotted after routine security checks and rumours of its existence, and it marks a new stage of sophistication from the world’s cyber criminals.

Guest Article by Neil Camp

The Editor

Alan Potts: My name is Alan Potts and I'm the Editor of the Antivirus-BUYability web site and Managing Director of BUYability Limited.
