Cisco 2009 Midyear Security Report
All contents are Copyright © 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Midyear Security Report presents an overview of Cisco security intelligence, highlighting threat information and trends from the first half of 2009. The report also includes recommendations from Cisco security experts and predictions of how identified trends will evolve.
As the global economy struggles to regain its footing, one moneymaking sector remains healthy—online crime. This sector embraces technical innovation, collaborates with like-minded enterprises to develop new strategies for generating income, and continues to demonstrate adoption of the best legitimate business strategies to maximize profits.
Criminal sophistication and business acumen have increased since the publication of the 2008 Annual Security Report. For instance, criminal enterprises are innovating new business models with the creators of botnets—networks of compromised computers that can carry out the bidding of online scammers. These innovations include “botnets as a service,” a sobering spin on the software-as-a-service trend that has spread across the technology sector.
“We see many signs that criminals are mimicking the practices embraced by successful, legitimate businesses to reap revenue and grow their enterprises,” said Tom Gillis, Vice President and General Manager of Cisco Security Products. “It seems the best practices espoused by magazine and Harvard Business School have found their way into the online underworld.”
Cause for Concern: Technical Innovation of Online Criminals
The technical innovation and capabilities of online criminals are remarkable. The Conficker worm, which began infecting computer systems in late 2008 and early 2009 (and is still infecting thousands of new systems daily), provides the best example. Several million computer systems have been under Conficker’s control at some time as of June 2009, which means the worm appears to have created the largest botnet to date. (Read more about Conficker on page 4.)
Security industry watchers also point to the methods used by Conficker to propagate and create the botnet. Instead of using newer approaches that involve social engineering, or delivering the payload via email or the Internet, Conficker’s creators exploited a vulnerability in the Windows operating system. This was an “old-school” method that may not have seemed threatening, given the preponderance of new tactics for online scams. Conficker’s creators appear to have recognized that their entry point into computer systems might yield more satisfying results.
It’s safe to say online attacks will continue to showcase the most cutting-edge technology—and criminals will try to use older tactics in new ways. Criminals are also closely watching security researchers and learning from their methods for thwarting attacks, putting the “good guy” knowledge to use so their next attack can evade existing protections.
Cause for Concern: Criminal Sophistication and Collaboration
“Bad guys” are aggressively collaborating, selling each other their wares, and developing expertise in specific tactics and technologies. Specialization makes it tougher to shut down illegal activity, because there are many players in this ecosystem.
Consider the collaboration between the creators of two large botnets, Conficker and Waledac (see page 10). In April, the Conficker botnet monetized itself by delivering the Waledac malware via Conficker’s own hosts, along with scareware—scam software sold to consumers based on their (often unnecessary) fear of a potential threat—to generate revenue from victims. In other words, Conficker served as a large-scale distributor for Waledac’s wares.