Blog
David Finger, Product Marketing Manager, Trend Micro: Monday, February 4, 2008 | 9:00 AM
Is there a disconnect between these CIOs and their IT administrators? Have organizations simply accepted their routines related to mail server security as the norm? Is there a general cynicism that "the grass always looks greener on the other side" and all mail server security solutions are the same?
David Perry, Global Director of Education, Trend Micro: Wednesday, January 30, 2008 | 5:00 PM
Jamz Yaneza, Research Project Manager, Trend Micro Advance Threat Research: Wednesday, January 30, 2008 | 3:45 PM
- Almost everything done in the real world is likewise done online these days; treat being online with the same caution;
- Use security software that includes antispam and data leak functionality; stop the bad guys before their phishing email even reaches your desktop and ensure your private information isn't being sent to unknown third parties;
- Viruses, worms, Trojan horses and many other threats have grown more than ten-fold in the last year alone; install and keep your anti-malware software updated and use it as another layer of defense;
- Online identity theft is rampant for banking, online gaming, and social networking sites; always visit sites via their official URL and not from links sent via email, on the web, or instant messengers;
- Control the amount of personal information that you make public; most social networks and rich media have options to control who has access to your posted content and it is there for a reason!
Adam Biviano, Premium Services Manager, CISSP: Wednesday, January 30, 2008 | 12:00 PM
- Website developers need to factor code maintenance into contracts with their clients and take an active stance in the security of the online services they create.
- Companies with web services need to understand the security implications and be prepared to have their website developed and maintained by an outfit who understands the modern threat landscape.
David Perry, Global Director of Education, Trend Micro: Tuesday, December 11, 2007 | 10:00 AM
Introduction
In today's world of malicious software (malware) there is rarely a simple case or a simple fact. Things have gotten complicated. There are several different facets or functions to look at in almost every case. In an effort to provide a more understandable primer, I will divide the definitions into some distinct categories, each looking at the problem from a different angle, each defining a separate piece of the crimeware world - People, Delivery Methods, and Payloads.
People
- There are several different players in the world of Internet crime, and I will name them all as they come up in the creation of this document. As always, please email me if you wish me to add anything here. I think it is vital that we distinguish the players from the malware. All too often we see a news story where a particular cyber crime is blamed on a piece of malware. You don't see a physical bank robbery blamed on the gun; so why should we be so sloppy in reporting the world of malware? These malicious programs exist only by the specific design and for the specific uses of PEOPLE, and the PEOPLE are the criminals involved.
- HACKER: generic term, originally meaning "skilled programmer" now full of contradictory meaning, still, today used as the general term for anyone skilled beyond the constraints of normal people, especially where computer security is concerned.
- HACKTIVIST: politically motivated hacker (popular with website defacing).
- HAT: a term used to define the ethical status of a hacker in question.
- BLACK HAT: evil, or at least on the dark side. Not to be confused with the Black Hat Briefings, an annual security seminar series.
- GREY HAT: questionable.
- WHITE HAT: ethical hacker (there are actually standards for this).
- BLUE HAT: a consultant brought in to hack a new system prior to its launch.
- RED HAT: a version of Linux, not part of this discussion.
- SPAMMER, SPAM KING: One who sends spam (always) for monetary gain (frequently) with intent to defraud.
- SCRIPT KIDDY: a term of derision. The "script kiddy" is too unskilled to write his own malware, and uses virus creation scripts to generate them for him.
- BOTHERDER: anyone who gathers bots under a C&C, and resells the resultant botnet to other criminals.
- CRACKER: one who defeats copy protection or other DRM.
- FILE SHARER: the cheapest, lowest level of cyber crime, this is people sharing copyrighted materials online. Ironically, this is the most legally prosecuted group of all our cyber criminals, due largely to the actions of industry watchdog organizations like the RIAA and MPAA.
David Perry, Global Director of Education, Trend Micro: Tuesday, December 11, 2007 | 10:00 AM
Delivery Methods
Much of the general public still refers to everything under the sun as a virus. Also, when a new piece of malware is introduced (say, a screen scraper) it is assumed to be self contained and separate from a virus. In reality, the virus is only a DELIVERY METHOD. It can carry any of a vast number of malicious PAYLOADS, and any PAYLOAD can be foisted on any number of similar or dissimilar DELIVERY METHODS. Think of this as a modular stereo system, or a big box of evil Tinkertoys™.
- VIRUS: the granddaddy of them all, and still going strong, a virus is noted for its ability to make copies of itself, or replicate. There are far more viruses today than ever before, yet they are now the smallest part of malware. (This means malware overall has grown far more rapidly than viruses in recent years.)
- WORM: subset of virus. A worm is a virus that spreads itself to multiple systems through a connected resource or network. This contains both email viruses like Melissa and non-user involving worms like CODE RED.
- SPAM: automatically mass-forwarded email. Today's SPAM is almost always forwarded by a BOTNET.
- NETWORK VIRUS (NETWORK WORM): this is a virus that uses a vulnerability to spread without any user notice or interference. A good example of this is SLAMMER.
- PHISHING: an email delivers a spurious link to a fraudulent web page. Object? Theft of passwords, account data or identity are its main targets.
- BOTNET: oddly, the BOTNET will occur in nearly every category, because it does nearly everything! Much malicious code is delivered by the ubiquitous remote control botnets.
- TROJAN: anything disguised to encourage the user to voluntarily download or activate it. This is like the Trojan Horse from the Odyssey.
- WEB-BASED THREATS, WEB THREATS: the most modern family of delivery is based on viewing an infected web page. Although this contains and began with phishing attacks, today WEB THREATS frequently are triggered by the mere viewing of an infected page. Most recent statistics claim that nearly ten percent of all websites are infected.
David Perry, Global Director of Education, Trend Micro: Tuesday, December 11, 2007 | 10:00 AM
Payloads
The actual dirty work is done by a PAYLOAD, and there are plenty of these, including, but not limited to the following:
- BOT: again, we find that bots are not only a payload for viruses and worms, but are frequently downloaded by bots themselves. BOTS are updated to add new features and to evade detection.
- DOWNLOADER: this does just as it sounds; it is a program whose sole function is to download yet other programs.
- TROJAN: unlike the delivery method (trojan) defined in part 2, when the word TROJAN is applied as a payload it frequently means that a back door or RAT (see below) has been planted on the system.
- BACKDOOR: An added and secret way into the targeted system.
- TRAPDOOR: A backdoor built into the system by its designers; a trapdoor is never a payload for malware.
- KEYLOGGER: records every keystroke in the hope of stealing vital information.
- EVENT RECORDER: like a keylogger but records Internet input as well as keyboard data.
- SCREEN SCRAPER: takes 'snapshots' of the computer screen to override protection from the keylogger.
- ROOTKIT: the 'Harry Potter invisibility cloak' of the software world, a rootkit will hide anything else going on by seizing control of the program vector table.
- SPYWARE: a much overused term, spyware can be anything from a web cookie log to a password theft payload. Many innocuous spyware infections are used by crimeware for a 'piggyback.'
- LOGIC BOMB, DESTRUCTIVE PAYLOAD: very 'old school' a logic bomb will destroy data (or, in very limited circumstances, systems) when triggered.
- TRIGGER CONDITION: had to put this in here, viruses, etc. used to rely on some external condition (date, time, reboot count, ad infinitum) to trigger their payload activity, but nowadays it is pretty much all handled under internet triggering and a C&C.
There are 'scenes', 'games' and 'capers' where Internet crime is concerned. Here is a starter list.
- IRC CHAT ROOMS: this is where much of the criminal business is done. Stolen credit cards and passwords are auctioned off by the bucketload on secret criminal auction sites. All pretty much based on Internet Relay Chat (IRC).
- COMMAND AND CONTROL (C&C): the server that drives a BOTNET.
- SHARED RESOURCE CONNECTION: in the recent Web threat invasions, we have seen a trend to infect via an isp, Web hosting agency or other common infrastructure server. This permits infection of thousands of websites in a very limited amount of time.
- DISTRIBUTED MALWARE GANG: the person who writes the code is working for someone who resells it to an integrator who packages it into an 'off the shelf' toolkit like MPACK. The person who infects the system with this purchased kit resells the stolen data to yet another gang who actually arrange the crime. This passing the buck makes it very difficult to prosecute cyber criminals, especially when done internationally.
- OFF-THE-SHELF, KITS: these days, a criminal needs no expertise to become an Internet criminal: he can buy an off-the-shelf hacking package together with tech support and an upgrade contract.
- PHARMING: like phishing, but accomplished at the Domain Name Server (DNS) level. Pharming requires sophisticated techniques to detect.
- DENIAL OF SERVICE ATTACK (DOS, DDOS): many computers are used to shut down a particular IP address, frequently for purposes of extortion. The first really noteworthy DDOS was in 1992, and was performed by a Toronto area teen calling himself "mafiaboy." Today, DOS attacks are very common. The machines involved are frequently referred to as 'ZOMBIES.'
- INFECTED WEB SITE: using any one of a number of vulnerabilities, a website can become the source of an infection. It is estimated that ten percent (10%) of ALL websites are infected.
- ZOMBIE: a machine used in a DOS or in a BOTNET (distinction--the program is a BOT-short for Robot, the computer is a ZOMBIE).
- WAREZ: hacker term for software (particularly cracked software, malware and software piracy).
Ivan Macalintal, Research Project Manager, Trend Micro Advance Threat Research: Thursday, December 6, 2007 | 10:13 PM
The RBN vanishing act reminded me of a film from December 2006 starring Edward Norton. The film was aptly called, "The Illusionist." Norton plays a magician whose mesmerizing sleight of hand leads to a faked death, a wrongful accusation, and a suspicious disappearance.
As with the magician in the movie, we've been led to believe the RBN have "vanished," when in reality they are still here conducting their usual activities. Some recent sightings indicate that they are behind some PC hijackings via ad banners on a couple of major Web sites which include the Major League!
They're attempting to divert our attention, lead us astray, conjure up illusions that point to some out-of-the-way and dubious suspicious cyber-groups, when in reality, it is RBN all along.
Web threats are serious business. We're monitoring any RBN-related events and incidents - however small - so that we will not be taken off-guard.
Paul Oliveria, Technical Communications Specialist, TrendLabs: Wednesday, December 5, 2007 | 10:33 AM
Last month, the ZLOB family of trojans crossed over from Windows to attack Mac users. These threats enter the computer disguised as video codecs apparently needed for the video to display properly. In reality, they change the DNS server of the infected computer to point to other sites and serve advertisements. The download servers of the trojan are configured to provide the Mac executable when the sites are accessed from a Mac computer. TrendLabs researchers are continuously monitoring this malware family, detecting and blocking the malicious URLs, to make sure computer users are protected from them.
Last week was riddled with attacks, real and otherwise, against Mac computers, starting with news that several Mac fan sites had been hacked and defaced because of their "excessive Apple fanboism." The incident turned out to be a publicity stunt gone awry. However, the message that came with this hoax somewhat holds true:
This is a message to the rest of the Mac community, so listen up. Ever heard of hubris? Tone it down and you will not be attacked.
Given Mac's increasing popularity, there will likely be no sign of "toning it down." And the attacks are coming left and right. Case in point: iDisk, a Mac user's version of an online personal hard disk. Recently, Trend Micro Senior Threat Researcher Feike Hacquebord came across some 200+ spam-related URLs on 23 iDisk accounts. These URLs are hosted on idisk.mac.com. The affected accounts may have been compromised, legitimate, or even trial accounts, but the fact remains that spammy URLs more often than not point to more malicious sites and files.
Is the time ripe for more Mac attacks? It's very likely. Mac users should therefore be more aware of the threats their machines are vulnerable to, as well as the steps they can take to protect themselves and their network. Trend Micro, together with Intego, the leading developer of Internet security and privacy software for Macintosh, may have the solution for you. Learn more from our white paper: Your Enterprise is Only as Secure as Your Macs.
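The DNS rewrite described in the post above is easy to audit for. The following is an added example, not Trend Micro's detection logic or any product code: it parses a host's configured resolvers, either in resolv.conf syntax or as one address per line (the form `networksetup -getdnsservers <service>` prints on Mac OS X), and reports any resolver that is not on the set the organisation expects. The expected resolver set, the two configuration samples and the 203.0.113.0/24 "attacker" addresses are constructed for illustration.

```python
"""Audit configured DNS resolvers against the set policy expects.

Added example, not Trend Micro code. EXPECTED_RESOLVERS and the sample
configurations below are constructed (assumptions, not real deployments).
"""
import ipaddress
import re

# Constructed policy (assumption): the only resolvers this host should use.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_resolvers(text: str) -> list[str]:
    """Accept resolv.conf syntax ('nameserver 10.0.0.53') or one address per
    line, which is what `networksetup -getdnsservers <service>` prints on
    Mac OS X. Comments, 'search', 'domain' and 'options' lines are ignored."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"(?:nameserver\s+)?(\S+)", line)
        if not m:
            continue
        try:
            found.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # single token that is not an address; skip it
    return found


def audit_resolvers(text: str, expected=frozenset(EXPECTED_RESOLVERS)) -> list[str]:
    """One finding per resolver that is not on the expected list; an empty
    list means the configuration matches policy. Resolvers are tried in
    order, so an unexpected first entry is the one that actually hijacks
    lookups."""
    resolvers = parse_resolvers(text)
    if not resolvers:
        return ["no resolver configured"]
    findings = []
    for position, ip in enumerate(resolvers):
        if ip not in expected:
            where = "first" if position == 0 else f"position {position + 1}"
            findings.append(f"unexpected resolver {ip} ({where})")
    return findings


# Constructed samples: the expected configuration, one rewritten to point
# at attacker-controlled resolvers (documentation addresses), and the
# one-address-per-line form from networksetup.
CLEAN_CONF = """# corporate resolvers
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
options ndots:2
"""
HIJACKED_CONF = """nameserver 203.0.113.7
nameserver 203.0.113.8
"""
MAC_OUTPUT = "203.0.113.7\n10.0.0.53\n"

if __name__ == "__main__":
    for label, conf in (("clean", CLEAN_CONF), ("hijacked", HIJACKED_CONF), ("mac", MAC_OUTPUT)):
        print(label, audit_resolvers(conf) or "OK")
```

Run it against the output of `networksetup -getdnsservers` (or the contents of /etc/resolv.conf) on a machine you suspect; a resolver you do not recognise in the first position is the symptom the post describes.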
David Sancho, Antivirus Engineer, Trend Micro: Thursday, October 18, 2007 | 8:07 AM
Sometimes things aren't what they look like, but sometimes they are. A few months back, our investigators followed a threat taking shape from a dodgy Web server. After chasing the initial lead, they were able to pull a lot of data and track down where the attack was coming from: an organization that calls itself RBN (Russian Business Network). For some time we've noticed this specific part of the Internet spewing malware, infected Web pages, malicious exploits, and spam galore. Now more people are noticing as reported in the news, but even though many security companies have tried to report malware incidents from the RBN to the Russian authorities, this organization has proved to be as resilient as the Web hosting they allegedly aim to provide. Just yesterday, this shady organization spoke for the first time, denying all charges against them.
The fact is that where there is money to be had, there will always be people willing and able to break the law for their own benefit. From the looks of it, criminal organizations centered on malware are here to stay and their business models are developing as fast as their income. I read recently about the concept of "malware as a service" on blogspot and that's exactly what RBN and other criminals are becoming: malware enablers. Not only do they create the executables, but these organizations host and maintain a complex platform that fuels the malware engine and then sell it to their customers. They keep deploying and updating malware, while using the stolen bandwidth and data to fulfill their customers' needs.
Miray Lozada: Monday, July 23, 2007 | 3:56 PM
Christine Drake, Trend Micro: Friday, July 20, 2007 | 3:21 PM
In these scams, a spammer buys cheap stock and then promotes the stock in these emails. Many recipients buy the stock and drive up the value, giving the spammer a profit. This is yet another example of spam being used for cyber crime. Charges were recently filed against two men who are accused of making more than $4.6 million using a similar scam.
The recent PDF spam is sent by PCs infected with the E-card Trojan WORM_NUWAR. The higher the number of infected computers, the greater the amount of PDF spam sent. This same Trojan was responsible for sending image spam in 2006, showing that these same criminals are adapting their methods.
These new PDF spam emails tend to have randomly generated subject lines and attachment names, and often contain little to no text in the body of the email. Initially, the PDF files in these spam attacks were the same, making it easy to identify similar files within the attack. But spammers quickly began randomizing aspects of the PDF file, requiring more sophisticated detection. Spammers are also blurring the text in the image to make it more difficult for anti-spam engines to identify the spam message.
Not only does PDF spam provide a challenge to anti-spam filters by removing all content from the email body and placing it in an attachment, but these messages are also much larger than other types of spam, clogging networks and potentially delaying email.
Trend Micro quickly responded to this new type of attack by releasing anti-spam updates with heuristics targeted at PDF spam and continues to release further updates as this type of threat evolves. Trend Micro's InterScan Messaging Hosted Security is particularly effective at combating this threat because it blocks PDF spam in the cloud before entering the network, preventing this threat from impacting an organization's messaging infrastructure.
Just as image spam is on the decline, PDF spam will also fade as anti-spam engines begin to effectively block this threat. But spammers will undoubtedly come up with a new trick and the dance between spammers and anti-spam vendors will continue.
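The post above lists the traits of PDF spam (random subject and attachment names, an almost empty body, a PDF that is large compared with text spam) and says the response was heuristics aimed at them. The following is an added example, not Trend Micro's anti-spam engine: it parses a raw message with the standard library, scores those four signals plus the presence of the PDF itself, and blocks at three or more. The thresholds, weights, randomness test and the two sample messages are all constructed for illustration; a production engine weighs far more signals than this.

```python
"""Heuristic scoring for PDF spam, along the lines the post describes.

Added example, not Trend Micro code. Signals, thresholds and the sample
messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed thresholds (assumptions, not taken from the post or any product).
LARGE_PDF_BYTES = 20_000   # PDF spam was much bigger than text spam
SHORT_BODY_CHARS = 40      # "little to no text in the body"
BLOCK_SCORE = 3            # three or more signals => treat as spam


def looks_random(text: str) -> bool:
    """Crude test for machine-generated subjects and file names: a word of
    five or more characters that mixes letters and digits, or has no vowel.
    It misfires on words like 'rhythm'; it is one signal among several."""
    text = re.sub(r"\.pdf$", "", text.strip(), flags=re.I)
    for word in re.findall(r"[A-Za-z0-9]+", text):
        if len(word) < 5:
            continue
        has_letters = re.search(r"[A-Za-z]", word) is not None
        has_digits = re.search(r"\d", word) is not None
        if has_letters and (has_digits or not re.search(r"[aeiouAEIOU]", word)):
            return True
    return False


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Return (score, reasons) for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    pdfs = [p for p in msg.iter_attachments()
            if p.get_content_type() == "application/pdf"
            or (p.get_filename() or "").lower().endswith(".pdf")]
    if not pdfs:
        return 0, ["no PDF attachment"]
    score, reasons = 1, ["PDF attachment"]

    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    if len(body_text) < SHORT_BODY_CHARS:
        score += 1
        reasons.append("near-empty body")
    if looks_random(str(msg.get("Subject", ""))):
        score += 1
        reasons.append("random-looking subject")
    if any(looks_random(p.get_filename() or "") for p in pdfs):
        score += 1
        reasons.append("random-looking attachment name")
    total = sum(len(p.get_payload(decode=True) or b"") for p in pdfs)
    if total > LARGE_PDF_BYTES:
        score += 1
        reasons.append(f"large attachment ({total} bytes)")
    return score, reasons


def is_pdf_spam(raw: bytes) -> bool:
    return score_message(raw)[0] >= BLOCK_SCORE


def build_sample(subject: str, body: str, filename: str, pdf: bytes) -> bytes:
    """Build a constructed sample message (for the demo and tests only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename=filename)
    return msg.as_bytes()


# Constructed samples: a pump-and-dump style PDF spam and an ordinary invoice.
SPAM_RAW = build_sample("qxzkt 8832 vkrtp", "", "fj83kd.pdf",
                        b"%PDF-1.4\n" + b"\0" * 30_000)
LEGIT_RAW = build_sample("Invoice for April",
                         "Hi Tom, attached is the invoice for the work we discussed last week. Thanks, Maria",
                         "invoice_april.pdf", b"%PDF-1.4\n" + b"\0" * 2_000)

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_RAW), ("legit", LEGIT_RAW)):
        print(label, score_message(raw), "-> block" if is_pdf_spam(raw) else "-> deliver")
```

The legitimate invoice scores only for carrying a PDF, which is why a single signal is never enough on its own; the spam sample trips all five. Note that none of these signals look inside the PDF, which is exactly why the randomised and blurred images the post mentions were needed to defeat the next step, content inspection.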
Trend Micro: Wednesday, July 11, 2007 | 3:40 PM
David Sancho, Antivirus Engineer, Trend Micro: Tuesday, July 10, 2007 | 7:24 AM
The same thing goes for phishing site ads (spam) sent by email. Phishing emails generally use social engineering tricks to coax recipients into clicking on the link in the email, which brings the user to a phishing Web site designed to capture private information (either through malware or a form).
These examples of cross-protocol threats demonstrate how email security can be used to prevent Web threats. For example, the reputation of URLs embedded in emails can be assessed to determine if they link to spam, phishing, or malware download sites. If the embedded URL has a "bad" reputation, the email can be blocked, keeping the email out of the inbox and preventing the recipient from falling victim to the Web threat.
Trend Micro can help your company block Web threats through email by implementing an innovative way of checking the reputation of both URLs and email senders through Web Reputation and Email Reputation. In addition, Trend Micro provides Web Security which blocks access to dangerous sites. As attackers try new ways to break through our security, we can block them with an integrated defense.
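The check the post describes, assessing the URLs embedded in an email before it reaches the inbox, can be sketched in a few dozen lines. This is an added example, not Trend Micro's Web Reputation service: it pulls URLs out of the plain-text and HTML parts of a message, looks each host up in a reputation table (walking up the labels so a subdomain inherits its parent's verdict), and also flags an anchor whose visible text shows one site while its href points at another, the classic phishing trick. The reputation table, the domains and both sample messages are constructed; a real deployment would query a reputation service instead of a dictionary.

```python
"""URL reputation and link-text mismatch checks on an email message.

Added example, not Trend Micro code. REPUTATION and both messages are
constructed (assumptions standing in for a real reputation lookup).
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed reputation table (assumption): domain -> verdict.
REPUTATION = {
    "paypa1-secure-login.example": "phishing",
    "cdn-updates.example": "malware",
    "example.com": "good",
}
BAD = {"phishing", "malware", "spam"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_of(url: str) -> str:
    """Normalised host: lower-case, no port, no trailing dot."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".")


def lookup(host: str) -> str:
    """Walk up the labels so www.bad.example matches an entry for bad.example."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        verdict = REPUTATION.get(".".join(labels[i:]))
        if verdict:
            return verdict
    return "unknown"


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML part."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw: bytes) -> list:
    """(url, text shown to the user) pairs from the plain and HTML bodies."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            links += [(u, u) for u in URL_RE.findall(part.get_content())]
        elif ctype == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            links += collector.links
    return links


def assess(raw: bytes) -> dict:
    """Block if any link is on a bad list or its visible text lies about its target."""
    findings = []
    for url, shown in extract_links(raw):
        host = host_of(url)
        verdict = lookup(host)
        if verdict in BAD:
            findings.append(("reputation", f"{host} is listed as {verdict}"))
        shown_host = host_of(shown) if URL_RE.match(shown) else ""
        if shown_host and shown_host != host:
            findings.append(("mismatch", f"link text shows {shown_host} but points to {host}"))
    return {"verdict": "block" if findings else "deliver", "findings": findings}


# Constructed messages: a phishing lure with a deceptive anchor, and a newsletter.
PHISH_RAW = b"""From: "Account Services" <alerts@example.com>
To: user@example.com
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your account will be suspended. Verify now:
http://www.paypa1-secure-login.example/verify?id=4417

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your account will be suspended. Verify now:
<a href="http://www.paypa1-secure-login.example/verify?id=4417">https://www.example.com/account</a>
</p></body></html>

--b1--
"""
CLEAN_RAW = b"""From: news@example.com
To: user@example.com
Subject: Monthly newsletter
Content-Type: text/plain; charset="us-ascii"

This month's issue is online at https://www.example.com/newsletter/2007-07
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("clean", CLEAN_RAW)):
        print(label, assess(raw))
```

The mismatch check is independent of the reputation table, so it still catches a lure whose domain was registered an hour ago and is not yet on any list, which is the gap a pure blocklist leaves.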
David Sancho, Senior AV Researcher, Trend Micro: Wednesday, April 18, 2007 | 8:39 AM
David Sancho, Antivirus Engineer, Trend Micro: Thursday, March 22, 2007 | 4:02 PM
A few years ago, a friend of mine had his small retail Web site compromised by hackers. When I saw him that very same day, he told me how the "hacker group" had replaced his sausage-selling Web page with a humorous show-off page including a few distasteful remarks about how skilled the hackers were. Needless to say, my friend didn't think it was funny, but apparently that was the end of the damage.
If my friend was attacked by hackers today, chances are his customer database would be stolen along with credit card numbers and email addresses--the most valuable assets of such a database. In addition, the hackers would probably leave malware running in the machine to guarantee further access. Today, malware not only keeps the access open, but also maximizes the effects of the break in. In many cases, the compromised machines silently become malware download sites, infected with spam-sending malware or with other nasties.
Shockingly enough, it is small Internet-based businesses like my friend's that are the most likely targets of hackers. According to a recent article in the New York Times, studies show that small businesses spend the least on security relative to larger firms. Today, I strongly advise my friend to keep his servers permanently up-to-date and protected with a comprehensive security solution. A small investment in security can prove to be a decisive barrier to attack, protecting business and customers from threats.
David Finger, Product Marketing Manager, Trend Micro: Monday, March 12, 2007 | 9:14 AM
Whether it is a worm (like Stration) that infects PCs in order to broadcast spam unbeknownst to the owner or a spam campaign that delivers spyware (like troj_small) to steal sensitive information, today's threats continue to grow in volume and sophistication. As a result, I am seeing many organizations expanding the traditional "defense in depth" strategy to a more intelligent and coordinated Layered Messaging Security approach that intelligently deploys the most appropriate types of protection at the most effective points in the network.
Certainly, there has been a lot of attention focused on email gateway security in the last few years, to stop external attacks at the perimeter (in order to preserve connections and reduce bandwidth and storage costs) and, increasingly, ensure that sensitive information does not leave the organization. But protection at the email server still plays a valuable role: stopping threats originating inside of the organization (a risk that has grown along with the mobility of the workforce) by inspecting internal and outgoing email before archiving, supervisory and other obligations begin.
Beyond email, I've seen a growing awareness of the need to extend messaging security to protect IM and collaboration servers, although in many cases organizations are just beginning to move from awareness to action. And a surprising number of customers seem to be getting more value from web security products by using them to supplement messaging security measures; URL filtering is a good way to protect users against sophisticated phishing attacks, for example.
If this blog has piqued your interest, have a look at our new whitepaper on Layered Messaging Security. And please share your own opinions about what was discussed today.
David Sancho, Antivirus Engineer, Trend Micro: Monday, December 4, 2006 | 4:39 PM
Thanks to an increased Internet bandwidth in developed countries, video downloading is becoming a more common occurrence. In order to be able to see different video formats, users need to have codecs installed. Codecs are programs that encode and decode digital data streams.
Although the "codec installation" attack is not new, these types of attacks have been increasing lately, duping many users into downloading and installing malware threats on their PCs. The strategy of the attacker is to provide supposed codec files for users to download free of charge. They even go as far as setting up fake Web sites, created around the concept of codec downloading.
Everything starts when a user downloads a video file and is warned that a codec is needed in order to see the content. After an Internet search, users can land on a malware Web site that looks so convincingly real that they willingly install the fake codec, which is actually malware. The graphical interfaces of these fake codec Web sites are so well done that they can fool even the most experienced users. Check this screenshot and this other one for examples.
The ZLOB family of trojans is the one that uses this strategy most often. Once the malware has infected a computer, it downloads and installs more malware and eventually sets up a backdoor in the computer, leaving it vulnerable to external access. This backdoor can bring any other malware into the system with identity theft effects, information leakage, or spyware downloads. Since the final effect can be devastating for both the user and the company, it is in the user's best interest to avoid downloading codecs and other programs from untrusted sources.
Be warned, make sure you download real codecs, employ gateway security, and always have your antivirus up to date!
David Sancho, Antivirus Engineer, Trend Micro: Tuesday, November 7, 2006 | 2:07 PM
TrendLabs discovered the first Stration worm samples last August. Ever since then, it's been hammering users with annoying emails. The remarkable thing about Stration is that apparently it behaves like an old-time worm. It brings back memories of Bagle and Netsky and the war of the worms, more than two years ago now. These worms just wanted to propagate as far and as wide as possible. To do this, they sent ingeniously crafted emails that fooled users into thinking they came from a local admin, or other similar schemes. This is totally different from the threat landscape today, with money-hungry malware whose only objective is to steal the user's money or resources.
Well, after careful analysis by our lab researchers, Trend Micro uncovered the real reason for Stration. After some obfuscated communication with certain Internet servers, it finally downloads email templates to mass-mail to lists of users. Can you guess what kind of email it sends? Advertisements for pharmaceuticals. Yes, that's right. The whole big-worm scheme is just a giant ruse to create a massive spamming platform. If you ask me, that was something almost expected. It's not a coincidence that third-party vendors estimate spam totals at between 77% and 89% of all email traffic. Most of this is image spam, the kind of email Stration is sending.
Read the whole white paper about Stration from the Trend Micro Incident Response Team and stay protected!
David Sancho, Antivirus Engineer, Trend Micro EMEA: Tuesday, November 7, 2006 | 8:49 AM
Right after Internet Explorer 7 was released a few days ago, some advisories appeared with new bugs that affect this latest version of the ever-popular browser: check this advisory and this advisory. What does this tell us about Internet Explorer 7 browser security? Should people switch to Firefox, Opera, or any of the other browsers in the market now?
What it tells us is that Internet Explorer is still the most used and therefore the most attacked browser. Hackers continue targeting the browser that will get them the most financial gain. Lately, attacks on other browsers have increased, as well as attacks on Internet Explorer.
In my opinion, users should choose their browser taking into account product security features, usability, and speed. This is more of a personal preference rather than a matter of security policy. At the end of the day, the Web page browser is the most used tool in our everyday computing: people should use the one they are most comfortable with. That's what I do, anyway. Otherwise, we would be forced to switch browsers every time a new version is released, since that version would be the least attacked. That'd be mad, no?