IT Security Blog

27 December 2007

2007 Year in Review

I realize that I have been a bit lax in my posting over the past couple of weeks with the holidays and having been sick for a goodly amount of time (is any time that you are sick really "good" time?) as well. I thought I would take some time to attempt to bring 2007 to a close with a wrap up of what we have seen this year. I'll probably make some references to our 2008 predictions blog posting as well since some of what we have seen this year will carry over to next and beyond.

2007 will most certainly be known in the anti-spam and anti-malware worlds as the year of the Storm Worm. From late January, when Storm was first discovered, all the way through the end of the year (even this weekend we continued to see additional Christmas e-card variants popping up), Storm Worm volumes not only eclipsed every other piece of malcode that we saw in our Threat Center, but also surpassed volumes seen previously only during the outbreaks of the Sober worm back in 2005. Since the Storm Worm has been so adept at refining its social engineering tactics and has primarily been releasing new variants around major events like holidays, expect this to continue into 2008, likely morphing into political spam as the presidential races continue to heat up.

Speaking of social engineering, we saw several refinements this year not only in how it is used as a lure to attempt to get a user to open a message, but in how spam mail itself is targeted. Starting in late May and continuing through June (there was another that popped up in December also) spammers were forging emails purporting to be from government agencies like the FTC and non-profits like the Better Business Bureau in an attempt to make the message look like a complaint was being filed against the target company. What made these messages so unique and effective is that they were targeted and sent directly to C-level executives. If the target opened the attachment/clicked the link within the message body they were infected with a keylogger which would log any information input into the infected machine and upload it to a web site where cyber criminals were then selling that information for profit.

We also saw a significant shift away from image-based spam, a tactic that had been prevalent in large volumes since December 2005. Image spam had been the big spam story throughout all of 2006 and even into the early parts of 2007, reaching almost 40% of spam volume in April of this year. As it reached its peak, however, it quickly started to decline. As image spam waned, we saw the dawn of a new spam: PDF spam!

PDF spam forced the industry to react quickly and make sure that it was treating messages as holistic entities, examining not only message headers and body content but also the content of attachments, to ensure that spam content was not being hidden in there.

Although PDF spam volumes were short lived, they highlighted the rapid movement away from image spam, to the point where image spam is currently less than 3% of all spam volume that we see. PDF spam also introduced additional challenges that image spam did not. Not only were messages larger due to the PDF attachment (this was a similar characteristic of what we saw with image spam, so at least this in itself did not introduce any new challenges), but since PDFs need to be scanned for potential malcode they required the additional system resources of a virus scan. Many more CPU cycles were being chewed up processing PDF spam than its image-based predecessor. PDF spam lasted in large quantities for only about a month.

As PDF spam waned we have been seeing some minimal increases in other types of attachment-based spam, with spam sometimes appearing within the body of a Word doc or an Excel spreadsheet. Volumes of this type of spam are still quite low, but could easily be leveraged for a wide-scale attack similar to how PDF spam was used. Most of the tactics have now gone back to what I call "old school" style spam, where spammers have returned to text obfuscations in an effort to get their junk through spam filters.
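Two of the points above, scanning a message as a whole (headers, body and attachments) and undoing cheap text obfuscations before matching, can be shown together in a small filter. The following is an added example written for this post, not code from the original blog or from any product it describes. It uses only the Python standard library; the sample message, the term list and the character-substitution table are constructed for illustration. The attachment is plain text so the example runs offline; a real PDF or Office attachment would first need a parser to extract its text, which is noted in the code.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed term list. A production filter has thousands of weighted rules;
# three words are enough to show where in the message the hits come from.
SPAM_TERMS = {"viagra", "discount", "casino"}

# Constructed substitution table for common digit/symbol-for-letter swaps.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "|": "l"})
# Separators spammers insert between letters of a word (v.i.a.g.r.a, v-i-a-g-r-a).
SEPARATORS = re.compile(r"(?<=\w)[.\-_*]+(?=\w)")


def normalize_obfuscated(text: str) -> str:
    """Collapse letter separators and de-leet tokens that contain letters."""
    text = SEPARATORS.sub("", text)
    out = []
    for token in text.split():
        # Only translate tokens with at least one letter, so a genuine number
        # such as a year or an invoice total is left alone.
        if any(c.isalpha() for c in token):
            token = token.translate(LEET)
        out.append(token.lower())
    return " ".join(out)


def extract_regions(msg: EmailMessage) -> list[tuple[str, str]]:
    """Return (label, text) pairs for the headers, each body part and each attachment."""
    regions = [("headers", " ".join(f"{k}: {v}" for k, v in msg.items()))]
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Assumption: the decoded attachment bytes are treated as text. A PDF
        # or Office document needs a format-specific text extractor here.
        text = payload.decode(part.get_content_charset() or "latin-1", errors="replace")
        filename = part.get_filename()
        label = f"attachment:{filename}" if filename else f"body:{part.get_content_type()}"
        regions.append((label, text))
    return regions


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each region of the message to the spam terms found in it after normalization."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: dict[str, list[str]] = {}
    for label, text in extract_regions(msg):
        words = set(re.findall(r"[a-z]+", normalize_obfuscated(text)))
        found = sorted(words & SPAM_TERMS)
        if found:
            hits[label] = found
    return hits


def build_sample() -> bytes:
    """Constructed sample: clean headers and body, obfuscated payload in an attachment."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.invalid>"
    msg["To"] = "ceo@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("Buy V.1.a.g.r.a at a huge D1$c0unt today!",
                       filename="invoice.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    # Headers and body are clean; only the attachment region reports hits.
    print(scan_message(build_sample()))
```

A filter that scored only the headers and the first text part would pass this message; walking every part and normalizing before matching is what surfaces the payload, at the CPU cost the post describes.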

So, as you can see, a lot has happened in 2007 and the forecast for 2008 looks to bring about some new challenges as these existing threats evolve and as new ones emerge. If you'd like some more information on what we expect to see next year and forward, feel free to read my 2008 predictions blog. In the meantime, here's to hoping everyone has a safe and wonderful holiday season.

Posted by smasiello at 1:56 PM | 0 comments
