Last month featured a number of interesting, if troubling stories, ranging from the largest credit card theft indictment in history, to using Twitter to control botnets. So without further ado, here are a selection of some of the top endpoint security stories for August 2009:

• 130 Million Credit Card Numbers Stolen
  Top story has to be the theft of 130 million credit card numbers and the arrest and indictment of Albert Gonzalez. This was the largest such theft in history and was accomplished using a number of techniques including exploiting well known vulnerabilities on unprotected systems.
• TJX Settles with Banks for $525k
  TJX, another Albert Gonzalez victim, made news this month when it settled its class action lawsuit for $525k to four remaining banks. This added to its existing settlements and was included in TJX’s existing budget of $256 million it budgeted to cover the breach.
• Big Drop in Phishing Attacks
  IBM reported a large drop recently of phishing attacks. Speculation about the reason for the drop includes shifting tactics and a pre holiday lull.
• URL Shorteners a New Threat
  URL shortening services are being used to distribute malware. Looking for a reason for the drop in phishing? It may have something to do with the increase of distribution of malicious links on sites like Twitter, Facebook and other social sites using shortened URLs.
• Twitter Introduces Malware Filter
  The use of their network to distribute malware isn’t lost on Twitter. They are moving to include malware checking for distributed Twitter links.
• Botnets and Trojans Stay in the News
  Botnets and trojan horses continue to be top stories; An attempt to shutdown a botnet fails after 48 hours, trojan horses remain most common infection in August 2009, hackers use Twitter to control their botnets, and finally this and other news leads Steven J. Vaughan-Nichols of ComputerWorld to declare Botnets Must Die.
• Even Apple Makes Security News
  Apple has come under fire for the addition of basic malware protection. Security vendors like Symantec say it is too light weight and knocks their overall security protection.

That’s it for this month’s endpoint security wrap up for August 2009. Be sure to look for these monthly.

It’s almost like a proof-of-concept. Here’s how a presentation by Conficker’s handlers to prospective clients could go. “See, we can do this: Conficker sends millions of spam. Or, we can do this: Conficker DoS a competitor of prospective client. Oh, you want to make a few bucks? Try this: scareware installed on n% of Conficker-infected endpoints.”

I’ve been scratching my head, wondering what gives here. Then it came to me. Conficker is a natural for being franchised out. Instead of giving the reins to the highest bidder for the entire botnet, the handlers will be able to give the controls to, say, Conficker.f to deliver V1@gr4 spam, while Conficker.h is awaiting it’s turn to do whatever the highest bidder for the .h variant wants it to do.

Traditionally the controls to botnets have been granted in whole. The folks behind Conficker are unethical, but also quite intelligent. They have a great understanding of the terrain this battle is being played out on.

McDonalds® may have sold billions and billions of burgers, but I see a new headline coming in the near future: “Conficker: billions and billions of *insert malware, grayware, scareware, spam* delivered.