[Security] Malware Evolution 2011
The Top-10 of 2011: An “Explosive” Year in Security
With 2011 coming to its end, it makes sense to sit back and take a look at what’s been happening over the past 12 months in the IT Security world. If we had to summarize the year in a single word, I think it would have to be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to come up with a Top-10 of security stories of 2011. What I was aiming for with this list was to remember the stories that also indicated major trends or the emergence of new major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.
1. The Rise of “Hacktivism”
It’s difficult to imagine someone reading this list who has not yet heard of Anonymous, LulzSec, and maybe TeaMp0isoN. Throughout 2011 these groups together with others were actively involved in various operations against law enforcement agencies, banks, governments, security companies and major software vendors. Sometimes working together, in other cases working against each other, these groups emerged as one of the main groups of actors of 2011, through incidents such as security breaches of networks belonging to the United Nations, security intelligence firm Stratfor, FBI contractor IRC Federal, US Defense contractor ManTech, and the CIA. Interestingly, some of these incidents, such as the Stratfor hack, revealed major security problems such as the storing of CVV numbers in unencrypted format, or extremely weak passwords used by administrators.
Overall, the rise of hacktivism was one of the major trends of 2011, and no doubt it will continue in 2012 with similar incidents.
2. The HBGary Federal Hack
Although related to the first item on this list, I’d like to point this one out as a separate story. In January 2011, hackers from the Anonymous hacker collective broke into HBGary Federal’s webserver – hbgaryfederal.com – through an SQL injection attack. They were able to extract several MD5 hashes for passwords belonging to the company CEO, Aaron Barr, and COO, Ted Vera. Unfortunately, both used passwords that were very simple: six lowercase letters and two numbers. These passwords allowed the attackers to get access to the company’s research documents and tens of thousands of mails stored on Google Apps. I believe this story is relevant because it demonstrates an interesting situation – the use of weak passwords together with old software systems plus use of the cloud can turn into a security nightmare. If the CEO and COO had used strong passwords, none of this would likely have happened. Or, if they’d had multi-factor authentication enabled on Google Apps, the attackers wouldn’t have been able to access the superuser account and copy all the company e-mails. It’s important to point out that even if better security measures had been in place, we can’t rule out the possibility that the ever-persistent hackers wouldn’t have found another way in. Persistence and determination, combined with plenty of time, gives the attackers the upper hand.
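The HBGary story turns on two defensive failures at once: a password shape that is trivially enumerable, and an unsalted, single-pass MD5 that lets one precomputed table serve every account. The block below is an added example, not code from the article or from any company it describes; it estimates the strength of a password of the shape the text describes (six lowercase letters, two digits, a constructed sample), contrasts the unsalted MD5 scheme with a salted, iterated PBKDF2-HMAC-SHA256 record, and verifies the record in constant time. The strength estimate and the 50-bit threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
import re
from typing import Optional

# The password shape the article describes: six lowercase letters, two digits.
WEAK_SHAPE = re.compile(r"^[a-z]{6}[0-9]{2}$")


def weak_shape_guesses() -> int:
    """Size of the 'six lowercase letters + two digits' space: 26**6 * 10**2."""
    return 26 ** 6 * 10 ** 2


def estimated_bits(password: str) -> float:
    """Crude strength estimate: length * log2(alphabet of character classes used)."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    alphabet = sum(size for pattern, size in classes if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_weak(password: str, min_bits: float = 50.0) -> bool:
    """Reject the article's pattern outright, and anything under min_bits (assumed threshold)."""
    return bool(WEAK_SHAPE.match(password)) or estimated_bits(password) < min_bits


def legacy_md5(password: str) -> str:
    """The unsalted scheme found in the leak: one fast hash, no salt, no work factor,
    so equal passwords give equal digests and one precomputed table covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, iterations: int = 200_000, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries everything needed to verify."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "abcdef12"  # constructed sample matching the shape the article describes
    print("weak:", is_weak(pw), f"({estimated_bits(pw):.1f} bits estimated, "
          f"{math.log2(weak_shape_guesses()):.1f} bits for the exact shape)")
    print("md5 equal for two users with the same password:",
          legacy_md5(pw) == legacy_md5(pw))
    r1, r2 = store_pbkdf2(pw), store_pbkdf2(pw)
    print("pbkdf2 records differ for the same password:", r1 != r2)
    print("verify:", verify_pbkdf2(pw, r1), verify_pbkdf2("wrong", r1))
```

The point of the two store functions side by side is that the salt and iteration count, not the choice of digest alone, are what make a leaked hash set expensive to work through per account; the shape check catches the policy failure before the hash ever matters.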
3. The Advanced Persistent Threat
Although many security experts despise this term, it has made its way into the media and rocketed to super-popularity with incidents such as the RSA security breach or the imposingly entitled incidents such as operations Night Dragon, Lurid and Shady Rat. Interestingly, many of these operations were not too advanced at all. On the other hand, there were many cases in which zero-day exploits were used, such as in the RSA breach. In this case, the attackers took advantage of CVE-2011-0609 – a vulnerability in Adobe Flash Player – to run malicious code on the target machine. Another interesting zero-day was CVE-2011-2462, a vulnerability in Adobe Reader, which was used in targeted attacks against U.S. Defense contractor ManTech. Several things stand out in these attacks: Many cases involved zero-day vulnerabilities in Adobe software; many of these attacks were directed at U.S. targets, notably companies working with the U.S. military or government; the Lurid attack was interesting because it mainly targeted countries in Eastern Europe such as Russia or CIS countries. These attacks confirm the emergence of powerful nation-state actors and the establishment of cyber-espionage as common practice. Additionally, many of these attacks seemed to be interconnected and have major global ramifications. For instance, the RSA breach was notable because the attackers stole the database of SecurID tokens, which was later used in another high-profile attack.
4. The Comodo and DigiNotar Incidents
On March 15, 2011 one of the affiliates of Comodo, a company known for its security software and SSL digital certificates, was hacked. The attacker quickly used the existing infrastructure to generate nine fake digital certificates for web sites such as mail.google.com, login.yahoo.com, addons.mozilla.com and login.skype.com. During the analysis of the incident Comodo was able to identify the attacker as operating from the IP address 22.214.171.124 - in Tehran, Iran. But in terms of size this was nothing compared to the DigiNotar breach. On June 17, 2011 hackers began poking around the DigiNotar servers, and over the next five days managed to get access to their infrastructure and generate over 300 fraudulent certificates. The hacker left a message in the form of a digital certificate containing a message in the Persian language: “Great hacker, I will crack all encryption, I break your head!” To make the link with Iran more solid, days later the fake certificates were used in a man-in-the-middle attack against over 100,000 Gmail users from Iran.
The attacks against Comodo and DigiNotar have highlighted that there has already been a loss of trust in the certificate authorities (CAs). In the future, CA compromises may become more widespread. Moreover, it is likely that more digitally signed malware will appear.
5. Duqu and Stuxnet
In June 2010, researcher Sergey Ulasen from the Belarusian company VirusBlokada discovered an intriguing piece of malware that appeared to use stolen certificates to sign its drivers and a zero-day exploit that used .lnk files for replication in a typical Autorun fashion. This malware became world famous under the name Stuxnet, a computer worm containing a very special payload aimed directly at Iran’s nuclear program. Stuxnet hijacked Siemens PLCs at Iran’s Natanz plant and reprogrammed them in a very specific way, indicating one single objective: sabotaging the uranium enrichment process at Natanz. Back then, when I saw the code that reprogrammed the PLCs responsible for controlling the 64,000-RPM centrifuges, I thought to myself that it’s impossible to write something like that without having access to the original schematics and source code. But how could attackers have obtained something as sensitive as the custom code that controls the billion-dollar facility?
One possible answer lies within the Duqu Trojan. Created by the same people that were responsible for Stuxnet, Duqu was discovered in August 2011 by the Hungarian research lab CrySyS. Originally, it wasn’t known how Duqu infected its targets. Later, malicious Microsoft Word documents exploiting the vulnerability known as CVE-2011-3402 were discovered as a means of Duqu’s penetration. The purpose of Duqu is quite different from Stuxnet. This Trojan is actually a sophisticated attack toolkit, which can be used to breach a system and then systematically siphon information out of it. New modules can be uploaded and run on the fly, without a file system footprint. The highly modular architecture, together with the small number of victims around the world, made Duqu undetectable for years. The first trace of Duqu-related activity we were able to find actually dates back to August 2007. In all the incidents we have analyzed, the attackers used an infrastructure of hacked servers to move the data – sometimes hundreds of megabytes – out of the victims’ PCs.
Duqu and Stuxnet represent the state of the art in cyber warfare and hint that we are entering an era of cold cyber war, where superpowers fight each other unconstrained by the limitations of real-world war.
6. The Sony PlayStation Network Hack
On April 19, 2011, Sony learned that its PlayStation Network (PSN) had been hacked. At first the company was reluctant to explain what had happened and claimed that the service, which was suspended on April 20, would be back up in a few days. It wasn’t until April 26 that the company acknowledged that personal information had been stolen, which potentially included credit card numbers. Three days later, reports appeared that seemed to indicate that 2.2 million credit card numbers were being offered for sale on hacker forums. By May 1, the PSN was still unavailable, which left many users not only having had their credit cards stolen but also frustrated at not being able to play the games they’d already paid for. Then in October 2011, the PSN was again making the headlines with 93,000 compromised accounts that had to be locked down by Sony to prevent further misuse. The Sony PSN hack was a major story in 2011 because it indicates, among other things, that in the cloud era, Personally Identifiable Information is conveniently available in one place, accessed over fast Internet links, ready to be stolen in case of any misconfigurations or security issues. In 2011, 77 million usernames and 2.2 million credit cards came to be considered normal “booty” in the cloud era.
7. Fighting Cybercrime and Botnet Takedowns
While the attackers in the PSN incident are still unidentified, 2011 was a definitively bad year for the many cybercriminals who got caught and arrested by law enforcement authorities around the world. The ZeuS gang arrests, the DNSChanger gang takedown, and the Rustock, Coreflood and Kelihos/Hilux botnet takedowns were just a few examples. These indicate an emerging trend: Bringing down a cyber-criminal gang goes a long way towards hampering criminal activity around the world, sending a message to the remaining gangs that this is no longer a risk-free undertaking. One particular case I’d like to mention is the Kelihos takedown, which was performed by Kaspersky Lab in cooperation with Microsoft’s Digital Crimes Unit. Here, Kaspersky Lab initiated a sinkhole operation for the botnet, counting many tens of thousands of infected users per day. And here’s where the big debate starts: Knowing the bot update process, Kaspersky Lab or a law enforcement agency could effectively push a program to all the infected users, notifying them thereof in the process, or even cleaning their machines automatically. In a poll run on the Securelist website, a whopping 83% voted that Kaspersky Lab should “push a cleanup tool that removes the infections,” despite this being illegal in most countries. For obvious reasons, we haven’t done so, but it outlines the vast limitations of today’s legal system when it comes to fighting cybercrime in an effective manner.
8. The Rise of Android Malware
In August 2010, we identified the first Trojan for the Android platform – Trojan-SMS.AndroidOS.FakePlayer.a, which masqueraded as a media player app. In less than a year, Android malware quickly exploded and became the most popular mobile malware category. This trend became obvious in Q3 2011, in which we discovered over 40% of all the mobile malware we saw in 2011. Finally, we hit critical mass in November 2011 when we uncovered over 1000 malicious samples for Android, which is almost as many as all the mobile malware we have discovered in the past six years! The huge popularity of Android malware can be attributed to several things - most notably the wild growth of Android itself. Secondly, the documentation freely available regarding the Android platform makes the creation of malware for Android quite easy. Finally, there are many who blame Google Market for its weak screening process, which makes it straightforward for cybercriminals to upload malicious programs. While there are only two known malicious programs for iPhone, we are now approaching 2000 Android Trojans already in our collection.
9. The CarrierIQ Incident
CarrierIQ is a small privately-owned company, founded in 2005, and operating out of Mountain View, California. According to their website, CarrierIQ software is deployed on over 140 million devices around the world. Although the declared purpose of CarrierIQ is to collect “diagnostic” information from mobile terminals, security researcher Trevor Eckhart demonstrated how the extent of the information CarrierIQ collects goes beyond the declared simple “diagnostic” purpose, including things such as keylogging and monitoring URLs opened on a mobile device. CarrierIQ is built within a typical Command and Control architecture where system administrators can establish the kind of information that is collected from phones and which information is sent “home.” While it is obvious that CarrierIQ does collect a lot of information from your mobile phone, it doesn’t necessarily mean it is evil, or so we are advised to think by its creators, or companies such as HTC, which support its usage. Being a U.S.-based company, CarrierIQ could be forced to disclose much of the collected information to US law enforcement, if presented with a warrant. This legal loophole could effectively turn it into a government spy and monitoring tool. Whether this may indeed be the case or not, many users have decided that it’s best to get rid of CarrierIQ from their phones. Unfortunately, it isn’t a simple process and is different for iPhones, Android phones and BlackBerrys. In the case of Android, you may have to root your phone in order to get rid of it. Alternatively, many users have decided to flash custom Android firmware instead, such as Cyanogenmod.
The CarrierIQ incident shows that we are totally unaware of what exactly is running on our mobile devices, or the level of control which the mobile operator has over your hardware.
10. MacOS Malware
While I realize that I’m putting myself into the line of fire by even just mentioning Mac OS X malware, I think it’s an important story from 2011 which shouldn’t be overlooked. Products called MacDefender, MacSecurity, MacProtector or MacGuard, which are rogue AV products for Mac OS, appeared in May 2011 and quickly became popular. Distributed through black-hat SEO techniques in Google searches, these programs rely on social engineering to get the user to download, install, and then pay for the “full” version. Most who decide to pay $40 for the supposedly full version later discover that they actually paid $140, and sometimes they paid several times over. The crossing over of PC threats (rogue AV programs being one of the most popular malware categories for PCs) to Macs is an important trend of 2011. In addition to Mac OS rogue AVs, the DNSChanger family of Trojans deserves special mention as well. First identified around 2007, these small Trojans conduct a very simple and straightforward system compromise by changing the DNS settings to point to the criminals’ private DNS servers, before uninstalling themselves. Hence, you may get infected with a DNSChanger, have your DNS settings changed, and think you’re fine because there’s no malware actually on your computer; however, in reality what the criminals do is abuse the DNS communication to make you visit fake websites and perform click fraud and man-in-the-middle attacks. Luckily, in November 2011, the FBI arrested the six Estonian nationals who made up the gang behind the DNSChanger malware. According to FBI data, in the past four years they infected over four million computers in more than 100 countries and generated approximately $14 million in illegal profit. These incidents show that malware for Mac OS is as real as malware for PCs, and that even modern security practices fail against carefully elaborated social engineering techniques. 
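Because a DNSChanger-style Trojan rewrites the resolver settings and then uninstalls itself, a file scan finds nothing; what remains is the configuration change, so the useful detection is an audit of the configured resolvers against the ones the organisation actually sanctions. The block below is an added example, not code from the article or from any product it mentions: it parses a constructed /etc/resolv.conf and flags every nameserver outside an assumed allowlist. The sample address 203.0.113.7 is a documentation-range placeholder, not an indicator from any real incident.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of /etc/resolv.conf on a host whose resolver list was
# silently rewritten. 203.0.113.7 is a documentation-range address standing
# in for an attacker-controlled resolver; it is not a real indicator.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.7   # not ours
options timeout:2
"""

# Assumed allowlist: the resolvers this organisation operates or sanctions.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8", "1.1.1.1/32")
]


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses declared in resolv.conf text, in order."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_trusted(addr: str) -> bool:
    """True if addr parses as an IP address inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # malformed entry: treat as untrusted and let a human look
    return any(ip in net for net in TRUSTED_RESOLVERS)


def audit_resolvers(addresses: List[str]) -> List[str]:
    """Return the subset of addresses that are not on the allowlist."""
    return [a for a in addresses if not is_trusted(a)]


def audit_resolv_conf(resolv_conf: str) -> Tuple[List[str], List[str]]:
    """Parse resolv.conf text and return (all configured resolvers, rogue resolvers)."""
    servers = parse_nameservers(resolv_conf)
    return servers, audit_resolvers(servers)


if __name__ == "__main__":
    found, rogue = audit_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured:", found)
    print("not on allowlist:", rogue)
```

The same audit_resolvers check applies to any other source of resolver addresses, for example the per-interface list on Mac OS X, where the resolver settings live in the system configuration rather than only in resolv.conf; the parser here is deliberately limited to the resolv.conf format the block constructs.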
It is without doubt that we will see both platforms continue to be abused in the future.
To summarize, these ten stories are just a tiny speck in the galaxy of 2011 security incidents. The reason I selected them is because they point to the major actors of 2011 who will no doubt continue to play a major role in the cyber-security blockbuster which is around the corner. These are the hacktivist groups, the security companies, the advanced persistent threat in the form of superpowers fighting each other through cyber-espionage, the major software and gaming developers such as Adobe, Microsoft, Oracle and Sony, law enforcement agencies, traditional cybercriminals, Google - via the Android operating system, and Apple - thanks to its Mac OS X platform. The relations among these can be complicated, full of drama, contain many super-secret details, and be as mysterious and darkly dreaming as Showtime’s Dexter. One thing is for sure – these same stars will be playing in all the major 2012 security blockbuster movies.
Cyberthreat forecast for 2012
2011 was the year that virtually all global players signaled their readiness to develop and deploy cyber weapons. The mass hysteria sparked by the discovery of the Stuxnet worm in 2010 led a number of states to start treating the use of cyber weapons against them as an act of war. However, by doing so, they are losing sight of some very important aspects of this type of threat. Take, for instance, Stuxnet. It was a unique phenomenon, designed exclusively for use at a specific time and at a specific place. And there was no readily available military solution to combat it. This is why we believe that the use of cyber weapons like Stuxnet will continue to be limited to isolated incidents. Their appearance will depend primarily on the relationship between specific states. Basically, to facilitate the creation of a cyber weapon of this standard there needs to be both an assailant and a victim. For the assailant, the problem needs to have become so serious that it can no longer be ignored, but the option of military action is out of the question. Analysis of current interstate conflicts can help predict similar incidents in the future.
This may well be true for cyber weapons such as Stuxnet, designed to carry out acts of sabotage. However other cyber weapons, used to destroy data at a given time, are likely to be more widely used. Programs such as kill switches, logic bombs etc., can be developed on a regular basis and deployed systematically. Moreover, the creation of these programs can be outsourced to private contractors used by the military, or law enforcement and intelligence agencies. In many cases the outsourcer will never know the identity of the actual client.
It is safe to say that the main cyber conflicts in 2012 will revolve around traditional confrontations: the US and Israel versus Iran, and the US and Western Europe versus China.
Mass targeted attacks
In 2011 we witnessed the emergence of new sources of malware and targeted cyber attacks. In the New Year we expect to see a significant increase in the number of new players and threats as well as high-profile incidents.
A far more effective detection process will also play a role in boosting the number of recorded attacks. An entirely separate field of the IT security industry has sprung up as a result of the problems associated with detecting and combating targeted attacks, and large companies are increasingly approaching small private firms for help in dealing with them. The growing competition in the market offering this kind of protection service will shed more light on incidents. As a result of the enhanced level of protection and the number of vendors offering help, the attackers will be forced to drastically change their methods.
At present many of the groups behind targeted attacks often don’t even bother creating specialized malware and instead use someone else’s ready-made programs. A good example is the Poison Ivy Trojan, originally created in Sweden but which has become a firm favorite with Chinese hackers. In contrast is the Duqu Trojan, a harbinger of things to come that can be modified to achieve specific aims and which makes use of dedicated command servers.
The effectiveness of traditional attack methods – the use of documents in email attachments that contain exploits for vulnerabilities – will gradually diminish. Attacks will increasingly be launched from browsers. Of course, the effectiveness of this approach will depend on the number of vulnerabilities found in popular software such as browsers, office applications and multimedia systems.
The range of companies and areas of the economy that will come under attack will expand. The majority of incidents currently affect companies and state organizations involved in arms manufacturing, financial operations, as well as hi-tech and scientific research activities. In 2012 companies in the natural resource extraction, energy, transport, food and pharmaceutical industries will be affected, as well as Internet services and information security companies. The geographic range of the attacks will increase considerably, spreading out beyond Western Europe and the US to affect countries in Eastern Europe, the Middle East and South-East Asia.
The unwanted attention that the Android platform has received from virus writers will intensify. In 2012 cybercriminals targeting mobile platforms will focus heavily on creating malware for Google Android. The dramatic growth in malicious programs for Android in the second half of 2011 saw Google’s operating system rank first among mobile platforms in terms of the number of threats, and there is little to suggest that the virus writers will shift their focus in the near future.
We also expect an increase in attacks making use of vulnerabilities. 2012 will see cybercriminals making active use of a variety of exploits to spread malware as well as malicious programs containing exploits that can be used to escalate privileges and gain access to a device’s operating system. Virtually all the attacks that made use of exploits in 2011 were attempts to elevate privileges to the operating system. However, in 2012 we are very likely to see the first attacks that will use exploits to infect the operating system itself. In other words, we’ll see the first mobile drive-by-download attacks.
There will be an increase in the number of malicious programs finding their way into app stores, especially Android Market. The fact that Google’s policy of checking new apps has changed very little, despite numerous malicious programs being discovered at Android Market, means the virus writers are unlikely to refrain from uploading malware to official stores.
There is a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. We’re also likely to see the first mobile botnet on the same platform.
The activities of several virus writer groups specializing in mobile applications evolved into the wholesale manufacture of malware in 2011 – a process that will continue to develop in 2012. It means we are likely to face a full-blown mobile malware industry next year.
Other mobile platforms
Symbian. For a long time the most popular platform among users and virus writers. Now losing ground on the mobile OS market and among cybercriminals. Therefore, we don’t expect to see significant amounts of malware for this platform.
J2ME. We will continue to see quite a few malicious programs (more precisely, SMS Trojans) for Java 2 Micro Edition. However, their number will either remain at the same level or decrease.
Windows Mobile. A platform that has never attracted much attention from virus writers and 2011 was no different. It will hardly be surprising if the number of malicious programs for this platform can be counted on the fingers of one hand.
Windows Phone 7. Quite likely that the first proof-of-concept malware will appear for this platform.
iOS. Since its arrival in 2009 two malicious programs have been detected that target cracked devices running iOS, and not much else. Don’t expect any changes in 2012, unless Apple changes its software distribution policy.
In 2012 a considerable amount of non-Android-based malware will most probably be used in targeted attacks. A typical example is the attack using ZitMo and SpitMo (Zeus- and SpyEye-in-the-Mobile).
Mobile espionage – data theft from mobile phones and the tracking of subjects using their telephones and geolocation services – will become widespread, going well beyond the traditional use of such technologies by law enforcement agencies and private investigation companies.
Attacks on online banking
In 2012, attacks on online banking systems will be one of the most widespread methods of stealing money from rank and file users. The number of crimes committed in this area is rising rapidly all over the world in spite of all the technical measures taken by banks.
In the near future, it is likely that there will be more cases of unauthorized access to online banking systems in Asian countries. That is because these services are rapidly developing in South-East Asia and China, while the region’s abundant cybercrime expertise has so far been focused on other types of attacks (including attacks on online gamers). Apart from online games, Asian cybercriminals have gained a reputation for their phishing attacks on clients of European and US banks. Now that local e-payment and banking services are developing in line with the rising standards of living in Asian countries, there will be an ever increasing number of attacks performed on local banks and users, employing dedicated, locally-focused phishing and Trojan programs.
Such attacks will most probably be targeted on mobile device users as well as PC users. Apart from South-East Asia and China, attacks may be performed on mobile payment services in East African countries.
Users’ private lives
The problem of protecting users’ confidential data is gradually becoming one of the hottest topics in IT security. Russian users have seen data leak from cellphone operators and e-commerce sites, there were the stories about the mobile software from CarrierIQ and the storing of geolocation data in iPad/iPhone, data thefts from tens of millions of clients of various systems in South Korea, the hacking of Sony PlayStation Network – to name just a few of the high-profile events that took place in the last year. Although these incidents varied in their causes as well as the amount and type of data stolen, they all had the same aim.
Increasingly, companies all over the world are trying to collect as much information as they can about their clients. Unfortunately, this is not often supported by sufficient measures to protect the information that is gathered. The continuing development of “cloud technologies” also contributes to potential data losses: there is now an extra target for the cybercriminals to attack, i.e. the data centers where various companies’ data are stored. Data leaks from cloud services could deal a serious blow to the perception of the technology itself and to the idea of “cloud storage,” which largely relies on users’ trust.
As for the systems collecting user data, similar to CarrierIQ, we are convinced there will be more instances of them being exploited in 2012. Mobile providers, software and web-service manufacturers do not intend to throw away the business opportunities that arise from holding users’ data.
Hacktivism, or hacker attacks as a form of protest, is now experiencing a revival and reaching new levels. Multiple attacks on various government institutions and businesses will continue in 2012 despite all the efforts of authorities arresting high-profile hacktivists. Hacktivism will increasingly have political implications, and this will be a more serious trend than in 2011 when most attacks targeted corporations or were carried out just for lulz.
However, hacktivism can also be used to disguise other attacks by distracting attention from them or setting up a false trail, thus creating an opportunity to “securely” hack an object of interest. In 2011, a number of hacktivist attacks have led to leaks of sensitive information which is undoubtedly the purpose of classic targeted attacks both in terms of commercial espionage and national interests. In these cases, hacktivists have greatly (and perhaps involuntarily) assisted other groups which can take advantage of their methods to steal information in attacks of a very different kind.
In summary, we expect to see the following events and trends next year in the field of cybercriminal activities:
Cyber weapons like Stuxnet will be tailor-made for specific cases only. Cybercriminals will increasingly use simpler tools, such as kill switches, logic bombs etc. to destroy data at a required time.
The number of targeted attacks will continue to grow. Cybercriminals will begin using new infection methods, as the effectiveness of existing methods diminishes. The range of targeted businesses and areas of economic activity will expand.
2012 will see cybercriminals writing mobile malware that primarily targets Google Android. We expect to see an increasing number of attacks exploiting vulnerabilities as well as the first mobile drive-by attacks.
There will be more and more cases where malware is uploaded to official app stores, primarily to Android Market. Mobile espionage will become widespread; this will include stealing data from mobile phones, and tracking people using their telephones and geolocation services.
In 2012, attacks on online banking systems will be one of the most widespread methods used to steal money from users. South-East Asia, China and East Africa are particularly at risk.
Multiple attacks on various government institutions and businesses will be carried out all over the world. Hacktivism may also be used to conceal other types of attacks.