The year 2010 has been almost identical to the previous one in terms of malware evolution. Generally speaking, trends have not changed that much and nor have the targets for attack; though certain malicious activities have progressed dramatically.
Whilst monthly malware detection rates have remained reasonably stable since 2009, with browser attacks and botnets continuing to be the main threats to cybersecurity, there has been a downturn in activity by certain types of malware.
Vulnerabilities have really come to the fore in 2010, especially those in Adobe software. Exploiting vulnerabilities has become the prime method for penetrating users’ computers, with vulnerabilities in Microsoft products rapidly losing ground to those in Adobe and Apple products (Safari, QuickTime and iTunes).
In our 2009 report, we attempted to predict the most likely ways in which cybercrime and IT threats would evolve during 2010. A year later, we can see that most of our predictions have come true.
It is true to say that P2P networks are now a major channel by which malware penetrates users’ computers. In terms of security incident rate, we estimate this infection vector to be second only to browser attacks.
Practically all types of threats including file viruses, Rogue AVs, backdoors and various worms spread via P2P-networks. Additionally, such networks have fast become an environment conducive to the propagation of new threats, such as ArchSMS.
The increase in cybercriminal activity on P2P networks has been well documented by other IT companies too. For example, in their Q2-2010 threat report , Cisco stated that the number of attacks carried out via the three most popular P2P networks, BitTorrent, eDonkey and Gnutella, had risen dramatically.
The P2P malware epidemic started in March, when the number of incidents detected by the Kaspersky Security Network exceeded the 2.5 million per month mark for the first time. A conservative estimate of the number of attacks occurring monthly by the end of the year puts the figure at somewhere close to 3.2 million.
So-called partnership programs have remained a primary means of communication between cybercriminal groups who create new botnets, manage existing ones and decide on new targets for their creations.
The year 2010 has seen a whole host of ‘grey’ money-making schemes in operation alongside openly criminal activities, such as infecting legal websites or infecting users computers by means of drive-by downloads. Grey schemes include coercing users into voluntarily downloading files by various means, using hijacked resources for Black SEO, distributing attention-grabbing links, spreading adware and redirecting traffic to adult content sites.
To learn more about how such ‘partnership programs’ work, please read the article ‘ The Perils of the Internet ’.
No epidemics have occurred in 2010 that are comparable to the Kido (Conficker) worm epidemic of 2009 in terms of propagation speed, the number of affected users and the scope of attention it attracted. However, if these factors are considered separately, outbreaks of certain infections may be classified as global epidemics.
The Mariposa, Zeus, Bredolab, TDSS, Koobface, Sinowal and Black Energy 2.0 botnets have attracted a lot of attention from both journalists and analysts in 2010. Each attack involved millions of infected computers located all over the world. These threats are among the most advanced and sophisticated malware ever created.
They propagated using all of the existing infection vectors, including regular email. They were the trailblazers in social and P2P networks, and some of them were also the first to infect 64-bit platforms, with many propagating via zero-day vulnerabilities.
The malware writers’ creativity peaked with Stuxnet however. This was a truly revolutionary worm which grabbed the cybersecurity headlines in the second half of 2010. The publications included speculation about Stuxnet’s potential targets and about how it operated; in fact, Stuxnet drew more media attention than any other threat in history.
We are witnessing an apparent trend in which the most widespread malicious programs tend to be the most sophisticated. This raises the bar for the manufacturers of cybersecurity products who are waging technological warfare on the cybercriminals. These days, it is not enough to be able to identify ninety-nine percent of the millions of malware samples out there, but then fail to detect or treat the one threat which is extremely sophisticated and therefore widespread.
This prediction was fairly controversial – opinions on this issue are divided, even among Kaspersky Lab experts. It depended on a number of additional factors: the owners and participants of partnership programs shifting to other methods of making money, counteraction from antivirus companies and law-enforcement agencies, and the presence of serious competition between different cybercriminal groups creating and distributing Rogue AVs.
According to figures for the year garnered from KSN, the number of Rogue AVs has in fact decreased globally. Rogue AV activity peaked at around 200,000 incidents per month in February-March 2010, before experiencing a fourfold decrease towards the end of 2010. At the same time, existing Rogue AVs tended to narrow their target zones to specific regions, with cybercriminals ceasing to spread them indiscriminately and focusing on specific countries such as the USA, France, Germany and Spain.
A year ago, we predicted that there would be attacks on Google Wave and its clients. However, this project was abandoned by Google during mid-2010, before it gathered a critical mass of users and came into full operation. Thus, our prediction did not have a chance to come true.
In 2009, the first iPhone malware and a piece of spyware for Android were detected. We expected the cybercriminals to focus much more of their attention on these two platforms.
No real malware events occurred that targeted iPhone and which could be compared to the Ike worm incident of 2009. However, several concept programs were created for this platform in 2010 that demonstrated techniques that could be used by the cybercriminals. A truly remarkable example of one such technique was ‘SpyPhone’, the brainchild of a Swiss researcher. This program allows unauthorized access to information about the user’s iPhone device, his or her location, interests, friends, preferred activities, passwords and web search history. This data can then be sent to a remote server without the user’s knowledge or consent. This functionality can be hidden within an innocuous-looking application.
While in the past, experts have said that users who have jailbroken their iPhones to install third-party applications are increasing the risk to themselves, it is now the case that even those installing native applications downloaded from Apple Store are also exposing themselves to a degree of threat. Several incidents have taken place that involved legitimate Apple applications – iPhone apps were detected that covertly gathered data and sent it to software manufacturers.
Everything mentioned above is also relevant to the Android platform. Malware of an overtly cybercriminal nature has been detected for the Android platform that uses the popular mobile Trojan technique of sending SMSs to premium-rate numbers. Trojan-SMS.AndroidOS.FakePlayer was detected by Kaspersky Lab in September 2010, and became the first real example of Android malware – it was apparently created by Russian virus writers. This piece of malware was distributed via malicious websites rather than through Android Market; however, Kaspersky Lab experts believe there is also a strong probability that malware may soon be found in products available through Android Market. We are concerned about the fact that many legitimate applications can ask for, and typically be granted, access to a user’s personal data and authorization to send SMSs and make calls. In our view, this places the reliability of the entire Android security concept in doubt.
That concludes the summary of our 2009 predictions and whether they have come true or not. We will continue with a review of certain trends and specific incidents that have had a significant impact on the field of IT security.
The attack known as Aurora occurred in early 2010 and affected a number of large companies located around the globe, including Google, which was considered its main target. This incident brought to light serious security breaches and identified the attackers’ potential goals which were cyber-espionage and the theft of confidential commercial data. Future targeted attacks are likely to have similar goals.
The Stuxnet story that we mentioned above is remarkable in two respects. Firstly, its level of sophistication beat all previous records, and secondly, it was designed to specifically target programmable logic controllers (PLCs). PLCs are commercially available industrial control devices that are typically used in industry. To date, this has been the first instance of industrial cyber-sabotage to attract such widespread publicity. Attacks like this can potentially inflict significant physical damage. The boundary between the virtual world and the real world has now become blurred and this poses new problems that the entire cyber-community will have to face in the near future.
Digital certificates and signatures are one of the pillars upon which confidence and assurance in the computer world are based. Digital signatures naturally play an important role in developing security products: files signed by trusted manufacturers are regarded as clean. This technology helps the manufacturers of cybersecurity products reduce false positive rates and save resources when scanning users’ computers for infection.
The events of 2010 have demonstrated that the cybercriminals are able to obtain digital certificates in a legal manner, just like any software manufacturer does. In one instance, a certificate was obtained for a program which purported to be a piece of ‘software to remotely manage computers that do not have a GUI’, though the program was actually a backdoor. This trick is useful to the cybercriminals as it prevents malware from being detected and is most often used in adware, riskware and Rogue AVs. Having received a certification key, a cybercriminal can easily provide every malicious program that he or she creates with a digital signature.
The whole concept of software certification as a means of ensuring cybersecurity has, in effect, been seriously discredited. In fact, this may have a knock-on effect in that it discredits some of the digital certification centers which at present total some several hundred in number. In the worst case, it could mean the emergence of certification centers controlled by the cybercriminals themselves.
A digital certificate, or technically, the privacy key contained within it, is a physical file that can potentially be stolen just like any other digital asset. The Stuxnet components that were detected were signed with certificates issued to Realtec Semiconductors and JMicron. It remains unclear exactly how a privacy key could have fallen into the cybercriminals’ hands; it could have occurred in several ways. The cybercriminals may have acquired these confidential files by illicitly purchasing them from insiders, or stealing them using some type of a backdoor or similar piece of malware. For example, the ability to steal certificates appears to be something that the ubiquitous Zbot, or ZeuS as it is otherwise known, would be capable of.
In order to better understand what awaits us in 2011 in the field of IT threats, we first need to divide the potential trends into three distinct categories. In this forecast, we will analyze the aims of cyber attacks, look at the methods used to carry them out and examine who the organizers of such attacks are.
In previous forecasts we have only ever looked at the methods used, e.g. attacks on mobile platforms, the exploitation of vulnerabilities, etc. This was because, for the past few years, the perpetrators have always been cybercriminals, and their aims have invariably been financial gain.
However, we may witness a significant sea-change in 2011, with a major shift in the makeup of the organizers and their aims. These changes will be on a par with the demise of malware written by the so-called ‘script kiddies’, whose aim was primarily to show off their virus writing skills, and whose efforts heralded the age of the cybercriminal.
It’s important to point out that the method used to launch a cyber attack does not depend on who organizes it or what their aims are; instead it’s determined by the technical possibilities presented by today’s operating systems, the Internet and its services, not to mention the devices people use for work and in other areas of their daily lives.
It could be said that 2010 was the ‘Year of the Vulnerability’, and 2011 only promises worse to come. The rise in malicious exploits that seize on programming errors won’t just be down to new vulnerabilities appearing in popular solutions from the likes of Microsoft, Adobe and Apple, but will also occur because of the speed at which cybercriminals react to such loopholes. A couple of years ago the use of a zero-day vulnerability was considered something to write home about, whereas in 2010, they became a common occurrence. Sadly, that trend is set to continue, with zero-day threats becoming even more prevalent. Moreover, the remote code execution class of vulnerabilities will not be the exclusive weapon of choice in 2011, as vulnerabilities that allow privilege escalation, data manipulation and security mechanisms to be bypassed emerge from the shadows to take centre-stage.
The theft of online banking credentials, spam, DDoS attacks, extortion and scams are likely to remain the primary sources of the cybercriminals’ illegal income. Of course, there will be more emphasis placed on some of these methods than on others, but it’s safe to assume that they will all continue to be used to achieve the goals of the cybercriminals in one form or another.
There is little doubt that there will be an increase in the number of threats targeting 64-bit platforms. There will be new developments with regards to attacks on mobile devices and mobile operating systems, and these are likely to affect Android in particular. Attacks on users of social networks will increase. The majority of attacks will make use of vulnerabilities and will be carried out via browsers. DDoS attacks will remain one of the biggest problems plaguing the Internet.
But all of the above are only the entrees to the main course, which will consist of the biggest shift in the threat landscape to date – the emergence of a new breed of organizers with new and more potent aims for their cyber attacks.
As we have already discussed, over the last few years we have grown accustomed to combating malicious code created by cybercriminals for financial gain. The creation of the Stuxnet worm was a significant and frightening departure from the familiar, suggesting a moral and technological barrier had been breached. The attack was an impressive demonstration to the whole world of just what the cybercriminals’ arsenals contain, as well as a wake-up call to the IT security industry because of how difficult it was to counteract. It is even quite possible that programs like Stuxnet could be used as a medium for the know-how and capabilities of secret services and commercial organizations.
Of course, compared to the number of more traditional cybercriminal attacks that will occur, those with Stuxnet’s level of sophistication will be few and far between. However, when they do, they will be potentially far harder to detect and as they are unlikely to affect the average user, only the odd episode will hit the headlines. The majority of victims are unlikely to ever know they have been targeted. The principal aim of such attacks will not be sabotage, as was the case with Stuxnet, but the theft of information.
These types of attacks may only begin in 2011 and come to fruition years later. However, it is already clear that the arrival of this new generation of cybercriminals means that those tasked with counteracting such cyber threats will need to raise their game considerably.
A few years back we outlined the concept of Malware 2.0. Well, now it’s time for another one – Spyware 2.0.
When you look at modern malware it becomes clear that, apart from sending spam and organizing DDoS attacks, its main focus is stealing users’ accounts, regardless of whether they are of the banking, email or social networking variety. In 2011, we expect a new class of spyware programs to emerge, the aim of which can be defined quite simply as: steal everything. They will gather any information that they can about the user: his or her location, work, friends, income, family, hair and eye color, etc. Such a program will leave no stone unturned, examining every document and every photo stored on an infected computer that it can.
This all sounds very much like the sort of data that social networks and Internet advertisers want to get their hands on. In fact, there are plenty of potential buyers out there for this kind of stuff. What they intend to do with the information once they have it doesn’t really matter either. The main thing is that there is a demand for it, and that means it’s a potential goldmine for the switched-on cybercriminal.
They will get in on the act at the earliest opportunity, stealing everything they can get. Information is the most valuable asset in the modern world, because as the saying goes, knowledge is power, and power means control. As a result, the sphere of interest of those who initiate attacks of this type has widened considerably.
Furthermore, traditional cybercrime is increasingly encroaching on those areas that it has, until now, avoided – targeted attacks on businesses. Attacks used to be confined to stealing money from specific users, banking institutions and payment systems; now the technology used by the cybercriminals has advanced to such a degree that they are capable of carrying out industrial espionage, blackmail and extortion.