Malware Intelligence Lead
The biggest threat in 2012 was the end of the world, and since I am writing this now, we can say for sure that it did not happen. Still, can we say the world is the same, at least in cyberspace? The year 2012 made it very clear that our privacy, anonymity and security are entirely up for grabs when it comes to cyber threats. We faced some of the most nefarious social engineering attempts and a serious shift in how people are becoming victims. This blog post is going to talk about the biggest of those threats: what they are, how we have been fighting against them and where we stand. I will also touch on what to expect from these same threats in 2013, as well as what new threats we may face over the next year.
This past year was very good for finding state-sponsored malware. Over the course of the year, Kaspersky discovered four different pieces of state-sponsored malware:
It also found a connection between all of them, and a connection back to the first state-sponsored malware found in the wild, Stuxnet. They were all found in the same general part of the world, on networks belonging to various governments. There has been some speculation as to who created the malware and what its purposes were. I for one believe that they all worked together in some way, whether or not the code existed to do so; the way in which these different strains of malware were put into motion and how they communicated with their command and control makes it obvious that they were being used systematically for very specific purposes.
So was the state-sponsored malware threat anything that the average person needed to worry about? Not really. With the exception of Stuxnet, which went a little rogue back in 2010 and was therefore discovered, and one instance of Flame being found somewhere other than its original location, state-sponsored malware has a mission and a purpose and sticks to that purpose. Even if the malware somehow ended up on your system, I highly doubt that, unless you are a political diplomat or a high-ranking military official, your information would be of any use to a government espionage agency.
If you are wondering about the future of state-sponsored malware, I wish I could say that it was the last we will see of it. I believe 2013 might be a very good year for finding new state-sponsored malware in the wild and whether or not it has malicious intent toward the average user is yet to be known. Either way, the cyber security industry knows that it is out there and will be a bit more suspicious in 2013, a tactic that might also allow new and intricate cyber-crime malware to be discovered.
Malware threats to you
Moving on, let us talk about some of the malware we saw in 2012 that had the most effect on the average user and posed the most threat via its methodology, technology and purpose.
I could literally rant for hours about Ransomware, and if you have been keeping up with my blog posts over the last year, then you know that I already have. Ransomware, in my opinion, was the MOST threatening malware spread in 2012. I say this not because of the technology it employs, which ranges from basic to highly advanced, but because of the finely crafted social engineering ploy it uses against the infected user.
What I have been referring to as “assumed guilt” is how the creators of the Ransomware force users to believe that they have done something wrong (or, more likely, that they have been caught) and therefore need to be absolved of their wrongdoings. Rather than go to court, face law enforcement officials or have any of your assumed crimes brought into the public eye, the Ransomware gives you an out: paying a fine.
There are a few ideas on how Ransomware might evolve in 2013. My personal opinion is that it is not going to go away any time soon. An opposing opinion is that we may very well see the grand finale of Ransomware in 2013 due to the widespread knowledge of this threat. Fusing the two theories, I think we might see a decrease in the Ransomware we have come to know (pretending to be the FBI, etc.) and instead see the growth of new types of Ransomware that require more of the user than just paying a fine. It is very possible that it will become a very powerful standalone weapon in 2013 and beyond due to its social engineering aspects and its ability to be modified quickly to avoid detection.
2012 was also a great year for Banker Trojans; while not new to the malware scene, they are nonetheless still a pain in the security community’s side. A Banker Trojan will attempt to steal your private financial information in any way it can, whether that be by watching you enter your credentials via keylogging, stealing form data from your browser or redirecting you to fake bank websites. The relentless Zeus Trojan and SpyEye are examples of Banker Trojan malware.
The scale of the underground cyber-crime market is immense, and among the favorite items to buy and sell are credit card numbers and personal information. Every day, hundreds of variants of malware exist and are in development with the goal of stealing financial information. It is unlikely that we will see a decrease in new developments and schemes in 2013.
Remote Access Trojans have made a comeback this year. While antivirus and anti-malware vendors still protect heavily against them, we have watched these versatile and powerful malware types ravage the systems of government and private users alike. An important thing to note is the end of development for the Dark Comet RAT earlier this year, which brought about an interesting discussion among the security community as to how to perceive a developer of malicious tools who has no malicious intent.
Another big player in RAT activity this year was Blackshades. While it was present in numerous conflicts in Syria and, of course, was used to spy on and manipulate average people, law enforcement was still able to identify and arrest individuals involved in its development. Looking toward the future of RATs, I highly doubt we will see them go away just yet. RATs are prepackaged to make it easy for the average Joe to become a cyber-criminal in just a few minutes, and the underground market, support and further developments already seen are proof that these tools will only continue to become more intrusive and more evasive.
The Golden Age of Drive-By exploits
For several years, we have been in the “Golden Age” of drive-by exploits, with the number of compromised sites increasing all the time and new methods being employed by cyber-criminals to exploit your web browser and infect your system with an array of different malware before you can say, “This isn’t YouTube”.
Malvertisements, if you remember past blogs, infect a user’s system via malicious code that cyber-criminals have embedded within advertisements placed on legitimate ad networks. The ingenious aspect of this attack is that it allows malware to be spread even on respectable and legitimate websites that use ad networks to provide advertisement banners, and therefore a commission, on their web pages. In addition to the exploit code being seen by a greater audience, it is also difficult to track because the ads tend to change with every refresh of the web page. They were a huge threat last year and spread all types of malware, ranging from rogue antivirus software to cyber-crime Banker Trojans like Zeus.
Numerous efforts have been made by the cyber security community as well as by the ad networks themselves, and while this effort has been years in development, it may very well mitigate a large portion of the Malvertisements we find in the wild in 2013. Don’t breathe a sigh of relief just yet, however, because cyber criminals are notorious for finding even more nefarious ways to spread malware when previous attempts have failed.
WordPress sites, a notable service with security like Swiss cheese, took a great hit in their reliability in 2012 because of the widespread operation cyber-criminals employed to exploit the sites and upload malicious code to be activated upon user visitation, A.K.A. drive-by exploits. While WordPress itself is not inherently insecure when used properly, too many users setting up their own WordPress blog failed to secure their server and therefore left it open to exploitation on a grand scale. Incorrectly configured WordPress sites contributed greatly to the massive number of drive-by exploits found in 2012.
In 2013, we will probably see the continued exploitation of WordPress sites. This is not the fault of the WordPress product but rather of the users who set up their own WordPress sites. The users fail to secure their servers, install plugins that are not trusted or forget to apply security patches for their server, leaving them open to exploitation. It may be a very long time before we see a full lock-down of every web server, and in the meantime, drive-by exploits will continue through 2013 and beyond. This puts the responsibility for stopping malware on the user, by disabling vulnerable applications or updating them with the newest security patches.
BlackHole Exploit Kit
It would be rude to talk about Malvertisements and drive-by exploits in 2012 and not mention the BlackHole Exploit Kit. Originally released in 2010, BlackHole has since been constantly improved on, allowing everyone from script kiddies to professional cyber-criminals to set up their own drive-by exploit. While a formidable weapon and malware delivery tool, the most interesting aspect of BlackHole is the fact that the most effective exploits in its arsenal are ones that had been patched long ago. Considering it was responsible for a very large number of web threats in 2012, we can say for sure that many users are not following the basic security principle of updating their software, and they are paying for it in both the metaphorical and the literal sense.
The huge success of BlackHole is evidence that it is not going away any time soon. It will most likely continue to be developed in 2013; however, based on the history of the cyber-crime industry, it may change hands as to who continues to develop it in the future. In addition, BlackHole is not the only exploit kit out there; new ones are popping up all the time with functionality similar to BlackHole’s and an even greater threat. Expect to see an increase in these exploit kits in the news and security blogs in 2013.
Linux Web Server Kernel Malware
The end of 2012 revealed a new type of drive-by attack that is set up by a rootkit developed specifically for Linux web servers. While Linux malware is not unheard of, it is interesting to see attackers taking new approaches to classic attacks by using this malware to automatically inject drive-by exploits into every page hosted by the web server while at the same time remaining completely hidden from unobservant server admins. This technology is still in its infancy, and we will most definitely see how it evolves over the course of the next year or two.
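One way a server admin can catch this kind of injection is to compare what the server actually serves with the file it is supposed to be serving: a rootkit that rewrites responses in flight leaves the published file on disk untouched, so any script, iframe or object that appears only in the served copy is suspect. The Python below is an added example and not code from Malwarebytes or from the author; the two sample pages and the `example.invalid` hostname are constructed for the demonstration, and the `injected_tags` function name is my own.

```python
"""Detect server-side content injection by diffing on-disk HTML against served HTML.

Added illustration (not Malwarebytes' code). A kernel-level rootkit that
rewrites HTTP responses leaves the file under the document root untouched,
so every content-loading tag present in the served page but absent from the
source file is worth investigating. Sample pages below are constructed.
"""
from html.parser import HTMLParser


class _TagCollector(HTMLParser):
    """Collect (tag, source) pairs for elements that can pull in remote content."""

    WATCHED = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            attrs = dict(attrs)
            # <object> uses "data" rather than "src"; record either.
            self.found.append((tag, attrs.get("src") or attrs.get("data") or ""))


def loaders(html):
    """Return the list of (tag, source) pairs found in an HTML document."""
    parser = _TagCollector()
    parser.feed(html)
    return parser.found


def injected_tags(on_disk, as_served):
    """Return tags present in the served response but absent from the file on disk.

    Matching is by (tag, source), so reordering produces no findings while an
    added <iframe> or <script> pointing somewhere new does. Each on-disk tag
    is consumed once, so a duplicated tag in the response also shows up.
    """
    expected = loaders(on_disk)
    findings = []
    for item in loaders(as_served):
        if item in expected:
            expected.remove(item)
        else:
            findings.append(item)
    return findings


# Constructed sample: the page as published under the document root.
ON_DISK = """<html><head><title>Blog</title>
<script src="/js/site.js"></script></head>
<body><p>Hello</p></body></html>"""

# Constructed sample: the same page as fetched over HTTP, with a hidden
# iframe appended to the body (placeholder hostname, not a real indicator).
AS_SERVED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://example.invalid/path" style="display:none"></iframe></body>',
)

if __name__ == "__main__":
    for tag, src in injected_tags(ON_DISK, AS_SERVED):
        print(f"injected <{tag}> loading {src!r}")
```

In practice, feed `injected_tags` the file read from the document root and the body of a request made to the server (with `curl`, for instance). A clean result for the file-versus-served comparison on a page that still attacks visitors points at an infected plugin or template instead, which is where the WordPress cases above differ from this rootkit: there, the malicious code is in the files themselves.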
Additional Drive-By Threats:
This blog post only lists a few of the threats we have seen and expect to see, but malicious advertising, misleading advertising, exploit kits and new types of malware all point to a future where the Internet is riddled with booby-traps and scams. We were able to educate and inform many of our users about many of these threats in 2012.
Other 2013 predictions
New creative methods of spreading malware
In 2012 we saw numerous unique and creative ways in which malware was being spread to the average user. We saw things like expertly designed e-mails meant to convey confidence and earn the trust of the user. We saw malware hijack communication software like Skype to masquerade as a friend and direct users to exploit sites, or even get them to download and execute malware manually on their own system. In addition, the creation, deployment and execution of phishing attacks have become streamlined and are easily done by a novice cyber-criminal. It’s true that 2012 was a great year for creativity when it came to cyber-attacks, but so were 2011, 2010 and the decade before. The evolution of cyber-attacks takes into consideration not only the technological aspect but also the social engineering aspect.
We can expect, without a shadow of a doubt, that the unique and creative lengths cyber-criminals will go to in 2013 to exploit not only the computer system but also the human mind will surpass any that we have seen so far. The cyber-security industry will continue to develop new protections to try to prevent the efforts of the cyber-criminal. It will also continue to educate the user, just as this blog post is meant to do, in order to arm the average person with the mental defenses to stay away from the increasingly believable methods of cyber-criminals.
Toolbars for Everyone
Adware producers that have worked hard to get white-listed by all vendors will also continue to work hard on deals that get them bundled with other software. The strategic move to bundle toolbars with many freeware security apps ensures that this will remain unchallenged in 2013. Users will demand that adware like Babylon be blocked and/or removed by security software, but the industry as a whole will not listen or care due to its own lucrative toolbar ventures. In 2013 the question will move further from "does this freeware install a toolbar" toward "what toolbar does this freeware install".
Malware Harvesting and Testing will change
Testing of security software will continue to move away from completely fictional "right click a pile of files" based testing and towards real world testing based on real attack scenarios that users actually face. The vendors that enjoy completely fictional "100% detection" results from certain tests will resist this move or attempt to influence it and in certain cases drop out of testing completely.
BYOD is a very real security risk
The average user now uses multiple electronic devices to stay connected to the rest of the world. No longer are they limited to staying at home, in front of a computer, or in an office using a controlled device. Users now use their cell phones to check their mail and pay bills; tablets and laptops do the same, all available everywhere they go. This is obviously not new, but it is nonetheless clear evidence that the next attack vector for not only our own personal information but also that of corporations and organizations is mobile devices.
A user, ignorant of common security practices, might attempt to get around the administrative restrictions placed on his work computer by connecting to the company’s Wi-Fi network and using a tablet or cell phone to search for ‘Funny Internet Videos’. This results in the company’s attempts to secure individual workstations being completely bypassed, allowing malicious software to break in. As mobile malware continues to develop for new and powerful mobile devices, it will have no problem infecting the target device, be it a cell phone or a tablet PC. It can then scan for vulnerabilities in the network, send malicious traffic or even steal passwords to disable the network’s security, allowing cyber-criminals to run rampant inside the corporation. As I said previously, mobile malware and the widespread use of mobile devices on previously secured networks are not new, and it has always been a recipe for disaster. In 2013, we may very well see how bad it can get.
A change in the way people use the internet
Over the last few years, society has been on a "trial period" when it came to using the Internet and dealing with cyber threats. If a person decided to post personal information on Twitter, Facebook, Google+, etc., they could do it without needing to worry too much about having their identities, login credentials, etc. stolen. Over the last year, we have seen examples of the speed at which cyber criminals and scammers are developing new technologies in the form of exploits, malware and social engineering to obtain a person’s private information or gain access to their private lives. 2013 may be the year that the training wheels come off for the average person using the Internet: they will need to become smarter, be better prepared with the correct tools and be more vigilant, because attacks are going to come at them from all angles and the bad guys are not going to hold anything back.
Where we stand
After all this talk about how 2012 kicked everyone’s butt when it came to malware, exploits and other threats, you might be wondering where we stand. The reality is that the cyber-security industry is starting to get a handle on the problems. While there is still a significant gap in the race for cyber dominance, new legislation and public outcry have allowed the cyber security industry to flourish and therefore develop new and powerful countermeasures to malware that are faster and more effective than ever before.
Countermeasures for next year
It is never easy to predict the type of threats that one might face so early in the year, let alone what countermeasures will be effective in stopping them. However, this blog has suggested many different measures and guidelines for the average user to follow to stay protected from even the most heinous threats out there right now. Here is a list of a few of them:
- Keep all software (Flash, Adobe, Java and the operating system) up to date with the latest security patches
- Disable things like Java or Flash in your browser unless you absolutely need them
- Use Ad Blocking software in your browser to prevent you from ever coming in contact with malicious advertisements
- Never trust any link sent to you by anyone unless you are using a secure method of communication, and even then, if you are suspicious about a link, paste it into Google to get an idea of where it goes without exposing your system to threats.
- Never pay fines if faced with Ransomware or follow the directions of anyone holding your system hostage. The best thing to do is find a different system and search on the Internet to determine what the threat is and how to remove it. You can always seek the assistance of the Malwarebytes Forum Support experts without paying a dime and they are happy to help.
- If you really want to be safe, using a virtual machine, a sandbox application and/or a Virtual Private Network gives you the best chance of avoiding online threats while still being able to surf without constant suspicion. However, using these tools does require a fair amount of technical knowledge, and you should seek assistance online to learn how to obtain and use them.
As with any year’s passing, we tend to reflect on the lessons we have learned and the experiences we had, and hope that this newfound knowledge will assist us in the coming year. I can say for sure that there can be no better training course to prepare an individual or community for the threats of 2013 than the lessons of 2012. We are likely to face similar threats that can easily be avoided and protected against, but at the same time we will face threats the likes of which have never been seen before, and probably the creation of methods, ideas and software that will forever shape the way we use our computers. In conclusion, the best thing to do is keep calm, use common sense and keep yourself protected, and you will most likely be fine. Have a great 2013, thanks for reading and stay safe.
Adam Kujawa is a computer scientist with over eight years’ experience in reverse engineering and malware analysis. He has worked at a number of United States federal and defense agencies, helping these organizations reverse engineer malware and develop defense and mitigation techniques.
Adam has also previously taught malware analysis and reverse engineering to personnel in both the government and private sectors. He is currently the Malware Intelligence Lead for the Malwarebytes Corporation. Follow him on Twitter @Kujman5000