Security ThreatReport 2013         New Platforms and Changing Threats
Table of contents                                                                                                         ...
OS X and the Mac: More users, emerging risks .  .  .  .  .  .  .  .  .  .  .  .  . 21       Fake antivirus and Flashback: ...
Security Threat Report 2013
Foreword             Reflecting on a very busy year for cyber security, I would like to highlight some key observations   ...
2012 in review:New platforms andchanging threatsIn 2012, we saw attackers extend their reach to moreplatforms, from social...
In the wake of these growing risks, 2012 also    Widening attacks related tosaw good news. This year, IT organizations    ...
2012 in review: New platforms and changing threatsWith 1 billion users, Facebook remains the       Emerging risks to cloud...
Dropbox has since improved security                 ÌÌ Can you prevent snapshotting of virtualby introducing optional two-...
Blackhole: Today’smalware market leaderFeaturing research by SophosLabsA close inspection of Blackhole reveals just howsop...
Between October 2011 and March 2012,             Four stages of the Blackholenearly 30% of the threats detected by        ...
Blackhole: Today’s malware market leader   the Blackhole server. This identifies the      4.Tracking, learning and improvi...
What we’re doing about Blackhole, and what you can doAt SophosLabs, we track Blackhole 24/7,             3.		 lock comprom...
Java attacks reachcritical massThis was a rough year for Java in the browser. Majornew vulnerabilities repeatedly battered...
Many users today have little or no need for         Major organizations still leave users’browser-based Java programs, kno...
Java attacks reach critical mass                                   So, what can you learn from data loss—beyond thatLearn ...
Android:Today’s biggest targetFeaturing research by SophosLabsOver 100 million Android phones shipped in the secondquarter...
Android: Today’s biggest targetUnsophisticated, but profitable:                                                           ...
Joining the botnet                             Capturing your messages and                                                ...
Android: Today’s biggest targetPUAs: Not quite malware, but still risky                        Mitigating the risks while ...
ÌÌ 	 hen you authorize app stores, limit users to apps with   W   a positive history and a strong rating.                 ...
Diverse platforms andtechnologies widenopportunities for attackOnce, almost everyone ran Windows.Attackers attacked Window...
Here is a sampling of security breaches in        Ransomware returns for an2012, offering a taste of what we all must     ...
Diverse platforms and technologies widen opportunities for attackThis attack can be defeated by rebooting         In nearl...
OS X and the Mac:More users,emerging risksFeaturing research by SophosLabsMost malware developers have found it more profi...
OS X and the Mac: More users, emerging risksFake antivirus and Flashback:Learning from Windows malware, gaining agilityIn ...
Morcut/Crisis: More sophisticated and                                                                 Learn more aboutpote...
OS X and the Mac: More users, emerging risksWindows malware hiding quietly on Macs                              Recent OS ...
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
2013 Security Report by Sophos
Upcoming SlideShare
Loading in...5

2013 Security Report by Sophos


Published on

1 Comment
  • Dear Sir
    I am a PhD student at university utara Malaysia, and I try to find statistic index for Smartphone and laptop users among Malay people, in other word my search aim to conduct short life for “consumer convert their own device to a innovation” “communication product” like Smartphone, laptop, internet supplement device, till know I don’t found sciences research discuss it or a statistic index related to it.
    From your kindness and as you are a scholars could you help me in this issue, and lead me to credible information connect to the matter as I mansion it above, I will be thankful to you.
    May name is Hazem Mohammad
    PhD student, uum University, COB COLLEGE, SBM school
    Cell 0133 215 411
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Transcript of "2013 Security Report by Sophos"

  1. 1. Security ThreatReport 2013 New Platforms and Changing Threats
  2. 2. Table of contents GraphicsForeword. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Survey: Email education . . . . . . . . 32012 in review: Blackhole. . . . . . . . . . . . . . . . . 7New platforms and changing threats . . . . . . . . . . . . . . . . . . . . . . . 2 Countries hosting Blackhole . . . . . . 9 Widening attacks related to Facebook and other Survey: Smartphone spam. . . . . . 15 social media platforms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Survey: Android app consideration. 17 Emerging risks to cloud services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Survey: Web browser. . . . . . . . . 19 Mac OS X malware snapshot. . . . . 22Blackhole: Today’s malware market leader. . . . . . . . . . . . . . . . . . 6 Top 12 spam producing countries. . 27 Four stages of the Blackhole life cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Spam sources by continent. . . . . . 27 What we’re doing about Blackhole, and what you can do. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Threat exposure rate . . . . . . . . . 29Java attacks reach critical mass . . . . . . . . . . . . . . . . . . . . . . . . . . 10 So, what can you learn from data loss—beyond that you don’t want it to happen to you?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 VideosAndroid: Social engineering explained. . . . . . 3Today’s biggest target. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Cloud storage and BYOD . . . . . . . . 4 Unsophisticated, but profitable: Introducing SophosLabs. . . . . . . . .8 Fake software, unauthorized SMS messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Blackhole. . . . . . . . . . . . . . . . . 8 Joining the botnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Android malware. . . . . . . . . . . . 14 Capturing your messages and your bank account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Ransomware. . . . . . . . . . . . . . 20 PUAs: Not quite malware, but still risky. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Mac malware . . . . . . . . . . . . . . 23 Mitigating the risks while they’re still manageable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Long tail . . . . . . . . . . . . . . . . . 30Diverse platforms and technologieswiden opportunities for attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Ransomware returns for an encore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Security Threat Report 2013
  3. 3. OS X and the Mac: More users, emerging risks . . . . . . . . . . . . . 21 Fake antivirus and Flashback: Learning from Windows malware, gaining agility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 . . Morcut/Crisis: More sophisticated and potentially more dangerous. . . . . . . . . . . . . . . . . 23 Windows malware hiding quietly on Macs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Recent OS X security improvements and their limitations. . . . . . . . . . . . . . . . . . . . . . . . . . 24 Implementing a comprehensive Mac anti-malware solution. . . . . . . . . . . . . . . . . . . . . . . . 25Authorities make high-profile malwarearrests and takedowns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Growth of dangerous targeted attacks . . . . . . . . . . . . . . . . . . . . . 28Polymorphic and targeted attacks: The long tail . . . . . . . . . . . . 30 Polymorphism: Not new, but more troublesome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Countering server-side polymorphism. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Targeted attacks: narrow, focused and dangerous . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Defense-in-depth against SSP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Complete security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Explore your two paths to complete security with Sophos . . . . . . . . . . . . . . . . . . . . . . . . . 34What to expect in 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35The last word. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Adware Adware is software that displays advertisements on your computerSecurity Threat Report 2013
  4. 4. Security Threat Report 2013
  5. 5. Foreword Reflecting on a very busy year for cyber security, I would like to highlight some key observations for 2012. No doubt, the increasing mobility of data in corporate environments is one of the biggest challenges we faced in the past year. Users are fully embracing the power to access data from anywhere. The rapid adoption of bring your own device (BYOD) and cloud are really accelerating this trend, and providing new vectors of attack. Another trend we are seeing is the changing nature of the endpoint device, transforming organizations from a traditional homogeneous world of Windows systems to an environment of diverse platforms. Modern malware is effective at attacking new platforms and we are seeing rapid growth of malware targeting mobile devices. While malware for Android was just a lab example a few years ago, it has become a serious and growing threat. BYOD is a rapidly evolving trend, and many of our customers and users actively embrace this trend. Employees are looking to use their smartphone, tablet, or next generation notebook to connect to corporate networks. That means IT departments are being asked to secure sensitive data on devices they have very little control over. BYOD can be a win-win for users and employers, but the security challenges are real while boundaries between business and private use are blurring. It raises questions on who owns, manages and secures devices and the data on them. Finally, the web remains the dominant source of distribution for malware—in particular, malware using social engineering or targeting the browser and associated applications with exploits. For example, malware kits like Blackhole are a potent cocktail of a dozen or more exploits that target the tiniest security holes and take advantage of missing patches. Cybercriminals tend to focus where the weak spots are and use a technique until it becomes less effective, and then move on to the next frontier. Security is at the heart of this revolution of BYOD and cloud. Protecting data in a world where systems are changing rapidly, and information flows freely, requires a coordinated ecosystem of security technologies at the endpoint, gateway, mobile devices and in the cloud. IT security is evolving from a device-centric to a user-centric view, and the security requirements are many. A modern security strategy must focus on all the key components—enforcement of use policies, data encryption, secure access to corporate networks, productivity and content filtering, vulnerability and patch management, and of course threat and malware protection. Best wishes, Gerhard Eschelbeck CTO, SophosSecurity Threat Report 2013 1
  6. 6. 2012 in review:New platforms andchanging threatsIn 2012, we saw attackers extend their reach to moreplatforms, from social networks and cloud services toAndroid mobile devices. We saw them respond to newsecurity research findings more rapidly, and leveragezero-day exploits more effectively.In the past year the most sophisticated malware authors upped the stakes with newbusiness models and software paradigms to build more dangerous and sustained attacks.For instance, the creators of Blackhole, an underground malware toolkit delivered throughSoftware-as-a-Service rental arrangements (aka crime packs), announced a new version.They acknowledged the success of antivirus companies in thwarting their activities, andpromised to raise their game in 2012.Private cybercriminals were apparently joined by state-based actors and allies capable ofdelivering advanced attacks against strategic targets. We saw reports of malware attacksagainst energy sector infrastructure throughout the Middle East, major distributeddenial-of-service attacks against global banks, and targeted spearphishing attacks againstkey facilities.More conventionally, attackers continued to target thousands of badly-configured websitesand databases to expose passwords and deliver malware—yet again demonstrating the needfor increased vigilance in applying security updates and reducing attack surfaces. Meanwhile,a new generation of victims found themselves on the wrong end of payment demands fromcybercriminals, as social engineering attacks such as fake antivirus and ransomwarecontinued unabated.Security Threat Report 2013 2
  7. 7. In the wake of these growing risks, 2012 also Widening attacks related tosaw good news. This year, IT organizations Learn more aboutand other defenders increasingly recognized Facebook and other attacks related tothe importance of layered defenses. Many social media platforms social media platformsorganizations began to address the security challenges of smartphones, tablets, and Throughout 2012, hundreds of millions ofbring your own device (BYOD) programs. Four Data Threats in a users flocked to social networks—and soEnterprises moved to reduce their exposure Post-PC World did attackers. They built creative new socialto vulnerabilities in platforms such as Java engineering attacks based on key userand Flash; and to demand faster fixes from concerns such as widespread skepticismtheir platform and software suppliers. 2 Beth Jones of about Facebook’s new Timeline interface, SophosLabs explains socialNot least, law enforcement authorities or users’ natural worries about newly posted engineeringachieved significant victories against images of themselves. Attackers alsomalware networks—including the arrest moved beyond Facebook to attack maturingof a Russian cybercriminal charged with platforms such as Twitter, and fast-growinginfecting 4.5 million computers with the services such as the Pinterest social content Naked Security Surveygoal of compromising bank accounts; and sharing network. Should businesses foolthe sentencing in Armenia of the individual employees into opening In September 2012, Sophos reportedresponsible for the massive Bredolab botnet. inappropriate emails with the the widespread delivery of Twitter direct aim of education?Yet another good sign: Microsoft’s aggressive messages (DMs) from newly-compromisedlawsuit against a China-based Dynamic DNS accounts. Purportedly from online friends,service that enabled widespread cyber crime, 1 these DMs claim you have been capturedincluding operation of the Nitol botnet . The in a video that has just been posted onlawsuit’s filing and settlement demonstrated Facebook. If you click the link in the DM,those who facilitate cyber crime can be held you’re taken to a website telling you toas accountable as the criminals themselves. upgrade your “YouTube player” to viewIn 2013, as computing increasingly shifts to the video. If you go any further, you’ll bevirtualized cloud services and mobile infected with the Troj/Mdrop-EML 3platforms, attackers will follow, just as they backdoor Trojan.always have. This means IT organizations September also saw the first widespreadand users will need to ask tough new Yes 85.21% account takeovers on Pinterest. Thesequestions of their IT service providers and attacks spilled image spam onto other No 14.79%partners; become more systematic about social networks such as Twitter and Based on 933 respondents votingprotecting diverse devices and network Facebook. Victimized users who had linked Source: Naked Securityinfrastructure; and become more agile about their Pinterest accounts to these networksresponding to new threats. We’ll be there to found themselves blasting out tweetshelp—every minute of every day. and wall posts encouraging their friends to participate in disreputable work-at-home 4 schemes.Security Threat Report 2013 3
  8. 8. 2012 in review: New platforms and changing threatsWith 1 billion users, Facebook remains the Emerging risks to cloudnumber one social network—and hence, the Learn more abouttop target. In April, Sophos teamed with services cloud servicesFacebook and other security vendors to help improve Facebook’s resistance to malware. In 2012, the financial and managementFacebook now draws on our massive, up-to- advantages of cloud services attracted many Adopting Cloudthe-minute lists of malicious links and scam IT organizations. In addition to expanding Services With Persistentsites to reduce the risk that it will send its their reliance on hosted enterprise software Encryption 5users into danger. Of course, this is only one and more informal services such as thecomponent of the solution. Researchers at Dropbox storage site, companies have alsoSophos and elsewhere are working to find Fixing Your Dropbox begun investing more heavily in privatenew approaches to protecting users against Problem clouds built with virtualization network attacks. This move raises more questions about whatFor example, Dark Reading reported that cloud users can and should do to keep the CTO Gerhardcomputer scientists at the University organization secure and compliant. Eschelbeck explains cloudof California, Riverside have created an Cloud security drew attention in 2012 with storage and BYODexperimental Facebook app that is claimed Dropbox’s admission that usernames andto accurately identify 97% of social malware passwords stolen from other websites had 6and scams in users’ news feeds. Innovations been used to sign into a small number ofsuch as social authentication—in which its accounts. A Dropbox employee had usedFacebook shows you photos of your friends, the same password for all his accounts,and asks you to identify them, something including his work account with access tothat many hackers presumably can’t sensitive data. When that password was 7do—may also prove helpful. stolen elsewhere, the attacker discovered that it could be used against Dropbox. This was a powerful reminder that users should rely on different passwords for each secure site and service. Dropbox is no stranger to cloud authentication problems, having accidentally removed all password protection from all its users’ files 8 in 2011 for nearly four hours. Also, VentureBeat reported that the company’s iOS app was storing user login credentials in unencrypted text files—where they would be visible to anyone who had physical access to the phone.Security Threat Report 2013 4
  9. 9. Dropbox has since improved security ÌÌ Can you prevent snapshotting of virtualby introducing optional two-factor servers that capture current operating 9authentication, but its problems raise memory images—including all workingbroader issues. In May 2012, the Fraunhofer encryption keys? Some experts, such asInstitute for Secure Information Technology Mel Beckman or System iNEWS, believereported on vulnerabilities associated with this rules the public cloud off-limits inregistration, login, encryption, and shared environments where legal compliance 10data access on seven cloud storage sites. requires physical control of hardware, 13 e.g., HIPAA.It’s worth noting that Dropbox and someother sites already encrypt data in storage It’s a cloudy world, but when and if youand transit, but this only protects data that decide to use cloud services, the followinghas not been accessed using a legitimate three steps can help you protect your data:user ID and password. Data stored on public 1. Apply web-based policies using URLcloud systems is subject to the surveillance filtering, controlling access to public cloudand interception laws of any of the jurisdictions storage websites and preventing usersin which those cloud systems have servers. from browsing to sites you’ve declaredDropbox’s difficulties have called greater off-limits.attention to cloud security in general. With 2. Use application controls to block or allowpublic cloud services and infrastructure particular applications, either for thebeyond the control of the IT organization, entire company or for specific should companies approach securityand compliance? Two-factor (or multi-factor) 3. Automatically encrypt files before theyauthentication is a must. But is it enough? are uploaded to the cloud from anyConsider issues such as these: managed endpoint. An encryption solution allows users to choose their preferredÌÌ How will you manage “information cloud storage services, because the files leakage”? Specifically, how do you know if are always encrypted and the keys are malicious insiders are forwarding sensitive always your own. And because encryption information to themselves, where it will takes place on the client before any data 11 remain available even if they’re fired? is synchronized, you have full control of the safety of your data. You won’t have toÌÌ How are you vetting suppliers and worry if the security of your cloud the administrators who operate their storage provider is breached. Central keys systems? Are you applying the same give authorized users or groups access strict standards and contractual to files and keep these files encrypted for requirements you demand from other everyone else. Should your web key go business-critical partners who see missing for some reason—maybe the user 12 confidential or strategic data? simply forgot the password—the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.Security Threat Report 2013 5
  10. 10. Blackhole: Today’smalware market leaderFeaturing research by SophosLabsA close inspection of Blackhole reveals just howsophisticated malware authors have become. Blackholeis now the world’s most popular and notorious malwareexploit kit. It combines remarkable technical dexteritywith a business model that could have come straightfrom a Harvard Business School MBA case study.And, barring a takedown by law enforcement, securityvendors and IT organizations are likely to be battling itfor years to come.An exploit kit is a pre-packaged software tool that can be used on a malicious web server tosneak malware onto your computers without you realizing it. By identifying and making useof vulnerabilities (bugs or security holes) in software running on your computer, an exploit kitcan automatically pull off what’s called a drive-by install. This is where the content ofa web page tricks software—such as your browser, PDF reader or other online contentviewer—into downloading and running malware silently, without producing any of the warningsor dialogs you would usually expect. Like other exploit kits, Blackhole can be used to delivera wide variety of payloads. Its authors profit by delivering payloads for others, and they havedelivered everything from fake antivirus and ransomware to Zeus and the infamous TDSSand ZeroAccess rootkits. Blackhole can attack Windows, OS X, and Linux. It is an equal-opportunity victimizer.Security Threat Report 2013 6
  11. 11. Between October 2011 and March 2012, Four stages of the Blackholenearly 30% of the threats detected by Blackhole representsSophosLabs either came from Blackhole life cycle 27% of exploit sitesdirectly, or were redirects to Blackhole and redirectskits from compromised legitimate sites. 1. ending users to a Blackhole SBlackhole is distinguished not only by its In 2012 more than 80% of exploit sitesuccess, but by its Software-as-a-Service the threats we saw wererental model, similar to much of today’s The attackers hack into legitimate redirects, mostly from websites and add malicious content legitimate sites that havecloud-based software. Weekly rental rates (usually snippets of JavaScript) that been hacked. A powerfulare specified (in Russian) right in the kit’s generate links to the pages on their warning to keep your siteaccompanying read me file, along with secure and your serversurcharges for additional domain services. Blackhole site. When unsuspecting users scripts and applications upLike legitimate vendors of rental software, visit the legitimate site, their browsers to date.Blackhole’s authors offer updates free for also automatically pull down the exploit 14the life of the subscription. kit code from the Blackhole server.Customers who want to run their own Blackhole host sites change quickly.Blackhole servers can purchase longer Freshly registered domains are normallylicences. But the version of the Blackhole kit used to host Blackhole, typically acquiredthat these customers receive is extensively through the abuse of dynamic DNSobfuscated. This is one of several steps services such as ddns.,,that Blackhole’s authors have taken to keep and These hosts oftencontrol over their product. We haven’t yet disappear within one day. Blackhole’sseen Blackhole spin-offs from unrelated ability to consistently send traffic to theauthors, though Blackhole has been correct new hosts shows an impressive level of centralized control. Exploit site 0.7%aggressively updated, and other authors (Blackhole)are borrowing its techniques. Blackhole has multiple strategies to Drive-by redirect 26.7% control user traffic. We’ve recently seen (Blackhole) its owners abuse affiliate schemes. Web hosts voluntarily add Blackhole Exploit site 1.8% code in exchange for a small payment, (not Blackhole) perhaps without realizing what the code Payload 7.5% will do. We’ve also seen Blackhole use Drive-by redirect 58.5% old-fashioned spammed email links and (not Blackhole) attachments. For example, links that indicate problems with a bank account, SEO 1.1% or claim to provide a scanned document. Fake antivirus 0.4% 2. oading infected code from the L Other 3.4% landing page Source: SophosLabs Once your browser sucks in the exploit kit content from the Blackhole server, the attack begins. The exploit code, usually JavaScript, first works out and records how your browser arrived atSecurity Threat Report 2013 7
  12. 12. Blackhole: Today’s malware market leader the Blackhole server. This identifies the 4.Tracking, learning and improving affiliates who generate the traffic in the Learn more about Blackhole keeps a record of which first place, so they can be paid just like exploits worked with what combination Blackhole affiliates in the legitimate economy. Then of browser, operating system and the exploit code fingerprints, or profiles, plugins. This way, Blackhole’s authors Malware B-Z: Inside the your browser to identify what operating can measure which exploits are most Threat From Blackhole to system you are using, which browser effective against each combination of ZeroAccess version you have, and whether you have browser, plugin, and underlying operating plugins installed for Flash, PDF files, Java system. This tracking technique isn’t applets and more. uncommon, but Blackhole’s authors Mark Harris introduces While we’ve seen attacks based on many have been diligent in updating their kit SophosLabs types of vulnerabilities, security holes in to reflect what they discover. Java appear to be the leading cause of Blackhole is equally good attaking Blackhole infections. Here, again, Blackhole Fraser Howard of advantage of new zero-day vulnerabilities. uses legitimate code wherever possible. SophosLabs explains For example, in August 2012 it targeted For example, it loads its exploit code Blackhole a highly-publicized vulnerability in through the Java Open Business Engine, Microsoft Help and Support Center to which has been used to support a wide deliver poisoned VBS scripts. Blackhole variety of workflow applications and launched a new attack based on systems, including the U.S. president’s 15 a dangerous new Java 7 vulnerability daily Terrorist Threat Matrix report. (CVE-2012-4681) that allows infected code to compromise Java’s permission 16 checking system. Remarkably, 123. Delivering the payload hours after a proof-of-concept for this Once a victim’s system has been cracked, Java attack went public, it was already 17 Blackhole can deliver the payload included in Blackhole. Oracle, in turn, it’s been directed to send. Payloads are delivered an emergency patch by the typically polymorphic—they vary with end of August, but many systems each new system that’s been infected. remain unpatched. Blackhole’s authors have been aggressive Given the level of sophistication and about using advanced server-side agility shown by Blackhole’s authors, polymorphism and code obfuscation. we have been surprised that they’ve Since they maintain tight central control, left some portions of their kit essentially they can deploy updates with exceptional stagnant. For example, URL paths, speed. Compared with other exploit kits filenames, and query string structure. that attackers purchase and host, we see SophosLabs expects this to change in rapid shifts in Blackhole’s behavior and the future, opening new opportunities effectiveness. Blackhole payloads also for Blackhole’s authors to improve typically use custom encryption tools their attacks. designed to evade antivirus detection. Those tools are added by Blackhole’s customers, and Blackhole contributes with an optional service that actively checks antivirus functionality on each system it attempts to attack.Security Threat Report 2013 8
  13. 13. What we’re doing about Blackhole, and what you can doAt SophosLabs, we track Blackhole 24/7, 3. lock compromised legitimate websites Bmaking sure that our generic detection and exploit sites through a combinationand reputation filtering keep up with this of reputation filtering and contentchanging exploit kit. Whenever Blackhole detection technologies, and use contentlearns how to counter them, we rapidly detection to block payloads. Note thatroll out updates as needed via the cloud. reputation filtering can often block exploitWe also apply cutting-edge techniques sites before content detection occurs, butfor identifying and analyzing server-side it is not foolproof by itself.polymorphic attacks such as Blackhole. 4. eter or reduce social engineering DOn your end, the best defense against attacks that originate with spam withBlackhole is a defense in depth. up-to-date spam filters and more active user education.1. uickly patching operating systems and Q applications is always important, and it’s 5. f your endpoint security product has I best to automate your patching process. HIPS (host intrusion prevention system) features, use them for added protection2. o reduce the attack surface, disable T against new or modified exploits. vulnerable systems such as Java and Flash wherever you don’t need them.Where are Blackhole exploit sites being hosted? Countries hosting Blackhole exploit sites (2012) Brazil 1.49% Italy 5.75% Great Britain 2.24% Chile 10.77% Netherlands 2.55% Russia 17.88% Germany 3.68% United States 30.81% China 5.22% Other 13.88% Turkey 5.74% Source: SophosLabsSecurity Threat Report 2013 9
  14. 14. Java attacks reachcritical massThis was a rough year for Java in the browser. Majornew vulnerabilities repeatedly battered Java browserplugins, encouraging many organizations to get rid ofJava in the browser if possible.In April, more than 600,000 Mac users found themselves recruited into the globalFlashback, or Flashplayer botnet, courtesy of a Java vulnerability left unpatched on OS Xfor far too long. After Apple issued a removal tool and a Java patch, Oracle assumed directresponsibility for publishing Java for OS X in the future, and promised to deliver Javapatches for OS X and Windows and to release OS X Java patches at the same time as 18those for Windows.Oracle’s Java developers were soon called upon to deliver prompt patches. Within days ofthe discovery of a new zero-day vulnerability affecting Java 7 on all platforms and operatingsystems, the flaw was already being exploited in targeted attacks, was integrated into 19the widely used Blackhole exploit kit, and had even shown up in a bogus Microsoft 20Services Agreement phishing email. According to one detailed analysis, this exploitenabled untrusted code to access classes that should be off-limits, and even disabled the 21Java security manager.As Oracle had promised, it released an out-of-band fix more rapidly than some observershad expected. But, within weeks, more major Java flaws surfaced. Security Explorations,the same researchers who discovered the first flaw, found another way to bypass Java’s 22secure application sandbox—this time, not just on Java 7, but also on Java 5 and 6, andin all leading browsers. The new exploit put 1 billion devices at risk.Security Threat Report 2013 10
  15. 15. Many users today have little or no need for Major organizations still leave users’browser-based Java programs, known asapplets. JavaScript and other technologies passwords vulnerablehave largely taken over from applets insidethe browser. Unless you genuinely need, Password vulnerabilities ought to be a rarity. Well-knownand know you need, Java in your browser, and easily-followed techniques exist for generating,Sophos recommends that you turn it off. using and storing passwords that should keep bothOur website offers detailed instructions for individuals and organizations safe. Yet in 2012 we sawdoing so within Internet Explorer, Firefox, one massive password breach after another, at a slew of 23Google Chrome, Safari, and Opera. high profile organizations.If you do rely on websites that require Java, ÌÌ ussian cybercriminals posted nearly 6.5 million LinkedIn Rconsider installing a second browser and passwords on the Internet. Teams of hackers rapidly wentturning Java on in that browser only. Use to work attacking those passwords, and cracked moreit for your Java-based websites only, and than 60% within days. That task was made simpler by thestick to your Java-disabled main browser fact that LinkedIn hadn’t “salted” its password databasefor everything else. 24 with random data before encrypting it.Java isn’t the only plugin platform that’scaused security headaches. In previous ÌÌ ating website eHarmony quickly reported that some 1.5 Dyears, Adobe’s Flash has also been million of its own passwords were uploaded to the web 25victimized by high-profile exploits. Fortunately, following the same attack that hit LinkedIn.the need for browser plugins such as Flash isdiminishing. HTML5-enabled browsers have ÌÌ ormspring discovered that the passwords of 420,000 of Fcapabilities such as playing audio and video its users had been compromised and posted online, andbuilt in, making customary plugins obsolete. instructed all 28 million of the site’s members to change 26 their passwords as a precaution. ÌÌ ahoo Voices admitted that nearly 500,000 of its own Y 27 emails and passwords had been stolen. ÌÌ ultinational technology firm Philips was attacked by M the r00tbeer gang. The gang walked away with thousands of names, telephone numbers, addresses 28 and unencrypted passwords. ÌÌ EEE, the world’s largest professional association for I the advancement of technology, left a log file of nearly 400 million web requests in a world-readable directory. Those requests included the usernames and plain text 29 passwords of nearly 100,000 unique users.Security Threat Report 2013 11
  16. 16. Java attacks reach critical mass So, what can you learn from data loss—beyond thatLearn more aboutmodern threats you don’t want it to happen to you? If you’re a user: Train your employees tosteer clear of trouble with ÌÌ Use stronger passwords—and use a different one for each site that storesour free toolkit. information you care about. ÌÌ Use password management software, such as 1Password, KeePass, or Five Tips to Reduce LastPass. Some of these tools will even generate hard-to-crackRisk From Modern Web passwords for you. 30Threats If you’re responsible for password databases: ÌÌ on’t ever store passwords in clear text. D ÌÌ Always apply a randomly-generated salt to each password before hashing and encrypting it for storage. ÌÌ Don’t just hash your salted password once and store it. Hash multiple times to increase the complexity of testing each password during an attack. It’s best to use a recognized password crunching algorithm such as bcrypt, scrypt or PBKDF2. ÌÌ Compare your site’s potential vulnerabilities to the OWASP Top Ten security risks, especially potential password vulnerabilities associated with 31 broken authentication and session management. ÌÌ inally, protect your password database, network and servers with F layered defenses.Security Threat Report 2013 12
  17. 17. Android:Today’s biggest targetFeaturing research by SophosLabsOver 100 million Android phones shipped in the secondquarter of 2012 alone. In the U.S., a September 2012 32survey of smartphone users gave Android a whopping52.2% market share. Targets this large are difficult for 33malware authors to resist. And they aren’t resisting—attacks against Android are increasing rapidly. In thesepages, we’ll share some examples, and offer someperspective. We’ll ask: How serious are these attacks?Are they likely to widen or worsen? And what reasonablesteps should IT organizations and individuals take toprotect themselves?Security Threat Report 2013 13
  18. 18. Android: Today’s biggest targetUnsophisticated, but profitable: Learn more aboutFake software, unauthorized SMS messages mobile device managementToday, the most common business model Andr/Boxer presents messages in Russianfor Android malware attacks is to install and has disproportionately attacked Eastern fake apps that secretly send expensive European Android users who visit sites Free tool: Mobilemessages to premium rate SMS services. where they’ve been promised photos of Security for AndroidRecent examples have included phony attractive women.versions of Angry Birds Space, Instagram, 34 When they arrive at these sites, usersand fake Android antivirus products. In May Mobile Security Toolkit see a webpage that is carefully crafted2012, UK’s mobile phone industry regulator to entice them to download and install adiscovered that 1,391 UK Android users malicious app. For example, the userhad been stung by one of these scams. Mobile Device might be prompted (in Russian) to install aThe regulator fined the firm that operated Management Buyers Guide fake update for products such as Opera orthe payment system involved, halted Skype. Or, in some cases, a fake antivirusfund transfers, and demanded refunds for scan is run, reports false infections, and When Malware Goesthose who’d already paid. However, UK recommends the installation of a fake Mobileusers represented only about 10% of this antivirus program. Once installed, themalware’s apparent victims—it has been new app begins sending expensive SMSseen in at least 18 countries. messages. Many of these Trojans install Vanja Svajcer ofCurrently, one family of Android malware, with what Android calls the INSTALL_ SophosLabs explainsAndr/Boxer, accounts for the largest number PACKAGES permission. That means they Android malwareof Android malware samples we see, roughly can download and install additionalone third of the total. Linked to .ru domains malware in the future.hosted in the Ukraine, Android threats accelerate In Australia and the U.S., Sophos is now reporting Android threat exposure rates exceeding those of PCs. Android Threat Exposure Rate Android TER PC TER 60 50 40 30 20 10 Australia Brazil United Others Malaysia Germany India France United Iran States Kingdom Threat exposure rate (TER): Measured as the percentage of PCs and Android devices that experienced a malware attack, whether successful or failed, over a three month period. Source: SophosLabsSecurity Threat Report 2013 14
  19. 19. Joining the botnet Capturing your messages and Naked Security Survey your bank account Is smartphone SMS/TXTUntil recently, most fake software attacks spam a problem for you?we’ve seen on Android have been relativelyunsophisticated. For example, some use We have also begun to see Androidprimitive polymorphic methods that involve malware that eavesdrops on incoming SMSrandomizing images, thereby changing messages and forwards them to anotherchecksums to avoid detection. Leading SMS number or server. This sort of datasecurity companies learned how to defeat leakage represents a significant risk, boththis tactic many years ago. to individuals and to organizations.But the attackers are making headway. The potential exists for attacks like theseFor example, consider the malware-infected to target Internet banking services that sendeditions of Angry Birds Space we saw in mobile transaction authentication numbersApril 2012 (Andr/KongFu-L). Again, available via SMS. Many banks send authenticationonly through unofficial Android app markets, codes to your phone via SMS each time Yes 43.78%these Trojans play like the real game. But you do an online transaction. This means that just stealing a login password is no It was, but I they also use a software trick known as the longer enough for criminals to raid your downloadedGingerBreak exploit to gain root access, an app and it isinstall malicious code, and communicate account. But malware on your phone, such sorted now 2.36%with a remote website to download and as the Zeus-based Andr/Zitmo (and similar versions targeting BlackBerry) are capable No—I rarely/never install additional malware. This allows of intercepting those SMS messages. received an SMSthese Trojans to avoid detection and text spam on myremoval, while recruiting the device into Consider the following hypothetical scenario. phone 45.29%a global botnet. Through a conventional phishing attack, a Based on 552 votes victim gives criminals sufficient information Source: Naked Security to allow them to sign in to your mobile banking account and also port your phone number (this has happened). They can now log in to your online bank account while also receiving an SMS containing the second-factor authentication token needed to complete a transaction. Through the use of a malicious Android app that harvests SMS messages in real time and in concert with a social engineering attack, attackers open a brief window of opportunity to steal this token and use it before you can stop them.Security Threat Report 2013 15
  20. 20. Android: Today’s biggest targetPUAs: Not quite malware, but still risky Mitigating the risks while they’re still manageableIt’s worth mentioning the widespread presence of potentiallyunwanted applications (PUA). PUAs are Android apps that In most business environments, the risks from Androidmay not strictly qualify as malware, but may nevertheless are modest at this point. But those risks are growing. Evenintroduce security or other risks. as Google makes improvements that secure the platformFirst, many users have installed apps that link to aggressive against more obvious threats, new threats emerge. Foradvertising networks, can track their devices and locations, example, some security experts have recently expressedand may even capture contact data. These apps earn concern about risks from new near field communicationstheir profits simply by serving pornographic advertising. (NFC) features intended to allow advanced Android devicesMany companies may wish to eliminate them due to the to function like credit cards.information they expose, or because they may have a duty Even today, Android malware can place a company’sof care to protect employees from inappropriate content future at risk by exposing strategic information or stealingand a potentially hostile work environment. passwords. With this in mind, IT organizations should secureSecond, some sophisticated Android users have chosen their Android devices against malware, data loss, and otherto install Andr/DrSheep-A on their own devices. Similar to threats. We recommend the following steps to bring downthe well-known desktop tool Firesheep, Andr/DrSheep-A the level of risk. Remember, none of these tips are foolproofcan sniff wireless traffic and intercept unencrypted cookies or sufficient in isolation. But in most environments, they willfrom sites like Facebook and Twitter. The legitimate use for go a long way.this tool is to test your own network. However, it is oftenused to impersonate nearby users without their knowledge. ÌÌ xtend your IT security and acceptable use policies to EWe currently find Andr/DrSheep-A on 2.6% of the Android Android devices, if you haven’t done so already.devices protected by Sophos Mobile Security. Corporate ITdepartments are unlikely to countenance the installation, ÌÌ efuse access to rooted Android devices. Rlet alone the use, of such tools. ÌÌ onsider full device encryption to protect against data CIf you “root” your device, it means you enable software to loss, and provide for remote wipe of lost or stolen devices.acquire full Android administrator privileges. The name If you choose to encrypt, make sure your solution can alsocomes from the administrator account, known as “root” encrypt optional SD cards that may contain sensitive data,on UNIX-like operating systems such as Android. Rooting even if those SD cards are formatted popular because it allows you greater control over yourdevice—notably to remove unwanted software add-ons ÌÌ here possible, establish automated processes for Wincluded by your service provider, and to replace them with updating Android devices to reflect security fixes. Keepalternatives of your own choosing. your Android devices up to date with the security patches provided by the manufacturer and by the vendors of anyRooting bypasses the built-in Android security model that additional software you’ve intalled.limits each app’s access to data from other apps. It’s easierfor malware to gain full privileges on rooted devices, and ÌÌ onsider restricting Android devices to apps from Google’s Cto avoid detection and removal. For the IT organization official Play Store. Malware has turned up in the Playsupporting BYOD network access, rooted Android devices Store, but much less frequently than in many of the otherincrease risk. unregulated, unofficial app markets, notably those in Eastern Europe and Asia.Security Threat Report 2013 16
  21. 21. ÌÌ hen you authorize app stores, limit users to apps with W a positive history and a strong rating. Naked Security Survey What is the most important consideration when you install anÌÌ void social engineering attacks, and help your colleagues A app on your Android device? avoid them. This means carefully checking the permissions that an app requests when it’s installed. For example, Reputation of if you can’t think of a specific credible reason why an developer 43.78% app wants to send SMS messages, don’t let it. And pause Popularity of 35 for a moment to consider whether you still want to install it. application 28.65%ÌÌ inally, consider using an anti-malware and mobile F Cost of app 13.24% device management solution on your Android devices. We Download recommend Sophos Mobile Control. But whatever solution location 14.32% you choose, get it from a company that has extensive experience with both antivirus and broader security Based on 370 respondents challenges. Why? First, because attack techniques are Source: Naked Security beginning to migrate to Android from other platforms. Your solution provider should already know how to handle these. Second, because attacks are emerging and mutating more rapidly. Your provider should have the 24/7 global infrastructure to identify threats, and the cloud-based infrastructure to respond immediately. Third, and most importantly, because today’s complex infrastructures require an integrated mobile security response that goes beyond antivirus alone to encompass multiple issues, ranging from networking to encryption.Security Threat Report 2013 17
  22. 22. Diverse platforms andtechnologies widenopportunities for attackOnce, almost everyone ran Windows.Attackers attacked Windows. Defenders defendedWindows. Those days are gone.In 2012 we saw plenty of Windows-specific holes and vulnerabilities. For instance,the Windows Sidebar and Gadgets in Windows Vista and Windows 7 were revealed to be soinsecure that Microsoft immediately eliminated them, and gave customers tools to disablethem.Windows Sidebar had hosted mini-programs (gadgets) such as news, stocks, and weatherreports. Together, these were Microsoft’s answer to Apple’s popular Dashboard andWidgets. However, security researchers Mickey Shkatov and Toby Kohlenberg announcedthat they could demonstrate multiple attack vectors against gadgets, show how to create 36malicious gadgets, and identify flaws in published gadgets. Already planning a newapproach to these miniature applications in Windows 8, Microsoft dropped Sidebar andGadgets like a rock.While most computer users still work with Windows, far more development now takes placeelsewhere—on the web and mobile platforms. This means companies and individual usersmust worry about security risks in new and untraditional environments such as Android.Security Threat Report 2013 18
  23. 23. Here is a sampling of security breaches in Ransomware returns for an2012, offering a taste of what we all must Naked Security Surveydeal with—and why our defenses must encore Which web browser do youbecome increasingly layered, proactive and recommend?comprehensive. Certain attacks seem cyclical. Even when defeated for years, they’re too easy andÌÌ n February 2012, a hacker identified I tempting for cybercriminals to abandon cross-site scripting (XSS) holes in 25 UK forever. For example, in 2012, Sophos saw a online stores that had been certified as resurgence in ransomware attacks that lock 37 safe by VeriSign, Visa, or MasterCard. users out of their computers, and demand Criminals can exploit XSS flaws to steal payment to restore access. authentication credentials or customer billing information, placing customers at Ransomware is far from new. Way back in risk of identity theft. The holes arose from 1989, primitive ransomware was distributed a common source: a poorly written script on floppy disks by postal mail. Users were promised advanced software to advise Internet Explorer 5.95% for filtering user searches. It’s another reminder to users that security isn’t just a them about HIV/AIDS, but instead found Chrome 28.9% matter of words and icons. Simply seeing their hard drives scrambled. Users were Firefox 23.09% https://, a padlock, or a VeriSign Trusted told to pay $189 to an address in Panama logo doesn’t mean you can get careless via bankers draft, cashier’s check, or Safari 3.25% 40 online. And it’s a huge reminder to web international money order. Opera 36.75% professionals to keep all their applications Today’s ransomware arrives via more modern No preference 2.06% and scripts up to date, including scripts techniques, such as social engineered made publicly available by other authors. Based on 370 respondents email and poisoned webpages. One sort Source: Naked Security of ransomware merely freezes your PCÌÌ housands of self-hosted WordPress sites T and asks for money. This leaves your were hosting the dangerous Blackhole underlying files intact. Although an infection 38 malware attack. In August 2012, Sophos is disruptive, it can usually be repaired. The discovered a major malware campaign other sort of ransomware scrambles your which attempts to infect computers files, so it is as catastrophic as losing your using the notorious Blackhole exploit laptop altogether or suffering a complete kit. Users receive “order verification” disk failure. emails containing links to legitimate WordPress blogs that have been poisoned As of this writing, the most widespread to download malware. Users of the hosted ransomware is of the first type. Reveton, service aren’t vulnerable: for example, also known as Citadel or the service provider, Automattic, looks Troj/Ransom, hides the Windows desktop, after the security of the locks you out of all programs, and displays servers for them. a full screen window with an FBI (or other national police) logo. You see an urgentÌÌ ackers have been demonstrating at least H claim that illegally downloaded copyrighted theoretical attacks against everything material has been found on your computer, from transit fare cards to the newest and that you must pay a fine (typically $200) near field communication (NFC) to restore access. 39 enabled smartphones.Security Threat Report 2013 19
  24. 24. Diverse platforms and technologies widen opportunities for attackThis attack can be defeated by rebooting In nearly every case, updated antivirusto an antivirus tool that contains its own software can prevent ransomware from Learn more aboutoperating system, bypassing Windows (for installing and running on your computer. ransomwareexample, Sophos Bootable Anti-Virus). But if you’ve left your computer unprotected Once this tool is running, users can scan and you get hit by encryption-basedtheir systems, remove the infection, and ransomware, it’s probably too late. Some Top 5 Myths of Saferestore their systems. 41 ransomware encryptions can be reversed Web Browsing (Sophos has free tools which may be ableUnfortunately, we’ve also seen growing to help), but only if the criminals have madenumbers of infections that fully encrypt Director of Technology cryptographic mistakes. There may be nousers’ hard drives using strong encryption, Strategy, James Lyne, cure, so prevention is always better.and securely forward the only key to the explains ransomwareattackers. In July 2012, we saw a variantthat threatened to contact police with a“special password” that would reveal child 42pornographic files on the victim’s computer.Security Threat Report 2013 20
  25. 25. OS X and the Mac:More users,emerging risksFeaturing research by SophosLabsMost malware developers have found it more profitableto attack Windows than to learn new skills needed totarget the smaller OS X user community. But Macs arefinding a new home in thousands of businesses andgovernment agencies, and malware authors are payingattention.Forrester Research analyst Frank Gillette recently reported that “almost half of enterprises(1,000 employees or more) are issuing Macs to at least some employees—and they plan a 4352% increase in the number of Macs they issue in 2012.” Even more Macs are arrivingunofficially through bring your own device arrangements, where they are often anexecutive’s device of choice for accessing web or cloud applications. Growing Macusage means many IT organizations must objectively assess, mitigate, and anticipateMac-related malware threats for the first time. And the risks are clearly increasing.Security Threat Report 2013 21
  26. 26. OS X and the Mac: More users, emerging risksFake antivirus and Flashback:Learning from Windows malware, gaining agilityIn 2011, we saw a sustained attack on Flashback first surfaced as a fake AdobeMac users by a malware family called Flash installer late in 2011. In April 2012,MacDefender. This malware, a fake antivirus, Flashback began to install itself as a drive-bywas the first significant Mac attack to be download, exploiting a Java vulnerability leftdistributed via search result pages that unpatched on OS X weeks after Microsoftattracted users to legitimate sites that had had provided a fix to Windows users. Applebeen poisoned with malware. ultimately patched OS X 10.7 and 10.6, but not previous versions. At the infection’sMacDefender is worth discussing today peak, Sophos’ free Mac antivirus productbecause it shows how Mac malware often identified Flashback-related malware onfollows in the footsteps of older Windows approximately 2.1% of the Macs it protected.attacks. One sensible way to anticipatethe future of Mac malware is to see what’s While both MacDefender and Flashbackhappening now to Windows users. For have been beaten back, they each showinstance, Mac admins might reasonably Mac malware authors becoming moreexpect new customized attacks relying on agile. We’ve seen the authors changing theserver-side polymorphism. delivery mechanisms of existing malware and pursuing new zero-day exploits.Borrowing from MacDefender while applyingimportant innovations of their own, thecreators of the notorious Flashback botnet(aka, OSX/Flshplyr) infected more than600,000 Macs in the spring of 2012.Mac OS X malware snapshotIn a typical week, SophosLabs detects 4,900 pieces of OS X malware on Mac computers.This chart shows a snapshot of Mac malware detected in the week of August 1-6, 2012. OSX/FkCodec-A 26% OSX/Flshplyer-D 3.2% OSX/FakeAV-DWN 13.28% OSX/FakeAV-A 2.8% OSX/FakeAVZp-C 13% OSX/DnsCha-E 2.7% OSX/FakeAVDI-A 8.6% OSX/RSplug-A 2.4% OSX/FakeAV-DPU 7.1% OSX/Flshplyr-E 2.4% OSX/FakeAVDI-B 6.2% OSX/FakeAV-FNV 2.3% OSX/SafExinj-B 4.1% OSX/Jahlav-C 2.1% OSX/FakeAV-FFN 3.3% Source: SophosLabsSecurity Threat Report 2013 22
  27. 27. Morcut/Crisis: More sophisticated and Learn more aboutpotentially more dangerous emerging OS X risks Fake antivirus software typically makes money forcybercriminals by convincing users to provide personal credit Free tool: Sophoscard information for software they don’t need. For most Anti-Virus for Macenterprises, the downside risks of fake antivirus have beenmodest. But malware such as OSX/Morcut-A (aka Crisis), Andrew Ludgate offirst discovered in late July 2012, presents greater risks. SophosLabs explains MacDesigned for spying, Morcut can remotely monitor malwarevirtually every way a user communicates: mousecoordinates, IM, Skype call data, location information,the Mac’s webcam and microphone, clipboard contents,keystrokes, running apps, web URLs, screenshots,calendar and address book contents, alerts, deviceinformation, and even file system metadata.Morcut appears as a Java Archive file (JAR) claiming to bedigitally signed by VeriSign. If installed by the user, Morcutdeploys kernel driver components to hide and run without 44administrator’s authentication; a backdoor componentwhich opens the Mac to other network users; command andcontrol to accept remote instructions and adapt its behavior;and, most importantly, code for stealing user data.If Morcut spreads, it will represent a serious threatto internal corporate security and compliance. Itscapabilities especially lend themselves to targeted attacksaimed at capturing information about specific known Macusers in pivotal organizational roles. In contrast to mostearlier Mac malware, it also reflects an extremely thoroughunderstanding of Mac programming techniques, capabilities,and potential weaknesses.Similar backdoor techniques are already appearingelsewhere. For instance, we recently saw them embeddedin a kit for the first time. The kit, OSX/NetWrdRC-A, is 45primitive, flawed, and easily halted. But it’s a harbinger ofmore sophisticated and dangerous attacks to come.Security Threat Report 2013 23
  28. 28. OS X and the Mac: More users, emerging risksWindows malware hiding quietly on Macs Recent OS X security improvements and their limitationsMuch of the malware found on Macs is Windows malware.Traditionally, many Mac users have been indifferent about Mac OS X, originally built on BSD UNIX, has a strong securitythis—they assume that it won’t damage their systems, and model. In 2009, with the release of OS X 10.6 Snow Leopard,may not consider the harm to Windows-using colleagues Apple added limited malware scanning through the Launchthey might place at risk. But IT administrators running Services Quarantine (LSQuarantine) system and XProtectcross-platform environments (or working with partners technology. In mid-2011, XProtect became a dynamic pushand customers who use Windows) are likely to see things update service with more power to detect and clean up filesdifferently. Moreover, the Windows partitions of dual-boot fingerprinted as malicious.Macs can indeed be infected, as can virtualized Windowssessions running under Parallels, VMware, VirtualBox, or In mid-2012, with OS X 10.8 Mountain Lion, Apple introducedeven the open source WINE program. Gatekeeper, which manages code execution permissions for code obtained through approved software. By default,Mac users who need occasional access to a Windows Gatekeeper pre-authorizes all software signed with anprogram sometimes decide to download it from third parties, official Apple developer key that has not been blocked dueand may illegally create a license key using a downloadable to previous abuse.generator. By doing so, they often encounter malwaresuch as Mal/KeyGen-M, a family of trojanized license key Gatekeeper is a significant and welcome improvement ingenerators that we’ve identified on approximately 7% of the Mac security, but it is only a partial solution. Software copiedMacs running Sophos Anti-Virus software. from USB, already on the computer, copied directly between computers, or transferred by non-standard file transferAnother common source of Windows malware on Macs systems such as BitTorrent will evade it. Individual userstoday is fake Windows Media movie or TV files. These files with administrator credentials can change Gatekeeper’scontain auto-forwarding web links promising the codec default settings to allow unsigned apps to install withoutneeded to view the video, but deliver zero-day malware 46 any alert.instead. Windows Media files generally won’t run on Macs,but Mac users often torrent these files to improve their Users or running processes can still strip the LSQuarantine“ratios” on private tracker sites, without realizing the contents flag from files. Unsigned programs can be authorized andare malicious. Windows users then attempt to play the launched simply by right-clicking on them in the Finder andvideos and become infected. selecting Open, instead of just double-clicking on the icon. Versions of OS X older than 10.8 don’t include Gatekeeper. Finally, the runtime interpreters for Java, Flash, and OS X shell scripts are all pre-authorized by Apple. These interpreters are free to run whatever code they wish. Java and Flash have been major attack vectors on the Mac platform. This may gradually become less of a problem—the Mac version of Java was recently hardened, and Adobe Flash is gradually being replaced by HTML5.Security Threat Report 2013 24