2013 Security Threat Report
Upcoming SlideShare
Loading in...5

2013 Security Threat Report



The 2013 Security Threat Report recaps what happened in data security in 2012, and what trends are ahead in 2013. For more information, visit: http://bit.ly/VcLfLa

The 2013 Security Threat Report recaps what happened in data security in 2012, and what trends are ahead in 2013. For more information, visit: http://bit.ly/VcLfLa



Total Views
Slideshare-icon Views on SlideShare
Embed Views



1 Embed 2

http://getvoip.com 2



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    2013 Security Threat Report 2013 Security Threat Report Document Transcript

    • Security ThreatReport 2013 New Platforms and Changing Threats
    • Table of contents GraphicsForeword. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Survey: Email education . . . . . . . . 32012 in review: Blackhole. . . . . . . . . . . . . . . . . 7New platforms and changing threats . . . . . . . . . . . . . . . . . . . . . . . 2 Countries hosting Blackhole . . . . . . 9 Widening attacks related to Facebook and other Survey: Smartphone spam. . . . . . 15 social media platforms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Survey: Android app consideration. 17 Emerging risks to cloud services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Survey: Web browser. . . . . . . . . 19 Mac OS X malware snapshot. . . . . 22Blackhole: Today’s malware market leader. . . . . . . . . . . . . . . . . . 6 Top 12 spam producing countries. . 27 Four stages of the Blackhole life cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Spam sources by continent. . . . . . 27 What we’re doing about Blackhole, and what you can do. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Threat exposure rate . . . . . . . . . 29Java attacks reach critical mass . . . . . . . . . . . . . . . . . . . . . . . . . . 10 So, what can you learn from data loss—beyond that you don’t want it to happen to you?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 VideosAndroid: Social engineering explained. . . . . . 3Today’s biggest target. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Cloud storage and BYOD . . . . . . . . 4 Unsophisticated, but profitable: Introducing SophosLabs. . . . . . . . .8 Fake software, unauthorized SMS messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Blackhole. . . . . . . . . . . . . . . . . 8 Joining the botnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Android malware. . . . . . . . . . . . 14 Capturing your messages and your bank account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Ransomware. . . . . . . . . . . . . . 20 PUAs: Not quite malware, but still risky. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Mac malware . . . . . . . . . . . . . . 23 Mitigating the risks while they’re still manageable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Long tail . . . . . . . . . . . . . . . . . 30Diverse platforms and technologieswiden opportunities for attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Ransomware returns for an encore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Security Threat Report 2013
    • OS X and the Mac: More users, emerging risks . . . . . . . . . . . . . 21 Fake antivirus and Flashback: Learning from Windows malware, gaining agility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 . . Morcut/Crisis: More sophisticated and potentially more dangerous. . . . . . . . . . . . . . . . . 23 Windows malware hiding quietly on Macs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Recent OS X security improvements and their limitations. . . . . . . . . . . . . . . . . . . . . . . . . . 24 Implementing a comprehensive Mac anti-malware solution. . . . . . . . . . . . . . . . . . . . . . . . 25Authorities make high-profile malwarearrests and takedowns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Growth of dangerous targeted attacks. . . . . . . . . . . . . . . . . . . . . 28Polymorphic and targeted attacks: The long tail . . . . . . . . . . . . 30 Polymorphism: Not new, but more troublesome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Countering server-side polymorphism. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Targeted attacks: narrow, focused and dangerous . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Defense-in-depth against SSP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Complete security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Explore your two paths to complete security with Sophos . . . . . . . . . . . . . . . . . . . . . . . . . 34What to expect in 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35The last word. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Adware Adware is software that displays advertisements on your computerSecurity Threat Report 2013
    • Security Threat Report 2013
    • Foreword Reflecting on a very busy year for cyber security, I would like to highlight some key observations for 2012. No doubt, the increasing mobility of data in corporate environments is one of the biggest challenges we faced in the past year. Users are fully embracing the power to access data from anywhere. The rapid adoption of bring your own device (BYOD) and cloud are really accelerating this trend, and providing new vectors of attack. Another trend we are seeing is the changing nature of the endpoint device, transforming organizations from a traditional homogeneous world of Windows systems to an environment of diverse platforms. Modern malware is effective at attacking new platforms and we are seeing rapid growth of malware targeting mobile devices. While malware for Android was just a lab example a few years ago, it has become a serious and growing threat. BYOD is a rapidly evolving trend, and many of our customers and users actively embrace this trend. Employees are looking to use their smartphone, tablet, or next generation notebook to connect to corporate networks. That means IT departments are being asked to secure sensitive data on devices they have very little control over. BYOD can be a win-win for users and employers, but the security challenges are real while boundaries between business and private use are blurring. It raises questions on who owns, manages and secures devices and the data on them. Finally, the web remains the dominant source of distribution for malware—in particular, malware using social engineering or targeting the browser and associated applications with exploits. For example, malware kits like Blackhole are a potent cocktail of a dozen or more exploits that target the tiniest security holes and take advantage of missing patches. Cybercriminals tend to focus where the weak spots are and use a technique until it becomes less effective, and then move on to the next frontier. Security is at the heart of this revolution of BYOD and cloud. Protecting data in a world where systems are changing rapidly, and information flows freely, requires a coordinated ecosystem of security technologies at the endpoint, gateway, mobile devices and in the cloud. IT security is evolving from a device-centric to a user-centric view, and the security requirements are many. A modern security strategy must focus on all the key components—enforcement of use policies, data encryption, secure access to corporate networks, productivity and content filtering, vulnerability and patch management, and of course threat and malware protection. Best wishes, Gerhard Eschelbeck CTO, SophosSecurity Threat Report 2013 1
    • 2012 in review:New platforms andchanging threatsIn 2012, we saw attackers extend their reach to moreplatforms, from social networks and cloud services toAndroid mobile devices. We saw them respond to newsecurity research findings more rapidly, and leveragezero-day exploits more effectively.In the past year the most sophisticated malware authors upped the stakes with newbusiness models and software paradigms to build more dangerous and sustained attacks.For instance, the creators of Blackhole, an underground malware toolkit delivered throughSoftware-as-a-Service rental arrangements (aka crime packs), announced a new version.They acknowledged the success of antivirus companies in thwarting their activities, andpromised to raise their game in 2012.Private cybercriminals were apparently joined by state-based actors and allies capable ofdelivering advanced attacks against strategic targets. We saw reports of malware attacksagainst energy sector infrastructure throughout the Middle East, major distributeddenial-of-service attacks against global banks, and targeted spearphishing attacks againstkey facilities.More conventionally, attackers continued to target thousands of badly-configured websitesand databases to expose passwords and deliver malware—yet again demonstrating the needfor increased vigilance in applying security updates and reducing attack surfaces. Meanwhile,a new generation of victims found themselves on the wrong end of payment demands fromcybercriminals, as social engineering attacks such as fake antivirus and ransomwarecontinued unabated.Security Threat Report 2013 2
    • In the wake of these growing risks, 2012 also Widening attacks related tosaw good news. This year, IT organizations Learn more aboutand other defenders increasingly recognized Facebook and other attacks related tothe importance of layered defenses. Many social media platforms social media platformsorganizations began to address the security challenges of smartphones, tablets, and Throughout 2012, hundreds of millions ofbring your own device (BYOD) programs. Four Data Threats in a users flocked to social networks—and soEnterprises moved to reduce their exposure Post-PC World did attackers. They built creative new socialto vulnerabilities in platforms such as Java engineering attacks based on key userand Flash; and to demand faster fixes from concerns such as widespread skepticismtheir platform and software suppliers. 2 Beth Jones of about Facebook’s new Timeline interface, SophosLabs explains socialNot least, law enforcement authorities or users’ natural worries about newly posted engineeringachieved significant victories against images of themselves. Attackers alsomalware networks—including the arrest moved beyond Facebook to attack maturingof a Russian cybercriminal charged with platforms such as Twitter, and fast-growinginfecting 4.5 million computers with the services such as the Pinterest social content Naked Security Surveygoal of compromising bank accounts; and sharing network. Should businesses foolthe sentencing in Armenia of the individual employees into opening In September 2012, Sophos reportedresponsible for the massive Bredolab botnet. inappropriate emails with the the widespread delivery of Twitter direct aim of education?Yet another good sign: Microsoft’s aggressive messages (DMs) from newly-compromisedlawsuit against a China-based Dynamic DNS accounts. Purportedly from online friends,service that enabled widespread cyber crime, 1 these DMs claim you have been capturedincluding operation of the Nitol botnet . The in a video that has just been posted onlawsuit’s filing and settlement demonstrated Facebook. If you click the link in the DM,those who facilitate cyber crime can be held you’re taken to a website telling you toas accountable as the criminals themselves. upgrade your “YouTube player” to viewIn 2013, as computing increasingly shifts to the video. If you go any further, you’ll bevirtualized cloud services and mobile infected with the Troj/Mdrop-EML 3platforms, attackers will follow, just as they backdoor Trojan.always have. This means IT organizations September also saw the first widespreadand users will need to ask tough new Yes  85.21% account takeovers on Pinterest. Thesequestions of their IT service providers and attacks spilled image spam onto other No  14.79%partners; become more systematic about social networks such as Twitter and Based on 933 respondents votingprotecting diverse devices and network Facebook. Victimized users who had linked Source: Naked Securityinfrastructure; and become more agile about their Pinterest accounts to these networksresponding to new threats. We’ll be there to found themselves blasting out tweetshelp—every minute of every day. and wall posts encouraging their friends to participate in disreputable work-at-home 4 schemes.Security Threat Report 2013 3
    • 2012 in review: New platforms and changing threatsWith 1 billion users, Facebook remains the Emerging risks to cloudnumber one social network—and hence, the Learn more abouttop target. In April, Sophos teamed with services cloud servicesFacebook and other security vendors to help improve Facebook’s resistance to malware. In 2012, the financial and managementFacebook now draws on our massive, up-to- advantages of cloud services attracted many Adopting Cloudthe-minute lists of malicious links and scam IT organizations. In addition to expanding Services With Persistentsites to reduce the risk that it will send its their reliance on hosted enterprise software Encryption 5users into danger. Of course, this is only one and more informal services such as thecomponent of the solution. Researchers at Dropbox storage site, companies have alsoSophos and elsewhere are working to find Fixing Your Dropbox begun investing more heavily in privatenew approaches to protecting users against Problem clouds built with virtualization technology.social network attacks. This move raises more questions about whatFor example, Dark Reading reported that cloud users can and should do to keep the CTO Gerhardcomputer scientists at the University organization secure and compliant. Eschelbeck explains cloudof California, Riverside have created an Cloud security drew attention in 2012 with storage and BYODexperimental Facebook app that is claimed Dropbox’s admission that usernames andto accurately identify 97% of social malware passwords stolen from other websites had 6and scams in users’ news feeds. Innovations been used to sign into a small number ofsuch as social authentication—in which its accounts. A Dropbox employee had usedFacebook shows you photos of your friends, the same password for all his accounts,and asks you to identify them, something including his work account with access tothat many hackers presumably can’t sensitive data. When that password was 7do—may also prove helpful. stolen elsewhere, the attacker discovered that it could be used against Dropbox. This was a powerful reminder that users should rely on different passwords for each secure site and service. Dropbox is no stranger to cloud authentication problems, having accidentally removed all password protection from all its users’ files 8 in 2011 for nearly four hours. Also, VentureBeat reported that the company’s iOS app was storing user login credentials in unencrypted text files—where they would be visible to anyone who had physical access to the phone.Security Threat Report 2013 4
    • Dropbox has since improved security ÌÌ Can you prevent snapshotting of virtualby introducing optional two-factor servers that capture current operating 9authentication, but its problems raise memory images—including all workingbroader issues. In May 2012, the Fraunhofer encryption keys? Some experts, such asInstitute for Secure Information Technology Mel Beckman or System iNEWS, believereported on vulnerabilities associated with this rules the public cloud off-limits inregistration, login, encryption, and shared environments where legal compliance 10data access on seven cloud storage sites. requires physical control of hardware, 13 e.g., HIPAA.It’s worth noting that Dropbox and someother sites already encrypt data in storage It’s a cloudy world, but when and if youand transit, but this only protects data that decide to use cloud services, the followinghas not been accessed using a legitimate three steps can help you protect your data:user ID and password. Data stored on public 1. Apply web-based policies using URLcloud systems is subject to the surveillance filtering, controlling access to public cloudand interception laws of any of the jurisdictions storage websites and preventing usersin which those cloud systems have servers. from browsing to sites you’ve declaredDropbox’s difficulties have called greater off-limits.attention to cloud security in general. With 2. Use application controls to block or allowpublic cloud services and infrastructure particular applications, either for thebeyond the control of the IT organization, entire company or for specific groups.how should companies approach securityand compliance? Two-factor (or multi-factor) 3. Automatically encrypt files before theyauthentication is a must. But is it enough? are uploaded to the cloud from anyConsider issues such as these: managed endpoint. An encryption solution allows users to choose their preferredÌÌ How will you manage “information cloud storage services, because the files leakage”? Specifically, how do you know if are always encrypted and the keys are malicious insiders are forwarding sensitive always your own. And because encryption information to themselves, where it will takes place on the client before any data 11 remain available even if they’re fired? is synchronized, you have full control of the safety of your data. You won’t have toÌÌ How are you vetting suppliers and worry if the security of your cloud the administrators who operate their storage provider is breached. Central keys systems? Are you applying the same give authorized users or groups access strict standards and contractual to files and keep these files encrypted for requirements you demand from other everyone else. Should your web key go business-critical partners who see missing for some reason—maybe the user 12 confidential or strategic data? simply forgot the password—the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.Security Threat Report 2013 5
    • Blackhole: Today’smalware market leaderFeaturing research by SophosLabsA close inspection of Blackhole reveals just howsophisticated malware authors have become. Blackholeis now the world’s most popular and notorious malwareexploit kit. It combines remarkable technical dexteritywith a business model that could have come straightfrom a Harvard Business School MBA case study.And, barring a takedown by law enforcement, securityvendors and IT organizations are likely to be battling itfor years to come.An exploit kit is a pre-packaged software tool that can be used on a malicious web server tosneak malware onto your computers without you realizing it. By identifying and making useof vulnerabilities (bugs or security holes) in software running on your computer, an exploit kitcan automatically pull off what’s called a drive-by install. This is where the content ofa web page tricks software—such as your browser, PDF reader or other online contentviewer—into downloading and running malware silently, without producing any of the warningsor dialogs you would usually expect. Like other exploit kits, Blackhole can be used to delivera wide variety of payloads. Its authors profit by delivering payloads for others, and they havedelivered everything from fake antivirus and ransomware to Zeus and the infamous TDSSand ZeroAccess rootkits. Blackhole can attack Windows, OS X, and Linux. It is an equal-opportunity victimizer.Security Threat Report 2013 6
    • Between October 2011 and March 2012, Four stages of the Blackholenearly 30% of the threats detected by Blackhole representsSophosLabs either came from Blackhole life cycle 27% of exploit sitesdirectly, or were redirects to Blackhole and redirectskits from compromised legitimate sites. 1.  ending users to a Blackhole SBlackhole is distinguished not only by its In 2012 more than 80% of exploit sitesuccess, but by its Software-as-a-Service the threats we saw wererental model, similar to much of today’s The attackers hack into legitimate redirects, mostly from websites and add malicious content legitimate sites that havecloud-based software. Weekly rental rates (usually snippets of JavaScript) that been hacked. A powerfulare specified (in Russian) right in the kit’s generate links to the pages on their warning to keep your siteaccompanying read me file, along with secure and your serversurcharges for additional domain services. Blackhole site. When unsuspecting users scripts and applications upLike legitimate vendors of rental software, visit the legitimate site, their browsers to date.Blackhole’s authors offer updates free for also automatically pull down the exploit 14the life of the subscription. kit code from the Blackhole server.Customers who want to run their own Blackhole host sites change quickly.Blackhole servers can purchase longer Freshly registered domains are normallylicences. But the version of the Blackhole kit used to host Blackhole, typically acquiredthat these customers receive is extensively through the abuse of dynamic DNSobfuscated. This is one of several steps services such as ddns., 1dumb.com,that Blackhole’s authors have taken to keep and dlinkddns.com. These hosts oftencontrol over their product. We haven’t yet disappear within one day. Blackhole’sseen Blackhole spin-offs from unrelated ability to consistently send traffic to theauthors, though Blackhole has been correct new hosts shows an impressive level of centralized control. Exploit site  0.7%aggressively updated, and other authors (Blackhole)are borrowing its techniques. Blackhole has multiple strategies to Drive-by redirect  26.7% control user traffic. We’ve recently seen (Blackhole) its owners abuse affiliate schemes. Web hosts voluntarily add Blackhole Exploit site  1.8% code in exchange for a small payment, (not Blackhole) perhaps without realizing what the code Payload  7.5% will do. We’ve also seen Blackhole use Drive-by redirect  58.5% old-fashioned spammed email links and (not Blackhole) attachments. For example, links that indicate problems with a bank account, SEO  1.1% or claim to provide a scanned document. Fake antivirus  0.4% 2.  oading infected code from the L Other  3.4% landing page Source: SophosLabs Once your browser sucks in the exploit kit content from the Blackhole server, the attack begins. The exploit code, usually JavaScript, first works out and records how your browser arrived atSecurity Threat Report 2013 7
    • Blackhole: Today’s malware market leader the Blackhole server. This identifies the 4.Tracking, learning and improving affiliates who generate the traffic in the Learn more about Blackhole keeps a record of which first place, so they can be paid just like exploits worked with what combination Blackhole affiliates in the legitimate economy. Then of browser, operating system and the exploit code fingerprints, or profiles, plugins. This way, Blackhole’s authors Malware B-Z: Inside the your browser to identify what operating can measure which exploits are most Threat From Blackhole to system you are using, which browser effective against each combination of ZeroAccess version you have, and whether you have browser, plugin, and underlying operating plugins installed for Flash, PDF files, Java system. This tracking technique isn’t applets and more. uncommon, but Blackhole’s authors Mark Harris introduces While we’ve seen attacks based on many have been diligent in updating their kit SophosLabs types of vulnerabilities, security holes in to reflect what they discover. Java appear to be the leading cause of Blackhole is equally good attaking Blackhole infections. Here, again, Blackhole Fraser Howard of advantage of new zero-day vulnerabilities. uses legitimate code wherever possible. SophosLabs explains For example, in August 2012 it targeted For example, it loads its exploit code Blackhole a highly-publicized vulnerability in through the Java Open Business Engine, Microsoft Help and Support Center to which has been used to support a wide deliver poisoned VBS scripts. Blackhole variety of workflow applications and launched a new attack based on systems, including the U.S. president’s 15 a dangerous new Java 7 vulnerability daily Terrorist Threat Matrix report. (CVE-2012-4681) that allows infected3. Delivering the payload code to compromise Java’s permission 16 checking system. Remarkably, 12 Once a victim’s system has been cracked, hours after a proof-of-concept for this Blackhole can deliver the payload Java attack went public, it was already it’s been directed to send. Payloads are 17 included in Blackhole. Oracle, in turn, typically polymorphic—they vary with delivered an emergency patch by the each new system that’s been infected. end of August, but many systems Blackhole’s authors have been aggressive remain unpatched. about using advanced server-side polymorphism and code obfuscation. Given the level of sophistication and Since they maintain tight central control, agility shown by Blackhole’s authors, they can deploy updates with exceptional we have been surprised that they’ve speed. Compared with other exploit kits left some portions of their kit essentially that attackers purchase and host, we see stagnant. For example, URL paths, rapid shifts in Blackhole’s behavior and filenames, and query string structure. effectiveness. Blackhole payloads also SophosLabs expects this to change in typically use custom encryption tools the future, opening new opportunities designed to evade antivirus detection. for Blackhole’s authors to improve Those tools are added by Blackhole’s their attacks. customers, and Blackhole contributes with an optional service that actively checks antivirus functionality on each system it attempts to attack.Security Threat Report 2013 8
    • What we’re doing about Blackhole, and what you can doAt SophosLabs, we track Blackhole 24/7, 3. lock compromised legitimate websites Bmaking sure that our generic detection and exploit sites through a combinationand reputation filtering keep up with this of reputation filtering and contentchanging exploit kit. Whenever Blackhole detection technologies, and use contentlearns how to counter them, we rapidly detection to block payloads. Note thatroll out updates as needed via the cloud. reputation filtering can often block exploitWe also apply cutting-edge techniques sites before content detection occurs, butfor identifying and analyzing server-side it is not foolproof by itself.polymorphic attacks such as Blackhole. 4. eter or reduce social engineering DOn your end, the best defense against attacks that originate with spam withBlackhole is a defense in depth. up-to-date spam filters and more active user education.1. uickly patching operating systems and Q applications is always important, and it’s 5. f your endpoint security product has I best to automate your patching process. HIPS (host intrusion prevention system) features, use them for added protection2. o reduce the attack surface, disable T against new or modified exploits. vulnerable systems such as Java and Flash wherever you don’t need them.Where are Blackhole exploit sites being hosted? Countries hosting Blackhole exploit sites (2012) B  razil 1.49% Italy  5.75% G  reat Britain 2.24% Chile  10.77% N  etherlands 2.55% Russia  17.88% G  ermany 3.68% United States  30.81% C  hina 5.22% Other  13.88% T  urkey 5.74% Source: SophosLabsSecurity Threat Report 2013 9
    • Java attacks reachcritical massThis was a rough year for Java in the browser. Majornew vulnerabilities repeatedly battered Java browserplugins, encouraging many organizations to get rid ofJava in the browser if possible.In April, more than 600,000 Mac users found themselves recruited into the globalFlashback, or Flashplayer botnet, courtesy of a Java vulnerability left unpatched on OS Xfor far too long. After Apple issued a removal tool and a Java patch, Oracle assumed directresponsibility for publishing Java for OS X in the future, and promised to deliver Javapatches for OS X and Windows and to release OS X Java patches at the same time as 18those for Windows.Oracle’s Java developers were soon called upon to deliver prompt patches. Within days ofthe discovery of a new zero-day vulnerability affecting Java 7 on all platforms and operatingsystems, the flaw was already being exploited in targeted attacks, was integrated into 19the widely used Blackhole exploit kit, and had even shown up in a bogus Microsoft 20Services Agreement phishing email. According to one detailed analysis, this exploitenabled untrusted code to access classes that should be off-limits, and even disabled the 21Java security manager.As Oracle had promised, it released an out-of-band fix more rapidly than some observershad expected. But, within weeks, more major Java flaws surfaced. Security Explorations,the same researchers who discovered the first flaw, found another way to bypass Java’s 22secure application sandbox—this time, not just on Java 7, but also on Java 5 and 6, andin all leading browsers. The new exploit put 1 billion devices at risk.Security Threat Report 2013 10
    • Many users today have little or no need for Major organizations still leave users’browser-based Java programs, known asapplets. JavaScript and other technologies passwords vulnerablehave largely taken over from applets insidethe browser. Unless you genuinely need, Password vulnerabilities ought to be a rarity. Well-knownand know you need, Java in your browser, and easily-followed techniques exist for generating,Sophos recommends that you turn it off. using and storing passwords that should keep bothOur website offers detailed instructions for individuals and organizations safe. Yet in 2012 we sawdoing so within Internet Explorer, Firefox, one massive password breach after another, at a slew of 23Google Chrome, Safari, and Opera. high profile organizations.If you do rely on websites that require Java, ÌÌ ussian cybercriminals posted nearly 6.5 million LinkedIn Rconsider installing a second browser and passwords on the Internet. Teams of hackers rapidly wentturning Java on in that browser only. Use to work attacking those passwords, and cracked moreit for your Java-based websites only, and than 60% within days. That task was made simpler by thestick to your Java-disabled main browser fact that LinkedIn hadn’t “salted” its password databasefor everything else. 24 with random data before encrypting it.Java isn’t the only plugin platform that’scaused security headaches. In previous ÌÌ ating website eHarmony quickly reported that some 1.5 Dyears, Adobe’s Flash has also been million of its own passwords were uploaded to the web 25victimized by high-profile exploits. Fortunately, following the same attack that hit LinkedIn.the need for browser plugins such as Flash isdiminishing. HTML5-enabled browsers have ÌÌ ormspring discovered that the passwords of 420,000 of Fcapabilities such as playing audio and video its users had been compromised and posted online, andbuilt in, making customary plugins obsolete. instructed all 28 million of the site’s members to change 26 their passwords as a precaution. ÌÌ ahoo Voices admitted that nearly 500,000 of its own Y 27 emails and passwords had been stolen. ÌÌ ultinational technology firm Philips was attacked by M the r00tbeer gang. The gang walked away with thousands of names, telephone numbers, addresses 28 and unencrypted passwords. ÌÌ EEE, the world’s largest professional association for I the advancement of technology, left a log file of nearly 400 million web requests in a world-readable directory. Those requests included the usernames and plain text 29 passwords of nearly 100,000 unique users.Security Threat Report 2013 11
    • Java attacks reach critical mass So, what can you learn from data loss—beyond thatLearn more aboutmodern threats you don’t want it to happen to you? If you’re a user: Train your employees tosteer clear of trouble with ÌÌ Use stronger passwords—and use a different one for each site that storesour free toolkit. information you care about. ÌÌ Use password management software, such as 1Password, KeePass, or Five Tips to Reduce LastPass. Some of these tools will even generate hard-to-crackRisk From Modern Web passwords for you. 30Threats If you’re responsible for password databases: ÌÌ on’t ever store passwords in clear text. D ÌÌ  Always apply a randomly-generated salt to each password before hashing and encrypting it for storage. ÌÌ  Don’t just hash your salted password once and store it. Hash multiple times to increase the complexity of testing each password during an attack. It’s best to use a recognized password crunching algorithm such as bcrypt, scrypt or PBKDF2. ÌÌ  Compare your site’s potential vulnerabilities to the OWASP Top Ten security risks, especially potential password vulnerabilities associated with 31 broken authentication and session management. ÌÌ inally, protect your password database, network and servers with F layered defenses.Security Threat Report 2013 12
    • Android:Today’s biggest targetFeaturing research by SophosLabsOver 100 million Android phones shipped in the secondquarter of 2012 alone. In the U.S., a September 2012 32survey of smartphone users gave Android a whopping52.2% market share. Targets this large are difficult for 33malware authors to resist. And they aren’t resisting—attacks against Android are increasing rapidly. In thesepages, we’ll share some examples, and offer someperspective. We’ll ask: How serious are these attacks?Are they likely to widen or worsen? And what reasonablesteps should IT organizations and individuals take toprotect themselves?Security Threat Report 2013 13
    • Android: Today’s biggest targetUnsophisticated, but profitable: Learn more aboutFake software, unauthorized SMS messages mobile device managementToday, the most common business model Andr/Boxer presents messages in Russianfor Android malware attacks is to install and has disproportionately attacked Eastern fake apps that secretly send expensive European Android users who visit sites Free tool: Mobilemessages to premium rate SMS services. where they’ve been promised photos of Security for AndroidRecent examples have included phony attractive women.versions of Angry Birds Space, Instagram, 34 When they arrive at these sites, usersand fake Android antivirus products. In May Mobile Security Toolkit see a webpage that is carefully crafted2012, UK’s mobile phone industry regulator to entice them to download and install adiscovered that 1,391 UK Android users malicious app. For example, the userhad been stung by one of these scams. Mobile Device might be prompted (in Russian) to install aThe regulator fined the firm that operated Management Buyers Guide fake update for products such as Opera orthe payment system involved, halted Skype. Or, in some cases, a fake antivirusfund transfers, and demanded refunds for scan is run, reports false infections, and When Malware Goesthose who’d already paid. However, UK recommends the installation of a fake Mobileusers represented only about 10% of this antivirus program. Once installed, themalware’s apparent victims—it has been new app begins sending expensive SMSseen in at least 18 countries. messages. Many of these Trojans install Vanja Svajcer ofCurrently, one family of Android malware, with what Android calls the INSTALL_ SophosLabs explainsAndr/Boxer, accounts for the largest number PACKAGES permission. That means they Android malwareof Android malware samples we see, roughly can download and install additionalone third of the total. Linked to .ru domains malware in the future.hosted in the Ukraine, Android threats accelerate In Australia and the U.S., Sophos is now reporting Android threat exposure rates exceeding those of PCs. Android Threat Exposure Rate Android TER PC TER 60 50 40 30 20 10 Australia Brazil United Others Malaysia Germany India France United Iran States Kingdom Threat exposure rate (TER): Measured as the percentage of PCs and Android devices that experienced a malware attack, whether successful or failed, over a three month period. Source: SophosLabsSecurity Threat Report 2013 14
    • Joining the botnet Capturing your messages and Naked Security Survey your bank account Is smartphone SMS/TXTUntil recently, most fake software attacks spam a problem for you?we’ve seen on Android have been relativelyunsophisticated. For example, some use We have also begun to see Androidprimitive polymorphic methods that involve malware that eavesdrops on incoming SMSrandomizing images, thereby changing messages and forwards them to anotherchecksums to avoid detection. Leading SMS number or server. This sort of datasecurity companies learned how to defeat leakage represents a significant risk, boththis tactic many years ago. to individuals and to organizations.But the attackers are making headway. The potential exists for attacks like theseFor example, consider the malware-infected to target Internet banking services that sendeditions of Angry Birds Space we saw in mobile transaction authentication numbersApril 2012 (Andr/KongFu-L). Again, available via SMS. Many banks send authenticationonly through unofficial Android app markets, codes to your phone via SMS each time Yes  43.78%these Trojans play like the real game. But you do an online transaction. This means that just stealing a login password is no I t was, but Ithey also use a software trick known as the longer enough for criminals to raid your downloadedGingerBreak exploit to gain root access, an app and it isinstall malicious code, and communicate account. But malware on your phone, such sorted now 2.36%with a remote website to download and as the Zeus-based Andr/Zitmo (and similar versions targeting BlackBerry) are capable No—I rarely/never install additional malware. This allows of intercepting those SMS messages. received an SMSthese Trojans to avoid detection and text spam on myremoval, while recruiting the device into Consider the following hypothetical scenario. phone 45.29%a global botnet. Through a conventional phishing attack, a Based on 552 votes victim gives criminals sufficient information Source: Naked Security to allow them to sign in to your mobile banking account and also port your phone number (this has happened). They can now log in to your online bank account while also receiving an SMS containing the second-factor authentication token needed to complete a transaction. Through the use of a malicious Android app that harvests SMS messages in real time and in concert with a social engineering attack, attackers open a brief window of opportunity to steal this token and use it before you can stop them.Security Threat Report 2013 15
    • Android: Today’s biggest targetPUAs: Not quite malware, but still risky Mitigating the risks while they’re still manageableIt’s worth mentioning the widespread presence of potentiallyunwanted applications (PUA). PUAs are Android apps that In most business environments, the risks from Androidmay not strictly qualify as malware, but may nevertheless are modest at this point. But those risks are growing. Evenintroduce security or other risks. as Google makes improvements that secure the platformFirst, many users have installed apps that link to aggressive against more obvious threats, new threats emerge. Foradvertising networks, can track their devices and locations, example, some security experts have recently expressedand may even capture contact data. These apps earn concern about risks from new near field communicationstheir profits simply by serving pornographic advertising. (NFC) features intended to allow advanced Android devicesMany companies may wish to eliminate them due to the to function like credit cards.information they expose, or because they may have a duty Even today, Android malware can place a company’sof care to protect employees from inappropriate content future at risk by exposing strategic information or stealingand a potentially hostile work environment. passwords. With this in mind, IT organizations should secureSecond, some sophisticated Android users have chosen their Android devices against malware, data loss, and otherto install Andr/DrSheep-A on their own devices. Similar to threats. We recommend the following steps to bring downthe well-known desktop tool Firesheep, Andr/DrSheep-A the level of risk. Remember, none of these tips are foolproofcan sniff wireless traffic and intercept unencrypted cookies or sufficient in isolation. But in most environments, they willfrom sites like Facebook and Twitter. The legitimate use for go a long way.this tool is to test your own network. However, it is oftenused to impersonate nearby users without their knowledge. ÌÌ xtend your IT security and acceptable use policies to EWe currently find Andr/DrSheep-A on 2.6% of the Android Android devices, if you haven’t done so already.devices protected by Sophos Mobile Security. Corporate ITdepartments are unlikely to countenance the installation, ÌÌ efuse access to rooted Android devices. Rlet alone the use, of such tools. ÌÌ onsider full device encryption to protect against data CIf you “root” your device, it means you enable software to loss, and provide for remote wipe of lost or stolen devices.acquire full Android administrator privileges. The name If you choose to encrypt, make sure your solution can alsocomes from the administrator account, known as “root” encrypt optional SD cards that may contain sensitive data,on UNIX-like operating systems such as Android. Rooting even if those SD cards are formatted differently.is popular because it allows you greater control over yourdevice—notably to remove unwanted software add-ons ÌÌ here possible, establish automated processes for Wincluded by your service provider, and to replace them with updating Android devices to reflect security fixes. Keepalternatives of your own choosing. your Android devices up to date with the security patches provided by the manufacturer and by the vendors of anyRooting bypasses the built-in Android security model that additional software you’ve intalled.limits each app’s access to data from other apps. It’s easierfor malware to gain full privileges on rooted devices, and ÌÌ onsider restricting Android devices to apps from Google’s Cto avoid detection and removal. For the IT organization official Play Store. Malware has turned up in the Playsupporting BYOD network access, rooted Android devices Store, but much less frequently than in many of the otherincrease risk. unregulated, unofficial app markets, notably those in Eastern Europe and Asia.Security Threat Report 2013 16
    • ÌÌ hen you authorize app stores, limit users to apps with W a positive history and a strong rating. Naked Security Survey What is the most important consideration when you install anÌÌ void social engineering attacks, and help your colleagues A app on your Android device? avoid them. This means carefully checking the permissions that an app requests when it’s installed. For example, Reputation of  if you can’t think of a specific credible reason why an developer 43.78% app wants to send SMS messages, don’t let it. And pause Popularity of  35 for a moment to consider whether you still want to install it. application 28.65%ÌÌ inally, consider using an anti-malware and mobile F C  ost of app 13.24% device management solution on your Android devices. We Download  recommend Sophos Mobile Control. But whatever solution location 14.32% you choose, get it from a company that has extensive experience with both antivirus and broader security Based on 370 respondents challenges. Why? First, because attack techniques are Source: Naked Security beginning to migrate to Android from other platforms. Your solution provider should already know how to handle these. Second, because attacks are emerging and mutating more rapidly. Your provider should have the 24/7 global infrastructure to identify threats, and the cloud-based infrastructure to respond immediately. Third, and most importantly, because today’s complex infrastructures require an integrated mobile security response that goes beyond antivirus alone to encompass multiple issues, ranging from networking to encryption.Security Threat Report 2013 17
    • Diverse platforms andtechnologies widenopportunities for attackOnce, almost everyone ran Windows.Attackers attacked Windows. Defenders defendedWindows. Those days are gone.In 2012 we saw plenty of Windows-specific holes and vulnerabilities. For instance,the Windows Sidebar and Gadgets in Windows Vista and Windows 7 were revealed to be soinsecure that Microsoft immediately eliminated them, and gave customers tools to disablethem.Windows Sidebar had hosted mini-programs (gadgets) such as news, stocks, and weatherreports. Together, these were Microsoft’s answer to Apple’s popular Dashboard andWidgets. However, security researchers Mickey Shkatov and Toby Kohlenberg announcedthat they could demonstrate multiple attack vectors against gadgets, show how to create 36malicious gadgets, and identify flaws in published gadgets. Already planning a newapproach to these miniature applications in Windows 8, Microsoft dropped Sidebar andGadgets like a rock.While most computer users still work with Windows, far more development now takes placeelsewhere—on the web and mobile platforms. This means companies and individual usersmust worry about security risks in new and untraditional environments such as Android.Security Threat Report 2013 18
    • Here is a sampling of security breaches in Ransomware returns for an2012, offering a taste of what we all must Naked Security Surveydeal with—and why our defenses must encore Which web browser do youbecome increasingly layered, proactive and recommend?comprehensive. Certain attacks seem cyclical. Even when defeated for years, they’re too easy andÌÌ n February 2012, a hacker identified I tempting for cybercriminals to abandon cross-site scripting (XSS) holes in 25 UK forever. For example, in 2012, Sophos saw a online stores that had been certified as resurgence in ransomware attacks that lock 37 safe by VeriSign, Visa, or MasterCard. users out of their computers, and demand Criminals can exploit XSS flaws to steal payment to restore access. authentication credentials or customer billing information, placing customers at Ransomware is far from new. Way back in risk of identity theft. The holes arose from 1989, primitive ransomware was distributed a common source: a poorly written script on floppy disks by postal mail. Users were promised advanced software to advise Internet Explorer  5.95% for filtering user searches. It’s another reminder to users that security isn’t just a them about HIV/AIDS, but instead found Chrome  28.9% matter of words and icons. Simply seeing their hard drives scrambled. Users were Firefox  23.09% https://, a padlock, or a VeriSign Trusted told to pay $189 to an address in Panama logo doesn’t mean you can get careless via bankers draft, cashier’s check, or Safari  3.25% 40 online. And it’s a huge reminder to web international money order. Opera  36.75% professionals to keep all their applications Today’s ransomware arrives via more modern No preference  2.06% and scripts up to date, including scripts techniques, such as social engineered made publicly available by other authors. Based on 370 respondents email and poisoned webpages. One sort Source: Naked Security of ransomware merely freezes your PCÌÌ Thousands of self-hosted WordPress sites and asks for money. This leaves your were hosting the dangerous Blackhole underlying files intact. Although an infection 38 malware attack. In August 2012, Sophos is disruptive, it can usually be repaired. The discovered a major malware campaign other sort of ransomware scrambles your which attempts to infect computers files, so it is as catastrophic as losing your using the notorious Blackhole exploit laptop altogether or suffering a complete kit. Users receive “order verification” disk failure. emails containing links to legitimate WordPress blogs that have been poisoned As of this writing, the most widespread to download malware. Users of the hosted ransomware is of the first type. Reveton, WordPress.com service aren’t vulnerable: for example, also known as Citadel or the service provider, Automattic, looks Troj/Ransom, hides the Windows desktop, after the security of the WordPress.com locks you out of all programs, and displays servers for them. a full screen window with an FBI (or other national police) logo. You see an urgentÌÌ ackers have been demonstrating at least H claim that illegally downloaded copyrighted theoretical attacks against everything material has been found on your computer, from transit fare cards to the newest and that you must pay a fine (typically $200) near field communication (NFC) to restore access. 39 enabled smartphones.Security Threat Report 2013 19
    • Diverse platforms and technologies widen opportunities for attackThis attack can be defeated by rebooting In nearly every case, updated antivirusto an antivirus tool that contains its own software can prevent ransomware from Learn more aboutoperating system, bypassing Windows (for installing and running on your computer. ransomwareexample, Sophos Bootable Anti-Virus). But if you’ve left your computer unprotected Once this tool is running, users can scan and you get hit by encryption-basedtheir systems, remove the infection, and ransomware, it’s probably too late. Some Top 5 Myths of Saferestore their systems. 41 ransomware encryptions can be reversed Web Browsing (Sophos has free tools which may be ableUnfortunately, we’ve also seen growing to help), but only if the criminals have madenumbers of infections that fully encrypt Director of Technology cryptographic mistakes. There may be nousers’ hard drives using strong encryption, Strategy, James Lyne, cure, so prevention is always better.and securely forward the only key to the explains ransomwareattackers. In July 2012, we saw a variantthat threatened to contact police with a“special password” that would reveal child 42pornographic files on the victim’s computer.Security Threat Report 2013 20
    • OS X and the Mac:More users,emerging risksFeaturing research by SophosLabsMost malware developers have found it more profitableto attack Windows than to learn new skills needed totarget the smaller OS X user community. But Macs arefinding a new home in thousands of businesses andgovernment agencies, and malware authors are payingattention.Forrester Research analyst Frank Gillette recently reported that “almost half of enterprises(1,000 employees or more) are issuing Macs to at least some employees—and they plan a 4352% increase in the number of Macs they issue in 2012.” Even more Macs are arrivingunofficially through bring your own device arrangements, where they are often anexecutive’s device of choice for accessing web or cloud applications. Growing Macusage means many IT organizations must objectively assess, mitigate, and anticipateMac-related malware threats for the first time. And the risks are clearly increasing.Security Threat Report 2013 21
    • OS X and the Mac: More users, emerging risksFake antivirus and Flashback:Learning from Windows malware, gaining agilityIn 2011, we saw a sustained attack on Flashback first surfaced as a fake AdobeMac users by a malware family called Flash installer late in 2011. In April 2012,MacDefender. This malware, a fake antivirus, Flashback began to install itself as a drive-bywas the first significant Mac attack to be download, exploiting a Java vulnerability leftdistributed via search result pages that unpatched on OS X weeks after Microsoftattracted users to legitimate sites that had had provided a fix to Windows users. Applebeen poisoned with malware. ultimately patched OS X 10.7 and 10.6, but not previous versions. At the infection’sMacDefender is worth discussing today peak, Sophos’ free Mac antivirus productbecause it shows how Mac malware often identified Flashback-related malware onfollows in the footsteps of older Windows approximately 2.1% of the Macs it protected.attacks. One sensible way to anticipatethe future of Mac malware is to see what’s While both MacDefender and Flashbackhappening now to Windows users. For have been beaten back, they each showinstance, Mac admins might reasonably Mac malware authors becoming moreexpect new customized attacks relying on agile. We’ve seen the authors changing theserver-side polymorphism. delivery mechanisms of existing malware and pursuing new zero-day exploits.Borrowing from MacDefender while applyingimportant innovations of their own, thecreators of the notorious Flashback botnet(aka, OSX/Flshplyr) infected more than600,000 Macs in the spring of 2012.Mac OS X malware snapshotIn a typical week, SophosLabs detects 4,900 pieces of OS X malware on Mac computers.This chart shows a snapshot of Mac malware detected in the week of August 1-6, 2012.  OSX/FkCodec-A 26%  OSX/Flshplyer-D 3.2%  OSX/FakeAV-DWN 13.28%  OSX/FakeAV-A 2.8%  OSX/FakeAVZp-C 13%  OSX/DnsCha-E 2.7%  OSX/FakeAVDI-A 8.6%  OSX/RSplug-A 2.4%  OSX/FakeAV-DPU 7.1%  OSX/Flshplyr-E 2.4%  OSX/FakeAVDI-B 6.2%  OSX/FakeAV-FNV 2.3%  OSX/SafExinj-B 4.1%  OSX/Jahlav-C 2.1%  OSX/FakeAV-FFN 3.3% Source: SophosLabsSecurity Threat Report 2013 22
    • Morcut/Crisis: More sophisticated and Learn more aboutpotentially more dangerous emerging OS X risks Fake antivirus software typically makes money forcybercriminals by convincing users to provide personal credit Free tool: Sophoscard information for software they don’t need. For most Anti-Virus for Macenterprises, the downside risks of fake antivirus have beenmodest. But malware such as OSX/Morcut-A (aka Crisis), Andrew Ludgate offirst discovered in late July 2012, presents greater risks. SophosLabs explains MacDesigned for spying, Morcut can remotely monitor malwarevirtually every way a user communicates: mousecoordinates, IM, Skype call data, location information,the Mac’s webcam and microphone, clipboard contents,keystrokes, running apps, web URLs, screenshots,calendar and address book contents, alerts, deviceinformation, and even file system metadata.Morcut appears as a Java Archive file (JAR) claiming to bedigitally signed by VeriSign. If installed by the user, Morcutdeploys kernel driver components to hide and run without 44administrator’s authentication; a backdoor componentwhich opens the Mac to other network users; command andcontrol to accept remote instructions and adapt its behavior;and, most importantly, code for stealing user data.If Morcut spreads, it will represent a serious threatto internal corporate security and compliance. Itscapabilities especially lend themselves to targeted attacksaimed at capturing information about specific known Macusers in pivotal organizational roles. In contrast to mostearlier Mac malware, it also reflects an extremely thoroughunderstanding of Mac programming techniques, capabilities,and potential weaknesses.Similar backdoor techniques are already appearingelsewhere. For instance, we recently saw them embeddedin a kit for the first time. The kit, OSX/NetWrdRC-A, is 45primitive, flawed, and easily halted. But it’s a harbinger ofmore sophisticated and dangerous attacks to come.Security Threat Report 2013 23
    • OS X and the Mac: More users, emerging risksWindows malware hiding quietly on Macs Recent OS X security improvements and their limitationsMuch of the malware found on Macs is Windows malware.Traditionally, many Mac users have been indifferent about Mac OS X, originally built on BSD UNIX, has a strong securitythis—they assume that it won’t damage their systems, and model. In 2009, with the release of OS X 10.6 Snow Leopard,may not consider the harm to Windows-using colleagues Apple added limited malware scanning through the Launchthey might place at risk. But IT administrators running Services Quarantine (LSQuarantine) system and XProtectcross-platform environments (or working with partners technology. In mid-2011, XProtect became a dynamic pushand customers who use Windows) are likely to see things update service with more power to detect and clean up filesdifferently. Moreover, the Windows partitions of dual-boot fingerprinted as malicious.Macs can indeed be infected, as can virtualized Windowssessions running under Parallels, VMware, VirtualBox, or In mid-2012, with OS X 10.8 Mountain Lion, Apple introducedeven the open source WINE program. Gatekeeper, which manages code execution permissions for code obtained through approved software. By default,Mac users who need occasional access to a Windows Gatekeeper pre-authorizes all software signed with anprogram sometimes decide to download it from third parties, official Apple developer key that has not been blocked dueand may illegally create a license key using a downloadable to previous abuse.generator. By doing so, they often encounter malwaresuch as Mal/KeyGen-M, a family of trojanized license key Gatekeeper is a significant and welcome improvement ingenerators that we’ve identified on approximately 7% of the Mac security, but it is only a partial solution. Software copiedMacs running Sophos Anti-Virus software. from USB, already on the computer, copied directly between computers, or transferred by non-standard file transferAnother common source of Windows malware on Macs systems such as BitTorrent will evade it. Individual userstoday is fake Windows Media movie or TV files. These files with administrator credentials can change Gatekeeper’scontain auto-forwarding web links promising the codec default settings to allow unsigned apps to install withoutneeded to view the video, but deliver zero-day malware 46 any alert.instead. Windows Media files generally won’t run on Macs,but Mac users often torrent these files to improve their Users or running processes can still strip the LSQuarantine“ratios” on private tracker sites, without realizing the contents flag from files. Unsigned programs can be authorized andare malicious. Windows users then attempt to play the launched simply by right-clicking on them in the Finder andvideos and become infected. selecting Open, instead of just double-clicking on the icon. Versions of OS X older than 10.8 don’t include Gatekeeper. Finally, the runtime interpreters for Java, Flash, and OS X shell scripts are all pre-authorized by Apple. These interpreters are free to run whatever code they wish. Java and Flash have been major attack vectors on the Mac platform. This may gradually become less of a problem—the Mac version of Java was recently hardened, and Adobe Flash is gradually being replaced by HTML5.Security Threat Report 2013 24
    • Implementing a comprehensive Mac anti-malware solutionIf Gatekeeper, LSQuarantine and XProtect offer only a partial solution, what does a completeMac anti-malware solution look like? It will have these components:ÌÌ User education. Work with Mac users the Mac’s underpinning is based on BSD to help them understand that significant UNIX, its user interface is not. Therefore, threats to Macs do exist. More will arrive generic UNIX knowledge is very helpful, as Macs become increasingly popular in but not necessarily sufficient. business, and social engineering attacks ÌÌ trong IT processes and policies. S are as likely to victimize Mac users as Wherever possible, extend ITIL-type best Windows users. practice policies to Macs as well as PCs. Provide for rapid and automated patching ofÌÌ Layered protection. Constantly updated Macs as well as Windows devices. And, of Mac endpoint protection is now essential— course, patch Java, Flash, and applications but so is protection for servers, mail and as well as OS X itself. If possible, control web gateways, and network infrastructure. users’ ability to install new software. Make Note that server applications such as sure your internal developers digitally sign WordPress and Drupal have been their own OS X software. Finally, manage heavily exploited by malware capable of your logs. Macs log virtually everything in targeting Mac clients. Be aware that many real time, making it possible to identify new lightweight virus scanners, especially security threats and halt them via firewall those on integrated gateway and firewall policy changes or by isolating portions devices, do not scan for Mac malware of the network. and exploits, leaving them essentially unprotected at this layer. ÌÌ Realism. Since Macs are often used by senior executives and creative teamsÌÌ ac-specific expertise. Either hire M who need maximum control over their Mac specialists or train existing staff on computers, you may need to accept the platform’s unique characteristics. For that some Macs will be untrusted. But instance, heuristic firewall and router untrusted should not mean unprotected. policies may need to reflect differences You should still offer users whatever in Mac traffic associated with Safari web protection is practical. And organizations browser pre-caching or network discovery can’t forget legal requirements associated broadcasts generated by the Mac’s with security and breach notification. Bonjour services. Knowledgeable file These requirements may be especially system configuration choices can harden important to enforce where senior dual-boot Mac/Windows systems executives are involved. Many security against attack. experts argue that perimeters are Where Mac users rely on Mail.app or becoming less defensible, and conclude other UNIX-style back-end mail clients, that all systems should be treated as careful decisions about mail storage can untrusted, not just Macs. make it less likely that Windows users will inadvertently open infected .zip files. WhileSecurity Threat Report 2013 25
    • Authorities make Learn more about malwarehigh-profile malware Exposing the Money Behind the Malwarearrests and takedownsSecurity professionals will always have to rely onthemselves first and foremost to protect their ownsystems and assets. But in 2012, we received more helpfrom the authorities—and that was a welcome relief.In perhaps their highest-profile victory, U.S. federal authorities followed up their 2011 arrestsof the notorious LulzSec hackers by gaining extensive cooperation from one of the gang’s keyfigures, Hector Xavier Monsegur (“Sabu”). As Sabu, Monsegur had long railed against the U.S.government—but he reportedly worked for months under cover, helping build cases againstthose behind hacking attacks on the CIA, Pentagon, U.S. Senate, the UK’s Serious OrganisedCrime Agency (SOCA), and many other prominent organizations. Monsegur helped nab JakeDavis (aka “Topiary”) in the Shetland Islands, where Davis reputedly held 750,000 stolenpasswords in his possession. In August 2012, prosecutors requested a further six-month 47delay in Monsegur’s sentencing to accommodate his further cooperation.LulzSec may have been the most widely publicized case of the year, but it was far fromthe only one. 2012 began with the extradition of suspected Russian cybercriminal VladimirZdorovenin to the U.S. Zdorovenin was charged with installing keyloggers on U.S. victims’computers to capture credit card numbers, using those accounts to make apparentlylegitimate purchases of goods from their own online businesses, and tapping into their 48victims’ financial services accounts to manipulate stock prices. He pled guilty to conspiracy 49and wire fraud.Security Threat Report 2013 26
    • Then, in May, the mastermind of Bredolab—a botnet thatcaptured 30 million computers in its heyday—was sentenced Top 12 spam producing countriesto four years in jail in Armenia. According to prosecutors,Georg Avanesov was earning 100,000 Euros (£80,000 or 1. India 12.19% 7. Russia 3.34%$125,000) a month from his Bredolab botnet business, 2. United States 7.06% 8. France 3.04%renting access to criminals who wanted to mail spam andspread malware. At its peak, Avanesov’s botnet was spewing 3. Italy 6.95% 9. Pakistan 2.95%out more than 3 billion infected emails every day—while he 4. Korea 5.37% 10. Poland 2.77% 50was jetting off to the Seychelles for luxury vacations. 5. Brazil 4.17% 11. Indonesia 2.73%In June, the U.S. Federal Bureau of Investigation culminateda two-year international investigation into credit card fraud 6. Vietnam 4.16% 12. China 2.73%with 24 arrests of alleged cybercriminals from theU.S., UK, Bosnia, Bulgaria, Norway, Germany and beyond. Percent of all spamThese “carders” included several experts in creating remote Source: SophosLabsaccess Trojans and defrauding Apple product warranties.The FBI estimated that it prevented more than $205 million infraudulent transactions, identified 411,000 stolen cards, and Spam sources by continent 51notified 47 organizations that they had been compromised. Asia  48.66%Later the same month, Tokyo police arrested six men inconnection with an app that infected Android smartphones, Europe  27.07%stole personal data, and demanded a fee. According to the South America 10.89%police, 9,252 people had downloaded the malicious Android North America  9.68%app, and 211 of them were convinced to pay up—more than 52$250,000 in all. Africa  3.20%Then, early in July, the UK’s Police Central e-crime Unit (PCeU) Oceania  0.05%reported the tough sentences meted out to three citizens ofthe Baltic states, after their conviction for using the SpyEye Percent of all spam Source: SophosLabsTrojan to steal from online bank accounts throughout the 53UK, Denmark, The Netherlands and New Zealand.Later in July, Dutch police took down the secondary commandand control (C&C) computers used by the huge Grum botnet, 54just a week after its existence was publicized. Shortlythereafter, other authorities were able to disable the botnet’sprimary C&C computers in Panama and Russia, therebydismantling a botnet that was responsible for an estimated 5517% of the world’s spam.Security Threat Report 2013 27
    • Growth of dangeroustargeted attacksWhile law enforcement was becoming more effectiveagainst cybercriminals, 2012 also saw growing concernabout state-sponsored cyber attacks, as well as exploitslaunched in apparent cooperation with states to achievestrategic objectives. To the extent that these attacksproliferate and are confirmed, high-value governmentand private targets will face worrisome new risks.Lower value targets will also need to increase vigilancein order to avoid becoming collateral damage. This willmean, among other things, strengthening their ownnetwork security efforts—and integrating them withother security services to detect and repel attacksmore rapidly. 56In this category, the Flame attack got the most publicity in 2012, but its significanceand effectiveness were far from clear. More recently, the destructive Shamoon Trojan(Troj/Mdrop-ELD) apparently caused significant damage throughout the Middle East’s energy 57sector. According to the BBC and The Register, it infected some 30,000 computers, taking 58Saudi Arabia’s national oil company network offline. Soon thereafter, Qatar’s naturalgas firm RasGas was attacked, taking its network and website offline as well, and 59leaving its office systems unusable.Security Threat Report 2013 28
    • We saw hints of organized cyber attacksagainst the U.S. Late in September, U.S. Is your country safe or risky?Senator Joseph Lieberman pointed to Threat exposure rate by countrymassive recent DDoS attacks targeting 10 Safest CountriesBank of America, JPMorgan Chase, Wells TER TERFargo, Citigroup and PNC Bank, and allegingwithout public proof that these attacks 1. Norway 1.81% 6. U.S. 3.82%were “done by Iran… [as] a response toincreasingly strong economic sanctions 2. Sweden 2.59% 7. Slovenia 4.21%the U.S. and its allies have put on Iranian 3. Japan 2.63% 8. Canada 4.26%financial institutions. It is, if you will, a 60counter attack...” 4. UK 3.51% 9. Austria 4.27%According to Bloomberg, whatever their 5. Switzerland 3.81% 10. Netherlands 4.28%source, these new attacks “have breachedsome of the nation’s most advanced 10 Riskiest Countriescomputer defenses and exposed the 61vulnerability of its infrastructure.” TER TERBy their very nature, state-sponsored cyber 1. Indonesia 23.54% 6. India 15.88%attacks (and attacks by highly-sophisticated 2. China 21.26% 7. Mexico 15.66%private teams closely allied with states)are difficult to track and prove—and 3. Thailand 20.78% 8. UAE 13.67%equally susceptible to being overhyped. 4. Philippines 19.81% 9. Taiwan 12.66%Nevertheless, more actors appear to bedeveloping the capability to execute such 5. Malaysia 17.44% 10. Hong Kong 11.47%attacks. And, once they possess sucha capability, the temptation to use it will Threat exposure rate (TER): Measured as the percentage of PCs thatbe substantial. experienced a malware attack, whether successful or failed, over a three month period. Source: SophosLabs Welcome to the age of personalized malware 50% 75% 88% 50% of our detections 75% of unique pieces 88% of malware are based on only 19 of malware are seen in found in fewer than 10 malware identites. only one organization. organizations. Source: SophosLabsSecurity Threat Report 2013 29
    • Polymorphic and Learn more about long tailtargeted attacks: Richard Wang of SophosLabs explainsThe long tail the long tailFeaturing research by SophosLabsThe phrase “long tail” has become a popular way todescribe events that don’t fall within the conventionalstatistical distribution, but instead occur in ones or twosat the “tail end” of the distribution curve. That’s the casein retail, where personalized products represent agrowing percentage of sales—and it’s increasingly truein malware too.At Sophos, 75% of the malware files reported to us are only ever seen in one organization.This level of polymorphism is unprecedented. What’s more, attackers have begun todevelop and use far more sophisticated approaches to polymorphism to hide their attacksfrom security vendors and IT organizations. This battle has serious implications for IT, so it’simportant to understand what’s happening, how Sophos is responding, and what you can doto protect yourself.Security Threat Report 2013 30
    • Polymorphism: Not new, but more Countering server-side polymorphismtroublesome At Sophos, we’ve used the analogy of genetics to become far more sophisticated in detecting SSP and other attacks.Polymorphism is not a new idea—malware authors have Sophos behavioral genotype technology identifiesbeen using it for 20 years. Simply stated, polymorphic code new malware by recognizing and extracting “genes”changes its appearance in an attempt to avoid detection, (or components of behavior). Using a finely tuned scoringwithout changing its behavior or goals. If a program looks system reflecting all the malware we’ve ever collected,different enough, attackers hope, antivirus software might miss we can identify combinations of genes (genotypes) thatit. Or the antivirus software might be forced to generate too distinguish malware from legitimate code. We can comparemany false positives, leading users to disable it. this information with genes seen in known good files,In a polymorphic attack, code is typically encrypted to appear minimizing false positives.meaningless and paired with a decryptor that translates it This gene-based approach is flexible and extensible. We canback into a form that can be executed. Each time it’s decrypted, always add or modify genes reactively, or issue predictivea mutation engine changes its syntax, semantics, or both. genes to catch what the authors seem most likely to changeFor instance, Windows malware authors have often used next. We can also watch how they respond to detections bystructured exception handling to obfuscate control flow other security companies. Often, malware authors makeand make it tougher to perform static analysis of programs 62 changes which don’t immediately impact our detection.before they run. By proactively adjusting our genetic profile to reflectTraditional polymorphic viruses are self-contained and must these changes, we can make it less likely that furthercontain the mutation engine in order to replicate. Sophos and changes will render the attack invisible to us.other security companies have become adept at detecting For certain SSP malware, the back-and-forth betweenthese forms of malware. With access to the mutation engine, security vendors and malware authors has acceleratedit’s easier to analyze its behavior. dramatically. For example, sophisticated malware authorsToday attackers are rapidly moving to web-distributed are constantly attempting to determine which portions ofmalware relying on server-side polymorphism (SSP). Now, their code are being detected. We’ve seen attackers modifythe mutation engine and associated tools are hosted entirely and replace compromised code within hours. Of course,on the server. Criminals can use these tools to create diverse we’re also working non-stop to anticipate and respond.file content on the fly. Recipients of this content (whether it SSP was pioneered on Windows systems, and has primarilyis a Windows .exe, Adobe PDF, JavaScript, or anything else) been used on Windows executable files and JavaScriptsee only one example of what the engine can create. webpage content. In 2012, we saw it used for the first timeThey don’t get to see the engine itself. in Android malware, and we believe it will spread to OS XSecurity companies typically respond by obtaining many in the near future. The notorious Blackhole exploit kit reliesdifferent examples of the engine’s handiwork to gather heavily on SSP, though it also has many other tricksinformation about how the engine works. They then write up its sleeve.generic detection code.Security Threat Report 2013 31
    • Polymorphic and targeted attacks: The long tailTargeted attacks: narrow, focused Defense-in-depth against SSPand dangerous IT and security professionals need to be well-prepared to counter attacks based on SSP and narrowly targetedLike most SSP attacks, Blackhole aims to deliver its payload cybercrime attacks. First and foremost, you need layeredwidely and indiscriminately. But other forms of long tail defense-in-depth.attack are much more narrowly targeted. A malwareauthor may intend to attack only a few organizations, For example, the widespread ZeroAccess botnet andseeking crucial financial data or banking credentials, and rootkit can often be spotted by the way it connects to itscarefully preparing the attack with up-front research and peer-to-peer botnet. Detecting this communication at yourreconnaissance. They may launch an attack with a spoofed firewall would lead you back to the infected computer.email containing an infected document attachment crafted Security rules should combine static and dynamic analysisto tempt specific recipients. to identify a malicious program. For example, suspiciousFor example, a financial decision-maker might receive an content noticed when a file is first analyzed (such as unusualinfected spreadsheet promising quarterly sales data. If the encryption) can later be linked to suspicious activitytargeted person opens the infected document without it (such as making an unexpected network connection).being flagged and the malware is installed, it may sit IT professionals need to consider the risk of seeminglyquietly until a user logs onto the company’s online banking legitimate administration tools in targeted attacks. Thesesite. At this point, the malware may steal credentials tools won’t be detected as malicious, but are actually quitethrough keystroke logging or by intercepting the second powerful in an attacker’s hands. Effective countermeasuresauthentication factor in a two-factor authentication system. include limiting the sorts of non-business applications that aThe attacker then can use the login for a future attack. user can run, a feature usually called application control.Criminals often launch targeted attacks against small Finally, IT professionals need to aggressively counterand mid-sized businesses without a strong IT presence. an attacker’s best opportunities to find and exploitAnd, since these pieces of malware are typically distributed vulnerabilities by reducing network, software and user attackto only a small number of targets, they may not be known surfaces. Regular and automated patching has always beenby the organization’s security provider and could slip through good practice, but it’s become even more urgent in today’sundetected, even without the use of advanced polymorphic threat landscape.techniques. This demonstrates another advantage of Sophos’gene-based approach. Our endpoint protection client canusually recognize new malware from its behavior andcharacteristics, even if we haven’t seen it before.The attackers may focus on compromising a singlewebsite they know their target organization’s userswill visit. Targets sometimes include small supply chain 63partners perceived as likely to have weaker IT security.Beyond using advanced endpoint protection, if you area small or mid-sized business you can also reduce riskby setting aside a separate computer for online financialservices: one that won’t be used for general web browsing,email reading, or social networking.Security Threat Report 2013 32
    • Complete securityTo stop evolving threats, protect data everywhere,manage your users needs for mobility, and ease thepressures on your IT team, you need a completesecurity strategy—covering the full security lifecycle.Complete security can be divided into four primarystrategies:ÌÌ  educe the attack surface. Take an active approach that monitors more than malware, R including threats like vulnerabilities, applications, websites and spam.ÌÌ  rotect everywhere. Make sure users are protected wherever they are and whatever device P they’re using and combines endpoint (including mobile), gateway and cloud technologies to share data and work together to provide better protection without impacting users and performance.ÌÌ  top attacks and breaches. It’s time to move beyond simply relying on antivirus S signatures and look at layers of detection that stop threats at different stages of their execution. Make sure protection also looks at risky user behavior too—not just for malicious code.ÌÌ  eep people working. That includes your users and IT staff. Simplifying the tasks that take K too much time today—by providing complete visibility and granular control of your security system—you can quickly see when something is wrong and then fix it.Security Threat Report 2013 33
    • Complete securityExplore your two paths to complete security with SophosSophos UTM Sophos EndUser ProtectionIntegrates complete security software Protects you everywhere, from yourwithin a single appliance. Choose only the network to your servers, endpoints andprotection you need when you need it. And mobile devices. And, because it’s alldeploy it on the platform that best fits your from Sophos, it works better together.business: software, hardware or virtual It’s easier to use, saving you time andappliance. Each offers an identical feature money, and it’s backed by a vendorset no matter if you protect 10 or 5,000 you trust.users. And our web-based managementconsole enables easy, consolidatedmanagement of all your IT security. Endpoint Network Our endpoint protection will Keep your network keep data in and malware out, infrastructure safe with all within your antivirus budget. complete network security. Encryption Email We secure your confidential We encrypt your sensitive information and help you comply email, prevent data loss with regulations. and block spam. Mobile Web We help you easily protect, We make using the Internet secure and manage your mobile safer and more productive. devices and data. UTM You get one appliance that eliminates the complexity of multiple point solutions.Security Threat Report 2013 34
    • What to expect in 2013By James Lyne, Director of Technology StrategyAt Sophos we pride ourselves in rapidly identifying,managing and responding to threats.While cybercriminals are often opportunistic, we believethat in 2013 the ready availability of testing platforms—some with money back guarantees from theirsponsors—make it all the more likely malware willcontinue to slip through single-tier traditional securitysystems. As a result we believe we will see moreattacks where attackers hold long-term, high impactaccess to businesses. In response, a renewed focus onlayered security and detection across the entire threatlifecycle, not just the point of initial entry, is likely to be asignificant theme in the coming year. We also think thefollowing five trends will factor into the IT securitylandscape in 2013.Basic web server mistakesIn 2012 we saw an increase in SQL injection hacks of web servers and databases to steallarge volumes of user names and passwords. Targets have ranged from small to largeenterprises with motives both political and financial. With the uptick in these kinds ofcredential-based extractions, IT professionals will need to pay equal attention to protectingboth their computers as well as their web server environment.Security Threat Report 2013 35
    • What to expect in 2013More “irreversible” malware Learn more aboutIn 2012 we saw a surge in popularity and quality of ransomware malware, which encryptsyour data and holds it for ransom. The availability of public key cryptography and clever mobile security command and control mechanisms has made it exceptionally hard, if not impossible to reverse the damage. Over the coming year we expect to see more attacks which, for Mobile Device Security:IT professionals, will place a greater focus on behavioral protection mechanisms as well What’s Coming Nextas system hardening and backup/restore procedures.Attack toolkits with premium featuresOver the past 12 months we have observed significant investment by cybercriminalsin toolkits like the Blackhole exploit kit. They’ve built in features such as scriptableweb services, APIs, malware quality assurance platforms, anti-forensics, slick reportinginterfaces, and self protection mechanisms. In the coming year we will likely see a continuedevolution in the maturation of these kits replete with premium features that appear to makeaccess to high quality malicious code even simpler and comprehensive.Better exploit mitigationEven as the number of vulnerabilities appeared to increase in 2012—including every Javaplugin released for the past eight years—exploiting them became more difficult as operatingsystems modernized and hardened. The ready availability of DEP, ASLR, sandboxing, morerestricted mobile platforms and new trusted boot mechanisms (among others) madeexploitation more challenging. While we’re not expecting exploits to simply disappear, wecould see this decrease in vulnerability exploits offset by a sharp rise in social engineeringattacks across a wide array of platforms.Integration, privacy and security challengesIn the past year mobile devices and applications like social media became more integrated.New technologies—like near field communication (NFC) being integrated in to theseplatforms—and increasingly creative use of GPS to connect our digital and physical livesmeans that there are new opportunities for cybercriminals to compromise our security orprivacy. This trend is identifiable not just for mobile devices, but computing in general.In the coming year watch for new examples of attacks built on these technologies.Security Threat Report 2013 36
    • The last wordSecurity really is about more than Microsoft. The PCremains the biggest target for malicious code today, yetcriminals have created effective fake antivirus attacksfor the Mac. Malware creators are also targetingmobile devices as we experience a whole new set ofoperating systems with different security models andattack vectors. Our efforts must focus on protectingand empowering end users—no matter what platform,device, or operating system they choose.Security Threat Report 2013 37
    • Sources1.  icrosoft Settles Lawsuit Against 3322 dot org, Reveals Scale of Nitol Botnet M 17. Java Flaws Already Included in Blackhole Exploit Kit Oracle Was Informed  in China, http://nakedsecurity.sophos.com/2012/10/05/microsoft-settles- of Vulnerabilities in April, Naked Security, http://nakedsecurity.sophos. lawsuit-against-3322-dot-org/ com/2012/08/30/java-flaws-already-included-in-blackhole-exploit-kit-oracle-2.  eware Remove Your Facebook Timeline Scams, Naked Security, http:// B was-informed-of-vulnerabilities-in-april/ nakedsecurity.sophos.com/2012/05/29/beware-remove-your-facebook- 18.  racle Updates Java, Supports OS X, Claims Full and Timely Updates for O timeline-scams/; ‘Remove Facebook Timeline’ Themed Scam Circulating on Apple Users, Naked Security, http://nakedsecurity.sophos.com/2012/08/15/ Facebook, ZDNet, http://www.zdnet.com/blog/security/remove-facebook- oracle-updates-java-claims-full-and-timely-updates-for-apple-users/ timeline-themed-scam-circulating-on-facebook/9989 19.  npatched Java Exploit Spreads Like Wildfire, Naked Security, 8/28/12, http:// U3.  witter DMs From Your Friends Can Lead to Facebook Video Malware Attack, T nakedsecurity.sophos.com/2012/08/28/unpatched-java-exploit-spreads-like- Naked Security, http://nakedsecurity.sophos.com/2012/09/24/twitter- wildfire/ facebook-video-malware/ 20. Attacks on Java Security Hole Hidden in Bogus Microsoft Services Agreement 4.  MG This Is So Cool! Pinterest Hack Feeds Spam to Twitter and Facebook, O Email, Naked Security, http://nakedsecurity.sophos.com/2012/09/03/java- Naked Security, http://nakedsecurity.sophos.com/2012/09/12/omg-this-is-so- security-hole-microsoft/ cool-pinterest-hack-feeds-spam-to-twitter-and-facebook/ 21. CVE-2012-4681 Java 7 0-Day vulnerability analysis, Deep End Research, http:// 5.  acebook Teams Up With Sophos and Other Security Vendors, Naked Security, F www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html http://nakedsecurity.sophos.com/2012/04/25/facebook-teams-up-sophos- 22.  ew Security Hole Found in Multiple Java Versions, Naked Security, http:// N other-vendors/ nakedsecurity.sophos.com/2012/09/26/new-security-hole-multiple-java-6.  pplication Detects Social Network Spam, Malware, Dark Reading, A versions/ http://www.darkreading.com/security-monitoring/167901086/security/ 23. Visit: http://www.sophos.com/en-us/security-news-trends/security-trends/ vulnerabilities/240006232/application-detects-social-network-spam-malware. java-zero-day-exploit-disable-browser.aspx html 24. New Security Hole Found in Multiple Java Versions, Naked Security, http:// 7.  Continued Commitment to Security, The Facebook Blog, http://www. A nakedsecurity.sophos.com/2012/09/26/new-security-hole-multiple-java- facebook.com/blog/blog.php?post=486790652130 versions/8.  atest Black Eye For Dropbox Shines Spotlight On Larger Problem, Dark L 25. Philips Hacked as R00tbeer Gang Strikes Again, Naked Security, http://  Reading, http://www.darkreading.com/blog/240004868/latest-black-eye-for- nakedsecurity.sophos.com/2012/08/21/r00tbeer-returns-philips-hacked-poor- dropbox-shines-spotlight-on-larger-problem.html passwords/9.  nother Layer of Security for Your Dropbox Account, Dropbox Blog, 8/27/12, A 26. Security Spill at the IEEE, Naked Security, http://nakedsecurity.sophos.  https://blog.dropbox.com/index.php/another-layer-of-security-for-your- com/2012/09/26/ieee-squirms-after-sensational-security-spill/ dropbox-account 27.  he Worst Passwords You Could Ever Choose Exposed by Yahoo Voices Hack, T10 .  Fraunhofer Institute Finds Security Vulnerabilites in Cloud Storage Services, Naked Security, 7/13/12, http://nakedsecurity.sophos.com/2012/07/13/yahoo- The H Security, http://www.h-online.com/security/news/item/Fraunhofer- voices-poor-passwords/ Institute-finds-security-vulnerabilites-in-cloud-storage-services-1575935.html 28.  hilips Hacked as R00tbeer Gang Strikes Again, Naked Security, http:// P11.  Dropbox Security Warnings for Businesses, InformationWeek, http://www. 5 nakedsecurity.sophos.com/2012/08/21/r00tbeer-returns-philips-hacked-poor- informationweek.com/security/management/5-dropbox-security-warnings-for- passwords/ business/240005413?pgno=2 29.  ecurity Spill at the IEEE, Naked Security, http://nakedsecurity.sophos. S12.  you move forward with cloud computing, you may find it valuable to As com/2012/09/26/ieee-squirms-after-sensational-security-spill/ read Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, 30.  he Worst Passwords You Could Ever Choose Exposed by Yahoo Voices Hack, T available from the Cloud Security Alliance at https://cloudsecurityalliance.org/ Naked Security, 7/13/12, http://nakedsecurity.sophos.com/2012/07/13/yahoo- guidance/csaguide.v3.0.pdf voices-poor-passwords/13.  loud Security: Top 5 Vulnerabilities of the Public Cloud, iPro Developer, http:// C 31.  WASP Top Ten 2010: The Ten Most Critical Web Application Security Risks, O www.iprodeveloper.com/article/security/public-cloud-security-698785 The Open Web Application Security Project (OWASP), http://owasptop10.14.  ophos Technical Paper: Exploring the Blackhole Exploit Kit, http://www. S googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf sophos.com/en-us/why-sophos/our-people/technical-papers/exploring-the- 32.  ource: IDC. http://money.cnn.com/2012/08/08/technology/smartphone- S blackhole-exploit-kit.aspx market-share/index.html15. The Open Business Engine, http://obe.sourceforge.net/ 33.  ource: ComScore. http://www.comscore.com/Press_Events/Press_ S16. ImmunityProducts.Blogspot.com, http://immunityproducts.blogspot. Releases/2012/9/comScore_Reports_July_2012_U.S._Mobile_Subscriber_ com/2012/08/java-0day-analysis-cve-2012-4681.html Market_ShareSecurity Threat Report 2013 38
    • 34.  ngry Birds Malware Firm Fined £50,000 for Profiting From Fake Android A 51 .  BI Arrests 24 in Internet Credit Card Fraud Ring, Naked Security, http:// F Apps, Naked Security, http://nakedsecurity.sophos.com/2012/05/24/angry- nakedsecurity.sophos.com/2012/06/27/fbi-arrests-24-in-internet-credit-card- birds-malware-fine/ fraud-ring/35.  eading this, you might be curious why Sophos Anti-Virus requests permission R 52 .  ndroid Porn Malware Leads to Arrests in Japan, Naked Security, http:// A to send SMS messages. When you do a remote lock or locate, it wants to nakedsecurity.sophos.com/2012/06/18/android-porn-malware/ send you an SMS with latitude/longitude or confirmation that the lock was 53.  altic SpyEye Malware Trio Sent to Prison, Naked Security, http:// B successful. nakedsecurity.sophos.com/2012/07/01/uk-cops-announce-sentencing-of-36.  isable Windows Sidebar and Gadgets Now on Vista and Windows 7. D baltic-malware-trio/ Microsoft Warns of Security Risk, Naked Security, http://nakedsecurity.sophos. 54. Dutch Police Takedown C&Cs Used by Grum Botnet, Security Week, http://  com/2012/07/12/disable-windows-sidebar-gadgets/ www.securityweek.com/dutch-police-takedown-ccs-used-grum-botnet37.  5 VeriSign Trusted Shops Found to Have XSS Holes, Naked Security, http:// 2 55. Top Spam Botnet ‘Grum’ Unplugged, Krebs on Security, http://krebsonsecurity.  nakedsecurity.sophos.com/2012/02/28/verisign-xss-holes/ com/2012/07/top-spam-botnet-grum-unplugged/38. nsecure WordPress Blogs Unwittingly Host Blackhole Malware Attack, Naked I 56. Midyear Security Predictions: What You Should Know and Look Out For, Dark  Security, http://nakedsecurity.sophos.com/2012/08/10/blackhole-malware- Reading, http://www.darkreading.com/blog/240002287/midyear-security- attack/ predictions-what-you-should-know-and-look-out-for.html39. Android NFC Hack Lets Subway Riders Evade Fares, Naked Security, http://  57. 30,000 Machines Infected in Targeted Attack on Saudi Aramco, The Register,  nakedsecurity.sophos.com/2012/09/24/android-nfc-hack-lets-subway-riders- http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/ evade-fares/ 58.  hamoon Virus Targets Energy Sector Infrastructure, BBC, http://www.bbc. S40.  ansomware: Would You Pay Up? Naked Security, http://nakedsecurity.sophos. R com/news/technology-19293797 com/2012/09/25/ransomware-would-you-pay-up/ 59 .  ore Dangerous Attacks Against Major Energy Providers: Mystery Virus Attack M41 .  eveton/FBI Ransomware: Exposed, Explained and Eliminated, Naked Security, R Blows Qatari Gas Giant RasGas Offline, Cyberseecure, http://cyberseecure. http://nakedsecurity.sophos.com/2012/08/29/reveton-ransomware-exposed- com/2012/08/mystery-virus-attack-blows-qatari-gas-giant-rasgas-offline-the- explained-and-eliminated/ register/42.  ansomware Makes Child Porn Menaces in Broken English, Naked Security, R 60.  .S. Senator Blames Iran for Cyber Attacks on Banks, Naked Security, http:// U http://nakedsecurity.sophos.com/2012/07/04/ransomware-menaces/ nakedsecurity.sophos.com/2012/09/26/us-iran-banks/43.  pple Infiltrates the Enterprise: 1/5 of Global Info Workers Use Apple Products A 61 .  yber Attacks on U.S. Banks Expose Computer Vulnerability, Bloomberg, C for Work, http://blogs.forrester.com/frank_gillett/12-01-26-apple_infiltrates_ http://www.bloomberg.com/news/2012-09-28/cyber-attacks-on-u-s-banks- the_enterprise_15_of_global_info_workers_use_apple_products_for_work_0 expose-computer-vulnerability.html44 .  ac Malware Spies on Email, Survives Reboots, http://www.informationweek. M 62. Taxonomy of Malware Polymorphism, http://www.foocodechu.com/?q=node/54  com/security/attacks/mac-malware-spies-on-email-survives-rebo/240004583 63.  uropean Aeronautical Supplier’s Website Infected With “State-Sponsored” E45 .  pple Zombie Malware “NetWeird” Rummages for Browser and Email A Zero-Day Exploit ], http://nakedsecurity.sophos.com/2012/06/20/aeronautical- Passwords, http://nakedsecurity.sophos.com/2012/08/24/apple-zombie- state-sponsored-exploit/ malware-netweird-rummages-for-browser-and-email-passwords/46 .  ountain Lion: Hands on With Gatekeeper, http://www.macworld.com/ M article/1165408/mountain_lion_hands_on_with_gatekeeper.html47 .  ulzSec Informant Sabu Rewarded With Six Months Freedom for Helping Feds, L Naked Security, http://nakedsecurity.sophos.com/2012/08/23/sabu-lulzsec- freedom/48 .  lleged Russian Cybercriminal Extradited to the US, Naked Security, http:// A nakedsecurity.sophos.com/2012/01/19/alleged-cybercriminal-extradited-usa/49 .  ussian Man Pleads Guilty to Cyber-Fraud Conspiracy in U.S., Bloomberg, R http://www.bloomberg.com/news/2012-02-24/russian-national-pleads-guilty- to-cyber-fraud-conspiracy-in-u-s-.html50 .  redolab: Jail for Man Who Masterminded Botnet of 30 Million Computers, B Naked Security, http://nakedsecurity.sophos.com/2012/05/23/bredolab-jail- botnet/Security Threat Report 2013 39
    • Copyright 2013 Sophos Ltd. All rights reserved.Sophos and Sophos Anti-Virus are registered trademarks of Sophos Ltd. and Sophos Group.All other product and company names mentioned are trademarks or registered trademarksof their respective owners.The information contained in the Security Threat Report is for general information purposesonly. It’s provided by Sophos and SophosLabs and NakedSecurity.sophos.com. While wekeep the information up to date and correct, we make no representations or warrantiesof any kind, express or implied, about the completeness, accuracy, reliability, suitability oravailability with respect to the website or the information, products, services, or relatedgraphics contained in this document for any purpose. Any reliance you place on suchinformation is therefore strictly at your own risk.United Kingdom Sales: North American Sales: Australia and New Zealand Sales: Asia Sales:Tel: +44 (0)8447 671131 Toll Free: 1-866-866-2802 Tel: +61 2 9409 9100 Tel : +65 62244168Email: sales@sophos.com Email: nasales@sophos.com Email: sales@sophos.com.au Email : salesasia@sophos.coBoston, USA  |  Oxford, UK© Copyright 2013. Sophos Ltd. All rights reserved.All trademarks are the property of their respective owners.Sophos Security Threat Report 2013.na. 1.13