2013 Security Threat Report Presentation

2,887
-1

Published on

The 2013 Security Threat Report recaps what happened in data security in 2012, and what trends are ahead in 2013. For more information, visit: http://bit.ly/VcLfLa

Published in: Technology
1 Comment
2 Likes
Statistics
Notes
No Downloads
Views
Total Views
2,887
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
1
Likes
2
Embeds 0
No embeds

No notes for slide
  • Facebook also suffers from rogue applications.Messages posted to people’s walls, providing some link to an applicationApplication purports to be some enticing videoWhen you try and play, requests permission to access info, post to wall etcAlso pops up fake online survey, pretending to be a FB anti-spam verification surveyWhy? Scammers will get money for each scam completed!
  • The next part of our attack scenario is the installation and use of the ZeroAccess rootkit. However, before we go on it is important to remember that this is simply an example scenario. There are many ways in which ZeroAccess can be delivered, Blackhole is commonly used but is by no means the only method. We have seen various social engineering schemes, including uploading the rootkit installer to torrent sites masquerading as cracks or key generators for popular software. Likewise, ZeroAccess is not the only malware that is delivered from Blackhole.ZeroAccess itself, although most commonly known as a rootkit, combines the features of a rootkit and a peer to peer botnet to provide an attacker with a difficult to detect foothold on a PC from which to install further malware of their choosing. As such it is, like Blackhole, just another link in the attack chain. This particular link is designed to conceal its own presence and the presence of the malware it is instructed to download and install.The term rootkit originates in the Unix world where it was used to describe a set of software designed to obtain and keep root, or administrator, access to a computer. Now the term is used to describe malware that conceals its presence in an attempt to evade security scanners.As we’ll see shortly ZeroAccess is under active development. In SophosLabs we have seen hundreds of thousands of unique ZeroAccess related binaries in the last year.
  • Lets take a look at how ZeroAccess hides itself. It is this feature that leads malware distributors to use tools like ZeroAccess rather than simply spread the final stages of their attacks directly. The additional concealment of a rootkit makes it more likely that their attack will remain unnoticed, allowing them to either steal more information or take advantage of a compromised network for a longer period of time. The techniques used by ZeroAccess have changed as it has evolved and they vary depending on whether the operating system is 32 or 64 bit.Older versions of the kit install a malicious driver on 32 bit systems and subvert the operating system’s access to the disk. The components of the kit and the malware it installs are then stored in either a newly created encrypted file system or in a specially linked folder which has been modified to make it inaccessible to the operating system. The contents of these areas are available only to ZeroAccess using its own driver and therefore are invisible to both the operating system and security scanners that use the operating system to read the disk. This type of infection is usually discovered by scanning the operating system kernel to search for the malicious driver.On 64bit systems the enhancements in kernel security make it more difficult for the criminals behind ZeroAccess to install drivers. Instead, they employ some of the standard operating system features to conceal the kit’s presence from a casual observer. To do this the files are placed into the Global Assembly Cache, an area used for storing information about installed .NET assemblies. When this area is browsed using Windows Explorer the operating system will automatically switch to the Assembly Cache Viewer and display assembly information rather than the true contents of the folder, thus hiding any additional files, including ZeroAccess. More recent versions of ZeroAccess use a strategy that works on both 32 and 64 bit platforms, probably to simplify the development process. These versions add a malicious DLL to system processes and hijack the loading process for a legitimate COM object in order to activate itself. Some of the later versions also used advanced file system features such as extended attributes to hide their data. While the later techniques are not stealth in the technical sense they still serve to conceal the presence of ZeroAccess from a casual inspection. We can speculate that the authors of ZeroAccess have learned from their progression to 64bit that a truly stealthy rootkit is not necessary for them to build sufficiently large botnets and make profit from them.
  • An aspect of ZeroAccess that makes it resilient lies in the organization of its botnet infrastructure.ZeroAccess operates as a botnet, meaning that to be useful it must have some way to receive commands. For many botnets the command and control infrastructure that they use is their weakness. Remove the key command and control servers and the individual PCs are left without instructions. The botnet still exists but it cannot be used and is therefore useless to criminals. To avoid this weakness ZeroAccess, and some other recent botnets, use a distributed or peer-to-peer control model. By using distributed control ZeroAccess is resilient to attempts to destroy the botnet. Individual nodes can be cleaned up and removed from the network but it cannot be killed at a single stroke.This reduces the fragility of the botnet by removing the option to ‘cut off the head of the snake’. However, it does have some weaknesses too. The individual nodes of the botnet have to know of some other nearby nodes in order to receive instructions and those instructions may take time to propagate. Also, nodes that do not have direct internet access cannot act as servers for nodes in other networks. To account for this each installation of ZeroAccess contains a configuration file with addresses of 256 previous nodes to ensure that it will be able to contact another infected computer for instructions. For ZeroAccess the peer-to-peer model is used mainly to enable distribution of other malware or for click fraud, that is, getting the infected PC to visit a website or access online ads generate advertising income for the affiliate serving those ads. It is also used to distribute spam bots which use the infected PCs to send spam. It is likely that the click fraudsters, spammers and malware authors are renting space on the ZeroAccessbotnet and thereby funding the profits of its authors and the continued development of ZeroAccess.
  • Some versions of ZeroAccess use aggressive techniques to defend themselves on each infected endpoint. It is common for malware to attempt to disable security software, usually the malware simply has a list of security programs that it will attempt to kill if it finds they are running. This is a crude technique and can be fooled by using software that implements some randomness in its file and process names, a common technique in anti-rootkit software. To counter this ZeroAccess sets up a tripwire for security software. It creates a dummy or trap process which does nothing useful and then monitors whether any programs attempt to access the dummy process. Anything that takes the bait is assumed to be a security scanner and ZeroAccess then tries to disable the scanner by both terminating its running processes and changing its access permissions so that it cannot be run again. However, this kind of damage to security software may have been too obvious in revealing the presence of a rootkit and is not used in more recent versions of ZeroAccess.
  • There are few things which make malware for Android more common than for other platforms. Adding new applications to the market is easy and Google’s process for controlling functionality of applications is not very strict.It is very easy to become an Android developer and publish applications. It’s also easy to decompile an application, change its functionality and repackage the application as a completely new (effectively stolen application). Installation from third party sites is possible. There are number of alternative Android markets for applications, including the one set up by the network providers and other well known companies such as Amazon.Cracked applications are shared on many Android related forums and file sharing web sites. Piracy is a major problem. An article on Forbes states “The costs of piracy are very real. One-in-three developers say they’ve lost more than $10,000 in revenue due to piracy. 32% say piracy increases their support costs. One-in-four say piracy increases their server costs, with all those extra users piling onto their servers.”There is a significant number of alternative markets in China, which is currently the main source of malicious applications.Overall, the situation with Android applications is very similar to early days of Windows.It is not surprising that we are seeing increasing numbers of Android malware in our labs.
  • Of course ransomware isn’t the only threat using technology in an attempt to defeat security software. Blackhole itself and many other threats extensively use polymorphism to hide their code. Like ransomware, this isn’t a brand new technique but we are now seeing it in ever increasing numbers, especially in web-based attacks.We can see here the result of research done by SophosLabs studying around 7 million attacks over a 3 month period. It shows how many attacks are launched by each individual version of a threat. Three quarters of binaries are unique to the victim of that particular attack. As we can see the numbers drop away rapidly for 2, 3 or more victim organizations. What this means in practice is that if you encounter malware there’s a 75% chance that no-one else anywhere has seen that exact piece of malware before. In effect, a unique attack has been generated just for you. The actual effects of the attack will be exactly the same as those that everyone else sees but the form it takes will be slightly different. This is all done to avoid detection by security software.
  • 1. Attack toolkits continue to proliferateOver the past year, we’ve seen significant investment by cybercriminals in toolkits like the Blackhole Exploit Pack. Features such as scriptable web services APIs, malware quality assurance platforms, anti-forensics and self-protection mechanisms are becoming readily available. Slick reporting interfaces and ‘premium features’ are fostering new innovation and ensuring that the barrier to cyber crime entry is low and the quality of malicious code is growing. This trend will continue in 2013, with new toolkits being developed and older toolkits being strengthened.2. Modernization and hardening of operating systemsOne positive trend for 2013 is the modernization and hardening of operating systems. This year, there was a plethora of vulnerabilities that made headlines, such as the recent string of Java vulnerabilities (the 2012 equivalent of Adobe in 2011). Despite the attention these received, exploiting vulnerabilities in general became harder as people adopted more modern operating systems with new security features. The availability of DEP, ASLR, Sandboxing and new trusted boot mechanisms made exploitations more challenging. In 2013, cybercriminals will be able to find a vulnerability, but more often struggle to produce 'useful' exploit code. These mechanisms can be bypassed, but the development time and the number of vulnerabilities that can be weaponized will be smaller. We may well see more of a focus on quality social engineering to compensate for harder automated exploitation.3. Cloud-based malware testing changes the threat protection modelIn 2012, malware testing platforms were widely used to test malicious code before it was released in the wild to make detection by anti-malware products much harder. These testing platforms are now growing more feature-rich, introducing money back guarantees and continuous testing features, making cyber criminals even more agile. These platforms have forced the use of more behavioral and reputation-based security mechanisms, a trend that will accelerate in 2013. Watch out for more bi-directional security data exchanges between endpoints and security labs and new strategies in intelligence gathering to equal the efforts of cyber criminals.4. Increased focus on layered securityThe aforementioned attack tools plus the trend of targeted, low-volume attacks means we will see more attacks where the malware authors will gain long-term access to systems (a trend most definitely now established). As a result, 2013 will see a stronger focus on layered security systems that detect malware across the entire threat lifecycle, not just the initial point of entry. There was a recent incident where the initial exploit and malware were entirely missed (they were genuinely new and well tested) but the attacker was caught when he started to use command and control to try and dump password hashes. Even features like application control and reputation can be useful against targeted attacks.5. One step forward, two steps backWe all know the story. The pace of adoption of new technologies, devices and operating systems is only increasing, a trend that will naturally continue in 2013. The challenge however is that many of the new devices and protocols we introduce are making basic mistakes, which allow simple attacks we had previously eliminated to once again be effective. For example, there are lots of new devices configured not to encrypt email usernames/ passwords in transport. This problem is trivially mitigated with configuration, but the traditional processes and controls (or knowledge) are not implicitly covering these new scenarios. The security community needs to watch these new technologies closely in 2013 as they are already in production in most cases.6. Mobile attacks become more advancedMost mobile attacks to date have been comparable to 1990s PC malware or simple attacks. They can largely be avoided by correct device configuration and management. The increased adoption of mobile control and security solutions will force mobile malware authors to alter their strategies in order to remain effective. This is also likely as the mobile device becomes a more interesting platform for attackers to target in terms of pay off. In 2013, it is likely we will see mobile malware start to borrow more techniques from its PC cousin (though volumes are likely still to remain low with more of a focus on attacks than malware). The open versus walled garden control model will continue to be tested with both ends of the spectrum creating opportunities for cyber criminals to capitalize.7. Web servers back in the crosshairsAttacking web servers to distribute malware has been the default for some time – we find a new infected website every couple of seconds. While most businesses have protection for traditional PC environments and endpoints, many neglect to adequately protect their web server environments. In 2012, we saw a large number of web server and database hacks. Like most trends, malware attacks come in cycles, and it has become fashionable to extract credentials from web servers. This trend was gaining momentum in 2012 and it shows no signs of slowing down for 2013.8. Integrate ‘all of the things’Mobile devices, applications and social networks (amongst others) continue to become more integrated, which will potentially breed new opportunities for cyber criminals in 2013. New technologies—like NFC being integrated into mobile platforms and increasingly creative use of GPS services to connect our digital and physical lives—means there will be new opportunities for cyber criminals to compromise our security and/or privacy. This is true not just for mobile devices, but also for traditional computing. Digital systems are gaining the ability to have far more kinetic impact in the real world. In 2013, we need to watch not just the evolution of existing attacks but new types appearing with which we haven’t previously dealt.9. Diverse business models and irreversible malwareFor many years, the majority of malicious code has been financially oriented–stealing credit cards, bank details and other credentials. Theft of intellectual property or intelligence has notably been on the agenda (particularly over the last 24 months), but represents a much smaller portion of malware. Business models and motives for malicious code are however diversifying. One particularly concerning category is ransomware. Ransomware encrypts your data and demands money to unlock your files, forcing you to pay the criminals or to restore from a backup, a process can go poorly in many enterprises. Whereas early samples were low in numbers and easy to reverse and remove, the latest versions are more widespread and use public key cryptography. In some cases their damage is irreversible. We can expect to see more of this class of malware and potentially similar evolutions in 2013.10. Skills problem becomes more apparentAs the platforms and technologies that we use and need to secure are diversifying, so too are the targets of the attackers. Securing platforms like Linux is increasingly on the priority list of many organizations (not necessarily from malware, but from hackers) and getting staff with up-todate skills will be an increasing issue. Staff will need to plan to train on mobile platforms, new computing delivery models and even protocols such as IPv6 as they become more relevant. With perhaps the greatest degree of change occurring in computing platforms in the enterprise since we moved from the mainframe, the next couple of years will bring many new lessons to learn.11. Cyber criminal anti-forensics Cyber criminals and hackers are now using those techniques we’ve developed in the security industry against us. Reputation lists that block forensics teams, labs and security researchers from accessing malicious code networks are being shared between crime packs, presenting more challenges for those doing forensic investigation and trying to chase down incidents. Forensics specialists, law enforcement and vendors need to work carefully to avoid falling into cyber criminals traps.12. More advanced hacktivism and political Debate It goes without saying that hacktivism has a huge place in the public eye and that it is likely to continue to escalate next year. Interestingly, political debates are raging over whether methods like DDoS are legitimate online versions of protest. Over the year we saw hacktivists employ a wide range of techniques beyond DDoS, though many organizations still perceive this as the primary threat from hacktivists. There has been an upward trend in more advanced hacktivist attacks and we can expect more nasty surprises and news headlines next year. Organizations should not limit their field of thinking on hacktivists to DDoS.13. Arguments over big data vs. analytics and confusionWith the challenge of malicious code and attackers bypassing traditional single-layer controls, lots of organizations are discussing the hot topic of the moment: ‘big data’. You’ve likely seen some of the marketing hype around big data, with many claiming magical solutions to the security problem by just combining lots of information together. This process somehow works together to then output actionable and useful intelligence, even though the original data was often poor in quality. Many organizations are still chasing basics like patching. In 2013, the hype turns to reality. As more companies slowly develop the business process and organizational maturity to benefit from these forms of analysis.
  • 2013 Security Threat Report Presentation

    1. 1. Sophos Security Threat Report 2013January 2013
    2. 2. Sophos updateProtecting businesses for over 27 years• First European-based vendor of security solutions for Businesses • Headquarter in Oxford, UK • Billings in excess of 400M US$ (300M €)• Global with strong European base • 100 millions users • 1,600 employees worldwide • 5 SophosLabs Centers, including 2 in the EU Oxford, Budapest, Boston, Vancouver, Sydney • 8 R&D Centers, including 6 in the EU Oxford, Aachen, Budapest, Dortmund, Karlsruhe, Linz, Munich, Vancouver• Dedicated to Businesses2
    3. 3. Triple Leader Endpoint Data UTM Magic Quadrant for Magic Quadrant for Magic Quadrant for Endpoint Protection Platforms Mobile Data Protection Unified Threat Management Sources: Gartner: Magic Quadrantsfor Endpoint Protection Platforms (2 Jan 2013) , Mobile Data Protection (6 Sep 2012), and UTM (5 March 2012). The Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.3
    4. 4. Triple Champion Endpoint Data UTM Vendor Lanscape for Vendor Landscape for Vendor Landscape for Endpoint Anti-Malware Endpoint Encryption Next Generation Firewalls Sources: Info-Tech: Vendor Landscape for Endpoint Anti-Malware (October 2012) , Endpoint Encryption (December 2011), and UTM (October 2012). The Vendor Landscape graphic was published by Info-Tech as part of a larger research note and should be evaluated in the context of the entire report.4
    5. 5. Security Threat Report www.sophos.com/en-us/security-news-trends/reports/security-threat-report.aspx5
    6. 6. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions6
    7. 7. Threats continue to growSophosLabs analyze 250,000+ new malware samples every day 250,0007
    8. 8. Spam is diminished butnot defeated• Authorities are successfully fighting back In July, the dismantling of Grum botnet Control and Command center in the Netherlands, then in Panama and Russia succeeded in reducing spam volume by 17%• But targeted attacks such as spear phishing are growing8
    9. 9. Web is the new Email Web is the the predominant mechanism to infect users Spam 85% Web9
    10. 10. Compromised legitimate sitesSophosLabs detect 30,000 new infectious Web pages every day Browse via Search engine Browse direct10
    11. 11. Drive-by downloadsExploit kits make it trivial for anyone to exploit users over the web • Exploit packs can be bought relatively cheaply • No skill required • Content created to target relevant browser and application vulnerabilities • „Silent‟ infection of victims11
    12. 12. Social EngineeringPrevalent on social network attacks clickjacking Social engineering12 Fake polls
    13. 13. Redirecting victims„Controlling‟ user traffic Compromise legitimate web sites Search engine optimization (SEO)13
    14. 14. Protection StrategiesLayered Protection: block an attack at any step in the delivery chain Compromise legitimate web sites Search engine optimisation (SEO)14
    15. 15. Protection StrategiesWhere do Sophos product technologies work in protecting customers? Compromise legitimate web sites Search engine optimisation (SEO) Antimalware Scan Malicious URL Filtering Host IPS (runtime)15 Security Patches
    16. 16. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions16
    17. 17. Blackhole27% of infected sites and redirections17
    18. 18. Toolkits & Polymorphism• Blackhole attacks multiply thanks to widely spread Toolkits• They make an extended use of JavaScript obfuscation capabilities in their attempts to evade detection with server-side Polymorphism 18
    19. 19. MaaS (Malware as a Service) Price list for Blackhole19
    20. 20. VulnerabilitiesBlackhole exploits vulnerabilites in PDF, Flash, Java … ? hcp://…20
    21. 21. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions21
    22. 22. Blackhole (v1.x)Targets a large array of vulnerabilities, including a majority on Java CVE Cible DescriptionCVE-2012-4681 Java Java forName, getField vulnerabilityCVE-2012-0507 Java Java AtomicReferenceArray vulnerabilityCVE-2011-3544 Java Oracle Java SE Rhino Script Engine Remote Code Execution vulnCVE-2011-2110 Flash Adobe Flash Player unspecified code execution (APSB11-18)CVE-2011-0611 Flash Adobe Flash Player unspecified code execution (APSA11-02)CVE-2010-3552 Java SkylineCVE-2010-1885 Windows Microsoft Windows Help and Support Center (HCP)CVE-2010-1423 Java Java Deployment Toolkit insufficient argument validationCVE-2010-0886 Java Unspecified vulnerabilityCVE-2010-0842 Java JRE MixerSequencer invalid array indexCVE-2010-0840 Java Java trusted Methods ChainingCVE-2010-0188 PDF LibTIFF integer overflowCVE-2009-1671 Java Deployment Toolkit ActiveX controlCVE-2009-4324 PDF Use after free vulnerability in doc.media.newPlayerCVE-2009-0927 PDF Stack overflow via crafted argument to Collab.getIconCVE-2008-2992 PDF Stack overflow via crafted argument to util.printfCVE-2007-5659 PDF collab.collectEmailInfoCVE-2006-0003 IE MDAC22
    23. 23. Instant exploit of vulnerabilitiesWhat is the future of Java? • August 2012 • CVE-2012-4681 zero-day • Rapidly targeted • Metasploit • Exploit kits “It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.”23
    24. 24. Blackhole 2.0September 2012 – New version of the exploit kit announced ! • Less predictable URLs • Harder to track • Harder to block via IDS • More aggressive blacklisting • “Monitor” mode • Slimmer • Less vulnerabilities • Etc.24
    25. 25. Blackhole (v2.x)Reportedly slimming down volume of exploits targeted CVE Cible DescriptionCVE-2012-4681 Java Java forName, getField vulnerabilityCVE-2012-0507 Java Java AtomicReferenceArray vulnerabilityCVE-2011-3544 Java Oracle Java SE Rhino Script Engine Remote Code Execution vulnCVE-2011-2110 Flash Adobe Flash Player unspecified code execution (APSB11-18)CVE-2011-0611 Flash Adobe Flash Player unspecified code execution (APSA11-02)CVE-2010-3552 Java SkylineCVE-2010-1885 Windows Microsoft Windows Help and Support Center (HCP)CVE-2010-1423 Java Java Deployment Toolkit insufficient argument validationCVE-2010-0886 Java Unspecified vulnerabilityCVE-2010-0842 Java JRE MixerSequencer invalid array indexCVE-2010-0840 Java Java trusted Methods ChainingCVE-2010-0188 PDF LibTIFF integer overflowCVE-2009-1671 Java Deployment Toolkit ActiveX controlCVE-2009-4324 PDF Use after free vulnerability in doc.media.newPlayerCVE-2009-0927 PDF Stack overflow via crafted argument to Collab.getIconCVE-2008-2992 PDF Stack overflow via crafted argument to util.printfCVE-2007-5659 PDF collab.collectEmailInfoCVE-2006-0003 IE MDAC
    26. 26. Blackhole payloadsPayloads distributed by Blackhole between August-Sep 2012 Downloader 2% Other ZeroAccess 9% 6% Zbot 25% Backdoor 6% FakeAV 11% Ransomware 18% Sinowal 11% PWS 12%26
    27. 27. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions27
    28. 28. Ransomware The new scareware? • Malware that locks/encrypts user data • Pay ransom to access files Simple Medium Complex • Password • XOR • RC4 protected archives • shift • Public key crypto Recover data?28
    29. 29. Ransomware Multilingual!29
    30. 30. Ransomware: Matsnu Lockout page shown to user30
    31. 31. Ransomware: Matsnu Behind the scene • Connection to C&C server • HTTP, RC4 encrypted • Receives remote commands: • IMAGES • GEO • LOCK • UNLOCK • URLS • EXECUTE • KILL • UPGRADE • UPGRADEURL • LOAD • WAIT • MESSAGE31
    32. 32. Ransomware: Matsnu File encryption Manifest file original_filename1.ext new_filename1.ext key original_filename2.ext new_filename2.ext key … … • Recovery tool? • No! • Decryption/recovery requires: • Grab data value from HTTP request • B64 decode (->MASTER_KEY) • Grab machine ID from HTTP request • RC4 decrypt the MASTER_KEY with this • Append constant string • RC4 decrypt manifest file with machine ID key • DWORD transposition • RC4 decrypt this using the MASTER_KEY • Locate file you wish to decrypt in the manifest file • Grab RC4 key for file, append constant string32 • RC4 decrypt file
    33. 33. Agenda Web Blackhole Java Ransomware Nothing ZeroAccess to see here Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions33
    34. 34. ZeroAccessZeroAccess is a Rootkit familytypically dropped in the system by a Blackhole attack Nothing to see here34
    35. 35. HidingZeroAccess evolves its hiding techniques depending on the OS 32 bit 64 bit Global Assembly Malicious driver Injected DLL Cache Encrypted Linked file system Hide ‘in plain sight’ folder35
    36. 36. Peer-to-Peer BotnetZeroAccess uses a distributed or peer-to-peer control model for resilience36
    37. 37. TrapsZeroAccess use aggressive techniques to defend themselves,such as setting up traps for security software37
    38. 38. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions38
    39. 39. After Fake AV for Mac ...MacDefender, MacSecurity and more39
    40. 40. Flashback (OSX/Flshplyer)Flashback on a malware epidemic on Mac OSX • 600,000 Mac OS X systems infected in spring 2012 • These systems have been exploited in a very large scale botnet • First appearance at the end of 2011 • Pretended to be a Flash installer • Passive and silent download • Exploited several Java vulnerabilities on Mac OS X • In March, exploit of a vulnerability corrected only in April by Apple • 2.1% of Mac systems were infected at the infection peak (Estimation based on Sophos free antimalware for Mac)40
    41. 41. Morcut (OSX/Morcut-A)More sophisticated and potentially more dangerous• Designed for spying • Monitors virtually every way a user communicates• First appearance in July 2012• Posed as a Java Archive file (JAR) • Pretended to be signed by Verisign • Deployed kernel driver components to hide and run without administrator‟s authentication• Reflects an extremely thorough understanding of Mac programming techniques, capabilities, and potential weaknesses• Perfect tool for targeted attacks41
    42. 42. And more ...Distribution of the 4,900 malwares for Mac OS Xthat spread in the first week of August 201242
    43. 43. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions43
    44. 44. Mobile Malware 60,000 54,900 50,000 40,000 30,000 20,000 10,000 0 2011 2012 Jan Apr Jul Oct Jan Apr Jul Oct44
    45. 45. Threat Exposure Rate In the USA and Australia, this rate exceeds those of PCs45
    46. 46. Why Android?• Adding applications to marketplace is easy• Repackaged apps• Alternative Android application markets• Forums and file sharing sites• “Cracked” apps• Alternative markets• Android app landscape similar to Windows46
    47. 47. Android Malware Spyware mTAN Andr/DroidRt Andr/NewyearL- Others B Andr/Gmaster-A Andr/KongFu Andr/Kmin Andr/Boxer Andr/Fake47
    48. 48. Andr/Boxer & Andr/FakePremium SMS Trojans Andr/Boxer Andr/Fake Percentage in total 56.8% 17.5% Number of >3 0-4 Premium SMS Russia, Ukraine and Targeted Countries Russia Kazakhstan • Determine premium • Download and number based on the install applications Other Functionalities Mobile Country Code • Access website • Access website • masquerade as a legitimate app48
    49. 49. Andr/KongFuSophisticated & Multifunctional49
    50. 50. Andr/FkToken-A - mTANMobile transaction authentication number sentby banks to authenticate online bank transactions • Catch SMS message • Send SMS message • Delete SMS message • Contact remote sites to get list of info like attack‟s phone number and websites • Also it looks like it will A trial sample detected as Andr/FkToken-A download and install apk50
    51. 51. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions51
    52. 52. Storage in the Cloud Which solution(s) other than email are you using to exchange professional data? Portable Devices (USB keys …) 77% A corporate solution (FTP server …) 38% Online storage services (Dropbox…) 27% Remote access solution (VPN …) 16% Other 4% Source: Sophos online poll - 1,005 total count When you ask your IT department for help, how long are you willing to wait before looking for a solution on your own? Less than 5 minutes 22% Between 5 and 30 minutes 40% Between 30 minutes and 1 hour 13% Between 1 hour and 1 day 14% 1 day 5% I never move without their answer, however long 7% Source: Sophos online poll - 1,005 total count52
    53. 53. Do you worry about Dropbox? Are files Where is the protected? data stored? Are you Is sensitive allowed to use data already in it? the cloud?53
    54. 54. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions54
    55. 55. Targeted drive-by attackMore cases are revealed55
    56. 56. Targeted drive by attackIndirect targeting • Hack aeronautical site HACK • Redirect + exploits uploaded to site • TARGET company browses site HIT • Zero-day vulnerability hits TARGET EXPLOIT • CVE-2012-1889 (MS XML Core Services) • TARGET compromised PWN56
    57. 57. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions57
    58. 58. 75% of attacks are unique Malware attacks (binary)80%70%60%50%40%30%20%10% 0% 1 2 3 4 5 >5
    59. 59. Server-side Polymorphism• Weaknesses of old-style polymorphic worms • Polymorphism engine part of the code • Can be reversed by persistent researchers • Must be decrypted in memory • Emulate the code until the invariant is found • Detection can be based on the decryption loop• Server side-polymorphism • Responsible for the explosion of variants • 250,000 new malware samples are analyzed every day by SophosLabs • No direct access to the polymorphic engine • Frequent updates59
    60. 60. Obfuscated JavaScript • Endless source of obfuscation techniques • Anti-emulation techniques • Recursive function calls • Hooking events (eg. amount of mouse movements ) • Elapsed time checks • etc …60
    61. 61. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions61
    62. 62. Thirteen predictions for1. Attack toolkits continue to proliferate2. Modernization and hardening of operating systems3. Cloud-based malware testing changes the threat protection model4. Increased focus on layered security5. One step forward, two steps back6. Mobile attacks become more advanced7. Web servers back in the crosshairs8. Integrate ‘all of the things’9. Diverse business models and irreversible malware10. Skills problem becomes more apparent11. Cyber criminal anti-forensics12. More advanced hacktivism and political Debate13. Arguments over big data vs. analytics and confusion62
    63. 63. Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions63
    64. 64. Protect Users at all levelsDeploy solutions at all levels, covering the entire threat lifecycleReduce attack surface Protect everywhere Stop attacks and breaches Keep people working URL Filtering Web Application Endpoint Web Encryption Data Control Access control Automation WiFi security Firewall Protection for cloud Anti-spam Patch Manager Mobile Control Virtualization Anti-malware User education Visibility Local self-help Application Mobile app Clean up Technical Device Control Secure branch Intrusion Firewall Control security support offices prevention Encryption Tamper Free Email Live Protection Small protection Home use VPN Performance updates encryption64
    65. 65. Reduce attack surfaceDeploy solutions with preventive features Anti-Malware Unified Engine Anti-Spyware Sophos Entreprise Console Anti-Rootkit HIPS Web Protection Application Control Integrated Mangement Device Control DLP URL Filtering Patch Assessment Client Firewall NAC Encryption65
    66. 66. Protect all the Devices or your EndUsersThe emergence of BYOD requires to protect an ever larger number of devices Corporate Mobiles Employee Mobiles Corporate PC or Laptop Employee Device66 Corporate Servers Virtualized systems
    67. 67. Control Web ApplicationsControl Web access and Web applications usage Endpoint Web access Web Applications • Anti-malware • Anti-malware • Real time monitoring • Host IPS • HTTPS Scan • Block / Allow • Malicious URL blocking • Anonymizing • Manage risks • Application control Proxies blocking dynamically • URL Filtering • URL Filtering • Limit bandwidth • DLP • Content filtering • Manage priorities
    68. 68. Educate UsersUse Sophos free Education toolkits and resources DOs and DON’T Mobiles Data Social Networks (Best practices)68
    69. 69. Staying ahead of the curveStaying ahead of the curve US and Canada facebook.com/securitybysophos 1-866-866-2802 NASales@sophos.com Sophos on Google+ UK and Worldwide linkedin.com/company/sophos + 44 1235 55 9933 Sales@sophos.com twitter.com/Sophos_News nakedsecurity.sophos.com 69

    ×