2014: Mid-Year Threat Review


Published on

Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.

Published in: Software, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • The data in the following chart can be extremely misleading due to difficulties to interpretation.

    It is not accurate at all, because:
    there’s no direct correlation between # of signatures & threats they protect against
    doesn’t take into account non-signature-based technologies like heuristics, generic, genetic algorithms, neural net stuff, etc.
    Keep in mind:
    one signature may detect entire multiple families of malware (some of which can generate 4.2B+ variants)
    2-3 dozen may be required to detect a single family of malware

    It is most useful to think of it at as a measure of workload
    relative activity of malware in the threatscape
    amount of effort expended to combat it

    So, why show it to you?

    I thought it would be interesting to look at.
    May highlight some interesting behaviors…

    So, with this cautionary messaging in mind, let’s see how busy ESET’s threat research lab was in the first half of 2014…
  • NB: This slide will be redacted from the published version of the deck

    The threat research lab is receiving about 200K samples a day. Sometimes more
    The valleys that you see, by the way, are a development that has become more prevalent over the past few years.

    As malware creation and distribution has evolved into an industry…. they’ve become businesses in themselves.

    And they don’t like to work weekends.

    This data is specifically for malware only. If, for example, we were to look at data on phishing, we would see huge spikes on Fridays. Phishers like to target you on Fridays so they have the weekend to clean out your account before you think of contacting your bank on Monday.

    The two spikes that you see mid-April are from base signature updates—the first one goes off to around 9,000, and the second to 2,000.
  • In 2012, number of unique Android malware detections increased 17× (yes, that’s 1,700%)
    Mobile malware (Android) is growing rapidly:
    2010 3 families
    2011 51 families
    2012 63 families
    2013* 79 families
    Between 2012 and 2013, detections of Android malware by ESET increased by 63%*

    Sources: Trends for 2013, Astounding Growth of Mobile Malware [pdf], Trends for 2014:The Challenge of Internet Privacy [pdf] *data for 2013 is from first 10 months of year

    See the Mobile Device Threats and BYOD Webinar that I gave on BrightTalk for more details.
  • Cartoon courtesy of David Harley.
  • On the financial targeting malware side,

    The success of Bitcoin and related computer mediated, decentralized cryptocurrencies such as dogecoin and litecoin, initially as darkweb currencies, and later into other areas, has spawned a whole new class of entrepreneurs, except that instead of generating or trading in coins, they are interested in either stealing the wallets, or botting machines and using it to mine for them. The two operations, by the way, are not always mutually exclusive.

    Corkow is interesting because banking bots have traditionally been very focused on banks, usually clustered on regional boundaries (US banks, UK banks, RU banks, etc.). While the regional specialization continues, Corkow is interesting because it’s been fine-tuned a little, at least in that it’s mostly targeting banks used primarily by businesses, as opposed to individuals. Also brokerages, as well.

    Mobile banking has not been adopted as widely in the US yet as it has in EU and APAC, but that’s likely to change, especially as Chip & PIN systems are phased in over the next few years.
  • Heartbleed allowed private keys to be viewed, which means that information normally protected by cryptography could be stolen by an attacker.

    SANS ranked it as a top threat.

    Number of affected sites now estimated to be down to 15%, but still a lot of patching going on. Will be a problem on software and devices which are no longer supported, manufactured for years to come, I’m afraid.
  • Hybrid Broadcast Broadband TV or “HbbTV” – hbbtv.org
    In 2012, some 80M Smart TVs were sold. These are devices which run an embedded operating system in firmware, often like Android, but can be something else like WindRiver, QNX, etc. These are manufactured by consumer electronics companies, for whom security is not something they typically think of first, last, and during the process. They may not even have developed the firmware, but licensed it from someone else. As such, they have no SDL, and perhaps no plans to update it, ever.

    When Samsung was notified of their Smart TV’s webcams being hacked in 2012, their initial response was to tell people to cover the lens - http://www.nbcnews.com/tech/security/tv-watching-you-senator-calls-smarter-smart-tv-security-f6C10869252
  • We’re not standing by idly.

    This is a screenshot showing a technology we’re rolling out to help inform users when their router may have been compromised.
  • Gotofail was the name given to an SSL vulnerability in devices running iOS and OS X, not unlike the Heartbleed vulnerability.

    An attacker could perform a MitM attack, bypassing SSL/TLS verification during the initial connection, and masquerade as a trusted server.

    Named after accidental inclusion of a command “gotofail;” which caused this error to occur.

    Nice write up at http://grahamcluley.com/2014/02/critical-security-hole-ios-mac/
  • Credential theft
    Cpanel targeting
    Spam runs
    Web site takeovers for malware injection/deployment
    10,000+ still infected as of March, 2014
  • ESET is a team, and I would not have been able to give this report without assistance from my coworkers.
  • 2014: Mid-Year Threat Review

    1. 1. 2014 Mid-Year Threat Review The good, the bad and the ugly
    2. 2. Presenter Aryeh Goretsky, MVP, ZCSE Distinguished Researcher ESET North America ✉ askeset@eset.com @eset (global) @esetna (US + Canada)
    3. 3. About ESET • Leading security solution provider for companies of all sizes, home and phones • Pioneered and continues to lead the industry in proactive threat detection • Presence in more than 180 countries worldwide • Protecting over 100 million users • Ten years of consecutive VB100 awards† • 5th Largest Endpoint Security Vendor‡ †Source: Virus Bulletin Magazine ‡Source: IDC, Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares
    4. 4. What’s on the agenda? • A brief look into ESET’s threat database • Android malware • Banking bots & Bitcoin thieves • Heartbleed SSL vulnerability • Internet of Things (IoT) • Mac & iPhone • Nation-state malware • Windigo/Ebury malware campaign • Windows XP reaches its end of life
    5. 5. What this presentation is not about • BYOD & mobile device threats • Data breaches (eBay, Target, …) • Edward Snowden, NSA, et al • Multifactor authentication • Passwords and PINs • Phishing, scams & social media • Windows 8.1 Update
    6. 6. Threat Database Updates
    7. 7. Threat Database Updates [CHART REDACTED] To view this slide, please see the presentation at: https://www.brighttalk.com/webcast/1718/110971
    8. 8. Android is becoming Windows
    9. 9. Android Malware • Amount of malware continues to grow • Can be deployed by Windows malware (q.v.) • Reports of smartphones & tablets shipping with pre-installed malware • Everything old is new again: – first worm discovered, Android/Samsapo – first ransomware discovered, Android/Simplocker • On the plus side – Google plans to periodically re-scan installed apps – Most malware originates outside of Google Play, device or carrier stores
    10. 10. Android Malware Have you seen any malware, potentially unwanted applications or junk apps on your Android devices? Yes no
    11. 11. Banking bots & Bitcoin thieves • Arrival of *coin mining and stealing on multiple platforms, technologies (Android, BAT, MSIL, Win32, VBS) • Win32/Corkow banking Trojan targets Bitcoin wallets, Android developers and Russian business bank accounts • Win32/Qadars banking bot now drops Android iBanking component Android/Spy.Agent.AF via Facebook webinject
    12. 12. Heartbleed SSL Vulnerability • 2 year old flaw in OpenSSL allows eavesdropping into communications • About two-thirds of web sites were affected • Also affected networking gear from Cisco, Juniper and others; in VPN software, etc. • Windows 8 inbox VPN clients, too • May have been exploited for those 2 years before being discovered
    13. 13. Internet of Things • Smart TVs – “Red Button” bot in your living room? – Script injection, credential theft, malware? – all via broadcast (EU standard, soon in US) • Smart TVs – the spy in your living room? – Some have microphones and webcams • Not apparent when they’re on; or how to turn off (or if) • Can be remotely taken over (Samsung) – Sent viewing habits, URLs, filenames of private videos (LG) – Replace images/videos on screen (Philips) • Tesla’s iPhone app, used to lock/unlock vehicle, vulnerable to brute-forcing
    14. 14. IOiT: Routers and DVRs, etc. • Residential gateway broadband routers under attack from worms like Win32/RBrute – DNS changing • Browser injection – Ad injection substitution, spying, etc. • Credential theft – bank fraud, shopping, social media, webmail … • Search engine redirection – Bing, Google, Yahoo redirect to sponsored & PPC searches – coin mining (DVR, NAS...) • Nowhere near as effective as PCs, but remember: “Quantity has a quality all its own.” – Joseph Stalin
    15. 15. IOiT: Routers and DVRs, etc. [LIST OF AFFECTED VENDORS REDACTED] To view this slide, please see the presentation at: https://www.brighttalk.com/webcast/1718/110971
    16. 16. IOiT: Routers and DVRs, etc. Reminder: 1. Disable access to admin settings on LAN and wireless interfaces 2. Update firmware to latest version (manual check may be required-do not rely on autoupdate) 3. Use a str0ng password
    17. 17. IOiT: Fighting router-based threats
    18. 18. Internet of Things Do you use any of these Internet connected devices?  Home Automation (thermostat, fire/CO2 alarms, X10, Zigbee, etc.)  Network Attached Storage (NAS)  Next-gen gaming console  Router / Wi-FI Access Point  Smart TV and/or Digital Video Recorder (DVR)
    19. 19. Mac, iPad & iPhone an Apple a day… No major campaigns targeting OS X & iOS, but… • GotoFail, a critical SSL vulnerability is patched • Targeted attacks continue, such as against Chinese and Tibetan advocacy groups • Weird ransomware attacks target Australian and New Zealand iPhones, iPads & Macs
    20. 20. Nation-state malware update • OSX/Appetite trojan used against Falun Gong and Tibetan activists • MiniDuke (aka Win32/SandaEva) continues to be used – Targets include European governments, institutions and NGOs • Use of Win32/Agent.VXU against Ministry of Natural Resources and the Environment in Vietnam (US equivalent: EPA)
    21. 21. The Windigo Campaign …anything but Windows • Started with investigation into Linux/Ebury – OpenSSH backdoor + credential stealer – Malicious library and patch to OpenSSH binaries – Took several steps to avoid detection • Includes Linux/Cdorked, Perl/Calfbot and Win32/Glupteba.M families • Over 25,000 servers infected over past 2 years • Affected Linux, FreeBSD, OpenBSD, Mac OS X – Plus some Windows servers running Perl + Cygwin
    22. 22. Windows XP reaches EOL status • On April 8th, support ended for Windows XP – An update, MS14-021, released on 5/1/14 due to extraordinary circumstances – One-time event, don’t expect it again • Globally, 30% of PCs still running XP – Regionally, ranging from 11% to 61% usage • If you’re still running XP: – Patch systems to final set of updates – Isolate – Figure out migration strategy now
    23. 23. Resources: Android ESET’s We Live Security (blog) • Android malware worm catches unwary users • Android malware? Google will be watching your every move • Android phones and tablets ship “pre-infected” with malware • ESET Analyzes First Android File-Encrypting, TOR-Enabled Ransomware ESET’s Virus Radar (threat encyclopedia) • Android/Samsapo • Android/Simplocker
    24. 24. Resources: Banking Bots & Trojans ESET’s We Live Security (blog) • Facebook Webinject Leads to iBanking Mobile Bot • Corkow: Analysis of a business-oriented banking Trojan • Corkow – the lesser-known Bitcoin-curious cousin of the Russian banking Trojan family • Surveillance cameras hijacked to mine Bitcoin while watching you ESET’s Virus Radar (threat encyclopedia) • Win32/Corkow • Win32/Qadars • Android/Spy.Agent.AF
    25. 25. Resources: Heartbleed ESET’s We Live Security (blog) • All eyes on Heartbleed bug: Worse than feared and could affect “billions” • Heartbleed claims British moms and Canadian tax payers as victims • Heartbleed encryption flaw leaves millions of sites at risk • “I am responsible”: Heartbleed developer breaks silence
    26. 26. Resources: Internet of Things (1/4) ESET’s We Live Security (blog) • Attack on Samsung’s Boxee TV service leaks 158,000 passwords and emails • Channel Cybercrime: Bug allows hackers to hijack screen of Philips TVs • Fridge raiders: Will 2014 really be the year your smart home gets hacked? • Hacker amasses $620,000 in cryptocurrency using infected computers • LG admits that its Smart TVs have been watching users and transmitting data without consent
    27. 27. Resources: Internet of Things (2/4) ESET’s We Live Security (blog) • ‘Major’ Smart TV vulnerability could allow mass wireless attacks • More than 300,000 wireless routers hijacked by criminals in global attack • Mysterious ‘Moon’ worm spreads into many Linksys routers – and hunts new victims • Simplocker Ransomware: New variants spread by Android downloader apps • Smart TVs can be infected with spyware – just like smartphones
    28. 28. Resources: Internet of Things (3/4) ESET’s We Live Security (blog) • Stop TVs spying on us. U.S. Senator calls for safer Smart devices • Surveillance cameras hijacked to mine Bitcoin while watching you • Tesla shocker as researcher picks electric supercar’s lock • The Internet of Things isn’t a malware-laced game of cyber- Cluedo… yet • Win32/Sality newest component: a router’s primary DNS changer named Win32/Rbrute
    29. 29. Resources: Internet of Things (4/4) ESET’s Virus Radar (threat encyclopedia) • Win32/Sality • Win32/Rbrute
    30. 30. Resources: Mac Malware ESET’s We Live Security (blog) • 10 years of Mac OS X malware • Five tips to help control your privacy on Mac OS X • iPhone and Apple ransom incidents? Don’t delay locking down your i-stuff • Master of Mavericks: How to secure your Mac using Apple’s latest update • Urgent iPhone and iPad security update, Mac OS X as well ESET’s Virus Radar (threat encyclopedia) • OSX/Appetite
    31. 31. Resources: Nation-State Update ESET’s We Live Security (blog) • 10 years of Mac OS X malware • Miniduke still duking it out ESET’s Virus Radar (threat encyclopedia) • OSX/Appetite • Win32/Agent.VXU • Win32/SandyEva (MiniDuke)
    32. 32. Resources: Windigo Campaign ESET’s We Live Security (blog) • An in-depth Analysis of Linux/Ebury • Interview: Windigo victim speaks out on the ‘stealth’ malware that attacked his global company • Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign • Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo • Windigo not Windigone: Linux/Ebury updated ESET research papers • Operation Windigo (PDF)
    33. 33. Resources: Windows XP EOL ESET’s We Live Security (blog) • 5 Tips for protecting Windows XP machines after April 8, 2014 • Goodbye, Windows XP! • With just days to go, just how many PCs are still running Windows XP? • Windows exploitation in 2013 • XP-diency: beyond the end of the line
    34. 34. Special Thanks Kudos to Bruce P. Burrell David Harley Amelia Hew Emilio Plumey Javier Segura Aaron Sheinbein Marek Zeman for their assistance with the ESET 2014 Mid Year Threat Report!
    35. 35. I would like to request one of the following Contact from ESET Sales Business Edition Trial PassMark® Competitive Analysis Report Monthly Global Threat Report Polling question:
    36. 36. Q&A Discussion