Sophos , profile picture
Uploaded bySophos
5,157 views

2013 Security Threat Report Presentation

The Sophos Security Threat Report from January 2013 details the evolving landscape of cybersecurity threats, highlighting the growing sophistication of malware, particularly through techniques like drive-by downloads and social engineering. It notes the emergence of ransomware and the use of exploit kits, such as Blackhole, in targeted attacks, emphasizing the importance of layered security and proactive defenses. The report also addresses specific malware trends across various platforms, including Windows and Mac OS X, alongside predictions for future threats.

Embed presentation

Sophos Security Threat Report 2013 January 2013
Sophos update Protecting businesses for over 27 years • First European-based vendor of security solutions for Businesses • Headquarter in Oxford, UK • Billings in excess of 400M US$ (300M €) • Global with strong European base • 100 millions users • 1,600 employees worldwide • 5 SophosLabs Centers, including 2 in the EU Oxford, Budapest, Boston, Vancouver, Sydney • 8 R&D Centers, including 6 in the EU Oxford, Aachen, Budapest, Dortmund, Karlsruhe, Linz, Munich, Vancouver • Dedicated to Businesses 2
Triple Leader Endpoint Data UTM Magic Quadrant for Magic Quadrant for Magic Quadrant for Endpoint Protection Platforms Mobile Data Protection Unified Threat Management Sources: Gartner: Magic Quadrantsfor Endpoint Protection Platforms (2 Jan 2013) , Mobile Data Protection (6 Sep 2012), and UTM (5 March 2012). The Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. 3
Triple Champion Endpoint Data UTM Vendor Lanscape for Vendor Landscape for Vendor Landscape for Endpoint Anti-Malware Endpoint Encryption Next Generation Firewalls Sources: Info-Tech: Vendor Landscape for Endpoint Anti-Malware (October 2012) , Endpoint Encryption (December 2011), and UTM (October 2012). The Vendor Landscape graphic was published by Info-Tech as part of a larger research note and should be evaluated in the context of the entire report. 4
Security Threat Report www.sophos.com/en-us/security-news-trends/reports/security-threat-report.aspx 5
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 6
Threats continue to grow SophosLabs analyze 250,000+ new malware samples every day 250,000 7
Spam is diminished but not defeated • Authorities are successfully fighting back In July, the dismantling of Grum botnet Control and Command center in the Netherlands, then in Panama and Russia succeeded in reducing spam volume by 17% • But targeted attacks such as spear phishing are growing 8
Web is the new Email Web is the the predominant mechanism to infect users Spam 85% Web 9
Compromised legitimate sites SophosLabs detect 30,000 new infectious Web pages every day Browse via Search engine Browse direct 10
Drive-by downloads Exploit kits make it trivial for anyone to exploit users over the web • Exploit packs can be bought relatively cheaply • No skill required • Content created to target relevant browser and application vulnerabilities • „Silent‟ infection of victims 11
Social Engineering Prevalent on social network attacks clickjacking Social engineering 12 Fake polls
Redirecting victims „Controlling‟ user traffic Compromise legitimate web sites Search engine optimization (SEO) 13
Protection Strategies Layered Protection: block an attack at any step in the delivery chain Compromise legitimate web sites Search engine optimisation (SEO) 14
Protection Strategies Where do Sophos product technologies work in protecting customers? Compromise legitimate web sites Search engine optimisation (SEO) Antimalware Scan Malicious URL Filtering Host IPS (runtime) 15 Security Patches
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 16
Blackhole 27% of infected sites and redirections 17
Toolkits & Polymorphism • Blackhole attacks multiply thanks to widely spread Toolkits • They make an extended use of JavaScript obfuscation capabilities in their attempts to evade detection with server-side Polymorphism 18
MaaS (Malware as a Service) Price list for Blackhole 19
Vulnerabilities Blackhole exploits vulnerabilites in PDF, Flash, Java … ? hcp://… 20
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 21
Blackhole (v1.x) Targets a large array of vulnerabilities, including a majority on Java CVE Cible Description CVE-2012-4681 Java Java forName, getField vulnerability CVE-2012-0507 Java Java AtomicReferenceArray vulnerability CVE-2011-3544 Java Oracle Java SE Rhino Script Engine Remote Code Execution vuln CVE-2011-2110 Flash Adobe Flash Player unspecified code execution (APSB11-18) CVE-2011-0611 Flash Adobe Flash Player unspecified code execution (APSA11-02) CVE-2010-3552 Java Skyline CVE-2010-1885 Windows Microsoft Windows Help and Support Center (HCP) CVE-2010-1423 Java Java Deployment Toolkit insufficient argument validation CVE-2010-0886 Java Unspecified vulnerability CVE-2010-0842 Java JRE MixerSequencer invalid array index CVE-2010-0840 Java Java trusted Methods Chaining CVE-2010-0188 PDF LibTIFF integer overflow CVE-2009-1671 Java Deployment Toolkit ActiveX control CVE-2009-4324 PDF Use after free vulnerability in doc.media.newPlayer CVE-2009-0927 PDF Stack overflow via crafted argument to Collab.getIcon CVE-2008-2992 PDF Stack overflow via crafted argument to util.printf CVE-2007-5659 PDF collab.collectEmailInfo CVE-2006-0003 IE MDAC 22
Instant exploit of vulnerabilities What is the future of Java? • August 2012 • CVE-2012-4681 zero-day • Rapidly targeted • Metasploit • Exploit kits “It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.” 23
Blackhole 2.0 September 2012 – New version of the exploit kit announced ! • Less predictable URLs • Harder to track • Harder to block via IDS • More aggressive blacklisting • “Monitor” mode • Slimmer • Less vulnerabilities • Etc. 24
Blackhole (v2.x) Reportedly slimming down volume of exploits targeted CVE Cible Description CVE-2012-4681 Java Java forName, getField vulnerability CVE-2012-0507 Java Java AtomicReferenceArray vulnerability CVE-2011-3544 Java Oracle Java SE Rhino Script Engine Remote Code Execution vuln CVE-2011-2110 Flash Adobe Flash Player unspecified code execution (APSB11-18) CVE-2011-0611 Flash Adobe Flash Player unspecified code execution (APSA11-02) CVE-2010-3552 Java Skyline CVE-2010-1885 Windows Microsoft Windows Help and Support Center (HCP) CVE-2010-1423 Java Java Deployment Toolkit insufficient argument validation CVE-2010-0886 Java Unspecified vulnerability CVE-2010-0842 Java JRE MixerSequencer invalid array index CVE-2010-0840 Java Java trusted Methods Chaining CVE-2010-0188 PDF LibTIFF integer overflow CVE-2009-1671 Java Deployment Toolkit ActiveX control CVE-2009-4324 PDF Use after free vulnerability in doc.media.newPlayer CVE-2009-0927 PDF Stack overflow via crafted argument to Collab.getIcon CVE-2008-2992 PDF Stack overflow via crafted argument to util.printf CVE-2007-5659 PDF collab.collectEmailInfo CVE-2006-0003 IE MDAC
Blackhole payloads Payloads distributed by Blackhole between August-Sep 2012 Downloader 2% Other ZeroAccess 9% 6% Zbot 25% Backdoor 6% FakeAV 11% Ransomware 18% Sinowal 11% PWS 12% 26
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions 27
Ransomware The new scareware? • Malware that locks/encrypts user data • Pay ransom to access files Simple Medium Complex • Password • XOR • RC4 protected archives • shift • Public key crypto Recover data? 28
Ransomware Multilingual! 29
Ransomware: Matsnu Lockout page shown to user 30
Ransomware: Matsnu Behind the scene • Connection to C&C server • HTTP, RC4 encrypted • Receives remote commands: • IMAGES • GEO • LOCK • UNLOCK • URLS • EXECUTE • KILL • UPGRADE • UPGRADEURL • LOAD • WAIT • MESSAGE 31
Ransomware: Matsnu File encryption Manifest file original_filename1.ext new_filename1.ext key original_filename2.ext new_filename2.ext key … … • Recovery tool? • No! • Decryption/recovery requires: • Grab data value from HTTP request • B64 decode (->MASTER_KEY) • Grab machine ID from HTTP request • RC4 decrypt the MASTER_KEY with this • Append constant string • RC4 decrypt manifest file with machine ID key • DWORD transposition • RC4 decrypt this using the MASTER_KEY • Locate file you wish to decrypt in the manifest file • Grab RC4 key for file, append constant string 32 • RC4 decrypt file
Agenda Web Blackhole Java Ransomware Nothing ZeroAccess to see here Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 33
ZeroAccess ZeroAccess is a Rootkit family typically dropped in the system by a Blackhole attack Nothing to see here 34
Hiding ZeroAccess evolves its hiding techniques depending on the OS 32 bit 64 bit Global Assembly Malicious driver Injected DLL Cache Encrypted Linked file system Hide ‘in plain sight’ folder 35
Peer-to-Peer Botnet ZeroAccess uses a distributed or peer-to-peer control model for resilience 36
Traps ZeroAccess use aggressive techniques to defend themselves, such as setting up traps for security software 37
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 38
After Fake AV for Mac ... MacDefender, MacSecurity and more 39
Flashback (OSX/Flshplyer) Flashback on a malware epidemic on Mac OSX • 600,000 Mac OS X systems infected in spring 2012 • These systems have been exploited in a very large scale botnet • First appearance at the end of 2011 • Pretended to be a Flash installer • Passive and silent download • Exploited several Java vulnerabilities on Mac OS X • In March, exploit of a vulnerability corrected only in April by Apple • 2.1% of Mac systems were infected at the infection peak (Estimation based on Sophos free antimalware for Mac) 40
Morcut (OSX/Morcut-A) More sophisticated and potentially more dangerous • Designed for spying • Monitors virtually every way a user communicates • First appearance in July 2012 • Posed as a Java Archive file (JAR) • Pretended to be signed by Verisign • Deployed kernel driver components to hide and run without administrator‟s authentication • Reflects an extremely thorough understanding of Mac programming techniques, capabilities, and potential weaknesses • Perfect tool for targeted attacks 41
And more ... Distribution of the 4,900 malwares for Mac OS X that spread in the first week of August 2012 42
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 43
Mobile Malware 60,000 54,900 50,000 40,000 30,000 20,000 10,000 0 2011 2012 Jan Apr Jul Oct Jan Apr Jul Oct 44
Threat Exposure Rate In the USA and Australia, this rate exceeds those of PCs 45
Why Android? • Adding applications to marketplace is easy • Repackaged apps • Alternative Android application markets • Forums and file sharing sites • “Cracked” apps • Alternative markets • Android app landscape similar to Windows 46
Android Malware Spyware mTAN Andr/DroidRt Andr/NewyearL- Others B Andr/Gmaster-A Andr/KongFu Andr/Kmin Andr/Boxer Andr/Fake 47
Andr/Boxer & Andr/Fake Premium SMS Trojans Andr/Boxer Andr/Fake Percentage in total 56.8% 17.5% Number of >3 0-4 Premium SMS Russia, Ukraine and Targeted Countries Russia Kazakhstan • Determine premium • Download and number based on the install applications Other Functionalities Mobile Country Code • Access website • Access website • masquerade as a legitimate app 48
Andr/KongFu Sophisticated & Multifunctional 49
Andr/FkToken-A - mTAN Mobile transaction authentication number sent by banks to authenticate online bank transactions • Catch SMS message • Send SMS message • Delete SMS message • Contact remote sites to get list of info like attack‟s phone number and websites • Also it looks like it will A trial sample detected as Andr/FkToken-A download and install apk 50
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 51
Storage in the Cloud Which solution(s) other than email are you using to exchange professional data? Portable Devices (USB keys …) 77% A corporate solution (FTP server …) 38% Online storage services (Dropbox…) 27% Remote access solution (VPN …) 16% Other 4% Source: Sophos online poll - 1,005 total count When you ask your IT department for help, how long are you willing to wait before looking for a solution on your own? Less than 5 minutes 22% Between 5 and 30 minutes 40% Between 30 minutes and 1 hour 13% Between 1 hour and 1 day 14% 1 day 5% I never move without their answer, however long 7% Source: Sophos online poll - 1,005 total count 52
Do you worry about Dropbox? Are files Where is the protected? data stored? Are you Is sensitive allowed to use data already in it? the cloud? 53
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 54
Targeted drive-by attack More cases are revealed 55
Targeted drive by attack Indirect targeting • Hack aeronautical site HACK • Redirect + exploits uploaded to site • TARGET company browses site HIT • Zero-day vulnerability hits TARGET EXPLOIT • CVE-2012-1889 (MS XML Core Services) • TARGET compromised PWN 56
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions 57
75% of attacks are unique Malware attacks (binary) 80% 70% 60% 50% 40% 30% 20% 10% 0% 1 2 3 4 5 >5
Server-side Polymorphism • Weaknesses of old-style polymorphic worms • Polymorphism engine part of the code • Can be reversed by persistent researchers • Must be decrypted in memory • Emulate the code until the invariant is found • Detection can be based on the decryption loop • Server side-polymorphism • Responsible for the explosion of variants • 250,000 new malware samples are analyzed every day by SophosLabs • No direct access to the polymorphic engine • Frequent updates 59
Obfuscated JavaScript • Endless source of obfuscation techniques • Anti-emulation techniques • Recursive function calls • Hooking events (eg. amount of mouse movements ) • Elapsed time checks • etc … 60
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions 61
Thirteen predictions for 1. Attack toolkits continue to proliferate 2. Modernization and hardening of operating systems 3. Cloud-based malware testing changes the threat protection model 4. Increased focus on layered security 5. One step forward, two steps back 6. Mobile attacks become more advanced 7. Web servers back in the crosshairs 8. Integrate ‘all of the things’ 9. Diverse business models and irreversible malware 10. Skills problem becomes more apparent 11. Cyber criminal anti-forensics 12. More advanced hacktivism and political Debate 13. Arguments over big data vs. analytics and confusion 62
Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions 63
Protect Users at all levels Deploy solutions at all levels, covering the entire threat lifecycle Reduce attack surface Protect everywhere Stop attacks and breaches Keep people working URL Filtering Web Application Endpoint Web Encryption Data Control Access control Automation WiFi security Firewall Protection for cloud Anti-spam Patch Manager Mobile Control Virtualization Anti-malware User education Visibility Local self-help Application Mobile app Clean up Technical Device Control Secure branch Intrusion Firewall Control security support offices prevention Encryption Tamper Free Email Live Protection Small protection Home use VPN Performance updates encryption 64
Reduce attack surface Deploy solutions with preventive features Anti-Malware Unified Engine Anti-Spyware Sophos Entreprise Console Anti-Rootkit HIPS Web Protection Application Control Integrated Mangement Device Control DLP URL Filtering Patch Assessment Client Firewall NAC Encryption 65
Protect all the Devices or your EndUsers The emergence of BYOD requires to protect an ever larger number of devices Corporate Mobiles Employee Mobiles Corporate PC or Laptop Employee Device 66 Corporate Servers Virtualized systems
Control Web Applications Control Web access and Web applications usage Endpoint Web access Web Applications • Anti-malware • Anti-malware • Real time monitoring • Host IPS • HTTPS Scan • Block / Allow • Malicious URL blocking • Anonymizing • Manage risks • Application control Proxies blocking dynamically • URL Filtering • URL Filtering • Limit bandwidth • DLP • Content filtering • Manage priorities
Educate Users Use Sophos free Education toolkits and resources DOs and DON’T Mobiles Data Social Networks (Best practices) 68
Staying ahead of the curve Staying ahead of the curve US and Canada facebook.com/securitybysophos 1-866-866-2802 NASales@sophos.com Sophos on Google+ UK and Worldwide linkedin.com/company/sophos + 44 1235 55 9933 Sales@sophos.com twitter.com/Sophos_News nakedsecurity.sophos.com 69

More Related Content

PPT
4 Steps to Optimal Endpoint Settings
bySophos
 
PPT
Sophos Utm Presentation 2016
byInformatikaFortuno
 
PDF
G01.2012 magic quadrant for endpoint protection
bySatya Harish
 
PPTX
Security: more important than ever - Sophos Day Belux 2014
bySophos Benelux
 
PPTX
Sophos Next-Generation Enduser Protection
byGiovanni Giovannelli
 
PPTX
Consider Sophos - Security Made Simple
byDavid Fuchs
 
PPTX
UTM - The Complete Security Box
bySophos
 
PPTX
What's cooking at Sophos - an introduction to Synchronized Security
bySophos Benelux
 
4 Steps to Optimal Endpoint Settings
bySophos
 
Sophos Utm Presentation 2016
byInformatikaFortuno
 
G01.2012 magic quadrant for endpoint protection
bySatya Harish
 
Security: more important than ever - Sophos Day Belux 2014
bySophos Benelux
 
Sophos Next-Generation Enduser Protection
byGiovanni Giovannelli
 
Consider Sophos - Security Made Simple
byDavid Fuchs
 
UTM - The Complete Security Box
bySophos
 
What's cooking at Sophos - an introduction to Synchronized Security
bySophos Benelux
 

What's hot

PPTX
The next generation of IT security
bySophos Benelux
 
PPTX
XG Firewall
byDeServ - Tecnologia e Servços
 
PPTX
Sophos Wireless Protection Overview
bySophos
 
PPTX
Securing with Sophos - Sophos Day Belux 2014
bySophos Benelux
 
PDF
Preparing Your School for BYOD with Sophos UTM Wireless Protection
bySophos
 
PPTX
Endpoint Security Evasion
byInvincea, Inc.
 
PPTX
Sophos EndUser Protection
bySophos
 
PPTX
Sandboxing
byLan & Wan Solutions
 
PPTX
Sandboxing
byLan & Wan Solutions
 
PPTX
SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Da...
bySWITCHPOINT NV/SA
 
PPTX
This is Next-Gen IT Security - Introducing Intercept X
bySophos Benelux
 
PPTX
Get the Most From Your Firewall
bySophos
 
PPTX
Sophos utm-roadshow-south africa-2012
bydvanwyk30
 
PPTX
Sandbox
byayush_nitt
 
PPTX
Sophos Security Day Belgium - The Hidden Gems of Sophos
bySophos Benelux
 
PDF
Kaspersky Lab new Enterprise Portfolio
byKaspersky
 
PDF
Dell sonicwall connected security
byMotty Ben Atia
 
PPTX
Kaspersky endpoint security business presentation
byData Unit
 
PDF
Complete Endpoint protection
byxband
 
The next generation of IT security
bySophos Benelux
 
XG Firewall
byDeServ - Tecnologia e Servços
 
Sophos Wireless Protection Overview
bySophos
 
Securing with Sophos - Sophos Day Belux 2014
bySophos Benelux
 
Preparing Your School for BYOD with Sophos UTM Wireless Protection
bySophos
 
Endpoint Security Evasion
byInvincea, Inc.
 
Sophos EndUser Protection
bySophos
 
Sandboxing
byLan & Wan Solutions
 
Sandboxing
byLan & Wan Solutions
 
SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Da...
bySWITCHPOINT NV/SA
 
This is Next-Gen IT Security - Introducing Intercept X
bySophos Benelux
 
Get the Most From Your Firewall
bySophos
 
Sophos utm-roadshow-south africa-2012
bydvanwyk30
 
Sandbox
byayush_nitt
 
Sophos Security Day Belgium - The Hidden Gems of Sophos
bySophos Benelux
 
Kaspersky Lab new Enterprise Portfolio
byKaspersky
 
Dell sonicwall connected security
byMotty Ben Atia
 
Kaspersky endpoint security business presentation
byData Unit
 
Complete Endpoint protection
byxband
 

Similar to 2013 Security Threat Report Presentation

PDF
Dan Guido SOURCE Boston 2011
bySource Conference
 
PDF
Toorcon Seattle 2011 - Browser Exploit Packs
byAditya K Sood
 
PPTX
IBM Smarter Business 2012 - IBM Security: Threat landscape
byIBM Sverige
 
PDF
Maximize Computer Security With Limited Ressources
bySecunia
 
PDF
3 Nir Zuk Modern Malware Jun 2011
bydavidmaciaalcaide
 
PPTX
Stopping the Adobe, Apple and Java Software Updater Insanity
byLumension
 
PPTX
The Endless Wave of Online Threats - Protecting our Community
byAVG Technologies AU
 
PPTX
Emerging Threats and Trends in Online Security
byAVG Technologies AU
 
PDF
Battling Malware In The Enterprise
byAyed Al Qartah
 
PPTX
Kurt baumgartner lan_deskse2012
byKurt Baumgartner
 
PPTX
Top Application Security Trends of 2012
byDaveEdwards12
 
PDF
Metasploitation part-1 (murtuja)
byClubHack
 
PPTX
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
byEthioTelecom_Getahun Biratu
 
PDF
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
byAditya K Sood
 
PDF
Vicente Diaz - Jorge Mieres - Fuel For Pwnage
bySource Conference
 
PDF
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
byAditya K Sood
 
PPTX
Spiceworld 2011 - AppRiver breakout session
byShane Rice
 
PDF
IT Vulnerability & Tools Watch 2011
byWASecurity
 
PDF
AVG Threat Report Q4 2012
byAVG Technologies AU
 
PPT
The Future of Automated Malware Generation
byStephan Chenette
 
Dan Guido SOURCE Boston 2011
bySource Conference
 
Toorcon Seattle 2011 - Browser Exploit Packs
byAditya K Sood
 
IBM Smarter Business 2012 - IBM Security: Threat landscape
byIBM Sverige
 
Maximize Computer Security With Limited Ressources
bySecunia
 
3 Nir Zuk Modern Malware Jun 2011
bydavidmaciaalcaide
 
Stopping the Adobe, Apple and Java Software Updater Insanity
byLumension
 
The Endless Wave of Online Threats - Protecting our Community
byAVG Technologies AU
 
Emerging Threats and Trends in Online Security
byAVG Technologies AU
 
Battling Malware In The Enterprise
byAyed Al Qartah
 
Kurt baumgartner lan_deskse2012
byKurt Baumgartner
 
Top Application Security Trends of 2012
byDaveEdwards12
 
Metasploitation part-1 (murtuja)
byClubHack
 
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
byEthioTelecom_Getahun Biratu
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
byAditya K Sood
 
Vicente Diaz - Jorge Mieres - Fuel For Pwnage
bySource Conference
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
byAditya K Sood
 
Spiceworld 2011 - AppRiver breakout session
byShane Rice
 
IT Vulnerability & Tools Watch 2011
byWASecurity
 
AVG Threat Report Q4 2012
byAVG Technologies AU
 
The Future of Automated Malware Generation
byStephan Chenette
 

More from Sophos

PPTX
Your Money or Your File! Highway Robbery with Blackhole and Ransomware
bySophos
 
PDF
2013 Security Threat Report
bySophos
 
PDF
Is Your Network Ready for BYOD?
bySophos
 
PPTX
8 Threats Your Anti-Virus Won't Stop
bySophos
 
PPTX
When Malware Goes Mobile
bySophos
 
PPTX
Exposing the Money Behind Malware
bySophos
 
PPTX
BYOD - Protecting Your School
bySophos
 
PPTX
Endpoint Protection
bySophos
 
PPTX
Sophos Mobile Control - Product Overview
bySophos
 
PPTX
Complete Security
bySophos
 
PPTX
IT Security DOs und DON’Ts (Italian)
bySophos
 
PPTX
IT Security DOs and DON'Ts
bySophos
 
Your Money or Your File! Highway Robbery with Blackhole and Ransomware
bySophos
 
2013 Security Threat Report
bySophos
 
Is Your Network Ready for BYOD?
bySophos
 
8 Threats Your Anti-Virus Won't Stop
bySophos
 
When Malware Goes Mobile
bySophos
 
Exposing the Money Behind Malware
bySophos
 
BYOD - Protecting Your School
bySophos
 
Endpoint Protection
bySophos
 
Sophos Mobile Control - Product Overview
bySophos
 
Complete Security
bySophos
 
IT Security DOs und DON’Ts (Italian)
bySophos
 
IT Security DOs and DON'Ts
bySophos
 

Recently uploaded

PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
AI Technology important knowledge ......
byutkarshj2007
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
The Landscape of Computer Software Development Companies
byYash Singh
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

2013 Security Threat Report Presentation

  • 1.
    Sophos Security ThreatReport 2013 January 2013
  • 2.
    Sophos update Protecting businessesfor over 27 years • First European-based vendor of security solutions for Businesses • Headquarter in Oxford, UK • Billings in excess of 400M US$ (300M €) • Global with strong European base • 100 millions users • 1,600 employees worldwide • 5 SophosLabs Centers, including 2 in the EU Oxford, Budapest, Boston, Vancouver, Sydney • 8 R&D Centers, including 6 in the EU Oxford, Aachen, Budapest, Dortmund, Karlsruhe, Linz, Munich, Vancouver • Dedicated to Businesses 2
  • 3.
    Triple Leader Endpoint Data UTM Magic Quadrant for Magic Quadrant for Magic Quadrant for Endpoint Protection Platforms Mobile Data Protection Unified Threat Management Sources: Gartner: Magic Quadrantsfor Endpoint Protection Platforms (2 Jan 2013) , Mobile Data Protection (6 Sep 2012), and UTM (5 March 2012). The Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. 3
  • 4.
    Triple Champion Endpoint Data UTM Vendor Lanscape for Vendor Landscape for Vendor Landscape for Endpoint Anti-Malware Endpoint Encryption Next Generation Firewalls Sources: Info-Tech: Vendor Landscape for Endpoint Anti-Malware (October 2012) , Endpoint Encryption (December 2011), and UTM (October 2012). The Vendor Landscape graphic was published by Info-Tech as part of a larger research note and should be evaluated in the context of the entire report. 4
  • 5.
    Security Threat Report www.sophos.com/en-us/security-news-trends/reports/security-threat-report.aspx 5
  • 6.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 6
  • 7.
    Threats continue togrow SophosLabs analyze 250,000+ new malware samples every day 250,000 7
  • 8.
    Spam is diminishedbut not defeated • Authorities are successfully fighting back In July, the dismantling of Grum botnet Control and Command center in the Netherlands, then in Panama and Russia succeeded in reducing spam volume by 17% • But targeted attacks such as spear phishing are growing 8
  • 9.
    Web is thenew Email Web is the the predominant mechanism to infect users Spam 85% Web 9
  • 10.
    Compromised legitimate sites SophosLabsdetect 30,000 new infectious Web pages every day Browse via Search engine Browse direct 10
  • 11.
    Drive-by downloads Exploit kitsmake it trivial for anyone to exploit users over the web • Exploit packs can be bought relatively cheaply • No skill required • Content created to target relevant browser and application vulnerabilities • „Silent‟ infection of victims 11
  • 12.
    Social Engineering Prevalent onsocial network attacks clickjacking Social engineering 12 Fake polls
  • 13.
    Redirecting victims „Controlling‟ usertraffic Compromise legitimate web sites Search engine optimization (SEO) 13
  • 14.
    Protection Strategies Layered Protection:block an attack at any step in the delivery chain Compromise legitimate web sites Search engine optimisation (SEO) 14
  • 15.
    Protection Strategies Where doSophos product technologies work in protecting customers? Compromise legitimate web sites Search engine optimisation (SEO) Antimalware Scan Malicious URL Filtering Host IPS (runtime) 15 Security Patches
  • 16.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 16
  • 17.
    Blackhole 27% of infectedsites and redirections 17
  • 18.
    Toolkits & Polymorphism •Blackhole attacks multiply thanks to widely spread Toolkits • They make an extended use of JavaScript obfuscation capabilities in their attempts to evade detection with server-side Polymorphism 18
  • 19.
    MaaS (Malware asa Service) Price list for Blackhole 19
  • 20.
    Vulnerabilities Blackhole exploits vulnerabilitesin PDF, Flash, Java … ? hcp://… 20
  • 21.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 21
  • 22.
    Blackhole (v1.x) Targets alarge array of vulnerabilities, including a majority on Java CVE Cible Description CVE-2012-4681 Java Java forName, getField vulnerability CVE-2012-0507 Java Java AtomicReferenceArray vulnerability CVE-2011-3544 Java Oracle Java SE Rhino Script Engine Remote Code Execution vuln CVE-2011-2110 Flash Adobe Flash Player unspecified code execution (APSB11-18) CVE-2011-0611 Flash Adobe Flash Player unspecified code execution (APSA11-02) CVE-2010-3552 Java Skyline CVE-2010-1885 Windows Microsoft Windows Help and Support Center (HCP) CVE-2010-1423 Java Java Deployment Toolkit insufficient argument validation CVE-2010-0886 Java Unspecified vulnerability CVE-2010-0842 Java JRE MixerSequencer invalid array index CVE-2010-0840 Java Java trusted Methods Chaining CVE-2010-0188 PDF LibTIFF integer overflow CVE-2009-1671 Java Deployment Toolkit ActiveX control CVE-2009-4324 PDF Use after free vulnerability in doc.media.newPlayer CVE-2009-0927 PDF Stack overflow via crafted argument to Collab.getIcon CVE-2008-2992 PDF Stack overflow via crafted argument to util.printf CVE-2007-5659 PDF collab.collectEmailInfo CVE-2006-0003 IE MDAC 22
  • 23.
    Instant exploit ofvulnerabilities What is the future of Java? • August 2012 • CVE-2012-4681 zero-day • Rapidly targeted • Metasploit • Exploit kits “It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.” 23
  • 24.
    Blackhole 2.0 September 2012– New version of the exploit kit announced ! • Less predictable URLs • Harder to track • Harder to block via IDS • More aggressive blacklisting • “Monitor” mode • Slimmer • Less vulnerabilities • Etc. 24
  • 25.
    Blackhole (v2.x) Reportedly slimmingdown volume of exploits targeted CVE Cible Description CVE-2012-4681 Java Java forName, getField vulnerability CVE-2012-0507 Java Java AtomicReferenceArray vulnerability CVE-2011-3544 Java Oracle Java SE Rhino Script Engine Remote Code Execution vuln CVE-2011-2110 Flash Adobe Flash Player unspecified code execution (APSB11-18) CVE-2011-0611 Flash Adobe Flash Player unspecified code execution (APSA11-02) CVE-2010-3552 Java Skyline CVE-2010-1885 Windows Microsoft Windows Help and Support Center (HCP) CVE-2010-1423 Java Java Deployment Toolkit insufficient argument validation CVE-2010-0886 Java Unspecified vulnerability CVE-2010-0842 Java JRE MixerSequencer invalid array index CVE-2010-0840 Java Java trusted Methods Chaining CVE-2010-0188 PDF LibTIFF integer overflow CVE-2009-1671 Java Deployment Toolkit ActiveX control CVE-2009-4324 PDF Use after free vulnerability in doc.media.newPlayer CVE-2009-0927 PDF Stack overflow via crafted argument to Collab.getIcon CVE-2008-2992 PDF Stack overflow via crafted argument to util.printf CVE-2007-5659 PDF collab.collectEmailInfo CVE-2006-0003 IE MDAC
  • 26.
    Blackhole payloads Payloads distributedby Blackhole between August-Sep 2012 Downloader 2% Other ZeroAccess 9% 6% Zbot 25% Backdoor 6% FakeAV 11% Ransomware 18% Sinowal 11% PWS 12% 26
  • 27.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions 27
  • 28.
    Ransomware The newscareware? • Malware that locks/encrypts user data • Pay ransom to access files Simple Medium Complex • Password • XOR • RC4 protected archives • shift • Public key crypto Recover data? 28
  • 29.
  • 30.
    Ransomware: Matsnu Lockoutpage shown to user 30
  • 31.
    Ransomware: Matsnu Behindthe scene • Connection to C&C server • HTTP, RC4 encrypted • Receives remote commands: • IMAGES • GEO • LOCK • UNLOCK • URLS • EXECUTE • KILL • UPGRADE • UPGRADEURL • LOAD • WAIT • MESSAGE 31
  • 32.
    Ransomware: Matsnu Fileencryption Manifest file original_filename1.ext new_filename1.ext key original_filename2.ext new_filename2.ext key … … • Recovery tool? • No! • Decryption/recovery requires: • Grab data value from HTTP request • B64 decode (->MASTER_KEY) • Grab machine ID from HTTP request • RC4 decrypt the MASTER_KEY with this • Append constant string • RC4 decrypt manifest file with machine ID key • DWORD transposition • RC4 decrypt this using the MASTER_KEY • Locate file you wish to decrypt in the manifest file • Grab RC4 key for file, append constant string 32 • RC4 decrypt file
  • 33.
    Agenda Web Blackhole Java Ransomware Nothing ZeroAccess to see here Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 33
  • 34.
    ZeroAccess ZeroAccess is aRootkit family typically dropped in the system by a Blackhole attack Nothing to see here 34
  • 35.
    Hiding ZeroAccess evolves itshiding techniques depending on the OS 32 bit 64 bit Global Assembly Malicious driver Injected DLL Cache Encrypted Linked file system Hide ‘in plain sight’ folder 35
  • 36.
    Peer-to-Peer Botnet ZeroAccess usesa distributed or peer-to-peer control model for resilience 36
  • 37.
    Traps ZeroAccess use aggressivetechniques to defend themselves, such as setting up traps for security software 37
  • 38.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 38
  • 39.
    After Fake AVfor Mac ... MacDefender, MacSecurity and more 39
  • 40.
    Flashback (OSX/Flshplyer) Flashback ona malware epidemic on Mac OSX • 600,000 Mac OS X systems infected in spring 2012 • These systems have been exploited in a very large scale botnet • First appearance at the end of 2011 • Pretended to be a Flash installer • Passive and silent download • Exploited several Java vulnerabilities on Mac OS X • In March, exploit of a vulnerability corrected only in April by Apple • 2.1% of Mac systems were infected at the infection peak (Estimation based on Sophos free antimalware for Mac) 40
  • 41.
    Morcut (OSX/Morcut-A) More sophisticatedand potentially more dangerous • Designed for spying • Monitors virtually every way a user communicates • First appearance in July 2012 • Posed as a Java Archive file (JAR) • Pretended to be signed by Verisign • Deployed kernel driver components to hide and run without administrator‟s authentication • Reflects an extremely thorough understanding of Mac programming techniques, capabilities, and potential weaknesses • Perfect tool for targeted attacks 41
  • 42.
    And more ... Distributionof the 4,900 malwares for Mac OS X that spread in the first week of August 2012 42
  • 43.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 43
  • 44.
    Mobile Malware 60,000 54,900 50,000 40,000 30,000 20,000 10,000 0 2011 2012 Jan Apr Jul Oct Jan Apr Jul Oct 44
  • 45.
    Threat Exposure Rate In the USA and Australia, this rate exceeds those of PCs 45
  • 46.
    Why Android? • Addingapplications to marketplace is easy • Repackaged apps • Alternative Android application markets • Forums and file sharing sites • “Cracked” apps • Alternative markets • Android app landscape similar to Windows 46
  • 47.
    Android Malware Spyware mTAN Andr/DroidRt Andr/NewyearL- Others B Andr/Gmaster-A Andr/KongFu Andr/Kmin Andr/Boxer Andr/Fake 47
  • 48.
    Andr/Boxer & Andr/Fake PremiumSMS Trojans Andr/Boxer Andr/Fake Percentage in total 56.8% 17.5% Number of >3 0-4 Premium SMS Russia, Ukraine and Targeted Countries Russia Kazakhstan • Determine premium • Download and number based on the install applications Other Functionalities Mobile Country Code • Access website • Access website • masquerade as a legitimate app 48
  • 49.
  • 50.
    Andr/FkToken-A - mTAN Mobiletransaction authentication number sent by banks to authenticate online bank transactions • Catch SMS message • Send SMS message • Delete SMS message • Contact remote sites to get list of info like attack‟s phone number and websites • Also it looks like it will A trial sample detected as Andr/FkToken-A download and install apk 50
  • 51.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 51
  • 52.
    Storage in theCloud Which solution(s) other than email are you using to exchange professional data? Portable Devices (USB keys …) 77% A corporate solution (FTP server …) 38% Online storage services (Dropbox…) 27% Remote access solution (VPN …) 16% Other 4% Source: Sophos online poll - 1,005 total count When you ask your IT department for help, how long are you willing to wait before looking for a solution on your own? Less than 5 minutes 22% Between 5 and 30 minutes 40% Between 30 minutes and 1 hour 13% Between 1 hour and 1 day 14% 1 day 5% I never move without their answer, however long 7% Source: Sophos online poll - 1,005 total count 52
  • 53.
    Do you worryabout Dropbox? Are files Where is the protected? data stored? Are you Is sensitive allowed to use data already in it? the cloud? 53
  • 54.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targeted Attacks Long Tail Perspectives for 2013 Conclusions 54
  • 55.
    Targeted drive-by attack Morecases are revealed 55
  • 56.
    Targeted drive byattack Indirect targeting • Hack aeronautical site HACK • Redirect + exploits uploaded to site • TARGET company browses site HIT • Zero-day vulnerability hits TARGET EXPLOIT • CVE-2012-1889 (MS XML Core Services) • TARGET compromised PWN 56
  • 57.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions 57
  • 58.
    75% of attacksare unique Malware attacks (binary) 80% 70% 60% 50% 40% 30% 20% 10% 0% 1 2 3 4 5 >5
  • 59.
    Server-side Polymorphism • Weaknessesof old-style polymorphic worms • Polymorphism engine part of the code • Can be reversed by persistent researchers • Must be decrypted in memory • Emulate the code until the invariant is found • Detection can be based on the decryption loop • Server side-polymorphism • Responsible for the explosion of variants • 250,000 new malware samples are analyzed every day by SophosLabs • No direct access to the polymorphic engine • Frequent updates 59
  • 60.
    Obfuscated JavaScript •Endless source of obfuscation techniques • Anti-emulation techniques • Recursive function calls • Hooking events (eg. amount of mouse movements ) • Elapsed time checks • etc … 60
  • 61.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions 61
  • 62.
    Thirteen predictions for 1.Attack toolkits continue to proliferate 2. Modernization and hardening of operating systems 3. Cloud-based malware testing changes the threat protection model 4. Increased focus on layered security 5. One step forward, two steps back 6. Mobile attacks become more advanced 7. Web servers back in the crosshairs 8. Integrate ‘all of the things’ 9. Diverse business models and irreversible malware 10. Skills problem becomes more apparent 11. Cyber criminal anti-forensics 12. More advanced hacktivism and political Debate 13. Arguments over big data vs. analytics and confusion 62
  • 63.
    Agenda Web Blackhole Java Ransomware ZeroAccess Mac OS X Android Cloud Targetd Attacks Long Tail Perspectives for 2013 Conclusions 63
  • 64.
    Protect Users atall levels Deploy solutions at all levels, covering the entire threat lifecycle Reduce attack surface Protect everywhere Stop attacks and breaches Keep people working URL Filtering Web Application Endpoint Web Encryption Data Control Access control Automation WiFi security Firewall Protection for cloud Anti-spam Patch Manager Mobile Control Virtualization Anti-malware User education Visibility Local self-help Application Mobile app Clean up Technical Device Control Secure branch Intrusion Firewall Control security support offices prevention Encryption Tamper Free Email Live Protection Small protection Home use VPN Performance updates encryption 64
  • 65.
    Reduce attack surface Deploysolutions with preventive features Anti-Malware Unified Engine Anti-Spyware Sophos Entreprise Console Anti-Rootkit HIPS Web Protection Application Control Integrated Mangement Device Control DLP URL Filtering Patch Assessment Client Firewall NAC Encryption 65
  • 66.
    Protect all theDevices or your EndUsers The emergence of BYOD requires to protect an ever larger number of devices Corporate Mobiles Employee Mobiles Corporate PC or Laptop Employee Device 66 Corporate Servers Virtualized systems
  • 67.
    Control Web Applications ControlWeb access and Web applications usage Endpoint Web access Web Applications • Anti-malware • Anti-malware • Real time monitoring • Host IPS • HTTPS Scan • Block / Allow • Malicious URL blocking • Anonymizing • Manage risks • Application control Proxies blocking dynamically • URL Filtering • URL Filtering • Limit bandwidth • DLP • Content filtering • Manage priorities
  • 68.
    Educate Users Use Sophosfree Education toolkits and resources DOs and DON’T Mobiles Data Social Networks (Best practices) 68
  • 69.
    Staying ahead ofthe curve Staying ahead of the curve US and Canada facebook.com/securitybysophos 1-866-866-2802 NASales@sophos.com Sophos on Google+ UK and Worldwide linkedin.com/company/sophos + 44 1235 55 9933 Sales@sophos.com twitter.com/Sophos_News nakedsecurity.sophos.com 69

Editor's Notes

  • #13 Facebook also suffers from rogue applications.Messages posted to people’s walls, providing some link to an applicationApplication purports to be some enticing videoWhen you try and play, requests permission to access info, post to wall etcAlso pops up fake online survey, pretending to be a FB anti-spam verification surveyWhy? Scammers will get money for each scam completed!
  • #35 The next part of our attack scenario is the installation and use of the ZeroAccess rootkit. However, before we go on it is important to remember that this is simply an example scenario. There are many ways in which ZeroAccess can be delivered, Blackhole is commonly used but is by no means the only method. We have seen various social engineering schemes, including uploading the rootkit installer to torrent sites masquerading as cracks or key generators for popular software. Likewise, ZeroAccess is not the only malware that is delivered from Blackhole.ZeroAccess itself, although most commonly known as a rootkit, combines the features of a rootkit and a peer to peer botnet to provide an attacker with a difficult to detect foothold on a PC from which to install further malware of their choosing. As such it is, like Blackhole, just another link in the attack chain. This particular link is designed to conceal its own presence and the presence of the malware it is instructed to download and install.The term rootkit originates in the Unix world where it was used to describe a set of software designed to obtain and keep root, or administrator, access to a computer. Now the term is used to describe malware that conceals its presence in an attempt to evade security scanners.As we’ll see shortly ZeroAccess is under active development. In SophosLabs we have seen hundreds of thousands of unique ZeroAccess related binaries in the last year.
  • #36 Lets take a look at how ZeroAccess hides itself. It is this feature that leads malware distributors to use tools like ZeroAccess rather than simply spread the final stages of their attacks directly. The additional concealment of a rootkit makes it more likely that their attack will remain unnoticed, allowing them to either steal more information or take advantage of a compromised network for a longer period of time. The techniques used by ZeroAccess have changed as it has evolved and they vary depending on whether the operating system is 32 or 64 bit.Older versions of the kit install a malicious driver on 32 bit systems and subvert the operating system’s access to the disk. The components of the kit and the malware it installs are then stored in either a newly created encrypted file system or in a specially linked folder which has been modified to make it inaccessible to the operating system. The contents of these areas are available only to ZeroAccess using its own driver and therefore are invisible to both the operating system and security scanners that use the operating system to read the disk. This type of infection is usually discovered by scanning the operating system kernel to search for the malicious driver.On 64bit systems the enhancements in kernel security make it more difficult for the criminals behind ZeroAccess to install drivers. Instead, they employ some of the standard operating system features to conceal the kit’s presence from a casual observer. To do this the files are placed into the Global Assembly Cache, an area used for storing information about installed .NET assemblies. When this area is browsed using Windows Explorer the operating system will automatically switch to the Assembly Cache Viewer and display assembly information rather than the true contents of the folder, thus hiding any additional files, including ZeroAccess. More recent versions of ZeroAccess use a strategy that works on both 32 and 64 bit platforms, probably to simplify the development process. These versions add a malicious DLL to system processes and hijack the loading process for a legitimate COM object in order to activate itself. Some of the later versions also used advanced file system features such as extended attributes to hide their data. While the later techniques are not stealth in the technical sense they still serve to conceal the presence of ZeroAccess from a casual inspection. We can speculate that the authors of ZeroAccess have learned from their progression to 64bit that a truly stealthy rootkit is not necessary for them to build sufficiently large botnets and make profit from them.
  • #37 An aspect of ZeroAccess that makes it resilient lies in the organization of its botnet infrastructure.ZeroAccess operates as a botnet, meaning that to be useful it must have some way to receive commands. For many botnets the command and control infrastructure that they use is their weakness. Remove the key command and control servers and the individual PCs are left without instructions. The botnet still exists but it cannot be used and is therefore useless to criminals. To avoid this weakness ZeroAccess, and some other recent botnets, use a distributed or peer-to-peer control model. By using distributed control ZeroAccess is resilient to attempts to destroy the botnet. Individual nodes can be cleaned up and removed from the network but it cannot be killed at a single stroke.This reduces the fragility of the botnet by removing the option to ‘cut off the head of the snake’. However, it does have some weaknesses too. The individual nodes of the botnet have to know of some other nearby nodes in order to receive instructions and those instructions may take time to propagate. Also, nodes that do not have direct internet access cannot act as servers for nodes in other networks. To account for this each installation of ZeroAccess contains a configuration file with addresses of 256 previous nodes to ensure that it will be able to contact another infected computer for instructions. For ZeroAccess the peer-to-peer model is used mainly to enable distribution of other malware or for click fraud, that is, getting the infected PC to visit a website or access online ads generate advertising income for the affiliate serving those ads. It is also used to distribute spam bots which use the infected PCs to send spam. It is likely that the click fraudsters, spammers and malware authors are renting space on the ZeroAccessbotnet and thereby funding the profits of its authors and the continued development of ZeroAccess.
  • #38 Some versions of ZeroAccess use aggressive techniques to defend themselves on each infected endpoint. It is common for malware to attempt to disable security software, usually the malware simply has a list of security programs that it will attempt to kill if it finds they are running. This is a crude technique and can be fooled by using software that implements some randomness in its file and process names, a common technique in anti-rootkit software. To counter this ZeroAccess sets up a tripwire for security software. It creates a dummy or trap process which does nothing useful and then monitors whether any programs attempt to access the dummy process. Anything that takes the bait is assumed to be a security scanner and ZeroAccess then tries to disable the scanner by both terminating its running processes and changing its access permissions so that it cannot be run again. However, this kind of damage to security software may have been too obvious in revealing the presence of a rootkit and is not used in more recent versions of ZeroAccess.
  • #47 There are few things which make malware for Android more common than for other platforms. Adding new applications to the market is easy and Google’s process for controlling functionality of applications is not very strict.It is very easy to become an Android developer and publish applications. It’s also easy to decompile an application, change its functionality and repackage the application as a completely new (effectively stolen application). Installation from third party sites is possible. There are number of alternative Android markets for applications, including the one set up by the network providers and other well known companies such as Amazon.Cracked applications are shared on many Android related forums and file sharing web sites. Piracy is a major problem. An article on Forbes states “The costs of piracy are very real. One-in-three developers say they’ve lost more than $10,000 in revenue due to piracy. 32% say piracy increases their support costs. One-in-four say piracy increases their server costs, with all those extra users piling onto their servers.”There is a significant number of alternative markets in China, which is currently the main source of malicious applications.Overall, the situation with Android applications is very similar to early days of Windows.It is not surprising that we are seeing increasing numbers of Android malware in our labs.
  • #59 Of course ransomware isn’t the only threat using technology in an attempt to defeat security software. Blackhole itself and many other threats extensively use polymorphism to hide their code. Like ransomware, this isn’t a brand new technique but we are now seeing it in ever increasing numbers, especially in web-based attacks.We can see here the result of research done by SophosLabs studying around 7 million attacks over a 3 month period. It shows how many attacks are launched by each individual version of a threat. Three quarters of binaries are unique to the victim of that particular attack. As we can see the numbers drop away rapidly for 2, 3 or more victim organizations. What this means in practice is that if you encounter malware there’s a 75% chance that no-one else anywhere has seen that exact piece of malware before. In effect, a unique attack has been generated just for you. The actual effects of the attack will be exactly the same as those that everyone else sees but the form it takes will be slightly different. This is all done to avoid detection by security software.
  • #63 1. Attack toolkits continue to proliferateOver the past year, we’ve seen significant investment by cybercriminals in toolkits like the Blackhole Exploit Pack. Features such as scriptable web services APIs, malware quality assurance platforms, anti-forensics and self-protection mechanisms are becoming readily available. Slick reporting interfaces and ‘premium features’ are fostering new innovation and ensuring that the barrier to cyber crime entry is low and the quality of malicious code is growing. This trend will continue in 2013, with new toolkits being developed and older toolkits being strengthened.2. Modernization and hardening of operating systemsOne positive trend for 2013 is the modernization and hardening of operating systems. This year, there was a plethora of vulnerabilities that made headlines, such as the recent string of Java vulnerabilities (the 2012 equivalent of Adobe in 2011). Despite the attention these received, exploiting vulnerabilities in general became harder as people adopted more modern operating systems with new security features. The availability of DEP, ASLR, Sandboxing and new trusted boot mechanisms made exploitations more challenging. In 2013, cybercriminals will be able to find a vulnerability, but more often struggle to produce 'useful' exploit code. These mechanisms can be bypassed, but the development time and the number of vulnerabilities that can be weaponized will be smaller. We may well see more of a focus on quality social engineering to compensate for harder automated exploitation.3. Cloud-based malware testing changes the threat protection modelIn 2012, malware testing platforms were widely used to test malicious code before it was released in the wild to make detection by anti-malware products much harder. These testing platforms are now growing more feature-rich, introducing money back guarantees and continuous testing features, making cyber criminals even more agile. These platforms have forced the use of more behavioral and reputation-based security mechanisms, a trend that will accelerate in 2013. Watch out for more bi-directional security data exchanges between endpoints and security labs and new strategies in intelligence gathering to equal the efforts of cyber criminals.4. Increased focus on layered securityThe aforementioned attack tools plus the trend of targeted, low-volume attacks means we will see more attacks where the malware authors will gain long-term access to systems (a trend most definitely now established). As a result, 2013 will see a stronger focus on layered security systems that detect malware across the entire threat lifecycle, not just the initial point of entry. There was a recent incident where the initial exploit and malware were entirely missed (they were genuinely new and well tested) but the attacker was caught when he started to use command and control to try and dump password hashes. Even features like application control and reputation can be useful against targeted attacks.5. One step forward, two steps backWe all know the story. The pace of adoption of new technologies, devices and operating systems is only increasing, a trend that will naturally continue in 2013. The challenge however is that many of the new devices and protocols we introduce are making basic mistakes, which allow simple attacks we had previously eliminated to once again be effective. For example, there are lots of new devices configured not to encrypt email usernames/ passwords in transport. This problem is trivially mitigated with configuration, but the traditional processes and controls (or knowledge) are not implicitly covering these new scenarios. The security community needs to watch these new technologies closely in 2013 as they are already in production in most cases.6. Mobile attacks become more advancedMost mobile attacks to date have been comparable to 1990s PC malware or simple attacks. They can largely be avoided by correct device configuration and management. The increased adoption of mobile control and security solutions will force mobile malware authors to alter their strategies in order to remain effective. This is also likely as the mobile device becomes a more interesting platform for attackers to target in terms of pay off. In 2013, it is likely we will see mobile malware start to borrow more techniques from its PC cousin (though volumes are likely still to remain low with more of a focus on attacks than malware). The open versus walled garden control model will continue to be tested with both ends of the spectrum creating opportunities for cyber criminals to capitalize.7. Web servers back in the crosshairsAttacking web servers to distribute malware has been the default for some time – we find a new infected website every couple of seconds. While most businesses have protection for traditional PC environments and endpoints, many neglect to adequately protect their web server environments. In 2012, we saw a large number of web server and database hacks. Like most trends, malware attacks come in cycles, and it has become fashionable to extract credentials from web servers. This trend was gaining momentum in 2012 and it shows no signs of slowing down for 2013.8. Integrate ‘all of the things’Mobile devices, applications and social networks (amongst others) continue to become more integrated, which will potentially breed new opportunities for cyber criminals in 2013. New technologies—like NFC being integrated into mobile platforms and increasingly creative use of GPS services to connect our digital and physical lives—means there will be new opportunities for cyber criminals to compromise our security and/or privacy. This is true not just for mobile devices, but also for traditional computing. Digital systems are gaining the ability to have far more kinetic impact in the real world. In 2013, we need to watch not just the evolution of existing attacks but new types appearing with which we haven’t previously dealt.9. Diverse business models and irreversible malwareFor many years, the majority of malicious code has been financially oriented–stealing credit cards, bank details and other credentials. Theft of intellectual property or intelligence has notably been on the agenda (particularly over the last 24 months), but represents a much smaller portion of malware. Business models and motives for malicious code are however diversifying. One particularly concerning category is ransomware. Ransomware encrypts your data and demands money to unlock your files, forcing you to pay the criminals or to restore from a backup, a process can go poorly in many enterprises. Whereas early samples were low in numbers and easy to reverse and remove, the latest versions are more widespread and use public key cryptography. In some cases their damage is irreversible. We can expect to see more of this class of malware and potentially similar evolutions in 2013.10. Skills problem becomes more apparentAs the platforms and technologies that we use and need to secure are diversifying, so too are the targets of the attackers. Securing platforms like Linux is increasingly on the priority list of many organizations (not necessarily from malware, but from hackers) and getting staff with up-todate skills will be an increasing issue. Staff will need to plan to train on mobile platforms, new computing delivery models and even protocols such as IPv6 as they become more relevant. With perhaps the greatest degree of change occurring in computing platforms in the enterprise since we moved from the mainframe, the next couple of years will bring many new lessons to learn.11. Cyber criminal anti-forensics Cyber criminals and hackers are now using those techniques we’ve developed in the security industry against us. Reputation lists that block forensics teams, labs and security researchers from accessing malicious code networks are being shared between crime packs, presenting more challenges for those doing forensic investigation and trying to chase down incidents. Forensics specialists, law enforcement and vendors need to work carefully to avoid falling into cyber criminals traps.12. More advanced hacktivism and political Debate It goes without saying that hacktivism has a huge place in the public eye and that it is likely to continue to escalate next year. Interestingly, political debates are raging over whether methods like DDoS are legitimate online versions of protest. Over the year we saw hacktivists employ a wide range of techniques beyond DDoS, though many organizations still perceive this as the primary threat from hacktivists. There has been an upward trend in more advanced hacktivist attacks and we can expect more nasty surprises and news headlines next year. Organizations should not limit their field of thinking on hacktivists to DDoS.13. Arguments over big data vs. analytics and confusionWith the challenge of malicious code and attackers bypassing traditional single-layer controls, lots of organizations are discussing the hot topic of the moment: ‘big data’. You’ve likely seen some of the marketing hype around big data, with many claiming magical solutions to the security problem by just combining lots of information together. This process somehow works together to then output actionable and useful intelligence, even though the original data was often poor in quality. Many organizations are still chasing basics like patching. In 2013, the hype turns to reality. As more companies slowly develop the business process and organizational maturity to benefit from these forms of analysis.