The document summarizes security trends from the first quarter of 2013, noting that multiple zero-day exploits targeted popular applications like Java and Adobe Flash Player. Old threats like spam botnets and banking Trojans improved their techniques. South Korean cyber attacks in March highlighted the dangers of targeted attacks. Fake mobile apps and phishing targeting mobile browsers also posed problems. The United States hosted the most malicious domains and was among the top sources of spam.
All of the endpoint protection products tested were unable to fully block the Internet Explorer zero-day exploit, with some blocking URL access or detecting malware payloads after exploitation. Kaspersky blocked and warned on URL access while Sophos warned but did not properly block. For exploit blocking, only Kaspersky was able to fully block the exploit code from executing. Malware detection abilities varied, with some products quarantining payloads after execution.
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp... ESET Middle East
The document examines major software vulnerabilities and exploits from 2017-2018, including EternalBlue, WannaCryptor, CoinMiner, Diskcoder (aka Petya), and Meltdown/Spectre. It discusses how the number of reported vulnerabilities reached a historic peak in 2017, with the number of high severity vulnerabilities increasing by 68% from 2016. Exploits like EternalBlue were utilized by ransomware like WannaCryptor to devastating effect by taking advantage of vulnerabilities in older, unpatched systems. The risk posed by vulnerabilities underscores the need for multilayered endpoint security through timely patching and protection layers.
This document provides instructions and code examples for using offensive programming techniques, including bash scripting, Perl programming, buffer overflow exploits, and JavaScript exploits. It includes a keylogger bash script, a Perl script to access an exploits archive, a C code example for a buffer overflow, and a JavaScript code example to steal login credentials. The goal is to educate on how hackers use these programming languages and exploits to carry out offensive security attacks.
The document provides best practices for secure web development. It emphasizes that security should be considered from the beginning as part of requirements gathering and architecture design. Key recommendations include never trusting incoming data, using products with known security histories, helping users make secure choices when possible, and conducting thorough code reviews. The document is intended to help developers build applications that can withstand malicious use.
Defending Against the Dark Arts of LOLBINS Brent Muir
The document discusses defending against attacks that use legitimate operating system tools and binaries ("living off the land") through defense-in-depth strategies. It recommends: 1) application whitelisting policies for high-risk binaries, 2) blocking child processes for those binaries, and 3) restrictive firewall policies. It also provides an overview of exploit protection techniques and tips for maintaining system visibility and inventory records.
Top Application Security Trends of 2012 DaveEdwards12
Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers? Application Security has become one of the top priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to secure your applications.
This document discusses increasing DevSecOps maturity in 2021. It discusses how DevSecOps can enable high software delivery performance while integrating security. It advocates leveraging security through safety-by-default approaches like using safer languages and APIs. It also recommends automating security tools to encode expert knowledge and make it available to all teams. A large section focuses on fuzz testing, explaining how it works, how it can find bugs, and how to integrate it continuously into the software development lifecycle.
2015.04.24 Updated > Android Security Development - Part 1: App Development Cheng-Yi Yu
This document discusses various aspects of securing Android app development, including:
- Setting debuggable and backup permissions to false to prevent unauthorized access.
- Clearing the clipboard when leaving an app to avoid content being copied elsewhere.
- Only requesting necessary permissions and removing unneeded ones over time.
- Encrypting databases using SQLCipher or the SQLite Encryption Extension.
- Verifying SSL certificates and encrypting network traffic using HTTPS.
- Performing cryptography in C/C++ via the Android NDK for increased security.
- Generating secure access tokens, passwords, and keys using techniques like hardware IDs and scrambling.
- Validating user input through secure hashing algorithms.
Android Security - Common Security Pitfalls in Android Applications BlrDroid
The document discusses common security pitfalls in Android apps. It outlines vulnerabilities like hardcoding sensitive info, logging sensitive data, leaking content providers, insecure data storage, and vulnerabilities in webviews and ad libraries. It also discusses issues like SQLite injection, insecure file permissions, backup vulnerabilities, and insecure network traffic. The document provides recommendations for secure coding practices like using proper permissions for activities, services, and content providers, encrypting sensitive data, and avoiding exporting components unless needed.
This document summarizes a presentation on hijacking attacks on Android devices. It discusses various types of attacks such as visual spoofing, UI redressing through techniques like clickjacking and tapjacking, and the Chrome to Phone attack. It provides examples of these attacks and outlines some countermeasures to help protect against them, such as frame busters and setting filters to block obscured touch gestures. The presentation concludes by noting that UI redressing and clickjacking attacks pose serious dangers, and that more attacks are likely to emerge in the future.
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016 Rizal Aditya
Mobile Top 10 2016 - M2 - Insecure Data Storage.
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.
This document discusses various aspects of securing Android development including permissions, encryption, API management, and more. It addresses securing the USB, screen, clipboard, and databases. It recommends using Android NDK for cryptography to make analysis harder. API access should use randomly generated access tokens that are tied to the user ID and hardware ID and refreshed periodically. Encryption should be done with keys derived from random, hardware ID, and user-provided values.
This document provides an overview of a presentation on digital security given by three presenters from City University London. The presentation covered key security concepts like confidentiality, integrity, and availability. It discussed common security threats like malware, intruders, and defined related terms. The presentation also outlined research on security conducted at City University's Centre for Software Reliability, including projects assessing risk, fault tolerance, and the role of quantitative analysis in security decision making.
The document discusses various security threats related to Android applications. It begins by introducing the OWASP Mobile Top 10 risks framework for categorizing common mobile vulnerabilities. It then provides more details on each of the top 10 risk categories, including examples, impacts, and tips for prevention. It also discusses techniques for protecting Android apps from reverse engineering and tampering, such as code obfuscation, anti-debugging, and license verification.
This volume of the Microsoft Security Intelligence Report focuses on the first and second quarters of 2016, with trend data for the last several quarters presented on a quarterly basis. Because vulnerability disclosures can be highly inconsistent from quarter to quarter and often occur disproportionately at certain times of the year, statistics about vulnerability disclosures are presented on a half-yearly basis.
This document provides a summary of the top 10 findings from Microsoft's 2016 Trends in Cybersecurity report. Key findings include:
- 41.8% of all vulnerability disclosures were rated as highly severe, a 3-year high risk level.
- Encounters with exploits of the Java programming language are on the decline likely due to changes in how web browsers handle Java applets.
- Consumer computers encounter malware at twice the rate of enterprise computers likely due to stronger security protections in business networks.
- Locations with the highest malware infection rates were Mongolia, Libya, Palestinian territories, Iraq and Pakistan.
This strategy brief outlines how the Microsoft Cyber Defense Operations Center (CDOC) brings together security experts and data scientists from across the company to form a unified and coordinated defense against the evolving threat landscape—to protect Microsoft’s cloud infrastructure and services, products and devices, and our Microsoft corporate resources.
This document summarizes an upcoming webinar about the January 2017 Patch Tuesday updates. The webinar will provide an overview of the January Patch Tuesday bulletins, known issues, best practices for deploying updates, and industry news. The document then summarizes the key updates being released, including updates for Windows 10, Office, Adobe Flash Player, Acrobat, and security updates for other products. It concludes by listing resources for getting Shavlik content updates, attending future webinars, and watching previous webinar recordings.
This document summarizes a webinar on the December 2016 Patch Tuesday updates. It provides an agenda for the webinar including an overview of the December patches, known issues, and bulletins. It then lists details on several Microsoft and Adobe security updates released on Patch Tuesday, including the impacted products, descriptions of the vulnerabilities fixed, severity ratings, and whether a restart is required.
VenkaSure Antivirus +Internet Security offers premium quality security solutions that are easy to use with lightning fast installation - no configurations required. Best of all, it won’t chew up your system resources!
Light, Dark and... a Sunburst... dissection of a very sophisticated attack. Stefano Maccaglia
The deck covers details about the Sunburst/Solorigate breach, including some interesting threat intel paths we are currently evaluating to attribute the attack.
The document summarizes and dispels five common myths about open source security software:
1. Open source software is too risky for IT security. However, open source is already widely used in enterprise IT infrastructure and can be more secure due to many experts reviewing code.
2. Open source software is free. While the code is free to download, significant resources are required to manage, support, and maintain open source solutions. Commercial open source vendors provide support and integration.
3. Open source vendors add little value. Vendors contribute to open source communities and add features for enterprise use cases like documentation, interfaces and integration between projects.
4. Proprietary solutions are more reliable. Experts already
This document provides an overview of fileless and living-off-the-land (LotL) attacks. It discusses how LotL attacks use legitimate system tools and functions rather than dropping files. Examples mentioned include using PowerShell scripts, macros, and registry entries to execute code. The document then describes a real-world ransomware attack attributed to the REvil group that impacted Kaseya software. The attack exploited a Kaseya server vulnerability to spread ransomware to Kaseya customers. It used living-off-the-land techniques like certutil.exe to download and execute a malicious payload without dropping files. The challenges with detecting and preventing fileless attacks are also summarized.
The incorporation of Security-Enhanced Linux in Android (SEAndroid) is an important security enhancement to the platform.
Android is built on top of the Linux kernel, with a collection of traditional and customized Linux libraries and daemons.
....
What do you remember about the Equifax breach? Something about someone forgetting to patch Struts, and then the bad guys were able to get in and steal all the data? What actually happened was much more nuanced, and there's much to learn by diving into the details.
The document discusses the results of analyzing the security of over 50 iOS and Android apps. Several common issues were found, including insecure data storage techniques like storing sensitive data in plaintext files, insufficient transport layer security from improperly overriding default TLS implementations, and unintentional data leakage through background iOS screenshots. Recommendations are provided to address each issue, such as using encryption to store sensitive data and relying on the framework's default TLS validation.
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
We looked at the data. Here’s a breakdown of some key statistics about the nation’s incoming presidents’ addresses, how long they spoke, how well, and more.
The document discusses how startup entrepreneurs think and operate. It notes that startups like Airbnb and Uber were started due to identifying shortages or problems. It emphasizes that startups focus on providing customer benefit, eliminating waste, and creating value. It also highlights that startups operate with speed, embracing failure fast and pivoting quickly, with transparency and by breaking rules. Startups succeed by moving rapidly, with minimal processes and instead prioritizing speed above all else.
32 Ways a Digital Marketing Consultant Can Help Grow Your Business Barry Feldman
How can a digital marketing consultant help your business? In this resource we'll count the ways. 24 additional marketing resources are bundled for free.
This document discusses how emojis, emoticons, and text speak can be used to teach students. It provides background on the origins of emoticons in 1982 as ways to convey tone and feelings in text communications. It then suggests that with text speak and emojis, students can translate, decode, summarize, play with language, and add emotion to language. A number of websites and apps that can be used for emoji-related activities, lessons, and discussions are also listed.
Artificial intelligence (AI) is everywhere, promising self-driving cars, medical breakthroughs, and new ways of working. But how do you separate hype from reality? How can your company apply AI to solve real business problems?
Here’s what AI learnings your business should keep in mind for 2017.
Study: The Future of VR, AR and Self-Driving Cars LinkedIn
We asked LinkedIn members worldwide about their levels of interest in the latest wave of technology: whether they’re using wearables, and whether they intend to buy self-driving cars and VR headsets as they become available. We asked them too about their attitudes to technology and to the growing role of Artificial Intelligence (AI) in the devices that they use. The answers were fascinating – and in many cases, surprising.
This SlideShare explores the full results of this study, including detailed market-by-market breakdowns of intention levels for each technology – and how attitudes change with age, location and seniority level. If you’re marketing a tech brand – or planning to use VR and wearables to reach a professional audience – then these are insights you won’t want to miss.
Erik Costlow, Product Evangelist at Contrast Security, was Oracle's principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.
The document is a whitepaper that provides an overview of DeepGuard, a Host-based Intrusion Prevention System (HIPS) from WithSecure. It discusses security challenges in today's digital world like high volumes of malware and exploits. It then describes DeepGuard's multi-layered approach using file reputation analysis, behavioral analysis, and communication with a Security Cloud. DeepGuard performs checks when programs launch and while they run to identify and block potentially harmful behaviors.
Technology auto protection_from_exploit Комсс Файквэе
This document provides an introduction, methodology, and results of a comparative assessment of Kaspersky Internet Security 2013 conducted by MRG Effitas in August 2012. The assessment tested Kaspersky and nine other leading antivirus/internet security applications to evaluate the effectiveness of Kaspersky's new Automatic Exploit Prevention technology at detecting exploits and protecting against zero-day vulnerabilities. The methodology used both in-the-wild exploits and samples generated by the Metasploit framework to bypass traditional detection methods and test protection against unknown threats. The full report contains the security applications tested, details of the vulnerabilities and payloads used, and conclusions about the test results.
The document provides 8 predictions for cybersecurity threats in 2014:
1) Advanced malware volume will decrease but attacks will become more targeted and stealthy.
2) A major data-destruction attack such as ransomware will successfully target organizations.
3) Attackers will increasingly target cloud data rather than enterprise networks.
4) Exploit kits like Redkit and Neutrino will struggle for dominance following the arrest of the Blackhole exploit kit author.
5) Java vulnerabilities will remain highly exploitable and exploited with expanded consequences.
6) Attackers will use professional social networks like LinkedIn to target executives and organizations.
7) Cybercriminals will target weaker links in organizations
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
BlackHat USA 2015 got recently concluded and we head a bunch of news around how BlackHat brought to light various security vulnerabilities in day-to-day life like ZigBee protocol, Device for stealing keyless cars & ATM card skimmers. However the presenters, who are also ethical hackers, also gave a bunch of tools to help software community to detect & prevent security holes in the hardware & software while the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of Top 10 tools/utilities that helps in security vulnerability detection & prevention.
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tSonatype
A thought-provoking look at heartbleed, which without leaving a trace, enables adversaries to steal usernames and passwords, instant messages, emails, business critical documents and communications. What happened and how can it be prevented?
This document describes a whole product dynamic "real-world" protection test conducted from August to November 2012. It tested 20 security products against over 2000 malicious URLs to evaluate each product's ability to protect a system from internet-based threats under real-world conditions. The test aimed to simulate the everyday experience of users by testing products with their default settings and incorporating factors like automatic updates. Products that blocked threats without requiring user interaction, or where the system was still protected after user-dependent alerts, were considered protected. The test found variation in results between products and over time.
With that in mind, here are 10 best DevSecOps tools for 2023 so you can get started on the right foot with the latest and greatest techniques. https://bit.ly/3Fd295g
This document outlines a security plan for ALPHA organization. It discusses how the organization uses encryption and a public key infrastructure (PKI) to secure data and communications. The PKI issues digital certificates containing public/private key pairs to authenticate users and applications. Symmetric and asymmetric ciphers are used to encrypt data during transmission and storage. The plan also covers best practices for secure software development, database security, and defending against common cipher attacks.
This guide compiles everything our development team knows about server and application security and delivers step-by-step code to help you secure your user data. It covers key concepts such as server architecture, firewalling, intrusion detection, password security, social hacks, SQL injections and more.
The document provides an overview of software security best practices. It emphasizes that security must be considered from the beginning of the development process and throughout. It discusses assessing risks, creating threat models to identify potential vulnerabilities, and using secure coding techniques and built-in security features to mitigate risks. Tools can help detect security issues during testing. The document covers topics like authentication, authorization, encryption, hashing and various Apple security features.
The document summarizes an evaluation of anti-malware solutions for Android. It reports that certain parts of their previous paper and testing methodology were considered flawed by vendors, so additional testing is being done. It provides details on the testing methodology used, which involved evaluating products' abilities to detect a collection of over 600 malware samples both during on-demand scans and when the samples were installed. Products were grouped into categories based on their detection rates, with the top category detecting over 90% of samples.
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints.
But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Jasmin Hami
Votiro's advanced content disarm and reconstruction technology provides a proactive, signature-less method to stop undisclosed and zero-day threats. It inspects common file formats like documents, images, and archives to identify and remove malicious content while reconstructing the file to retain its functionality. The three-phase process fingerprints the file, disarms any threats, and rebuilds a safe version to neutralize exploits without detection or impact to users. This protects organizations from cyber attacks targeting known and unknown vulnerabilities.
Do you find it difficult to manage cloud security in your organization? Here are seven tips that will help you effectively secure your cloud environments.
Exodus Intelligence provides the US and Canadian governments; our NATO allies; security vendors and commercial clients with in-depth vulnerability intelligence related to unknown (0-day) vulnerabilities and known (N-day) vulnerabilities (including where vendor’ patches are failing to properly fix vulnerabilities). Focusing on defensive cyber-weaponization, Exodus identifies HIGH-RISK TARGETS, focusing on the discovery, exploitation and mitigation of undocumented vulnerabilities and known vulnerabilities (N-day) within systems and software affecting high value assets (critical infrastructure/ business-critical data). Exodus works closely with its clients to structure the continuous delivery of high-value intelligence applicable to an organization's infrastructure & business.
Exodus provides vulnerability research and zero-day/N-day intelligence to clients. It discovers exploitable vulnerabilities in code and documents them in detailed reports along with proof-of-concept exploits. Exodus' intelligence feeds include zero-days before patches are released as well as vulnerabilities in software that were patched but remain exploitable due to failed patches. The feeds help clients measure network defenses, update security rules and reduce cyber risks.
Sample Cloud Application Security and Operations Policy [release]LinkedIn
This document provides a sample cloud applications security and operations policy to guide organizations in developing security policies for cloud applications. It includes sections on authentication and administration, auditing, business continuity, data security, communication security, vendor governance, and brand reputation. For each section, it outlines baseline requirements and additional requirements for applications handling data at different security levels (1-3), based on the potential impact of unauthorized access. The goal is to balance security and usability by applying more stringent requirements to higher risk or sensitive data.
Similar to Zero days-hit-users-hard-at-the-start-of-the-year-en (20)
Sample Cloud Application Security and Operations Policy [release]
Zero days-hit-users-hard-at-the-start-of-the-year-en
The Trend Micro Custom Defense Solution
Detect. Analyze. Adapt, and respond to the attacks that matter to you.
1Q 2013 SECURITY ROUNDUP
Zero-Days Hit Users Hard at the Start of the Year
LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be
construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the
most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the
particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to
modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor
implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the
document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or
enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties
or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this
document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither
Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or
damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of
access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof.
Use of this information constitutes acceptance for use in an “as is” condition.
Contents
Vulnerabilities and Exploits: Multiple Zero-Days in Widely Used Software (page 2)
Cybercrime: Old Threats Return (page 4)
Digital Life Security Issues (page 9)
Mobile Threats: Web Threats Affect Mobile Users, Too (page 11)
APTs and Targeted Attacks: In Stealth Mode (page 15)
PAGE 1 | 1Q 2013 SECURITY ROUNDUP
While exploits and vulnerabilities are a common problem for users,
zero-day exploits in high-profile applications are relatively rare.
That was not the case in the first quarter of 2013. Multiple zero-day
exploits were found targeting popular applications like Java and
Adobe Flash Player, Acrobat, and Reader.
In addition, as predicted, we saw improvements in already-known
threats like spam botnets, banking Trojans, and readily available
exploit kits.
Other high-profile incidents include the South Korean cyber attacks
in March, which reiterated the dangers targeted attacks pose. On
the mobile front, fake versions of popular apps remained a problem
though phishers found a new target in the form of mobile browsers.
Vulnerabilities and Exploits:
Multiple Zero-Days in Widely Used Software
Java in the Spotlight
• Java again took center stage this quarter due to a
couple of high-profile zero-day incidents.
• A zero-day exploit that delivered REVETON and other ransomware
variants proved that even fully patched systems can be no
match for an exploit.1
• Within days, Java released a security update to address the
issue. But instead of putting the issue to rest, the solution led
to even more questions, leading groups, including the U.S.
Department of Homeland Security, to recommend uninstalling
Java from computers.2
1 http://blog.trendmicro.com/trendlabs-security-intelligence/java-zero-day-exploit-
in-the-wild-spreading-ransomware/
2 http://blog.trendmicro.com/trendlabs-security-intelligence/java-fix-for-zero-day-
stirs-questions/
Adobe’s Improvements Challenged
• Adobe was not exempted from zero-day attacks, as Adobe
Flash Player and Reader fell prey to zero-day exploits in
February.
• Two critical vulnerabilities in Adobe Flash Player were
exploited, lending vulnerable computers to malware infection.
• Adobe Reader versions 9, 10, and 11 also fell prey to a zero-
day attack, rendering even the vendor’s sandbox technology
vulnerable.3
3 http://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-vulnerability-
hits-adobe-reader/
CVSS Score Distribution for Vulnerabilities Addressed
Source: CVE Database (cve.mitre.org)
High (rated 7–10): 36%
Medium (rated 4–6.9): 52%
Low (rated 0–3.9): 12%
The majority of the vulnerabilities disclosed in the first quarter were rated
“medium” while about a third were rated “high.”
Timeline of Adobe and Java Exploit Attacks Since Adobe Reader X
November 22, 2010: Adobe released Adobe Reader X, which comes with the protected mode feature.
December 14, 2011: A zero-day exploit for an Adobe Reader X vulnerability related to a possible targeted attack was unearthed.
August 28, 2012: A zero-day Java exploit hit Java 7 but spared Java 6, forcing Oracle to release an out-of-band patch.
October 17, 2012: Adobe released the enhanced protected mode feature in Adobe Reader XI and Acrobat XI.
January 10, 2013: A zero-day Java exploit was actively used in the wild, particularly by the Cool Exploit Kit and the Blackhole Exploit Kit, to distribute REVETON and other ransomware variants.
January 13, 2013: Oracle released a new version of Java to address an in-the-wild zero-day exploit. It also tightened Java’s default settings.
February 5, 2013: Oracle released a security update to address 50 vulnerabilities, including those exploited by the Java zero-days in January.
February 8, 2013: A zero-day exploit targeting Adobe Flash Player surfaced.
February 13, 2013: A zero-day exploit targeting certain versions of Adobe Reader was found.
Adobe’s protection features kept cybercriminals at bay for most of 2012 and into 2013, until they were first broken this
quarter.
In the meantime, Java was exploited left and right, joining the ranks of some of the more exploited software to date.
Adobe’s monthly patching cycle (as opposed to Oracle’s quarterly cycle) allowed it to respond more quickly to privately
reported vulnerabilities. Despite these steps by vendors, multiple zero-days riddled the first quarter’s security landscape,
highlighting the importance of cautious browsing and using proactive solutions.
Cybercrime: Old Threats Return
Exploit Kits Further Stir the Pot
• The Blackhole Exploit Kit now has exploits for Java
vulnerabilities.4
• The Whitehole Exploit Kit, dubbed such for its
adoption of the Blackhole Exploit Kit code with notable
differences, also surfaced this quarter.5
• Not far behind was the Cool Exploit Kit, which is
considered a high-end version of the Blackhole Exploit
Kit.
4 http://blog.trendmicro.com/trendlabs-security-intelligence/blackhole-exploit-kit-
run-adopts-controversial-java-flaw/
5 http://blog.trendmicro.com/trendlabs-security-intelligence/whitehole-exploit-kit-
emerges/
Browser Crasher Transcends Platforms
• Users were hit by a threat we dubbed “browser
crasher” because it causes browsers to hang or crash
across different OSs.6
• Lured via Tweets with links that lead to a site
embedded with a malicious JavaScript code, affected
users saw a never-ending slew of pop-up messages.
6 http://blog.trendmicro.com/trendlabs-security-intelligence/browser-crashers-hit-
japanese-users/
Spam Botnets Refine Techniques
• Asprox, infamous for sending out tons of spam since
2007 and supposedly taken down in 2008, has
been “reborn” with a modular framework.7
• Unlike before, Asprox now uses compromised
legitimate email accounts to evade spam filters and
KULUOZ malware as droppers.8
• First spotted in 2011, the Andromeda botnet resurfaced
this quarter with spam containing links to compromised
sites that host the Blackhole Exploit Kit.9 Newly
spotted Andromeda variants were found spreading
via removable drives and dropping component files to
evade detection.
7 http://blog.trendmicro.com/trendlabs-security-intelligence/asprox-reborn/
8 http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_kuluoz-at-a-spam-
near-you/
9 http://blog.trendmicro.com/trendlabs-security-intelligence/andromeda-botnet-
resurfaces/
CARBERP Rears Its Ugly Head Again
• Banking Trojans known as CARBERP variants were
first spotted in 2010.
• After a CARBERP command-and-control (C&C)
server was sinkholed in 2010, variants of the malware
that download new plug-ins to aid in data stealing
surfaced.10
• Mobile versions of the malware also surfaced to prey
on the growing number of people who use their phones
or tablets to conduct banking transactions.11
10 http://blog.trendmicro.com/trendlabs-security-intelligence/carberp-sinkhole-
findings/
11 http://blog.trendmicro.com/trendlabs-security-intelligence/carberp-banking-
malware-makes-a-comeback/
Number of Botnet C&C Servers Detected per Month
[Chart: C&C server detections for January, February, and March. March: 1,078 (the quarter’s high); the other two months: 854 and 881.]
March showed the most number of C&C servers detected this quarter. Note that this is so far the
biggest number of C&C servers we detected since June 2012.
The numbers in this chart refer to last-seen botnet C&C server detections as of April 10, 2013.
Top 10 Countries with the Most Number of Botnet C&C Servers
United States: 35.66%
Australia: 10.88%
South Korea: 6.51%
China: 5.72%
Germany: 3.41%
United Kingdom: 2.60%
Brazil: 2.35%
Italy: 2.28%
Taiwan: 2.17%
Chile: 1.71%
As in 2012, the United States continued to post the most number of botnet C&C servers this quarter.
Note that the hosting country is not necessarily the location of the threat actor.
Number of Botnet-Connected Computers Detected per Month
[Chart: botnet-connected computers detected in January, February, and March. March: 2.5M (the quarter’s peak); the other two months: 1.4M and 1.2M.]
The number of computers accessing detected C&C servers peaked in March as well. However, these
connections were made to C&C servers discovered before March. Botnets can become less active in one
month and active the next, depending on the botnet master’s purposes.
Overall Trend Micro Smart Protection Network Numbers
                                                   JANUARY   FEBRUARY   MARCH
Number of spam blocked                             4.7B      5.1B       7.3B
Number of malicious sites blocked                  443M      414M       437M
Number of malicious files blocked                  390M      367M       430M
Total number of threats blocked                    5.6B      5.9B       8.2B
Detection rate (threats blocked per second)        2,075     2,211      3,055
Trend Micro protected product users from an average of 2,400 threats per second this quarter.
Top 10 Countries with the Most Number of Botnet-Connected Computers
United States: 28.12%
South Korea: 21.27%
Italy: 10.46%
Malaysia: 8.88%
Macau: 6.40%
Japan: 2.82%
Russia: 2.59%
Austria: 2.52%
Taiwan: 2.49%
India: 1.75%
The United States showed the most number of computers accessing C&C servers in the first two
months of the quarter. But South Korea surpassed the United States in March, possibly as a result of
political tensions at that time.
Top 3 Malware
WORM_DOWNAD: 741K
TROJ_ZACCESS/SIREFEF: 274K
ADW_PRICEGONG: 234K
WORM_DOWNAD remained the top malware this quarter, followed
by TROJ_ZACCESS/SIREFEF, just like last year. But the number
of adware surged led by ADW_PRICEGONG, which placed third to
replace 2012’s third-most prolific malware, PE_SALITY.
Top 3 Malware by Segment
ENTERPRISE                 SMB                            CONSUMER
WORM_DOWNAD 364K           WORM_DOWNAD 81K                TROJ_ZACCESS/SIREFEF 163K
PE_SALITY 81K              PE_SALITY 17K                  CRCK_KEYGEN 162K
PE_VIRUX 34K               TROJ_ZACCESS/SIREFEF 14K       ADW_PRICEGONG 157K
Top 10 Malicious Domains Blocked
DOMAIN                       REASON
trafficconverter . biz       Has a record for hosting and distributing worms
pu . plugrush . com          Has a poor reputation and record
ads . alpha00001 . com       Reported as a C&C server and redirects to enterfactory . com, another malicious site
am10 . ru                    Has a record and reported in relation to pop-up messages and adware
www . trafficholder . com    Related to child exploitation
www . funad . co . kr        Related to ADW_SEARCHSCOPE
www . ody . cc               Related to links with suspicious scripts and sites that host BKDR_HPGN.B-CN
cdn . bispd . com            Redirects to a malicious site and related to malicious files that distribute malware
h4r3k . com                  Distributes Trojans
www . dblpmp . com           Contained spam and malware
Almost all of the domains blocked this quarter were involved in malicious activities, specifically hosting
and distributing malware. Only one of the top 10 was blocked due to malicious content related to child
exploitation.
Top 10 Malicious URL Country Sources
United States: 24.63%
Germany: 4.32%
Netherlands: 3.57%
China: 3.33%
South Korea: 2.99%
Russia: 2.38%
Japan: 1.97%
France: 1.58%
United Kingdom: 1.28%
Canada: 0.63%
Others: 53.32%
More than 20% of the malicious domains we blocked were hosted in the United States, consistent
with our 2012 numbers. The United States and Germany hosted the most number of blocked malicious domains.
The data in this map refer to the number of malicious sites hosted in the countries. The malicious site owners
are not necessarily from the identified countries but may have registered their domains in them.
Top 10 Spam Languages
English: 89.32%
Chinese: 1.59%
Japanese: 1.44%
German: 1.36%
Russian: 1.29%
Italian: 0.48%
Portuguese: 0.37%
Spanish: 0.32%
Slovak: 0.30%
French: 0.15%
Others: 3.38%
The majority of the spam was written in English, as it is the most widely used language in business, commerce,
and entertainment. As such, spammers deemed spreading malicious messages in this language more profitable.
Top 10 Spam-Sending Countries
United States: 11.64%
India: 7.70%
China: 4.28%
Spain: 3.97%
Taiwan: 3.93%
Peru: 3.62%
Russia: 3.42%
Vietnam: 3.29%
Belarus: 3.18%
Colombia: 2.68%
Others: 52.29%
India, which led the pack of spam-sending countries in 2012, fell to second place after the United States. Some
countries that used to be part of the top 10 list completely dropped out this quarter. It is clear though that spamming
remains a global problem.
Digital Life Security Issues
Holidays and Historic Events Remain
Effective Lures
• Historic moments like the papal conclave and the
announcement of the new pope did not escape the
attention of spammers and Blackhole Exploit Kit
perpetrators.12
• The Google Glass competition in February also spurred
the appearance of several web threats, including
malicious links that led to survey scams.13
• The spam and malicious domain volumes also spiked
days before Valentine’s Day, again proving that
cybercriminals still profit from these ruses.14
12 http://blog.trendmicro.com/trendlabs-security-intelligence/spammers-bless-new-
pope-with-spam/
13 http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-hop-on-
the-google-project-glass-bandwagon/
14 http://blog.trendmicro.com/trendlabs-security-intelligence/love-bugs-how-are-
valentine-threats-looking-up/
Selling User Information Follows Its Own
Business Model
• “Fullz” refers to a collection of crucial information
beyond names, addresses, and credit card numbers that is
typically stolen from unsuspecting users and sold by
scammers in underground forums.15
• Data can be stolen using different tools and/or
techniques like spreading data-stealing malware,
compromising “target-rich” organizations, and obtaining
indiscriminately disclosed information.16
• Scammers who sell user information operate within
a certain framework so they can gain new and retain
existing customers to profit.17
15 http://blog.trendmicro.com/trendlabs-security-intelligence/what-would-scammers-
want-with-my-information/
16 http://blog.trendmicro.com/trendlabs-security-intelligence/business-models-
behind-information-theft/
17 http://blog.trendmicro.com/trendlabs-security-intelligence/your-data-and-the-
business-of-online-scam/
Hacking Gives Life to Zombies
• The Montana Emergency Alert System (EAS) was
reportedly hacked and warned users that “bodies of
the dead are rising from their graves and attacking the
living.”18
• Attacks like this show that anything connected
to the Internet, even public infrastructure, can be
compromised, with disastrous results.
18 http://blog.trendmicro.com/trendlabs-security-intelligence/zombies-are-funny-
until-someone-loses-an-eye/
Digital life refers to the entire
ecosystem regarding the online
activities of the general computing
public, including behaviors,
identities, privacy, social
engineering, social media platforms,
and the like.
Notable Social Engineering Lures Used
Pope Francis
Google Glass
Windows 8
Candy Crush
Valentine’s Day
News events dominated the social engineering lures in the first quarter, with the election of a new
pope making the loudest noise. Technology-related topics like Google Glass and Windows 8 were also
frequently used.
Cybercriminal Underground Product/Service Prices
(As of January 16, 2013)
PERSONAL DATA                                   PRICE
BANK LOGIN DATA
  Bank of America U.S.
    US$7,000 balance                            US$300
    US$14,000 balance                           US$500
    US$18,000 balance                           US$800
  HSBC U.S.
    US$12,000 balance                           US$400
    US$28,000 balance                           US$1,000
  HSBC U.K.
    US$8,000 balance                            US$300
    US$17,000 balance                           US$700
VERIFIED PAYPAL ACCOUNT (email and password)
    US$1,500 balance                            US$150
    US$2,500 balance                            US$200
    US$4,000 balance                            US$300
    US$7,000 balance                            US$500
GADGET SHIPMENT
  Laptop
    Apple                                       US$240
    HP/Dell/Toshiba/Samsung                     US$120
    Vaio                                        US$200
  Mobile phone/Tablet
    iPhone 3GS                                  US$120
    iPhone 4G                                   US$150
    iPhone 4GS/iPad 2                           US$180
    BlackBerry                                  US$130
Bank and e-commerce login credentials are highly prized in the underground compared with
their social media counterparts. Besides peddling stolen data, it is interesting to note that
cybercriminals also offer services like shipping gadgets.
Mobile Threats: Web Threats
Affect Mobile Users, Too
Phishing Hooks for Mobile Users
• Phishing is an emerging threat in the mobile space.19
• In 2012, the majority of mobile sites spoofed were
banking sites.20
• Financial service-related sites were most spoofed this
quarter, proving that phishers, whether on computers or
on mobile devices, will always go where the money is.
19 http://about-threats.trendmicro.com/us/mobilehub/mobilereview/rpt-monthly-
mobile-review-201302-mobile-phishing-a-problem-on-the-horizon.pdf
20 http://blog.trendmicro.com/trendlabs-security-intelligence/when-phishing-goes-
mobile/
Mobile Backdoor Infects 1M Smartphones
• An Android malware variant that can send and receive
commands was found on 1M smartphones.21
• The malware can update its script to evade anti-
malware detection. Because of its backdoor routines,
malicious users are able to control infected devices.
• Fortunately for Trend Micro customers, we have been
detecting this malware since July 2012 despite the high
number of infections in the first quarter.
21 http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-found-
to-send-remote-commands/
Fake Gaming Apps Become Threat Staples
• Mobile malware continued to take advantage of popular
gaming apps this quarter.
• We spotted fake versions of Temple Run 2 and spoofed
apps that offer cheats for the game Candy Crush
Saga.22 These apps aggressively pushed ads and
gathered personal information from infected mobile
devices.
22 http://blog.trendmicro.com/trendlabs-security-intelligence/fake-versions-of-
temple-run-2-sprint-their-way-to-users/; http://blog.trendmicro.com/trendlabs-
security-intelligence/dubious-developers-cash-in-on-candy-crush/
Mobile Phishing Site Types Detected
Financial services: 26.90%
Shopping: 3.41%
Real estate: 1.05%
Social networking: 0.79%
Computer/Internet services: 0.39%
Webmail services: 0.39%
Business: 0.13%
Others: 66.94%
Financial sites were still the favorite phishing targets even in the mobile space this quarter. Note that the
number of mobile phishing URLs increased by 54% from around 500 in the first quarter of 2012 to almost 800 in the
same quarter of 2013.
The data in this figure refer to the number of malicious URLs that pointed to sites with mobile-related keywords.
Android Threat Volume Growth
January: 425K
February: 462K
March: 509K
The Android threat volume has reached the halfway mark in relation to our 2013 prediction (1M), indicating
continued cybercriminal interest in the mobile space. The increase could be attributed to the fact that more
than half of the global mobile device market share belongs to Google.
Distribution of Android Threat Types
Premium service abuser: 47.72%
Adware: 31.99%
Data/information stealer: 11.34%
Malicious downloader: 6.41%
Hacktool: 2.09%
Backdoor/remote control: 2.58%
Others: 1.08%
As in 2012, premium service
abusers and adware remained
the top Android threats this
quarter. Premium service
abusers are known for
registering users to overpriced
services while adware
aggressively pushes ads and
may even collect personal
information without affected
users’ consent.
The distribution data was
based on the top 20 mobile
malware and adware families
that comprise 88% of all the
mobile threats detected by the
Mobile Application Reputation
Technology as of March 2013.
Note that a mobile threat family
may exhibit the behaviors of
more than one threat type.
Top 10 Android Malware Families
FAKEINST: 31.50%
OPFAKE: 27.04%
GINMASTER: 5.65%
BOXER: 2.73%
SNDAPPS: 2.70%
JIFAKE: 2.38%
KUNGFU: 2.38%
FAKEDOC: 2.27%
KMIN: 1.53%
KSAPP: 1.49%
Others: 20.33%
Fake apps remained a significant mobile threat. Malicious apps that belong to the FAKEINST and OPFAKE
families are known for imitating popular apps to lure users into downloading them.
Countries Most at Risk of Privacy Exposure Due to App Use
Saudi Arabia: 10.78%
India: 7.58%
Myanmar (Burma): 7.26%
Philippines: 6.05%
Malaysia: 5.74%
Brazil: 5.53%
Hong Kong: 5.11%
China: 4.92%
France: 4.61%
Turkey: 4.48%
Android users from Saudi Arabia were most at risk of privacy exposure. This might
have been due to the fact that almost all of the mobile users in that country take notice
of mobile ads, which could have prompted dubious developers to create apps with
aggressive advertising features.
The ranking was based on the percentage of apps categorized as “privacy risk
inducers” over the total number of apps scanned per country. The ranking was limited
to countries with at least 10,000 scans. The ratings were based on the quarterly
analysis of real-time threat detection via Trend Micro™ Mobile Security Personal
Edition.
Countries with the Highest Battery-Draining App Download Volumes
Algeria: 42.39%
United Kingdom: 36.11%
China: 35.76%
Canada: 35.45%
India: 34.94%
United States: 34.58%
Ireland: 33.13%
Germany: 31.94%
Philippines: 31.90%
Japan: 31.90%
Users from Algeria downloaded the most battery-draining apps, closely followed by users from the United Kingdom and China. With the ninth highest Internet penetration rate in Africa, Algeria may also become a likely web threat target.

The ranking was based on the percentage of apps categorized as “power hoggers” over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Longevity.
Countries with the Highest Malicious Android App Download Volumes
Myanmar (Burma)      9.50%
India                7.25%
Saudi Arabia         7.19%
Russia               6.06%
Ukraine              5.98%
Malaysia             5.26%
Philippines          4.10%
Turkey               3.50%
Indonesia            3.11%
Italy                3.03%
The majority of the countries most at risk of downloading malicious apps were in Asia, led by Myanmar (Burma).

The ranking was based on the percentage of apps rated “malicious” over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition.
APTs and Targeted Attacks: In Stealth Mode
MBR Wiper Attacks Target South Korea
• In mid-March, certain South Korean entities were targeted by a master boot record (MBR)-wiping Trojan.23
• The attacks disrupted the targets’ business by rendering systems, both clients and servers, unable to reboot.
• The samples we found either overwrite infected computers’ MBR using certain strings or delete specific files and/or folders. Once overwritten, computer access either becomes limited or nonexistent.
23 http://blog.trendmicro.com/trendlabs-security-intelligence/summary-of-march-20-korea-mbr-wiper/
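A defender-side check that fits the MBR-wiping behavior described above, added here as an example (it is not code from the report or from Trend Micro): it parses a 512-byte MBR image, verifies the 0x55AA boot signature and partition table, and flags a sector that has been overwritten with a short string tiled across its whole length. The sample sectors, the type-0x07 partition layout and the wipe string are constructed for the example, not taken from the attack.

```python
# Added example (not from the Trend Micro report): a defender-side integrity check for
# a 512-byte MBR image. The March 2013 wiper is described as overwriting the MBR with
# fixed strings, so a sector missing its 0x55AA signature or tiled with one short string is flagged.
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3xB3xII"  # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> Dict:
    """Return boot-signature validity and the non-empty primary partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        flag, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:] == BOOT_SIGNATURE, "partitions": partitions}

def repeated_pattern(sector: bytes, max_period: int = 64) -> Optional[bytes]:
    """Return the shortest string that, tiled across the sector, reproduces it, else None."""
    for period in range(1, max_period + 1):
        unit = sector[:period]
        if (unit * (SECTOR // period + 1))[:SECTOR] == sector:
            return unit
    return None

def assess_mbr(sector: bytes) -> List[str]:
    """Return findings for one sector image; an empty list means it looks intact."""
    info, findings = parse_mbr(sector), []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    unit = repeated_pattern(sector)
    if unit is not None:
        findings.append(f"sector is a repeated {len(unit)}-byte pattern {unit!r}")
    return findings

def make_healthy_mbr() -> bytes:
    """Constructed sample: one bootable type-0x07 partition at LBA 2048 (not a real disk)."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x3c\x90"  # typical jump stub at the start of the boot code
    struct.pack_into(ENTRY_FMT, sector, 446, 0x80, 0x07, 2048, 2097152)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)

WIPED_MBR = b"CONSTRUCTED-WIPE" * (SECTOR // 16)  # constructed wiped sector, not the real wiper's string
```

On a live system the same check runs against the first 512 bytes of the boot disk compared with a baseline captured at build time.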
FAKEM RAT Blends with Normal Traffic
• Like most remote access Trojans (RATs), FAKEM evades detection by blending in with normal network traffic.24
• Unlike other RATs though, FAKEM traffic mimics Windows Messenger, Yahoo! Messenger, or HTML traffic to evade detection.25
24 http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-the-fakem-remote-access-trojan/
25 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf
RARSTONE Backdoor Imitates PlugX
• Like PlugX, the RARSTONE backdoor also loads an executable file in an infected computer’s memory, apart from having its own set of unique tricks.26
• RARSTONE hides its executable file by directly loading a backdoor in memory instead of dropping it onto the computer. Unlike PlugX though, it communicates via Secure Sockets Layer (SSL), which encrypts its traffic, allowing it to blend with normal traffic.
26 http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/
FAKEM Versus RARSTONE: RAT Techniques
Despite certain differences in routine, both FAKEM and RARSTONE present novel ways to remain undetected by most anti-malware solutions.

FAKEM
• Arrives via spear-phishing emails
• Usually disguised as files normally used in businesses (e.g., .DOC, .XLS, and .PDF)
• Drops an .EXE file that initiates encrypted communication with C&C servers
• Creates network traffic that mimics Yahoo! Messenger, Windows Messenger, and HTML traffic

RARSTONE
• Arrives via spear-phishing emails
• Usually disguised as files normally used in offices (e.g., .DOC, .XLS, and .PDF)
• Drops an .EXE file that drops a copy, which then opens a hidden Internet Explorer process and injects malicious code into a computer’s memory; the code decrypts itself and downloads a .DLL file from a C&C server; the .DLL file is loaded in memory
• Communicates with a C&C server using SSL
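The FAKEM bullets and the comparison above make the point that a RAT can hide by shaping its traffic like HTML. The following deep-inspection heuristic is an added example (not code from the report or a Trend Micro signature): it checks whether a response that claims to be HTML actually behaves like one, comparing the declared Content-Length with the body, looking for markup, and measuring how much of a text/html body is printable. The two sample flows are constructed for the example, not captured FAKEM traffic, and the thresholds are assumptions.

```python
# Added example (not from the Trend Micro report): a deep-inspection heuristic for server
# responses that claim to be HTML. A RAT that only wraps its beacon in an HTTP-shaped envelope
# (the evasion FAKEM is described as using) tends to get the details wrong; samples are constructed.
import re
from typing import Dict, List, Optional, Tuple

STATUS_RE = re.compile(rb"^HTTP/1\.[01] \d{3} [^\r\n]*\r\n")
TAG_RE = re.compile(rb"<(html|head|body|div|p|a|script|title)\b", re.I)

def parse_http_response(raw: bytes) -> Optional[Tuple[bytes, Dict[bytes, bytes], bytes]]:
    """Split a raw response into (status line, lower-cased headers, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not STATUS_RE.match(head + b"\r\n"):
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace (1.0 for an empty body)."""
    if not data:
        return 1.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def inspect_flow(raw: bytes) -> List[str]:
    """Return findings for one server-to-client response; empty means plausible HTML."""
    parsed = parse_http_response(raw)
    if parsed is None:
        return ["not a well-formed HTTP response"]
    _, headers, body = parsed
    findings = []
    declared = headers.get(b"content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append(f"content-length {int(declared)} != body size {len(body)}")
    if headers.get(b"content-type", b"").startswith(b"text/html"):
        if not TAG_RE.search(body):
            findings.append("text/html body has no HTML markup")
        if printable_ratio(body) < 0.85:  # assumed threshold; tune on real traffic
            findings.append("text/html body is mostly non-printable bytes")
    return findings

# Constructed samples: a genuine-looking page and an envelope whose body is 32 high-bit bytes.
GENUINE_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 44\r\n\r\n"
                b"<html><body><p>hello world</p></body></html>")
MIMICKED_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 64\r\n\r\n"
                 + bytes(range(0x80, 0xA0)))
```

The same idea applies to RARSTONE's SSL channel, where the header-level check becomes certificate and handshake validation rather than body inspection.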