
Threat Summaries


H2 2007 Threat Summary




What previously took twenty years to accumulate was accumulated in just one year


At the start of 2007 our cumulative number of malware detections stood at a quarter-million. By the end of 2007 we estimate it will reach half a million.


Malware 2007

There was a great deal of volume seen during 2007. Malware authors are producing variants in bulk. Genuine innovation appears to be on the decline and is currently being replaced with volume and mass-produced kit malware. But while new techniques weren't developed - the existing techniques were refined and adapted for much greater effectiveness. There are some very dangerous faces in the big crowd.

Windows Vista was on the horizon at the end of 2006, and the question was whether Vista would be the end of malware threats. Not this year, at least. The year 2007 ends with Windows XP still dominating the world's installed base, leaving Vista little opportunity to make an impact. The potential strength of Vista has not yet been tested in full force, and much of the malware in the wild running on XP machines is stronger than ever. Looking at Vista's current sales, we predict that the situation will not change very soon.


Storm - Botnet 2007

Our Data Security Wrap-Up for the first half of 2007 (H1) noted the birth of the "Storm Worm", Storm being the umbrella name for a collection of backdoor trojans and e-mail worms.

On Friday, January 19th 2007, e-mail messages with subject lines based on actual news began to circulate. The subject line of "230 dead as storm batters Europe" coined the name Storm. There were in fact dozens of real deaths related to European storms during that time.

Using sensationalized versions of real headlines as a template proved to be a very clever bit of social engineering and was initially very successful. However, during H1 the headline technique's success declined as it was repeated too often, so the gang behind Storm adjusted their procedures. During the second half of 2007 (H2) they have continuously updated their social engineering tactics. Targeting the U.S., they have used holidays such as Labor Day and seasonal events such as the beginning of the National Football League (NFL) season. Targeting others, the gang keeps up to date with popular trends and sites. One of their tricks was the promise of seeing "yourself" in a supposed YouTube video, in a message pointing to a fake YouTube site.

The gang has also altered Storm's infection vector as detection of Storm increased and e-mail attachments were blocked. Instead of attaching the malware to the e-mail messages as before, they spammed messages with links to malicious Web pages. When the detection of the Web pages increased, they cleaned up the pages and instead linked to the malware from the page. So the vector evolution moved from e-mail attachments to Web pages pushing files to Web pages linking to files. (And those files are modified on the fly…) The evolution continues and adjusts as needed.

It is interesting to note that we have seen IFrames (inline frames) used by some Storm sites offering 16 versions of Storm to U.S. based IP addresses rather than the 9 that were offered to IP addresses outside the United States. Storm is produced in Europe but the social engineering has a definite U.S. agenda. They appear to have agents on both sides of the Atlantic.

The computers responsible for sending Storm spam and for hosting Storm's Web pages are themselves part of the Storm botnet. And that botnet is unusual in that it uses peer-to-peer (P2P) protocols for command and control. Traditional botnets use a centralized approach: if the server is located and taken out of service, the botnet is decapitated. Storm is a collective with no central point to shut down. There is no single command-and-control server to kill.

September's Malicious Software Removal Tool, part of Microsoft's monthly updates, made a dent in the size of the Storm botnet: the tool removed a good number of Storm's bots during the update process. But the botnet remains, and the dent hasn't blunted its overall strength.

Another special feature of the Storm botnet is that it protects itself. Repeated requests from a single source to one particular member machine will result in many members of the botnet retaliating against that source with a Distributed Denial of Service (DDoS) attack. Researchers must use caution during investigations, such as rate-limiting their probes, or the botnet gets aggressive.

October brought evidence of Storm variants using unique keys. The unique keys allow the botnet to be segmented, creating "space for rent". It looks as if the Storm gang is preparing to sell access to their botnet. The end of H2 2007 finds Storm in a very strong position and utilizing only a fraction of its potential processing power.


Malware Trends During H2

Banking Trojans

The number of phishing sites online continues to grow, most likely as a result of kits such as Rock Phish: it is as easy to host a multitude of phishing sites as it is to host one. This ease of creation contributes to saturation, and so there is a gradual reduction in overall effectiveness. People are a bit more wary of phishing bait.

So what to do if you want to steal banking information? Use banking trojans.

Banking trojans sit and patiently wait for any banking activity. Trojans, by definition, use a decoy or ploy to get installed. Bank names are not mentioned. If the decoy uses clever social engineering, the victim may never realize what they have really installed on their computer.

Monitoring browser activity (URLs) for banking keywords is the Trojan's task. When banking is discovered, a number of different techniques can be employed to steal the data.

  • Form grabbing
  • Screenshots and video capture
  • Keylogging
  • Injection of fraudulent pages or Form fields
  • Pharming
  • Man-in-the-middle attacks

See The Trojan Money Spinner (PDF file), presented at the Virus Bulletin conference in September 2007, for additional details.

Banking trojans are not a new phenomenon. But we have seen definite growth in 2007.

There is growing evidence of banking malware injecting itself into the browser. This allows some of the techniques above to be carried out as Man-in-the-Browser (MitB) attacks, in which the malware uses the browser itself as its platform. A banking session is only encrypted once it leaves the browser, so inside the browser, before encryption happens, is exactly where banking malware wants to be. We'll see more of this trend in 2008.
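One of the MitB techniques listed above, injection of fraudulent form fields, leaves a trace the bank can see server-side: the POST arrives carrying fields the genuine page never had. The following is an added example, not code from the original report or from any bank; the login-form schema, the list of "verification" field names and the two request bodies are all constructed for illustration.

```python
"""
Added example: server-side detection of form fields injected by a
Man-in-the-Browser trojan. Not from the original report; the schema,
suspicious-name list and sample bodies below are constructed.
"""
from urllib.parse import parse_qsl

# Assumed schema for a hypothetical bank login form: field name -> max length.
LOGIN_FORM_SCHEMA = {
    "username": 64,
    "password": 128,
    "csrf_token": 64,
}

# Names an injected "additional verification" page typically asks for.
# Constructed list for illustration, not a vendor signature.
SUSPICIOUS_EXTRA_FIELDS = {
    "atm_pin", "card_number", "cvv", "ssn", "mothers_maiden_name",
}


def inspect_form_post(body: str, schema=LOGIN_FORM_SCHEMA):
    """Return (verdict, details) for a urlencoded POST body.

    verdict is 'ok', 'suspicious' (fields the real form does not have, the
    fingerprint of an injected page) or 'reject' (required fields missing
    or values oversized, so the request cannot be processed at all).
    """
    fields = parse_qsl(body, keep_blank_values=True)
    names = [name for name, _ in fields]
    seen = set(names)

    details = {
        "missing": sorted(set(schema) - seen),
        "unexpected": sorted(seen - set(schema)),
        "oversized": sorted(
            n for n, v in fields if n in schema and len(v) > schema[n]
        ),
        "duplicated": sorted({n for n in names if names.count(n) > 1}),
    }

    if details["missing"] or details["oversized"]:
        return "reject", details
    if details["unexpected"] or details["duplicated"]:
        # The browser was asked for data the bank never requested: log it,
        # step up authentication, and do not treat the extra values as
        # legitimate input.
        details["known_injection_names"] = sorted(seen & SUSPICIOUS_EXTRA_FIELDS)
        return "suspicious", details
    return "ok", details


# Constructed sample bodies: a clean login and one with injected fields.
CLEAN_POST = "username=alice&password=s3cret&csrf_token=abc123"
INJECTED_POST = (
    "username=alice&password=s3cret&csrf_token=abc123&atm_pin=1234&cvv=987"
)

if __name__ == "__main__":
    for body in (CLEAN_POST, INJECTED_POST):
        print(inspect_form_post(body))
```

The check only catches injection of extra fields. Form grabbing and keylogging of the legitimate fields happen inside the browser and are invisible to the server, which is the point of the paragraph above: once the malware is in the browser, the encrypted session offers the bank no protection against it.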

Trojan Password-Stealers and Online Games

Another segment of interest this year has been Trojan password-stealers, specifically those that target online games. Online games continued to grow in popularity throughout 2007. More importantly, revenues continued to increase. More revenue means customers are spending more money, and that is the reason online game customers are increasingly becoming targets.

The economics are relatively straightforward even if the market is a bit of a novelty. Virtual commodities exist in the virtual worlds of online games. Many players of such games are willing to spend real money on these virtual commodities. So the value of these goods is real even if they are not physically real. And things of real value are the targets of theft. The stolen commodities get auctioned off and the thieves are difficult to identify because the crime is completely online.

In short, the money being spent within virtual games and communities has increased - so we've seen a corresponding increase in the growth of this segment during 2007.

The family Trojan-PSW:W32/OnlineGames was created on September 14th, 2006. By the end of that year, we had around 150 detections. By the end of 2007, we will be close to twenty thousand detections for this family. And there are numerous other families targeting the online games segment as well.


Zlob - Fake Video Codecs and DNSChangers

One of the most successful pests of 2007 is Zlob. It's spyware that often claims to be a needed "video codec" to view copy-protected media.

Once installed, Zlob variants typically show fake error messages designed to convince the computer user to install and buy rogue antispyware products.

Other pests from the Zlob gang, such as DNSChanger, silently reconfigure the computer's DNS server settings. DNS servers are responsible for converting human-friendly host names into the numeric IP addresses computers use. Once the settings point at the gang's own servers, the Zlob gang controls where the Web browser ends up, whatever name the user typed.

They generate money by redirecting Web searches. Should the victim search for "air fare", Zlob's sponsored revenue-generating link will be put at the top of the results.

Zlob makes money by acting as a parasite. Stealing data from their victims is not the goal, and they don't steal the computer's resources to build a botnet either. What the Zlob gang prefers is to use their victims. As the victim does not suffer undue harm, many may not even realize how they are being used.

The Zlob gang expanded their target audience in late October with the introduction of DNSChangers for the Mac OSX platform.
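Because a DNSChanger infection leaves the machine otherwise healthy, the practical check is to audit the configured resolvers against the ones you expect. The following is an added example, not code from the original report or from any vendor tool: it parses the resolver list out of Windows "ipconfig /all" output, a Unix/macOS resolv.conf and macOS "networksetup -getdnsservers" output, and flags any resolver not on an expected list. The expected-resolver list and all three sample outputs are constructed; the 203.0.113.0/24 addresses are from the documentation range and stand in for a rogue resolver.

```python
"""
Added example: audit configured DNS resolvers for the silent change a
DNSChanger makes. Not from the original report; EXPECTED_RESOLVERS and
the SAMPLE_* outputs are constructed for illustration.
"""
import ipaddress
import re

# Assumption: these are the resolvers the administrator handed out.
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_ipconfig(text: str):
    """Resolvers from 'ipconfig /all'. The 'DNS Servers' line carries the
    first address; further addresses follow on unlabelled indented lines."""
    resolvers = []
    in_dns = False
    for line in text.splitlines():
        m = re.match(r"^\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            resolvers.append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            cont = re.match(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
            if cont:
                resolvers.append(cont.group(1))
                continue
            in_dns = False
    return resolvers


def parse_resolv_conf(text: str):
    """Resolvers from /etc/resolv.conf 'nameserver' lines."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def parse_networksetup(text: str):
    """Resolvers from 'networksetup -getdnsservers <service>': one address
    per line, or a sentence saying none are set."""
    return [
        l.strip() for l in text.splitlines()
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", l.strip())
    ]


def audit_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Return a list of (address, reason) for resolvers needing attention."""
    findings = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            findings.append((r, "unparseable address"))
            continue
        if str(addr) in expected:
            continue
        if addr.is_loopback or any(addr in net for net in RFC1918):
            findings.append((r, "unexpected local resolver"))
        else:
            # A public resolver nobody configured is the DNSChanger pattern.
            findings.append((r, "unexpected public resolver"))
    return findings


# Constructed sample outputs.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.internal
   IP Address. . . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8
"""
SAMPLE_RESOLV = "# constructed\nnameserver 10.0.0.53\nnameserver 203.0.113.9\n"
SAMPLE_NETWORKSETUP = "There aren't any DNS Servers set on Ethernet.\n"

if __name__ == "__main__":
    print(audit_resolvers(parse_ipconfig(SAMPLE_IPCONFIG)))
    print(audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV)))
    print(audit_resolvers(parse_networksetup(SAMPLE_NETWORKSETUP)))
```

On a Mac the same check should also cover each network service listed by "networksetup -listallnetworkservices", since the DNSChanger variants described above need an admin password and can therefore change every interface, not just the active one.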


Apple Security

The year 2007 was a banner one for Apple - their hardware is more popular than ever. More Apple hardware equals a greater installed base of Apple software.

Trojan DNSChangers for Mac OSX

As mentioned above, DNSChangers have started targeting Mac OSX. Social engineering is used to persuade users to enter their admin password for the install. Getting a Mac user to type his password for a "video codec" he wants isn't a significant challenge to overcome; it hasn't been one for Windows malware that needs elevated rights either. And we're seeing a growing number of Mac DNSChanger variants. The previous lack of Mac OSX malware could be a distinct disadvantage for its users: social engineering short-circuits a false sense of security.

Apple Mac's market share is now significant enough for the Zlob parasites to target, as malware gangs don't make an effort to develop something without the promise of a profitable return.

Apple's Safari browser for Windows likely contributed to this development. When the Safari for Windows beta was released in mid-June, researchers seized upon it and many security flaws were discovered. Many of those flaws were mirrored in the Mac version of Safari.

Web sites pushing DNSChangers determine the OS and the browser version being used by the visitor. The appropriate version of the malware is dynamically provided - visit with a Mac and you'll get Mac malware.



The Apple iPhone boasts an impressive design and a distinctive user interface. It was released in the U.S. at the end of June and became available in Europe during the fourth quarter of this year.

In just six months the iPhone has become a very well understood device.

It uses a version of Mac OSX, which is in turn based on Unix. If you understand Unix security, then you can relatively easily "port" your knowledge and understanding to the iPhone.

The iPhone also ships with the Safari browser and runs it with full rights. Combine the portability of Unix knowledge with the known Safari flaws mentioned above and the excellent hardware design, and focus on the iPhone greatly intensified. Add the fact that the iPhone is a "locked" device and you have a perfect combination of factors leading to iPhone exploit research.

H.D. Moore added iPhone support for the Metasploit framework in September making security and attack research much easier.

Exploits for the iPhone are sought as a means to unlock the device. But publishing those exploits has a security consequence: the same flaws that unlock the phone for its owner can be used against its owner.


Mac OSX 10.5, code-named Leopard, was released at the end of October. It's a major release for Apple.

It's been well received for its features and sales are good but with increased popularity come increased focus on security flaws.

There have already been numerous updates made available. Research has suggested that old security flaws may have been reintroduced, and Leopard's new firewall received criticism for its implementation. Both may affect Apple's aura of perfect security.

QuickTime and iTunes

On the topic of popular Apple applications, there's iTunes. The installed base of iTunes reaches far into the Windows platform; even those without iPods use the application. And with iTunes comes QuickTime player.

QuickTime player is one of a growing number of applications targeted by malware. Previously, third-party applications were targeted as low hanging fruit as the Windows OS was hardened.

By the end of 2007 we're seeing more and more exploits for third-party applications. Is it because they are the low hanging fruit? Or perhaps it is because the applications have reached such popularity as to become as ubiquitous as Windows itself.


Mobile Security

Symbian S60 3rd Edition has done an excellent job in curbing malware. Symbian leads the world's market share of smartphones. Mobile malware discovered during the second half of the year affects older S60 2nd Edition phones.

What we continue to see on 3rd Edition platforms are spy-tools. The application vendors are able to get their spy-tools signed by submitting them as "back-up" software. The signed application is then also marketed for dubiously legal purposes. This trend matches what we saw during H1 and we expect it to continue.

S60 3rd Edition is more tightly controlled than previous versions, hence the lack of malware so far. However, the iPhone demonstrates that some users of tightly controlled devices want to "unlock" those devices. During October there were Symbian platform "hacks" posted. The hacks used a bug in the firmware update package software to completely disable the platform security of S60 3rd Edition phones. If more users opt to unsecure their phones, it will have an effect on the future of mobile security.

One additional thought, as commercial vendors use what amounts to social engineering to get their questionable software signed, can malware authors be far behind? With a system that relies on humans to sign software, humans are, as with PC malware, the weak link.


Database Breaches

Reports of database breaches and data losses are becoming routine. There are massive amounts of personal data vulnerable to theft stored in databases worldwide.

January started the year with a bang. Reports revealed that TJX Companies had exposed 45.7 million credit card numbers and transaction details. Poor WiFi security configuration and outdated WEP encryption were the culprits.

November caps off the year in the U.K. with HM Revenue & Customs (HMRC) losing 25 million names, addresses, and national insurance numbers. Two CDs containing information on parents and their children, along with a portion of their bank account details, were lost in the mail.

The use of personal data for ID theft is one obvious concern. A newer concern is mass targeted attacks and mass spear phishing. Targeted attacks and spear phishing employ very detailed personal information as part of their social engineering: the target is addressed by name and the details of the message match their own personal details.

Spam addressed to "Dear Customer" is not nearly as effective as spam addressed to an individual using correct job titles and locations. Include additional factual details and the victim lowers their guard, exposing themselves to phishing, trojans, backdoors, and more.

A November 6th letter from Salesforce.com acknowledged the leak of the company's contact list. The result of the leak was spear phishing attacks made on their customers.

Late November also brought news of a mass targeted attack using the U.S. Department of Justice as the bait. Recipients were addressed by name and their company name was used. The spam message claimed that the company had received a DOJ complaint. The supposed complaint, a trojan-downloader, was attached to the message.

Personal information available for exploit is everywhere. With the popularity of social networking sites it's ever more readily available to the bad guys.

We'll see more bulk targeted attacks via spam as database leaks are used to enhance social engineering during 2008.


Web Exploits

Besides targeted spam, as "spray and pray" spam waves decrease in effectiveness, there is an increase in Web based threats. As noted in the Storm section, once Storm attachments were blocked, the malware executables were moved to the Web.

There's an increase in the use of ready-made exploit kits such as MPack, IcePack and Neosploit, which include easy-to-use Web-based admin interfaces. These kits not only target Windows and Internet Explorer vulnerabilities but also other browsers, QuickTime, Real Player, WinZip, et cetera. They even come with support packages and updates, for the right price.

Some other trends:

  • Use of paid ads carrying a Flash exploit on high-profile websites (NHL, MLB).
  • Use of search engine manipulation to direct people to malicious sites.
  • Criminals continuously searching for sites to compromise. (Bank of India, CSIRT in China).


Conclusion and Predictions

What we saw during H2 and the whole of 2007 was volume. Malware authors are criminals, and as time passes they are becoming increasingly professional at their "business". Kits and commodity markets are the result. The tools of online crime are being produced professionally. The purchased kits are producing malware in bulk. The stolen data is traded as a commodity on underground auction sites. It's easy money with little exposure to law enforcement.

What will we see in 2008? More of the same - lots more of the same but better, stronger, faster. The criminals have the technology. Everything will continue in bulk to ensure broad coverage. And as the bulk increases individual security awareness, new improved technology powered social engineering will strip that awareness away again. 2008 will be a challenge of endurance.