Q2 2008 Threat Summary
Silent Growth of Malware Accelerates
Click the image above for video
The number of malware detections seen during the first half of 2008 has exceeded the growth rate experienced during 2007. We ended 2007 with 500,000 total detections. By the end of June 2008 this number is around 900,000. The growth rate has never been faster.
This recent explosion of malware doesn't necessarily represent new types of threats. It is largely the packing, encryption, and obfuscation of existing families of trojans, backdoors, exploits, and other threats. What the increasing use of self-defense technologies in malware represents is the ever growing professionalism within the crime-ware community.
Criminals are adapting and utilizing enterprise level systems and code within their operations. The complexity and quality of their IT infrastructure and systems continues to increase, providing them with the power to silently flood the Internet with their menace.
Trend towards More Targeted Attacks
The first half of 2008 has witnessed a growing number of targeted malware attacks on individuals, companies, and organizations.
In a targeted malware attack, the attacker profiles his victim and sends an e-mail using the recipient's name, title, and perhaps references to his job function. The message's content is typically something that the recipient would expect to receive via e-mail.
The content will seem like an ordinary Word or PDF document, or other common file type, but infects the recipient's computer with a hidden payload. Often this is a backdoor that gives the attacker access to the information stored on the computer without any outward sign of infection.
As an example of an attack during the month of May, high-level executives were targeted with an e-mail mentioning a supposed complaint made to the Better Business Bureau (USA) about their company. By researching their chosen targets, the criminals were able to use real company and individual names. This made the approach much more credible to the recipients, who were then more likely to follow the on-screen instructions and put their computer at risk. The technique used a high degree of social engineering and specialized malware to infect the would-be victims.
In this case the e-mail message linked to www.us-bbb.com in order to download the "complaint". The real Better Business Bureau is located at www.us.bbb.org. The supposed complaint allegedly required an Adobe Acrobat update to be read and the download claimed to require Internet Explorer and an ActiveX component. Once the ActiveX application was installed, a backdoor opened the system and provided access to confidential information.
Targeted Political Motives
Targeted malware attacks are also being used for political and military motives. During the recent clashes between Tibetans and the Chinese military, the battles on the streets were accompanied by political espionage on the Internet. Human rights groups, pro-Tibet organizations and individuals supporting the freedom of Tibet were attacked with a carefully targeted and technically advanced e-mail campaign that attempted to infect their computers in order to spy on their actions.
The content of the e-mails was crafted from the real announcements and messages of the pro-Tibet groups. Some e-mails purported to include pictures of Tibetans shot by the Chinese army. The e-mails were forged to look like they were coming from trusted persons or organizations, making it more likely that they would be opened by the recipients. They were sent to mailing lists, private forums and directly to persons working inside pro-Tibet groups. Some individuals received targeted attacks several times a month. The attacks used many "trusted" file types including DOC, XLS, PPT, PDF, and CHM.
For example, one document seemed as if it was sent by the Unrepresented Nations and Peoples Organization (UNPO) but the e-mail headers were forged and the e-mail was coming from somewhere else altogether. The e-mail issued a statement of solidarity for the people of Tibet and contained a modified version of a PDF-encoded vulnerability to exploit Adobe Acrobat. If the recipients opened the document, they were infected with a keylogger that collected and sent everything typed on the affected machine to a server running at a DNS-bouncer system. The exploit inside the PDF file was even crafted to evade detection by most antivirus products at the time.
We have seen some of the same malware applications used for both political and corporate attacks. This supports the conclusion that those with the political motives to attack free Tibet groups are also involved in attacks on businesses, notably businesses within the defense industry.
Guarding against such personalized attacks requires great individual vigilance and a strong security culture within an organization. Most security education is designed to inform people of online threats directed at millions of Internet users and is not nearly as effective in protecting individuals who have been specifically targeted.
F-Secure has developed proactive DeepGuard technology to fight attacks such as these targeted attacks. DeepGuard is shipping in all of F-Secure's current workstation products.
The same tools and information that are helping criminals to collect data on individuals is also being used to collect profiles on groups. Phishing a particular group is known as spear phishing. The attackers only send phishing bait to those that match the data profile. A spear phishing attempt may even attempt to address the recipient by name by analyzing the e-mail address. For example, "firstname.lastname@example.org" becomes "Dear John" rather than "Dear Customer" as is used by most generic phishing.
Increasingly Sophisticated Malware
Not all of the malware seen during the first half of the year were repackaged known threats. There were also some notable developments.
The flexibility of current malware attacks demonstrates that some criminals have considerable resources and expertise at hand. Creating advanced backend systems requires serious time and investment.
This year we have seen a very advanced Master Boot Record (MBR) rootkit, known as "Mebroot", which is probably the stealthiest malware produced so far.
It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system. The F-Secure team that developed our defense against Mebroot estimates that it took several months of development.
The Storm worm has been dubbed malware 2.0 for its sophisticated sense of timing and social engineering methods, as well as the complexity of its design. It utilizes peer-to-peer technologies, creating a decentralized botnet that fights back against detection.
Storm has played a major role in the evolution of the online threat towards the current trend of drive by downloads.
Microsoft Corporation reported in April that its Malicious Software Removal Tool (MSRT) has been very successful in disinfecting Storm's bots, remotely controlled components in the criminal Storm gang's network of infected computers.
Nevertheless, there has recently been an upswing in e-mails being sent out attempting to trick people into visiting Storm websites. The Storm botnet certainly isn't as big as it used to be, but it's unlikely that we have seen the last of it.
During the first half of 2008 we've seen online criminals using powerful tools to locate websites using SQL servers hosting insecure pages. The SQL servers themselves are not insecure; the tools seek out web forms that allow unchecked/unfiltered malicious input. Using the vulnerable forms these tools automatically injected the site with malicious code.
More and more web sites are using database back-ends to make them faster and more dynamic. From a security perspective, this means that it's crucial to verify what information gets stored in or requested from those databases — especially if a web site allows users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, and so on. Unless that data is sanitized before it gets saved, it's not possible to control what the web site will show to the users. SQL injection is all about exploiting weaknesses in these controls.
Such mass SQL injection attacks are increasing in number and we're seeing more domains being injected and used to host the attack files. Tens of thousands of hacked sites are actively affected. Millions have been hacked. We believe that there is now more than one criminal group using a set of different automated tools to inject malicious code. There is no longer any such thing as a "trusted site". Any site running a vulnerable form is at risk.
The SQL attacks inject IFrames that attempt to use several exploits to infect visiting computers. Infection by drive-by-download is more common than ever before.
New versions of popular web browser have been released during the month of June. Firefox version 3 was released on June 18th with a very large marketing push in the United States. Millions of copies were downloaded and installed within the first 24 hours.
Opera 9.5 was released on June 12th. Internet Explorer 8 is in beta development.
All of these browsers contain enhanced security features that promise more of a challenge to malware.
Third Party Applications
As browsers are become hardened, much of the "lowest hanging fruit" has become the third party applications that have a large installed base.
Adobe Flash is one example. Flash is installed on nearly all Windows based computers. The Response Lab received sizable numbers of malicious Flash files during May and June. Such Adobe Flash exploits have been used in combination with the SQL injection attacks mentioned above. All but the current version of Flash 18.104.22.168 are at risk and many, many computers do not have the current version installed.
The powerful automated tools employed by malware wielding criminals have made it ever more important to update all of the application installed on one's computer.*
Mobile Phone Security
During the first half of 2008 there were no significant mobile malware outbreaks. There was one new S60 2nd Edition worm called Beselo, more proof-of-concept type malware, and new commercial spy tools.
Mobile phone "modding" - the recreational hacking or modifying of phone hardware/handsets - has been very dynamic during the January to June period. Mobile phone enthusiasts are drawn to popular hardware and are eager to unlock any restrictions that exist. It's very similar to the modding culture that exists among the video game community.
Jailbreak is a UNIX term that refers to the placing of files outside of a restricted folder structure. Once files have access to and are located in such restricted folders - privileged locations - the operating system can be altered.
The term jailbreak recently entered popular culture thanks to the Apple iPhone. Enthusiasts have developed easy to use tools with which to jailbreak the iPhone. The popularity of the device has led to rapid growth in iPhone security research.
Perhaps some of this mobile activity has fueled the Symbian modder community as well. The Symbian operating system is the market-leading open operating system for mobile smartphones. Sales and market-share for Symbian based phones far exceed those of the iPhone. It is now possible to "Jailbreak" the Symbian S60 3rd Edition operating system with a single easy to use application.
Recent hacking techniques have targeted Symbian's debugging interface, thus giving modders full control of the device without having to touch the firmware which can be risky. It also appears that all versions of the current Symbian operating system may be vulnerable to the techniques used. A graphical SISX application has only been developed for S60 3rd Edition however.
The privilege escalation allows the phone's owner to install completely unsigned applications. Only signed or self-signed applications are possible with the security model intact. The hack limits the launching of new applications, but combined with another application, the hack can be toggled on or off at will following the first configuration.
It's possible that Cabir, Commwarrior, or Beselo source code could be updated to run on S60 3rd Edition phones and with the addition of this privilege escalation they could cause similar problems as they do on 2nd Edition phones. However, Nokia and Symbian have worked on more S60 security features than just the platform security capabilities model. Current user interfaces would present more of a social engineering challenge than with 2nd Edition phones. We predict that someone will produce malware for 3rd Edition phones at some point just to prove that it's possible, but don't yet foresee any widespread threat.
More likely we'll see a small but growing subset of enthusiasts running homebrew applications in much the same way as with the iPhone. Those users who are willing to risk the security consequences will run free applications from developers that skip the expense of the Symbian signing process. This subset of enthusiasts will continue to grow and will present more and more of a challenge to IT administrators attempting to enforce security policies within their organizations.