Q4 2009 Threat Summary
2009's Worm of the Year: Conficker
Major security developments in 2009 included Conficker, the most pervasive networking worm in years.
Conficker spread quickly on computers running the Windows XP operating system that had not been patched with a late-2008 Microsoft update. Infection rates peaked at more than 12 million computers worldwide, causing major problems for companies, hospitals, airports and other public institutions around the world.
Unlike many previous worms that were released in the wild for personal fame, Conficker was designed to call home and create a botnet of infected computers — a potentially profitable commodity for the authors of the worm. The Conficker Working Group, composed of several anti-virus companies including F-Secure, prevented the worm from reporting home and establishing a powerful botnet. Nevertheless, millions of computers still remain infected with Conficker at the end of 2009. It is still a mystery who wrote the Conficker worm.
This year saw the launch of the Windows 7 operating system as a replacement for Windows Vista and Windows XP, which were both affected by major security concerns. Windows 7 shows promise as a leaner, more secure operating system, and also has an improved user security experience compared to Vista.
The focus on a better user experience and improved security is also one of the important trends in 2009, coinciding with the emergence of Netbooks.
Facebook, MySpace, Linked-In, Twitter — social networking sites have been all the rage in 2009.
On December 1st, Facebook announced that it has 350 million user accounts.
Social Networks have also become a major target for online criminals who are misusing the high level of trust involved in communities of friends and contacts to carry out phishing attacks and spread links to malicious websites. Compromised social networking accounts provide the ideal cover for online criminals to develop new money-making activities. People are much more likely to click on a link that seems to be coming from a trusted friend or relative, than an attachment or a link in an e-mail from someone they don’t know.
Sites such as Facebook are now working to implement greater privacy controls and are attempting to simplify the user experience in an effort to limit the misuse of trust.
Curse – The "Curse of Silence" exploit against several current versions of Symbian S60 phones was demonstrated at the end of December 2008. The exploit was very easy to use, and a video demonstrating how to perform it was quickly distributed on the Web. The effect of the exploit is to jam the victim's SMS messaging.
Many network operators reacted quickly and started filtering their SMS traffic so as to prohibit the exploit message. Nokia later released a free recovery utility called "SMS Cleaner". The exploit was, at best, a potential nuisance with little profit motive, and has not been widely reported to have been used.
Latitude – In February, Google Latitude was introduced for the very popular mobile Google Maps application. Google Maps has the ability to locate the phone based on GPS or cell tower positioning. The Latitude add-on allows users to "broadcast" their location to approved individuals using their Google account IDs. The service is easy to use and is a likely sign of things to come. Location-based applications are in high demand, and many other service providers seek to offer solutions with a social networking focus. The introduction of Latitude has alarmed some privacy advocates, but so far users retain control over their own information.
FlexiSpy – A well-known spy tool began offering an iPhone version during Q1 2009. FlexiSpy for iPhone requires the phone to be "jailbroken". The software's features include hiding the interface icon as well as hiding the fact that the phone itself has been jailbroken. FlexiSpy tracks the phone's usage (SMS, e-mail, GPS, etc.) and sends the collected data to FlexiSpy's website, from where the phone's owner, or another party, can view the logged reports.
Sexy View – Worm:SymbOS/Yxe.A was the most significant mobile malware case of Q1. The Yxe worm is the first discovered SMS worm, and is spread largely in China.
Yxe is also the first malware compiled to run on Symbian S60 3rd Edition phones. The S60 3rd Edition platform is largely protected by requiring applications to be Symbian Signed. In the case of Yxe, a leaked, valid certificate was used to sign the worm, so very little user interaction was required for installation.
Yxe infects a phone by sending the victim an SMS message that promises a "sexy view" and celebrity gossip. The SMS links to a website that then prompts the victim to install the Yxe worm. If the victim does so, the worm uses the victim's contact list to spread itself further. The victim's contacts receive a message that appears to come from their friend, and so the worm continues to spread via social engineering. On installation, the worm reports the phone number back to the website from which it was downloaded.
SMS spam is a large problem in China with hundreds of billions of spam messages reported. This harvesting of phone numbers is very similar to the harvesting of e-mail addresses seen on PCs in 2002. Several network operators have been fined as China works to shut down access points that allow the sending of SMS spam.
SEO Attacks and Rogue Scareware
Much of the traffic to malicious websites is generated by search engine optimization (SEO) attacks, where the attackers seed the search engines with popular search topics such as the names of celebrities in the news. When people end up on these sites, their computers are compromised.
The installation of rogue security products has been a favorite tactic of criminals in 2009, and the case of File Fix Professional is a good example. In fact, the writers of this software do not push the product themselves; all the work is done by their botnet master affiliates. File Fix Pro encrypts some of the files in the My Documents folder and then confronts the user with what seems like a realistic error message, saying that Windows recommends downloading a special tool to fix the files. When the user clicks on the message, he gets a download of File Fix Pro, which does "fix" the files – in other words, decrypts them – if the user pays $49.99 for the product.
It is a clever social engineering trick because the user does not realize that the files have been taken hostage and the purchase of the rogue security product is a ransom payment to recover the files. The user may even recommend this seemingly useful software to others. The real software vendor is not actually doing anything illegal because it is the botnet holders who are encrypting people’s files and making them purchase the tool.
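The hostage-taking described above leaves a detectable trace: documents that were readable text or structured office files are suddenly rewritten as high-entropy ciphertext. The following added example (not from the original report or from F-Secure) shows a simple defender-side heuristic for spotting such files. It builds a constructed sample "My Documents" folder in a temporary directory, with one plaintext report and one file overwritten with random bytes standing in for an encrypted document, and flags files whose leading bytes look encrypted. The threshold of 7.5 bits per byte and the 64 KiB sample size are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: plain text and most uncompressed office data score far lower,
# while ciphertext approaches the 8.0 bits-per-byte maximum.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_encrypted_files(root, threshold=HIGH_ENTROPY_THRESHOLD, sample_bytes=65536):
    """Return paths (relative to root) of files whose leading bytes look encrypted.

    Only the first `sample_bytes` of each file are read, so the scan stays cheap
    on large folders. Very small files are skipped because entropy estimates on
    a handful of bytes are meaningless.
    """
    root = Path(root)
    suspicious = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as f:
            head = f.read(sample_bytes)
        if len(head) >= 256 and shannon_entropy(head) >= threshold:
            suspicious.append(str(path.relative_to(root)))
    return suspicious


def build_sample_documents():
    """Constructed sample data: one ordinary text document beside one file that has
    been overwritten with random bytes, mimicking a document taken hostage."""
    root = Path(tempfile.mkdtemp(prefix="mydocs_"))
    (root / "report.txt").write_bytes(b"Quarterly report. " * 200)
    (root / "budget.xls").write_bytes(os.urandom(4096))  # stands in for an encrypted file
    return root


if __name__ == "__main__":
    folder = build_sample_documents()
    print("Scanning", folder)
    for name in scan_for_encrypted_files(folder):
        print("possible encrypted document:", name)
```

Entropy alone is a heuristic, not proof: already-compressed formats such as zip archives, JPEG images and modern Office files (which are zip containers) also score high. In practice this check is paired with a baseline of what the folder looked like before, so that only files whose entropy jumped between scans are reported.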
- YouTube Video: Tiger Woods SEO Attacks
In 2009 smartphones have become more popular and more powerful than ever. Smartphones are increasingly used for Internet based activity, including social media. Much of this has been driven by the iPhone and other touchscreen smartphones. The iPhone already has more than 10 percent share of the smartphone market and its popularity is inevitably attracting the attention of malware writers.
At the end of 2009 jailbroken iPhones became a target for the first profit-motivated malware on this platform. The speed of the malware evolution for jailbroken iPhones is a telling sign of the times. The news of a Dutch hacker exploiting a jailbroken iPhone vulnerability was quickly followed by an Australian hobbyist writing the Ikee worm that tried to "teach people a lesson" for not changing their default SSH password. The worm changed the wallpaper on infected iPhones to a picture of Rick Astley.
The first profit-driven worm for jailbroken iPhones then emerged almost immediately in the Netherlands. It was designed to create a mobile botnet and gain access to online banking details, and tried to redirect the customers of a Dutch bank to a phishing site when they accessed their online bank from the iPhone.
We fully expect this kind of organized criminal activity involving smartphones to increase next year.
Cloud Security in 2009
While criminals are busily churning out an unprecedented volume of malware, the security industry is also developing ever more sophisticated technologies to meet the threats. In 2009 "cloud computing" emerged as an important advance against the constantly evolving malware threats.
F-Secure has been among the pioneers of developing antivirus in the cloud. This means that all the information we have about all the possible malicious programs and all the possible good programs is now stored "in the cloud", i.e. in our data centers, with no limits on the amount of data.
The benefits of real-time access to this vast amount of information are substantial. For example, antivirus databases no longer eat up the memory and hard drive space on people’s computers. Protection in the cloud also means that when we tag a file as "bad", all our customers around the world are protected against the threat in a matter of seconds.
- YouTube Video: Evolution of Security