2010 Security Wrapup
Though the security news of the last months of 2010 has been dominated by Wikileaks and the politically motivated online attacks carried out by its opponents and supporters, 2010 will be most remembered as the year when the theoretical threat of cyber sabotage became possible.
In this summary:
- Wikileaks and DDoS made easy
- Stuxnet: the most significant malware development of the decade?
- Best year ever for arresting cybercriminals
- Windows XP still the major target
- Mobile security developments
Wikileaks and DDoS made easy
During the last months of 2010, Wikileaks and the politically motivated online attacks carried out by its opponents and supporters made international news, but the methods the attackers used were all too familiar to security experts.
Mikko Hypponen, Chief Research Officer at F-Secure, says, "There is nothing new in the type of distributed denial of service (DDoS) attacks that were used to target companies like Mastercard, Visa and Paypal, which had dissociated themselves from Wikileaks. But today DDoS attacks have become so easy to carry out that almost anyone can participate."
The first DDoS attacks took place in 2000, and since then the technology has become so simplified that many of the so-called hacktivists participating in the attacks may be unaware that they are breaking the law.
“Most of the attackers who are part of the so-called Anonymous group are not really computer experts at all but people who want to participate in the attack because they believe in the cause,” says Hypponen. “So they download the tool and let others use their computers to mount the attack. I'm quite sure most of the people participating in these attacks don't really realize that these are serious crimes.”
Preventing such attacks is a complex, costly endeavor, and typically companies don’t think about prevention until the assault is underway.
“These attackers have succeeded in shutting down the online payment credit card verification systems of both Visa and Mastercard and disrupted part of the PayPal service, immediately causing losses to credit card companies,” says Hypponen.
While these attacks certainly have global political significance, they do not live up to the definition of “cyber war”. "War isn't just nameless attacks between parties that are not nation-states to begin with," says Hypponen. "WikiLeaks is not a country. MasterCard is not a country."
Stuxnet: the most significant malware development of the decade?
The most significant malware development of the year – and perhaps of the whole decade – has been the highly sophisticated Stuxnet worm.
“Stuxnet can attack factory systems and alter automation processes, therefore making cyber sabotage a reality by causing real world damage,” says Mikko Hypponen.
A Windows worm most likely spread through USB devices, Stuxnet infects a system, hides itself with a rootkit and checks whether the infected computer is connected to a Siemens Simatic factory system. If it finds a connection, it then modifies the commands sent from the Windows computer to the PLCs (Programmable Logic Controllers), i.e. the boxes that actually control the machinery. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.
Hundreds of thousands of computers around the world have been hit by Stuxnet. Siemens has announced that 15 factories were known to be infected. But Stuxnet is not limited to industrial plants. Most of the infected machines are collateral infections, i.e. normal home and office computers. But the fact that Stuxnet was designed to target a very specific facility or facilities points to the revolutionary nature of the threat.
Unusually large at 1.5 MB, Stuxnet exploited 5 vulnerabilities (4 of which were zero-days; all have since been patched by Microsoft), employed a stolen digital signature and installed its own driver. F-Secure Labs estimates that it would take more than 10 man-years of work to complete Stuxnet.
This complexity and the fact that it could be used to impair the ability of a centrifuge to enrich uranium while providing no monetary gain suggest that Stuxnet was probably developed by a government—though which government is unclear.
For more information about the clues that may suggest who created Stuxnet, visit the F-Secure Labs weblog: Stuxnet Redux: Questions and Answers
Best year ever for arresting cybercriminals
2010 has been the best year ever in terms of the number of people arrested and convicted for committing online crimes.
Malware, which used to be written by hobbyists, became a vast profit-driven business controlled by criminals around 2003. However, for years the transition of malware from an online annoyance to criminal activity was not reflected by the number of arrests and convictions of the perpetrators. In the rare cases that people were caught and prosecuted, the sentences were hardly punitive. But in 2010 F-Secure saw what we hope is the beginning of a shift in the ability of law enforcement to identify, capture and prosecute cybercriminals.
In a landmark case in March 2010, Alfredo Gonzales received a 20-year jail sentence for being the ringleader of a gang that hacked tens of millions of credit card records from TJ Maxx and several other US retailers. This is the longest sentence ever passed in a cyber crime case. Gonzales and his gang members gained access to the authentication systems of the retailers’ cash registers by hacking into their Wi-Fi networks. Millions of credit cards had to be re-issued as a result.
The FBI revealed in October that it had arrested more than 90 suspected members of an international cyber crime ring, accused of stealing about $70 million from bank accounts in the United States.
More arrests were also made in the UK and in Ukraine, from where the operation was directed. The criminals had gained access to people’s online banking details by sending infected spam messages. According to the FBI, the arrests were part of “one of the largest cyber criminal cases we have ever investigated”.
An interesting case involving spy tools installed on mobile phones was reported by The Register in July: Romanian authorities had arrested 50 people accused of using off-the-shelf software to monitor the mobile phone communications of their spouses, competitors and others.
The Romanian Directorate for Investigating Organized Crime and Terrorism also arrested Dan Nicolae Oproiu, a 30-year-old IT specialist who allegedly sold the spyware for handsets running the iPhone, Blackberry, Symbian, and Windows Mobile operating systems, according to The Register.
Mikko Hypponen says, “Antivirus companies are not the police but we always provide the material uncovered by our investigations into cybercrime to the authorities so they can take action. It’s great to see this is having an effect and we hope that the new level of arrests and punitive sentencing represents a permanent shift in the way cybercrime is tackled.”
Windows XP still the major target
The Windows 7 operating system has been lauded as a safer operating system than its predecessor, Windows Vista. Despite overtaking Vista in terms of market share this year, Windows 7 is still far behind Windows XP, which remains the most popular operating system and the biggest target for malware writers.
"Cybercriminals will always look for the easy targets," says Mikko Hypponen. "It's likely that XP attacks will still be around for a number of years.”
In July 2010, Microsoft stopped issuing updates for Windows XP Service Pack 2. At that time, we estimated that 10% of our customers were still using XP SP2, potentially leaving them exposed to vulnerabilities that will never be patched.
The security implications of using outdated operating systems have been demonstrated by reports that the oil spill in the Gulf of Mexico could in part have been caused by the failure of computers that were still using Windows NT 4 from 1996.
Hypponen says, "It is irresponsible that a billion dollar oil drilling operation did not bother to keep its computers up-to-date and as secure as possible."
Mobile security developments
The amount of mobile malware did not increase dramatically in 2010, but the year saw some developments that may provide insight into future trends.
The year opened with several banking apps being removed from the Android Marketplace. The applications were not developed or authorized by the banks themselves and could not do real online banking from the Android device. Apparently they only opened the web interface of the online bank for the user and could have stolen user credentials.
In April, a trojanized version of the Windows Mobile game 3D Anti-terrorist action was uploaded to several Windows Mobile freeware download sites. Infected phones made secret calls to expensive premium rate numbers, resulting in big phone bills for the victims.
In August, it turned out that the Android app Tap Snake wasn’t just a game but a client for a commercial spying application called GPS SPY. The game looks like an average "Snake" clone. However, it has two hidden features. First, the game won't exit: once installed, it runs in the background indefinitely and restarts automatically when the phone is booted. Second, every 15 minutes the game secretly reports the GPS location of the phone to a server.
For years, F-Secure Labs has been predicting that it was only a matter of time before some banking trojan focused on phones. And the year closed with evidence that a ZeuS variant had been engineered to steal a mobile transaction authentication number (mTAN) using a Symbian (.sis) or Blackberry (.jad) component. mTANs are sent via SMS, and are used by some banks as a form of single use one-time password to authorize an online financial transaction.
An F-Secure Labs analysis of the configuration files revealed this attack was not a one-off by some hobbyist. It was developed by individuals with an excellent understanding of mobile applications and social engineering. Increasingly complex attacks targeting mobile banking are inevitable.