Which brings us to today, the last day in the office before a long Christmas break at F-Secure Labs. But just because this blog will be a bit quiet doesn't mean we're inactive. You can follow all of Mikko Hypponen's Tweets via: https://twitter.com/mikko
Check out the Risky Business security podcast's 2012 in review for a great compilation, with soundtrack, of Aussie Patrick Gray and Kiwi Adam Boileau's weekly news segments.
Finally, as you reflect back on the security issues of 2012, remember, don't panic.
In Finland, the most popular Christmas charity is run by the local Salvation Army. Their campaign is called Joulupata, and as you might expect, it has a website at www.joulupata.fi.
Earlier today, if you googled for "joulupata", the first search result looked unusual:
Looks dangerous. So let's fetch the site with wget and set the HTTP Referer header to www.google.com so the site believes we arrived via Google.
/tds/in.cgi - this sounds like the Sutra TDS (Traffic Distribution System). This kit is often used to distribute malware and spam via hacked websites. In this case, there was no malware, just a redirect to a website called Replicavips.
If you had visited the site without google.com as the referer, you would simply have landed on the unmodified joulupata.fi front page. That is the point of the trick: the site owner, who types the address in directly, never sees the redirect.
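The check described above, written out as a small script. This is an added example, not code from the F-Secure post: it starts a constructed local stand-in for a site with a referer-conditional TDS hook (the redirect path `/tds/in.cgi?default` is modelled on the one seen on the real site, not copied from it), then requests the page once directly and once per search-engine referer without following redirects, and flags the site as cloaked when only the search-engine visit is redirected. The function and class names are my own.

```python
import http.server
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Constructed TDS landing path, modelled on the /tds/in.cgi seen on the compromised site
TDS_REDIRECT = "/tds/in.cgi?default"


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a site carrying a referer-conditional TDS hook:
    visitors arriving from a search engine are bounced to the TDS, everyone
    else (including a site owner checking their own page) sees the clean page."""

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        if "google." in referer:
            self.send_response(HTTPStatus.FOUND)
            self.send_header("Location", TDS_REDIRECT)
            self.end_headers()
            return
        body = b"<html><body>joulupata.fi front page (clean)</body></html>"
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demo quiet
        pass


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib report a redirect instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer=None, timeout=5):
    """Single GET without following redirects. Returns (status, location)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
            return r.status, None
    except urllib.error.HTTPError as e:   # raised for the 3xx we refused to follow
        return e.code, e.headers.get("Location")


SEARCH_REFERERS = ("https://www.google.com/", "https://www.bing.com/")


def referer_check(url, referers=SEARCH_REFERERS):
    """Map referer -> (status, location); the None key is the direct visit."""
    results = {None: fetch(url)}
    for ref in referers:
        results[ref] = fetch(url, ref)
    return results


def is_referer_cloaked(results):
    """True when some search-engine referer gets a redirect the direct visit did not."""
    direct = results[None]
    return any(
        res[1] is not None and res != direct
        for ref, res in results.items() if ref is not None
    )


def start_demo_site():
    """Serve the constructed cloaking site on a random localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_demo_site()
    url = f"http://127.0.0.1:{srv.server_port}/"
    results = referer_check(url)
    for ref, (status, loc) in results.items():
        print(f"Referer={ref!s:28} -> {status} {loc or ''}")
    print("referer-cloaked:", is_referer_cloaked(results))
    srv.shutdown()
```

Against a real site, point `referer_check` at the URL instead of the demo server; the one-line equivalent of what the post did is `wget --referer=http://www.google.com/ --max-redirect=0 http://www.joulupata.fi/` (or `curl -e` with `-I`), which shows the 302 and its Location header instead of following it into the TDS.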
And what's on Replicavips? It's a site where you can purchase counterfeit watches. Don't go there.
The TDS site has been blacklisted by F-Secure and relevant parties have been notified. Be careful out there.
The World Conference on International Telecommunications (WCIT) was held by the International Telecommunication Union (ITU) to finalize changes to the International Telecommunications Regulations treaty (ITR).
In attendance were representatives of governments and companies from around the world, not all of whom are interested in Internet freedom. In the end, the United States announced that it could not sign the ITR treaty as generated by WCIT. Several other nations followed.
GulfNews.com appears to have a different take on the issue than does the Western media.
2. Leaks will reveal more government-sponsored espionage tools
Stuxnet, Flame, Gauss, et cetera — are they the tip of the iceberg?
A cyber arms race is well underway, and while we may not always be aware of nation-states' covert cyber operations, we can expect governments to be more and more involved in such activity. In 2013, we'll most likely see more leaks that definitively demonstrate this, including from countries that haven't previously been seen as a source of attacks. As the arms race heats up, the odds of leaks increase.
3. Commoditization of mobile malware will increase
The Android operating system has solidified in a way that previous mobile operating systems haven't, extending from phones to tablets to TVs and specialized tablet variants. The more ubiquitous it becomes, the easier it is to build malware on top of it, and the more opportunities criminals have to innovate on the business side. Mobile malware will become more commoditized, with cybercriminals building toolkits that can be purchased and used by other criminals without real hacking skills. In other words, malware as a service, for Android.
4. Another malware outbreak will hit Macs
2011 saw scareware called Mac Defender, and in 2012 Flashback took advantage of flaws in Java. The Labs predict 2013 will bring another Mac malware outbreak that will have some success within the Mac community.
The author of the Flashback Trojan is still at large and is rumored to be working on something else. And while there have been smart security changes to the Mac OS, there's a segment of the Mac-using population who are basically oblivious to the threats facing Macs, making them vulnerable to a new malware outbreak.
5. Smart TVs will become a hacker target
Smart TVs are plugged into the Internet, they've got processing power, and since they typically aren't equipped with security, they're wide open to attacks. Adding to their vulnerability is that, unlike home computers, many smart TVs are connected directly to the Internet without a router in between to drop unsolicited inbound traffic. Also, consumers often don't change the factory default username and password set for web administration, giving easy access to attackers.
It's very easy for attackers to scan the Internet for smart TVs. Once found, they only need to use the default username and password, and they're in. 2012 already witnessed LightAidra, which infected set-top boxes. 2013 could see smart TVs being used for such purposes as click fraud, Bitcoin mining, and DDoS attacks.
2013 may see a rise in popularity of tracking software, and not just for parental control purposes. There has already been growth in child safety apps that monitor kids' activities, for example, their Facebook behavior. Of course this kind of software can also be used to spy on anyone, not just kids. The more smartphones there are, the more people will be seeking out software like this, to find out what their spouses are up to, for example.
7. Free tablets will be offered to prime content customers
Tablets and e-readers are all the rage, and more and more often in closed ecosystems such as the iPad with iTunes or the Kindle with Amazon. As the Kindle price keeps dropping, the Labs predict that 2013 may bring a free e-reader or tablet for prime customers of companies who charge for content, like Amazon or Barnes & Noble. Closed ecosystems are more secure, but then you have to trust the provider to protect your privacy.
So what's good for security may not be great for your privacy.
Also, Amazon recently announced flat-fee plans for unlimited children's content and games. As more dedicated, and closed, devices are available, more and more parents will opt to restrict their children's usage of Windows-based computers, and that will affect their parental control software needs.
The Australian edition of SC Magazine reported on similar hacks earlier this year.
This strikes us as an interesting development as most of the ransomware we've seen during 2012 has been focused on locking out individuals from their desktops. (See the ransomware section of our H1 Threat Report.)
There have been numerous "hacktivist" driven breaches during 2012. (Including ones involving sensitive medical records.) It really is not much of a surprise, or it shouldn't be, that some criminals have developed ways to profit from the same sort of hacker activity. Is this the beginning of a trend which we'll see outside of Oz in 2013?
Finland has a rather small population in which F-Secure has a relatively large market share. (Natch.) And every so often, something "big" will occur in such a way that Finland becomes a kind of statistical laboratory.
Here's a graph of malware detections (as in preventions) that occurred in Finland from November 24th to November 27th.
And this is a graph of the same from December 1st to December 4th.
Why is there such a dramatic difference?
An advertising network used by one of Finland's most popular websites, suomi24.fi, was compromised during the December time period. And according to Suomi24, all of that malware traffic was pushed by a single ad from a third-party advertiser's network.
Just one ad.
This is what our customers using our Browsing Protection feature would have seen:
And if the site blocking wasn't enabled, this is the antivirus notification:
What was blocked? — Rogue Antivirus. As in fake security software.
Here's one version:
And here's another:
These rogue programs aren't actually scanning your computer for threats, but they're still more than happy to charge for their services. Rogues don't offer any free trials; they want payment up front.
Payment up front? That's generally a good sign there's something amiss.
Do you ever use your laptop's Smart Card reader? You don't? Yeah, we didn't think so.
(Half of you reading this probably didn't even realize it had one to begin with.)
Windows users: open your Control Panel, go to Administrative Tools, Services — and stop the Smart Card service (service name SCardSvr). Adjust the startup type to Disabled so it won't start with the system.
All done? Good.
Now you're not wasting resources on an unused service and as a bonus — a malware called Shylock will no longer infect your system.
Why's that?
Because upon execution, Shylock checks for the Smart Card service and if it isn't present, it quits.
Shylock 1
And that's not all. Marko from our Threat Research team found that it also checks for memory and hard drive space.
Here's the memory check:
Shylock 2
At least 256MB is required:
Shylock 3
And the hard drive related checks:
Shylock 4
Shylock 5
And as you can see from the "Shylock 3" image, the combined space across drives must be at least 12GB.
Now you might be asking yourself, why is Shylock so particular?
The most likely answer is that it's an attempt to avoid being analyzed by antivirus vendors, which typically use virtual environments for research. Such virtual environments are often built small, and don't always include things such as virtual Smart Card readers. But then again… sometimes they do.
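The three gates above, turned into a host-profiling script you can run inside an analysis VM to see whether the sample would even start there. This is an added example and not F-Secure's code or anything recovered from Shylock itself; the thresholds (256MB RAM, 12GB combined disk) are the ones from the post, while the service name SCardSvr and the reading that the service must be running (which is why stopping it is enough) are my assumptions. On non-Windows hosts the script reports "no Smart Card service" and sums only the root filesystem, which is exactly how a bare Linux sandbox would fail the checks.

```python
import os
import platform
import shutil
import string
import subprocess
from dataclasses import dataclass

# Thresholds quoted in the post
MIN_MEMORY_MB = 256
MIN_DISK_GB = 12.0
# Windows "Smart Card" service. Assumption: Shylock wants it running, which is
# why stopping it (as the post suggests) is enough to make the sample quit.
SMARTCARD_SERVICE = "SCardSvr"


@dataclass
class HostProfile:
    memory_mb: int
    disk_gb: float            # combined size of all drives, as Shylock sums them
    smartcard_running: bool


def shylock_gates(p: HostProfile) -> dict:
    """One entry per environment check; True means the host passes that check."""
    return {
        "smartcard_service": p.smartcard_running,
        "memory_ge_256mb": p.memory_mb >= MIN_MEMORY_MB,
        "combined_disk_ge_12gb": p.disk_gb >= MIN_DISK_GB,
    }


def would_shylock_run(p: HostProfile) -> bool:
    """Shylock quits as soon as a check fails, so every gate has to pass."""
    return all(shylock_gates(p).values())


def total_memory_mb() -> int:
    """Physical RAM: GlobalMemoryStatusEx on Windows, sysconf elsewhere (0 if unknown)."""
    if platform.system() == "Windows":
        import ctypes

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong)] + [
                (n, ctypes.c_ulonglong) for n in (
                    "ullTotalPhys", "ullAvailPhys", "ullTotalPageFile", "ullAvailPageFile",
                    "ullTotalVirtual", "ullAvailVirtual", "ullAvailExtendedVirtual")]

        st = MEMORYSTATUSEX()
        st.dwLength = ctypes.sizeof(st)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(st))
        return st.ullTotalPhys // (1024 * 1024)
    try:
        return os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE") // (1024 * 1024)
    except (ValueError, OSError, AttributeError):
        return 0


def combined_disk_gb() -> float:
    """Sum the total size of every drive (all drive letters on Windows, "/" elsewhere)."""
    if platform.system() == "Windows":
        import ctypes
        mask = ctypes.windll.kernel32.GetLogicalDrives()
        roots = [f"{c}:\\" for i, c in enumerate(string.ascii_uppercase) if mask & (1 << i)]
    else:
        roots = ["/"]
    total = 0
    for root in roots:
        try:
            total += shutil.disk_usage(root).total
        except OSError:       # e.g. an empty optical drive
            pass
    return total / 1024 ** 3


def smartcard_service_running() -> bool:
    """Ask the service control manager; non-Windows hosts have no such service."""
    if platform.system() != "Windows":
        return False
    out = subprocess.run(["sc", "query", SMARTCARD_SERVICE], capture_output=True, text=True)
    return out.returncode == 0 and "RUNNING" in out.stdout


def probe_host() -> HostProfile:
    """Collect the same three facts Shylock looks at, for the machine we run on."""
    return HostProfile(total_memory_mb(), combined_disk_gb(), smartcard_service_running())


if __name__ == "__main__":
    host = probe_host()
    print(host)
    for name, ok in shylock_gates(host).items():
        print(f"{name:24} {'pass' if ok else 'FAIL'}")
    print("Shylock would run on this host:", would_shylock_run(host))
```

If your sandbox prints a FAIL line, the sample will quit before doing anything interesting; give the VM more RAM or disk, or start SCardSvr, and the gate flips. The inverse reading is the one the post makes: a real workstation with the Smart Card service stopped fails the first gate.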
Acting on a tip, a member of our Threat Research team (Brod) has discovered a Dalai Lama related website is compromised and is pushing new Mac malware, called Dockster, using a Java-based exploit.
Page source from gyalwarinpoche.com:
Here's a screenshot of gyalwarinpoche.com from Google's cache:
Note: Google's November 27th snapshot also includes a link to the malicious exploit (so don't visit).
The gyalwarinpoche site doesn't seem to be as "official" as dalailama.com:
The Java-based exploit uses the same vulnerability as "Flashback", CVE-2012-0507. Systems running a current, patched version of Mac OS X, and those with the browser's Java plugin disabled, should be safe from the exploit. The malware dropped, Backdoor:OSX/Dockster.A, is a basic backdoor with file download and keylogger capabilities.
This is not the first time gyalwarinpoche.com has been compromised and it certainly isn't the first time Tibetan related NGOs have been targeted. Read more here and here.
There is also an exploit, CVE-2012-4681, with a Windows-based payload: Trojan.Agent.AXMO.