Rik Myslewski's article says (among many other things in a three-page article that particularly focuses on Apple and Google) that “Waiting in the wings are corporate entities eager to exploit your personal information, and government agencies watching your every step.”

To which I responded in the blog cited above that:

The issue of government monitoring spends a lot of time under the spotlight, of course, and so it should. (Craig Johnston and I considered some of the law-enforcement issues in an AVAR paper this year, but there’s much more to it than that, obviously.)

But I’m seriously concerned about the consequences of the increasing amount of personal data (good, bad, and purely mythical) available to anyone with a browser (or even a USB port). It’s an issue I’ve had occasion to think about several times recently, and I expect to return to it a lot more in the coming months.

I also cited some previous ESET blogs that made related points:

http://www.eset.com/threat-center/blog/2009/12/14/que-sera-sera-%e2%80%93-a-buffet-of-predications-for-2010

http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card

http://www.eset.com/threat-center/blog/2009/12/12/the-internet-book-of-the-dead

http://www.eset.com/threat-center/blog/2009/06/09/data-protection-not-a-priority

I also use this quote from the ESET Global Threat Trends report for December, which will be available shortly.

“Criminals and legitimate businesses will mine data from a widening range of resources, exploiting interoperability between social networking providers. Sharing of data in the private sector will be an increasing threat until the need is accepted for more data protection regulation on similar lines to that seen in the public sector, especially in Europe.”

I wish I could believe that this issue is going to be resolved satisfactorily soon.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
 

ESET normally avoids giving out absolute numbers as they're too prone to be misleading or misinterpreted, since we can't say how they compare to the entire population of the Internet. (Not that it stops other companies giving "authoritative" statistics!)  I can say that our lab gets over 100,000 unique malicious binaries a day from Threatsense.Net®, a mechanism for sending in samples from machines running ESET products that detect malware. Obviously that's a global figure, not the UK: I don't have a figure for that.

However, we can give percentage figures that give an idea of which malware (and other suckware) is scoring highly regionally. If you want to compare these figures with the results we got globally in October, they're at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_October_2009.pdf, Note, however, that this is a slightly "apples and oranges" comparison: for a number of reasons, we don't list the global top ten in the monthly report in quite the same way. For instance, nuisance applications that aren't necessarily technically malicious are filtered and some closely related detection statistics are consolidated to show the underlying trend more clearly.

•  In October in the UK, the top scorer was actually a "possibly unwanted application " (PUA), with 4.02% of detections.  
• Conficker variants were 2nd (2.68%) and 9th (2.14%) (this is an example where we conflate the figures in the report, to make the trend clearer).
• Malware that exploits the Autorun vulnerability took positions 3 (2.66) and 5 (2.36%).
• Number 4 was another type of adware  (2.47%) – note that some types of adware have serious Trojan functionality (Virtumonde, for example), they're not just a nuisance.
• Position 6 was a fake anti-malware program (2.31%) – that's a higher score than we usually get globally for a specific rogue AV variant, which is interesting. It doesn't mean that the UK is more prone to attacks by rogue AV than the rest of the world, though: it's just that there are a lot of different detections for these things. The situation is analogous to bots: while the total number of infections is very high, it doesn't show up clearly in the statistics because there are so many families and variants.
• Number 7 was an advanced heuristic that picks up an even wider range of malware than INF/Autorun.
• Number 8 was malware targeting online gamers (2.16%).
• Number 10 was a highly generic detection for a range of bots and similar malware.

I don't think there's much that governments can do on a legal/governance level (some have some catching up to do, though). The vendor research community does work with law enforcement and even intelligence services to a greater extent than you might suspect, and I wouldn't want to play down the importance of that co-operation. Some ISPs do make a serious effort to block malicious URLs, which are a -major- cause of infection, but they come and go hydra-like. It does help that AV vendors recognize a high percentage of malicious binaries once they're downloaded to a protected system (whereas detection on the site or during download tends to be highly resource intensive). However, I  don't think there's a single, easy solution: anti-malware is only one layer of remediation.

Just to give a little global perspective, the data I drew on here suggest that the threats detected by ESET-protected machines in the UK over October represented about 0.44% of the binaries submitted by all the protected machines in the world, and 1.61% of them were unique to the UK.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

There are no surprises in the top five malicious programs, which have the same rankings as in the September report. Clearly, not enough people are taking our accumulated advice on reducing the risk from Conficker, INF/Autorun and so on.

Something I didn't anticipate though is the dramatic upsurge in Win32/Flystudio detections. This class of threat has been around for a while. It did feature strongly in our July report, when it came in from nowhere to number 5, and then hovered around the lower reaches for a while. Well, this month it shot back from 46 to 6. Here's the description from the latest report.

6. Win32/FlyStudio
Previous Ranking: 46

The Win32/FlyStudio threat is designed to modify information inside the victim's Internet browser. This threat will modify search queries, with the intention of delivering advertisements to the user. Win32/FlyStudio seems to be targeting users located in China.

What does this mean for the End User?

FlyStudio is a popular scripting language, much used as a development tool in China. However, the malicious code is being reported in other regions too, including North America. This may mean that it has been deployed by other malware.

Win32/TrojanDownloader.Swizzor, however, has dropped out of the top ten.

Other items discussed include:

• The AMTSO workshop in Prague, which inspired lively debate about when, if ever, it's acceptable to create samples for testing, and the thorny issue of AMTSO compliance – what is it, and who can legimately claim it?
• An interesting exercise conducted by Christopher and Samir at the First International Workshop on Aggressive Alternative Computing and Security, in which they installed a number of scanners (including NOD32) then logged in as administrator and tried to disable them. We're pleased to note that our product was one of those fairly resistant to such tampering, but we're not convinced that this is a very useful way to test the efficacy of a product. I'll return to that shortly in a separate blog.
• The Halloween Search Engine Optimization (SEO) poisoning issue already blogged here.

Perhaps the most interesting, though, is the first sight of some statistics garnered from a cybercrime survey conducted by Competitive Edge Research and Communication Inc. on behalf of the Security Our eCity initiative, which ESET sponsors. We'll be talking more here about some of the data points from that report in the near future, but an issue that the October report focused on was the find that 63% of adults seem to think cyber criminals are mostly individual computer hackers, whereas only 21% regard organized crime as primarily responsible for cybercrime.

As the report suggests, In the last quarter of 2009, that’s a pretty frightening statistic. It may not matter to the individual computer user who is responsible for specific threats, as long as he takes the right countermeasures. But if people don't understand the nature of the threat properly (and the security industry is apparently failing to convey that information), it seems likely that they don’t understand what constitutes an appropriate countermeasure, either.

Someone asked me today to hazard a guess at the ratio of individuals to organized crime in the current threatscape. I don't really have information that specific, and automatically mistrust it when other companies offer it, unless I know it comes from someone who spends a lot of time interacting with people I wouldn't want to meet in a dark alley.

It depends on your definition of organized crime, I guess. There are plenty of horror stories about various flavours of mafia, but there are certainly also one-man-band criminals out there, not to mention the amateurs still  throwing out Proof of Concept malware and probing systems for the hell of it, or the kudos of discovering a poorly protected site.

However, most attacks are profit-driven, and most profit-driven attacks appear to be made by gangs.  On the other hand, a lot of what crosses my radar is freelancers offering specific services to anyone who’ll pay for banking Trojans, or 0-day exploits, or credit cards, or whatever. So the market is certainly “organized” but some of the players aren’t necessarily aligned with one group in particular: Having said that, though, if their services are “good” enough, I’d assume that they’ll catch the attention of the major gangs. 

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Conficker

• If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems.  It is also a good idea to install the MS08-068 and MS09-001 patches as well.
• Disable AutoRun on removable media.  More about this below.
• Use strong passwords.  The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.

Worms continue to spread quick as a flash

Conclusion

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the current global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.

The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks where a person is socially engineered to provide personally identifiable information by someone posing to be a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).

A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This representes the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals that have had also years of experience and that have optimized their attack and evasion techniques. 

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director

Securing Our eCity community initiative: http://www.securingourecity.org/

Not surprisingly, at the top of the list is a family of programs that exploit Microsoft’s longest unpatched vulnerability. That’s right, Autorun.inf, is an evil “feature” that should have been patched out of existence a long time ago. Since it is so effective for malware there are lots of threats that exploit it.

In the number two position we find a family of threats that steal passwords for online games. This is also pretty logical. There is a lot of money in the sale of “virtual” items and characters for real money.

In third place is the new kid on the block… the Conficker worm. Conficker is truly a tragedy as it is indicative of really poor security practices. Failure to patch your OS will leave you vulnerable to this worm. Autorun is another attack vector. If you disable autorun you take away another avenue of attack for Conficker and the most widespread threats we see. I’ll have a blog up in a day or two that will show you how to really kill autorun. It’s the patch that MS should have disclosed a long time ago. Administrative shares are another avenue of attack and weak passwords are still another security fault that Conficker exploits.

If you decrease the number of security holes you have then your goalie, security software, takes less shots on goal. That is a basic defensive strategy. Prevention is always better than cure, and Conficker highlights that much more work is required in the prevention department.

You can read the whole report at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_January_2009.pdf

Randy Abrams
Director of Technical Education

We’ve also been doing a little tidying of the white papers page, and there will be some additional material there in the near future, including papers on fake antimalware, the apparently late but unlamented Storm botnet, some of our recent conference papers on testing, malware naming, and user education, and an independent paper on spotting implementational errors in comparative tests that has also been referenced in the AMTSO document on The Fundamental Principles of Testing.

AMTSO (The Anti-Malware Testing Standards Organization) will be considering a number of additional documents next month, on a number of test-related topics, as well as the "terms of engagement" for the newly-appointed Reviews of Reviews board.

This board, on which ESET is represented, will implement one of the areas highlighted in the AMTSO preliminary charter: "Providing analysis and review of current and future testing of anti-malware and related products."

That’s a topic I certainly intend to come back to!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

So here’s a snippet from our 2008 Global Threat Report, which is about to come out, and from which I’ve previously included some tasters here.

Our in-the-cloud threat-tracking system ThreatSense.Net® gives us a way of tracking detections of known threats over months or years (you may have noticed that I referred to it in a previous blog about Conficker/Downadup), so we looked at the top twenty threat detections reported between January and December 2008.

(See table 1 below)

As you’ll have noticed, there are quite a few very similar detections there such as INF/Autorun, INF/Autorun.gen, and Win32/Autorun.KS, or all the Online Games Password stealers, so we consolidated some of them into a single detection category, as we do for our monthly reports, and reduced the resulting detections to a top ten. (Sometimes, less is more. )

In fact, these detections could have been consolidated further – for instance, there’s an overlap between Pacex and gamer password stealers – but we think that the table above gives a pretty good impression of the underlying trends, which seems to us more useful than focusing on  individual variants and sub-families.

The top ten trends are shown in table 2 below.

There’s much more information in the forthcoming report (I’ll link it here when it’s available), but here’s a brief summary of what this table tells us about trends over the past year.

• Gaming password stealers have the largest volume and percentage share over the whole year, even if we don’t include Pacex.gen detections. Gamers are a very popular target.
• Malware that uses the Windows Autorun facility as an infection vector (a very broad classification label) runs gaming trojans a close second. Autorun would be a good idea in a better world, but in the one we actually live in, it’s better for most people if it’s disabled.
• While the general classification of adware covers many distinct programs, the continuing presence of Win32/Toolbar.MyWebSearch and the many variants of the Virtumonde Trojan in the top ten give some idea of the size of the problem.
• The GetCodec downloader and associated threats continue to be a major presence. This testifies to the continued success of social engineering of the “click here and install this program so that you can view this highly desirable content” genus.
• Data theft through PC compromise is one of the most consistent aims of the malware author, as the Win32/Agent group of Trojans indicates.
• The continuing presence of advanced detections like INF/Autorun, Win32/Statik and Win32/Genetik in the top ten testify to the continuing need for sophisticated heuristics to flag the presence of new malware that doesn’t resemble known malware closely enough to be identified using an existing family identifier.

Table 1: Top 20 Detections

Table 2: Top Ten Trend Detections

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks such as an escrow site going out of business and so on.

Consider (seriousl!) regularly backing up your data to a separate disk (as a bare minimum) and, where possible, a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original: if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer they’ll "all go together". In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what one site I know of did, and back up data to a server, but forget to back up the server itself.

I’m sure I don’t need to remind you to take care of your passwords as well, do I?

David Harley BA CISSP FBCS CITP