ESET Threat Blog

Archive for the 'threat trends' Category

Operation Cyber ShockWave


Tuesday, February 16th, 2010

While serving in the Marine Corps, one activity that I felt was effective in preparing both myself and my unit to handle real-world scenarios was getting as much experience as possible from military training exercises. In most cases multiple branches worked together or, as in the case with NATO exercises, multiple countries worked together. The goal was always to prepare us for various potential scenarios as well as learning to quickly adapt due to the impossible-to-calculate number of permutations of attacker, weapons, target, collateral damage, etc.

Today the Bipartisan Policy Center (BPC) held a simulated cyber attack against the United States. The goal was to take a group of former high-ranking Cabinet and national security officials and have them successfully complete the mission of advising the president throughout the crisis. Their responses were in real time, as were the intelligence and news feeds. The full list of participants is available from the PRNewsWire press release (http://www.prnewswire.com/news-releases/cyber-shockwave-hits-washington-83570087.html).

The exercise began at 10 am EST and lasted for three hours. During that time, the attack escalated from cellular networks to electrical utilities. The exercise was designed by former CIA Director Michael Hayden in partnership with the BPC. 

To understand the scope and capabilities of the adversaries we are facing in today's connected world, I selected what I thought was a very applicable report: Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence. This report is from the congressional testimony on February 2, 2010, by US Director of National Intelligence, Dennis Blair. Below are samplings of his comments: 

"The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools."

"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."

The full testimony (PDF) is available here (http://www.dni.gov/testimonies/20100202_testimony.pdf)

This brings to mind the old adage, "fight fire with fire" – which is applicable when combating cybercrime and cyber attackers. Continually increasing global cooperation (for instance: laws, extradition agreements, criminal sentences) coupled with fast-paced innovation can have the direct impact of not only closing the gap, but also plain and simply putting them in a "hurt locker" (aka "world of hurt") since, in many cases, cybercriminals/attackers don't feel pain commensurate with the scale and scope of their crimes. 

I brought up cybercrime because a number of the tools and techniques are similar or identical between cybercriminals and those that would wage cyber warfare. In fact, if you were to follow the money trail of all cybercrime activity there is a very high probability that you will ultimately encounter an adversary that is planning, or conducting, cyber attacks against the United States.  

By now you can read about operation Cyber ShockWave from just about anywhere on the 'net. You can also go to the Bipartisan Policy Center's web site directly: http://www.bipartisanpolicy.org/events/cyber2010. This weekend CNN will be providing special coverage of Cyber ShockWave (Saturday February 20). 

Hopefully this exercise provided realistic attacks and the video coverage will show the decision-makers "making the call" in different scenarios. For obvious reasons, the "big gaping holes" shouldn't be exposed to the world, but at the very least, it does bring awareness to a problem that governments across the world face on a daily basis – how to handle the dynamic nature of threats as they continually evolve. 

Jeff Debrosse

Sr. Research Director

Pre/Post Infection Detection


Monday, January 11th, 2010

I just noticed a blog on "Security vendor’s “top-threat” list proof for their less-than-perfect performance?" at http://hype-free.blogspot.com/2010/01/security-vendors-top-threat-list-proof.html. The essential point seems to be that periodic virus detection statistics (like our monthly ThreatSense reports) are likely to be based in part on infections spotted on a protected machine when a signature/update is released that wasn't available when the infective code was first run on that machine. He states further:

 I find the idea that marketing material put “out there” can backfire amusing :-) .

He's right, of course, that a subset of reports will be malware detected after infection (and I'm not in a position to estimate the size of that subset, even for ESET: source information is not usually fine-grained enough to distinguish between pre- and post-infection context).

However, I wouldn't regard it as a backfire when a product detects something post-infection on the protected system. Yes, it's a failure of a product's proactive capability, but such failures are to be expected on the slippery continuum between false negatives and false positives. It doesn't make the statistics less (or more) valid.

It's only funny if you think of such reports purely as marketing collateral. Personally, I think such statistics are of limited value (especially to those who don't really know the field well enough to interpret them properly, largely because of the naming issues that seem to keep cropping up in my blogs lately). If properly done, though, they do give people a better perception of what the current trends in malware are, and thus a better idea of how they can protect themselves. Besides, there's a difference between marketing and giving people something they keep asking for.  :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

End of Year, End of Decade


Thursday, January 7th, 2010

As our December ThreatSense report (now available at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_December_2009.pdf) was not only the last of the year but the last of the decade, it's rather longer and more detailed than usual, including a look back at the last 12 months. I suppose we could have gone back over the whole decade, but I have to sleep occasionally. ;-)

Inevitably, Win32/Conficker, INF/Autorun and gaming password stealers occupy the first three positions yet again. In fact, the most conspicuous feature of the December top ten is the preponderance of malware that exploits the Autorun vulnerability….err, facility. If you're using Windows 7, you'll probably have noticed that Autorun is disabled by default, and hopefully you'll leave it that way. ESET has published information on disabling Autorun in other versions of Windows at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun.

The most dramatic change to the top ten is the appearance of Win32/Spy.Ursnif.A. This label describes a spyware application that steals information from an infected PC and sends it to a remote location, creating a hidden user account in order to allow communication over Remote Desktop connections. More information about this malware is available at http://www.eset.eu/encyclopaedia/win32-spy-ursnif-a-trojanwin32-inject-kzl-spy-ursnif-gen-h-patch-zgm?lng=en.

As well as a lengthy retrospective section, there's a little crystal-ball gazing from the ESET teams in San Diego and Argentina concerning our thoughts on such major issues as social engineering, smartphone jailbreaking and rooting, the "walled garden" concept of blocking an ISP user's full access to the Internet when his or her system is compromised by malware, cloud computing, rogue software and extortion, misuse of social networks, the use and misuse of publicly available data, and so on.

Of course, for a more cynical view, you might want to look at this, if you haven't already: http://www.eset.com/threat-center/blog/2009/12/30/top-ten-trite-security-predictions

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


The out-of-control decade


Thursday, December 31st, 2009

We interrupt our – well, my – scheduled programming to bring to your attention an article in "The Register" that I think deserves your attention. I put up what was intended to be a brief pointer on the AVIEN blog (http://avien.net/blog/?p=253), but I found myself kind of warming to the subject, to the extent that I think it's worth covering the same ground here.

Rik Myslewski's article says (among many other things in a three-page article that particularly focuses on Apple and Google) that “Waiting in the wings are corporate entities eager to exploit your personal information, and government agencies watching your every step.”

To which I responded in the blog cited above that:

The issue of government monitoring spends a lot of time under the spotlight, of course, and so it should. (Craig Johnston and I considered some of the law-enforcement issues in an AVAR paper this year, but there’s much more to it than that, obviously.)

But I’m seriously concerned about the consequences of the increasing amount of personal data (good, bad, and purely mythical) available to anyone with a browser (or even a USB port). It’s an issue I’ve had occasion to think about several times recently, and I expect to return to it a lot more in the coming months.

I also cited some previous ESET blogs that made related points:

http://www.eset.com/threat-center/blog/2009/12/14/que-sera-sera-%e2%80%93-a-buffet-of-predications-for-2010

http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card

http://www.eset.com/threat-center/blog/2009/12/12/the-internet-book-of-the-dead

http://www.eset.com/threat-center/blog/2009/06/09/data-protection-not-a-priority

I also use this quote from the ESET Global Threat Trends report for December, which will be available shortly.

“Criminals and legitimate businesses will mine data from a widening range of resources, exploiting interoperability between social networking providers. Sharing of data in the private sector will be an increasing threat until the need is accepted for more data protection regulation on similar lines to that seen in the public sector, especially in Europe.”

I wish I could believe that this issue is going to be resolved satisfactorily soon. :(

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Que Sera Sera – A Buffet of Predictions for 2010


Monday, December 14th, 2009

I was recently asked to share some predictions about what 2010 will bring in the security space. I asked some colleagues from ESET Research to share their thoughts as well -Randy

Randy Abrams
Director of Technical Education

Social Engineering attacks will continue to grow in prevalence. As operating systems and eventually applications become more secure, the easiest way to steal money from people or install malicious software will be to trick them. Part of this will be driven by adoption of Windows 7. Computers sold with Windows XP, with a few exceptions, such as newer netbooks, are beginning to age and will be replaced with PCs that have Windows 7. The increased security in Windows 7 means that tricking the user is far more viable than exploiting the OS for most criminals.

Third party applications will bear the brunt of vulnerability attacks. Security improvements in operating systems will continue to drive vulnerability research to applications like Safari, iTunes, Adobe Flash, Adobe Reader, many IM clients and other applications. Unfortunately, users are far less savvy about patching 3rd party applications than they are about patching the operating system.

While the number of attacks against “jailbroken” iPhones is likely to increase, the number of infected or affected devices will likely decrease. The reason for a decrease is that in many cases the affected user incurs data charges and so they are motivated to do things like changing default passwords. Those who have flat rate data plans will be far more likely to continue to neglect security.

ISPs will increasingly implement technologies to identify users who are infected and take measures to block access to the internet until the user’s machines are cleaned up. It will probably be a few years before these ISPs are the norm, rather than the exception, but still the prevalence of such practices will increase.

Data breaches/losses will grow in scope as people put their data in the cloud. Cloud systems security is still fairly young. The aggregation of data will make many Cloud service providers attractive targets. We’ve already seen this as web hosting providers and credit card processing businesses have been targeted.


Pierre-Marc Bureau
Sr. Malware Researcher
 

  1. Increase in rogue software or extortion software, probably some fake memory optimization tools, etc.
  2. More specialization from malware gangs and exchange of service between them.  Some gangs will take care of the packing layer, others C&C communication, other stealing data, etc.
  3. More malware targeting alternative operating systems like OS X and Linux as they increase their market shares.  This probably means more malware written in high level languages which can execute on various OSes like bash, perl, python, etc.

 


Aryeh Goretsky
Distinguished Researcher

Increased targeting of social networks, such as Facebook, LinkedIn, Twitter in the US, Orkut and Hi5 in South America, from both a social engineering standpoint and looking for cross-site scripting and wormable attacks on the web sites as well as their APIs.

Continued research into weaknesses in virtualization will lead to new attacks, but will remain largely impractical, e.g., attacker needs direct access to a server's hardware in order to perform the action.

Online games will continue to be targeted, as virtual assets such as in-game currencies or scarce resources can be re-sold for real money, especially in Asia.

Increased research into attacks on gaming consoles, but with limited results due to the closed-wall nature of their Internet service.

Increased research into attacks on wireless networking (802.11n Wi-Fi, WiMAX, cellular broadband data connections) and SSL interception will make it more risky to conduct online shopping and banking over wireless connections (MITM attacks for credentials theft, etc.).

Patch management will continue to challenge IT departments.  Slight decrease in AUTORUN.INF-borne malware due to deployment of Windows 7.


David Harley
Director of Malware Intelligence
 

  1. iPhone attacks will probably be a blip rather than an increasing trend, as based on a single high-visibility vulnerability. However, attacks (or at least probing for vulnerabilities) on smartphones in general are likely to increase as long as providers rely on a closed system model that encourages jailbreaking/rooting. The whitelisting model will probably get some attention eventually, even from Apple.
  2. Data mining (legitimate and criminal) will have a wider and by no means automatically beneficial range of effects on individuals. The arch-example is Facebook's lack of commitment to a realistic security model, which counts more than its security centre advice. Essentially, it's encouraging its users to share as much information as possible while essentially making them responsible for the security of their own data. This isn't unique to FB, of course, or even to the Web 2.0 providers. But they're grooming us to accept that it's legitimate for an ever-wider pool of data to be used to monitor our behaviour, and makes it harder to distinguish between legit and criminal data mining.
  3. Further to point 2, privacy tends to diminish where it's in the way of commercial rather than political interests. So, ironically enough, there will be particular and ongoing interest in data leakage where it affects public bodies, but selling on of information at the backdoor by more-or-less legal means will continue as it always has, though it's starting to attract some attention. This may be less true in Europe, where data protection and other directives -already- give some formal weight to the principle that organizations should only hold as much personal data as they -need-, rather than what they -want-.
  4. Obviously, I'm in agreement with everyone else on the continuing importance of social engineering. The corollary to that, though, is that despite those who say that user education is ineffective, it remains an under-explored option for mitigating social engineering. It's unlikely that a psychological attack can be totally eliminated by technical means. On the other hand, it's always easy and resource-non-intensive to push responsibility back to the user and say "just be careful!" There are signs that user education in some areas is being taken more seriously, though: anti-phishing education, for instance.

The Blame Game


Tuesday, November 10th, 2009

I recently learned a new acronym: SODDI (Some Other Dude Did It). What this refers to is the defense that criminals routinely use (plausible deniability) – and even more so when it comes to illicit activities on the Internet.

On Sunday, November 8th 2009 the Associated Press published an article regarding an individual that was accused of possessing child pornography. After 11 months, and at a personal expense of $250,000, computer forensics proved that the computer had become infected with malware that was designed to download illegal content. Malicious software was the culprit at work behind the scenes.

This activity is a topic that had been discussed for quite a few years as a potential liability for any computer that has been infected. Software that is designed to conduct remote operations can surreptitiously download any kind of digital material to a person’s machine or establish connections (or probe/attack) any target. This would cause the owner of the infected computer to appear to have broken one, or more, of many laws including illegally accessing a network, theft of intellectual property (IP) and child pornography – to name a few. Basically, any action that an attacker or criminal can directly perform on the Internet, can also be duplicated and executed from a victim’s computer. The end result is truly horrific for the victims who have to defend themselves when the trail leads to them – and seemingly stops at their computers.

There are numerous examples of this occurring. For instance, substitute school teacher Julie Amero’s life was undeniably, and tragically, altered after the school computer she was using in a 7th grade classroom started displaying pornographic images to her students. After significant expense, loss of a teaching career and other losses she was finally convicted of a lesser charge (in 2008) and a reduced fine.

Cases like these are where several (of many) cybercrime issues converge:

  • Laws: many legal systems still struggle to catch up with cybercrimes
  • Plausible deniability: the challenge of proving that a person is the one that used their computer to commit an act (usually a criminal act)
  • Attribution: lack of attribution across the Internet impairs the ability to accurately, and with a high degree of confidence, trace internet connections/packets back to their source(s)

When two or more of these elements are combined, the end result is typically a confusing, and potentially indefensible, gathering of forensic data that can both let a criminal “walk” or cause an innocent person to be charged, tried and sentenced.

In any war there is a term known as “collateral damage”. In the war against cybercriminals, the collateral damage is clear and unmistakable. As a society, when we gain more overall forensic analysis experience and systems are capable of providing more accurate attributable information, we should see a diminishing number of cases of innocent victims and more/stiffer convictions for the bad guys.
   
Jeff Debrosse
Senior Research Director

 

September’s Global Threat Report


Tuesday, October 6th, 2009

ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud.  You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site.  While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.

Conficker

While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections.  This was actually a slight upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, this is not unexpected, and it is still below the 12.58% seen in July.  The Win32/Conficker worm spreads using several vectors, such as unpatched operating systems, vulnerable network shares and via AutoRun on removable media such as USB flash drives.  ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF file to every 4.8 executable file detections of the worm.
 
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks out there where the worm is spreading.  While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
  • If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems.  It is also a good idea to install the MS08-068 and MS09-001 patches as well.
  • Disable AutoRun on removable media.  More about this below.
  • Use strong passwords.  The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.
ESET classifies Conficker into several variants, depending upon their behavior and technology.  For more information on each classification, see the following ESET Virus Encyclopedia entries: Conficker.A, Conficker.AA, Conficker.AE, Conficker.AQ, Conficker.AR and Conficker.X.

Worms continue to spread quick as a flash

The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware.  ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% detections—as well as the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%.  Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
 
In order to block malware which spreads in this fashion, the option to use AutoRun on removable media needs to be disabled.  This has been discussed earlier in ESET’s Threat blog here and here, and US-CERT, a federal agency responsible for securing the government’s computers, gives instructions here as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers will implement this, and the change has been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008.  For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
 
As mentioned previously, anti-malware software is only part of the security equation.  Removing this un-needed functionality from your PC instantly immunizes it against a technique used by nearly a fifth of malware out there.  The tools and techniques used to disable AutoRun functionality can be applied in under a minute on a single PC and are easily scriptable so they can be employed in a managed computer environment with a minimum amount of effort.  We strongly recommend doing this.
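As an added example of the scriptable change described above (this is not ESET's or Microsoft's code, and the knowledgebase article referred to in the post is not reproduced here), the following PowerShell applies the Explorer policy value NoDriveTypeAutoRun with the mask 0xFF, which turns AutoRun off for every drive type, and then reads it back so that a management script can confirm the setting took effect. It assumes an elevated prompt on a Windows version that honours this value; on Windows XP and Server 2003 that requires the Microsoft update the post points to.

```powershell
# Added example, not part of the original post: disable AutoRun for all drive
# types via the Explorer policy value and verify the result.
# Assumption: run elevated on Windows XP/Vista/Server 2003/Server 2008 with the
# Microsoft AutoRun update applied, so the value is honoured for every drive type.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF   # bit mask covering every drive type (removable, fixed, network, CD-ROM, ...)

function Disable-AutoRun {
    # Create the policy key if it does not exist yet, then write the DWORD value.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives `
        -PropertyType DWord -Force | Out-Null
}

function Test-AutoRunDisabled {
    # Returns $true only when every bit of the mask is set, i.e. AutoRun is off everywhere.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.$ValueName -band $AllDrives) -eq $AllDrives)
}

Disable-AutoRun
if (Test-AutoRunDisabled) {
    Write-Output ("AutoRun disabled for all drive types ({0} = 0x{1:X2})" -f $ValueName, $AllDrives)
} else {
    Write-Warning "$ValueName is not set as expected; check that the session is elevated and that no Group Policy overrides the value."
}
```

In a managed environment the same value is normally pushed through Group Policy rather than a per-machine script; the Test-AutoRunDisabled check is still useful there, since it reports what the machine actually holds rather than what the policy was meant to set.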

Conclusion

As you can see, malware relies on a number of ways to spread, some of which are solved by updating the operating system and others by changing the less-secure behavior that was chosen in less secure times to more modern secure settings.
 
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
 
Regards,

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Data Breaches – It’s All Greek to Me


Tuesday, July 14th, 2009

The results (released yesterday) from a study conducted by the Ponemon Institute yielded some interesting data points. The most visible of these was the finding that 85% of U.S. organizations experienced data breaches of varying magnitudes. This study, entitled "U.S. Enterprise Encryption Trends", has completed its fourth annual publication.  The data was directly obtained from 997 respondents that were asked whether or not they had experienced a data breach within the past 12 months. I don’t know about you, but 85% is a bit too rich for my blood!
Below is a sampling of the key findings from the report:
  • Data Breaches continue to be a huge problem: Eighty-five percent of organizations surveyed had had at least 1 data breach in the last 12 months, demonstrating that there is no let up in breaches as this is consistent with 84 percent sited [sic] in the 2008 report. Companies suffering more than 5 data breaches rose to 22 percent in 2009 up from 13 percent in 2008.
  • More than 70% have fully executed or just launched data encryption strategy in their organization. Once again data encryption strategies are being implemented across a majority of the respondent participants. The majority of organizations, 78 percent, have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in 2007.
  • Encryption of data on mobile data-bearing devices used by employees is very important or important. More than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices – a sign that organizations recognize that valuable data is more mobile than ever.
  • On average a company will pay $202 per record compromised, and, in total an average of $6.6M should they experience a data breach.
As with other security-related topics, there’s the “So what does this mean?” question. First of all, it’s costing companies more to be breached – period. This is a very good thing because it’s our information that’s been getting lost or stolen, not theirs. Secondly, organizations are taking a much closer look at how to best secure data in all of its phases (at rest, in motion and in use). It’s a very positive move in the right direction. If you look at the latest numbers regarding personally identifiable data that have been involved in breaches (within the U.S.) you’ll see an interesting crossing-over point: there are now more records that have been exposed in data breaches than there are users on the internet. Let’s look at this a little closer:
  • Domestic population (census.gov): 307M
  • Personally-identifiable records involved in data breaches (privacy rights clearing house): 262.5M
  • Domestic Internet penetration rate (internetworldstats.com): 74.4% (251M users)
This clearly indicates that it’s not being on the Internet that is attributable to a person’s information being exposed – it’s the tremendous amount of information stored or transmitted in clear text that is problematic. I’m sure that if I cross-reference these numbers with the Bureau of Labor and Statistics’ numbers, we’ll find an even more interesting correlation. Bottom line, 262M is not that far off from 307M. Will some part of every American’s personal information be involved in a data breach in the next few years?
With populations growing globally, there will always be the need to store information about the ever-increasing amounts of people. What is required, though, is to make this information worthless in the event of a breach – whether that breach originates from an outside entity or from the loss of a portable computing or storage device.
It’s no mystery to many readers of this blog that the root word for cryptography is the Greek word Kryptos – which means “hidden”. It appears that many years ago, the early Greeks may have had the answer to what plagues us today – the glut of personally identifiable information involved in data breaches. Encrypting (hiding) data is one very real approach to de-monetizing data breaches. To cover this point in its entirety we’d have to open another discussion on key management, but that’s material for another blog (or white paper).
The full Ponemon report is available at: www.encryptionreports.com/.
Jeff Debrosse
Sr. Director, Research
 
 

Global Threat Report 2008, other papers, and AMTSO


Wednesday, January 21st, 2009

You may have noticed that I’ve been making a lot of references to this over the past few weeks. You can now download it here. Quite a few people have worked pretty hard to make this project happen, and I’d like to thank them now. I hope some of you will find it interesting and useful.

We’ve also been doing a little tidying of the white papers page, and there will be some additional material there in the near future, including papers on fake antimalware, the apparently late but unlamented Storm botnet, some of our recent conference papers on testing, malware naming, and user education, and an independent paper on spotting implementational errors in comparative tests that has also been referenced in the AMTSO document on The Fundamental Principles of Testing.

AMTSO (The Anti-Malware Testing Standards Organization) will be considering a number of additional documents next month, on a number of test-related topics, as well as the "terms of engagement" for the newly-appointed Reviews of Reviews board.

This board, on which ESET is represented, will implement one of the areas highlighted in the AMTSO preliminary charter: "Providing analysis and review of current and future testing of anti-malware and related products."

That’s a topic I certainly intend to come back to!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Top Ten 2008 Threats


Monday, January 19th, 2009

The top ten (twenty, twenty-five…) season doesn’t seem to have finished yet: the latest to cross my radar was something like seven ways of surviving the recession, which I’m sure is of interest to all of us, but not really in scope for this blog.

So here’s a snippet from our 2008 Global Threat Report, which is about to come out, and from which I’ve previously included some tasters here.

Our in-the-cloud threat-tracking system ThreatSense.Net® gives us a way of tracking detections of known threats over months or years (you may have noticed that I referred to it in a previous blog about Conficker/Downadup), so we looked at the top twenty threat detections reported between January and December 2008.

(See table 1 below)

As you’ll have noticed, there are quite a few very similar detections there, such as INF/Autorun, INF/Autorun.gen, and Win32/Autorun.KS, or all the Online Games password stealers, so we consolidated some of them into a single detection category, as we do for our monthly reports, and reduced the resulting detections to a top ten. (Sometimes, less is more.)

In fact, these detections could have been consolidated further – for instance, there’s an overlap between Pacex and gamer password stealers – but we think that table 2 below gives a pretty good impression of the underlying trends, which seems to us more useful than focusing on individual variants and sub-families.

The top ten trends are shown in table 2 below.

There’s much more information in the forthcoming report (I’ll link it here when it’s available), but here’s a brief summary of what this table tells us about trends over the past year.

  • Gaming password stealers have the largest volume and percentage share over the whole year, even if we don’t include Pacex.gen detections. Gamers are a very popular target.
  • Malware that uses the Windows Autorun facility as an infection vector (a very broad classification label) runs gaming trojans a close second. Autorun would be a good idea in a better world, but in the one we actually live in, it’s better for most people if it’s disabled.
  • While the general classification of adware covers many distinct programs, the continuing presence of Win32/Toolbar.MyWebSearch and the many variants of the Virtumonde Trojan in the top ten give some idea of the size of the problem.
  • The GetCodec downloader and associated threats continue to be a major presence. This testifies to the continued success of social engineering of the “click here and install this program so that you can view this highly desirable content” genus.
  • Data theft through PC compromise is one of the most consistent aims of the malware author, as the Win32/Agent group of Trojans indicates.
  • The continuing presence of advanced detections like INF/Autorun, Win32/Statik and Win32/Genetik in the top ten testifies to the continuing need for sophisticated heuristics to flag the presence of new malware that doesn’t resemble known malware closely enough to be identified using an existing family identifier.

Table 1: Top 20 Detections

Malware Detection Name               Detections   % of total detections
Win32/PSW.OnLineGames.NMY              22990746   6.69%
INF/Autorun.gen                        13827373   4.03%
INF/Autorun                            10593305   3.08%
Win32/Toolbar.MyWebSearch               8921028   2.60%
Win32/Pacex.Gen                         8620971   2.51%
Win32/PSW.OnLineGames.NMP               6713116   1.95%
WMA/TrojanDownloader.GetCodec.Gen       5685400   1.66%
WMA/TrojanDownloader.Wimad.N            5218889   1.52%
Win32/PSW.OnLineGames.NNU               5096504   1.48%
Win32/Agent                             4859566   1.41%
Win32/Adware.Virtumonde                 4588952   1.34%
Win32/AutoRun.KS                        4087011   1.19%
Win32/Genetik                           3828021   1.11%
Win32/Qhost                             3717897   1.08%
Win32/Statik                            3244414   0.94%
Win32/TrojanDownloader.Murlo.NN         3140400   0.91%
Win32/Agent.AJVG                        2900763   0.84%
Win32/HackAV.G                          2305628   0.67%
Win32/PSW.OnLineGames.ODJ               2270310   0.66%
Win32/Patched.BU                        2254901   0.66%

Table 2: Top Ten Trend Detections

Malware Detection Name               Detections   % of total detections
Win32/PSW.OnLineGames                  37070676   10.78%
INF/Autorun                            28507689    8.30%
WMA/TrojanDownloader.GetCodec.Gen      10904289    3.18%
Win32/Toolbar.MyWebSearch               8921028    2.60%
Win32/Pacex.Gen                         8620971    2.51%
Win32/Agent                             7760329    2.25%
Win32/Adware.Virtumonde                 4588952    1.34%
Win32/Genetik                           3828021    1.11%
Win32/Qhost                             3717897    1.08%
Win32/Statik                            3244414    0.94%
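The consolidation step described above (rolling variant-level detections from table 1 up into the family-level trend categories of table 2) is easy to reproduce, and doing so is a useful sanity check on any such telemetry summary. The following is an added example, not ESET's own code or tooling: the rows are table 1 as printed in this post, while the prefix-matching rules and the function names are assumptions about how the grouping was done (Wimad is folded into the GetCodec line as one of the "associated threats" mentioned above, and INF/ and Win32/ Autorun variants are grouped together).

```python
"""Consolidate per-variant detection counts into family-level trend categories.

Added example (not ESET's code). The table rows are transcribed from table 1
of the post; the grouping rules below are an assumed reconstruction of how
table 2 was derived from them.
"""
from decimal import Decimal

# Table 1 from the post: (detection name, detections, % of total detections).
TABLE_1 = [
    ("Win32/PSW.OnLineGames.NMY", 22990746, "6.69"),
    ("INF/Autorun.gen", 13827373, "4.03"),
    ("INF/Autorun", 10593305, "3.08"),
    ("Win32/Toolbar.MyWebSearch", 8921028, "2.60"),
    ("Win32/Pacex.Gen", 8620971, "2.51"),
    ("Win32/PSW.OnLineGames.NMP", 6713116, "1.95"),
    ("WMA/TrojanDownloader.GetCodec.Gen", 5685400, "1.66"),
    ("WMA/TrojanDownloader.Wimad.N", 5218889, "1.52"),
    ("Win32/PSW.OnLineGames.NNU", 5096504, "1.48"),
    ("Win32/Agent", 4859566, "1.41"),
    ("Win32/Adware.Virtumonde", 4588952, "1.34"),
    ("Win32/AutoRun.KS", 4087011, "1.19"),
    ("Win32/Genetik", 3828021, "1.11"),
    ("Win32/Qhost", 3717897, "1.08"),
    ("Win32/Statik", 3244414, "0.94"),
    ("Win32/TrojanDownloader.Murlo.NN", 3140400, "0.91"),
    ("Win32/Agent.AJVG", 2900763, "0.84"),
    ("Win32/HackAV.G", 2305628, "0.67"),
    ("Win32/PSW.OnLineGames.ODJ", 2270310, "0.66"),
    ("Win32/Patched.BU", 2254901, "0.66"),
]

# Assumed grouping rules: a detection name whose lower-cased form starts with
# the prefix is rolled up into the named trend category. Names matching no
# rule are kept as their own category.
TREND_RULES = [
    ("win32/psw.onlinegames", "Win32/PSW.OnLineGames"),
    ("inf/autorun", "INF/Autorun"),
    ("win32/autorun", "INF/Autorun"),
    ("wma/trojandownloader.getcodec", "WMA/TrojanDownloader.GetCodec.Gen"),
    ("wma/trojandownloader.wimad", "WMA/TrojanDownloader.GetCodec.Gen"),
    ("win32/agent", "Win32/Agent"),
]


def trend_category(name):
    """Map one detection name to its trend category (case-insensitive prefix)."""
    lowered = name.lower()
    for prefix, category in TREND_RULES:
        if lowered.startswith(prefix):
            return category
    return name


def consolidate(rows):
    """Sum detections and percentage share per trend category.

    Percentages are kept as Decimal so the printed shares add up exactly
    (floating point would turn 6.69 + 1.95 + 1.48 + 0.66 into 10.780000000000001).
    Returns (category, detections, Decimal percent) sorted by detections, descending.
    """
    totals = {}
    for name, count, pct in rows:
        cat = trend_category(name)
        seen_count, seen_pct = totals.get(cat, (0, Decimal("0")))
        totals[cat] = (seen_count + count, seen_pct + Decimal(pct))
    merged = [(cat, c, p) for cat, (c, p) in totals.items()]
    return sorted(merged, key=lambda row: row[1], reverse=True)


def top_n(rows, n=10):
    """Top-n trend categories as (category, detections, 'x.yz%') tuples."""
    return [(cat, count, f"{pct}%") for cat, count, pct in consolidate(rows)[:n]]


if __name__ == "__main__":
    # Reproduces table 2 from table 1.
    for cat, count, pct in top_n(TABLE_1):
        print(f"{cat:<36} {count:>10} {pct:>7}")
```

Running the script prints the same ten rows as table 2, with the summed detection counts and shares matching the published figures; any discrepancy between a recomputed roll-up and the published table would point either to a grouping rule the summary applied differently or to a transcription error in the source rows.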

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence