ESET Threat Blog


Archive for the 'Global Threat Report' Category

ThreatSense.Net: Fear and Loathing in the UK


Tuesday, November 10th, 2009

I was asked about malware infection in the UK (especially with reference to Conficker), and (a) if the situation is really as bad as we, the AV vendors, make out, and what the real infection rate is; and (b) whether government and ISPs etc. could do more to help. You can now find a link here (http://www.guardian.co.uk/technology/2009/nov/04/malware-pc-security-antivirus) to the piece that Jack Schofield (of the Guardian newspaper) was writing on the topic. However, I thought you might be interested in my original answer on that point, at any rate if you're in the UK.

ESET normally avoids giving out absolute numbers as they're too prone to be misleading or misinterpreted, since we can't say how they compare to the entire population of the Internet. (Not that it stops other companies giving "authoritative" statistics!) I can say that our lab gets over 100,000 unique malicious binaries a day from ThreatSense.Net®, a mechanism for sending in samples from machines running ESET products that detect malware. Obviously that's a global figure, not the UK: I don't have a figure for that.

However, we can give percentage figures that give an idea of which malware (and other suckware) is scoring highly regionally. If you want to compare these figures with the results we got globally in October, they're at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_October_2009.pdf. Note, however, that this is a slightly "apples and oranges" comparison: for a number of reasons, we don't list the global top ten in the monthly report in quite the same way. For instance, nuisance applications that aren't necessarily technically malicious are filtered, and some closely related detection statistics are consolidated to show the underlying trend more clearly.

  • In October in the UK, the top scorer was actually a "possibly unwanted application" (PUA), with 4.02% of detections.
  • Conficker variants were 2nd (2.68%) and 9th (2.14%) (this is an example where we conflate the figures in the report, to make the trend clearer).
  • Malware that exploits the Autorun vulnerability took positions 3 (2.66%) and 5 (2.36%).
  • Number 4 was another type of adware (2.47%) – note that some types of adware have serious Trojan functionality (Virtumonde, for example); they're not just a nuisance.
  • Position 6 was a fake anti-malware program (2.31%) – that's a higher score than we usually get globally for a specific rogue AV variant, which is interesting. It doesn't mean that the UK is more prone to attacks by rogue AV than the rest of the world, though: it's just that there are a lot of different detections for these things. The situation is analogous to bots: while the total number of infections is very high, it doesn't show up clearly in the statistics because there are so many families and variants.
  • Number 7 was an advanced heuristic that picks up an even wider range of malware than INF/Autorun.
  • Number 8 was malware targeting online gamers (2.16%).
  • Number 10 was a highly generic detection for a range of bots and similar malware.

I don't think there's much that governments can do on a legal/governance level (some have some catching up to do, though). The vendor research community does work with law enforcement and even intelligence services to a greater extent than you might suspect, and I wouldn't want to play down the importance of that co-operation. Some ISPs do make a serious effort to block malicious URLs, which are a -major- cause of infection, but they come and go hydra-like. It does help that AV vendors recognize a high percentage of malicious binaries once they're downloaded to a protected system (whereas detection on the site or during download tends to be highly resource intensive). However, I don't think there's a single, easy solution: anti-malware is only one layer of remediation.

Just to give a little global perspective, the data I drew on here suggest that the threats detected by ESET-protected machines in the UK over October represented about 0.44% of the binaries submitted by all the protected machines in the world, and 1.61% of them were unique to the UK.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

October Global Threat Report


Monday, November 2nd, 2009

As usual, ESET has released its monthly Global Threat Trends Report, which will be available in due course at http://www.eset.com/threat-center/index.php.

There are no surprises in the top five malicious programs, which have the same rankings as in the September report. Clearly, not enough people are taking our accumulated advice on reducing the risk from Conficker, INF/Autorun and so on. :(

Something I didn't anticipate though is the dramatic upsurge in Win32/Flystudio detections. This class of threat has been around for a while. It did feature strongly in our July report, when it came in from nowhere to number 5, and then hovered around the lower reaches for a while. Well, this month it shot back from 46 to 6. Here's the description from the latest report.

6. Win32/FlyStudio
Previous Ranking: 46

The Win32/FlyStudio threat is designed to modify information inside the victim's Internet browser. This threat will modify search queries, with the intention of delivering advertisements to the user. Win32/FlyStudio seems to be targeting users located in China.

What does this mean for the End User?

FlyStudio is a popular scripting language, much used as a development tool in China. However, the malicious code is being reported in other regions too, including North America. This may mean that it has been deployed by other malware.

Win32/TrojanDownloader.Swizzor, however, has dropped out of the top ten.

Other items discussed include:

  • The AMTSO workshop in Prague, which inspired lively debate about when, if ever, it's acceptable to create samples for testing, and the thorny issue of AMTSO compliance – what is it, and who can legitimately claim it?
  • An interesting exercise conducted by Christopher and Samir at the First International Workshop on Aggressive Alternative Computing and Security, in which they installed a number of scanners (including NOD32) then logged in as administrator and tried to disable them. We're pleased to note that our product was one of those fairly resistant to such tampering, but we're not convinced that this is a very useful way to test the efficacy of a product. I'll return to that shortly in a separate blog.
  • The Halloween Search Engine Optimization (SEO) poisoning issue already blogged here.

Perhaps the most interesting, though, is the first sight of some statistics garnered from a cybercrime survey conducted by Competitive Edge Research and Communication Inc. on behalf of the Securing Our eCity initiative, which ESET sponsors. We'll be talking more here about some of the data points from that report in the near future, but an issue that the October report focused on was the finding that 63% of adults seem to think cyber criminals are mostly individual computer hackers, whereas only 21% regard organized crime as primarily responsible for cybercrime.

As the report suggests, in the last quarter of 2009 that’s a pretty frightening statistic. It may not matter to the individual computer user who is responsible for specific threats, as long as he takes the right countermeasures. But if people don't understand the nature of the threat properly (and the security industry is apparently failing to convey that information), it seems likely that they don’t understand what constitutes an appropriate countermeasure, either.

Someone asked me today to hazard a guess at the ratio of individuals to organized crime in the current threatscape. I don't really have information that specific, and automatically mistrust it when other companies offer it, unless I know it comes from someone who spends a lot of time interacting with people I wouldn't want to meet in a dark alley.

It depends on your definition of organized crime, I guess. There are plenty of horror stories about various flavours of mafia, but there are certainly also one-man-band criminals out there, not to mention the amateurs still throwing out Proof of Concept malware and probing systems for the hell of it, or the kudos of discovering a poorly protected site.

However, most attacks are profit-driven, and most profit-driven attacks appear to be made by gangs. On the other hand, a lot of what crosses my radar is freelancers offering specific services to anyone who’ll pay for banking Trojans, or 0-day exploits, or credit cards, or whatever. So the market is certainly “organized”, but some of the players aren’t necessarily aligned with one group in particular. Having said that, though, if their services are “good” enough, I’d assume that they’ll catch the attention of the major gangs.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

September’s Global Threat Report


Tuesday, October 6th, 2009

ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud.  You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site.  While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.

Conficker

While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections. This was actually a slight upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, this is not unexpected, and it is still below the 12.58% seen in July. The Win32/Conficker worm spreads using several vectors, such as unpatched operating systems, vulnerable network shares and via AutoRun on removable media such as USB flash drives. ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF file to every 4.8 executable file detections of the worm.
 
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks out there where the worm is spreading. While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
  • If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems.  It is also a good idea to install the MS08-068 and MS09-001 patches as well.
  • Disable AutoRun on removable media.  More about this below.
  • Use strong passwords.  The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.

ESET classifies Conficker into several variants, depending upon their behavior and technology. For more information on each classification, see the following ESET Virus Encyclopedia entries: Conficker.A, Conficker.AA, Conficker.AE, Conficker.AQ, Conficker.AR and Conficker.X.

Worms continue to spread quick as a flash

The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware.  ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% detections—as well as the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%.  Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
 
In order to block malware which spreads in this fashion, the option to use AutoRun on removable media needs to be disabled. This has been discussed earlier in ESET’s Threat blog here and here, and US-CERT, a federal agency responsible for securing the government’s computers, gives instructions here as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers will implement this, and the change has been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008.  For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
 
As mentioned previously, anti-malware software is only part of the security equation.  Removing this un-needed functionality from your PC instantly immunizes it against a technique used by nearly a fifth of malware out there.  The tools and techniques used to disable AutoRun functionality can be applied in under a minute on a single PC and are easily scriptable so they can be employed in a managed computer environment with a minimum amount of effort.  We strongly recommend doing this.
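The post says the AutoRun change is "easily scriptable" but does not show a script. The following is an added example, not code from the post or from the Microsoft knowledgebase article it points to. It assumes the documented Explorer policy value NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, a bitmask in which bit n suppresses AutoRun for Win32 drive type n, so 0xFF disables it for every drive type. It can report which drive types a partial mask still leaves exposed, emit a .reg file for a login script, and (on Windows, when not in dry-run mode) write the value directly. On older Windows versions the policy is only honoured once the Microsoft update mentioned above is installed, which this script does not check.

```python
"""Disable AutoRun on every drive type via the NoDriveTypeAutoRun policy.

Added example, not ESET's or Microsoft's code. Bit positions follow the Win32
GetDriveType() codes; a set bit means AutoRun is suppressed for that type.
"""
import platform
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
DISABLE_ALL = 0xFF  # every bit set: no drive type gets AutoRun

DRIVE_TYPE_BITS = {
    0: "unknown",
    1: "no root directory",
    2: "removable (USB, floppy)",
    3: "fixed",
    4: "network",
    5: "CD-ROM / DVD",
    6: "RAM disk",
    7: "reserved",
}


def autorun_status(mask: int) -> dict:
    """Map each drive type to True if AutoRun is still allowed under `mask`."""
    return {name: not ((mask >> bit) & 1) for bit, name in DRIVE_TYPE_BITS.items()}


def still_enabled(mask: int) -> list:
    """Drive types on which AutoRun would still fire under `mask`."""
    return [name for name, allowed in autorun_status(mask).items() if allowed]


def fully_disabled(mask: int) -> bool:
    """True only when the mask suppresses AutoRun for all eight drive types."""
    return not still_enabled(mask)


def reg_file_text(mask: int = DISABLE_ALL) -> str:
    """Body of a .reg file (constructed here) that a login script or GPO can import."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_LOCAL_MACHINE\\{POLICY_KEY}]\r\n"
        f'"{VALUE_NAME}"=dword:{mask:08x}\r\n'
    )


def apply_policy(mask: int = DISABLE_ALL, dry_run: bool = True) -> str:
    """Write the value with winreg on Windows; elsewhere, or in dry-run, only report."""
    if dry_run or platform.system() != "Windows":
        return f"would set HKLM\\{POLICY_KEY}\\{VALUE_NAME} = {mask:#04x}"
    import winreg  # only available on Windows, hence imported lazily
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)
    return f"set HKLM\\{POLICY_KEY}\\{VALUE_NAME} = {mask:#04x}"


if __name__ == "__main__":
    # A constructed partial mask: bits 0, 4 and 7 set, so USB sticks and
    # CD-ROMs still AutoRun. The check makes that gap visible.
    partial = 0x91
    print("0x91 leaves AutoRun on for:", still_enabled(partial))
    print(reg_file_text())
    print(apply_policy(dry_run="--apply" not in sys.argv))
```

Run it without arguments to see the .reg text and a dry-run report; pass `--apply` on Windows from an elevated prompt to write the value. The `still_enabled` check is the useful part for an administrator auditing existing machines: a mask that is non-zero but not 0xFF is a common half-fix.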

Conclusion

As you can see, malware relies on a number of ways to spread, some of which are closed off by updating the operating system, and others by replacing less secure behaviour, chosen in less security-conscious times, with more secure modern settings.
 
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
 
Regards,

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Cybersecurity Awareness Month – Awareness for the Next Generation


Thursday, October 1st, 2009

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the current global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.

The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks where a person is socially engineered to provide personally identifiable information by someone posing to be a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).

A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals that have also had years of experience and that have optimized their attack and evasion techniques.

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director

Securing Our eCity community initiative: http://www.securingourecity.org/

The April Threat Report


Friday, May 1st, 2009

As we do each month, ESET has released its monthly threat report. As you might expect, there were a lot of Conficker detections out there. There were also almost as many detections for autorun threats that are not Conficker. In other words, if you have disabled autorun, then you protect against a lot more than just Conficker. Conficker also takes advantage of a vulnerability for which Microsoft issued a patch last year. There are lots of threats that exploit vulnerabilities, so if you aren’t keeping your operating system and applications patched, then there is a bunch more than Conficker to worry about.

A little bit about the “detections”. A detection does not necessarily mean an infection, though it can. ESET users who opt in to ThreatSense automatically upload statistics about what has been detected, regardless of whether it was blocked or newly found. With Conficker the detections are going to be users who were protected from Conficker attacks, as well as brand new users who were cleaning their machines.

Personally, Conficker is far less worrying to me than whatever is out there trying to exploit the vulnerabilities in Adobe Acrobat. Adobe has recommended disabling JavaScript in their products. If they had shipped Acrobat in a proper configuration, with JavaScript disabled, there would be far less impact from their recurring vulnerabilities.

Give Adobe time. One day they’ll catch up to where Microsoft was with security back in 2003.

You can read the entire report at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_April_2009.pdf

Randy Abrams
Director of Technical Education

Threat Trends In January


Thursday, February 5th, 2009

Here at ESET we have just released our Global ThreatTrends report for January 2009.

Not surprisingly, at the top of the list is a family of programs that exploit Microsoft’s longest unpatched vulnerability. That’s right, Autorun.inf is an evil “feature” that should have been patched out of existence a long time ago. Since it is so effective for malware, there are lots of threats that exploit it.

In the number two position we find a family of threats that steal passwords for online games. This is also pretty logical. There is a lot of money in the sale of “virtual” items and characters for real money.

In third place is the new kid on the block… the Conficker worm. Conficker is truly a tragedy as it is indicative of really poor security practices. Failure to patch your OS will leave you vulnerable to this worm. Autorun is another attack vector. If you disable autorun you take away another avenue of attack for Conficker and the most widespread threats we see. I’ll have a blog up in a day or two that will show you how to really kill autorun. It’s the patch that MS should have disclosed a long time ago. Administrative shares are another avenue of attack and weak passwords are still another security fault that Conficker exploits.

If you decrease the number of security holes you have, then your goalie, security software, faces fewer shots on goal. That is a basic defensive strategy. Prevention is always better than cure, and Conficker highlights that much more work is required in the prevention department.

You can read the whole report at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_January_2009.pdf

Randy Abrams
Director of Technical Education

Global Threat Report 2008, other papers, and AMTSO


Wednesday, January 21st, 2009

You may have noticed that I’ve been making a lot of references to this over the past few weeks. You can now download it here. Quite a few people have worked pretty hard to make this project happen, and I’d like to thank them now. I hope some of you will find it interesting and useful.

We’ve also been doing a little tidying of the white papers page, and there will be some additional material there in the near future, including papers on fake antimalware, the apparently late but unlamented Storm botnet, some of our recent conference papers on testing, malware naming, and user education, and an independent paper on spotting implementational errors in comparative tests that has also been referenced in the AMTSO document on The Fundamental Principles of Testing.

AMTSO (The Anti-Malware Testing Standards Organization) will be considering a number of additional documents next month, on a number of test-related topics, as well as the "terms of engagement" for the newly-appointed Reviews of Reviews board.

This board, on which ESET is represented, will implement one of the areas highlighted in the AMTSO preliminary charter: "Providing analysis and review of current and future testing of anti-malware and related products."

That’s a topic I certainly intend to come back to!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Top Ten 2008 Threats


Monday, January 19th, 2009

The top ten (twenty, twenty-five…) season doesn’t seem to have finished yet: the latest to cross my radar was something like seven ways of surviving the recession, which I’m sure is of interest to all of us, but not really in scope for this blog.

So here’s a snippet from our 2008 Global Threat Report, which is about to come out, and from which I’ve previously included some tasters here.

Our in-the-cloud threat-tracking system ThreatSense.Net® gives us a way of tracking detections of known threats over months or years (you may have noticed that I referred to it in a previous blog about Conficker/Downadup), so we looked at the top twenty threat detections reported between January and December 2008.

(See table 1 below)

As you’ll have noticed, there are quite a few very similar detections there such as INF/Autorun, INF/Autorun.gen, and Win32/Autorun.KS, or all the Online Games Password stealers, so we consolidated some of them into a single detection category, as we do for our monthly reports, and reduced the resulting detections to a top ten. (Sometimes, less is more.)

In fact, these detections could have been consolidated further – for instance, there’s an overlap between Pacex and gamer password stealers – but we think that table 1 gives a pretty good impression of the underlying trends, which seems to us more useful than focusing on individual variants and sub-families.

The top ten trends are shown in table 2 below.

There’s much more information in the forthcoming report (I’ll link it here when it’s available), but here’s a brief summary of what this table tells us about trends over the past year.

  • Gaming password stealers have the largest volume and percentage share over the whole year, even if we don’t include Pacex.gen detections. Gamers are a very popular target.
  • Malware that uses the Windows Autorun facility as an infection vector (a very broad classification label) runs gaming trojans a close second. Autorun would be a good idea in a better world, but in the one we actually live in, it’s better for most people if it’s disabled.
  • While the general classification of adware covers many distinct programs, the continuing presence of Win32/Toolbar.MyWebSearch and the many variants of the Virtumonde Trojan in the top ten give some idea of the size of the problem.
  • The GetCodec downloader and associated threats continue to be a major presence. This testifies to the continued success of social engineering of the “click here and install this program so that you can view this highly desirable content” genus.
  • Data theft through PC compromise is one of the most consistent aims of the malware author, as the Win32/Agent group of Trojans indicates.
  • The continuing presence of advanced detections like INF/Autorun, Win32/Statik and Win32/Genetik in the top ten testifies to the continuing need for sophisticated heuristics to flag the presence of new malware that doesn’t resemble known malware closely enough to be identified using an existing family identifier.

Table 1: Top 20 Detections

Malware Detection Name               Detections   % of total detections
Win32/PSW.OnLineGames.NMY            22990746     6.69%
INF/Autorun.gen                      13827373     4.03%
INF/Autorun                          10593305     3.08%
Win32/Toolbar.MyWebSearch             8921028     2.60%
Win32/Pacex.Gen                       8620971     2.51%
Win32/PSW.OnLineGames.NMP             6713116     1.95%
WMA/TrojanDownloader.GetCodec.Gen     5685400     1.66%
WMA/TrojanDownloader.Wimad.N          5218889     1.52%
Win32/PSW.OnLineGames.NNU             5096504     1.48%
Win32/Agent                           4859566     1.41%
Win32/Adware.Virtumonde               4588952     1.34%
Win32/AutoRun.KS                      4087011     1.19%
Win32/Genetik                         3828021     1.11%
Win32/Qhost                           3717897     1.08%
Win32/Statik                          3244414     0.94%
Win32/TrojanDownloader.Murlo.NN       3140400     0.91%
Win32/Agent.AJVG                      2900763     0.84%
Win32/HackAV.G                        2305628     0.67%
Win32/PSW.OnLineGames.ODJ             2270310     0.66%
Win32/Patched.BU                      2254901     0.66%

Table 2: Top Ten Trend Detections

Malware Detection Name               Detections   % of total detections
Win32/PSW.OnLineGames                37070676     10.78%
INF/Autorun                          28507689      8.30%
WMA/TrojanDownloader.GetCodec.Gen    10904289      3.18%
Win32/Toolbar.MyWebSearch             8921028      2.60%
Win32/Pacex.Gen                       8620971      2.51%
Win32/Agent                           7760329      2.25%
Win32/Adware.Virtumonde               4588952      1.34%
Win32/Genetik                         3828021      1.11%
Win32/Qhost                           3717897      1.08%
Win32/Statik                          3244414      0.94%
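The post describes folding closely related detection names into one trend category but does not show the procedure. The following added example (not ESET's own tooling) reproduces Table 2 from the Table 1 figures above. The grouping rules are my reading of the consolidation described in the post: the Autorun variants, the OnLineGames variants, GetCodec together with its Wimad relative, and the Agent family each collapse into one line; Pacex is deliberately left separate, as the post notes it could have been merged but was not.

```python
"""Consolidate a top-N detection table into trend categories.

Added example, not ESET code. TABLE1 holds the figures printed in the post's
Table 1; trend_category() encodes the consolidation rules described in the text.
"""
from collections import defaultdict
from decimal import Decimal

# Table 1 from the post: (detection name, detections, % of total detections).
TABLE1 = [
    ("Win32/PSW.OnLineGames.NMY", 22990746, "6.69"),
    ("INF/Autorun.gen", 13827373, "4.03"),
    ("INF/Autorun", 10593305, "3.08"),
    ("Win32/Toolbar.MyWebSearch", 8921028, "2.60"),
    ("Win32/Pacex.Gen", 8620971, "2.51"),
    ("Win32/PSW.OnLineGames.NMP", 6713116, "1.95"),
    ("WMA/TrojanDownloader.GetCodec.Gen", 5685400, "1.66"),
    ("WMA/TrojanDownloader.Wimad.N", 5218889, "1.52"),
    ("Win32/PSW.OnLineGames.NNU", 5096504, "1.48"),
    ("Win32/Agent", 4859566, "1.41"),
    ("Win32/Adware.Virtumonde", 4588952, "1.34"),
    ("Win32/AutoRun.KS", 4087011, "1.19"),
    ("Win32/Genetik", 3828021, "1.11"),
    ("Win32/Qhost", 3717897, "1.08"),
    ("Win32/Statik", 3244414, "0.94"),
    ("Win32/TrojanDownloader.Murlo.NN", 3140400, "0.91"),
    ("Win32/Agent.AJVG", 2900763, "0.84"),
    ("Win32/HackAV.G", 2305628, "0.67"),
    ("Win32/PSW.OnLineGames.ODJ", 2270310, "0.66"),
    ("Win32/Patched.BU", 2254901, "0.66"),
]


def trend_category(name: str) -> str:
    """Fold closely related detection names into one category; otherwise keep the name."""
    lowered = name.lower()
    if lowered.startswith("win32/psw.onlinegames"):
        return "Win32/PSW.OnLineGames"       # all the gamer password stealers
    if "autorun" in lowered:
        return "INF/Autorun"                 # INF/Autorun, INF/Autorun.gen, Win32/AutoRun.KS
    if lowered.startswith("wma/trojandownloader"):
        return "WMA/TrojanDownloader.GetCodec.Gen"  # GetCodec and the related Wimad downloader
    if lowered.startswith("win32/agent"):
        return "Win32/Agent"                 # the Win32/Agent group of Trojans
    return name                              # Pacex, MyWebSearch, Genetik ... stay as they are


def consolidate(rows, top_n=10):
    """Sum detections and shares per trend category, then keep the top_n by volume."""
    counts = defaultdict(int)
    shares = defaultdict(Decimal)            # Decimal keeps 6.69 + 1.95 + ... exact
    for name, detections, pct in rows:
        category = trend_category(name)
        counts[category] += detections
        shares[category] += Decimal(pct)
    ranked = sorted(counts, key=lambda c: counts[c], reverse=True)
    return [(c, counts[c], float(shares[c])) for c in ranked[:top_n]]


def format_table(rows) -> str:
    """Render consolidated rows in the same plain-text layout as the post's tables."""
    lines = [f"{'Malware Detection Name':<36} {'Detections':>10}  % of total detections"]
    for name, detections, pct in rows:
        lines.append(f"{name:<36} {detections:>10}  {pct:.2f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(consolidate(TABLE1)))
```

The output matches Table 2 line for line, which is a useful sanity check that the categories really are simple sums of the Table 1 rows rather than a separate data pull. The same function applied with a looser `trend_category` (for example, one that also folds Pacex into the gamer category) shows how quickly the ranking changes with the grouping policy.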

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Protection Part 7


Monday, January 5th, 2009

If sensitive information is stored on your hard drive (and if you don’t have -something- worth protecting on your system, you’re probably not reading this blog…), protect it with encryption.

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks such as an escrow site going out of business and so on.

Consider (seriously!) regularly backing up your data to a separate disk (as a bare minimum) and, where possible, a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original: if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer they’ll "all go together". In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what one site I know of did, and back up data to a server, but forget to back up the server itself.

I’m sure I don’t need to remind you to take care of your passwords as well, do I?

David Harley BA CISSP FBCS CITP

Ten Ways to Protect Yourself: Part 3


Thursday, January 1st, 2009

Log on to your computer with an account that doesn’t have “Administrator” privileges, to reduce the likelihood and severity of damage from self-installing malware. Multi-user operating systems (and nowadays, few operating systems assume that a machine will be used by a single user at a single level of privilege) allow you to create an account for everyday use that has fewer privileges than are available to an administrator.

Most competent system administrators are familiar with (and adhere to) this “principle of least privilege” – simplistically, the more privileges you have as a user, the more damage you can do – and use a privileged account only when they need it to perform a specific task. Following their lead will give an extra layer of protection. However, as always, you shouldn’t think of this as any sort of Magic Bullet. Apart from the fact that there is no Magic Bullet, some modern operating systems have somewhat diluted the least privilege model, making it rather easy for a user with little knowledge of the security implications of administrative privilege to use it inappropriately, exposing the system to threat.