5. Current State of Affairs

Malware infection ratios

1. Trojans accounted for 61% of all malware created during the first quarter of 2010.
2. The next category was viruses, which totalled just over 15%.
3. Adware is now in third place, accounting for 14% of all malware created. This category includes malicious programs such as rogueware or fake antivirus products, which have continued to grow since they first appeared two years ago. As with Trojans, the reason for the existence of rogueware is purely financial.
4. Worms are at 8.7% and spyware, accounting for just 0.29%.
5. The ‘others’ category accounts for just 1% of the total malware.

Current Trends in Malware

1. Various Malware Forms Adopting the Rootkit Technology
2. Banking Trojans Grow Smarter as They Follow the Money
3. Malware Writers Target the most popular, Adobe, Microsoft Products
4. Growing threat from Zero Day vulnerabilities
5. Botnet Warfare
6. Scareware on the Rise
7. Web Evolution Leads to Escalating Attacks
8. Targeted Attacks on the Rise

1. Malware Forms Adopting the Rootkit Technology

As rootkits evolved, they were also being embedded in malicious programs. In those days it was difficult to create stealth technologies independently, because little was written about this field: as a result, the small number of malicious rootkits could be divided into three categories:

• Trojans which used ready-made tools and libraries to hide themselves. The overwhelming majority of these Trojans used Hacker Defender and FU.

• Ready-made malicious rootkits which could be downloaded or purchased and which could be modified by the user. Haxdoor is one example. Like HacDef, Haxdoor was very popular in the fall of 2005; Kaspersky Lab was adding around ten new signatures daily to protect against new variants of Haxdoor.

• Custom rootkits developed for targeted attacks. AV vendors usually learned about these rootkits directly from customers, mostly large enterprises. Typically, virus analysts conducted on-site manual forensic investigations after network administrators couldn’t identify the cause of the problem. This group of rootkits was extremely small, but the samples showed a high level of technical sophistication.

By 2005, almost 80% of extant rootkits were variants of HacDef and Haxdoor. Rbot and SdBot were the first multi-functional backdoor Trojans to include built in rootkit technologies. The motive was clear; any technologies that improved the overall functionality of a commercial Trojan resulted directly in additional financial gain for the author and/or controller. Thus bot masters were the first to latch on to stealth/rootkit technologies.

By 2006 we saw rootkit technologies being built into common email worms such as Bagle; Trojan-Spy programs such as Goldun; and Mailbot programs, such as Rustock. This development proved to be a serious challenge for AV vendors. And the trend continues.

Stuxnet is one of the most recent and perhaps the most dangerous malware making use of the rootkit technology.

2. Banking Trojans Grow Smarter as They Follow the Money

In 2009 criminals adapted their methods to more effectively attack online banking and get around current protections used by banks. Trojans demonstrated new tactics that went well beyond the rather simple keylogging-with-screenshots efforts that we had seen in previous years. Most Trojans now use rootkit techniques to hide on a victim’s system and disable anti-virus software or prevent signature updates. Often the victim’s computer becomes part of a botnet and receives malware configuration updates.

Simple Trojans, such as those predominant in South American countries, lie dormant until the victim opens the bank’s website. They then add fields for the user to fill in, asking for credit card number and ATM PIN, for example, or for a couple of indexed transaction authorization numbers (iTANs). The Trojan usually comes with a configuration file that contains information for hundreds of banks, specifying the additional fields and their layout and mimicking the bank’s design. Although these Trojans, such as Torpig, are still popular today, they are far from state of the art.

More troublesome is the Silentbanker family. These Trojans can silently change the details a user enters to transfer the money to the attacker during a transaction. The user is not aware that anything is amiss until the next account statement arrives. Bebloh, also known as URLZone, takes this deception even further. This Trojan not only changes the transaction details to suit the attacker but it will also check the user’s account and transaction limits and stay just below them to avoid alerting the bank. Bebloh also keeps track of the transactions the user originally made and changes the account statement to display these instead of the real transactions. Of course, the account balance is modified as well. The latest, and perhaps most worrisome, development comes from the Zeus family. These Trojans are frequently updated with new versions and are sold on underground forums to anyone interested in starting a career in crime. Zeus comes with a command and control server and is extremely flexible in its configuration, allowing easy adjustments to a criminal’s specific needs. Now there is a man-in-the-middle console that allows an attacker to operate in real time. The attack could occur like this: When the victim logs into an online banking account the user sees a maintenance bar that moves slowly until it is full, and then must answer additional security questions, with everything in the bank’s website design. These steps help buy time for the attacker. The moment the victim logs in, the attacker is notified and initiates a transaction while the victim is waiting. In the next step the victim is asked to register his or her mobile phone number and to confirm this with a specific iTAN. The attacker uses this iTAN, which the bank requests, to complete the illicit transaction. Once the victim enters the iTAN, the attacker completes the transaction and the victim gets to see a message saying the phone registration was successful but that online banking is closed for maintenance.

3. Malware Writers Target the most popular, Adobe, Microsoft Products

The year 2009 saw an increase in attacks targeting client software. The favourite vector among attackers is Adobe products, primarily Flash and Acrobat Reader. Using reliable “heap spray–like” and other exploitation techniques, malware writers have turned Adobe apps into a hot target. Further, Flash and Reader are among the most widely deployed applications in the world, which provides a higher return on investment to cybercriminals. Based on the current trends, Adobe product exploitation is likely to surpass that of Microsoft Office applications in the number of desktop PCs being attacked.

(i) Recently Patched Adobe PDF Vulnerability Again Targeted

Hackers have once again targeted the newly patched Adobe PDF Reader flaw to implant Trojan virus downloaders on Windows systems. As per the researchers at malware protection center of Microsoft, the vulnerability called CVE-2010-0188 was patched just few days back in February 2010, confirming that hackers are extremely quick to explore new targets for their malicious payload.

In his blog posted on March 8, 2010, Marian Radu, security researcher, Microsoft, said that while lately examining a malware containing PDF file, he noticed a new flaw abused by the sample. After some deep probing, he observed that the sample abused CVE-2010-0188.

Giving further details on the attack, Radu said that Adobe Reader opens and after that closes upon the installation of PDF file while executable file called a.exe is directly installed in the C:\ drive. The a.exe file, which is implanted into the PDF, looks to link to a .biz registered domain in order to install other files. Further, JavaScript is used to exploit this flaw effectively.

The Microsoft’s researcher said that the malware containing file has presently been identified as Exploit: Win32/Pidief.AX. Moreover, the dropped malware has been detected as TrojanDownloader: Win32/Qaantiz.A.

The security experts opined that assaults using PDF bugs are surging; as a result, Adobe is facing troubles fighting its bad reputation as far as products puzzled with vulnerabilities are concerned.

It is noteworthy that Adobe had already cautioned about the recent attack in February 2010, advising users to update the software to the latest version which is automatically offered to all its users. Unfortunately, some of the users did not notice the memo and thus, the vulnerability is being abused for targeted assaults. Moreover, security experts added that most of times, users are not aware of the regular updating that should be performed to evade cyber attacks. As a healthy practice, the security experts suggest that users should update their operating system and all the applications. They also asked them to avoid opening files coming from suspected sources.

(ii) Malicious Adobe Flash files

Adobe Flash files (often called swiff files due to their .swf file extension) use a binary file format and require a player in order to be displayed to the user. The Flash player generally comes in the form of a web browser plugin, which is used to display Flash files embedded in web pages. However, there is also a standalone player that can execute Flash files without the need for a web browser. Flash is often used to create Flash-based advertisements that perform malicious actions.

Following are few of the instances showing manipulation of Adobe products, to make them malicious:

Security researchers have recently spotted a type of malicious software that overwrites update functions for other applications, which could pose additional long-term risks for users.The malware, which infects Windows computers, masks itself as an update for Adobe Systems’ products and other software such as Java. Users can inadvertently install malware on computers if they open malicious email attachments or visit Web sites that target specific software vulnerabilities. Adobe’s products are one of the most targeted by hackers due to their wide installation base.

(iii) Adobe zero-day vulnerability exploited by backdoor Trojan on a PDF file

The zero-day vulnerability on Adobe Flash, Reader, and Acrobat is being exploited by a strain of malware. Symantec’s Joji Hamada claimed that Trojan.Pidief.J, a PDF file that drops a backdoor onto the compromised computer if an affected product is installed, is a new threat to the vulnerability.

Hamada said that attacks on the vulnerability can take place by receiving an email with a malicious PDF attachment or with a link to the malicious PDF file or through a website with the malicious SWF embedded in HTML code or by stumbling across a malicious PDF or SWF file when surfing the web.

There have also been attacks using a malicious SWF file (detected as Trojan Horse) in conjunction with a HTML file (detected as Downloader) to download another malware (detected as Backdoor.Trojan) from the web.

The attacks seem limited at this point. However, other cyber criminals may jump on the bandwagon to take advantage of the vulnerability in the very near future.

4. Growing threat from Zero Day vulnerabilities

Following is a list of vulnerabilities targeting Microsoft products:

i) Aurora Attack

The first quarter of 2010 saw numerous incidents of cyber-crime widely reported in the media. Google reported that a sophisticated and coordinated attack, dubbed ‘Operation Aurora’, had targeted a number of large multinational companies. Hackers had exploited vulnerability in Internet Explorer to silently install a Trojan on computers, thereby remotely accessing users’ confidential information. This zero-day vulnerability affected three versions of Internet Explorer <6, 7 and 8> on Windows 2000 SP4, WXP, 2003, Vista and Windows 7. Here Microsoft offers more details. The vulnerability has been identified as CVE-2010-0249 and KB979352, and the official Microsoft security patch, classified as critical, can be downloaded and installed from MS10-002.

Several Google employees in various countries received strange emails inviting them to access a Web page through a link. What happened then has been recognized as one of the most sophisticated cyber-attacks ever. The attack affected more than 30 multinational companies. Perhaps one of the most interesting aspects of this case, according to some sources, is that the people who received the emails were not chosen at random, rather they were high-ranking management who supposedly had privileged access rights to various applications. This is what we call a ‘targeted attack’, as opposed to massive or indiscriminate attacks.

The Trojan made encrypted connections to servers hosted in Texas and Taiwan. One of the main characteristics of the attack was the use of dynamic DNS, making it difficult to follow the trail. However, certain servers were identified which hosted domains registered by the Peng Yong 3322.org service in China, according to various technical reports. Google claimed that China was responsible for the attack, given that one of the source servers was in the country. The Chinese authorities denied all responsibility.

5. Botnet Warfare

During the last six years, botnets have become the biggest thorn in the side of cyber security professionals. Botnets have become the essential infrastructure used by cybercriminals and nation states for launching nearly every type of cyberattack: from data exfiltration and espionage to spam and distributed denial of service. By using an extremely cheap-to-acquire and seemingly infinite supply of stolen computing power and bandwidth across the globe, attackers can not only amplify the impact of their attacks but also hide their true identities and locations behind numerous hops of compromised machines in their service.

To combat this growing menace, security researchers and key infrastructure partners from telecommunications and domain-registration communities have begun to strategically target and shut down the control infrastructure of most threatening botnets. The goal is to deny this essential capability to the criminals and reduce the threat traffic traversing the Internet. In many cases the targets in the crosshairs of the security community have been illicit ISPs that provided “abuse complaint–resistant” hosting for numerous cybercriminal operations. These services have not been quickly shut down in spite of complaints of criminal conduct emanating from that hosting space. ISPs and domain registrars such as Russian Business Network, McColo, Atrivo, 3FN, UkrTelegroup, and EstDomains have long been favourite places to park control servers through which the botnet owners would issue commands and updates to their global networks of zombies.

In 2010, it is expected that there would be a significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies rather than on the centralized hosting model that is prevalent today.

(i) Kneber

In Feb 2010, NetWitness announced the dismantling of a botnet called Kneber. This was widely reported in the media, given the startling nature of the statistics released: 75,000 computers infected across 2,500 organizations worldwide. Kneber was based on the infamous Zeus Trojan, which first appeared in 2007 and has been infecting users ever since.

(ii) Mariposa

In early March 2010, it was announced that the largest botnet known to date had been closed down, and that three of the suspected ringleaders had been arrested. The botnet was called Mariposa (Spanish for Butterfly). Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, thus preventing from identifying their real IP addresses.

6. Scareware on the Rise

One key profit-driven malware trend of 2009 was the boom in “scareware,” or fake antivirus security product scams. These attacks prey on IT security fears and fool users into believing their computer has a problem when it does not. Typically, scareware is planted on websites in the form of pop-up advertisements or disguised downloads. There have also been occasions when hackers have spammed out scareware, or links to it, using traditional social engineering tricks to fool users into clicking on the attachment or link. Such scams have taken advantage of the full gamut of vectors to reach new audiences: links sent out via email promising lottery winnings, malvertising surreptitiously planted on legitimate sites or even paid for, messages spread via social networking sites such as Twitter or Facebook, and most deviously the use of search engine optimization.

SEO attacks draw users searching for trending news stories and events, such as the deaths of pop stars or actors, whether real or only rumoured, and even genuine security scares. These malware threats are generally web borne, reached via email links or subverted search engine results, and this vector is now by far the dominant method of spreading malware.

7. Web Evolution Leads to Escalating Attacks

2009 saw increased attacks on websites, exploit cocktails thrown at unsuspecting users, infrastructure failure via natural and unnatural causes, and “friendly fire” became a larger problem than ever. With Facebook reaching more than 350 million users, it is expected that 2010 will take these trends to new heights. Criminal toolkits are evolving rapidly to use new technologies that increase the sophistication of the attack—leaving even more users blind to the risks. Malware authors love following the social networking buzz and hot spots of activity; that will continue in 2010. As Google and other providers crack down on search engine poisoning, we expect that Twitter and similar services will increase in appeal for such purposes.

Along with Twitter’s success, there has been widespread adaptation of abbreviated URL services, such as bit.ly and tinyurl.com. These services now appear in all sorts of communications—making it easier than ever to mask the URLs that users are asked to click. This trick will play a more predominant role in 2010; it’s the perfect avenue to direct users to websites that they would normally be wary about visiting.

As users’ expectations of their Web 2.0 services evolve, it is expected that there will be many rogue services set up with the hidden purpose of capturing credentials and data. Users blindly distribute applications; with the widespread availability of stolen credentials it could become very easy to launch and share these rogue apps across a wide population. The audience is there: Facebook boasts more than 350,000 active applications1 and Apple’s App Store recently reached the 100,000 mark. And that’s not counting the numbers in other markets. Wherever and whenever a trusted mainstream website distributes or promotes third-party content, attackers seek to abuse the trust relationship established between the site and their users. Users often let down their guard when clicking hyperlinks sent from their friends, or when installing applications offered by well-known sites.

8. Targeted Attacks on the Rise

Email is increasing in popularity as the preferred method for targeting attacks against individual users, corporations, and government institutions. Although such attacks were rare some years ago, we now see many reports of successful assaults, both by criminals and for espionage, in which an email with an attachment or a link to a website is the attack vector. Those emails have been specifically crafted to get the attention of a particular individual. The success of such attacks is certainly helped by vulnerabilities in a number of popular applications that process and display attached documents or media files. These security holes allow malware to install Trojans when users open files that most people expect to be benign. We anticipate that these attacks will continue to increase in 2010.
In 2009 a couple of major incidents represented the tip of the iceberg, as such incidents are rarely made public. In March, following a ten-month investigation, authorities disclosed the “GhostNet,” a network of at least 1,295 compromised computers in 103 countries. The machines primarily belonged to government, aid groups, and activists. The attack was carried out by emails with subject lines related to the Dalai Lama or Tibet. The emails carried malicious attachments that connected the infected machines to systems located in China. (No evidence suggests the Chinese government was involved.)


[1] Panda labs results, quarterly report, 2010.
[2] http://www.securelist.com/en/analysis?pubid=204792016
[3] McAfee Labs, 2010 Threat Prediction, 2010.
[4] http://www.infoworld.com/d/security-central/new-malware-overwrites-sadobe-software
[5] http://www.spamfighter.com/News-14048-Recently-Patched-Adobe-PDF-Vulnerability-Targeted
[6] http://www.scmagazineuk.com/adobe-zero-day-vulnerability-exploited-by-backdoor-trojan-on-a-pdf-file

pages: 1 2 3 4 5 6 7 8 9 10


Comments are closed.

This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 46123 items have been purified.