Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/5/2012
01:20 AM
Dark Reading
Dark Reading
Security Insights
50%
50%

Android Riskier Than PCs: Sophos Security Threat Report 2013

Acceleration of BYOD and cloud, challenges caused by ransomware, continued threats coming from Blackhole, and what to expect in 2013

Annual security threat reports are expected from security companies, while security professionals chomp at the bit to read the research findings.

Sophos recently made its report available for public consumption. The report contains information about new platforms and changing threats, Blackhole, Java, Android as a target, ransomware is back, OS X and the Mac, cybercriminals taken down in 2012, polymorphic and targeted attacks, and what to expect in 2013.

The report opens immediately covering the Blackhole Exploit Kit's 2.0 growing success, which is a crime pack that is taking advantage of software-as-a-service (SaaS) for cybercriminals to rent time to deliver malware during their campaigns. Blackhole Exploit Kit (BHEK) was found representing 27% of the exploited sites and redirects. Redirects are when legitimate websites become compromised and send the user's Web browser to Blackhole for delivering a polymorphic payload.

As stated in the report, "[Blackhole] combines remarkable technical dexterity with a business model that could have come straight from a Harvard Business School MBA case study." That doesn't bode well for security professionals thwarting off cybercriminals and, even worse, for home users.

Bar Chart: Android Threats Accelerate

The Sophos Security Threat Report will take you through the four stages of the Blackhole life cycle. I also recommend reading "Inside a Black Hole" from SophosLabs.

SophosLabs is hard at work tracking Blackhole to detect the changing exploit kit and to counter Blackhole's detection countermeasures. More details are provided in the report, including advice on how to protect your systems.

In 2012, social media sites such as Facebook, Pinterest, and Twitter, to name a few, are where billions of people flocked to provide their statuses, share media, and market their wares. They also were in the company of cybercriminals looking to socially engineer anyone they can in order to deliver malware or phish user account information. The objectives are clear: to steal personal information and deliver more malware.

Social media attacks won't subside in 2013, and they are targeting mobile platforms even more, primarily Android.

From a mobile malware standpoint, Android has become the biggest target, with 52.2 percent market share.

Gerhard Eschelbeck, Sophos' CTO, wrote in the report foreword: "While malware for Android was just a lab example a few years ago, it has become a serious and growing threat."

SophosLabs compiled the Android Threat Exposure Rate (TER), which found countries such as Australia, the U.S., and Germany having a higher percentage of Android devices that experienced a malware attack than PCs over a three-month period.

The report goes on to discuss examples of Android mobile malware techniques to send SMS messages for profit (Andr/Boxer), escalate privileges (i.e. the INSTALL_PACKAGES permission), join the Android device to a botnet (Andr/KongFu-L), and steal banking information (Andr/Zitmo).

Rooting an Android tablet or smartphone is a popular modification to the device for various personal reasons. SophosLabs says in the report, "Rooting bypasses the built-in Android security model that limits each app's access to data from other apps . It's easier for malware to gain full privileges on rooted devices, and to avoid detection and removal."

If mobile malware has an easier opportunity to gain full privileges on rooted devices, then the best advice is to block root devices from getting onto your protected networks.

Get more facts from the full report by downloading the Sophos Security Threat Report 2013 from Sophos directly, without the hassle of a gated registration page. How nice.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter at @DSchwartzberg

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5312
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

CVE-2012-6662
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

CVE-2014-1424
Published: 2014-11-24
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."

CVE-2014-7817
Published: 2014-11-24
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

CVE-2014-7821
Published: 2014-11-24
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?