02:21 PM
Dark Reading
Dark Reading

Slide Show: Top 10 Malware Advances In 2012

Blackhole's business model, Flashback's Mac fetish, ransomware's resurgence with Reveton, and Gauss' ability to guard against analysis among the game-changers this year

It's frequently said that cybersecurity is an arms race, with defenders constantly adapting to attackers, and attackers finding ways to better evade their target's defenses.

For malware in 2012, the analogy is an apt one. Malicious programs continually evolved in 2012, whether using new technical approaches to infection, novel business models, or demonstrating the vulnerability of areas thought unrelated to cybersecurity. Flashback demonstrated that the Mac OS X had become a viable target for cybercriminals, while the Blackhole Exploit Kit refined the crime-as-a-service business model.

Malware also became a tool of nations in 2012, in many cases aimed at gathering intelligence in the Middle East. While previous years had hinted that nation-states would develop malware as one weapon in their arsenal, half of this year's list of malware was used for political aims. The Da Vinci Trojan illustrated that governments had taken to buying malware for surveillance, while Flame and Gauss hinted at what well-funded adversaries could accomplish. Many other malicious attacks had political aims, even if they were not carried out by governments, says Liam O Murchu, manager of operations for Symantec's security response group.

"We are seeing different motivations coming into play -- that is, revenge or hacktivism," Murchu says. "We don't see the attacks done for as much of a profit motivation, but for political reasons."

Graphic: Kaspersky Lab

The Middle East became a hotbed of malware activity in 2012. In July 2012, security firms Kaspersky Lab and Seculert published research on Mahdi, an espionage program that collected information on critical infrastructure systems, financial services and government agencies in Iran, Israel, and Afghanistan.

While Mahdi's features resembled other cyberespionage tools found in suspected nation-state malware such as Duqu and Flame, the level of programming suggests that an independent actor is more likely the culprit, says Roel Schouwenberg, senior antivirus researcher with Kaspersky Lab.

"When it comes to any kind of geopolitical situation right now, you can bet there will be a cyber aspect to it," he says. "It is easier and cheaper. If you can get cyber to do the brunt of the work for you, it is much safer and a cheaper investment.

Graphic: Seculert

Security firms increasingly publicized the exponential increase in mobile--read Android--malware in 2012, especially in the third quarter of the year. Yet the numbers failed to speak to the threat level faced by mobile users. Most companies measured the number of malicious programs added to a variety of app stores--mainly insecure third-party stores--and not actual infection attempts seen by mobile users. While infection rates of phones in Russia and China hit high levels, less than 1 percent of phones in the United States and Canada were infected, according to estimates based on traffic analysis.

In addition, companies typically warned about attacks such as information stealing, theft of service and toll fraud--standard fare in the world of malware. Mobile malware will undoubtedly become a problem, and future attacks may instead use unique aspects of mobile devices to monetize infections in new ways.

A striking example is the PlaceRaider program created by researchers at the University of Indiana at Bloomington and the Crane Division of the Naval Surface Warfare Center (NSWC). The program uses an infected device to take surreptitious pictures of offices or other spaces where a worker might use a smartphone. PlaceRaider then identifies the best photos and transmits them back to home base, where the attacker can turn the phones into a 3-D representation of the target's environment.

Graphic: Indiana University at Bloomington

While much malicious software helps its creator steal data, use a victim's computer for spamming or denial-of-service attacks, or perpetrate fraud, a number of programs in 2012 were purely destructive. The Shamoon attack on oil companies in the Middle East aimed to wipe out all data on affected systems and severely impacted nearly 30,000 systems at oil giant Saudi Aramco.

While destroying data is nothing new, Shamoon and the program it emulated, Wiper, took their destructive actions to further political aims.

"There was this question of whether cybersabotage would go mainstream, and Shamoon answered that question," Kaspersky Lab's Schouwenberg says. "It would definitely be difficult for a company to recover from this sort of attack."

Graphic: Kaspersky Lab

Threatening consumers and then asking them for money is an old tactic. Fake antivirus scams would generally consist of pop-up ads that told targets that their computer was infected: Anyone who clicked on the ad would face a stream of pop-up warnings until they paid or cleaned their system.

Now attackers have distilled the tactic even further. With ransomware, a program locks a victim's computer until they pay the attacker and receive a key to unlock the system. To head off complaints to law enforcement, ransomware such as Reveton claims the system has been locked by federal law enforcement.

It's an old tactic, but one that has seen a resurgence. In the third quarter of 2012, McAfee documented a three-fold increase in ransomware samples, to more than 200,000, compared to the same quarter a year ago. Symantec calculates one scheme could have netted the perpetrators $5 million, if it ran non-stop for a year. While some ransomware does not encrypt a PC's data, but merely compromises the system, the trend is toward more serious attacks, says Richard Wang, manager of the research labs for antivirus firm Sophos.

"We are starting to see irreversible malware," Wang says. "They are using much more robust encryption."

Graphic: FBI

In 2012, the Mac OS X came under serious attack. Flashback infected anywhere from half a million to a million systems and was as technical a piece of malware as any seen on Windows. The attack included a zero-day exploit for Java, used server-side polymorphism to deliver unique binaries to victims and evade antivirus software, and used a relatively low-profile monetization scheme known as click fraud.

"The attackers specifically focused on Mac OS X--they knew what they were doing," says Symantec's O Murchu.

The attack could have earned the Flashback operators millions of dollars a year, but because the malware became notorious and the pay-per-click scheme relied heavily on a single provider, the attackers unlikely collected their money.

Graphic: Dr. Web

While a number of likely nation-state attacks were discovered in 2012, researchers also found a second class of attack: commercially made surveillance Trojans used by governments to collect information on citizens. The Da Vinci malware discovered by Dr. Web is actually monitoring software known as the Remote Control System, made by Italy-based Hacking Team. Similar to the FinFisher surveillance tool made by Gamma International, DaVinci allows the remote infection and monitoring of intelligence and law-enforcement targets by government.

However, the companies were criticized for selling the software to regimes that used the Trojans to monitor dissidents. Much of the analysis came from the pro-free speech project at Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto.

"For years, we have talked about FinFisher and the stuff from Hacking Team, but it has finally been discovered, because of all the dissidence going on in the Middle East," says Kaspersky Lab's Schouwenberg.

Graphic: Citizen Lab at the Munk School of Global Affairs, University of Toronto

While it's been around for several years, the ZeroAccess botnet thrived in 2012 by keeping ahead of defenders. The botnet infected more than 2 million systems worldwide, according to research by network protection firm Kindsight.

ZeroAccess contains a sophisticated rootkit that has adapted with new techniques over the years. The malware installs a tough-to-takedown peer-to-peer botnet, from which the operators run a click-fraud scheme, stealing millions of dollars a year. The group behind ZeroAccess has tailored the rate of clicks--about 140 per day--to emulate a real user.

"It's rootkit functionality is definitely one of the most sophisticated," said Brett Stone-Gross, senior security researcher with Dell SecureWorks. "And click fraud is a very popular way to make money which has not gotten that much attention."

Graphic: F-Secure

A suspected nation-state cyberespionage program, Gauss is strongly linked to Flame and likely came from the same or a related developer. Resembling a banking Trojan, Gauss steals account information for various financial institutions based in the Middle East.

However, the program also used machine-specific encryption to make certain aspects of its program unreadable unless on a specific machine, making analysis very difficult. The program's main functionality, its payload, is still indecipherable, Kaspersky Lab's Schouwenberg says.

"Still nobody has been able to decrypt the payload," he says. "The payload is directed toward machines with a very specific configuration ... it uses system attributes to create a key and try to decrypt its instructions."

Researchers believe that malware writers will increasingly use such encryption techniques--resembling digital-rights management used by developers to stop illegal copying--to prevent defenders from analyzing the programs.

Graphic: Kaspersky Lab

While many malicious program have innovated technologically, the Blackhole exploit kit--a suite of tools for running a cybercrime business--has mainly improved on delivering easy-to-use tools to the Internet's criminal class.

That focus on "customers" has turned the Blackhole toolkit into a success. It topped the chart of malicious code detected by Microsoft in the first half of the year, and more than a quarter of all drive-by downloads in 2012 attempted to install a malicious program through the Blackhole kit, according to security firm Sophos.

"Similar kits have existed before, but what Blackhole has done is provide an exploit kit in a much more business-like fashion," says Sophos's Wang. "They will manage the process of keeping it up to date for you. It lowers the bar to entry for anyone that want to set up a drive-by attack."

Graphic: Microsoft

Stuxnet set the bar for an advanced cyberweapon, with its ability to penetrate an air-gapped network, find systems controlling uranium-processing centrifuges, and physically destroy the hardware. Similarly, Flame sets the bar for a sophisticated cyberespionage operation, Kaspersky's Schouwenberg says.

The malware, first reported on in May, could spread within a network using the Windows update mechanism, a first for a malicious program. In addition, the attackers had found a way to generate a code-signing MD5 hash that exactly matched one used by Microsoft, allowing the program to bypass most security software. Once on a system, it would steal as much information as possible, using USB drives to exfiltrate data from computers not connected to the Internet.

"Overall, the quality is the probably the best that we've seen--the same or a bit above Stuxnet even," Schouwenberg says. "Being able to spread via Windows update blows everything out of the water."

Graphic: OpenDNS

Comment  | 
Email This  | 
Print  | 
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service