2011 Summary PandaLabs annual Report

01 Introduction
02 2011 at a glance
   - Social networks
   - Cyber-crime
   - Cyber-war
   - Mac
   - Mobile malware
   - Cyber-activism
03 Malware figures in 2011
04 2012 Security Trends
05 Conclusion
06 About PandaLabs


01| Introduction

Here you will find a summary of the most notable figures regarding malware creation and infections in 2011, a year that has set a new record for malware with 26 million new strains in circulation.

We also cover social networks, where Facebook is still king both in terms of users and the number of attacks suffered, and we take a look at the cell phone and tablet sector, where Android has become the number one target for cyber-crooks.

2011 has undoubtedly been the year of cyber-security awareness, with the headlines frequently featuring reports of serious cyber-attacks. We have seen the largest data breach to date, as Sony’s PlayStation Network was hacked, affecting millions of users. In all, Sony suffered over a dozen attacks, with theft of over 100 million user details. Similarly, Steam, Valve’s online gaming platform, was hit by attackers who stole personal information belonging to more than 35 million customers.

Cyber-war has also been one of the top stories of the year. There have been cases all over the world and numerous nations have been affected. This kind of attack not only affects governments, but also government contractors like weapons manufacturers.

This report recaps the major computer security events that occurred in 2011, and forecasts future trends for 2012.


02| 2011 at a glance

Social networks play a vital role in the life of Internet users, with Facebook and Twitter as the world’s biggest social media sites. This year we have seen the launch of a new social networking service in a bid to rival Facebook: Google+.

Social networks

GOOGLE+.

Despite its rapid growth, with more than 25 million users registered in just a few weeks, Google+ is still far away from its direct competitor, Facebook, which makes it less of a target for cyber-crooks. However, we have seen a curious attack: right after its launch, as invitations were not open to everyone and there was huge expectation and interest in getting one, Google+ became the subject of a scam… on Facebook. Fraudsters created a Facebook page titled “Get Google Plus Invitation FREE” where users just had to click the ‘Like’ button to get an invitation. Obviously, you also had to provide your email address to receive the invitation which, unfortunately, never came.

FIG.01. MARK ZUCKERBERG’S FACEBOOK PAGE HACKED.

Finally, if there is one thing that social networks prove, it is that users are very much capable of making the same mistakes over and over again. Malware campaigns fooling Facebook users into believing they will discover who is secretly viewing their profiles are still hugely successful, and infect thousands of computer users around the world.

These scams are actually quite frequent on Facebook, cyber-crooks’ favorite platform for launching social engineering attacks by exploiting real or fake news stories.

For example, a few hours after Steve Jobs’s death, scammers had created a Facebook page called R.I.P Steve Jobs, attracting thousands of users. The page gained five new fans every second and amassed more than 90,000 fans in just a few hours. It contained a malicious URL and a text claiming that 50 free iPads were being given away ‘in memory of Steve Jobs’. Obviously, this was nothing but a scam, and once the user clicked the URL (which ended with “restinpeace-steve-jobs”), they were taken to a website offering prizes like iPads, Sony Bravia TVs, etc. However, in return users had to submit their personal details: name, telephone number, email address, etc.


TWITTER

2011 has seen a reduction in the number of attacks on Twitter, the short-message social network, and although there continue to be attacks based on exploiting Twitter’s ‘Trending Topics’, they are decreasing, probably due to better filtering by Twitter’s own team. In any event, it continues to be exploited as a platform to send out spam and hack accounts, as shown in the following examples: on July 4, Fox News’s Twitter account was hacked and started to post a series of alarming tweets reporting that U.S. President Barack Obama had been assassinated. In addition, the Twitter account of PayPal UK was hacked and used to criticize its poor security in offensive language.

However, other attacks had far more serious consequences. A group of attackers hacked the Twitter account of a financial institution and started sending Direct Messages (DMs) to its followers instructing them to click on a link due to a security problem in their accounts. This link took users to a phishing page that imitated that of the bank and requested data that could then be used by attackers to impersonate the victims and steal their money.

FACEBOOK

When talking about Facebook attacks, most of us tend to think that cyber-criminals use the platform to spread their malware, but that is not usually the case. As we have said on many occasions, users give away too much information on their social networking profiles, which jeopardizes privacy and facilitates hacking of email and even Facebook accounts themselves.

George S. Bronk was arrested in California for carrying out this type of illegal activity. Using information available on Facebook, he managed to gain access to victims’ email accounts. Having hijacked the account, he would search for personal information he could then use to blackmail the victim.

It would seem that anyone could become a victim of these types of attacks, as even Mark Zuckerberg – creator of Facebook – had his Facebook fan page hacked, displaying a message that started “Let the hacking begin”.


Cyber-crime

Cyber-criminals’ goal is to steal information they can turn into cash. This explains why banking Trojans, targeting financial institutions and their customers, are their weapon of choice, although there are also other types of attacks. In January, the Pentagon Federal Credit Union reported the fact that cyber-criminals had used an infected PC to access one of their databases containing confidential customer information. The stolen information included each individual’s name, address, social security number and either bank account information or credit/debit card information.

Another frequent strategy is the use of ATMs equipped with duplicate card readers. In January, two men, aged 32 and 31, were sentenced to 7 and 5 years in prison respectively for this type of scam. These two men were suspected to be members of a gang of Russian and American criminals operating all over the U.S.

But it is not only the banking sector that is at risk. After a theft in the Czech Republic and attempted hacking in Austria, the European Commission was forced to suspend trading in CO2 emission credits. Of course, as usual, the cyber-criminals were seeking to profit from the attack. There was a similar attack some months ago, when a hacker stole 1.6 million carbon trading credits from the Holcim cement company in Romania. At 15 euros each, that represented losses of some €24 million. These types of attacks, in addition to the financial loss, undermine the entire system.

This diversification is present in other areas as well. This year saw the appearance of a number of variants of the infamous ZeuS banking Trojan aimed at online payment platforms like Webmoney or MoneyBookers.

One of these attacks hit the UK Government, which admitted to having suffered a targeted attack with a ZeuS variant designed to steal not only bank account credentials but also all kinds of personal information.

RSA, the security division of EMC Corporation, announced in mid-March that they had suffered a breach on their network systems that had exposed proprietary information about their two-factor hardware-based authentication system “SecurID”.

FIG.02. FACEBOOK PAGE EXPLOITING STEVE JOBS’S DEATH.

FIG.03. RSA WAS ATTACKED IN MARCH.


In May, Lockheed Martin, the largest provider of IT services to the U.S. government and military, suffered a network intrusion stemming from data stolen pertaining to RSA. It seems that the cyber-thieves managed to compromise the algorithm used by RSA to generate security keys, and the company had to replace the SecurID tokens of more than 40 million customers around the world, including some of the world’s biggest companies. Some months later, RSA stated that they were convinced the hackers had been funded by a foreign government and, in October, security analyst Brian Krebs published a list of 760 other victims hit by the same attackers.

In June, the International Monetary Fund said it had been targeted by a sophisticated cyber-attack for months, even though the organization made no public statement about the motivation behind it. The nature of the information stored by the institution would seem to indicate that this was a targeted attack; however, we cannot rule out the possibility that it was just a common case of cyber-crime.

The website of the European Space Agency was also hacked into and a lot of information was stolen and made public. This data included usernames, FTP accounts and even FTP login details stored… in plain text files!

Also in May, Citigroup revealed that information for more than 360,000 U.S. credit card accounts had been compromised by a website hack. The worst thing about this attack is the fact that the data thieves did not even have to hack a server, but were able to penetrate the bank’s defenses and leapfrog between the accounts of different customers simply by inserting various numbers into a string of text located in the browser’s address bar.
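The class of flaw described above, an account page that trusts the number in the URL, shown beside the authorization check that closes it and a small check over the refusal log that flags a session stepping through account numbers. This is an added example, not code from the report or from Citigroup; the accounts, sessions and log are constructed stand-ins and `bank.example` is a placeholder host.

```python
"""Added example, not code from the PandaLabs report or from Citigroup.

A lookup that trusts the account number in the URL, next to one that ties
the lookup to the logged-in customer, plus a heuristic over the denial log.
Accounts, sessions and the log are constructed in-memory stand-ins.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> owner and balance.
ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "cust-A", "balance": 250.00},
    1002: {"owner": "cust-B", "balance": 9800.00},
}

# Constructed sample sessions: session token -> authenticated customer id.
SESSIONS: Dict[str, str] = {"sess-a": "cust-A", "sess-b": "cust-B"}

# Constructed in-memory audit log of refused lookups (hypothetical format).
audit_log: List[str] = []


class Forbidden(Exception):
    """Raised when a request may not see the account it asked for."""


def account_id_from_url(url: str) -> Optional[int]:
    """Pull the numeric 'account' query parameter out of a request URL."""
    values = parse_qs(urlparse(url).query).get("account")
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def vulnerable_view(url: str, session_token: str) -> Optional[dict]:
    """Insecure direct object reference: authentication is checked, but the
    account number comes straight from the URL, so any logged-in customer
    can read any account simply by editing that number."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS.get(account_id_from_url(url))


def hardened_view(url: str, session_token: str) -> dict:
    """Same lookup with an authorization check: the account must belong to
    the customer bound to the session. 'Not yours' and 'does not exist' get
    the same refusal, so the endpoint cannot be used to enumerate numbers."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise Forbidden("not logged in")
    account_id = account_id_from_url(url)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != customer:
        audit_log.append(f"DENY customer={customer} account={account_id}")
        raise Forbidden("account not accessible")
    return record


def lookup_allowed(url: str, session_token: str) -> bool:
    """True if the hardened view returns the account, False if it refuses."""
    try:
        hardened_view(url, session_token)
        return True
    except Forbidden:
        return False


def suspicious_customers(log: List[str], threshold: int = 3) -> List[str]:
    """Detection heuristic over the denial log: customers whose session was
    refused at least `threshold` times, the signature of someone stepping
    through account numbers in the address bar."""
    counts: Dict[str, int] = {}
    for entry in log:
        if entry.startswith("DENY "):
            customer = entry.split()[1].split("=", 1)[1]
            counts[customer] = counts.get(customer, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


def run_probe_scenario() -> List[str]:
    """Replay three refused lookups from one session against the hardened
    view and return the customers the heuristic flags."""
    audit_log.clear()
    for number in (1002, 1003, 1004):
        lookup_allowed(f"https://bank.example/account?account={number}", "sess-a")
    return suspicious_customers(audit_log)
```

The vulnerable view hands customer A the balance of account 1002, which belongs to customer B; the hardened view refuses, logs the refusal, and three such refusals from one session are enough for the heuristic to flag it.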

Japanese video game company Sega also fell victim to a cyber-attack. The company confirmed that information belonging to 1.3 million customers was stolen from its database. Names, birth dates, email addresses and even encrypted passwords for the Sega Pass online network were taken. The fact that the passwords were encrypted should minimize the impact of the hacking incident, but only if strong encryption was used, which is not always the case.

Perhaps the most infamous attack that occurred this year was the one suffered by Sony. Everything started with the theft of data from their PlayStation Network (PSN), affecting 77 million users worldwide. Not only was this the biggest data theft ever, but the situation was also particularly badly handled by the company. They hid the problem for days, and when they finally made it public they simply said that there was evidence that some user data could have been compromised, even though they knew perfectly well that the situation was far more serious than that.

To make things worse, the stolen data was especially sensitive, including users’ names, billing addresses, email addresses, PSN IDs, passwords (apparently unencrypted), birth dates, purchase history, credit card numbers (from approximately 10% of users), credit card expiration dates, etc. If this was not sufficient, Sony Online Entertainment was subject to another attack a few days later, a data theft that affected another 24 million users.

FIG.04. DATA FROM 100 MILLION USERS WAS STOLEN IN 2 ATTACKS SUFFERED BY SONY.

In July, Rogelio Hackett, 25, was sentenced to 10 years in prison and a $100,000 fine for stealing 675,000 credit card numbers and related information. The fact that there are tough sentences being handed out is very important as it sends out a strong dissuasive message to criminals: impunity is not an option.

Cyber-crooks continue to use social engineering techniques to deceive users and steal their data, taking advantage of headline-grabbing events such as the untimely death of singer Amy Winehouse or Steve Jobs.

In November, hackers broke into a database with customer information at Steam, the online platform of video gaming firm Valve, stealing information from over 35 million users, including credit card numbers and passwords. Fortunately, this information was encrypted, so the chances of thieves accessing the actual details are slim.


FIG.05. 35 MILLION STEAM USERS HIT BY HACKERS.

One of the key instruments in the fight against cyber-crime is international cooperation. Cyber-crime is transnational and requires a transnational response to tackle it. In this respect, the collaboration agreement signed between the United States’ and India’s Computer Emergency Response Teams (US-CERT and CERT-In respectively) is very important. The generalization of this type of agreement represents a major step forward in the fight against cyber-crime.

While a lot of data thieves are after money, that is not always the case. Last year we saw a number of celebrities who had personal photos stolen (the most notorious case being that of Scarlett Johansson, whose cell phone pics leaked to the Internet). There was speculation that an organized crime gang could be behind the attacks, but, in reality, everything turned out to be much simpler than it seemed. The culprit turned out to be a 35-year-old unemployed man named Christopher Chaney, who broke into the cell phones of stars by guessing their passwords. Chaney monitored social media sites and other online sources for personal information that would yield clues about potential passwords and, with a bit of patience, gained access to his victims’ personal mail accounts. He also had a penchant for beautiful women, as some of his victims included Scarlett Johansson, Jessica Alba, Vanessa Hudgens, Miley Cyrus or Christina Aguilera. Unfortunately, the majority of users also use passwords which are very easy to guess – known as weak passwords – which are strongly discouraged by security experts.

FIG.06. CHRISTOPHER CHANEY, 35, STOLE PRIVATE PHOTOS OF OVER 50 HOLLYWOOD CELEBRITIES.


Cyber-war

Cyber-war has been one of the top buzzwords for 2011. There have been so many cases of cyber-war and cyber-espionage this year that you could write a paper just on them. We live in a time where everybody and everything is connected to the Internet, which presents a world of opportunities for cyber-thieves while authorities and government entities work actively to tackle this problem.

In January, we learnt that Canada’s Ministry of Economy had been hit with a sophisticated targeted attack. While the investigations seemed to indicate that the attack originated from China, it is actually very difficult to find the culprit. Also, no details have been released about the stolen information.

Back in February, U.S. security firm McAfee reported on “Operation Night Dragon”, a case in which a number of energy companies had suffered cyber-espionage attacks for at least two years. Later investigations have revealed that the affected companies included the likes of ExxonMobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips, and Baker Hughes. The attacks came once again from China, even though there is no direct evidence of involvement by Chinese authorities.

In May, the Norwegian military stated that it had been the victim of a serious cyber-attack that took place at the end of March. The attack happened when 100 senior military personnel received an email in Norwegian with an attachment. The attached file was in reality a Trojan designed to steal information. At least one person opened the attachment, but the attack was a failure and no data was lost.

At the beginning of March it was published that France’s Ministry of Economy had been subject to a cyber-attack, linked to China yet again. The aim of this action was to steal information about the G-20 meeting held in Paris in February. Over 150 computers were affected, and other French Ministries also suffered unsuccessful intrusion attempts. Also in March, 40 South Korean government websites fell victim to a denial of service attack. This attack was very similar to one in 2009 and was blamed on North Korea, despite the fact that later investigations linked it to… China.

In May, China’s defense ministry spokesman, Geng Yansheng, admitted for the first time that they had an elite unit of cyber-warriors in their army. British intelligence stated that the unit had been active for at least 2 years. At the end of the same month, the Pentagon declared that cyber-attacks that originated abroad could qualify as acts of war.

FIG.07. 24,000 PENTAGON FILES STOLEN IN MAJOR CYBER-BREACH.

In July, the US Deputy Defense Secretary Bill Lynn revealed that foreign intruders had taken 24,000 files of classified information about a top secret weapon system during an attack suffered in March. Lynn said that a “foreign intelligence service” was most certainly behind the theft of the secret weapon blueprints, but declined to specify which nation had carried out the attack.

Some days later, U.S. Marine Corps General James ‘Hoss’ Cartwright stated that the DoD “was pretty much in the Stone Age”.

If something can be said about cyber-war or cyber-espionage attacks it is that most of them appear to originate from China. However, on one hand it is obvious that China is not behind every single attack and, on the other, China itself must be suffering attacks from others. One of the differences between a democratic and a non-democratic country is the amount of information they make available to the public. When, for example, the U.S. or a country in the European Union suffers a computer attack, as has happened so many times this year, it becomes public knowledge. However, this is not the case in other countries. Is it that some countries are never attacked? Absolutely not, it is just that they do not make attacks known. And China, for once, has opened to the rest of the world and has admitted that it was hit by nearly 500,000 cyber-attacks last year, about half of which originated from foreign countries.


In September, we learned that Japanese company Mitsubishi Heavy Industries had also been hit by a cyber-attack. Almost 100 computers had been compromised, despite the company claiming that no confidential information had been stolen. This company builds highly critical equipment, like guided missiles, rocket engines and nuclear-power equipment. Chinese language was found in one of the viruses used in the cyber-attack, so once again all eyes turned to the Asian giant. Finally, the worst fears became reality some time later, when it was confirmed that hackers had actually gained access to confidential information related to jet fighters and helicopters as well as power plants.

In October, it became known that several US Air Force UAVs (unmanned aerial vehicles) had been infected with malware. After speculation of whether or not this had been a targeted virus attack, it was discovered that the infection was accidental and the drone software was infected through the use of USB drives used to share map updates.

In December, the Iranian government published images of a US drone they had captured unharmed. The interesting thing about the incident is that they managed to hack the drone’s GPS signal, and landed it in Iran at what the drone thought was its home base in Afghanistan.

FIG.08. IRAN HACKS AND CAPTURES U.S. DRONE.

STUXNET

This is the first major cyberwarfare attack by a nation state to date. Discovered in July 2010, the malware aimed at sabotaging Iran’s nuclear plan. In 2011, new revelations emerged pointing to Israel as the culprit, as Israel Defense Forces Chief of Staff General Gabi Ashkenazi took credit for it in his farewell party.

Also last year, the DEBKAfile website published a report citing “intelligence sources” to claim that the Iranian government had had to replace an estimated 5,000 uranium-enriching centrifuges as a result of the attack, and that since then the country had not been able to return its uranium enrichment efforts to ‘normal operation’. In fact, the foreign ministry of Iran acknowledged that they were installing “newer and faster” centrifuges to speed up the uranium enrichment process.

In July, the U.S. Department of Homeland Security said to the Congress that it was aware that a Stuxnet-like virus could be used to attack critical infrastructures in the country. Others have similar fears. Within DHS, many worry that other attackers could use ‘increasingly public information’ about the worm to launch variants that would target other industrial control systems.

2011 saw the appearance of Duqu, also called “Stuxnet 2.0” and “The Son of Stuxnet”, a Trojan horse related to Stuxnet and created to steal information. It spread in Word files attached to emails sent to targeted victims and exploited a 0-day vulnerability for which there was no available patch.

Mac

This year has seen the first large-scale attack on Mac, using rogueware or false antivirus software. Despite thousands of users being affected by the fake antivirus program (called MacDefender), Apple very much tried to bury its head in the sand, denying that any attack ever took place. A few days later, however, they acknowledged it and released a “security update” to protect against the malware. But mere hours after the update, cyber-criminals had already released new variants of the malware, like MacShield, which easily bypassed Apple’s security patch. This was rather logical if you consider the fact that the patch was based on 20-year-old technologies, fully obsolete and totally useless unless combined with modern techniques like behavior analysis.


Cyber-criminals are continuing to show increasing interest in targeting the Apple Mac community and have increased the number of attacks on this platform. We have seen the appearance of the first Mac-specific Trojan capable of detecting if it is being run on a virtual machine. This technique is commonly used in Windows-based malware to make detection more difficult, and the fact that it is being used on Mac platforms indicates that criminals are turning their attention to this operating system.

Mobile malware

2011 has been dominated by headlines with news about malware for mobile phones. Additionally, Android is becoming the dominant platform of mobile computing and is likely to win the tablet market shortly.

Cyber-crooks are beginning to realize the existence of an emerging market they are willing to exploit, and are trying new techniques while continuing to use proven strategies, like using malware to get infected phones to send SMS text messages to premium rate numbers.

At the beginning of the year, a new Android malware took the spotlight. The Trojan – detected as Trj/ADRD.A – stole personal information and sent it to cyber-crooks. One of the most frequent recommendations to combat these threats is to avoid downloading applications from unofficial and questionable places. In this case, the Trojan was distributed from Chinese Android app markets (not from the official store) together with a series of games and wallpapers.

Unlike the iPhone’s iOS, the Android OS lets you install applications from anywhere, an aspect cyber-crooks are beginning to exploit. However, this is not the only difference between both operating systems, as applications uploaded to Android’s official store (Android Market) are not examined as scrupulously as Apple ones, which has already led to some nasty surprises.

A few days later, another Android Trojan started to spread from China once again. This time, legitimate apps had been repackaged with malware, thus delivering a nasty present. This Trojan was designed to carry out a number of actions, from sending SMS text messages to visiting Web pages. It could also stop inbound SMS messages.

The beginning of March saw the largest malware attack on Android to date. On this occasion, the malicious applications were available in the official Android Market. In just four days these applications, which installed a Trojan, had racked up over 50,000 downloads. The Trojan in this case was highly sophisticated, not only stealing personal information from cell phones, but also downloading and installing other apps without the user’s knowledge.

FIG.09. ANDROID HAS BECOME A FAVORITE TARGET FOR CYBER-CROOKS.

Google managed to rid its store of all malicious apps, and some days later removed them from users’ phones.

The first months of this year saw another major attack engineered by the writers of the infamous ZeuS banking Trojan. The attack was designed to bypass the double authentication system implemented by banking institutions for mobile devices. If your PC was infected and you tried to make an online transaction, the bank would display a page (modified by the ZeuS Trojan) prompting you to enter your phone number and model in order to send you a message to install a “security certificate” on your phone. However, this certificate was in reality a Trojan designed to intercept all messages you received.

If this was not enough, we learned that Android has some very basic security holes, as shown by the fact that it stores the passwords for email accounts on the phone’s file system in plain text, with no encryption. This makes it an easy target for criminals, who can easily extract all passwords once they have hacked into the device.


The appearance of new Android malware is becoming increasingly frequent, and the final objective is always the same: to steal users’ data. Thus, we have seen malware which not only copies data from the device and sends it to cyber-crooks, but also records phone calls.

In all, Google has removed about 100 malicious applications from its Android Market app store throughout 2011, which has undoubtedly delivered a blow to the confidence of Android users.

Cyber-activism

In 2010 we anticipated that cyber-activism would be one of the major stories in the coming year and our predictions have been confirmed.

In Egypt, the Internet became almost a battlefield between the Egyptian government and protesters, especially on Facebook and Web pages like that of the Anonymous group.

FIG.10. ANONYMOUS GROUP POSTER ANNOUNCING THEIR CAMPAIGN IN FAVOR OF THE EGYPTIAN PROTESTERS.

The Egyptian government was so desperate that it took the unprecedented step of shutting down the country’s Internet connection and mobile phone network. Similarly, police in several European countries arrested scores of alleged participants in 2010’s cyber-attacks in defense of Wikileaks (“Operation: Payback”).

Those arrested were mainly teenagers that used the LOIC tool to take part in the attacks without using any kind of anonymous proxies or virtual private network to cover their tracks. Everything seems to indicate that this was a retaliatory action from governments (Holland, United Kingdom and the USA) wanting to scare off protesters.

Another ‘battle’ worth mentioning is the one waged between the U.S. security firm HBGary Federal and the Anonymous group. Everything started when Aaron Barr, CEO of the American company, claimed to know the names of the Anonymous group leaders and said he was going to make them public. Anonymous then threatened to hack into the company... and managed to do so in less than an hour. They not only hacked into the company’s Web page and Twitter account, but managed to steal thousands of emails that they later on distributed from The Pirate Bay site. If that were not enough, the content of some of these mails was highly embarrassing for the company, as they brought to light unethical practices (such as the proposal to develop a rootkit), forcing Aaron Barr to stand down.

This was only the tip of the iceberg of a series of criminal activities perpetrated by Anonymous, as it seems that the only way they can protest is by committing illegal acts. However, as stated in previous reports, if the members of the group were smart enough, they would realize that their constant breaking of the law undermines the legitimacy of their protests. Over the last few months they have launched attacks on Sony and the websites of the U.S. Chamber of Commerce, Spain’s national police force, several governmental institutions, etc.

Well, if you didn’t have enough already of Anonymous, a new hacker collective called LulzSec emerged, whose claimed main motivation is simply ‘to have fun by causing mayhem’.


FIG.11. LULZSEC’S TWITTER PROFILE PICTURE.

LulzSec has specialized in stealing and posting information from companies with poor security (PBS, Fox, etc.), as well as carrying out denial of service attacks (against the CIA website, for example). They also released a full list of user data they had previously stolen such as email addresses, passwords, etc. which has led to account hijacking and other forms of identity theft.

At the end of June, LulzSec teamed up with Anonymous for “Operation: Anti-Security”, encouraging supporters to hack into, steal and publish classified government information from any source.

But not everything has been bad news: a significant number of suspected members of the Anonymous group were arrested during 2011.

In the United States, Anonymous went one step further and hacked into the systems of Booz Allen Hamilton (a government contractor with strong ties to the US Department of Defense – DoD), stealing 90,000 military email addresses and passwords. They managed to enter the system through an outdated server with no antivirus protection at all.

Soon after these attacks, the FBI arrested 16 Anonymous members in the US. All of these people could face 5 to 10 years in jail if found guilty.

However, none of these actions seem to have stopped Anonymous, who actually seems to have redoubled its efforts. Just days after the arrests, Anonymous posted links to two NATO confidential documents, and claimed to have one more gigabyte of confidential data which they refused to publish as it would be “irresponsible”.

FIG.12. MESSAGE POSTED BY ANONYMOUS, BOASTING OF THEIR LATEST ATTACK.

In addition, they released the stolen personal data of thousands of U.S. law enforcement officers, including their email addresses, usernames, passwords and in some cases even their social security numbers. And they did it again a few weeks later, as they exposed personal data of San Francisco-area subway police officers. But, if this was not enough, the group hacked yet another U.S. Department of Defense contractor (this time Vanguard Defense Industries), stealing 1 gigabyte of data such as emails and confidential documents from one of the company’s top executives.

At the end of the year, Anonymous hacked thousands of credit card numbers and other personal information belonging to customers of the U.S.-based security think tank Stratfor to donate to charity. They also published a small slice of the 200 gigabytes of data that they claimed to have stolen. The list of Stratfor’s customers includes entities ranging from Apple Inc. to the U.S. Air Force, which gives an idea of the seriousness of the attack.

Meanwhile, Anonymous struck once again in Europe, stealing over 8 gigabytes of data from Italy’s CNAIPIC (National Center for Computer Crime and the Protection of Critical Infrastructure).


FIG.12. NEW MALWARE CREATED IN 2011, BY TYPE.

03| Malware figures in 2011

26 million new malware samples have been identified in 2011, some 73,000 strains per day; quite a frightening number, the highest ever. This could pretty much sum up the malware situation in 2011; however, let’s look beyond the numbers to know exactly what is happening. Firstly, let’s take a look at the type of malware created in the last 12 months:

Trojans continued to account for most of the new threats, growing spectacularly. In 2009, Trojans made up 60 percent of all malware, whereas the percentage dropped to 56 percent in 2010. This year they have jumped up to 73 percent, so that nearly three out of every four new malware strains created in 2011 were Trojans. All other malware categories have lost ground with respect to Trojans, once again the weapon of choice for cyber-crooks’ intrusion and data theft efforts.

FIG.13. MALWARE INFECTIONS BY TYPE IN 2011.

FIG.14. COUNTRIES WITH THE HIGHEST MALWARE INFECTION RATES.


As for the number of infections caused by each malware category, it is worth remembering that Trojans cannot replicate automatically, so they are less capable of triggering massive infections than viruses or worms, which can infect a large number of PCs by themselves. The graph below shows the distribution of malware infections this year.

As you can see, there is not a big difference between the different types of malware created and the infections caused by each of them, with one exception: the percentage of computers infected by adware/spyware almost triples the percentage of new adware/spyware strains created.

What is the reason for this ‘anomaly’? This category includes fake antivirus software or rogueware: applications created by cyber-crooks that try to pass themselves off as legitimate software applications in order to trick users by falsely informing them that their computers are infected, and prompting them to buy a program to disinfect them.

Rogueware is ideal for cyber-criminals, who no longer need to steal users’ information to make their money; instead, users part with their cash voluntarily. This is why computer criminals are spreading rogueware to as many people and as quickly as possible. The more infections, the more profit.

Let’s look at the geographic distribution of infections. Which countries are most infected? Which countries are best protected? The average number of infected PCs across the globe stands at 38.49 percent, with the most infected country being China (60.57 percent of infected PCs), followed by Thailand (56.16 percent) and Taiwan (52.82 percent). These are the only countries that exceed 50 percent of infections. The graph below shows the 10 countries with the highest malware infection rates in 2011.


As the table shows, there are high-infection countries in almost every continent. The U.S. barely escaped the list, as it ranked 11th with slightly more than 39 percent of its PCs infected, also above the world average.

The list of least malware infected nations is topped by European countries, with the exception of Australia and Japan. Sweden came in lowest with only 24 percent of its PCs attacked by malware.

FIG.15. LEAST MALWARE INFECTED COUNTRIES.


04| 2012 Security Trends

We have seen what has happened in 2011: malware creation record, highest number of Trojans ever, attacks in social networks, cyber-crime and cyber-war everywhere. What do we have to expect for the next 12 months?

Social networks

Social engineering techniques exploiting users’ weaknesses have become the leading attack method in social networks. Trending topics such as the Olympics or the next US Presidential elections will be used as a bait. Cybercriminals will continue to target social media sites to steal personal data.

Malware increase

In the past few years, the number of malware threats has grown exponentially, and everything seems to indicate that the trend will continue in 2012. In fact, malware is the weapon used by cybercriminals to carry on their attacks.

Trojans

They are cyber-crooks’ weapon of choice for their attacks, as shown by the fact that three out of every four new malware strains created in 2011 were Trojans, designed to sit silently on users’ computers and steal their information.


Cyberwar

Or maybe it is more accurate to say cyberespionage. 2011 has been the year with most intrusions ever aimed at companies and government agencies. From New Zealand to Canada, from Japan to the European Parliament, there have been countless attacks aimed at stealing secret or classified information. We live in a world where all the information is in digital form, so modern-day spies no longer need to infiltrate a building to steal information. As long as they have the necessary computer skills, they can wreak havoc and access the best-kept secrets of organizations without ever leaving their living-rooms. In 2012 we will see these kinds of attacks even more.

Mac malware

As the market share of Mac users continues to grow, the number of threats will grow. Fortunately enough, it seems that Mac users are now more aware that Mac is not immune to malware attacks and they are increasingly using antivirus programs, hindering cyber-crooks. The number of malware specimens for Mac will continue to grow in 2012, although much less than for PCs.

Mobile malware

Over ten years ago, antivirus companies started making dire predictions of a mobile malware epidemic. Years later, as the situation was not as apocalyptic as predicted, they started claiming that the installation of antivirus software on mobile phones had prevented the catastrophe. Well, they were wrong again. If having an antivirus solution were enough to solve all types of malware problems, the world would be a happier place. Unfortunately though, both users and security vendors alike are in the hands of cyber-crooks, who are the ones who decide which platform to target. In this context, last year PandaLabs predicted a surge in cyber attacks on mobile phones, and the fact that Android has become the number one mobile target for cyber-crooks in 2011 confirms that prediction. In 2012 there will be new attacks on Android, but it will not be on a massive scale. New mobile payment methods – via NFC, for example – could become the next big target for Trojans but, as always, this will largely depend on their popularity.

Malware for tablets

The fact that tablets share the same operating system as smartphones means that they will soon be targeted by the same malware as those platforms. In addition, tablets might draw a special interest from cyber-crooks as people are using them for an increasing number of activities and they are more likely to store sensitive data than, say, a smartphone.

Cybercriminals targeting small to medium-sized companies

Why do cybercriminals target online banking customers instead of directly attacking banking institutions to steal money? The answer to this question has to do with the cost-benefit ratio of the attack: financial entities are usually very well protected, and the chance of launching a successful attack is remote and very costly. However, attacking their customers to steal their identity and impersonate them is much simpler. The security of small to medium-sized companies is not that strong, and this makes them very attractive for cyber thieves, who can steal data from hundreds or thousands of users in one go. On many occasions, small to medium-sized companies do not have dedicated security teams, which makes them much more vulnerable.

Windows 8

The next version of Microsoft's popular operating system is scheduled for November 2012, so even though it is not supposed to have much of an impact on the malware landscape in the coming year, it will surely offer cyber-crooks new opportunities to create malicious software. Windows 8 will allow users to develop applications for virtually any device (PCs, tablets and smartphones) running Windows 8, so it will be possible to develop malicious applications like those for Android. This, in any event, will probably not take place until 2013.

Conclusion

05| Conclusion

Last year we finished our report by commenting on the bleak future that lay ahead for the security sector in 2011. Unfortunately we were right, and cyber-attacks and data theft have dominated headlines all through the year. We do not want to be pessimistic, but 2012 does not look much better.

Cyber-espionage and social networking attacks will be the predominant threats to safeguard against this year. The rise of social media, which has increased communication between people all over the world, has its own disadvantages too. Cyber-thieves can infect and steal data from thousands or millions of users in one go. You no longer need to be a computer whiz to gain control of a system or edit malicious code to generate new malware strains.

The growing number of Internet users means there is no shortage of potential victims. Cyber-criminals are just like pickpockets in a busy city square during the Christmas shopping season. The problem is that today the number of cities and squares (platforms, social networking sites, cell phones, tablet computers, etc.) has multiplied and they are busier than ever, leaving you with more chances of exposing your wallet and its contents (credit cards, photos, money) to thieves. There are more potential victims for more pickpockets.

But this rather bleak outlook should not stop you from enjoying the benefits of the Internet: online banking and shopping, instant communication with friends and relatives all around the world, the ability to read books on your phone or tablet… You just need to take a few precautions.

About PandaLabs

06| About PandaLabs

PandaLabs is Panda Security's anti-malware laboratory, and represents the company's nerve center for malware treatment:

PandaLabs creates continually and in real time the counter-measures necessary to protect Panda Security clients from all kinds of malicious code on a global level.

PandaLabs is in this way responsible for carrying out detailed scans of all kinds of malware, with the aim of improving the protection offered to Panda Security clients, as well as keeping the general public informed.

Likewise, PandaLabs maintains a constant state of vigilance, closely observing the various trends and developments taking place in the field of malware and security. Its aim is to warn and provide alerts on imminent dangers and threats, as well as to forecast future events.

For further information about the latest threats discovered, consult the PandaLabs blog at: http://pandalabs.pandasecurity.com/

facebook: https://www.facebook.com/PandaUSA

twitter: https://twitter.com/PandaSecurity

google+: http://www.gplus.to/pandasecurity

youtube: http://www.youtube.com/pandasecurity1

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Panda Security. © Panda Security 2012. All Rights Reserved.