Malwarebytes 2013 Threat Report


Creation date

IRCRE201312153
Date: 2013-12-09

The past year turned out to be an interesting introduction to the new types of threats users are facing, as well as to what they will continue to face, at greater levels, in the coming years.
We have continued to see the use of scam and “assumed guilt” threats such as Ransomware, and the emergence of even greater threats using similar tactics. We have seen the rise and fall of a very popular exploit kit and had an entire year of cautious surfing because of drive-by exploits and watering hole attacks.
Phone scammers have shown us that it is not always safe to trust people who claim to be technical specialists, and the battle against mobile threats has raged on with greater severity.
As we enter a new year, we can expect these threats to continue with more destructive force than we have ever experienced.
Our world is changing, and much of our personal communication, banking and overall well-being is now accessible online. This trend will only continue as we adopt a new ‘online life’, where all sorts of criminals take advantage of those inexperienced with internet security.

Biggest Threats of 2013

  • Ransomware
    In the outlook report from 2012, we mentioned that it was the greatest year for Ransomware, and I still attest that, based on uniqueness, novelty and diversity, this is true.
    However, as far as damage goes, 2013 has it beat. Ransomware, as you may know, is short for Ransom Software/Malware: it attempts to lock users out of their system or encrypt their files, holding their livelihood “Ransom” in return for cash.
    Ransomware last year and into this year was mostly spread via exploit kits. It took a while and numerous arrests, but the numbers have decreased and some of the big players have even ended development of new variants.
  • Cryptolocker
    Reveton and Urausy were two of the biggest ransomware groups of the last year but their operations do not hold a candle to the kind of damage caused by the infamous Cryptolocker.
    Discovered in September, Cryptolocker actually double encrypts a user’s personal files (such as images and documents) with both a local AES key as well as a remotely created and remotely stored RSA-2048 key.
    Other Ransomware from the past has claimed to encrypt files, but it is usually either a hoax or uses a simplistic encryption method that is easy enough to break, returning users’ files to their intended state.
    The type of encryption used by Cryptolocker is the most secure standard today. Using asymmetric public key encryption, they encrypt the files with a public key locally on the system and you can only decrypt the files with the private key, stored on the remote server.
    So what about RSA-2048? Can’t you break it?
    Well, hypothetically, yes, we could break it; however, breaking that kind of encryption would take more time than we will be alive. To put it into perspective, using a normal desktop system to try to revert your files back to normal, without the use of the private key, would take roughly 6.4 quadrillion years.
    If you had a massive amount of super computers and the smartest cryptographers and mathematicians in the world working on it, it might take a little less time but nobody knows because nobody has done it yet.
    Cryptolocker informed the user that if they did not pay within the time allocated (usually 72-96 hours), the remotely stored private key would be erased and their files would never be decrypted…or so we thought.
    The security community is still working hard on battling this threat and the threats that we will surely see in the future that imitate it.
  • Phone Scams
    Phone scammers work along the same lines as Fake AVs: a third-party source tells a user that they have tons of malware on their system and that it needs to be cleaned up, usually for a high price.
    Phone scammers are not exclusive to 2013, but the number of reports we get and the different types of scams these guys are using seem to be peaking.
    In 2013, we have seen scammers:
    • Pose as Microsoft
    • Pose as an antivirus company
    • Pretend they can remove malware from a Mac
    • Claim that not being able to connect to an inactive web server means you are infected
    • Pose as law enforcement
    • …and much more!

The biggest defense against this type of scam is knowledge: you will most likely never receive a call from a legitimate software company or antivirus/anti-malware firm offering to remove malware they have “detected” on your system.

  • Android Malware
    Since we knew mobile phones were going to run operating systems, we knew that mobile malware would be inevitable, and 2013 showed us an increase in mobile scams and malware.
    A large portion of mobile malware consists of what we refer to as SMS Trojans: malware that sends premium text messages or makes premium phone calls without the phone owner’s knowledge. The user does not discover what has happened until after they have received the bill. While these types of attacks are primarily seen in Eastern Europe, others exist worldwide.
    A similar threat example is the Perkle crimeware kit; it infects the user’s desktop, poses as an authentication measure for the user’s banking web site and requires the scan of a QR code that downloads malware onto the user’s mobile device.
    The mobile side waits for confirmation texts sent by the bank, intercepts the codes and sends them back to the desktop to gain access to the victim’s bank account.
    Either way, the amount of mobile malware seen this year has increased substantially enough for the community to consider it something we are going to be dealing with much more in the future.
  • Blackhole Exploit Kit
    In 2012 and a large portion of 2013, the BlackHole Exploit Kit was the primary method of malware delivery for cyber criminals looking to set up drive-by attacks. It hosted an assortment of different malware, depending on the needs of the criminal using it, for example:
    • Zeus Trojan
    • ZeroAccess Rootkit
    • Reveton Ransomware
    • And more

The kit was sold on cyber-crime forums and black markets to would-be criminals to set up on their own (or compromised) web servers. The criminals would define which payload (the malware) was to be loaded and which exploit to use. From there, once a user visited an exploit page, the malware would be installed.
In many cases, exploit kits are rented out: purchased for a high price by one criminal, who then offers to host another criminal’s malware for a fee.
In early October, law enforcement arrested the creator of the BlackHole Exploit Kit, “Paunch”, and since then the use of BlackHole has steadily decreased, with older versions still lingering and being used by cyber criminals, as well as modified versions released by third-party sources.
As we enter 2014, we may see less and less of the older variants of BlackHole; however, it is doubtful that it will drop off the map entirely.
At the same time, we may see the emergence of a brand new dominant exploit kit that has all the ability and threat of BlackHole, but with new exploits targeting more current operating systems.

  • DDoS Attacks against Banks
    2013 had its fair share of bank attacks, be it through the use of malware or just hacking. One of the most notable examples was a series of attacks against US banks in August. The attack began as a Distributed Denial of Service attack against the target bank; the IT staff were able to respond and worked hard to fend off the attack, keeping their servers and services available to customers.
    However, while the staff were busy dealing with the DDoS attack, malicious attackers were able to infiltrate the bank’s systems unnoticed, concealed under the massive amount of traffic from the DDoS.
    The attackers made off with a significant amount of money in this highly organized and effective cyber bank robbery.
    Crime on all levels has been duplicated online, bank robbery included. Will we see more attacks? Definitely. Will they get worse? Yes. However, with every attack come lessons learned and shared with the community, making banking experiences even more secure.
  • PUPs
    Potentially unwanted programs are the slightly less harmful cousins of malware, installing things on your computer you neither want nor need, devouring system resources and making your computing experience a nightmare.
    You might be wondering what exactly PUPs are; a few examples are:
    • Toolbars
    • Search Agents
    • Value Finders
    • Etc

In July of 2013, Malwarebytes Anti-Malware began detecting PUPs and offering their removal to our users. We do not automatically flag them for removal but allow the user to choose whether they want to run the software or not.
In late November, we discovered a new type of threat from some PUP peddlers: the inclusion of a Bitcoin miner installed on the system. This is a serious threat in that running a miner on a system that is not designed to do so may cause serious damage to the system itself.
We expected such things from malware like Ransomware; however, it is an entirely different story when programs that were potentially harmless are now doing harm to unsuspecting users.

References:
http://blog.malwarebytes.org/
