Evolved Threats in a Post PC World 2012 WP

7/30/2019 Evolved Threats in a Post PC World 2012 WP

1/20

Trnd.Mcro.incorporatd.....................2012.ANNUAL.SeCURiTY.ROUNDUP

evolvd.Thrats.n.a.Post-PC.World


2/20

Mobl. 2

Android malware followed the footsteps of Windows threats interms of history, but at a much faster rate.

Targtd.Attacks.and.Data.Brachs. 4

Data breaches have become typical. Threat actors closely respondto their targets environment by using both old and new tools andtechniques.

Cybrcrm. 7

Threats evolved to become more effective and platform-agnostic,responding to the changing digital landscape.

Softwar.Vulnrablts.11

Java exploits were seen, along with several zero-days for otherprograms.

Socal.Mda.and.Onln.Srvcs. 13

Social media threats atlined in terms of creative use oftechnology, privacy concerns made headlines, and cloud serviceswere abused by the bad guys.


3/20

Experts have been predicting the coming post PC era for a fewyears. So the question has been, when will we know that itsreally here? A simple answer is, well know its really here whencybercriminals move beyond the PC. By that measure, 2012 is trulythe year we entered the post-PC era as cybercriminals moved toembrace Android, social media platforms, and even Macs with theirattacks.

Most notable for 2012 is that it took Android less than three years toreach the volume of malware threats that it took 14 years for the PCto reach. If that wasnt enough proof, attackers moved their tried-and-true attacks to social media platforms like Pinterest and Tumblrfor a broader reach. Attackers have even embraced social media forcommand and control, opting for Twitter over IRC in some cases.

In seeking out vulnerabilities to attack, attackers continued thistrend by focusing on a technology whose very name is synonymouswith multiplatform developmentJava. 2012 was the year when Javasupplanted pure Windows-based threats in the attackers crosshairsleading, among other things, to the rst widespread attack againstMacs.

Beyond this move away from the PC, 2012 saw attackers focus onrening their attacks and adopting more professional softwaredevelopment practices rather than introducing new attack means.The Black Hole Exploit Kit, automatic transfer systems (ATSs), andransomware were all rened and improved in ways that would makeany commercial software vendor proud.

Most worrisome for enterprises and organizations though is thatdata breaches and targeted attacks continued at an alarming rate

with staggering consequences. In one incident alonethe GlobalPayments data breachthe cost has already reached US$94 millionand is still climbing. Targeted attacks are being helped along by thechildren of Stuxnetattack code and kits like Flame, Duqu, andGauss that were derived from the Stuxnet attack of three years ago.

Overall, 2012 unfolded much like our chief technology ofcer,Raimund Genes, predicted in our 12 Security Predictions for 2012,particularly around post-PC threatsthe sophistication of attacksand targeted attacks. As he noted then, our hope that new OSsmake the world a safer place didnt work out. 2012 has clearlyshown that to be the case. The post-PC era is hereand its alreadylooking to be a more dangerous era with higher stakes at risk.


4/20

Growth.of.Androd.OS.ThratsLike PC Malware but Faster

2012 erased any doubt that themalware threat for mobile devicesis real. The number of Androidmalware shot up from 1,000 at thestart of the year to 350,000 byyears end.

This explosive malware growthmirrors the growth of the AndroidOS itself. IDC estimates thatas many as three-fourths of allsmartphones shipped in the thirdquarter ran the Android OS.1 Sincecybercriminals go after the mostcommonly used OS, Android has

attracted the bulk of cybercriminalattention on mobile platforms todate.

Two major mobile malwaretypes dominated 2012. First, wesaw premium service abusers,which subscribe users to various

services that add to their bills.Second, we saw many high-riskapps, which violate user privacy byacquiring sensitive data withoutasking for explicit consent.

Android is well on its way tobecoming the Windows of themobile space. The popularity ofWindows means that it has facedthe lions share of desktop threatsfor years. Similarly, the largeAndroid market was the target ofmost mobile threats, but their rateof volume growth and complexity

swelled at a much faster pacecompared with PC malware.

For Android, it is no longer a caseof directly installing maliciousapps in smartphones. Now, URLsare able to either wipe data fromphones2 or take over devices.3Smartphones are now facing thesame kinds of threats previouslyseen on their PC cousins, all inroughly three years.

TrendLabsSM also released the2012 Annual Mobile Threat andSecurity Roundup: RepeatingHistory, which goes into moredetail about the mobile threat

landscape last year.

Androd.was.th.targt.of.most.mobl.thrats,.but.thr.rat.of.volum.growth.and.complxty.swlld.at.a.much.fastr.pac.compard.wth.PC.malwar

Weve seen the same kinds of threats in the early web threat days of PC malwareappear in the Android malware landscapeall in roughly three years.

2


5/20

It took Android less than 3 years to reach 350,000 malware while ittook PC malware 14 years to reach the same volume of threats.

The staggering increase in the Android malwarevolume was partially due to the volume of

premium service abusers and high-risk appsseen in the latter months of 2012.

More than 70% of all Android malware belongs to a fewmalware families, most of which were either premium

service abusers or high-risk apps.

3


6/20

Data.Brachs.and.APT.CampagnsThe New Normal

2012 saw the continuation of theprevious years pattern of databreaches and targeted attacks.Payment processing company,Global Payments;4 the SouthCarolina Department of Revenue;5and online shoe store, Zappos,6for instance, all suffered breachesthat affected millions of usersand had a considerable nancialimpact. In the case of the GlobalPayments breach, the expensesreached US$94 million. Thequestion is no longer if a system

will suffer a security breach, butwhen.

Despite heightened awarenessof APTs and targeted attacks,we have seen several ongoingcampaigns against various

organizations and companies.Among the campaigns weclosely investigated were LURID,Luckycat, Taidoor, and IXESHE.We observed that attackers weregood at customizing attacksas necessarythreat actors wereable to use the attack vector mostsuitable to their purposes.

Spear-phishing emails were stillthe primary means of deliveringmalware in targeted attacks.Stealth and persistence wereachieved through a wide variety

of means, making networktrafc analysis critical forsecurity defenders. We have

seen remote access Trojans(RATs) like PoisonIvy, PlugX,Xtreme, JACKSBOT, and DRATused in targeted attacks. Thesereadily available RATs, includingunsophisticated ones, made iteasier for threat actors to carryout targeted attacks.

We also saw indications thatmobile devices were becoming ofinterest to threat actors. Mobilemalware with information theftcapabilitiessimilar to those usedin a targeted attackwere found

on servers related to the Luckycatcampaign.7

. An experiment found that 87% of organizations clicked a link related to a social engineering lure.

. Targets of the Luckycat campaign included those in the aerospace, energy, military research, engineering,and shipping industries and Tibetan activists.

. A modied version of ENFALa malware used in the Lurid campaignwas able to compromise 874computers in 33 countries in 2012..

. A survey found that 67% of organizations believed their security activities werent enough to stopadvanced persistent threats (APTs) or hackers.

. The IXESHE campaign has been actively staging targeted attacks since at least July 2009.. The rst stage of launching an APT campaign is intelligence gathering.

Th.quston.s.no.longr.f.a.systm.wll.suffr.a.scurty.brach,.but.whn

4


7/20

Attackers still largely used emails, the most popular mode of business communication, toget in to target networks. DreamMail is an email client that supports several protocols,

including SMTP, eSMTP, POP3, Hotmail, and Yahoo and a remote mailbox access function.

Threat actors used a mix of oldup to three-year-oldand relatively new vulnerabilities.

5


8/20

Rich Text Format (.RTF) les were the most common kind of les used in targeted attacks,Microsoft Excel les, a close second. However, this data does not entirely reect the actual

vulnerabilities used, as it is relatively easy to embed different kinds of exploits into different le types.

The diagram above shows the connections between the heavilyreported malware said to have close ties with Stuxnet.

6


9/20

CybrcrmFine-Tuning Attack Methods

Cybercriminals continued toenhance and improve their toolsin 2012. The three most notabledevelopments in the year had todo with ransomware, ATSs, and theBlackhole Exploit Kit.

Ransomware have been a problemfor some time, but 2012 saw aparticular tactic that came intocommon usage. Ransomwareclaimed that law enforcementgroups suspended userssystems due to violations ofthe law. In order to unlock their

computers, users had to pay a neusing online vouchers.

Ransomware can be consideredthe successor of fake antivirusmalware as the leading cybercrimethreat facing consumers. Boththreats cause users to worry aboutsomething (i.e., losing importantdata or downloading maliciousles) and asks them to pay up tomake the problem go away.

Similarly, ATSs became a keythreat facing smaller businesses.ATSs remove middlemen, usuallya keylogger or a WebInject le,when siphoning funds. Instead ofpassively stealing information,ATSs automatically transfer

funds from the victims to thecybercriminals accounts.8 Thismakes fraud more difcult todetect on the part of banks, as thetransaction appears to be madeby the user and not a potentiallyfraudulent third party. By contrast,traditional banking malwarerequire human intervention totransfer funds, which is a slowerprocess and may easily bedetected by banks.

The Blackhole Exploit Kit spent2012 in the limelight, as it was

utilized in a number of phishingcampaigns. It saw a major upgradein the second half of the yearwith the release of version 2.0 inthe undergrounda response toincreased security vendor effortsto shut down 1.x versions.9 Thesephishing campaigns also changedthe way phishing was conductedsubtle emails made it difcult evenfor tech-savvy users to distinguish

real from fake messages.

Taken together, these threedevelopments represent anevolutionary upgrade to existingthreats, demonstrating howmalware development has becomeincreasingly professional in rigor,discipline, and methodology. Noneof the developments constituteda completely new threat, butthe updated versions appearedmore dangerous in the threatenvironment.

This doesnt mean that the rest ofthe threat landscape was stagnant

2012 saw the signicant rise of theZeroAccess malware family10 whilemajor le infectors like XPAJ11 andVOBFUS12 returned to prominence.Our analysis of the Chinese13 andRussian14 underground economiesrevealed that the business ofstealing information like email andsocial networking account logins,credit card numbers, and personaldata remains as brisk as ever.

Non.of.th.dvlopmnts.consttutd.a.compltly.nw.thrat,.but.th.updatd.vrsons.appard.mor.dangrous.n.th.thrat.nvronmnt

7


10/20

The DOWNAD worm has been around since 2008, spreading throughout networks using a now-patched vulnerability inMicrosofts Server Service. ZeroAccess piggybacks on cracked applications or poses as a required codec in peer-to-peer

(P2P) applications. Crack or keygen programs generate serial numbers to enable the use of pirated applications.

Doman

trafcconverter.biz

info.ejianlong.com

deepspacer.com

mmi.explabs.net

www . funad . co . kr

www . trafcholder . com

serw.clicksor.com

install.ticno.com

172.168.6.21

Rason

Distributes malware, particularly DOWNAD variants

Downloads malware

Hosts malicious URLs, the registrant of which is a known spammer

Page DROPPER Trojans request access to

Poses security risks for compromised systems and/or networks

Trafc site known for distributing malware

Associated with the proliferation of pirated applications and otherthreats; posts annoying pop-up messages

Engaged in malware distribution

Distributes X97M_LAROUX.BK, XF_HELPOPY.AW, XF_NETSNAKE.A,X97M_LAROUX.CO, and X97M_LAROUX.CE

The proliferation of DOWNAD malware was partially aided by malware-hosting URLs. Some of these,however, are not necessarily malicious but have been compromised to perform malicious routines.

8


11/20

Almost all spam are still written inEnglish, similar to previous years.

India was the top spam-sending country in 2012while Saudi Arabia sent the most number of

spam in the third quarter.

More than 20% of the malicious URLs identied in 2012were hosted in the United States or used hosting

services located in the same region.

Blackhole Exploit Kit URLs related to renewed phishingattacks were a primary contributor to the resurgence ofthe phishing URL volume in 2012 after dipping in 2011.

9


12/20

The Blackhole Exploit Kit has changed the way phishing attacks are carried out. ATSs, meanwhile, have seendevelopments compared with traditional banking Trojans that made them prominent in 2012.

Ransomware infections increasedthroughout 2012.

Ransomware have changed throughout the years.

Ransomware Developments

10


13/20

VulnrabltsOld but Reliable Exploits and Some Zero-Days

Zero-day vulnerabilities continuedto affect users in 2012. In August,the Blackhole Exploit Kit15 madeuse of a zero-day vulnerabilityin Java 7.16 In September, a zero-day use-after-free vulnerability inInternet Explorer17 was patched,but was previously used in attacksthat led to RATs.18 Just beforethe year ended, older versionsof the browser were foundwith another zero-day aw.19Taking a peek ahead this year,we saw yet another Java zero-

day vulnerability abused by theBlackhole Exploit Kit.20

Attackers did not need to seekout new vulnerabilities, as mostusers failed to patch their systemsanyway, which means that oldvulnerabilities still worked.The VOBFUS worm, which hita number of computers in thelatter part of 2012, uses thesame vulnerability that Stuxnet

originally used as far back as2010.21 Targeted attacks are knownto make use of vulnerabilities inMicrosoft Ofce applicationsthat date back to 2009.22 In fact, a

three-year-old vulnerability, CVE-2009-3129 or MS09-067, was thethird most exploited vulnerabilityin targeted attacks in April 2012.23

An exploit kita combination ofexploits designed to compromisea users computeris a key partof todays threat environment.One of the most prominent exploitkits today is the Blackhole ExploitKit, which is commonly used inphishing campaigns to targetcomputers.24

The applications most targetedby exploit kits are browsersor technologies that exposefunctionality through browserplug-ins, particularly InternetExplorer; Adobe Acrobat, Reader,and Flash Player; and Java.However, developers have takensteps to make the bugs in theirproducts more difcult to exploit.For example, Adobe highlighted

Acrobat and Readers improvedsandboxing feature with therelease of version 11.25 Adobe FlashPlayer received a new backgroundupdater26 to help users who stillrun older versions. Browsersreceived constant updatesthroughout the year to patchexisting holes and strengthen theirdefenses against exploits.

Java, however, has not seen asimilar development. Instead,there have been moves to reducethe use of Java. Apple went so far

as to remove Java from browserson OS X computers.27 A Decemberupdate to Java allowed users todisable Java content in browsers.28

The relatively unsecured state ofJava, combined with its popularitywith users, resulted in growth in itspopularity among cybercriminals.

Th.rlatvly.unscurd.stat.of.Java,.combnd.wth.ts.popularty.wth.usrs,.rsultd.n.growth.n.ts.popularty.among.cybrcrmnals

1


14/20

Of the vulnerabilities addressed in 2012, the majority were rated medium (4.0 to 6.9) inseverity while a third were given a high (7.0 to 10.0) severity rating.

The majority of browser exploits we monitored in 2012came from the Blackhole Exploit Kit 1.0, while a third came

from RedKit. Java was the most targeted program by exploit kitsbased on the browser exploits we monitored.

12


15/20

Socal.Mda.and.Onln.SrvcsRecycled Threats

While social media threats did notchange much in 2012, attackersdid not remain idle in exploitingnew opportunities.

In 2012, Pinterest29 and Tumblr30became popular among usersand attracted the attention ofvarious scammers. As expected,cybercriminals go where theaudience is, so malicious links inPinterest and Tumblr pointed tosurvey scams.

However, much of the discussion

surrounding social media has beenabout privacy. Decisions madeby social networking sites aboutuser privacy called into questionhow these sites handle personalinformation. The question of

whether or not users trusted theirsocial networks came up again31and again32 in 2012.

In addition, users continued toinadvertently share condentialinformation online. Theyposted their credit card detailsand IDs without realizing theconsequences of doing so.Unfortunately, these incidentsjust represent the worst case ofoversharing online.33

Legitimate online services

were also used with increasingfrequency for malicious purposes.

Pastebin saw much use as adumping ground for all sorts ofstolen information. Blog commentsand Twitter accounts becamecommon means to control botnetsas an alternative to centralcommand-and-control servers,which can be found and blockedfar more easily than legitimateservices.

Dcsons.mad.by.socal.ntworkng.sts.about.usr.prvacy.calld.nto.quston.how.ths.sts.handl.prsonal.nformaton

The switch from basic IRC to other new tools for command and control is one exampleof how cybercriminals abuse legitimate online services for their own operations.

13


16/20

Cybercriminals used all kinds of lures to reel in victims throughout 2012.

14


17/20

What.Ths.Mans.for.Usrs.and.Busnsss

Mobl.Thrats

For.Hom.Usrs

. Use your smartphones built-in security features.

. Avoid using free but unsecured Wi-Fi access.

. Scrutinize every app you download regardless of source.

. Understand permissions before accepting them.

. Consider investing in a mobile security app for Android like Trend Micro Mobile Security PersonalEdition.

For.Scurty.Groups

On top of educating employees on consumer tips to secure their mobile devices, enterprises should embraceconsumerization via this three-step plan with the help of mobile device management and security productslike Trend Micro Mobile Security:

. Stp.1:.Have a plan.

. Stp.2:.Say yes but not to everything and not to everyone.

. Step 3: Put the right infrastructure in place.

Targtd.Attacks.and.Data.Brachs

For.Hom.Usrs

Enterprises and organizations are the common targets of APTs and highly targeted attacks. But attacks oftenenter target networks via employee inboxes in the form of spear-phishing emails. Employees must delete orignore emails from unknown sources.

For.Scurty.Groups

. Develop local and external threat intelligence.

. Test and educate employees against social engineering attacks.

. Formulate mitigation and cleanup strategies in case of an attack.

. Deploy custom defense solutions like Trend Micro Deep Discovery to protect against APTs.

. Protect company data through data protection and management solutions.

15


18/20

Cybrcrm

For.Hom.Usrs

. Regularly check your bank, credit, and debit card statements to ensure that all of the transactions in themare legitimate.

. When conducting nancial transactions online, make sure the website address contains an s as inhttps.://.www..bank..com

. Invest in a comprehensive security suite like Trend Micro Titanium Security.

For.Scurty.Groups

. Install effective security solutions in computers or devices that contain or have access to sensitiveinformation.

. Deploy a defense-in-depth security practice.

. Block threats at their source using web, IP, and domain reputation technologies.

. Invest in sandbox technologies to identify advanced malware.

Softwar.Vulnrablts

For.Hom.Usrs

. Apply the latest security updates and patches to your software programs and OSs.

. Enable automatic updates where possible.

For.Scurty.Groups

Deploy solutions that allow vulnerability shielding to help immediately protect networks from exploits likeTrend Micro Deep Security.

Socal.Mda.Thrats

For.Hom.Usrs

. Use random but memorable phrases as passwords.

. Avoid using the same password across online accounts.

. Change your password every few months.

. Consider using password managers like Trend Micro DirectPass.

. A good rule of thumb on giving out information on social networking sites is to ask, Would I give thisinformation to a stranger over the phone?

For.Scurty.Groups

. Monitor employees social networking usage.. Create easy-to-follow guidelines on social media use regarding sharing of information and representing

your companys brand and image.

. Clearly dene whats condential.

16


19/20

Rfrncs

1 http://www.idc.com/getdoc.jsp?containerId=prUS237718122 http://blog.trendmicro.com/trendlabs-security-intelligence/dirty-ussds-and-the-

android-update-problem/3 http://blog.trendmicro.com/trendlabs-security-intelligence/exynos-based-android-

devices-suffer-from-vulnerability/4 http://money.cnn.com/2012/04/02/technology/global-payments-breach/index.htm5 http://www.forbes.com/sites/anthonykosner/2012/10/27/cyber-security-fails-as-3-6-

million-social-security-numbers-breached-in-south-carolina/6 http://news.cnet.com/8301-1009_3-57359536-83/zappos-customer-data-accessed-

in-security-breach/7 http://blog.trendmicro.com/trendlabs-security-intelligence/defcon-2012-android-

malware-in-luckycat-servers/8 http://blog.trendmicro.com/trendlabs-security-intelligence/evolved-banking-fraud-

malware-automatic-transfer-systems/9 http://blog.trendmicro.com/trendlabs-security-intelligence/blackhole-2-0-beta-

tests-in-the-wild/10 http://blog.trendmicro.com/trendlabs-security-intelligence/under-the-hood-of-

bkdr_zaccess/11 http://blog.trendmicro.com/trendlabs-security-intelligence/pe_xpaj-persistent-le-

infector/12 http://blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_

vobfus/13 http://blog.trendmicro.com/trendlabs-security-intelligence/the-chinese-

underground-part-1-introduction/14 http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-russian-

underground/15 http://blog.trendmicro.com/trendlabs-security-intelligence/java-zero-days-and-the-

blackhole-exploit-kit/16 http://blog.trendmicro.com/trendlabs-security-intelligence/java-runtime-

environment-1-7-zero-day-exploit-delivers-backdoor/17 http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-releases-out-

of-cycle-patch-for-ie/18 http://blog.trendmicro.com/trendlabs-security-intelligence/new-ie-zero-day-exploit-

leads-to-poisonivy19 http://blog.trendmicro.com/trendlabs-security-intelligence/why-is-the-watering-

hole-technique-effective/20 http://blog.trendmicro.com/trendlabs-security-intelligence/java-zero-day-exploit-

and-ruby-on-rails-vulnerabilities/21 http://technet.microsoft.com/en-us/security/bulletin/MS10-04622 http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-

exploitation-seen-in-various-global-campaigns/23 http://blog.trendmicro.com/trendlabs-security-intelligence/snapshot-of-exploit-

documents-for-april-2012/24 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-

papers/wp_blackhole-exploit-kit.pdf25 http://blogs.adobe.com/asset/2012/10/new-security-capabilities-in-adobe-reader-

and-acrobat-xi-now-available.html26 http://blogs.adobe.com/asset/2012/03/an-update-for-the-ash-player-updater.html27 http://arstechnica.com/apple/2012/10/apple-removes-java-from-all-os-x-web-

browsers/28 http://www.infoworld.com/d/security/java-7-update-10-allows-users-restrict-java-in-

browsers-20942329 http://blog.trendmicro.com/trendlabs-security-intelligence/survey-scams-nd-their-

way-into-pinterest/30 http://blog.trendmicro.com/trendlabs-security-intelligence/tumviewer-and-online-

income-survey-scams-hit-tumblr/31 http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-public-or-

private-the-risks-of-posting-in-social-networks/32 http://blog.trendmicro.com/trendlabs-security-intelligence/privacy-worries-hound-

facebook-yet-again/33 http://blog.trendmicro.com/trendlabs-security-intelligence/the-dangers-of-posting-

credit-cards-ids-on-instagram-and-twitter/


20/20

TReND.MiCRO.iNCORPORATeD

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloudsecurity leader, creates a world safe for exchanging digital informationwith its Internet content security and threat management solutionsfor businesses and consumers. A pioneer in server security withover 20 years experience, we deliver top-ranked client, server andcloud-based security that ts our customers and partners needs,stops new threats faster, and protects data in physical, virtualized and

cloud environments. Powered by the industry-leading Trend MicroSmart Protection Network cloud computing security infrastructure,our products and services stop threats where they emergefrom theInternet. They are supported by 1,000+ threat intelligence expertsaround the globe.

TReNDLABSSM

TrendLabs is a multinational research, development, and supportcenter with an extensive regional presence committed to 24x7 threatsurveillance, attack prevention, and timely and seamless solutionsdelivery. With more than 1,000 threat experts and support engineersdeployed round-the-clock in labs located around the globe, TrendLabsenables Trend Micro to continuously monitor the threat landscapeacross the globe; deliver real-time data to detect, to preempt, and to

eliminate threats; research on and analyze technologies to combatnew threats; respond in real time to targeted threats; and helpcustomers worldwide minimize damage, reduce costs, and ensurebusiness continuity.

2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend

Documents

Evolved Threats in a Post PC World 2012 WP