STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017
Executive summary

In 2016, we finally saw the headlines catch up with the hype. Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016.

To get a better idea of just how much the threat landscape evolved in 2016, we examined data taken from nearly 100 million Windows, Mac, and Android devices in over 200 countries during the June-November 2016 time period. These devices were running Malwarebytes cybersecurity solutions in corporate and consumer environments and reported close to a billion malware detections/incidences in the time period. This is real-world data taken from attack events, not conjecture distilled from tangential data points. In addition, we utilize data obtained from our own internal honeypots and collection efforts to identify malware distribution, not only infection.

Three key takeaways

1. Spurred by a massive shift in cybercriminal attack methodology, 2016 was the year that reality caught up to the hype. Threat actors ramped up attacks on businesses while engineering ever-more effective malware variants, including ad fraud and ransomware.
2. Cyberattack methodology and the favored malware tools used to commit cybercrime vary distinctly by nation/geography, reflecting increased “personalization” of cybercrime.
3. While a dedicated group of cybercriminals continues to attack enterprise businesses, low-level attacks focused on the consumer are taking greater advantage of the businesses they do snare.
Cybercriminals change their methodology: Ransomware

In 2016, ransomware made splashy headlines, and for good reason: In ransomware, cybercriminals truly have built themselves a better mousetrap. While traditional malware like banking Trojans, spyware, keyloggers, etc., requires the cybercriminal to oversee multiple steps before revenue is delivered to their bank account, ransomware makes it a seamless, automated process. Script kiddies (hackers with little or no coding skills) can even buy turnkey ransomware kits known as “Ransomware as a Service” (RaaS) that take all the hassle out of digital thievery. In the fourth quarter of 2016 alone, we catalogued nearly 400 variants of ransomware, the majority created simply by a new criminal group trying to get a piece of the pie. The trend of ransomware is not new, however, as we’ve watched distribution growth over the last two years and have observed specific families that have made it to the top of the cybercrime market.

Figure 1. January 2016 Exploit/MalSpam Payloads

Figure 2. November 2016 Exploit/MalSpam Payloads

As you can see from the above charts, ransomware distribution between January 2016 and November 2016 increased by 267 percent. This is an unprecedented domination of the threat landscape like nothing we have ever seen before. To delve deeper into the spread of ransomware, we can look at our own detections and their geographic spread:

• Top 10 countries impacted by ransomware incidents:
1. United States
2. Germany
3. Italy
4. United Kingdom
5. France
6. Australia
7. Canada
8. Spain
9. India
10. Austria

• Percentage of ransomware incidents by continent:
o Europe 49.26%
o North America 32.51%
o Asia 9.84%
o Oceania 3.72%
o South America 3.67%
o Africa 1.00%
It shouldn’t be a surprise that the United States is the country with the most incidents of ransomware, being one of the largest representations of Western culture. Many groups from Eastern Europe, as well as across the world, target Americans not only because of the wide accessibility to technology, but also the means to pay the ransom and, possibly, ideological views. However, Western Europe is just as much at risk. Our stats revealed Europe to be the continent with the greatest amount of infections, with countries like Germany, Italy, the UK and France making up the next four spots in countries impacted most by ransomware. Occurrences of ransomware encounters differ, even in high-incident rate regions. By volume:

• 81 percent of ransomware attacks against businesses occurred in North America
• 51 percent of ransomware attacks against consumers occurred in Europe

A country that seems to be missing from this list is Russia. This isn’t because Russian citizens have a firm grasp on computer security – this will make more sense after looking at the top families and their functionality.

Top Ransomware Families 2016

In 2016, there were three main players in the ransomware game. One of those players dropped out of the race and two others are constantly competing for dominance. These families are/were:

- TeslaCrypt
- Locky
- Cerber

From the below chart you can see some of the most prominent families listed and charted throughout 2016.

Figure 3. Ransomware Family Trends 2016

The beginning of the year showed a huge spike in the use of TeslaCrypt. However, in May TeslaCrypt closed its doors and released the master decryption key for all their victims.

Figure 4. Courtesy of BleepingComputer
When TeslaCrypt shut down, it created a vacuum that was quickly occupied by two other rising families, Locky and Cerber. It took most of Q3 and Q4 but these families have managed to make it to the same level of distribution as TeslaCrypt had in March and May. Locky and Cerber have a lot in common as far as ransomware families go. Both families utilize RSA-level encryption, making the development of a decrypter difficult if not impossible. They both have the capability to encrypt files “offline,” that is, without needing to communicate with the Command and Control (CnC) server before initiating encryption operations; blocking that communication was one of the best methods of defense in the early days of CryptoLocker.

Cerber and Locky also identify their victims based on which country they are likely to reside in. For example, if a victim resides in Russia, instead of infecting and encrypting the system, they do nothing at all. This is a key clue in possible attribution of the groups behind these families as being associated with, if not located in, Eastern Europe. It also reveals why Russia is not on our list of the top most infected countries, despite its large population and accessibility to technology. These families are not limited to North America either. Cerber and Locky are also the top ransomware families currently plaguing countries like Germany, making their spread a worldwide threat.

From an enterprise point of view, ransomware cybercriminals concentrated their efforts on enterprise businesses, particularly North American enterprises, no doubt realizing that these companies had the most to lose, and the resources to pay. In fact, ransomware detections outnumbered banking Trojan detections in North American businesses by a ratio of 3:1. Globally, 12.3 percent of enterprise business detections were ransomware, compared to only 1.8 percent on the consumer side.

Kovter

While ransomware has been the primarily distributed malware of 2016, this isn’t to say that there haven’t been shifts in distribution levels from month to month. In fact, for multiple parts of the year, ad fraud malware, specifically Kovter, has been the primary payload, as seen below (the green line):

Figure 5. Exploit/MalSpam Drops 2016

Kovter is one of the most advanced families of malware currently found in the wild. It sports sophisticated functionality such as the ability to infect the system without dropping a file but rather by creating a special registry key, making it difficult to detect for many antivirus vendors. In addition, it utilizes rootkit capabilities to further hide its presence and will actively identify and disable security solutions. While Kovter itself is not new, first appearing in 2015, it has historically been used as a downloader for other malware families, a tool to steal personal information, a backdoor for attackers to gain access to the system and even its own ransomware family. However, in 2016 we observed it primarily being used for “ad fraud,” which is a term used for malware that hijacks the system and uses it to visit and click on advertisements and websites online to create more clicks/hits for an ad campaign (known as click-jacking) run by either the criminals behind the Kovter deployment or their clients.

In addition to the novel use of the malware, the distribution has also made some changes over 2016. While previously Kovter was primarily spread using drive-by exploits and Exploit Kits, we saw a massive surge in it being distributed through malicious phishing emails as well. This change in distribution, combined with a very large target of the United States, made Kovter one of the biggest threats of this last year for Americans more than anyone else:

Top 5 countries impacted by Kovter infections:

• United States 68.64%
• Germany 2.58%
• Canada 1.65%
• France 1.34%
• Italy 1.30%
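The report describes Kovter persisting without dropping a file, by keeping its payload in a registry value. A defender can review autorun (Run key) values for that pattern. The following is an added example written for this page, not Malwarebytes code: it flags values that launch a script host, values that embed inline or encoded script text, and values far longer than a path plus flags. The script-host list, the length threshold and the sample Run-key entries are all assumptions constructed for the example, not observations from the report.

```python
"""Heuristic review of Windows Run-key autorun entries for the
registry-resident, fileless persistence the report attributes to Kovter.
Added example, not Malwarebytes code; the entries below are constructed,
and the script-host list and length threshold are assumptions."""
import re
from typing import Dict, List

# Interpreters that will execute script text handed to them on the command line.
# Assumption: a starting list for review, not an exhaustive one.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell")

# Script text or an encoded blob living directly inside the registry value.
INLINE_SCRIPT = re.compile(
    r"javascript:|vbscript:|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I
)

# Assumption: legitimate autorun values are a path plus a few flags.
MAX_BENIGN_LEN = 300


def review_run_entry(value: str) -> List[str]:
    """Return the heuristic reasons one autorun value looks suspicious (empty if none)."""
    reasons = []
    low = value.lower()
    if any(host in low for host in SCRIPT_HOSTS):
        reasons.append("script host launched from autorun")
    if INLINE_SCRIPT.search(value):
        reasons.append("inline or encoded script in registry value")
    if len(value) > MAX_BENIGN_LEN:
        reasons.append(f"value length {len(value)} exceeds {MAX_BENIGN_LEN}")
    return reasons


def review_run_key(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    return {name: r for name, value in entries.items() if (r := review_run_entry(value))}


# Constructed sample of HKCU\...\Run values (not taken from a real infection).
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    # A script host pulling its payload straight out of the registry value.
    "3f9a1c": 'mshta "javascript:' + "A" * 400 + '"',
    # A script host launching a dropped script file.
    "Updater": r"wscript.exe //B C:\Users\Public\upd.vbs",
}

if __name__ == "__main__":
    for name, reasons in review_run_key(SAMPLE_RUN_KEY).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same functions can be fed the output of a registry export; each flagged entry is a lead for review rather than a verdict, since administrators do sometimes schedule scripts from Run keys.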
The importance of Kovter being used in this fashion lies in the same reason ransomware has taken off; it provides a source of direct profit for the attackers. Rather than selling password dumps, credit card information and social media accounts to other criminals, having the victim either pay to get their important files back OR utilizing them to defraud the advertising industry are both viable methods of profiting off users directly. This method is also a massive clue into the mindset of the modern cybercriminal where the attacks focus more on the user and less on the technology. We will discuss that more later.

Cybercriminals change their methodology: Adware and Tech Support Scams

Sidestepping from ad fraud to adware, we observed a massive surge in the amount we detected in 2016. The term “adware” identifies a form of malicious software that displays unwanted advertising, and can comprise several noxious malware subspecies, including Potentially Unwanted Programs (PUPs), browser lockers, and spyware. In recent years, adware has grown more aggressive and intrusive, with Vonteera adware even disabling antivirus and anti-malware software on the computer it infects. Some variants fake a computer failure (Blue Screen of Death) to spur a call to a shady tech support firm that will fix the user’s computer for a fee. This behavior slides adware closer to its shadier malware cousins.

Figure 6. Fake BSOD

We found adware to be an equal opportunity offender in 2016, posing a significant problem for consumers and businesses alike. In fact, of the six categories of malware we reviewed for this study, adware represented the largest threat by volume. Seventy-eight percent of the malware detected on business endpoints was adware. In fact, this threat is so widespread that we even found systems infected with it in Antarctica!

Cost to Business: More Adware

While a dedicated group of cybercriminals continues to launch targeted attacks against the enterprise (especially using ransomware as a payload), businesses are impacted the most, by volume, by low-level (i.e. less sophisticated) adware attacks. In fact, 77 percent of all threats enterprises see globally are adware. Costs to businesses:

• While adware is classified as a Potentially Unwanted Program (PUP), and therefore not considered as much of a threat as ransomware is to businesses, it can still represent a significant cost to the enterprise to remediate the infection or re-image the machine.
• Adware also creates downtime for employees, who may experience slower computers and pop-up ads that distract users from productivity.

The top adware variants impacting the enterprise include:

• Adware.PremierOpinion – 8.86 percent of total detections
• Adware.MoboGenie – 3.99 percent of total detections
• Adware.Agent – 2.07 percent of total detections

Why are low-level attacks being seen at such high rates? Attacks that primarily focus on the consumer are taking greater advantage of businesses they ensnare. Owners of low-level campaigns are paying more attention to whom they infect. If they find they are infecting a business, they’ll change the game by raising the price of ransomware or looking laterally within the organization for data of more value. Cybercriminals are trying to maximize the impact of the business infections they do get.

Cybercriminals change their methodology: Botnets

Botnets (a network of private computers infected with malicious software and used to send spam) have been one of the most commonly developed mechanisms for deploying malware for the last 10 years. This is due to their small size, ability to hide and ability to execute an innumerable amount of operations depending on what it is developed for. This year, we saw a new use for botnets, to compromise and infect the Internet of Things (IoT), a term used frequently to describe interconnected devices that aren’t necessarily fully fledged computers. For example, a thermostat that allows its user to change the temperature from across the country, a home security camera that allows the owner to view their home remotely, and even some baby monitors all fall into the IoT category.

In late September a massive attack used the Mirai botnet to compromise many IoT devices and home routers, with all the infected devices taking orders from a single source. Once the army of bots was assembled, the attacker used what is referred to as a DDoS (Distributed Denial of Service) attack to bring down certain websites, notably “Krebs on Security”. A month later, Mirai was used to attack one of the backbones of the internet, Dyn, and in doing so prevented millions of users from accessing popular sites like Twitter, Reddit and Netflix. This type of malware is easy enough to evade simply by updating security patches for IoT devices and using non-standard configurations. For example, creating custom password and administrator logins and removing what comes default. One of the key features of Mirai was not only scanning the internet for connected devices, but also utilizing an internal database of default usernames and passwords to gain access to the devices.

Apart from Mirai, 2016 was not a great year for botnets, at least not in the United States. However, Asia and Europe dealt with an increase in variants developed from popular families. For example, the Kelihos botnet grew 785 percent in July and 960 percent in October, while IRCBot grew 667 percent in August and Qbot grew 261 percent in November.

• Percentage of botnets by continent:
o Asia 53.97%
o Europe 13.21%
o North America 11.03%
o South America 5.79%
o Africa 3.81%
o Oceania 0.45%
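Mirai's method, as the report describes it, is to find exposed devices and try a list of default usernames and passwords against them. From the device side, that activity shows up as a burst of failed logins from one source, sometimes followed by a success. The block below is an added example written for this page, not Malwarebytes code or anything from Mirai: it reads syslog-style login lines, keeps a sliding window of failures per source address, raises one alert when a source crosses the failure threshold and a second if a login then succeeds from that source. The log format, the assumed year, the threshold and window, and the log lines themselves are constructed assumptions for the example.

```python
"""Detect credential-guessing bursts against an IoT device's login service
from its log lines. Added example, not Malwarebytes code. The log format,
the 2016 timestamps and the thresholds are assumptions; the lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Assumed format: "<Mon DD HH:MM:SS> <host> <proc>: Failed|Accepted login for '<user>' from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<event>Failed|Accepted) login for '(?P<user>[^']+)' from (?P<ip>[\d.]+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, event, user, ip) for a recognised line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog omits the year; the example assumes 2016 (the report's period)
    ts = datetime.strptime("2016 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["user"], m["ip"]


def detect_guessing(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[Dict]:
    """Alert on sources with >= threshold failed logins inside window_s seconds,
    and again if a login from such a source then succeeds."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # per-IP failure times in window
    alerted = set()
    alerts: List[Dict] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:  # expire old failures
            q.popleft()
        if event == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "kind": "login-burst", "failures": len(q), "user": user})
        elif len(q) >= threshold:  # a success right after a burst: a guess likely landed
            alerts.append({"ip": ip, "kind": "success-after-burst", "failures": len(q), "user": user})
    return alerts


# Constructed log excerpt (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Oct 21 13:02:01 cam01 login[311]: Failed login for 'admin' from 203.0.113.7
Oct 21 13:02:04 cam01 login[311]: Failed login for 'root' from 203.0.113.7
Oct 21 13:02:07 cam01 login[311]: Failed login for 'admin' from 203.0.113.7
Oct 21 13:02:10 cam01 login[311]: Failed login for 'support' from 203.0.113.7
Oct 21 13:02:13 cam01 login[311]: Failed login for 'admin' from 203.0.113.7
Oct 21 13:02:16 cam01 login[311]: Failed login for 'root' from 203.0.113.7
Oct 21 13:02:19 cam01 login[311]: Accepted login for 'admin' from 203.0.113.7
Oct 21 13:05:00 cam01 login[311]: Failed login for 'admin' from 198.51.100.4
Oct 21 13:05:30 cam01 login[311]: Failed login for 'admin' from 198.51.100.4
Oct 21 13:10:00 cam01 login[311]: Accepted login for 'owner' from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

The success-after-burst alert is the one worth paging on: a device that accepted a login after a run of failures should be treated as compromised until its credentials are changed and its firmware checked, which is the remediation the report recommends.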
As it turns out, Germany dealt with a serious botnet problem. The country saw a 550 percent increase in the amount of botnet detections from 2015 to 2016.

Cybercriminals change their methodology: Malware Distribution

One of the biggest changes in terms of distribution in 2016 was the use of attached scripts to phishing e-mails. These scripts usually reside inside of a ZIP file and once opened and launched, would reach out to a remote server to download and install malicious software on the system.

Figure 7. Malicious phishing email with ZIP file attached

Another method that became popular again in 2016 included the use of macro scripts inside of Microsoft Office documents (.docx, .xlsx, etc.) which would execute once the user opened the document and enabled macros. Utilizing sophisticated social engineering tactics, the attackers coaxed the user into enabling these features, which would also download and execute malware on the system.

Figure 8. Malicious Word Document using social engineering to get the user to enable macros
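Both distribution methods above, a script inside a ZIP attachment and a macro inside an Office document, can be screened for at the mail gateway before a user ever sees the lure. The block below is an added example written for this page, not Malwarebytes code: it opens any ZIP container it is handed, lists script files found inside an archive, and, because modern Office documents are themselves ZIP containers, flags a `vbaProject.bin` member (the part that holds a VBA macro project) whatever the outer file extension says. That last check goes slightly beyond the text, which names .docx and .xlsx; the attachments, the script-extension list and the finding labels are constructed assumptions for the example.

```python
"""Triage e-mail attachments for script-in-ZIP and macro-bearing Office
documents. Added example, not Malwarebytes code; the sample attachments are
constructed in memory, and the extension lists are assumptions."""
import io
import os
import zipfile
from typing import Dict, List

# Assumption: a starting list of extensions that Windows executes as scripts.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}


def _ext(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings for one attachment (empty list if nothing stood out)."""
    findings = []
    if _ext(filename) in SCRIPT_EXT:
        findings.append("script attachment")
    if not data.startswith(b"PK\x03\x04"):  # not a ZIP container; nothing more to open
        return findings
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return findings + ["corrupt ZIP container"]
    scripts = [n for n in names if _ext(n) in SCRIPT_EXT]
    if scripts:
        findings.append("script inside archive: " + ", ".join(scripts))
    # OOXML documents are ZIPs; a VBA project is stored as vbaProject.bin,
    # so this catches macros regardless of the outer extension.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("VBA macro project in Office document")
    return findings


def triage_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


def _zip_bytes(members: Dict[str, object]) -> bytes:
    """Build a ZIP in memory from {member name: str or bytes content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed attachments; the contents are placeholders, not real payloads.
SAMPLES = {
    "invoice_8831.zip": _zip_bytes({"invoice_8831.js": "// constructed placeholder\n"}),
    "Q3_report.docm": _zip_bytes({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00constructed",
    }),
    "photo.zip": _zip_bytes({"photo.jpg": b"\xff\xd8\xff"}),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or "clean")
```

A gateway would typically quarantine anything with a finding and let the remaining attachments through; the findings list is kept as strings so it can be attached to the quarantine notice the employee awareness training mentioned later in the report can point to.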
In addition to the changes in what was attached or how malware was installed on the system through phishing attacks, there was a massive increase of the use of this method over exploit kits in June. The reason for this is because one of the major exploit kits of 2015 and the early part of 2016, Angler, shut down its operations. Angler was the exploit kit top dog for quite a while and even now, more than six months later, there has yet to be an exploit kit that has risen to its same level of use by cybercriminals. However, RIG exploit kit is making a rapid ascension to take the place of Angler and we are likely to see more from this kit in 2017. The majority of exploits used by RIG are primarily pre-existing exploits against patched vulnerabilities for Internet Explorer, Flash and Silverlight, which reinforces the importance of keeping your software up to date. In addition, much of the activity has been targeting the geographic area around Korea, Taiwan and Singapore. This distribution trend is likely going to change soon, but in the meantime, utilizing anomalous behavior activity monitors as well as heuristic detection engines should protect users from these attacks and the payloads they drop. Education is also an important factor when dealing with phishing. In an enterprise environment, refreshing your employees on how to recognize a phishing attack would be ideal to combat this threat.

Cybercriminals change their methodology: Android malware

Over the last few years, the mobile threat landscape hasn’t changed much. Mobile malware creators are primarily still playing catch up by attempting to duplicate malicious functionality found in modern Windows desktop malware, which can be difficult when it comes to the Android operating system. However, a notable trend in 2016 was the increased use of randomization utilized by the malware authors in an attempt to evade detection from mobile security engines. This has resulted in a serious increase in the amount of mobile malware being detected. In fact, more than half (53.1 percent) of all consumer threats detected around the world in 2016 were Android malware, including mobile ransomware.

Figure 9. Android Ransomware

Interestingly, Brazil, Indonesia, Philippines and Mexico made the top 10 countries for mobile malware detections. However, mobile malware is widely dispersed, with the four top regions getting similar shares of mobile malware dissemination. Only 15 percentage points separate the top region, Europe (31 percent of mobile malware) from the fourth-highest region, South America (15 percent of mobile malware). The bright side is, while there are more mobile malware variants currently in the wild than ever before, most of them are only found on third party app stores. So, the best advice to avoid this threat would be to stick to trusted sources like the Google Play Store, utilize mobile security software to not only detect mobile malware but also audit your current security configuration and identify apps that are asking for a few too many permissions.

Malware attacks vary by nations/geography

Our data showed regional differences in the malware used and the attack methodology. Unsurprisingly, US-targeted and European-targeted attacks were highly differentiated:

• The US recorded the most malware detections, and leads all countries in the detections of every category charted, except banking Trojans. (Turkey leads)
• Ransomware is a more significant threat in North America and Europe while banking Trojans are more prevalent in South America and Asia.
• Asian businesses see twice as many banking Trojans as ransomware detections.
• Brazil, Thailand, Vietnam and Turkey all made the top 10 countries for banking Trojan incidents.
• However, when looking at continents, rather than countries, Europe had the greatest number of malware detections. (most sheer number of detections)
• Among the malware categories examined in this report, Europe in general is the most malware-ridden continent, and saw 20 percent more infections than North America and 17 times more than Oceania.
• Europe leads all continents in ransomware – 49 percent of ransomware detections were from Europe-based devices.
• Europe leads all continents in Android malware — 31 percent of Android malware detections were from Europe-based devices.
• Europe leads all continents in adware — 37 percent of adware detections were from Europe-based devices.
European malware: Sets Sights on France, UK and Spain

• The countries hit hardest by malware in Europe are France, the UK and Spain — although the Vatican City saw the steepest rise with a 1,200 percent increase in all malware variants during the time period!
• The United Kingdom was the second most targeted country in Europe for all types of malware behind France. In the six-month period, the UK saw almost twice as many incidents as Russia.
• Germany is the second-most impacted country by ransomware, following the US, supporting the theory that malware authors use Germany as a testing ground for their wares before wider distribution.
• Meanwhile, Russia was disproportionately under-impacted by ransomware, but remains
2017 Predictions

Ransomware

Looking back at the last year and the trends, shifts and takeover concerning ransomware, we have a few predictions about what we are likely to see in 2017. It is possible that with the major players taking the main stage at the end of the year, we are unlikely to see many, if any, advanced families enter the market and rise to the same level as Cerber and Locky. This trend will continue from 2016 where nearly 60 percent of the ransomware variants detected in the last six months were less than one year old, further driving home the fact that most ransomware in existence today is developed by newcomers to the ransomware industry. More than likely, we will continue to observe unsophisticated families emerge to make a profit from amateur cybercriminals and in turn, these families will likely make it possible to develop decryptors to assist the victims of the malware. Unfortunately, as with 2016, these smaller families are less distributed and sometimes not even seen in the wild. So, while decryptor development will be helpful to some victims, many of those with encrypted files are left with limited options. The one functionality that might make a greater impact with smaller families is the ability to modify the Master Boot Record (MBR) which is a paramount part of a system being able to boot into its operating system. Once modified, the system will boot into a lock screen set up by the malware, demanding payment to not only decrypt files but also restore access to the main operating system.

Figure 10. Petya Lockscreen

MBR ransomware has been observed throughout 2016 with families like Petya and GoldenEye, however this functionality has yet to become part of the features offered by Cerber or Locky. The addition of this functionality reduced the options for a victim to basically “Pay or Wipe.” In other words, give in to the criminals’ demands or completely wipe the system and start fresh, losing everything.

Malware Distribution

Over the years, we have observed only one stable truth of the malware development and distribution world: distribution through e-mail. As mentioned previously, phishing attacks including malicious attachments had a big comeback in the second half of the year. However, we predict that exploit kits (RIG specifically) are likely to become the standard for distribution of malware again in the very near future. The initial sign of a new season for exploit kit domination typically aligns with the creation of Zero-Day exploits, or code that targets vulnerabilities for which there is no patch currently available to protect the user. Once you hear about a new Flash or Internet Explorer exploit, expect drive-by exploits and malvertising to get more attention shortly after. However, as before, we will not see malicious phishing attacks disappear. Due to the new developments in the download and installation of malware originating from phishing emails, as well as the use of macro scripts in Office documents, this method of attack will continue at steady levels throughout the rest of the year, likely with increased sophistication.

Potentially Unwanted Programs

We primarily covered Adware as being one of the largest detected threats of 2016. However, the term Potentially Unwanted Programs (PUP) spans numerous types of software from toolbars to registry cleaners and, as more and more security companies have started to detect this form of software, the actors behind its development and distribution have modified their methods to ensure the greatest amount of exposure. These methods include modifying their software just enough to slide by the criteria many security software companies create for classifying PUPs, working together with Tech Support Scam organizations to share user bases, changing the name of their products and companies and other activities which are more akin to malware authors than ‘legitimate’ companies. We can expect these developments to continue into 2017, likely with sophisticated PUPs becoming more aggressive.

Internet of Things

The IoT is a fantastic sign of our future reality and as such is being developed, adopted and analyzed heavily by users, security personnel and companies. However, the surge of new developments with lack of concern for security has resulted in botnets like Mirai being able to take down a backbone of the internet. It is imperative that, as a community, we encourage developers of IoT devices to spend the time necessary in making sure these devices are not only safe and functional, but also secure enough to not be used for nefarious purposes. Despite what the industry decides to do, become more secure or ignore it altogether, the doors have been opened by malware like Mirai for new malware development and attack strategies utilized by cybercriminals to steal personal information, reduce personal safety and create literal robot armies in 2017.