
Submitted By mirabilis
Words 44470
Pages 178
Build Your Report | Symantec

http://www.symantec.com/threatreport/print.jsp?id=highlights...


Internet Security Threat Report Volume 17
Custom Report
Symantec blocked a total of over 5.5 billion malware attacks in 2011, an 81% increase over 2010.
Web-based attacks increased by 36%, with over 4,500 new attacks each day.
403 million new variants of malware were created in 2011, a 41% increase over 2010.
Spam volumes dropped by 34% in 2011 compared with 2010.
39% of malware attacks via email used a link to a web page.
Mobile vulnerabilities continued to rise, with 315 discovered in 2011.
Only 8 zero-day vulnerabilities were discovered in 2011, compared with 14 in 2010.
50% of targeted attacks were aimed at companies with fewer than 2,500 employees.
Overall, the number of vulnerabilities discovered in 2011 dropped 20%.
Only 42% of targeted attacks are aimed at CEOs, senior managers and knowledge workers.
In 2011, 232 million identities were exposed.
An average of 82 targeted attacks take place each day.
Mobile threats are collecting data, tracking users and sending premium text messages.
You are more likely to be infected by malware placed on a legitimate website than by one created by a hacker.

Introduction

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second. This network monitors attack activity in more than 200 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, and other third-party data sources. In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products. Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology is able to detect new and sophisticated targeted threats before reaching customers’ networks. Over 8 billion email messages and more than 1.4 billion Web requests are processed each day across 15 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers

the essential information to secure their systems effectively now and into the future.

More information
Symantec.cloud Global Threats: http://www.symanteccloud.com/en/gb/globalthreats/
Symantec Security Response: http://www.symantec.com/security_response/
Internet Security Threat Report Resource Page: http://www.symantec.com/threatreport/
Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/

About Symantec
Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

2011 In Review
2011 In Numbers
Executive Summary

Symantec blocked more than 5.5 billion malicious attacks in 2011 [i], an increase of more than 81% from the previous year. This increase was in large part the result of a surge in polymorphic malware attacks, particularly those found in Web attack kits and socially engineered attacks using email-borne malware. Targeted attacks exploiting zero-day vulnerabilities were potentially the most insidious of these attacks. With a targeted attack, it is almost impossible to know when you are being targeted, as by their very nature they are designed to slip under the radar and evade detection. Unlike these chronic problems, targeted attacks, politically motivated hacktivist attacks, data breaches and attacks on Certificate Authorities made the headlines in 2011. Looking back at the year, we saw a number of broad trends, including (in roughly the order they are covered in the main report):

Malicious attacks skyrocket by 81 percent
In addition to the 81% surge in attacks, the number of unique malware variants also increased by 41%, and the number of Web attacks blocked per day also increased dramatically, by 36%. Greater numbers of more widespread attacks employed advanced techniques, such as server-side polymorphism, to colossal effect. This technique enables attackers to generate an almost unique version of their malware for each potential victim. At the same time, spam levels fell considerably and the report shows a decrease in total new vulnerabilities discovered (-20%). These statistics, compared to the continued growth in malware, paint an interesting picture. Attacks are rising, but the number of new vulnerabilities is decreasing. Unfortunately, helped by toolkits, cyber criminals are able to efficiently use existing vulnerabilities. The decrease in spam, another popular and well-known attack vector, did not impact the number of attacks. One reason is likely the vast adoption of social networks as a propagation vector. Today these sites attract millions of users and provide fertile ground for cyber criminals.

The very nature of social networks makes users feel that they are amongst friends and perhaps not at risk. Unfortunately, it is exactly the opposite, and attackers are turning to these sites to target new victims. Also, due to social engineering techniques and the viral nature of social networks, it is much easier for threats to spread from one person to the next.

Cyber espionage and business: Targeted attacks target everyone
We saw a rising tide of advanced targeted attacks in 2011 (94 per day on average at the end of November 2011). The report data also showed that targeted threats are not limited to enterprises and executive-level personnel. 50% of attacks focused on companies with fewer than 2,500 employees, and 18% of attacks were focused on organizations with fewer than 250 employees. It is possible that smaller companies are now being targeted as a stepping stone to a larger organization because they may be in the partner ecosystem and less well defended. Targeted attacks are a risk for businesses of all sizes; no one is immune to these attacks. In terms of the people who are being targeted, it is no longer only the CEOs and senior-level staff. 58% of the attacks are going to people in other job functions such as Sales, HR, Executive Assistants, and Media/Public Relations. This could represent a trend in attackers focusing their attention on lower-hanging fruit. If they cannot get to the CEOs and senior staff, they can get to other links inside the organizations. It is also interesting to note that these roles are highly public and also likely to receive a lot of attachments from outside sources. For example, an HR or recruiter staff member would regularly receive and open CVs and other attachments from strangers.

Mobile Phones under Attack
Growth of mobile malware requires a large installed base to attack and a profit motive to drive it. According to the analyst firm Gartner, smartphones and tablets began to outsell conventional PCs in 2011, with sales of smartphones predicted to reach 645 million by the end of 2012. And while profits remain lucrative in the PC space, mobile offers new opportunities to cybercriminals that are potentially more profitable. A stolen credit card may go for as little as USD 40-80 cents. Malware that sends premium SMS text messages can pay the author USD $9.99 for each text, and for victims not watching their phone bill this could pay off the cybercriminal countless times. With the number of vulnerabilities in the mobile space rising (a 93.3% increase over 2010) and malware authors not only reinventing existing malware for mobile devices but creating mobile-specific malware geared to the unique opportunities mobile presents, 2011 was the first year that mobile malware presented a tangible threat to enterprises and consumers. Mobile also creates an urgent concern for organizations around the possibility of breaches. Given the intertwining of work and personal information on mobile devices, the loss of confidential information presents a real risk to businesses. And unlike a desktop computer, or even a laptop, mobile devices are easily lost. Recent research by Symantec shows that 50% of lost phones will not be returned, and that for unprotected phones, 96% of lost phones will have the data on that phone breached.

Certificate Authorities and Transport Layer Security (TLS) v1.0 are targeted as SSL use increases
High-profile hacks of Certificate Authorities, providers of Secure Sockets Layer (SSL) certificates, threatened the systems that underpin trust in the internet itself. However, SSL technology was not the weak link in the DigiNotar breach and other similar hacks; instead, these attacks highlighted the need for organizations in the Certificate Authority supply chain to harden their infrastructures and adopt stronger security procedures and policies. A malware-dependent exploit concept against TLS 1.0 highlighted the need for the SSL ecosystem to upgrade to newer versions of TLS, such as TLS 1.2 or higher. Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by Facebook, Google, Microsoft, and Twitter adopting Always On SSL [ii].

232 million identities stolen
More than 232.4 million identities were exposed overall during 2011. Although not the most frequent cause of data breaches, breaches caused by hacking attacks had the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011, according to analysis from the Norton Cybercrime Index [iii]. The most frequent cause of data breaches (across all sectors) was theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium. Theft or loss accounted for 34.3% of breaches that could lead to identities exposed.

Botnet takedowns reduce spam volumes
It isn't all bad news; the overall volume of spam fell considerably in the year, from 88.5% of all email in 2010 to 75.1% in 2011. This was largely thanks to law enforcement action which shut down Rustock, a massive, worldwide botnet that was responsible for sending out large amounts of spam. In 2010, Rustock was the largest spam-sending botnet in the world, and with its demise, rival botnets were seemingly unable or unwilling to take its place. At the same time, spammers are increasing their focus on social networking, URL shorteners and other technology to make spam-blocking harder.

Taken together, these changes suggest that a growing number of untargeted but high-volume malware and spam attacks is matched by an increasingly sophisticated hard core of targeted attacks, advanced persistent threats and attacks on the infrastructure of the Internet itself. Organizations should take this message to heart. They need to be successful every time against criminals, hackers and spies. The bad guys only need to be lucky once.

i NB. This figure includes attack data from Symantec.cloud for the first time. Excluding these figures for comparison with 2010, the total figure would be 5.1 billion attacks.
ii https://otalliance.org/resources/AOSSL/index.html
iii http://www.nortoncybercrimeindex.com/


Safeguarding Secrets: Industrial Espionage in Cyberspace

Cyber-espionage in 2011
The number of targeted attacks increased dramatically during 2011 from an average of 77 per day in 2010 to 82 per day in 2011. And advanced persistent threats (APTs) attracted more public attention as the result of some well-publicized incidents. Targeted attacks use customized malware and refined targeted social engineering to gain unauthorized access to sensitive information. This is the next evolution of social engineering, where victims are researched in advance and specifically targeted. Typically, criminals use targeted attacks to steal valuable information such as customer data for financial gain. Advanced persistent threats use targeted attacks as part of a longer-term campaign of espionage, typically targeting high-value information or systems in government and industry. In 2010, Stuxnet grabbed headlines. It is a worm that spreads widely but carried a specialized payload designed to target systems that control and monitor industrial processes, creating suspicion that it was being used to target nuclear facilities in Iran. It showed that targeted attacks could be used to cause physical damage in the real world, making real the specter of cyber-sabotage.

In October 2011, Duqu came to light [iv]. This is a descendant of Stuxnet. It used a zero-day exploit to install spyware that recorded keystrokes and other system information. It presages a resurgence of Stuxnet-like attacks, but we have yet to see any version of Duqu built to cause cyber-sabotage. Various long-term attacks against the petroleum industry, NGOs and the chemical industry [v] also came to light in 2011. And hacktivism by Anonymous, LulzSec and others dominated security news in 2011.

Advanced Persistent Threats
Advanced persistent threats (APTs) have become a buzzword used and misused by the media, but they do represent a real danger. For example, a reported attack in March 2011 resulted in the theft of 24,000 files from a US defense contractor. The files related to a weapons system under development for the US Department of Defense (DOD). Government agencies take this type of threat very seriously. For example, the US DOD has committed at least USD $500 million to cyber security research and development, and the UK Government recently released its Cyber Security Strategy, outlining a National Cyber Security Programme of work funded by the GBP £650 million investment made to address continuously evolving cyber risks, such as e-crime as well as threats to national security [vi]. All advanced persistent threats rely on targeted attacks as their main delivery vehicle, using a variety of vectors such as drive-by downloads, SQL injection, malware, phishing and spam.


APTs differ from conventional targeted attacks in significant ways:
1. They use highly customized tools and intrusion techniques.
2. They use stealthy, patient, persistent methods to reduce the risk of detection.
3. They aim to gather high-value, national objectives such as military, political or economic intelligence.
4. They are well-funded and well-staffed, perhaps operating with the support of military or state intelligence organizations.
5. They are more likely to target organizations of strategic importance, such as government agencies, defense contractors, high-profile manufacturers, critical infrastructure operators and their partner ecosystem.

The hype surrounding APTs masks an underlying reality: these threats are, in fact, a special case within the much broader category of attacks targeted at specific organizations of all kinds. As APTs continue to appear on the threat landscape, we expect to see other cybercriminals learn new techniques from these attacks. For example, we're already seeing polymorphic code used in mass malware attacks and we see spammers exploit social engineering on social networks. Moreover, the fact that APTs are often aimed at stealing intellectual property suggests new roles for cybercriminals as information brokers in industrial espionage schemes. While the odds of an APT affecting most organizations may be relatively low, the chances that you may be the victim of a targeted attack are, unfortunately, quite high. The best way to prepare for an APT is to ensure you are well defended against targeted attacks in general.

Targeted Attacks
Targeted attacks affect all sectors of the economy. However, two-thirds of attack campaigns focus on a single or a very limited number of organizations in a given sector and more than half focus on the defense and aerospace sector, sometimes attacking the same company in different countries at the same time. On average they used two different exploits in each campaign, sometimes using zero-day exploits to make them especially potent.


It is, however, a mistake to assume that only large companies suffer from targeted attacks. In fact, while many small business owners believe that they would never be the victim of a targeted attack, more than half were directed at organizations with fewer than 2,500 employees; in addition, 17.8% were directed at companies with fewer than 250 employees. It is possible that smaller companies are targeted as a stepping-stone to a larger organization because they may be in the supply chain or partner ecosystem of larger but better-defended companies. While 42% of the mailboxes targeted for attack are high-level executives, senior managers and people in R&D, the majority of targets were people without direct access to confidential information. For an attacker, this kind of indirect attack can be highly effective in getting a foot in the door of a well-protected organization. For example, people with HR and recruitment responsibilities are targeted 6% of the time, perhaps because they are used to getting email attachments such as CVs from strangers.


Where attacks come from
Figure 5 represents the geographical distribution of attacking machines' IP addresses for all targeted attacks in 2011. It doesn't necessarily represent the location of the perpetrators.


Case study
In 2011, we saw 29 companies in the chemical sector (among others) targeted with emails that appeared to be meeting invitations from known suppliers. These emails installed a well-known backdoor trojan with the intention of stealing valuable intellectual property such as design documents and formulas.

iv http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
v http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
vi http://www.cabinetoffice.gov.uk/sites/default/files/resources/WMS_The_UK_Cyber_Security_Strategy.pdf

Against the Breach: Securing Trust and Data Protection
Political activism and hacking were two big themes in 2011, themes that are continuing into 2012. There were many attacks last year that received lots of media attention. Hacking can undermine institutional confidence in a company, and loss of personal data can result in damage to an organization's reputation. Although not the most frequent cause of data breaches, hacking attacks had potentially the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011, analysis from the Norton Cybercrime Index revealed. Despite the media interest around these breaches, old-fashioned theft was the most frequent cause of data breaches in 2011.

Data Breaches in 2011
2011 was the year of data breaches. Analysis of the industry sectors showed that companies in the computer software, IT and healthcare sectors accounted for 93.0% of the total number of identities stolen. It is likely that hackers perceived some of the victims as softer targets, focused on consumer markets and not information security. Theft or loss was the most frequent cause, across all sectors, accounting for 34.3%, or approximately 18.5 million identities exposed in 2011. Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks. More than 232.4 million identities were exposed overall during 2011. Deliberate breaches mainly targeted customer-related information, primarily because it can be used for fraud. A recent study [vii] from the Ponemon Institute, commissioned by Symantec, looked at 36 data breaches in the UK [viii] and found the average per capita cost was GBP £79 and an average incident costs GBP £1.75 million in total. Similarly in the US, Ponemon examined 49 companies and found the per capita cost of a breach was USD $194 and an average incident costs USD $5.5 million in total. Echoing the Norton Cybercrime Index data above, the Ponemon study also found that negligence (36% of cases in the UK and 39% in the US) and malicious or criminal attacks (31% in the UK and 37% in the US) were the main causes. The study's findings revealed that more organizations were using data loss prevention technologies in 2011 and that fewer records were being lost, with lower levels of customer churn than in previous years. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.


Certificate Authorities under attack
Certificate Authorities (CAs), which issue SSL certificates that help encrypt and authenticate websites and other online services, saw an unprecedented number of attacks in 2011. Notable examples of attacks against CAs in 2011 included:

March: An attack compromised the access credentials of a Comodo partner in Italy and used the partner's privileges to generate fraudulent SSL certificates [ix].
May: It was reported that another Comodo partner was hacked: ComodoBR in Brazil [x].
June: StartCom, the CA operating StartSSL, was attacked unsuccessfully in June [xi].
June: DigiNotar was hacked in June, but no certificates were issued at first [xii].
July: An internal audit discovered an intrusion within DigiNotar's infrastructure indicating compromise of their cryptographic keys. Fraudulent certificates were issued as a result of the DigiNotar hack for Google, Mozilla add-ons, Microsoft Update and others [xiii].
August: Fraudulent certificates from the DigiNotar compromise were discovered in the wild. A hacker (dubbed ComodoHacker) claimed credit for the Comodo and DigiNotar attacks and claimed to have attacked other certificate authorities as well. The hacker claimed to be from Iran.
September: Security researchers demonstrated "Browser Exploit Against SSL/TLS" (BEAST for short) [xiv], a technique to take advantage of a vulnerability in the encryption technology of TLS 1.0, a standard used by browsers, servers and Certificate Authorities.
September: GlobalSign was attacked; although the Certificate Authority was not breached, their web server was compromised [xv], but nothing else [xvi]. ComodoHacker claimed credit for this attack as well.
September: The Dutch government and other DigiNotar customers suddenly had to replace all DigiNotar certificates as the major Web browser vendors removed DigiNotar from their trusted root stores [xvii]. DigiNotar filed for bankruptcy.
November: Digicert Sdn. Bhd (Digicert Malaysia), an intermediate certificate authority that chained up to Entrust (and is no relation to the well-known CA, DigiCert Inc.), issued certificates with weak private keys and without appropriate usage extensions or revocation information. As a result, Microsoft, Google and Mozilla removed the Digicert Malaysia roots from their trusted root stores [xviii]. This was not the result of a hacking attack; it was the result of poor security practices by Digicert Sdn. Bhd.
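The Digicert Malaysia entry lists three issuance defects a relying party can check for itself: weak keys, missing usage extensions and missing revocation information. The following is an added example (not code from the Symantec report) of such an audit in Go, using only the standard library; the sample certificates are constructed in-code, and the host names and CRL/OCSP URLs are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCertificate applies the hygiene checks that the Digicert Malaysia
// incident showed a careless issuer can skip: key strength, an explicit
// Extended Key Usage, and revocation pointers. It also flags deprecated
// signature hashes. One string is returned per failed check; an empty slice
// means the certificate passed.
func AuditCertificate(cert *x509.Certificate) []string {
	var findings []string

	// Weak keys: 2048-bit RSA and 256-bit EC are the floors assumed here.
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			findings = append(findings, fmt.Sprintf("weak RSA key: %d bits", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < 256 {
			findings = append(findings, fmt.Sprintf("weak EC key: %d bits", pub.Curve.Params().BitSize))
		}
	default:
		findings = append(findings, fmt.Sprintf("unexpected key type %T", pub))
	}

	// Missing usage extensions: without an EKU the certificate is not limited
	// to server authentication and could be repurposed, e.g. for code signing.
	if len(cert.ExtKeyUsage) == 0 {
		findings = append(findings, "no Extended Key Usage extension")
	}

	// Missing revocation information: with neither a CRL distribution point
	// nor an OCSP responder, relying parties cannot learn the cert was withdrawn.
	if len(cert.CRLDistributionPoints) == 0 && len(cert.OCSPServer) == 0 {
		findings = append(findings, "no CRL distribution point or OCSP responder")
	}

	// Deprecated signature hashes make collision-based forgery practical.
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "deprecated signature algorithm "+cert.SignatureAlgorithm.String())
	}
	return findings
}

// makeCert builds a constructed, self-signed sample certificate for the demo
// (not a real certificate; host names and URLs are placeholders). With
// sloppy=true it reproduces the defects described above: a 1024-bit key,
// no EKU and no revocation pointers.
func makeCert(sloppy bool) (*x509.Certificate, error) {
	bits := 2048
	if sloppy {
		bits = 1024
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if !sloppy {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.CRLDistributionPoints = []string{"http://crl.example.test/ca.crl"}
		tmpl.OCSPServer = []string{"http://ocsp.example.test"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, sloppy := range []bool{true, false} {
		cert, err := makeCert(sloppy)
		if err != nil {
			panic(err)
		}
		fmt.Printf("sloppy=%v findings=%v\n", sloppy, AuditCertificate(cert))
	}
}
```

The same function can be pointed at a real chain by parsing the PEM you receive from a server instead of calling makeCert.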


These attacks have demonstrated that not all CAs are created equal. These attacks raise the stakes for Certificate Authorities and require a consistently high level of security across the industry. For business users, they underline the importance of choosing a trustworthy, well-secured Certificate Authority. Lastly, consumers should be using modern, up-to-date browsers and become more diligent about checking to verify that sites they visit are using SSL issued by a major trusted CA; we have included some advice in the best practices section at the end of this report.

Building Trust and Securing the Weakest Links
Law-abiding users have a vested interest in building a secure, reliable, trustworthy Internet. The latest developments show that the battle for end-users' trust is still going on:

Always On SSL. The Online Trust Alliance [xix] endorses Always On SSL, a new approach to implementing SSL across a website. Companies like Facebook [xx], Google, PayPal, and Twitter [xxi] are offering users the option of persistent SSL encryption and authentication across all the pages of their services (not just login pages). Not only does this mitigate man-in-the-middle attacks like Firesheep [xxii], but it also offers end-to-end security that can help secure every Web page that visitors to the site use, not just the pages used for logging in and for financial transactions.

Extended Validation SSL Certificates. EV SSL Certificates offer the highest level of authentication and trigger browsers to give users a very visible indicator that the user is on a secured site by turning the address bar green. This is valuable protection against a range of online attacks. A Symantec-sponsored consumer survey of internet shoppers in Europe, the US and Australia showed the SSL EV green bar increases the feeling of security for most (60%) shoppers [xxiii]. Conversely, in a US online consumer study, 90% of respondents would not continue a transaction if they see a browser warning page indicating the absence of a secure connection [xxiv].

Baseline Requirements for SSL/TLS Certificates. The CA/Browser Forum released "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates", the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software. The new baseline standard was announced in December 2011 and goes into effect July 1, 2012.

Code signing certificates and private key security. High-profile thefts of code signing private keys highlighted the need for companies to secure and protect their private keys if they hold digital certificates [xxv]. Stealing code signing keys enables hackers to use those certificates to digitally sign malware, and that can help to make attacks using that malware much harder to recognize. That is exactly what happened with the Stuxnet and Duqu attacks.

DNSSEC. This technology is gaining momentum as a method of preserving the integrity of the domain name system (DNS). However, it is not a panacea for all online security needs: it does not provide website identity authentication, nor does it provide encryption. DNSSEC should be used in conjunction with Secure Sockets Layer (SSL) technology and other security mechanisms.

Legal requirements. Many countries, including the EU Member States [xxvi] and the United States (46 states) [xxvii], have at least sectoral data breach notification legislation, which means that companies must notify authorities and, where appropriate, affected individuals if their data is affected by a data breach. As well as a spur to encourage other territories with less regulation, these requirements can reassure users that in the event of a breach they will be quickly notified and will be able to take some action to mitigate the potential impact, including changing account passwords.

vii TBC: ADD URL TO UK PONEMON RESEARCH 2011 Cost of Data Breach Study: United Kingdom, Ponemon Institute, March 2012

viii
ix Certificate Authority hacks (Comodohacker), breaches & trust revocations in 2011: Comodo (2 RAs hacked), https://www-secure.symantec.com/connect/blogs/how-avoid-fraudulent-ssl, http://www.thetechherald.com/articles/InstantSSL-it-named-as-source-of-Comodo-breach-by-attacker/13145/
x http://www.theregister.co.uk/2011/05/24/comodo_reseller_hacked/
xi StartCom attacked, http://www.internet-security.ca/internet-security-news-archives-031/security-firm-startssl-suffered-a-security-attack.html, http://www.informationweek.com/news/security/attacks/231601037
xii http://www.theregister.co.uk/2011/09/06/diginotar_audit_damning_fail/
xiii DigiNotar breached & put out of business, https://www-secure.symantec.com/connect/blogs/why-yourca-matters, https://www-secure.symantec.com/connect/blogs/diginotar-ssl-breach-update, http://www.arnnet.com.au/article/399812/comodo_hacker_claims_credit_diginotar_attack/, http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-othercas-breached.ars, http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231600865/comodo-hacker-takes-credit-for-massive-diginotar-hack.html, http://www.pcworld.com/businesscenter/article/239534/comodo_hacker_claims_credit_for_diginotar_attack.html
xiv Attacks & academic proof-of-concept demos: BEAST (http://blog.ivanristic.com/2011/10/mitigatingthe-beast-attack-on-tls.html) and TLS 1.1/1.2, THC-SSL-DOS, LinkedIn SSL Cookie Vulnerability (http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/)
xv http://www.itproportal.com/2011/09/13/globalsign-hack-was-isolated-server-business-resumes/
xvi http://www.theregister.co.uk/2011/09/07/globalsign_suspends_ssl_cert_biz/
xvii http://www.pcworld.com/businesscenter/article/239639/dutch_government_struggles_to_deal_with_diginotar_hack.html
xviii http://www.theregister.co.uk/2011/11/03/certificate_authority_banished/
xix https://otalliance.org/resources/AOSSL/index.html
xx http://blog.facebook.com/blog.php?post=486790652130
xxi http://blog.twitter.com/2011/03/making-twitter-more-secure-https.html
xxii http://www.symantec.com/connect/blogs/launch-always-ssl-and-firesheep-attacks-page
xxiii Symantec-sponsored consumer web survey of internet shoppers in the UK, France, Germany, Benelux, the US, and Australia in December 2010 and January 2011 (study conducted March 2011).
xxiv http://www.symantec.com/about/news/release/article.jsp?prid=20111129_01
xxv http://www.symantec.com/connect/blogs/protecting-digital-certificates-everyone-s-responsibility/
xxvi http://www.enisa.europa.eu/act/it/library/deliverables/dbn/at_download/fullReport
xxvii http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/

Consumerization and Mobile Computing: Balancing the Risks and Benefits in the Cloud
Risks with ‘bring your own device’
Employees are increasingly bringing their own smartphones, tablets or laptops to work. In addition, many companies are giving employees an allowance or subsidy to buy their own computer equipment. These trends, known as ‘bring your own device’, present a major challenge to IT departments more used to having greater control over every device on the network. There is also the risk that a device owned by an employee might be used for non-work activity that exposes it to more malware than a device used strictly for business purposes. The proliferation of mobile devices in the home and in business has been fueled in large part by the growth in cloud-based services and applications; without access to the Internet, many mobile devices lack a great deal of the functionality that made them attractive in the first place.


Threats against mobile devices
Over the past ten years we have seen a proliferation of mobile devices, but there has not yet been a corresponding rise in mobile threats on the same level as we have seen in PC malware. If we look at how PC malware evolved, three factors are needed before a major increase in mobile malware will occur: a widespread platform, readily accessible development tools, and sufficient attacker motivation (usually financial). The first has been fulfilled most recently with the advent of Android. Its growing market share parallels the rise in the number of mobile threats during 2011.

Unlike closed systems such as Apple’s iPhone, Android is a relatively open platform. It is easier for developers, including malware writers, to write and distribute applications. In 2011, we saw malware families such as Opfake migrate from older platforms to Android. The latest strains of Opfake have used server-side polymorphism in order to evade traditional signature-based detection. Without a single Android marketplace for apps and central control over what is published, it is easy for malware authors to create trojans that are very similar to popular apps, although Android users must explicitly approve the set of permissions that is outlined for each app. Currently, more than half of all Android threats collect device data or track users’ activities. Almost a quarter of the mobile threats identified in 2011 were designed to send content, and one of the most popular ways for phone malware authors to make money is by sending premium SMS messages from infected phones. This technique was used by 18% of mobile threats identified in 2011. Increasingly, phone malware does more than send SMS. For example, we see attacks that track the user’s position with GPS and steal information. The message that is coming through loud and clear is that the creators of these threats are getting more strategic and bolder in their efforts. People regard their phones as personal, private, intimate parts of their life and view phone attacks with alarm. The motivations for such attacks are not always monetary: in this example, it was about gathering intelligence and personal information. Mobile threats are now employing server-side polymorphic techniques, and the number of variants of mobile malware is currently rising faster than the number of unique families of mobile malware.
Monetization is still a key driver behind the growth in mobile malware, and the current mobile technology landscape provides some malicious opportunities; however, there are none yet at the same revenue scale achievable on Windows.
Figure: What mobile malware does with your phone


Consumerization of IT and cloud computing
As more people bring their own devices to work, consumer technology is invading the office. They’re also using social networking sites for a variety of purposes, including marketing. And they’re using cloud applications instead of company-managed software to store files or communicate. In some cases, this is being done ‘below the radar’ by individual employees without the support of the company. In other cases, businesses are embracing the benefits of cloud computing, mobile working and the price/performance of consumer devices to reduce costs and improve productivity. For example, 37% of businesses globally are already adopting cloud solutionsxxviii. The risks of unmanaged employee adoption of cloud computing or the use of consumer devices and consumer websites in business are clear. But even if companies deliberately choose consumerization, there are still security challenges. It makes it harder for companies to erect an impermeable boundary around the business and control exactly what is on employees’ PCs and how data is stored, managed and transferred, especially when tracking how and where corporate data and information is being used.
Confidence in the Cloud: Balancing Risks

Many companies are keen to adopt cloud computing. It can reduce costs by outsourcing routine services, such as email or CRM, to third-party specialists and by swapping upfront capital expenditure for lower, more predictable per-user fees. It can also give companies access to newer and better technology without the difficulties of installing or upgrading in-house hardware. However, it is not without its risks. The first risk is unmanaged employee use of cloud services. For example, an employee starts using a file-sharing Web site to transfer large documents to clients or suppliers, or sets up an unofficial company page or discussion forum on a popular social networking site. In fact, the tighter the IT department holds the reins, the more likely it is that employees will work around limitations using third-party Web sites. The main risks involved in the use of ad-hoc cloud computing services include:
- Security and compliance: the interfaces between users, endpoints and backend systems all need to be secure, with appropriate levels of access control in place. Is data encrypted as it is transferred over the internet?
- Non-compliance with data protection regulations: for example, if the data is hosted overseas, from a European standpoint this could result in a breach of privacy legislation.
- Lack of vendor validation: is the service reputable and secure? Can the users easily transfer their data to another vendor should the need arise?
- Public and private cloud providers depend on system availability, and strong service level agreements (SLAs) can help to promote high availability.
- Secure access control over company data stored on third-party systems: does the service offer control over how the data is stored and how it can be accessed? If the service is unavailable for any reason, the company may be unable to access its own data.
- Are there legal risks and liabilities that may arise as a result of vendor terms and conditions? Always make sure the terms and conditions are clear and that service level performance can be monitored against the agreed SLAs.
IT managers and CISOs can address these concerns by validating an approved list of cloud applications in the same way that they would authorize on-premise software. This needs to be backed up with the appropriate acceptable usage policies, employee training and, if necessary, enforcement using Web site access control technology. In addition, where employees access consumer sites for business use, such as using social networking services for marketing, companies need to protect users against potential attacks from Web-hosted malware and spam.

xxviii Appendix D: Vulnerability Trends: Figure D.3

Spam Activity Trends
Spam in 2011
Despite a significant drop in email spam in 2011 (to an average of 75.1% of all email, compared with 88.5% in 2010), spam continues to be a chronic problem for many organizations and can be a silent killer for smaller businesses, particularly if their email servers become overwhelmed by millions of spam emails each day. With the power of botnets (robot networks of computers infected with malware and under the control of cybercriminals), spammers can pump out billions of spam emails every day, clogging up company networks and slowing down communications. There were, on average, 42 billion spam messages a day in global circulation in 2011, compared with 61.6 billion in 2010. In 2011, we saw spam, phishing and 419 scams exploit political unrest (e.g. the Arab spring), the deaths of public figures (e.g. Muammar Gadhafi, Steve Jobs and Amy Winehouse) and natural disasters (e.g. the Japanese tsunami). These are the same topics that newspapers cover, and for the same reasons: they attract readers’ attention. Unlike spam, phishing activity continued to rise (up to 0.33%, or 1 in 298.0 of all email, in 2011, from 0.23%, or 1 in 442.1, in 2010). The proportion of phishing emails varied considerably by company size, with the smallest and largest companies attracting the most, but the proportion of spam was almost identical for all sizes of business.


Impact of botnets on spam
Overall in 2011, botnets produced approximately 81.2% of all spam in circulation, compared with 88.2% in 2010. Between March 16th and March 17th, 2011, many Rustock command and control (C&C) servers located in the US were seized and shut down by US federal law enforcement agents, resulting in an immediate drop in the global spam volume from 51 billion spam messages a day in the week before the shutdown to 31.7 billion a day in the week afterwards.
The changing face of spam
Between 2010 and 2011, pharmaceutical spam fell by 34%, in large part owing to the demise of the Rustock botnet, which was mainly used to pump out pharmaceutical spam. In contrast, messages about watches and jewelry, and sex and dating, both increased as a percentage. Not only were there fewer spam emails in circulation, but smaller message sizes were the most common, and English remained the lingua franca of spamxxix, with Portuguese, Russian and Dutch the next most popular languages (albeit with a much smaller ‘market share’). As the popularity of social networking and micro-blogging sites continues to grow, spammers increasingly target them as well as traditional email for their messages. Having your content go viral is not just the dream of legitimate marketers: cybercriminals distributing malware and spam are also finding new ways to exploit the power of social media and are even tricking users into spreading their links for them.


URL shortening and spam
Spammers are making greater use of URL shortening services, even establishing their own shortening services along the way. These services take a long website address and shorten it, making it easier to share. This has many legitimate uses and is popular on social networking and micro-blogging sites. Spammers take advantage of these services to hide the true destination of links in their unwanted messages. This makes it harder for users to know what they are clicking on, and it increases the work needed for spam filtering software to check whether a link in an email is legitimate or not. Spammers sometimes redirect a website address through many different shortened links. There are so many shortening services that if one gets shut down or improves security, spammers can move on to the next site. In May 2011, the first evidencexxx of spammers using their own URL shortening services appeared: spammers were hosting their own shortened Web sites redirecting visitors to spam Web sites. These shortened links first pass through bona fide URL shortening services, in a bid to hide the true nature of the spam URL from the legitimate shortening service. Initially, spammer-operated link shorteners were rudimentary and based on freely-available open source tools. Spammers used these services to make it more difficult to detect and block spam activity based on the URLs involved, and to further conceal the true location of the promoted sites. They generated different URLs for use in different environments, such as social networking, micro-blogging and email campaigns. Spammers also used fake profiles on Twitter to send messages containing the same shortened links, with each profile using different trending topics to promote their messages. As an added bonus, link shortening sites can give them feedback, through a dashboard provided by the URL shortening service, about the number of click-throughs on a given link, so that they can use this information to target the messages better. In other words, they can find out what people like to click and send out more of that, increasing the effectiveness of their campaigns.

xxix Appendix C: Spam and Fraud Activity Trends
xxx http://www.symanteccloud.com/en/gb/mlireport/MLI_2011_05_May_FINAL-en.pdf
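The redirect chains described above, worked through in Python as an added example (not Symantec's code): it follows a shortened link hop by hop using a constructed stand-in for HTTP requests and flags chains that pass through several public shorteners or through an unknown redirector, the pattern a spammer-operated shortener leaves. The shortener list, the sample redirects and every host name below are constructed for illustration.

```python
"""Follow a shortened link's redirect chain and flag the patterns the report
describes: several public shorteners chained together, or a hop through an
unknown redirector (a spammer-operated shortener) before the promoted site.
Added example; not Symantec code. All hosts and redirects are constructed.
"""
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

MAX_HOPS = 10

# Public shortening services a mail filter already recognises (constructed list).
KNOWN_SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Constructed stand-in for issuing HTTP requests: maps a URL to the Location
# header it answers with, or None when the URL is a final page (HTTP 200).
SAMPLE_REDIRECTS: Dict[str, Optional[str]] = {
    # Spam campaign: two public shorteners, then a private shortener, then the shop.
    "http://bit.ly/3xAmpl": "http://t.co/9kQ2",
    "http://t.co/9kQ2": "http://shrt.example/ab12",
    "http://shrt.example/ab12": "http://pills-shop.example/offer?c=tw",
    "http://pills-shop.example/offer?c=tw": None,
    # Ordinary use: one shortener straight to the destination.
    "http://goo.gl/legit": "https://www.example.org/blog/post",
    "https://www.example.org/blog/post": None,
    # Misconfigured or deliberate loop.
    "http://ow.ly/loopA": "http://ow.ly/loopB",
    "http://ow.ly/loopB": "http://ow.ly/loopA",
}


def sample_fetch(url: str) -> Optional[str]:
    """Hypothetical fetch(): returns the redirect target, or None for a final page."""
    return SAMPLE_REDIRECTS.get(url)


def expand_chain(url: str, fetch: Callable[[str], Optional[str]],
                 max_hops: int = MAX_HOPS) -> List[str]:
    """Return every URL visited, starting with `url`, until a final page, a loop,
    or the hop limit. A loop is recorded by repeating the revisited URL at the end."""
    chain = [url]
    seen = {url}
    while len(chain) - 1 < max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
    return chain


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def assess_link(chain: List[str]) -> Dict[str, object]:
    """Classify a redirect chain. Every host that redirected (all but the last)
    is either a known public shortener or an unknown redirector."""
    hosts = [host_of(u) for u in chain]
    landing = hosts[-1]
    redirectors = hosts[:-1]
    known = [h for h in redirectors if h in KNOWN_SHORTENERS]
    unknown = sorted({h for h in redirectors
                      if h not in KNOWN_SHORTENERS and h != landing})
    looped = len(set(chain)) < len(chain)
    reasons: List[str] = []
    if looped:
        reasons.append("redirect loop")
    if len(chain) - 1 >= MAX_HOPS and not looped:
        reasons.append("hop limit reached")
    if len(known) > 1:
        reasons.append(f"{len(known)} chained shorteners")
    if unknown:
        reasons.append("unknown redirector(s): " + ", ".join(unknown))
    return {
        "landing": chain[-1],
        "hops": len(chain) - 1,
        "known_shorteners": known,
        "unknown_redirectors": unknown,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for start in ("http://bit.ly/3xAmpl", "http://goo.gl/legit", "http://ow.ly/loopA"):
        verdict = assess_link(expand_chain(start, sample_fetch))
        print(start, "->", verdict["landing"], verdict["reasons"] or "clean")
```

Swapping `sample_fetch` for a function that issues a HEAD request and returns its Location header turns this into a live check; keep the hop limit, since spammers' chains can be long.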

Malicious Code Trends
Malware in 2011
By analyzing malicious code we can determine which threat types and attack vectors are being employed. The endpoint is often the last line of defense, but it can often be the first line of defense against attacks that spread using USB storage devices, insecure network connections and compromised, infected websites. Symantec’s cloud-based technology and reputation systems can also help to identify and block new and emerging attacks that haven’t been seen before, such as new targeted attacks employing previously unknown zero-day exploits. Analysis of malware activity trends both in the cloud and at the endpoint can help to shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Corresponding to their large internet populations, the United States, China and India remained the top sources for overall malicious activity. The overall average proportion of attacks originating from the United States increased by one percentage point compared with 2010, while the same figure for China saw a decrease of approximately 10 percentage points compared with 2010. The United States was the number one source of all activities, except for malicious code and spam zombies, where India took first place. Around 12.6% of bot activity originated in the USA, as did 33.5% of web-based attacks, 16.7% of network attacks and 48.5% of phishing websites.
Website malware
Drive-by attacks continue to be a challenge for consumers and businesses. They are responsible for hundreds of millions of attempted infections every year. This happens when users visit a website that is host to malware. It can happen when they click on a link in an email or a link from a social networking site, or they can visit a legitimate website that has, itself, been infected. Attackers keep changing their techniques and have become very sophisticated. Badly-spelled, implausible email has been replaced by techniques such as ‘clickjacking’ or ‘likejacking’, where a user visits a website to watch a tempting video and the attackers use that click to post a comment to all the user’s friends on Facebook, thereby enticing them to click on the same malicious link. As a result, Facebook has implemented a ‘Clickjacking Domain Reputation System’ that has eliminated the bulk of clickjacking attacks by asking a user to confirm a Like before it posts, if the domain is considered untrusted. Based on Norton Safe Webxxxi data (Symantec technology that scans the Web looking for websites hosting malware) we’ve determined that 61% of malicious sites are actually regular Web sites that have been compromised and infected with malicious code. By category, the top five most infected website categories are:
1. Blogs and Web communications
2. Hosting/Personal hosted sites
3. Business/Economy
4. Shopping
5. Education and Reference

It is interesting to note that Web sites hosting adult/pornographic content are not in the top five, but ranked tenth. The full list can be seen in figure 16. Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.

In 2011, the Symantec VeriSign website malware scanning servicexxxii scanned over 8.2 billion URLs for malware infection, and approximately 1 in 156 unique websites were found to contain malware. Websites with vulnerabilities are at greater risk of malware infection, and Symantec began offering its SSL customers a website vulnerability assessment scan from October 2011. Between October and the end of the year, Symantec identified that 35.8% of websites had at least one vulnerability and 25.3% had at least one critical vulnerability.
Email-borne Malware
The number of malicious emails as a proportion of total email traffic increased in 2011. Large companies saw the greatest rise, with 1 in 205.1 emails being identified as malicious for large enterprises with more than 2,500 employees. For small to medium-sized businesses with up to 250 employees, 1 in 267.9 emails were identified as malicious. Criminals disguise the malware hidden in many of these emails using a range of different attachment types, such as PDF files and Microsoft Office documents. Many of these data file attachments include malicious code that takes advantage of vulnerabilities in the parent applications, and at least two of these attacks have exploited zero-day vulnerabilities in Adobe Reader. Malware authors rely on social engineering to make their infected attachments more clickable. For example, recent attacks appeared to be messages sent from well-known courier and parcel delivery companies regarding failed deliveries. In another example, emails purported to contain attachments of scanned images sent from network-attached scanners and photocopiers. The old guidance about not clicking on unknown attachments is, unfortunately, still relevant.


Moreover, further analysis revealed that 39.1% of email-borne malware comprised hyperlinks that referenced malicious code, rather than malware contained in an attachment. This is an escalation on the 23.7% figure in 2010, and a further indication that cybercriminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email-based to using the Web.
Border Gateway Protocol (BGP) Hijacking
In 2011 we investigatedxxxiii a case where a Russian telecommunications company had had its network hijacked by a spammer. They were able to subvert a fundamental Internet technology, the Border Gateway Protocol itself, to send spam messages that appeared to come from a legitimate (but hijacked) source. Since spam filters rely, in part, on blacklists of known spam senders, this technique could allow a spammer to bypass them. Over the course of the year, we found a number of cases like this. Even though this phenomenon remains marginal at this time compared to spam sent from large botnets, it is one to watch in the coming year.
Polymorphic threats
Polymorphic malware, or specifically “server-side” polymorphism, is the latest escalation in the arms race between malware authors and vendors of scanning software. The polymorphic technique works by constantly varying the internal structure or content of a piece of malware. This makes it much more challenging for traditional pattern-matching based anti-malware to detect. For example, by performing this function on a Web server, or in the cloud, an attacker can generate a unique version of the malware for each attack. In 2011, the Symantec.cloud email scanner frequently identified a polymorphic threat, Trojan.Bredolab, in large volumes. It accounted for 7.5% of all email malware blocked, equivalent to approximately 35 million potential attacks throughout the whole year. It used a range of techniques for stealth, including server-side polymorphism, customized packers, and encrypted communications. Figure 15 below illustrates this rise in Bredolab polymorphic malware threats being identified using cloud-based technology. This chart shows detections for emails that contained a document-style attachment purporting to be an invoice or a receipt and prompting the user to open the attachment.


Exploiting the Web: Attack toolkits, rootkits and social networking threats
Attack toolkits, which allow criminals to create new malware and assemble an entire attack without having to write the software from scratch, account for nearly two-thirds (61%) of all threat activity on malicious websites. As these kits become more widespread, robust and easier to use, this number is expected to climb. New exploits are quickly incorporated into attack kits. Each new toolkit version released during the year is accompanied by increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see increased use of it in the wild, making as much use of the new exploits as possible until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year. On average, attack toolkits contain around 10 different exploits, mostly focusing on browser-independent plug-in vulnerabilities like Adobe Flash Player, Adobe Reader and Java. Popular kits can be updated every few days, and each update may trigger a wave of new attacks. They are relatively easy to find and are sold on the underground black market and web forums. Prices range from $40 to $4,000. Attackers are using Web attack toolkits in two main ways:
- Targeted attacks. The attacker selects a type of user he would like to target. The toolkit creates emails, IMs and blog posts to entice the target audience to the infected content. Typically, this will be a link to a malicious website that will install the malware on the victim’s system.
- Broadcast attacks. The attacker starts by targeting a broad range of websites using SQL injection, web software, or server exploitation. The objective is to insert a link from an infected website to a malicious site that will infect visitors. Once successful, each subsequent visitor will be attacked.
Rootkits
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality. Rootkits have been around for some time—the Brain virus was the first identified rootkit to employ these techniques on the PC platform in 1986—and they have increased in sophistication and complexity since then. Rootkits represent a small percentage of attacks, but they are a growing problem and, because they are deeply hidden, they can be difficult to detect and remove. The current frontrunners in the rootkit arena are Tidserv, Mebratix, and Mebroot. These samples all modify the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded. Variants of Downadup (aka Conficker), Zbot (aka ZeuS), as well as Stuxnet all use rootkit techniques to varying degrees. As malicious code becomes more sophisticated, it is likely that its authors will increasingly turn to rootkit techniques to evade detection and hinder removal. As users become more aware of malicious code that steals confidential information and competition among attackers increases, it is likely that more threats will incorporate rootkit techniques to thwart security software.
Social media threats
With hundreds of millions of people on social networking sites, it is inevitable that online criminals would attack them there. A social medium is perfect for social engineering: it’s easier to fool someone when they think they’re surrounded by friends. More than half of all attacks identified on social networking Web sites were related to malware hosted on compromised Blogs/Web Communications Web sites. This is where a hyperlink for a compromised Web site was shared on a social network. Social networks are also increasingly used for sending spam messages, for the same reasons. All social media platforms are being exploited, and in many different ways. But Facebook, as the most popular, provides some excellent examples of how social engineering flourishes in social media. Criminals take advantage of people’s needs and expectations. For example, Facebook doesn’t provide a ‘dislike’ button or the ability to see who has viewed your profile, so criminals have exploited both concepts.
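For the MBR-modifying rootkits described in the Rootkits section above (Tidserv, Mebratix and Mebroot), an added example in Python, not Symantec's code: it parses a 512-byte master boot record, checks its structure, and compares the boot code against a trusted baseline hash, which is how a responder can spot a bootkit offline. The sample sectors, the fake loader bytes and the baseline are constructed; only the MBR layout itself is the real on-disk format.

```python
"""Offline integrity check for a disk's master boot record (MBR), the sector
that bootkits such as Tidserv, Mebratix and Mebroot overwrite so their code
runs before the operating system loads. Added example; not Symantec code.
The layout below is the standard MBR format; the sample sectors, the
baseline hash and the fake loader bytes are constructed for illustration.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445: boot loader code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries
SIGNATURE_OFFSET = 510         # two-byte boot signature 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Split a 512-byte sector into boot code, used partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    partitions: List[Dict[str, int]] = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status (1), CHS start (3, skipped), type (1), CHS end (3, skipped),
        # LBA of first sector (4, little-endian), sector count (4, little-endian)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_SIZE],
            "partitions": partitions,
            "signature": sector[SIGNATURE_OFFSET:]}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> List[str]:
    """Return findings for an MBR image; an empty list means it matches the baseline."""
    findings: List[str] = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from trusted baseline")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: the given boot code plus one active NTFS-type (0x07)
    partition starting at LBA 2048; the remaining three slots are unused."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 409600)
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed images: a clean MBR whose boot code we trust, and a copy whose
# boot code has been replaced, as an MBR-based rootkit would do.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4")
BASELINE_HASH = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"CONSTRUCTED-FAKE-LOADER")


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(f"{name}: {check_mbr(image, BASELINE_HASH) or 'OK'}")
```

On a real system the baseline is the hash of sector 0 taken from a known-clean image of the same machine, and the sector under test is read from the raw disk device rather than through the running OS, since a rootkit can hide its changes from the latter.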

Once the bait has been taken, the victim must be reeled in. The next step in these attacks fools the user into taking an action to propagate the threat, for example installing an app, downloading an ‘update’ to their video software or clicking on a button to prove they’re human. The attackers persuade their victims to infect themselves and spread the bait to everyone in their social circles. It must be stated that this is not just a Facebook issue; variations of these threats run on all social media platforms. The number of threats on each of these platforms is directly proportional to the number of users on these sites. It is not an indication of the “security” or safety of a site.
Quick Response (QR) codes
QR codes have sprung up everywhere in the last couple of years. They are a way for people to convert a barcode into a Web site link using a camera app on their smartphone. It’s fast, convenient and dangerous. Spammers are already using them to promote black-market pharmaceuticals, and malware authors have used them to install a trojan on Android phones. In combination with link shortening, it can be very hard for users to tell in advance whether a given QR code is safe, so consider a QR reader that can check a Web site’s reputation before visiting it.
Figure: Dangerous Web sites


Macs are not immune
The first known Mac-based bot network emerged in 2009, and 2011 saw a number of new threats emerge for Mac OS X, including trojans like MacDefender, a fake anti-virus program. It looks convincing and it installs without requiring admin permission first. Mac users are exposed to sites that push trojans by means of SEO poisoning and social networking. In May 2011, Symantec found a malware kit for Mac (WeylandYutani BOT), the first of its kind to attack the Mac OS X platform, using Web injections as a means of attack. While this type of crime kit is common on the Windows platform, this new Mac kit is being marketed as the first of its kindxxxiv. In addition, many attack tools have become cross-platform, exploiting Java vulnerabilities whether they are on Macs or Windows PCs. As a result of these trends, Mac users need to be more mindful of security risks and can’t afford to assume that they are automatically immune from all threats.


xxxi For more information on Norton Safe Web, please visit http://safeweb.norton.com
xxxii For more information on the Symantec website vulnerability assessment service: http://www.symantec.com/theme.jsp?themeid=ssl-resources
xxxiii Further information can be found in Appendix C: Spam and Fraud Activity Trends
xxxiv http://krebsonsecurity.com/tag/weyland-yutani-bot/

Closing the Window of Vulnerability: Exploits and Zero-day Attacks
A vulnerability is a weakness, such as a coding error or design flaw, that allows an attacker to compromise the availability, confidentiality, or integrity of a computer system. Early detection and responsible reporting help to reduce the risk that a vulnerability is exploited before it is repaired.
Number of vulnerabilities
We identified 4,989 new vulnerabilities in 2011, compared to 6,253 the year before. (See Appendix D for more historical data and details on our methodology.) Despite this decline, the general trend over time is still upward, and Symantec discovered approximately 95 new vulnerabilities per week.

Weaknesses in critical infrastructure systems
SCADA systems (Supervisory Control and Data Acquisition) are widely used in industry and utilities such as power stations for monitoring and control. We saw a dramatic increase in the number of publicly-reported SCADA vulnerabilities, from 15 in 2010 to 129 in 2011. Since the emergence of the Stuxnet worm in 2010xxxv, SCADA systems have attracted wider attention from security researchers. However, 93 of the 129 new published vulnerabilities were the product of just one security researcher.
Old vulnerabilities are still under attack
On PCs, a six-year-old vulnerabilityxxxvi in many Microsoft operating systems was, by far, the most frequently attacked vulnerability in 2011, clocking in at over 61 million attacks against the Microsoft Windows RPC componentxxxvii. It was more heavily attacked than the next four vulnerabilities put togetherxxxviii. The most commonly exploited data file format in 2011 was PDF. For example, one PDF-related vulnerability attracted more than a million attacks in 2011. Patches are available for all five of the most-attacked vulnerabilities, so why do criminals still target them? There are several explanations:
- They are cheaper to attack. Criminals have to pay a premium on black market exchangesxxxix for information about newer vulnerabilities, but they can buy malware off the shelf to target old ones.
- Attacking newer vulnerabilities may attract more attention than going after older, well-known weaknesses. Some online criminals prefer a lower profile.
- There is still a large pool of potential victims, because a proportion of the user base can’t, won’t or don’t install patches or install a current and active endpoint security product.
Web browser vulnerabilities
Web browsers are a popular target for criminals, and they exploit vulnerabilities in browsers such as Internet Explorer, Firefox or Chrome as well as plugins such as PDF readers. Criminals can buy toolkits for between USD $100 and USD $1,000 that will check up to 25 different vulnerabilities when someone visits an infected Web site. In 2011, we saw a big drop-off in reported vulnerabilities in all the popular browsers, from a total of 500 in 2010 to a total of 351 in 2011. Much of this improvement was due to a big reduction in vulnerabilities in Google Chrome. Overall, the number of vulnerabilities affecting browser plug-ins dropped very slightly, from 346 to 308.
New zero-day vulnerabilities create big risks
A zero-day attack exploits an unreported vulnerability for which no vendor has released a patch. This makes them especially serious because they are much more infective. If a non-zero-day attack gets past security, it can still be thwarted by properly-patched software. Not so a zero-day attack. For example, in 2011 we saw vigorous attacks against a vulnerability in Adobe Reader and Adobe Acrobat that lasted for more than two weeks. It peaked at more than 500 attacks a day before Adobe released a patch on December 16, 2011. The good news is that 2011 had the lowest number of zero-day vulnerabilities in the past 6 years. While the overall number of zero-day vulnerabilities is down, attacks using these vulnerabilities continue to be successful, which is why they are often used in targeted attacks, such as W32.Duqu.

[xxxv] For more on Stuxnet see: http://www.symantec.com/connect/blogs/hackers-behind-stuxnet and http://www.youtube.com/watch?v=cf0jlzVCyOI
[xxxvi] CVE-2008-4250. See http://www.securityfocus.com/bid/31874
[xxxvii] 61.2 million attacks were identified against the Microsoft Windows RPC component in 2011, mostly using the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). See http://www.securityfocus.com/bid/31874
[xxxviii] Appendix D: Vulnerability Trends, Figure D.3
[xxxix] See http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html

Conclusion: What’s Ahead in 2012
A wise man once said, "Never make predictions, especially about the future". Well, this report has looked back at 2011, but in the conclusion we would like to take a hesitant peek into the future, projecting the trends we have seen into 2012 and beyond [1]. Targeted attacks and APTs will continue to be a serious issue, and the frequency and sophistication of these attacks will increase. Techniques and exploits developed for targeted attacks will trickle down to the broader underground economy and be used to make regular malware more dangerous. Malware authors and spammers will increase their use of social networking sites still further. The CA/Browser Forum will release additional security standards for companies issuing digital certificates, to secure the Internet trust model against possible future attacks. Consumerization and cloud computing will continue to evolve, perhaps changing the way we do business and forcing IT departments to adapt and find new ways to protect end users and corporate systems. Malware authors will continue to explore ways to attack mobile phones and tablets and, as they find something effective and money-making, they will exploit it ruthlessly. In 2011, malicious code targeting Macs was in wider circulation as Mac users were exposed to websites able to drop Trojans. This trend is expected to continue through 2012 as attack code targeting Macs becomes more integrated with the wider Web-attack toolkits. While external threats will continue to multiply, the insider threat will also create headlines, as employees act intentionally, and unintentionally, to leak or steal valuable data. The foundation for the next Stuxnet-like APT attack may already have been laid. Indeed, Duqu may have been the first tremor of a new earthquake, but it may take longer for the aftershock to reach the public domain.

[1] Source and inspiration: http://www.symantec.com/connect/blogs/it-predictions-2012-qa-francis-desouza

Threat Activity Trends
The following section of the Symantec Global Internet Security Threat Report provides an analysis of threat activity, as well as other malicious activity, data breaches, and Web-based attacks that Symantec observed in 2011. The malicious activity discussed in this section includes not only threat activity but also phishing, malicious code, spam zombies, bot-infected computers, and attack origins. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activity can be found in their respective sections within this report. This section discusses the following metrics, providing analysis and discussion of the trends indicated by the data:
- Malicious Activity by Source
- Malicious Website Activity
- Analysis of Malicious Web Activity by Attack Toolkits
- Analysis of Web-based Spyware and Adware Activity
- Analysis of Web Policy Risks from Inappropriate Use
- Analysis of Website Categories Exploited to Deliver Malicious Code
- Bot-infected Computers
- Analysis of Mobile Threats
- Data Breaches that Could Lead to Identity Theft

Malicious Activity by Source
Background
Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and a typically more stable connection. Symantec categorizes malicious activities as follows:
- Malicious code: programs such as viruses, worms, and Trojans that are covertly inserted into other programs. The purposes of malicious code include destroying data, running destructive or intrusive programs, stealing sensitive information, or compromising the security or integrity of a victim's computer data.
- Spam zombies: remotely controlled, compromised systems specifically used to send out large volumes of junk or unsolicited email messages. These email messages can be used to deliver malicious code and phishing attempts.
- Phishing hosts: a phishing host is a computer that provides website services in order to illegally gather sensitive user information while pretending that the attempt is from a trusted, well-known organization, by presenting a website designed to mimic the site of a legitimate business.
- Bot-infected computers: computers that malicious programs have compromised to allow an attacker to control the targeted system remotely. Typically, a remote attacker controls a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.
- Network attack origins: the originating sources of attacks from the Internet. For example, attacks can target SQL protocols or buffer overflow vulnerabilities.
- Web-based attack origins: attack sources that are delivered via the Web or through HTTP. Typically, legitimate websites are compromised and used to attack unsuspecting visitors.
Methodology
This metric assesses the sources from which the largest amount of malicious activity originates. To determine malicious activity by source, Symantec has compiled geographical data on numerous malicious activities, namely: malicious code reports, spam zombies, phishing hosts, bot-infected computers, network attack origins, and Web-based attack origins. The proportion of each activity originating in each source is determined, and the mean of these percentages across all activity types is calculated for each source. That average is the proportion of overall malicious activity attributed to the source, and the sources are ranked by it.
Data
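As an added illustration of the averaging described in the methodology (example code written for this page, not Symantec's own tooling), the following Python computes each source's share of every activity type, averages the shares with equal weight per activity, and ranks the sources. The country codes, activity names and counts are constructed for the example and are not figures from the report.

```python
"""Rank sources of malicious activity by the mean of their per-activity shares.

Added example for this page, not Symantec's code. All counts below are
constructed for illustration and are not figures from the report.
"""
from collections import defaultdict

# Constructed telemetry: for each activity type, how many distinct sources
# (hosts, URLs, attacking IPs...) were attributed to each country code.
SAMPLE_COUNTS = {
    "malicious_code": {"US": 300, "CN": 250, "IN": 400, "DE": 50},
    "spam_zombies":   {"US": 20,  "CN": 150, "IN": 500, "DE": 330},
    "phishing_hosts": {"US": 600, "CN": 100, "IN": 100, "DE": 200},
    "bot_infected":   {"US": 120, "CN": 400, "IN": 300, "DE": 180},
}


def proportions(counts):
    """Share of one activity type per country; the shares sum to 1.0."""
    total = sum(counts.values())
    if total == 0:
        return {country: 0.0 for country in counts}
    return {country: n / total for country, n in counts.items()}


def rank_sources(activity_counts):
    """Return [(country, mean_share), ...] sorted from largest mean share down.

    Every activity type contributes equally to the mean, whatever its absolute
    volume, so a category with a million reports does not swamp one with a
    few thousand. A country absent from an activity counts as a 0.0 share for
    it rather than being skipped; otherwise a country seen in a single
    category could outrank one with moderate activity in all of them.
    """
    countries = set()
    for counts in activity_counts.values():
        countries.update(counts)
    share_sum = defaultdict(float)
    for counts in activity_counts.values():
        shares = proportions(counts)
        for country in countries:
            share_sum[country] += shares.get(country, 0.0)
    n_activities = len(activity_counts)
    ranked = [(c, share_sum[c] / n_activities) for c in countries]
    # Sort by mean share, then by name so ties are deterministic.
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def leaders_by_activity(activity_counts):
    """Country with the largest share of each activity type."""
    leaders = {}
    for activity, counts in activity_counts.items():
        shares = proportions(counts)
        leaders[activity] = max(shares, key=lambda c: (shares[c], c))
    return leaders


def percentage_point_change(previous_share, current_share):
    """Year-on-year movement in percentage points (not percent), as the report quotes it."""
    return round((current_share - previous_share) * 100, 1)


if __name__ == "__main__":
    for country, mean_share in rank_sources(SAMPLE_COUNTS):
        print(f"{country}: {mean_share:.1%}")
    print(leaders_by_activity(SAMPLE_COUNTS))
    # A share that fell from 8.2% to 1.8% moved by -6.4 percentage points.
    print(percentage_point_change(0.082, 0.018))
```

Because each activity carries equal weight, a large swing in one category (the collapse of the United States' spam-zombie share after the Rustock takedown, for instance) moves the overall ranking even when the other categories are flat; anyone reproducing a ranking like this should report the per-activity leaders alongside the mean, as the report does.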

Commentary
In 2011, the United States and China remained the top two sources overall for malicious activity. The overall average proportion of attacks originating from the United States in 2011 increased by 1.8 percentage points compared with 2010, while the same figure for China decreased by approximately 7 percentage points. The United States was ranked in first position as the source of all activities except Malicious Code and Spam Zombies, for which India was ranked first, and Network Attacks, for which China was ranked first.

12.6% of bot activity originated in the United States. The United States had been the main source of bot-infected computers for the Rustock botnet until March 2011 [1], when the botnet was disrupted. Rustock had been one of the largest and most dominant botnets in 2010 and was frequently associated with the Tidserv Trojan. It was estimated to comprise approximately 1.5 million bot-infected computers, and taking it out of action in March 2011 caused a seismic shift in the botnet landscape. By the end of 2011, other botnets with spam zombies in other parts of the world were able to take on a more dominant role in spam distribution.

33.5% of Web-based attacks originated in the United States, an increase of 26.0 percentage points in 2011. Factors that contributed to this activity include attacks related to the Blackhole and Phoenix Web attack kits, which exploit legitimate websites that have been compromised in order to conduct further attacks. Web-based attacks originating from China decreased by 55.8 percentage points in 2011.

26.9% of network attacks originated in China. China has the largest population of Internet users in Asia [2], with approximately 513 million Internet users in 2011 and an Internet penetration rate of 38.4%.

48.5% of phishing websites were hosted in the United States. In 2011, with approximately 245 million Internet users, the United States had an Internet penetration rate of 78.3%.

17.5% of spam zombies were located in India, an increase of 11.0 percentage points compared with 2010. The proportion of spam zombies located in the United States fell by 6.4 percentage points to 1.8%, dropping the United States to 15th position in 2011 from 2nd in 2010. This decline was largely a result of the disruption of the Rustock botnet, which at its peak in 2010 had an estimated 1.5 million computers under its control.

15.3% of all malicious code activity originated from India, an increase of 2.7 percentage points compared with 2010. India had the second largest population of Internet users in Asia in 2011, with an estimated 121.0 million users and an Internet penetration rate of 10.2%.

[1] http://www.messagelabs.com/mlireport/MessageLabsIntelligence_2010_Annual_Report_FINAL.pdf, page 15
[2] Internet population and penetration rates in 2011 courtesy of Internet World Stats, http://www.internetworldstats.com

Malicious Website Activity
Background
The circumstances and implications of Web-based attacks vary widely. They may target specific businesses or organizations, or they may be widespread attacks of opportunity that exploit current events, zero-day vulnerabilities, or recently patched and publicized vulnerabilities that some users have yet to protect themselves against. While major attacks may have individual importance and often receive significant attention when they occur, examining overall Web-based attacks provides insight into the threat landscape and how attack patterns may be shifting. Analysis of the underlying trend can provide insight into potential shifts in Web-based attack usage and can assist in determining whether attackers are more or less likely to employ Web-based attacks in the future.
Methodology
This metric assesses changes in the prevalence of Web-based attack activity by tracking the trend in the average number of malicious websites blocked each day by users of Symantec.cloud Web security services, for websites that have been compromised and contain malicious code. Underlying trends observed in the sample data provide a reasonable representation of overall malicious Web-based activity trends. This reflects the rate at which websites are being compromised or created for the purpose of spreading malicious content. The number of blocked websites tends to be higher when a piece of Web-based malware stays in circulation for a longer period, since it is spread across more sites to widen its reach and increase its longevity. As detection for a given piece of Web-based malware improves, the number of new websites blocked for it decreases, and newer malware begins to make up a larger proportion of blocks, initially on fewer websites.
Data

Commentary
The average number of malicious websites blocked each day rose by 36.0% in 2011, to 4,595 compared with 3,379 in 2010. The peak rate of malicious activity was 9,315 in December 2011, when approximately double the average number of malicious websites was being blocked each day. This increase was related to a rise in the number of malicious IFRAME tags being blocked. Detection for a malicious IFRAME is triggered in HTML files that contain hidden IFRAME elements with JavaScript code that attempts to perform malicious actions on the computer; for example, when the user visits a malicious Web page, the code attempts to quietly direct the browser to a malicious URL while the current page is loading. In 2011, the number of malicious domains blocked rose to 55,294, compared with 42,926 in 2010, an increase of 28.8%. Further analysis of malicious code activity may be found in Appendix X: Malicious Code Trends - Top Malicious Code Families.
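The hidden-IFRAME pattern described above is simple enough to check for directly. The Python below is an added example written for this page, not Symantec's detection logic: it parses an HTML document with the standard library and flags any iframe the visitor would not see (zero-sized, hidden by inline style, or positioned far off screen). The sample page and the hostnames in it are constructed for the example and are not real indicators.

```python
"""Flag hidden IFRAME elements in an HTML page.

Added example for this page, not Symantec's detection logic. It applies the
description above: an iframe the visitor cannot see (zero-sized, hidden by
style, or pushed off screen) that pulls in a third-party URL. SAMPLE_HTML and
the hostnames in it are constructed; they are not real indicators.
"""
import re
from html.parser import HTMLParser

# Inline-style tricks commonly used to hide an element from the viewer.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


def _dimension(value):
    """Leading integer of a width/height attribute ('0', '1px', '100%'), or None."""
    if value is None:
        return None
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def is_hidden(attrs):
    """True if these iframe attributes describe a frame the user would not see."""
    width = _dimension(attrs.get("width"))
    height = _dimension(attrs.get("height"))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


class HiddenIframeScanner(HTMLParser):
    """Collects hidden iframes with their target URL and source line."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attributes = {name.lower(): (value or "") for name, value in attrs}
        if is_hidden(attributes):
            self.findings.append(
                {"src": attributes.get("src", ""), "line": self.getpos()[0]}
            )


def scan_html(html):
    """Return a list of {"src", "line"} for each hidden iframe in the page."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one legitimate embedded video and three injected frames.
SAMPLE_HTML = """<html><body>
<h1>Company news</h1>
<iframe src="https://video.example.com/embed/42" width="640" height="360"></iframe>
<iframe src="http://injected-a.invalid/in.php" width="0" height="0"></iframe>
<iframe src="http://injected-b.invalid/x.html" style="display:none"></iframe>
<div><iframe src="http://injected-c.invalid/" style="position:absolute; left:-9999px"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"line {finding['line']}: hidden iframe -> {finding['src']}")
```

The caveat a practitioner needs: most exploit-kit injections do not ship the iframe as literal markup but write it from obfuscated JavaScript at load time, so a static scan of the served HTML sees only the script. Run a scanner like this over the DOM after the page has been rendered in an instrumented browser, or pair it with analysis of the scripts, rather than over the raw response alone.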

Analysis of Malicious Web Activity by Attack Toolkits
Background
The increasing pervasiveness of Web browser applications, along with increasingly common, easily exploited Web browser application security vulnerabilities, has resulted in the widespread growth of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to those computers. Symantec analyzes attack activity to determine which types of attacks and attack toolkits attackers are utilizing. This can provide insight into emerging Web attack trends and may indicate the types of attacks with which attackers are having the most success.
Methodology
This metric assesses the top Web-based attack activity originating from compromised legitimate sites and from intentionally malicious sites set up to target Web users in 2011. To determine this, Symantec ranks attack activity by the volume of associated reports observed during the reporting period. The top 10 Web-based attack activities are analyzed for this metric.
Data

Commentary
Web-based client-side exploit toolkits, or web-kits, have been around since about March 2006 with the release of WebAttacker. For some time these web-kits expanded their lists of targeted victim software but kept essentially the same business model: criminals could purchase the attack kit and use it to build networks of hijacked computers. Once the market was established, prices steadily increased from WebAttacker's $15 (USD) price tag into the $1,000 (USD) range. The market continued in this fashion, with web-kits including ever more exploits and ever more IPS (Intrusion Prevention System) evasion techniques, until about 2009, when web-kits began to be sold as a service or simply kept private. Since then, classifying web-kits has been much more difficult. Symantec will often find a new web-kit in operation in the field with little or no concrete evidence of which web-kit it is a variant of. Gone are the days when a login or stats page would be installed at a known location, revealing the web-kit's name and version. The analyst has to rely on techniques such as comparing core similarities, install bases and methods in order to determine whether a new web-kit is a strain of an existing one.

Users are targeted by Web exploitation kits in one of two main ways, targeted or broadcast, sometimes referred to as sniper and shotgun:
- Targeted attacks begin with the attacker selecting a specific victim, or type of user, to go after. Emails, instant messages, blog posts and so on are then created to entice the target audience to infected content. This infected content is effectively a redirection from an otherwise benign Web page or email to an attack site, which will typically then launch a drive-by attack against the victim.
- Broadcast attacks, on the other hand, typically begin with an attack against a broader body of websites. This may take the form of SQL injection, compromise of the Web software, or exploitation of a server vulnerability, each with the goal of inserting a redirection URL into the content served by that webserver. Once successful, every subsequent visitor is served the attack kit.

Public vs. Private web-kits

Symantec has seen a variety of web exploit kits sold publicly for several years now. Some are offered for outright purchase, under a service contract, or under a licence model. Other web-kits appear to remain private for their lifetime; in these cases it is likely that the operators are either selling infected machines or, more likely, using the infected machines in house. Web-kits are interesting because of their level of maintenance: an unmaintained web-kit version or attack site would be of little threat, as it would be defeated by even rudimentary security measures. Figure A.10 highlights some of the major web-kits that were maintained regularly for a length of time and were active in 2011. Some are kits that are, or at least once were, publicly available for sale or rent; others appear to have been privately operated for their whole duration. While these kits can be tracked, and protection can be provided against the evolution of each kit, it is not always possible to know what name the maintainers have given them. For these, Symantec has assigned internal placeholder names. For example, the private kit Symantec tracks internally as NumDir got this name because, although it was deployed on several different attack servers, each new version was installed into a fixed numeric directory name. This kit has been around since at least mid-2010 and has been maintained regularly since then with only brief interruptions. It is not unusual for Symantec to block between 50,000 and 120,000 attacks from it per day. At the other end of the spectrum are public kits like Blackhole. Owing to its once-public nature, Blackhole is tracked by many security researchers. It is updated approximately every couple of days, and Symantec blocks in the order of 100,000 to 220,000 Blackhole attacks each day. The large periodic fluctuations in the number of attacks appear to be a product of the attack waves themselves, as well as the rate at which our users encounter them. The variety of public and seemingly private exploit kits does not lend itself to a universal taxonomy: while web-kits such as Blackhole, Incognito and Phoenix are understood to be the names their authors use, Symantec tracks kits such as NumDir and DoubleSemi under simple names derived roughly from attributes of the attack encodings.

Payloads
The malware installed via a web-kit infection is frequently comprehensive, and includes various peer-to-peer and IRC bots, rootkits, and misleading applications. Web-kits have been a major contributor to several pervasive malware families, including Qakbot, Bredolab, TidServe, ZeroAccess, Bamital, Zeus, Waledac, Zlob, Virut, Sasfis, bank-stealing Trojans, Sality, Vundo, MebRoot, KoobFace and CycBot. For more information on these malware families, please visit http://www.symantec.com/security_response/. One of the more problematic malware systems recently has been ZeroAccess [3]. It has been observed being delivered over DoubleSemi, Blackhole and Phoenix.

[3] http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

Analysis of Web-based Spyware and Adware Activity
Background
One of the main goals of a drive-by Web-based installation is the deployment of malicious code, but often a compromised website is also used to install spyware or adware. This is because the cyber criminals pushing the spyware and adware in this way are paid a small fee for each installation. Most adware vendors, such as those providing add-in toolbars for Web browsers, are not always aware of how their code came to be installed on users' computers; the expectation is that it was installed with the permission of the end user, which is typically not the case in a drive-by installation and may be in breach of the vendor's terms and conditions of use.
Methodology
This metric assesses the prevalence of Web-based spyware and adware activity by tracking the trend in the average number of spyware- and adware-related websites blocked each day by users of Symantec.cloud Web security services. Underlying trends observed in the sample data provide a reasonable representation of overall malicious Web-based activity trends.
Data

Commentary
Only two examples of spyware appeared in the top-ten list of unwanted programs in 2011: Spyware.Perfect and Spyware.Keylogger. Spyware.Perfect is a program that tracks the keystrokes on the computer and logs them to a file; it can be configured to periodically send the log files by email. The most frequently blocked adware code was related to the Zugo search-based toolbar products and the FunWeb family of adware. Adware:W32/FunWeb is a family of adware programs used to display unsolicited advertising content, often through pop-up windows. FunWeb variants are often bundled with other applications, games and browser plug-ins. Some variants of FunWeb may also redirect the user's browser home page and download additional code. 57.1% of spyware and adware was detected using generic techniques.

Analysis of Web Policy Risks from Inappropriate Use
Background
Many organizations implement an acceptable usage policy to limit employees' use of Internet resources to a subset of websites approved for business use. This enables an organization to limit the risk that may arise from users visiting inappropriate or unacceptable websites, such as those containing sexual images or other potentially illegal or harmful content. Often there will be varying degrees of granularity in such restrictions, with some rules applied to groups of users and others applying only at certain times of day; for example, an organization may limit employees' access to video-sharing websites to Friday lunchtime only, while allowing any member of the PR and Marketing teams access at any time of day. This enables an organization to implement and monitor its acceptable usage policy and reduce its exposure to risks that might also expose the organization to legal difficulties.
Methodology
This metric assesses the classification of prohibited websites blocked by users of Symantec.cloud Web security services. The policies are applied by each organization from a default selection of rules that may also be refined and customized. This metric provides an indication of the potential risks that may arise from uncontrolled use of Internet resources.
Data
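The group- and time-scoped rules described in the background (video sharing open to everyone at Friday lunchtime, open to PR and Marketing at any time, blocked otherwise) are a small first-match policy. The Python below is an added example written for this page, not the Symantec.cloud policy engine; the group names, categories, rule order and request times are constructed for the example.

```python
"""Evaluate a Web acceptable-usage policy with group- and time-scoped rules.

Added example for this page, not the Symantec.cloud policy engine. It models
the kind of granularity described above: a category blocked for everyone,
opened to all staff for a fixed window, and always open to named groups.
Groups, categories and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

FRIDAY = 4  # datetime.weekday(): Monday is 0


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "block"
    category: Optional[str] = None            # None matches any category
    groups: FrozenSet[str] = frozenset()      # empty matches any user
    weekdays: FrozenSet[int] = frozenset()    # empty matches any day
    start: Optional[time] = None              # window is [start, end)
    end: Optional[time] = None

    def matches(self, category, user_groups, when):
        if self.category is not None and self.category != category:
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        if self.weekdays and when.weekday() not in self.weekdays:
            return False
        if self.start is not None and self.end is not None:
            if not (self.start <= when.time() < self.end):
                return False
        return True


# Rules are evaluated top to bottom; the first match decides. Narrow
# exceptions therefore come before the broad block, and the last rule is the
# catch-all so every request gets an explicit decision.
SAMPLE_POLICY = [
    Rule("allow", "Streaming Media", groups=frozenset({"pr", "marketing"})),
    Rule("allow", "Streaming Media", weekdays=frozenset({FRIDAY}),
         start=time(12, 0), end=time(14, 0)),
    Rule("block", "Streaming Media"),
    Rule("block", "Advertisement & Popups"),
    Rule("allow"),
]

# Constructed request times. 16 Dec 2011 was a Friday, 19 Dec 2011 a Monday.
SAMPLE_TIMES = {
    "friday_lunch": datetime(2011, 12, 16, 12, 30),
    "friday_afternoon": datetime(2011, 12, 16, 15, 0),
    "friday_window_end": datetime(2011, 12, 16, 14, 0),
    "monday_lunch": datetime(2011, 12, 19, 12, 30),
}


def decide(policy, category, user_groups, when):
    """Return "allow" or "block" for one request under the given policy."""
    groups = frozenset(user_groups)
    for rule in policy:
        if rule.matches(category, groups, when):
            return rule.action
    raise ValueError("policy has no catch-all rule")


if __name__ == "__main__":
    for label, when in SAMPLE_TIMES.items():
        verdict = decide(SAMPLE_POLICY, "Streaming Media", {"engineering"}, when)
        print(f"{label}: engineering -> Streaming Media: {verdict}")
```

Two things matter in a policy of this shape: rule order (swap the broad block above the Friday-lunchtime allow and the window silently stops working) and the final catch-all, which makes the default explicit instead of leaving uncategorized requests to whatever the product does by default.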

Commentary
46.6% of Web activity blocked through policy controls was related to Advertisement & Popups. Web-based advertisements pose a potential risk through the use of "malvertisements", or malicious advertisements. These may occur as the result of a legitimate online ad provider being compromised and a banner ad being used to serve malware on an otherwise harmless website. The second most frequently blocked traffic was categorized as Social Networking, accounting for 22.7% of policy-based filtering activity blocked, equivalent to approximately one in every four websites blocked. Many organizations allow access to social networking websites, but in some cases implement policies that only permit access at certain times of day and block it at all other times. This information is often used to address performance management issues, for instance lost productivity due to social networking abuse. Activity related to streaming media policies resulted in 18.9% of policy-based filtering blocks in 2011, equivalent to roughly one in every five websites blocked. Streaming media is increasingly popular during major sporting events or high-profile international news stories, and this activity often results in an increased number of blocks as businesses seek to preserve valuable bandwidth for other purposes.

Analysis of Website Categories Exploited to Deliver Malicious Code
Background
As organizations seek to implement appropriate levels of control in order to minimize the risk from uncontrolled Web access, it is important to understand the level of threat posed by certain classifications of websites, in order to better understand which types of legitimate websites are more susceptible to being compromised and may expose users to greater levels of risk.
Methodology
This metric assesses the classification of malicious websites blocked by users of Norton Safe Web [4] technology. Data is collected anonymously from over 50 million computers worldwide whose owners voluntarily contribute to this technology, including through Norton Community Watch. Norton Safe Web processes more than 2 billion real-time rating requests each day and monitors over 12 million software downloads daily. Reputation ratings are tracked for more than 25 million websites. This metric provides an indication of the levels of infection among legitimate websites that have been compromised or abused for malicious purposes. The malicious URLs identified by the Safe Web technology were classified by category using the Symantec RuleSpace [5] technology, which proactively categorizes websites into more than 80 categories in 17 languages.

Commentary
Approximately 61% of websites used to distribute malware were identified as legitimate, compromised websites. This figure excludes URLs that contained just an IP address, and does not include general domain-parking and pay-per-click websites. 19.8% of malicious website activity on legitimate, compromised domains was classified in the Blogs and Web Communications category. Interestingly, pornographic websites were not exploited much overall, accounting for 2.4% of all infected websites; however, infected pornographic websites were found to host a greater number of threats than those in other categories (except Religion/Ideologies and Hosting/Personal Hosted Sites, see below). Ranked in third position in Figure A.16, approximately 25 threats were identified on each infected pornographic website, with 44% of these threats identified as Trojans. 1 in 67 websites classified as Blogs/Web Communications were found to be compromised with potentially harmful malicious content, compared with 1 in 164 for Education/Reference. Websites classified as Religion/Ideologies hosted the greatest number of threats per site of any category, with an average of 115 threats per website, the majority of which related to fake or rogue antivirus software. Analysis of websites used to deliver drive-by fake antivirus attacks revealed that 82% of threats found on compromised Religion/Ideologies websites were related to fake antivirus software, and 26.4% of all fake antivirus attacks were found on compromised Religion/Ideologies websites. Analysis of websites used to deliver attacks using browser exploits revealed that 66.5% of threats found on compromised Business/Economy websites were browser exploits, and 23.3% of all browser exploit attacks were found on compromised Business/Economy websites. 53% of attacks on social networking websites were related to malware hosted on compromised Blogs/Web Communications websites; this is where a URL hyperlink for a compromised website is shared on a social network. Compromised Hosting/Personal Hosted Sites similarly accounted for 44% of social networking attacks.

[4] For more details about Norton Safe Web, please visit http://safeweb.norton.com/
[5] For more details about Symantec RuleSpace, please visit http://www.rulespace.com/

Bot-infected Computers
Background

Bot-infected computers, or bots, are computers on which a program has been covertly installed in order to allow an attacker to control the targeted system remotely through a communication channel such as Internet relay chat (IRC), P2P, or HTTP. These channels allow the remote attacker to control a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks. Bots allow for a wide range of functionality, and most can be updated to assume new functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization's website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information from compromised computers that may be used in identity theft, all of which can lead to serious financial and legal consequences. Attackers favor bot-infected computers with a decentralized C&C [6] model because they are difficult to disable and allow the attackers to hide in plain sight among the massive amounts of unrelated traffic occurring over the same communication channels, such as P2P. Most importantly, botnet operations can be lucrative for their controllers because bots are also inexpensive and relatively easy to propagate.

Methodology

A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. The bot-infected computer activities that Symantec tracks can be classified as actively attacking bots or bots that send out spam, i.e. spam zombies. Distributed denial-of-service (DDoS) campaigns may not always be indicative of bot-infected computer activity; DDoS activity can occur without the use of bot-infected computers. For example, systems that participated in the high-profile DDoS “Operation Payback” attacks used publicly available software such as “Low Orbit Ion Cannon” (LOIC) in a coordinated effort to disrupt many businesses' Web site operations. Users sympathetic to the Anonymous cause could voluntarily download the free tool from the Web and participate en masse in a coordinated DDoS campaign, and doing so required very little technical knowledge. These attacks began at the end of 2010 and continued in 2011, with a wide variety of targets. Interestingly, because of the way the software operated, some attackers did not bother to disguise their machines' online identifiers, resulting in a number of legal actions later in the year. The analysis reveals the average lifespan of a bot-infected computer for the geographies with the highest populations of bot-infected computers. To be included in the list, the geography must account for at least 0.1% of the global bot population.

Data

Commentary

Bots located in Romania were active for an average of 29 days in 2011; 1 in 737 bots worldwide was located in Romania. Romania has one of the lowest fixed-broadband adoption rates in Europe, with fewer than 15% [7] of households connected to high-speed Internet access. It takes more than twice as long to identify and clean up a bot-infected computer in Romania as in the United States, although the number of infections in the United States is more than a hundred times greater than that in Romania. One factor contributing to this disparity may be a low level of user awareness of the issues involved, combined with the lower availability of remediation guidance and support tools in the Romanian language. In the United States, which was home to 1 in 8 (12.6%) of global bot-infected computers, the average lifespan of a bot was 13 days. Further analysis revealed that 65.2% of bots were controlled using HTTP-based command and control channels.
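As an added example (not the report's or Symantec's code), the methodology above applied to a constructed sample of sensor telemetry: one record per observed attack, carrying the day, a bot identifier, its geography and the C&C channel it was seen using. "Active on a day" and "distinct bot" follow the report's definitions. Lifespan is taken here as the span in days from a bot's first to its last observed attack, inclusive, which is an assumption, since the report does not state its formula; the 0.1% inclusion threshold and the per-channel breakdown are the report's. All bot identifiers, countries and dates are made up.

```python
"""Bot-infected computer metrics in the style of the report's methodology.

Added example, not Symantec's code. Telemetry is constructed: one record per
observed attack as (day, bot_id, country, c2_channel). A bot is "active" on a
day if it carried out at least one attack that day, and "distinct" if it was
active at least once in the period. Lifespan is assumed here to be the number
of days from first to last observed activity, inclusive.
"""
from collections import defaultdict
from datetime import date

# Constructed telemetry, not real Symantec data.
TELEMETRY = [
    # (day, bot_id, country, c2_channel)
    (date(2011, 3, 1), "b1", "US", "HTTP"),
    (date(2011, 3, 1), "b1", "US", "HTTP"),   # same bot, same day: counts once
    (date(2011, 3, 5), "b1", "US", "HTTP"),
    (date(2011, 3, 2), "b2", "US", "IRC"),
    (date(2011, 3, 1), "b3", "RO", "HTTP"),
    (date(2011, 3, 29), "b3", "RO", "HTTP"),
    (date(2011, 3, 10), "b4", "RO", "P2P"),
    (date(2011, 3, 10), "b5", "DE", "HTTP"),
]


def distinct_bots(records):
    """Distinct bot-infected computers active at least once in the period."""
    return {bot for _, bot, _, _ in records}


def active_bot_days(records):
    """Number of (bot, day) pairs with at least one attack; repeats collapse."""
    return len({(day, bot) for day, bot, _, _ in records})


def lifespans(records):
    """Per-bot lifespan in days: first to last observed activity, inclusive."""
    first, last = {}, {}
    for day, bot, _, _ in records:
        first[bot] = min(first.get(bot, day), day)
        last[bot] = max(last.get(bot, day), day)
    return {bot: (last[bot] - first[bot]).days + 1 for bot in first}


def lifespan_by_country(records, min_share=0.001):
    """Average lifespan per country, keeping only countries that hold at
    least min_share (0.1%, as in the report) of the distinct bot population.
    Returns {country: (share of global bots, average lifespan in days)}."""
    country_of = {bot: country for _, bot, country, _ in records}
    spans = lifespans(records)
    total = len(country_of)
    per_country = defaultdict(list)
    for bot, country in country_of.items():
        per_country[country].append(spans[bot])
    return {
        c: (len(s) / total, sum(s) / len(s))
        for c, s in per_country.items()
        if len(s) / total >= min_share
    }


def c2_channel_share(records):
    """Fraction of distinct bots per C&C channel (HTTP, IRC, P2P, ...)."""
    chan_of = {bot: chan for _, bot, _, chan in records}
    counts = defaultdict(int)
    for chan in chan_of.values():
        counts[chan] += 1
    return {chan: n / len(chan_of) for chan, n in counts.items()}


if __name__ == "__main__":
    print("distinct bots:", len(distinct_bots(TELEMETRY)))
    print("active bot-days:", active_bot_days(TELEMETRY))
    for country, (share, avg) in sorted(lifespan_by_country(TELEMETRY).items()):
        print(f"{country}: {share:.1%} of bots, avg lifespan {avg:.1f} days")
    print("C&C channel share:", c2_channel_share(TELEMETRY))
```

Run as a script it prints the per-country table. Two details matter for reading the report's figures: repeated attacks by one bot on one day count once in `active_bot_days`, matching the "active on a given day" definition, and `lifespans` shows how a single long-lived bot in a small population (29 days for one of two Romanian bots here) dominates that country's average, which is the effect the commentary describes for Romania.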
[6] Command and control
[7] http://ec.europa.eu/information_society/digital-agenda/scoreboard/pillars/broadband/index_en.htm

Analysis of Mobile Threats
Background

Since the first smartphone arrived in the hands of consumers, speculation about threats targeting these devices has abounded. While threats targeted early “smart” devices such as those based on Symbian and Palm OS in the past, none of these threats ever became widespread and many remained proof-of-concept. Recently, with the growing uptake of smartphones and tablets, and their increasing connectivity and capability, there has been a corresponding increase in attention, both from threat developers and from security researchers. While the number of immediate threats to mobile devices remains relatively low in comparison to threats targeting PCs, there have been new developments in the field. And as malicious code for mobile begins to generate revenue for malware authors, more threats will be created for these devices, especially as people increasingly use mobile devices for sensitive transactions such as online shopping and banking. As with desktop computers, the exploitation of a vulnerability can be a way for malicious code to be installed on a mobile device.

Methodology

In 2011, a significant number of vulnerabilities that affect mobile devices were reported. Symantec documented 315 vulnerabilities in mobile device operating systems in 2011, compared to 163 in 2010, an increase of 93.3%. Symantec tracks the number of threats discovered against mobile platforms by tracking malicious threats identified by Symantec's own security products and confirmed vulnerabilities documented by mobile vendors. Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile application (“app”) marketplaces in the hope that users will download and install them, often trying to pass themselves off as legitimate apps or games. Attackers have also taken popular legitimate applications and added additional code to them.

Symantec has classified the types of threats into a variety of categories based on their functionality.

Data

NB. For a more detailed breakdown of these larger categories, each subcategory is color-coded to indicate which primary category it belongs to. The following are specific definitions of each subcategory:

Collects Device Data: gathers information that is specific to the device, such as IMEI [8], IMSI [9], operating system, and phone configuration data.
Spies on User: intentionally gathers information from the device in order to monitor a user, such as phone logs and SMS messages, and sends it to a remote source.
Sends Premium SMS: sends SMS messages to premium-rate numbers that are charged to the user's mobile account.
Downloader: can download other risks on to the compromised device.
Back door: opens a back door on the compromised device, allowing attackers to perform arbitrary actions.
Tracks Location: gathers GPS information from the device specifically to track the user's location.
Modifies Settings: changes configuration settings on the compromised device.
Spam: sends spam email messages from the compromised device.
Steals Media: sends media, such as pictures, to a remote source.
Elevates Privileges: attempts to gain privileges beyond those granted when the app bundled with the risk was installed.
Banking Trojan: monitors the device for banking transactions, gathering the sensitive details for further malicious actions.
SEO Poisoning: periodically sends the phone's browser to predetermined URLs in order to boost search rankings.

Commentary

Mobile applications (“apps”) with malicious intentions rose to prominence in 2011, presenting serious risks to users of mobile devices. These metrics show the different functions that these bad mobile apps performed during the year. The data was compiled by analyzing the key functionality of malicious mobile apps. Symantec has identified five primary mobile risk types:

Collect Data. Most common among bad mobile apps was the collection of data from the compromised device. This was typically done with the intent to carry out further malicious activities, in much the way an information-stealing Trojan might. This includes both device- and user-specific data, ranging from configuration data to banking details. This information can be used in a number of ways, but for the most part it is fairly innocuous: IMEI and IMSI numbers are taken by attackers as a way to uniquely identify a device. More concerning is data gathered about the device software, such as operating system (OS) version or applications installed, to carry out further attacks (say, by exploiting a software vulnerability). Rarer, but of greatest concern, is when user-specific data, such as banking details, is gathered in an attempt to make unauthorized transactions.
While this category covers a broad range of data, the distinction between device and user data is given in more detail in the subcategory definitions above.

Track User. The next most common purpose was to track a user's personal behavior and actions. These risks take data specifically to spy on the individual using the phone. This is done by gathering up various communication data, such as SMS messages and phone call logs, and sending them to another computer or device. In some instances they may even record phone calls. In other cases these risks track GPS coordinates, essentially keeping tabs on the location of the device (and its user) at any given time. Gathering pictures taken with the phone also falls into this category.

Send Content. The third-largest group of risks is bad apps that send out content. These risks differ from the first two categories in that their direct intent is to make money for the attacker. Most of these risks will send a text message to a premium SMS number, which ultimately appears on the mobile bill of the device's owner. Also within this category are risks that can be used as email spam relays, controlled by the attackers and sending unwanted emails from addresses registered to the device. One threat in this category constantly sent HTTP requests in the hope of bumping certain pages up the search rankings.

Traditional Threats. The fourth group contains more traditional threats, such as back doors and downloaders. Attackers seem keen to port these types of risks from PCs to mobile devices, and progress was made in 2011.

Change Settings. Finally, there are a small number of risks that focus on making configuration changes. These attempt to elevate privileges or simply modify various settings within the operating system. The goal for this final group seems to be to perform further actions on the compromised devices.

Growth in Android Threats

The Opfake family, a threat targeting Eastern Europe, is a good example of a threat ported from older platforms to Android.
This threat was originally written for Windows Mobile, Symbian and Java ME phones. Similar experiments have occurred in China, where Android.Adsms and Android.Stiniter have appeared; both originated as Symbian threats before the malware authors moved to Android. We expect this to be a common trend, especially among affiliate-network-related threats.

Old tricks moving to new platforms

Premium SMS dialers have always been a problem on the mobile threat landscape, especially in Eastern Europe, where dialers showed up on mobile phones not long after the introduction of the Micro Edition of the Java virtual machine for mobile devices. It should be no surprise that the authors who have been leveraging this lucrative revenue source appear to be switching to the newer, popular platforms. The creators of mobile threats are getting more strategic and bolder in their efforts. A good example of this is the attempt to complicate the uninstallation of an infection. One strategy being used is to break the malicious package down into staged payloads. The idea is simple: instead of having one payload carry the entire malicious content (not to mention the telltale sign of a huge, overzealous permissions list that goes with it), the threat is broken into separate download modules. The smaller pieces are easier to hide, appear to be harmless updates, and complicate the revocation process built in by the service provider, marketplace, etc.

This still requires the end user to accept the installation of each subsequent “update” download, potentially a major hurdle. But another threat discovered in the wild in 2011, Android.Jsmshider, found a way around this hurdle. Although the trick only worked on custom mods (ROMs built from AOSP, the Android Open Source Project, that still use its publicly available signing certificate), signing the payload with that AOSP certificate allowed installation to take place without any interaction or prompts: the underlying device considered the payload to be a system update or new component, by virtue of the certificate.

With all this complication you may be forgiven for thinking that the final payload rivaled something like Stuxnet, but in fact the final payload in the majority of cases was nothing more than a garden-variety premium SMS sender. Most premium SMS senders and/or dialers lack sophistication and depend largely on social engineering to work. However, they have been around for many years and can have the quickest return on investment for the criminals behind them. Research suggests that the average price of a stolen credit card can be as low as 40 to 80 cents (USD), but a typical dialer targeting North America would pay the author $9.99 (USD) per successful install and execution. Moreover, if it was not detected by the user, each subsequent execution would result in another payment, creating a continuous revenue stream. This stream would only stop once the device owner recognized the charge on their bill as fraudulent. Another interesting trend that Symantec observed is the use of in-app promotions to encourage the downloading of other apps. Such a promotion may require the user to download from a browser or a third-party app store, and is undocumented functionality of the app obtained from the official marketplace.

57 of 134

14/04/13 11:23 AM

Build Your Report | Symantec

http://www.symantec.com/threatreport/print.jsp?id=highlights...

Even though user interaction is required to install any additional apps, the concern here is that this sort of vector has an element of social engineering: the end user assumes that, since the first app was downloaded from the official channel, any additional apps would also originate from there.

Social engineering: a key tool used by mobile malware authors

Because of the so-called “hardware fragmentation” [10] issue surrounding the Android platform, a popular online streaming video service in the US had initially pushed an Android client app in a limited release, only to certain devices that provided the best user experience. Owing to the popularity of the service, shortly after the initial release multiple unsanctioned developer projects sprang up to port an unofficial copy of the app to devices that were not officially supported. A gap in availability for certain devices, combined with large interest from users in getting the app on their Android device, created the perfect cover for Android.Flicker, a textbook example of an info-stealer targeting account information. The malicious app is not at all complex to understand. Divided into two main parts, the app is largely just a splash screen followed by a login screen where the user's credentials are captured and posted to a server. Multiple permissions are requested at installation time, usually a sign of a malicious app, but in this case they are identical to the permissions required by the legitimate app. This was probably done to further the illusion that the legitimate app is being installed. There was no attempt to verify whether the data entered by an unsuspecting user was accurate. Right after clicking the sign-in button, the user is presented with a screen indicating incompatibility with the current hardware and a recommendation to install another version of the app. On hitting the “Cancel” button, the app then attempts to uninstall itself. Attempts to cancel the uninstall process return the user to the prior screen with the incompatibility message.

The rise of mobile threats with political agendas

Hacktivism is not restricted to the PC. Mobile malware with no visible monetary gain, but whose goal is instead to send a message, was seen in 2011. An example: for many across the Arab world, December 18, 2010 marked the birth of what has now come to be commonly known as the ‘Arab Spring’. Among the many tools used to coordinate and inform, to get the word out about the mass protests, Symantec discovered a Trojan mass mailer/downloader embedded in an Android app.

58 of 134

14/04/13 11:23 AM

Build Your Report | Symantec

http://www.symantec.com/threatreport/print.jsp?id=highlights...

The Trojan was embedded in a pirated version of a popular Islamic compass app. From our research, the Trojanized version was only distributed via forums focusing on Middle Eastern issues; the official version of the app available on the Android Market is not infected. After installation of the pirated app, the code goes to work on device startup/reboot, silently working in the background as a service called ‘alArabiyyah’. It picks one link at random from a list of eighteen and then sends an SMS message containing that link, which points to a forum site, to every contact in the address book of the infected device. The content on the forum site appears to be a tribute to Mohamed Bouazizi [11].

App Store here… App Store there… Apps everywhere…

With the projected growth of smartphone sales set to overtake that of regular feature phones, it is no surprise to see the demand for content drive the emergence of new application marketplaces, app stores and download sites. Sales in 2011 alone are expected to bring in $15 billion (USD). Taking advantage of the growing demand for content, not to mention the absence of official outlets in certain regions, the number of unregulated markets has risen dramatically, providing a perfect incubator and propagation engine for malware.

From a security analyst's perspective, the mobile content distribution ecosystem can be broken down roughly into three groups.

Group I: the traditional file download sites and user forum file-share sites. These services have been around as long as the Internet. Originally started to cater to content-hungry users looking for software for Windows and Mac, these sites started adding download sections for handheld devices and now phones. They may or may not provide file hosting mirrors of the software. User feedback on apps is usually either inconclusive or very basic. On one of these sites, Symantec discovered a download link to a live threat right next to an RSS feed of a blog talking about the threat. Security measures to screen software tend to be limited to using off-the-shelf anti-virus software, often not anti-virus software for a mobile device but Windows-based software.

Group II: “vendor certified/Web 2.0 markets.” These manufacturers and vendors have introduced concepts such as on-device signature verification, a single point of distribution, and platform app certification (which sanitizes code by extensive and rigorous testing to ensure that software meets not only the manufacturer's design but also platform standards). But by no means is any screening system foolproof, and the occasional threat has slipped through (once, twice, and even a third time), becoming the focus of many security analysts' blogs.

Group III: a loose coupling of independent pockets of cloud-hosted file repositories brought together via a storefront app (usually only accessible via a mobile device). These fly-by-night operations seem to be using the same playbook as the radio pirates operating off the coast of England in the 1970s: their operations tend to be limited in their broadcast, and once they are discovered and/or have to move for one reason or another, the user is required to update the repository list or download a newer version of the app with the location of the new file server or repositories.

In regions such as China, Symantec has noticed that these service providers tend to be a little bolder and operate with what can best be described as entrepreneurial flair. In addition to having the usual mobile storefront app, they also have a strong, visible Web presence and use that visibility (and the absence of an official marketplace) to encourage local authors to submit original content, using ad revenue sharing as the monetary incentive. Ironically, in some cases they use the same ad revenue services as are managed and/or owned by official marketplaces, thus blurring the line even more between legitimate sites dealing with pirated content uploaded by rogue users and illegal sites trying to go legitimate after growing a user base off the back of pirated content sharing. With projected sales of around $15 billion in 2011, the number of app stores in China will continue to grow at a dramatic rate. As the primary screening mechanism for content is usually user feedback, pirated or malicious content is not immediately flagged, and site administrators are quick to point this out and disclaim any warranty on damages arising from the use of downloaded software. From a malicious author's perspective, these sites tend to be the easiest to target, as the users who patronize them have turned off device security checks to allow the installation of unsigned software; this is called side loading. China (followed closely by Eastern Europe) has long been plagued with threats and Trojanized apps targeting mobile platforms. Threats that silently send SMS messages to premium numbers have become so prevalent that the Chinese government had to set up regulations to crack down not only on the creators but also on unscrupulous handset resellers, who were intentionally selling phones preloaded with malware that ran up fraudulent charges. The smaller the charge, the longer it takes before a user suspects anything is wrong, especially in the case of first-time buyers who are not used to the normal monthly charges on their phone bills.

In conclusion, malware threats against mobile platforms are still relatively uncommon when compared with threats targeting desktop operating systems; however, it is clear that a significant step change occurred in 2011, where mobile attacks grew considerably, and we expect this trend to continue in 2012.
[8] International Mobile Equipment Identity
[9] International Mobile Subscriber Identity
[10] http://www.symantec.com/connect/blogs/hardware-fragmentation-thwarts-android-call-recording-trojan
[11] http://www.time.com/time/magazine/article/0,9171,2044723,00.html

Data Breaches that Could Lead to Identity Theft
Background

Political activism and hacking were two big themes resulting in data theft in 2011, and ones that continue to persist into 2012. There were many high-profile hacking breaches last year that received a lot of media attention, for obvious reasons. Hacking can undermine institutional confidence in a company, and loss of personal data can damage an organization's reputation. Despite the media hype around these breaches, hacking came second to old-fashioned theft as the greatest source of data breaches last year, according to the Norton Cybercrime Index data [12]. In the event of a data breach, many countries have existing data breach notification legislation that regulates the responsibilities of organizations conducting business after a data breach has occurred. For example, the EU [13], 46 US states [14], the District of Columbia, Puerto Rico, and the Virgin Islands have all enacted legislation requiring notification of security breaches involving personal information.

Methodology

The data for data breaches that could lead to identity theft is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model which measures daily the levels of threats including malicious software, fraud, identity theft, spam, phishing and social engineering. Data for the CCI is primarily derived from the Symantec Global Intelligence Network, one of the industry's most comprehensive sources of intelligence about online threats, with certain data from ID Analytics [15]. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information, including name, address, Social Security numbers, credit card numbers, or medical history.

Using publicly available data, the Norton CCI determines the sectors that were most often affected by data breaches, as well as the most common causes of data loss. The sector that experienced the loss, along with the cause of the loss, is determined through analysis of the organization reporting the loss and the method that facilitated the loss. The data also reflects the severity of the breach by measuring the total number of identities exposed to attackers, using the same publicly available data. An identity is considered to be exposed if personal or financial data related to the identity is made available through the data breach. Data may include names, government-issued identification numbers, credit card information, home addresses, or email information. A data breach is considered deliberate when the cause of the breach is hacking, insider intervention, or fraud. A data breach is considered to be caused by hacking if data related to identity theft was exposed by attackers external to an organization gaining unauthorized access to computers or networks. (Hacking is an intentional act with the objective of stealing data that can be used for purposes of identity theft or other fraud.) It should be noted that some sectors may need to comply with more stringent reporting requirements for data breaches than others do. For instance, government organizations are more likely to report data breaches, either due to regulatory obligations or in conjunction with publicly accessible audits and performance reports [16]. Conversely, organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction. As a result, sectors that are not required or encouraged to report data breaches may be under-represented in this data set.
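As an added example (not part of the report and not the Norton CCI's own code), the aggregation the methodology describes, run over a constructed set of breach records: a sector and a cause per breach, the identities exposed by it, breach counts and identity totals by sector, averages per breach by sector and by cause, the per-cause share of breaches versus share of identities, and the deliberate/non-deliberate split (hacking, insider, fraud count as deliberate, as the text defines). The sector names, cause labels (including "accidental" and "theft_loss") and every figure are assumptions for the example.

```python
"""Breach-record aggregation along the lines of the Norton CCI methodology.

Added example, not Symantec's or the Norton CCI's code. Input is a constructed
list of publicly reported breaches as (sector, cause, identities_exposed).
Causes follow the report: "hacking", "insider" and "fraud" are deliberate;
"theft_loss" and "accidental" (the latter an assumed label) are not.
"""
from collections import defaultdict

DELIBERATE_CAUSES = {"hacking", "insider", "fraud"}

# Constructed sample, not real breach data.
BREACHES = [
    # (sector, cause, identities_exposed)
    ("healthcare", "theft_loss", 20_000),
    ("healthcare", "theft_loss", 5_000),
    ("government", "accidental", 50_000),
    ("education", "hacking", 25_000),
    ("computer_software", "hacking", 20_000_000),
    ("it", "hacking", 4_000_000),
    ("retail", "insider", 100_000),
    ("finance", "fraud", 10_000),
]


def breaches_by_sector(records):
    """Number of reported breaches per sector."""
    counts = defaultdict(int)
    for sector, _, _ in records:
        counts[sector] += 1
    return dict(counts)


def identities_by_sector(records):
    """Total identities exposed per sector."""
    totals = defaultdict(int)
    for sector, _, n in records:
        totals[sector] += n
    return dict(totals)


def share_of_identities(records, sectors):
    """Fraction of all exposed identities attributable to the given sectors."""
    total = sum(n for _, _, n in records)
    part = sum(n for s, _, n in records if s in sectors)
    return part / total


def average_per_breach(records, key_index, key):
    """Average identities exposed per breach for one sector (key_index=0)
    or one cause (key_index=1); 0.0 if no breach matches."""
    sizes = [r[2] for r in records if r[key_index] == key]
    return sum(sizes) / len(sizes) if sizes else 0.0


def cause_breakdown(records):
    """Per cause: (share of breach count, share of identities exposed).
    The two shares diverge when one cause produces a few very large breaches."""
    n_total = len(records)
    id_total = sum(n for _, _, n in records)
    counts, ids = defaultdict(int), defaultdict(int)
    for _, cause, n in records:
        counts[cause] += 1
        ids[cause] += n
    return {c: (counts[c] / n_total, ids[c] / id_total) for c in counts}


def deliberate_breaches(records):
    """Breaches whose cause is hacking, insider intervention or fraud."""
    return [r for r in records if r[1] in DELIBERATE_CAUSES]


if __name__ == "__main__":
    print("breach counts by sector:", breaches_by_sector(BREACHES))
    top_by_count = {"healthcare", "government", "education"}
    print("share of identities for the sectors with most breaches:",
          f"{share_of_identities(BREACHES, top_by_count):.1%}")
    print("average identities per hacking breach:",
          f"{average_per_breach(BREACHES, 1, 'hacking'):,.0f}")
    for cause, (by_count, by_ids) in cause_breakdown(BREACHES).items():
        print(f"{cause}: {by_count:.1%} of breaches, {by_ids:.1%} of identities")
    print("deliberate breaches:", len(deliberate_breaches(BREACHES)))
```

The sample is skewed on purpose: theft/loss is the most frequent cause by count while hacking exposes almost all identities, which is the shape the commentary reports for 2011. `cause_breakdown` returns both shares side by side so that the two rankings can be compared from one pass over the records.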

61 of 134

14/04/13 11:23 AM

Build Your Report | Symantec

http://www.symantec.com/threatreport/print.jsp?id=highlights...

Data and commentary for data breaches that could lead to identity theft by sector

Top-ten sectors by number of data breaches

Healthcare, government and education sectors ranked top for number of data breaches, but lower for number of identities exposed: Although the healthcare, government and education sectors accounted for the three largest percentages of data breaches by number in 2011, those breaches accounted for only approximately 9.7% of all reported identities exposed during 2011 (figure A.31). This is because the average number of identities exposed in each of the data breaches in these sectors was relatively low: approximately 133,500 per data breach for these three sectors combined, compared with an average of 19.4 million identities exposed per breach for the computer software sector alone (figure A.32).

Top data breaches are reflected in top sectors for identities exposed: The top three sectors of Computer Software, IT and Healthcare had the largest number of identities exposed due to data breaches in 2011; these three sectors accounted for 93.0% of the total number of identities exposed.

Data and commentary for data breaches that could lead to identity theft by cause

Top causes for data breach by number of breaches

Top causes for data breach by number of identities exposed

Theft or loss was the top cause for data breaches: The most frequent cause of data breaches (across all sectors) that could facilitate identity theft in 2011 was theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium (figure A.33).

Theft or loss accounted for 34.3% of breaches that could lead to identity theft in 2011, which equated to approximately 18.5 million identities exposed in total. The second most frequent data breach type was hacking (29.0%), which exposed approximately 187.2 million identities in 2011, the greatest number for any cause of breach in 2011.

Hacking was the leading source for reported identities exposed: Although hacking was the second most common cause of data breaches that could lead to identity theft in 2011, it was the top cause for the number of reported identities exposed. Hacking was responsible for over 80.5% of the identities exposed in the largest data breaches that occurred in 2011. The average number of identities exposed per data breach in hacking incidents was approximately 3.3 million.

Data and commentary for type of information exposed in deliberate breaches

The most common types of identity information leaked in deliberate data breaches were names, addresses and credit card numbers, accounting for one-third of the identities breached in 2011. Names, phone numbers, email addresses and passwords were found in 16% of breaches. Usernames, passwords and purchase information were identified in 16% of the identity breaches.

[12] http://www.nortoncybercrimeindex.com/
[13] http://www.enisa.europa.eu/act/it/library/deliverables/dbn/at_download/fullReport/
[14] http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
[15] http://www.idanalytics.com/
[16] For example, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) of California. For more on this act, please see: http://www.privacyrights.org/fs/fs6a-facta.htm. Another example is the Health Insurance Portability and Accountability Act of 1996. For more information see: http://www.cms.hhs.gov/HIPAAGenInfo/

Vulnerability Trends
A vulnerability is a weakness that allows an attacker to compromise the availability, confidentiality, or integrity of a computer system. Vulnerabilities may be the result of a programming error or of a flaw in the design that affects security. Vulnerabilities can affect both software and hardware. It is important to stay abreast of new vulnerabilities being identified in the threat landscape, because early detection and patching will minimize the chances of being exploited. This section discusses selected vulnerability trends, providing analysis and discussion of the trends indicated by the data. The following metrics are included:

Total Number of Vulnerabilities
Zero-Day Vulnerabilities
Notable Zero-day Attacks
Web Browser Vulnerabilities
Web Browser Plug-In Vulnerabilities
Web Attack Toolkits
SCADA Vulnerabilities

Total Number of Vulnerabilities
Background

The total number of vulnerabilities for 2011 is based on research from independent security experts and vendors of affected products. The yearly total also includes zero-day vulnerabilities that attackers uncovered and that were subsequently identified post-exploitation. Calculating the total number of vulnerabilities provides insight into the vulnerability research being conducted in the threat landscape. There are many motivations for conducting vulnerability research, including security, academic, promotional, software quality assurance, and, of course, the malicious motivations that drive attackers. Symantec gathers information on all of these vulnerabilities as part of its DeepSight vulnerability database and alerting services. Examining these trends also provides further insight into other topics discussed in this report. Discovering vulnerabilities can be advantageous to both sides of the security equation: legitimate researchers may learn how better to defend against attacks by analyzing the work of attackers who uncover vulnerabilities; conversely, cybercriminals can capitalize on the published work of legitimate researchers to advance their attack capabilities. The vast majority of vulnerabilities that are exploited by attack toolkits are publicly known by the time they are exploited.

Methodology

Information about vulnerabilities is made public through a number of sources. These include mailing lists, vendor advisories, and detection in the wild. Symantec gathers this information and analyzes various characteristics of the vulnerabilities, including technical information and ratings, in order to determine the severity and impact of the vulnerabilities. This information is stored in the DeepSight vulnerability database, which houses over 47,000 distinct vulnerabilities spanning a period of over 20 years. As part of the data gathering process, Symantec scores the vulnerabilities according to version 2.0 of the community-based CVSS (Common Vulnerability Scoring System) [1]. Symantec adopted version 2.0 of the scoring system in 2008. The total number of vulnerabilities is determined by counting all of the vulnerabilities published during the reporting period. All vulnerabilities are included, regardless of severity or whether or not the vendor who produced the vulnerable product confirmed them.

65 of 134 14/04/13 11:23 AM

Data

Commentary

Actual number of new vulnerabilities reported is down, but the trend is still upwards: The total number of new vulnerabilities reported in 2011 stood at 4,989, which works out to approximately 95 new vulnerabilities a week. This is a decrease of 20% from the 6,253 reported in 2010. While this may seem like positive news, it must be viewed in the context of a longer time window: over the longer term, the overall pattern is still on an upward trajectory. The number of vulnerabilities reported in January 2012 already amounts to 488, well ahead of the number reported in the same month last year.

The most often exploited vulnerabilities are not the newest: From in-field telemetry we can see that the vulnerabilities most frequently used in attacks are not the newest. Our data show that the most commonly attacked component, by a wide margin, is the Microsoft Windows RPC component. The attacks against this component mostly use the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874 [2]). This vulnerability was first reported in October 2008 and Symantec blocked 61.2 million attempts to exploit it in 2011. That figure is 4.7 times the volume of the second most exploited vulnerability, the Microsoft Windows RPCSS DCOM Interface Denial of Service Vulnerability (BID 8234 [3]), from July 2003. The next two most often used vulnerabilities are the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108 [4]), dating from April 2004, and the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409 [5]), from August 2006. Finally, the fifth most exploited vulnerability is the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (BID 35759 [6]), reported in July 2009.

All of the top five vulnerabilities are several years old with patches available: So why are they used so often even several years after patches are available? There could be several reasons:

Trading of vulnerabilities [7], through either legitimate or clandestine channels, has given exploitable vulnerabilities a significant monetary value. Because of the restricted information available on some new vulnerabilities, criminals may not be able to take advantage of them unless they are willing to pay the often substantial asking prices. If they are unable or unwilling to pay, they may resort to existing, widely available, tried and tested vulnerabilities to achieve their goals, even if doing so is potentially less effective. Those who do pay will want to ensure maximum return on their investment. This could mean they use the vulnerability discreetly and selectively rather than making a big splash and arousing the attention of security vendors and other criminal groups looking for new vulnerabilities to use.

Older vulnerabilities have a more established malware user base and so account for a greater amount of traffic. For example, widespread and well-established malware threats such as W32.Downadup [8] and its variants use the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which continues to register over 200,000 hits each day. Because these threats use vulnerabilities to spread in an automated fashion, the number of attacks they launch is generally far higher than for targeted attacks.

For various reasons, not all of the user population applies security patches quickly, or at all. This means older vulnerabilities can still be effective, even years after patches are available. Because of this, there will always be a window of opportunity for criminals to exploit, and they are all too aware of it.

File based vulnerabilities: The most commonly exploited data file format is PDF. One of the PDF-related vulnerabilities, the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (BID 35759 [9]), registered as the fifth most often used vulnerability in 2011 with just over 1 million attacks reported. PDF files containing exploits are often associated with Advanced Persistent Threat (APT [10]) style attacks rather than self-replicating malware. In this particular case, however, the vulnerability was most often used in Web toolkit based attacks. This attack scenario involves creating malicious websites to host exploit code. Users may then be tricked into visiting these sites by website redirection (e.g. malicious IFRAMEs), SEO poisoning, or spam emails, instant messages or social media updates carrying links to the malicious website. Note that websites hosting malicious toolkits often contain multiple exploits that can be tried against the visitor. In some cases the kit will attempt to use every exploit at its disposal in a non-intelligent fashion, whereas more modern, advanced kits will fingerprint the software installed on the computer before deciding which exploit(s) to send, to maximise the success rate.

The fact that so many Web kit based exploit attempts are made using this old vulnerability suggests that a considerable number of users have not updated their PDF readers to a non-vulnerable version.
[1] http://www.first.org/cvss/cvss-guide.html
[2] http://www.securityfocus.com/bid/31874
[3] http://www.securityfocus.com/bid/8234
[4] http://www.securityfocus.com/bid/10108
[5] http://www.securityfocus.com/bid/19409
[6] http://www.securityfocus.com/bid/35759
[7] http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html
[8] http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
[9] http://www.securityfocus.com/bid/35759
[10] http://go.symantec.com/apt

Zero-Day Vulnerabilities
Background

Zero-day vulnerabilities are vulnerabilities against which no vendor has released a patch. The absence of a patch for a zero-day vulnerability presents a threat to organizations and consumers alike, because in many cases these threats can evade purely signature-based detection until a patch is released. The unexpected nature of zero-day threats is a serious concern, especially because they may be used in targeted attacks and in the propagation of malicious code.

Methodology

Zero-day vulnerabilities are a subset of the total number of vulnerabilities documented over the reporting period. A zero-day vulnerability is one that appears to have been exploited in the wild prior to being publicly known. It may not have been known to the affected vendor prior to exploitation and, at the time of the exploit activity, the vendor had not released a patch. The data for this section consists of the vulnerabilities that Symantec has identified that meet the above criteria.

Commentary

2011 produced the lowest number of zero-day vulnerabilities in the past 6 years, a 43% drop compared with 2010. However, the number seen in 2010 was somewhat inflated by W32.Stuxnet, which alone accounted for four [11] of that year's zero-day vulnerabilities.

There was only one zero-day browser vulnerability in 2011, a drop of three from 2010. This corresponds with the overall drop in browser vulnerabilities seen in 2011. While browser vulnerabilities continue to be attractive to attackers, security features built into browsers, such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) [12], have made it more difficult for attackers to create reliable exploits.

While the overall number of zero-day vulnerabilities is down, attacks using these vulnerabilities continue to be successful. The majority of these vulnerabilities are leveraged in targeted attacks. Adobe Flash and Reader vulnerabilities are widely used in targeted attacks and account for 50% of the zero-day vulnerabilities seen in 2011.

[11] http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities
[12] http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

Notable Zero-day Attacks
A number of high-profile attacks in 2011 utilized zero-day vulnerabilities.

RSA

In March 2011 RSA revealed that they were the victim of a targeted attack in which data related to their SecurID™ product was stolen [13]. This stolen data was then used in further attacks against a number of military contractors. In order to gain access to the RSA network the attackers first sent a crafted email message to a number of employees with the subject line "2011 Recruitment Plan". The message contained an attachment called 2011 Recruitment Plan.xls, as shown in figure D.6.

The attachment contained an embedded Flash file which exploited CVE-2011-0609 in order to install a backdoor program. Once the attackers had backdoor access they were able to install the Poison Ivy remote access tool in order to iterate through the network gathering credentials and eventually reach the target machine which contained the sought-after data.

W32.Duqu

W32.Duqu was discovered in September 2011 and was determined to have been based on the same source code as W32.Stuxnet. W32.Duqu is designed to capture and exfiltrate data which may be used to enable a future Stuxnet-like attack. The initial W32.Duqu installer was a Microsoft Word document (.doc) which exploited a previously unknown kernel-level vulnerability that allows code execution. This vulnerability was later assigned CVE-2011-3402, Win32k TrueType Font Parsing Vulnerability. The .doc was sent as an attachment to the targeted organization and was crafted to specifically target the recipient, e.g. by taking a document from the organization's website, such as a form, and modifying it in order to exploit the vulnerability. When launched, the document triggers the exploit code, which then loads shellcode to decrypt the driver and installer. The shellcode executes the driver, which in turn injects the installer into services.exe. The following diagram illustrates the infection routine:

The Sykipot Attacks

The Sykipot threat has been in existence since 2006 but gained attention in December 2011 due to a series of targeted attacks in which it exploited CVE-2011-2462, Adobe Reader/Acrobat U3D Memory Corruption Vulnerability, a zero-day vulnerability. This was not the first time that the Sykipot attackers used a zero-day vulnerability. In March 2010 the same attackers used an Internet Explorer zero-day, CVE-2010-0806, Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability, to download and install Backdoor.Sykipot. In the December 2011 attacks, the attackers sent targeted emails with a malicious PDF attachment, as shown in figure D.8.

The targeted email was sent to a number of individuals in a variety of organizations covering many industry sectors, such as:

Defense contractors
Telecommunications
Computer hardware
Chemical
Energy
Government departments

When the PDF attachment is launched it exploits CVE-2011-2462 in order to install the backdoor program Backdoor.Sykipot. Backdoor.Sykipot can then receive a variety of commands from the attackers, ultimately leading to the exfiltration of sensitive documents.

Window of Exposure for Zero-day Vulnerabilities

The window of exposure for a vulnerability is the difference in days between the time when exploit code affecting the vulnerability is made public and the time when the affected vendor makes a patch publicly available for it. During this time, the computer or system on which the affected application is deployed may be susceptible to attack. Attackers will attempt to maximize the window of exposure by making swift use of exploits in attacks.

Commentary

An example of attackers taking advantage of the window of exposure is the use of CVE-2011-2462, Adobe Acrobat and Reader U3D Memory Corruption Vulnerability. This vulnerability was used in targeted attacks in the wild on December 1st 2011. An advisory was published by the vendor on December 6th 2011 [14] confirming that the vulnerability was being exploited in attacks against Adobe Reader 9.x. Version 10.x was also vulnerable but was not being exploited in the wild. On December 16 Adobe Reader and Acrobat version 9.4.7 was released to correct this vulnerability for versions 9.x. Version 10.1.2 was released on January 10th 2012 to correct the 10.x branch. The window of exposure for Adobe Reader and Acrobat 9.x, from the advisory on December 6 to the patch on December 16, was therefore 10 days; for 10.x it was longer. During this time heightened activity was seen against this vulnerability. The vulnerability was being exploited in crafted PDFs sent as email attachments. Once launched, the attachment would exploit CVE-2011-2462 in order to install a backdoor program onto the victim's machine. Symantec.cloud observed a significant spike in these malicious attachments in the period just after the vulnerability was published:

The vulnerability was used in limited targeted attacks in the period leading up to public disclosure. A few days after the vulnerability was publicly disclosed by the vendor, it was seen being exploited in reasonably widespread attacks. It was actively used in the wild for 6 days leading up to the patch being released on December 16. The numbers above demonstrate the attractiveness of a zero-day vulnerability to attackers and how they will attempt to maximize the effectiveness of the exploit code during the window of exposure.
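The branch-specific timeline above (9.x fixed in 9.4.7 on December 16, 10.x fixed in 10.1.2 on January 10) is exactly the detail that a naive "is the installed version older than the latest release" check gets wrong. The added example below, which is not code from the report, turns that timeline into a patch-exposure check over a constructed inventory: the fixed version is looked up per major branch, so a 9.4.7 install is reported as patched even though 10.1.1 is a higher version number and still exposed, and the exposure window is computed per branch from the vendor's disclosure date. The host names and installed versions in the inventory are made up; the dates and fixed versions are those quoted in the paragraph above.

```python
"""Branch-aware patch exposure check (added example; not code from the report).

FIXED_VERSIONS and the dates reproduce the CVE-2011-2462 timeline described
in the text; INVENTORY is a constructed sample, not real hosts.
"""
from datetime import date
from typing import Optional

# Fixed version per affected major branch, from the Adobe advisory timeline above.
FIXED_VERSIONS = {
    "CVE-2011-2462": {9: "9.4.7", 10: "10.1.2"},
}

# Vendor disclosure date and per-branch patch dates from the text.
DISCLOSED = {"CVE-2011-2462": date(2011, 12, 6)}
PATCHED = {"CVE-2011-2462": {9: date(2011, 12, 16), 10: date(2012, 1, 10)}}


def parse_version(version: str) -> tuple:
    """'10.1.2' -> (10, 1, 2). Tuples compare element-wise, so (10, 1, 2, 45) > (10, 1, 2)."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, cve: str) -> bool:
    """True if the installed build is below the fix for its own major branch.

    A branch with no entry is treated as not affected. That is right for a
    branch the vendor did not list; revisit it if the advisory says
    'all versions'.
    """
    v = parse_version(installed)
    fixed_for_branch = FIXED_VERSIONS[cve].get(v[0])
    if fixed_for_branch is None:
        return False
    return v < parse_version(fixed_for_branch)


def window_of_exposure(cve: str, branch: int, today: Optional[date] = None) -> int:
    """Days from vendor disclosure to the branch's patch (or to today if still unpatched)."""
    end = PATCHED[cve].get(branch) or today or date.today()
    return (end - DISCLOSED[cve]).days


def hosts_needing_patch(inventory, cve: str):
    """Return [(host, version, days_exposed), ...] for hosts still below the fix."""
    result = []
    for host, version in inventory:
        if is_vulnerable(version, cve):
            branch = parse_version(version)[0]
            result.append((host, version, window_of_exposure(cve, branch)))
    return result


# Constructed inventory: (host name, installed Adobe Reader version).
INVENTORY = [
    ("ws-finance-01", "9.4.6"),
    ("ws-finance-02", "9.4.7"),
    ("ws-legal-01", "10.1.1"),
    ("ws-legal-02", "10.1.2"),
    ("ws-legal-03", "10.1.2.45"),
]

if __name__ == "__main__":
    for host, version, days in hosts_needing_patch(INVENTORY, "CVE-2011-2462"):
        print(f"{host}: Reader {version} is below the fix; branch window was {days} days")
```

The per-branch lookup is the point: a single "latest version" comparison would either flag every 9.x host as unpatched forever or, if it compared against 9.4.7, miss the 10.1.1 host entirely.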
[13] http://www.rsa.com/node.aspx?id=3872
[14] http://www.adobe.com/support/security/advisories/apsa11-04.html

Web Browser Vulnerabilities
Background

Web browsers are now ubiquitous components of computing for both enterprise and individual users, on desktops and on mobile devices. Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware, and adware. In addition, Web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications and are particularly targeted by multi-exploit attack kits. Web-based attacks can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Some content, such as media files or documents, is often presented in browsers via browser plug-in technologies. While browser functionality is often extended by the inclusion of various plug-ins, each added plug-in component also widens the potential attack surface for client-side attacks.

Methodology

Browser vulnerabilities are a subset of the total number of vulnerabilities cataloged by Symantec throughout the year. To determine the number of vulnerabilities affecting browsers, Symantec considers all vulnerabilities that have been publicly reported, regardless of whether they have been confirmed by the vendor. While vendors do confirm the majority of browser vulnerabilities that are published, not all vulnerabilities may have been confirmed at the time of writing. Vulnerabilities that are not confirmed by a vendor may still pose a threat to browser users and are therefore included in this study.

Data

This metric examines the total number of vulnerabilities affecting the following Web browsers:

Apple Safari
Google Chrome
Microsoft Internet Explorer
Mozilla Firefox
Opera

Commentary

Chrome vulnerabilities dropped off dramatically in 2011. After a spike in 2010 (191), the number of documented vulnerabilities for the Chrome browser dropped to 62 for 2011, a level similar to previous years. A reason for the 2010 spike might have been the bug bounty program introduced that year and the rapid development of the browser in 2010. For Firefox, Internet Explorer, Safari and Opera the number of reported vulnerabilities decreased marginally in 2011. These five browsers combined had 351 reported vulnerabilities in 2011, a strong decrease from 500 in 2010. This decline can be attributed to the decrease in Chrome browser vulnerabilities. However, a decline in the number of reported vulnerabilities does not necessarily imply that risk levels have diminished; many Web-based attack kits will continue to exploit existing vulnerabilities and rapidly incorporate exploits for new vulnerabilities.

Web Browser Plug-in Vulnerabilities
Background

This metric examines the number of vulnerabilities affecting plug-ins for Web browsers. Browser plug-ins are technologies that run inside the Web browser and extend its features, such as allowing additional multimedia content from Web pages to be rendered. Although plug-ins traditionally run inside the browser process, some vendors have started to execute them in sandbox containers in order to limit the potential harm of vulnerabilities. Many browsers now include various plug-ins in their default installation and also provide a framework to ease the installation of additional plug-ins. Plug-ins now provide much of the expected or desired functionality of Web browsers and are often required in order to use many commercial sites. Vulnerabilities affecting these plug-ins are an increasingly favored vector for a range of client-side attacks, and the exploits targeting these vulnerabilities are commonly included in attack kits. Some plug-in technologies include automatic update mechanisms that help keep software up to date, which may limit exposure to certain vulnerabilities. To help mitigate the risk, some browsers have started to check the version of installed third-party plug-ins and inform the user if updates are available.

Methodology

Web browser plug-in vulnerabilities comprise a subset of the total number of vulnerabilities cataloged by Symantec over the reporting period. The vulnerabilities in this section cover the entire range of possible severity ratings and include vulnerabilities that are both unconfirmed and confirmed by the vendor of the affected product. Confirmed vulnerabilities consist of security issues that the vendor has publicly acknowledged, by either releasing an advisory or otherwise making a public statement to concur that the vulnerability exists. Unconfirmed vulnerabilities are vulnerabilities reported by third parties, usually security researchers, which have not been publicly confirmed by the vendor. That a vulnerability is unconfirmed does not mean that the report is not legitimate, only that the vendor has not released a public statement to confirm its existence.

Data

Symantec analyzed the following plug-in technologies:

Adobe Reader
Adobe Flash Player
Apple QuickTime
Microsoft ActiveX
Mozilla Firefox extensions
Oracle Sun Java Platform Standard Edition (Java SE)

Commentary

In 2011, 308 vulnerabilities affecting browser plug-ins were documented by Symantec, a slight decrease compared to the 346 documented in 2010. ActiveX vulnerabilities decreased further in 2011, continuing the trend of recent years. This may be due to the increased usage of Internet Explorer 8, which has enhanced security features surrounding ActiveX plug-ins [15]. Adobe Flash and Java vulnerabilities each increased by 3 percent in 2011. This trend was already visible in 2010 and grew again. It is also reflected in the vulnerabilities used by attack toolkits, which focused on Adobe Flash, Adobe Reader and Java in 2011.

[15] http://blogs.msdn.com/b/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx

Web Attack Toolkits
Web attack toolkits are collections of scripts, often PHP files, used to build malicious websites that exploit Web-facing vulnerabilities to infect visitors. There are a few dozen known families in use in the wild. Many toolkits are traded or sold on underground forums for US$100 to $1,000. Some are actively developed, with new vulnerabilities added over time; the Blackhole and Eleonore toolkits, for example, both added various Adobe Flash vulnerabilities during 2011. Each new toolkit version released during the year is accompanied by increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see increased use of it in the wild, making as much use of the new exploits as possible until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year. Since many toolkits use the same exploits, it is often difficult to identify the specific toolkit behind each infection attempt. On average a toolkit contains around 10 different exploits, mostly targeting browser-independent plug-in vulnerabilities in applications such as Adobe Flash, PDF viewers and Java. In general, older exploits are not removed from the toolkits, since some systems may still be unpatched. This is perhaps why many toolkits still contain an exploit for the Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462) from 2006. The malicious script tests all possible exploits in sequence until one succeeds, which may inflate the attack counts seen for older vulnerabilities even when those attempts were unsuccessful.
For more information on Web attack toolkits, please read Appendix A: Threat Activity Trends - Analysis of Malicious Web Activity by Attack Toolkits.
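The sequence described above, and under "File based vulnerabilities" earlier in this section (landing page, then every exploit the kit carries tried in turn, then the payload download once one lands), leaves a recognizable trace in a web proxy log. The added example below is not code from the report or from any named toolkit; it runs that heuristic over a few constructed proxy log lines. A client that fetches an HTML page and, within a minute, pulls two or more plug-in payload types (PDF, Flash, Java archive) and then an executable blob from the same host is flagged, and the list of content types the kit tried is returned. The log format, the hosts (under the reserved .test and .example names), the timings and the one-minute window are all assumptions made for the example.

```python
"""Exploit-kit landing-page sequence heuristic (added example; not report code).

Input is a constructed proxy log, one request per line:
    <ISO timestamp> <client ip> <method> <url> <status> <content-type>
The format, hosts and timings are assumptions made for this example.
"""
from datetime import datetime
from itertools import groupby
from urllib.parse import urlsplit

# Plug-in content types a kit cycles through, and the tag used for them in an alert.
EXPLOIT_TYPES = {
    "application/pdf": "pdf",
    "application/x-shockwave-flash": "flash",
    "application/java-archive": "jar",
}
# Content types a dropped payload typically arrives as.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed sample: one kit-like chain and one benign PDF download.
SAMPLE_LOG = """\
2011-12-07T10:15:01 10.0.0.5 GET http://landing.example-kit.test/in.php 200 text/html
2011-12-07T10:15:02 10.0.0.5 GET http://landing.example-kit.test/pdf.php?v=2 200 application/pdf
2011-12-07T10:15:03 10.0.0.5 GET http://landing.example-kit.test/flash.swf 200 application/x-shockwave-flash
2011-12-07T10:15:04 10.0.0.5 GET http://landing.example-kit.test/jar.php 200 application/java-archive
2011-12-07T10:15:06 10.0.0.5 GET http://landing.example-kit.test/w.php?f=7&e=3 200 application/octet-stream
2011-12-07T10:20:00 10.0.0.7 GET http://news.example/index.html 200 text/html
2011-12-07T10:20:01 10.0.0.7 GET http://news.example/report.pdf 200 application/pdf
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields; the content type is normalised."""
    ts, client, method, url, status, ctype = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "host": urlsplit(url).hostname or "",
        "url": url,
        "status": int(status),
        "ctype": ctype.split(";")[0].lower(),
    }


def detect_kit_sequences(lines, window_seconds: int = 60, min_exploits: int = 2):
    """Flag client/host pairs showing landing page -> N plug-in exploits -> payload.

    min_exploits=2 matches the 'try everything' kits the text describes. A
    fingerprinting kit sends a single exploit and would need min_exploits=1
    plus other signals to avoid false positives on ordinary PDF downloads.
    """
    events = sorted(
        (parse_line(l) for l in lines if l.strip()),
        key=lambda e: (e["client"], e["host"], e["ts"]),
    )
    alerts = []
    for (client, host), group in groupby(events, key=lambda e: (e["client"], e["host"])):
        hits = list(group)
        for i, landing in enumerate(hits):
            if landing["ctype"] != "text/html":
                continue
            tried = []
            for nxt in hits[i + 1:]:
                if (nxt["ts"] - landing["ts"]).total_seconds() > window_seconds:
                    break
                tag = EXPLOIT_TYPES.get(nxt["ctype"])
                if tag and tag not in tried:
                    tried.append(tag)
                elif nxt["ctype"] in PAYLOAD_TYPES and len(tried) >= min_exploits:
                    alerts.append({
                        "client": client,
                        "host": host,
                        "landing": landing["url"],
                        "exploits": tried,
                        "payload": nxt["url"],
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_kit_sequences(SAMPLE_LOG.splitlines()):
        print(f"{a['client']} -> {a['host']}: tried {', '.join(a['exploits'])}; payload {a['payload']}")
```

The benign client that opens a news site and then a PDF from it is not flagged because no executable follows and only one plug-in type is fetched; tightening `window_seconds` or raising `min_exploits` trades recall for precision against kits that fingerprint first and send only one exploit.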

SCADA Vulnerabilities
Background

This metric examines the SCADA (Supervisory Control and Data Acquisition) security threat landscape. SCADA represents a wide range of protocols and technologies for monitoring and managing equipment and machinery in various sectors of critical infrastructure and industry. This includes, but is not limited to, power generation, manufacturing, oil and gas, water treatment, and waste management. The security of SCADA technologies and protocols is therefore a national security concern, because the disruption of related services can result in the failure of infrastructure and potential loss of life, among other consequences.

Methodology

This discussion is based on data surrounding publicly known vulnerabilities affecting SCADA technologies. The purpose of the metric is to provide insight into the state of security research in relation to SCADA systems. To a lesser degree, this may provide insight into the overall state of SCADA security. Vulnerabilities affecting SCADA systems may present a threat to critical infrastructure that relies on these systems. Due to the potential for disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks. This is a concern for governments and enterprises that are involved in the critical infrastructure sector. While this metric provides insight into public SCADA vulnerability disclosures, due to the sensitive nature of vulnerabilities affecting critical infrastructure there is likely private security research conducted by SCADA technology and security vendors. Symantec does not have insight into private research because its results are not publicly disclosed.

Data

The number of SCADA vulnerabilities rose dramatically in 2011: there were 129 public SCADA vulnerabilities in 2011, a massive increase over the 15 vulnerabilities in 2010.

Commentary

The security of SCADA systems has always been an area of concern, but prior to 2010 it was discussed on a more theoretical level. Since the emergence of W32.Stuxnet in 2010 there has been an increased focus on the security of SCADA systems. These systems also gained attention in November 2011 when reports emerged of two separate alleged breaches. On November 10, 2011 the Illinois Statewide Terrorism & Intelligence Center (STIC) issued a report stating that the SCADA system at an Illinois water system had been breached and that the resulting actions had caused a water pump to burn out. ICS-CERT later issued a report stating that there was no evidence to support these claims [16]. On November 18th a hacker who goes by the name pr0f posted a statement to pastebin [17] in which he claimed to have accessed the SCADA system used to manage water and sewage systems in South Houston, Texas.

The large increase in SCADA vulnerabilities in 2011 can for the most part be attributed to one security researcher, Luigi Auriemma [18], who discovered 93 of the 129 vulnerabilities published.

[16] http://www.us-cert.gov/control_systems/pdf/ICSB-11-327-01.pdf
[17] http://pastebin.com/Wx90LLum
[18] http://www.digitalbond.com/2011/03/22/interview-with-luigi-auriemma-of-34-0days-ics-vulnerabilities

Malicious Code Trends
Symantec collects malicious code information from our large global customer base through a series of opt-in anonymous telemetry programs, including Norton Community Watch, Symantec Digital Immune System and Symantec Scan and Deliver technologies. Well over 133 million clients, servers and gateway systems actively contribute to these programs. New malicious code samples, as well as detection incidents from known malicious code types, are reported back to Symantec. These resources give Symantec's analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in malicious code activity in the threat landscape. Reported incidents are considered potential infections if an infection could have occurred in the absence of security software to detect and eliminate the threat.

Malicious code threats are classified into four main types: backdoors, viruses, worms, and Trojans.

Backdoors allow an attacker to remotely access compromised computers.
Viruses propagate by infecting existing files on affected computers with malicious code.
Worms are malicious code threats that can replicate on infected computers or in a manner that facilitates them being copied to another computer (such as via USB storage devices).
Trojans are malicious code that users unwittingly install onto their computers, most commonly by opening email attachments or downloading from the Internet. Trojans are often downloaded and installed by other malicious code as well. Trojan horse programs differ from worms and viruses in that they do not propagate themselves.

Many malicious code threats have multiple features; for example, a backdoor will always be categorized in conjunction with another malicious code feature. Typically, backdoors are also Trojans, but many worms and viruses also incorporate backdoor functionality. In addition, many malicious code samples can be classified as both worm and virus due to the way they propagate. One reason for this is that threat developers try to give malicious code multiple propagation vectors in order to increase their odds of successfully compromising computers in attacks.

The following malicious code trends are analyzed for 2011:

Top Malicious Code Families
Analysis of Malicious Code Activity by Geography, Industry Sector and Company Size
Propagation Mechanisms
Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)
TRIAGE Analysis of Targeted Attacks

Top Malicious Code Families
Background

Symantec analyzes new and existing malicious code families to determine which threat types and attack vectors are being employed in the most prevalent threats. This information also allows system administrators and users to gain familiarity with threats that attackers may favor in their exploits. Insight into emerging threat development trends can help them to bolster security measures and mitigate future attacks. The endpoint is often the last line of defense; however, it can also be the first line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway or cloud-based filtering.

Methodology

A malicious code family initially comprises a single distinct malicious code sample. As variants of the sample are released, the family can grow to include multiple variants. Symantec determines the most prevalent malicious code families by collating and analyzing anonymous telemetry data gathered for the reporting period. Over the course of 2011, such products reported 1.8 billion malicious code detections, compared with 1.5 billion in 2010. This figure includes malicious code detections identified in Symantec endpoint technology, including Norton, as well as the Symantec.cloud security services for email and Web. Malicious code is classified into families based on variants in the signatures assigned by Symantec when the code is identified. Variants appear when attackers modify or improve existing malicious code to add or change functionality. These changes alter existing code enough that antivirus sensors may not detect the threat with an existing signature.

The total number of variants identified in 2011 was 403.8 million, compared with 286 million in 2010. Overall, the top-ten list of malicious code families accounted for 47.2% of all potential infections blocked in 2011.

Data
Commentary

Ramnit overtakes Sality to become the most prevalent malicious code family in 2011. Ranked sixth in 2010, the top malicious code family by volume of potential infections in 2011 was Ramnit. Samples of the Ramnit family of malware were responsible for significantly more potential infections than the second-ranked malicious code family in 2011, Sality. This is primarily the result of activity by W32.Ramnit!html, which accounts for 51% of all Ramnit malware blocked in 2011. W32.Ramnit!html is a generic detection for .html files infected by W32.Ramnit. First discovered in 2010, W32.Ramnit!html has been a prominent feature of the threat landscape since then, often switching places with Sality throughout the year as the two families jockey for first position. Ramnit spreads by encrypting and then appending itself to DLL, EXE and HTML files. It can also spread by copying itself to the recycle bin on removable drives and creating an AUTORUN.INF file so that the malware is potentially automatically executed on other computers. This can occur when an infected USB device is attached to a computer. The reliable simplicity of spreading via USB devices and other media makes malicious code families such as Ramnit and Sality (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers. The Sality family of malware, ranked second, remains attractive to attackers because it uses polymorphic code that can hamper detection. Sality is also capable of disabling security services on affected computers. These two factors may lead to a higher rate of successful installations for attackers. Sality propagates by infecting executable files and copying itself to removable drives such as USB devices. Similar to Ramnit, Sality also relies on AUTORUN.INF functionality to potentially execute when those drives are accessed.
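Ramnit and Sality both rely on an AUTORUN.INF file on removable media to launch a copy hidden in the drive's recycle bin. As an added example (not Symantec's detection code), the following Python inspects an AUTORUN.INF body for launch entries that point into such hidden folders; the two sample files and the folder heuristics are constructed for the example.

```python
"""Inspect an AUTORUN.INF body for the launch pattern removable-media worms use.
Added example, not Symantec's code; samples and heuristics are constructed."""
import configparser
import re

# [autorun] keys that make Windows launch a program when the volume is inserted
# or opened. ConfigParser lower-cases option names, so these are lower case too.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command")

# Constructed heuristics: folders a legitimate installer CD has no reason to
# launch from, and extensions that execute.
HIDDEN_FOLDER = re.compile(
    r"recycler|recycled|\$recycle\.bin|system volume information", re.I)
EXECUTABLE = re.compile(r"\.(exe|scr|com|pif|bat|cmd)\b", re.I)


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased keys, {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:          # not an INI file at all
        return {}
    for name in cp.sections():          # section header may be [AutoRun] etc.
        if name.strip().lower() == "autorun":
            return {k: (v or "") for k, v in cp.items(name)}
    return {}


def assess_autorun(text):
    """Return (severity, message) findings for one AUTORUN.INF body."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        value = entries.get(key, "")
        if not value:
            continue
        if HIDDEN_FOLDER.search(value):
            findings.append(("high", f"{key} launches from a hidden system folder: {value}"))
        elif EXECUTABLE.search(value):
            findings.append(("medium", f"{key} launches an executable from the volume: {value}"))
    # Worms often set the action text to mimic Explorer's own "Open folder to
    # view files" entry so the user picks the malicious option out of habit.
    action = entries.get("action", "")
    if findings and "open folder" in action.lower():
        findings.append(("high", f"action text imitates the Explorer default: {action!r}"))
    return findings


# Constructed sample modelled on the Ramnit/Sality behaviour described above;
# the SID-style folder name is a placeholder, not a real indicator.
WORM_AUTORUN = """[AutoRun]
open=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\svchost.exe
shell\\open\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\svchost.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Constructed sample of a benign product CD: no launch entry at all.
CLEAN_AUTORUN = """[autorun]
icon=setup.ico
label=Product CD
"""

if __name__ == "__main__":
    for label, body in (("worm", WORM_AUTORUN), ("clean", CLEAN_AUTORUN)):
        print(label, assess_autorun(body) or "no findings")
```

The same function can be pointed at the AUTORUN.INF of any mounted volume; a launch entry into RECYCLER is the signal to quarantine the drive rather than open it.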


Downadup is losing momentum: Downadup (a.k.a. Conficker) was ranked in fourth position in 2011, compared with 2010, when it was the second-ranked malicious code family by volume of potential infections. Downadup propagates by exploiting vulnerabilities in order to copy itself to network shares. Downadup was estimated still to be on more than 3 million PCs worldwide at the end of 2011 [1], compared with approximately 5 million at the end of 2010. Overall in 2011, 1 in 238.8 emails was identified as malicious, compared with 1 in 284.3 in 2010; 39.1% of email-borne malware comprised hyperlinks that referenced malicious code, in contrast with malware that was contained in an attachment to the email. This figure was 23.7% in 2010, an indication that cyber criminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email to the Web. In 2011, 17.9% of malicious code detected was identified and blocked using generic detection technology. Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created using toolkits, and hundreds of thousands of variants can be created from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each variant would traditionally need its own signature to be correctly identified and blocked. By deploying techniques such as heuristic analysis and generic detection, it is possible to correctly identify and block several variants of the same malware families, as well as to identify new forms of malicious code that seek to exploit certain vulnerabilities that can be identified generically. Trojan.Bredolab was the most frequently blocked malware in email traffic by Symantec.cloud in 2011. This was owing to a rise in the number of strains of aggressively polymorphic malware, where variants of the Bredolab Trojan were contained in the payload of the email attachment. Trojan.Bredolab is an example of highly polymorphic malware: malicious code that is continually changed (by structure or content) to hide its presence from security countermeasures. In 2011, Symantec.cloud stopped Trojan.Bredolab in substantial volumes using Skeptic™ technology. Trojan.Bredolab frequently acts as a downloader or installer for many secondary threats, including Trojan.Fakeavalert, Backdoor.Rustock, Trojan.Srizbi, and W32.Waledac. The email would often use social engineering to encourage the recipient to open it. Many such variants were also deployed via URL hyperlinks; some variations of the attacks used embedded links or attachments of the HTML file type. Attached HTML files were the most frequently blocked malicious email attachment in 2011. Web-based ZIP file format archives were the most frequently blocked malicious file type in 2011. Trojan.JS.Iframe.AOX was the most frequently blocked malicious activity in Web traffic filtered by Symantec.cloud in 2011. Detection for a malicious IFRAME is triggered in HTML files that contain hidden IFRAME elements with JavaScript code that attempts to perform malicious actions on the computer; for example, when visiting a malicious Web page, the code attempts to quietly direct the user to a malicious URL while the current page is loading.

Stuxnet in 2011: Despite being developed for a very specific type of target, the number of reports of potential Stuxnet infections observed by Symantec in 2011 placed the worm at rank 18 among malicious code families, compared with 29 in 2010. The Stuxnet worm generated a significant amount of attention in 2010 because it was the first malicious code designed specifically to attack Programmable Logic Controller (PLC) industrial control systems [2]. Notably, Stuxnet was the first malicious code family that may directly affect the physical world, and it proves the feasibility of malicious code causing potentially dramatic physical destruction.

Duqu, the precursor to a new Stuxnet? In October 2011, Symantec received reports of a new threat (W32.Duqu [3]) that was created from the same code base as Stuxnet. Whilst the code base was near identical and the methods around the attacks are similar, the purpose of the new threat appears to be completely different from Stuxnet. Where Stuxnet was primarily designed to sabotage industrial machinery, Duqu appears to be designed for information theft, particularly information related to industrial systems and other secrets. This activity could be carried out with the goal of using the stolen information to plan and mount future attacks of a similar nature to those made by Stuxnet.
1 http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking#toc15

2 http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

3 http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
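The Trojan.JS.Iframe.AOX behaviour described above (a hidden IFRAME that pulls a third-party URL while the page loads) can be spotted in HTML at a gateway or proxy. As an added example that is not Symantec's detection logic, the following Python flags IFRAME elements that are sized to nothing or hidden by CSS, including frames written into the page by inline document.write() calls; the page sample, host names and style heuristics are constructed.

```python
"""Flag hidden IFRAME elements of the kind the report describes under
Trojan.JS.Iframe.AOX. Added example, not Symantec's detection; sample constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Style fragments that take a frame out of view (constructed heuristic list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)
# <iframe ...> markup emitted from script text, e.g. via document.write().
IFRAME_IN_SCRIPT = re.compile(r"<iframe\b[^>]*>", re.I)


def _px(value):
    """Leading integer of a width/height attribute ('1', '0px'); None if missing."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collects attributes of every <iframe>, including ones emitted by inline scripts."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._script = None        # text buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            # Undo the quoting JS string literals use, then parse any frame markup.
            js = "".join(self._script).replace('\\"', '"').replace("\\'", "'")
            for fragment in IFRAME_IN_SCRIPT.findall(js):
                sub = IframeCollector()
                sub.feed(fragment + "</iframe>")
                self.iframes.extend(sub.iframes)
            self._script = None


def find_hidden_iframes(html, page_host):
    """Return [(src, reasons)] for frames the user cannot see; reasons say why."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for frame in parser.iframes:
        reasons = []
        w, h = _px(frame.get("width")), _px(frame.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append(f"size {w}x{h}")
        if HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden by CSS")
        if not reasons:
            continue               # a visible frame is ordinary embedding, not a hit
        src = frame.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append(f"third-party host {host}")
        hits.append((src, reasons))
    return hits


# Constructed page: one legitimate visible embed, one 1x1 hidden frame injected
# into the markup, and one 0x0 frame written from script.
SAMPLE_PAGE = """<html><body>
<h1>Product news</h1>
<iframe width="560" height="315" src="https://video.example.org/embed/123"></iframe>
<iframe src="http://bad.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script type="text/javascript">
document.write('<iframe src=\\"http://bad.example.org/x.html\\" width=0 height=0 style=\\"display:none\\"></iframe>');
</script>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", ", ".join(reasons))
```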


Analysis of Malicious Code Activity by Geography, Industry Sector and Company Size
Background

Malicious code activity trends can also reveal patterns that may be associated with particular geographical locations, or hotspots. This may be a consequence of social and political changes in the region, such as increased broadband penetration and increased competition in the marketplace that can drive down prices, increasing adoption rates. Of course, there may also be other factors at work, based on local economic conditions that may present different risk factors. Similarly, the industry sector may also have an influence on an organization’s risk factor, where certain industries may be exposed to different levels of threat by the nature of their business. Moreover, the size of an organization can also play a part in determining its exposure to risk. Small to medium-sized businesses (SMBs) may find themselves the target of a malicious attack by virtue of the relationships they have with other organizations; for example, a company may be subjected to an attack because it is a supplier to a larger organization, and attackers may seek to take advantage of this relationship in forming the social engineering behind subsequent attacks on the main target, using the SMB as a springboard for these later attacks. SMBs are perceived to be a softer target as they are less likely to have the same levels of defense-in-depth as a larger organization, which is more likely to apply greater budgetary expenditure to its security countermeasures.

Methodology

Analysis of malicious code activity based on geography, industry and size is based on telemetry analysis from Symantec.cloud clients of threats detected and blocked against those organizations in email traffic during 2011. This analysis looks at the profile of organizations being subjected to malicious attacks, in contrast to the source of the attack.

Data


Commentary

The rate of malicious attacks carried by email has increased for eight of the top-ten geographies being targeted; malicious email threats fell in 2011 for organizations in both Vietnam and China. Businesses in the Republic of Korea (South Korea) were subjected to the highest average ratio of email-borne malware in 2011, with 1 in 94.2 emails blocked as malicious, compared with 1 in 209.6 in 2010. Globally, organizations in the Government and Public sector were subjected to the highest level of malicious attacks in email traffic, with 1 in 41.1 emails blocked as malicious in 2011, compared with 1 in 65.7 for 2010. Malicious email threats have increased for all sizes of organizations, with 1 in 205.1 emails being blocked as malicious for large enterprises with more than 2,500 employees in 2011, compared with 1 in 259.7 in 2010. 1 in 267.9 emails were blocked as malicious for small to medium-sized businesses with between 1 and 250 employees in 2011, compared with 1 in 300.0 in 2010.

Propagation Mechanisms
Background

Worms and viruses use various means to spread from one computer to another. These means are collectively referred to as propagation mechanisms. Propagation mechanisms can include a number of different vectors, such as instant messaging (IM), Simple Mail Transfer Protocol (SMTP), Common Internet File System (CIFS), peer-to-peer file transfers (P2P), and remotely exploitable vulnerabilities [4]. Some malicious code may even use other malicious code as a propagation vector by locating a computer that has been compromised through a backdoor server and using it to upload and install itself.

Methodology

This metric assesses the prominence of propagation mechanisms used by malicious code. To determine this, Symantec analyzes the malicious code samples that propagate and ranks associated propagation mechanisms according to the related volumes of potential infections observed during the reporting period [5].

Commentary

As malicious code continues to become more sophisticated, many threats employ multiple mechanisms.

Executable file sharing activity increases: In 2011, 76 percent of malicious code propagated as executables, an increase from 74 percent in 2010. This propagation mechanism is typically employed by viruses and some worms to infect files on removable media. For example, variants of Ramnit and Sality use this mechanism, and both families of malware were significant contributing factors in this metric, as they were ranked as the two most common potential infections blocked in 2011.

Remotely exploitable vulnerabilities increase: The percentage of malicious code that propagated through remotely exploitable vulnerabilities in 2011, at 28 percent, was 4 percentage points higher than in 2010. Examples of attacks employing this mechanism include Downadup, which, although it appears to be in decline, is still a major contributing factor to the threat landscape, ranked in fourth position in 2011.

File transfer using CIFS is in decline: It is worth noting that despite an increase between 2009 and 2010, the percentage of malicious code that propagated through CIFS file transfer fell by four percentage points between 2010 and 2011. Fewer attacks exploited CIFS as an infection vector in 2011.

File transfer via email attachments continues to decline: It is worth noting the continued decline in the percentage of malicious code that propagated through email attachments, for the fifth year running. Between 2010 and 2011, the proportion of malware using this mechanism fell by four percentage points. While this propagation mechanism is still effective, Symantec anticipates that this downward trend will continue into the near future. This is in part owing to a shift towards malicious attacks through malicious URLs contained in emails rather than attachments, compared with 2010. In 2011, 39.1% of email attacks used malicious URLs, compared with 23.7% in 2010.
4 CIFS is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the Internet. One or more directories on a computer can be shared to allow other computers to access the files within.

5 Because malicious code samples often use more than one mechanism to propagate, cumulative percentages may exceed 100 percent.

Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)
Background

With targeted attacks and advanced persistent threats being very much in the news in 2011, in this section we review targeted attacks and look more closely at what has been described as “advanced persistent threats”, or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and industries. As noted earlier in this section, overall in 2011, 1 in 238.8 emails were identified as malicious, but approximately one in 8,300 of those were highly targeted. This means that highly targeted attacks, which may be the precursor to an APT, account for approximately one in every two million emails, still a rare incident rate. However, targeted malware in general has grown in volume and complexity in recent years, and because it is designed to steal company secrets, it can be very difficult for recipients to recognize, especially when the attacker employs compelling social engineering techniques, as we highlight in this report. Targeted attacks have been around for a number of years now; when they first surfaced back in 2005, Symantec.cloud identified and blocked approximately one such attack a week. Over the course of the following year, this number rose to one or two per day, and over the following years it rose still further, to approximately 60 per day in 2010 and 154 per day by the end of 2011. A highly targeted attack is typically the precursor to an APT, and the typical profile of a highly targeted attack will commonly exploit a maliciously crafted document or executable, which is emailed to a specific individual or small group of individuals. These emails will be dressed up with a social engineering element to make them more interesting and relevant. The term “APT” has evolved to describe a unique category of targeted attacks that are specifically designed to target a particular individual or organization.
APTs are designed to stay below the radar and remain undetected for as long as possible, a characteristic that makes them especially effective: they move quietly and slowly in order to evade detection. Unlike the fast-money schemes typical of more common targeted attacks, APTs may have international espionage and/or sabotage objectives. The objective of an APT may include military, political or economic intelligence gathering, confidential or trade secret theft, disruption of operations, or even the destruction of equipment. Stuxnet was a good, albeit extreme, example of the latter: the malware enabled an attacker to disrupt the industrial control systems within the uranium enrichment process of a particular target. Another characteristic of an APT is that it will also be part of a longer-term campaign, and will not follow the opportunistic “smash-and-grab” approach typical of most malware in circulation today. Its purpose will be to remain undetected for as long as possible, perhaps using a variety of attacks over that period; if one attack fails, then a process of continual monitoring will ensure that a follow-up attack is more likely to succeed a few weeks later with a different approach. If successful, an attacker can use the compromised systems as a beachhead for subsequent attacks. All of this illustrates how these attacks can be both advanced and persistent threats: a threat because their purpose is to steal data or interfere with the operations of the targeted company, and potentially to exploit the compromised network now under the attacker’s control to target users in other organizations. They are advanced because of the methods employed to avoid detection, such as the use of zero-day exploits, and the means used to communicate with the command and control network; command and control instructions often involve encrypted traffic, typically sent in small bursts and disguised as normal network traffic. Ensuring that any stolen information can be exfiltrated without detection requires the attacker to avoid easily detectable encryption and to use common protocol channels that would not look out of place, whilst making sure the data remains hidden. Furthermore, they can be described as persistent because the aim is to maintain a foothold within the compromised company’s infrastructure, and the attacker will use numerous methods to achieve this. The attackers have a very clear and specific objective; they are well-funded and well-organized, and without the right protection in place, these threats have both the capability and the intent to achieve their desired goals.

Methodology

Defining what is meant by targeted attacks and APT is important in order to better understand the nature of this mounting threat and to make sure that you have invested in the right kinds of defenses for your organization. The types of organizations being targeted tended to be large, well-known multinational organizations, and were often within particular industries, including the public sector, defense, energy and pharmaceuticals. In more recent years the scope has widened to include almost any organization, including small and medium-sized businesses. But what do we really mean by targeted attacks and advanced persistent threats?
An attack can be considered targeted if it is intended for a specific person or organization, is typically created to evade traditional security defenses and frequently makes use of advanced social engineering techniques. However, not all targeted attacks lead to an APT; for example, the Zeus banking Trojan can be targeted and will use social engineering in order to trick the recipient into activating the malware, but Zeus is not an APT. The attacker doesn’t necessarily care about who the individual recipient is; they may have been selected simply because the attacker is able to exploit information gathered about that individual, typically harvested through social networking Web sites. Social engineering has always been at the forefront of many of these more sophisticated types of attack, specially designed to penetrate a company’s defenses and gain access to intellectual property or, in the case of Stuxnet, to interfere with the physical control systems of an operation. Without strong social engineering, or “head-hacking,” even the most technically sophisticated attacks are unlikely to succeed. Many socially engineered attacks are based on information harvested through social networking and social media Web sites. Once the attackers are able to understand their targets’ interests and hobbies, with whom they socialize, and who else may be in their networks, they are often able to construct more believable and convincing attacks. The data in this section is based on analysis of targeted email malware identified and blocked by Symantec.cloud on behalf of its customers in 2011.

Data and Commentary

In 2010 Stuxnet and Hydraq grabbed headlines and clearly demonstrated the warnings the security community had raised for years: that malware could be used for cyber-terrorism, real-world destruction and industrial espionage. In 2011 Stuxnet became a teachable moment for many trying to explain the need for better cyber-defenses, and an inspiration for security researchers searching for new types of systems that could be hacked. Duqu, discovered in October 2011, brought the news back to the actual threat of Stuxnet. Based in part on actual Stuxnet code, Duqu was discovered performing reconnaissance within a handful of organizations, its future target not yet clear. Reports from Iran of a Star virus may have been an early report of Duqu (exfiltration of data by Duqu was hidden, appended to the end of a JPG file containing a picture of the solar system), but Duqu contained no payload and we have yet to see any version of Duqu built to cause cybersabotage. This offspring of Stuxnet, to this point, remains interested only in gathering information.


Various long-term attacks against the petroleum industry, NGOs and the chemical industry (reported by Symantec as the Nitro attacks) also came to light in 2011. And of course “hacktivism”-driven attacks by Anonymous, LulzSec and others dominated security news in 2011. The ongoing arrests of some of the people behind these attacks will clearly dominate coverage in 2012, at least for a while. The hacktivism of 2011 brought on much-needed discussion on fixing poor security practices, and clearly protecting customers’ information should be a top priority for all companies in 2012 and beyond. But hacktivism and high-profile attacks tended to obscure how common targeted attacks had become, and fruitless arguments about the appropriate use of the term Advanced Persistent Threat (APT) drove debate but shed no real light on targeted attacks. To understand the nature of targeted attacks, Symantec collected data on over 26,000 attacks that could clearly be identified as targeted. These attacks were email based and contained a malicious payload. Using our advanced data analytics framework, named TRIAGE [6], we were able to identify distinct targeted attack campaigns as well as define the characteristics and dynamics of these attack campaigns. From this study we have drawn conclusions about targeted attacks which contradict some popular, but admittedly not universally held, assumptions about targeted attacks.

Assumption: Only large corporations, governments and defense industries are being targeted for attack. The total number of attacks aimed at organizations with fewer than 2,500 employees is roughly equal to the number aimed at organizations with more than 2,500 employees.

Assumption: Only senior managers and subject matter experts get targeted. Attackers want to capture the knowledge workers who have access to intellectual property (IP), but they don’t have to attack them directly to get the information they want.

Assumption: A targeted attack is a single attack. Too often organizations think that if they are not the target of a high-profile attack, or if one attack has been blocked, their troubles are over. However, our research shows that a targeted attack can go on for months. The attack will change over time, with new social engineering, new malware, and often leveraging multiple zero-day vulnerabilities. What our research does not show is attackers giving up after one attempt to breach an organization.

6 Developed by Symantec in the context of the European-funded WOMBAT research project (http://www.wombat-project.eu/), TRIAGE is a novel attack attribution method based on a multi-criteria decision algorithm. This technique has been implemented and used to analyze various types of threats. In 2009, it was used to provide input to the Symantec Report on Rogue Security Software. TRIAGE is currently being improved and enriched with Visual Analytics technologies in the context of another European-funded research project named VIS-SENSE (http://www.vis-sense.eu/), in which Symantec collaborates with five other partners.

The Characteristics of a Targeted Attack

Defining a large versus medium versus small company can be somewhat arbitrary. For the purposes of our research we have defined large companies as those having over 2,500 employees. Medium companies are between 250 and 500; and small companies are those with fewer than 250 employees. When comparing the number of targeted attacks directed at companies with 2,500 or more employees and companies with fewer than 2,500, we see an equal split. 28.3% of all targeted attacks are targeted at small to medium-sized companies, as illustrated in Figure B.13. And despite the commonly held belief of small businesses that they would never be the victims of a targeted attack, 17.8% of all targeted attacks are directed at small businesses with up to 250 employees.


Each of these targeted attacks is a single attack against a single individual. However, this does not mean that each individual is only attacked once. In the targeted attack campaigns analyzed by Symantec, a clear picture emerges of the restlessness of attackers once they find a target. The data below shows attacks against an individual we’ve given the alias Mr. X. Mr. X was attacked repeatedly over a nine-month period. In the month of June 2011 alone, Mr. X was attacked 24 times, almost daily.

On average a target will see far fewer attacks than Mr. X, but this may reflect the quick success of such attacks, rather than the attackers giving up quickly. Additionally, the ability of Mr. X to avoid infection may well be countered by the attackers infecting co-workers. The strategy of using co-workers to move towards the ultimate target is quite common and may be the go-to method against targets as resilient as Mr. X. Additionally, a large number of attacks against one organization may be used as the opening gambit in an attack where valuable individual targets have not yet been identified by the attacker. This “spray and pray” method allows attackers to get a foothold in an organization and use that foothold to gather intelligence and to leap to their ultimate target. Think of these as massive attacks that are nevertheless targeted organizationally; in other words, a Massive Organizational Targeted Attack (MOTA). Based on our research, the average targeted attack campaign comprises 78 attacks targeting 61 email addresses within a 4-day period. And yet some attack campaigns were observed lasting up to 9 months and targeting as many as 1,800 mailboxes. Who are these targets?


While 42% of the mailboxes targeted for attack belong to high-level executives, senior managers and people in R&D, the majority of targets are people who are unlikely to have such information. Why then are they targeted? As we’ve said, they provide a stepping-stone to the ultimate target. And in the case of personal assistants, sales and media (public relations) staff, they work closely with people who are the ultimate target. But just as important, these people are also easy to find and research online: email addresses for public relations people, shared mailboxes and recruiters are commonly found on a company’s web site. Additionally, these people are used to being contacted by people they do not know. And in many cases part of the job requires them to open unsolicited files from strangers. Think of how many resumes a recruiter receives each day in a document or PDF file attachment. Finally, under the illusion that targeted attacks are only aimed at high-level executives or those working with the company’s intellectual property (IP), they are less likely to have their guard up against social engineering.

In Figure B.16, we can see that malicious PDFs continue to be widely used in targeted attacks (over one third of attacks). However, malicious Zip and RAR archives are starting to be commonly used by attackers (27% of the attacks). It is worth noting that PE32 executable files attached to emails are very infrequent in targeted attacks. Looking at the breakdown of targeted attacks by industry, it is not surprising that the most frequently targeted organizations are governments. These organizations see the most attacks and this data will come as no surprise to them. However, other industries are clearly experiencing targeted attacks. Symantec research shows that “niche” sectors are usually more targeted by highly focused attacks. While Government and Defense industries are more likely to see a MOTA type of attack, industries like Agriculture, Construction, Oil and Energy mainly see attacks that are highly targeted at a small number of companies and individuals within them.


This is not to say that Government and Defense Industries do not see highly targeted attacks. Two-thirds of attack campaigns involved either a one-off or a very limited number of attacks against organizations active in the same sector. Over 50% of those single-sector campaigns target the Government and Defense industry sectors. This type of highly targeted attack campaign can be illustrated with the Sykipot attacks. These attacks were part of a long-running series of attacks using the Sykipot family of malware. Sykipot has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. The latest wave spiked on December 1, 2011 with a huge increase of targeted individuals being sent a PDF containing a zero-day exploit against Adobe Reader and Acrobat (CVE-2011-2462). The attackers involved in Sykipot have a history of attacking various industries; however, a majority of these attacks belong to the defense industry. More details on Sykipot attacks can be found later in this section and also in Appendix D – Vulnerability Trends. One in three targeted attack campaigns are instead organized on a large-scale and fit the profile of a Massive Organizationally Targeted Attack; they target multiple people in multiple organizations, in different sectors, over multiple days. Most of these large-scale campaigns are very well resourced, with up to 4 different exploits used during the same campaign. Some are even multilingual: the language used in the email attack is tuned to the targeted recipients (such as the use of Chinese for .cn recipient domains, Japanese for .jp, Russian for .ru, etc.). Examples of this type of attack campaign include the long-running series of Taidoor attacks, or more recently the Nitro attack waves. The bulk of the Nitro attacks were launched in late July 2011 and continued into mid-September and late October 2011. 
The purpose of the attacks appears to be industrial espionage, mainly targeting the chemical and petroleum industries and collecting intellectual property for competitive advantage. However, our research shows that the Nitro attackers could also have targeted senior executives working in the defense industry and the aerospace domain in another series of attacks that took place in October 2011. More details on the Taidoor and Nitro campaigns can be found later in this section.

Case Study – MOTA campaign NR4
NR4 is one mass-scale attack campaign out of the 130 that Symantec's TRIAGE technology analyzed. (There is no significance to the name NR4.) We do not know the ultimate goal of the attackers behind this campaign, but we do know that they targeted diplomatic and government organizations, and that the attacks took place over a three-month period. The attacks all originated from accounts on a popular free Web-based email service, and all came from one of three sender aliases. Multiple email subject lines were used, all of potential interest to the recipients, with the majority being about current political issues. Almost all targeted recipients were placed in the BCC field of the email.

The first wave of attacks began on 28 April 2011, from a single email alias. Four organizations were targeted in this first series of attacks. In one of them, the CEO as well as media and sales staff were targeted; over the course of the campaign the CEO was targeted 34 times. On 13 May 2011, a new email account began sending email to targets, and the majority of the attacks came from this account. This alias continued the attacks on the four previous organizations but added dozens of additional ones. One organization first targeted in this wave was targeted 450 times: a total of 23 people in the organization, with the main focus on its researchers. The final attack wave started on 30 June 2011 and ended 19 days later. While attacking a number of organizations already part of the campaign, it also targeted five new organizations. By 19 July 2011, the NR4 campaign had come to an end.

During the three months of this campaign, hundreds of emails, in English and in Chinese (used against Chinese-speaking targets), arrived in targeted users' mailboxes. While the content of the email was constantly being changed, each email carried an attached PDF or RAR file with the same exploit, which would infect the user once the attachment was opened. Interestingly, our research also showed that the three attackers involved in the NR4 campaign used the same command-and-control (C&C) servers for controlling compromised machines and exfiltrating data.

Conclusion
Targeted attacks should be a concern for all organizations, large and small. While C-level executives and those who work with a company's intellectual property should be careful, everyone in an organization is at risk of being targeted. This is especially true of workers who, in the course of their jobs, typically receive email from people they don't know.
In the end, no matter the size or type of organization you have or your role in that organization, you are at risk and best practices must be followed to protect the organization. Don’t become the weakest link in the supply chain.

TRIAGE Analysis of Targeted Attacks
Background
Symantec's TRIAGE data analytics technology aims at answering some fundamental questions about targeted attacks:
Attribution: can we link series of similar attacks, perhaps targeting different organizations on the same or different dates, to larger-scale campaigns likely organized by the same group of individuals?
How many different groups of attackers can we identify based on their modus operandi?
What are the characteristics and dynamics of such attack campaigns?
Can we observe multiple connections among those attacks, for example regarding the subjects used, the malicious attachments, the targeted recipients or the date of the attack?

Methodology
To identify series of targeted attacks that are likely performed by the same individuals, we have used a novel attack-attribution method named TRIAGE. Developed by Symantec in the context of the European-funded WOMBAT research project (http://www.wombat-project.eu/), TRIAGE is based on a multi-criteria decision algorithm. It has been implemented in an analytical software framework that is now maintained in the context of VIS-SENSE, a European research project that aims at improving security analysis with novel visual-analytics technologies. By leveraging TRIAGE, targeted attacks are automatically grouped together based on common elements likely due to the same root cause. As a result, we are able to identify complex patterns showing various types of relationships among series of targeted attacks, giving insight into the manner in which attack campaigns are orchestrated. The TRIAGE approach is illustrated in figure B.19, below.

Data and Commentary
Insights into targeted attack campaigns
Symantec's TRIAGE technology has identified 130 clusters of attacks, which quite likely reflect distinct campaigns organized by the same groups of individuals. Within a cluster, every attack is linked to the others by at least 3 or 4 of the following characteristics:
The origin of the attack (email 'From' address, or IP address used by the attacker).
The attack date.
The characteristics of the malicious file attached to the email (MD5 checksum, AV signature and file name).
The email subject.
The targeted recipient ('To:' or 'Bcc:' address fields in the email).
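The clustering rule just described can be reproduced in a few lines. What follows is an added example written for this page, not Symantec's TRIAGE implementation: it links two attack records when they agree on at least three of the five characteristics listed above (the attachment's MD5, AV signature and file name are folded into one "attachment" characteristic, which is an assumption of the example) and takes the connected components of the resulting link graph as campaigns. The attack records are constructed for illustration.

```python
"""Multi-criteria attack clustering in the spirit of TRIAGE.

Added example, not Symantec's code. Two attacks are linked when they share
at least MIN_SHARED of the FEATURES below; campaigns are the connected
components of that link graph, so linkage is transitive.
"""
from collections import defaultdict
from itertools import combinations

# The report lists origin, date, attachment (MD5/AV signature/file name),
# subject and recipient. Assumption: the three attachment facets are
# folded into a single 'attachment' key holding the MD5.
FEATURES = ("origin", "date", "attachment", "subject", "recipient")
MIN_SHARED = 3  # lower bound of the report's "at least 3 or 4"

# Constructed records for illustration (not real attack data).
ATTACKS = [
    {"id": "a1", "origin": "alias1@webmail.example", "date": "2011-04-28",
     "attachment": "md5-AAA", "subject": "Budget proposal",
     "recipient": "ceo@org-a.example"},
    {"id": "a2", "origin": "alias1@webmail.example", "date": "2011-04-28",
     "attachment": "md5-AAA", "subject": "Budget proposal",
     "recipient": "press@org-a.example"},
    {"id": "a3", "origin": "alias2@webmail.example", "date": "2011-05-13",
     "attachment": "md5-AAA", "subject": "Budget proposal",
     "recipient": "press@org-a.example"},
    {"id": "a4", "origin": "alias2@webmail.example", "date": "2011-05-13",
     "attachment": "md5-AAA", "subject": "Election news",
     "recipient": "research@org-b.example"},
    # Unrelated attack: shares too little with the others to be linked.
    {"id": "a5", "origin": "other@example.net", "date": "2011-09-01",
     "attachment": "md5-CCC", "subject": "Invoice",
     "recipient": "ap@org-c.example"},
]


def shared_features(x, y):
    """Characteristics on which two attack records agree (missing values never match)."""
    return {f for f in FEATURES if x.get(f) is not None and x.get(f) == y.get(f)}


class UnionFind:
    """Disjoint-set forest used to collect connected components."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_attacks(attacks, min_shared=MIN_SHARED):
    """Return (clusters, links).

    clusters: list of sorted id lists, largest first.
    links: {(id_x, id_y): sorted shared characteristics} for every linked pair.
    Because clusters are connected components, a1~a2 and a2~a3 place a3 in
    a1's campaign even if a1 and a3 share fewer than min_shared directly.
    """
    uf = UnionFind([a["id"] for a in attacks])
    links = {}
    for x, y in combinations(attacks, 2):
        common = shared_features(x, y)
        if len(common) >= min_shared:
            uf.union(x["id"], y["id"])
            links[(x["id"], y["id"])] = sorted(common)
    groups = defaultdict(list)
    for a in attacks:
        groups[uf.find(a["id"])].append(a["id"])
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda c: (-len(c), c))
    return clusters, links


def campaign_profile(attacks, cluster):
    """Per-campaign figures of the kind the report tabulates."""
    members = [a for a in attacks if a["id"] in cluster]
    dates = sorted(a["date"] for a in members)
    return {
        "attacks": len(members),
        "origins": len({a["origin"] for a in members}),
        "attachments": len({a["attachment"] for a in members}),
        "recipients": len({a["recipient"] for a in members}),
        "first": dates[0],
        "last": dates[-1],
    }


if __name__ == "__main__":
    found, edges = cluster_attacks(ATTACKS)
    for c in found:
        print(c, campaign_profile(ATTACKS, c))
    for pair, feats in edges.items():
        print(pair, "linked on", feats)
```

Raising the threshold to four characteristics breaks the chain a1–a2–a3–a4 into separate clusters, which is the trade-off behind the report's "3 or 4": a low threshold follows an attacker who rotates sender aliases and subjects, a high one avoids merging unrelated campaigns that happen to share an attachment and a date.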

The table shown below in figure B.20 gives some global characteristics calculated across all attack campaigns identified by Symantec in 2011.

Based on the number of targeted recipients and sectors, we have classified the attack campaigns into two main types (Figure B.21):
Type 1 – Single-sector: highly focused attack campaigns targeting one (1.a) or several (1.b) organizations within the same activity sector.
Type 2 – Multi-sector: larger-scale campaigns that usually target a large number of organizations across multiple sectors. These attacks fit the profile of a Massive Organizationally Targeted Attack (MOTA).

Type 1 – Highly targeted campaigns: Sykipot attacks
Two-thirds of the attack campaigns identified by Symantec targeted either a single organization or a very limited number of organizations active in the same sector. Over 50% of those single-sector campaigns target the Government and Defense sectors. However, other industries clearly experience such highly targeted attacks too. Symantec research shows that "niche" sectors are usually the more frequent targets of highly focused attacks: industries in sectors like agriculture, construction, oil and energy mainly see attacks aimed at a small number of companies and individuals within them.

A good example of such a highly targeted campaign is the Sykipot series of attacks, with the majority of these attacks targeting the defense industry or governmental organizations. The modus operandi of the attackers is always the same: they send specifically chosen recipients an email with an appealing subject, sometimes from a spoofed email address related to the activity or position of the targeted recipient, containing a malicious document that exploits a previously unknown (zero-day) vulnerability in Adobe Reader and Acrobat or in Microsoft Office. Figure B.22, below, shows an example of such an email. The name and address used by the attacker were those of a high-level executive holding the position of Associate General Counsel within the targeted defense company.

Figure B.23, below, visualizes the Sykipot attack waves identified by Symantec's TRIAGE technology during April 2011. Three different attackers (red nodes) sent about 52 emails to at least 30 mailboxes of employees working for two different defense companies, on three different dates. The subject lines (yellow nodes) are shared among the attackers, and two of them used the same mailer agent from the very same IP address to launch the attacks. Three different MD5s were used in this Sykipot campaign (gray nodes).

Type 2 – Massive Organizationally Targeted Attacks (MOTA): Nitro and Taidoor attacks
One third of attack campaigns were organized on a large scale and fit the profile of a Massive Organizationally Targeted Attack (MOTA): they target multiple people in multiple organizations, in different sectors, over multiple days. Most of these large-scale campaigns are very well resourced, with up to four different exploits used during the same campaign. Some are even multilingual: the language used in the attack email is tuned to the targeted recipients.

The Taidoor attacks are a textbook example of this type of mass-scale campaign. These attacks can comprise a long series of attack waves, sometimes spread over a long period of time (several months, or even a few years in some cases). As illustrated in the figure below, the relationships between attackers in those campaigns are usually much more complex, involving many inter-relationships at different levels (for example, common MD5s, the same mailer or IP address, and so on). This may indicate that several teams of attackers are collaborating or sharing some of their resources (such as malicious code, virtual servers from which to launch attacks, or intelligence on the targets). They usually target a very large number of recipients working for different organizations, which can be active in completely different sectors.

The Nitro attacks are another example of a mass-scale attack campaign. The bulk of the Nitro attacks was launched in late July 2011 and continued into mid-September; another, unconfirmed, Nitro campaign was also identified in October 2011. The purpose of the attacks appears to be industrial espionage, mainly targeting the chemical and petroleum industries to collect intellectual property for competitive advantage. An example of an email sent during the Nitro attack waves is shown in figure B.25, below. In this campaign, Symantec.cloud blocked over 500 attacks of this type, in which the attackers use a spoofed email address (presumably appearing to come from an IT support desk) to entice users to install a fake Adobe software update packaged in a zip file, which contains a zero-day exploit to compromise the users' machines. While most targeted recipients were employees of chemical companies, our research has shown that the Nitro attackers also targeted senior executives working in the defense industry and the aerospace domain during the same series of attacks in October 2011.

Attack campaigns are quite often characterized by the use of specific mailers. In our research, we have observed a substantial number of attacks sent through free webmail providers. The next most frequently used mailer agents are Microsoft Outlook and Outlook Express, accounting for 18% and 6% respectively, as shown in figure B.26, below. However, some other, less frequent mailers have also been used in targeted attacks, such as the GMX web mailer, which was used during the Sykipot attacks in December 2011 targeting defense contractors and governmental organizations.

Spam and Fraud Activity Trends
This section discusses phishing and spam trends. It also discusses activity observed on underground economy servers, because this is where much of the profit from phishing and spam attacks is made. Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking (or spoofing) a specific, usually well-known brand. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they can then use to commit fraudulent acts. Phishing generally requires victims to provide their credentials, often by duping them into filling out an online form. This is one of the characteristics that distinguish phishing from spam-based scams (such as the widely disseminated "419 scam"¹ and other social engineering scams).

Spam is usually defined as junk or unsolicited email sent by a third party. While it is certainly an annoyance to users and administrators, spam is also a serious security concern because it can be used to deliver Trojans, viruses, and phishing attempts. Spam can also include URLs that link to malicious sites which, without the user being aware of it, attack the user's system upon visitation. Large volumes of spam can also cause a loss of service or a degradation in the performance of network resources and email services.

This section discusses the following metrics:
Analysis of Spam Activity Trends
Analysis of Spam Activity by Geography, Industry Sector and Company Size
Analysis of Spam Delivered by Botnets
Spam Botnet Analysis – A Strategic Viewpoint
Significant Spam Tactics
Spam by Language
Spam by Category
Future Spam Trends: BGP Hijacking
Phishing Activity Trends
Analysis of Phishing Activity by Geography

¹ http://www.symantec.com/connect/blogs/419-oldest-trick-book-and-yet-another-scam

Analysis of Spam Activity Trends
Background
This section discusses the patterns and trends relating to spam message volumes and the proportion of email traffic identified as spam during 2011.
Methodology
The analysis for this section is based on global spam and overall email volumes for 2011. Global values are determined from the statistically representative sample provided by Symantec's Brightmail² operations, and spam rates include spam blocked by Symantec.cloud.
Data and Commentary

There were approximately 42.1 billion spam emails in circulation worldwide each day in 2011, compared with 61.6 billion in 2010; a decrease of 31.8% in global spam volume.

Overall for 2011, 75.1% of email traffic was identified as spam, compared with 88.5% in 2010; a decrease of 13.4 percentage points.
² http://www.symantec.com/security_response/landing/spam/

Analysis of Spam Activity by Geography, Industry Sector and Company Size
Background
Spam activity trends can also reveal patterns that may be associated with particular geographical locations, or hotspots. This may be a consequence of social and political changes in the region, such as increased broadband penetration and increased competition in the marketplace, which can drive down prices and increase adoption rates. There may also be other factors at work, based on local economic conditions that present different risk factors. Similarly, the industry sector may also influence an organization's risk, where certain industries are exposed to different levels of threat by the nature of their business. Moreover, the size of an organization can also play a part in determining its exposure to risk. Small to medium-sized businesses (SMBs) may find themselves the target of a spam attack because they are perceived to be a softer target: they are less likely to have the same level of security countermeasures as larger organizations, which are more likely to apply greater budgets to their anti-spam and security countermeasures.
Methodology
Analysis of spam activity based on geography, industry and size is determined from the patterns of spam activity for Symantec.cloud clients during 2011.
Data

Commentary
The spam rate decreased across all top-ten geographies in 2011. The highest rate of spam was for organizations in Saudi Arabia, with an overall average spam rate of 80.9%. In 2010, the highest rate was in Italy, with an overall average spam rate of 93.5%. The spam rate decreased across all top-ten industry sectors in 2011. Organizations in the automotive sector were subjected to the highest spam rate of 77.9% in 2011; in 2010, the engineering sector had the highest spam rate, at 93.5%. The spam rate decreased for all sizes of organization in 2011. 75.2% of emails sent to large enterprises with more than 2,500 employees in 2011 were identified as spam, compared with 90.1% in 2010. 74.6% of emails sent to small to medium-sized businesses with up to 250 employees in 2011 were identified as spam, compared with 89.7% in 2010.

Analysis of Spam Delivered by Botnets
Background
This section discusses botnets and their use in the sending of spam. Just as ballistics analysis can reveal the gun used to fire a bullet, botnets can be identified by common features within the structure of email headers and by corresponding patterns during the SMTP³ transaction. Spam emails are classified for further analysis according to the originating botnet during the SMTP transaction phase. This analysis only reviews botnets involved in sending spam and does not look at botnets used for other purposes, such as financial fraud or DDoS attacks.
Methodology
Symantec.cloud spam honeypots collected between 5 and 10 million spam emails each day during 2011. These are classified according to a series of heuristic rules applied to the SMTP conversation and the email header information. Further information and examples of this analysis can be found later in this appendix, in "Spam Botnet Analysis – A Strategic Viewpoint." A variety of internal and external IP reputation lists are also used to classify known botnet traffic based on the source IP address of the sender. Information is shared with other security experts to ensure the data is up to date and accurate.
Data

³ SMTP – Simple Mail Transfer Protocol
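The header-structure fingerprinting described under Background and Methodology, as an added example written for this page rather than Symantec.cloud's classifier: it reduces each message to the shape its sending engine leaves behind (header order, the character-class skeleton of the Message-ID and of the SMTP HELO argument), matches that shape against a rule set, and falls back to an IP reputation list when the rules say nothing. The two signatures, the sample messages, the HELO strings and the IP addresses (from the 192.0.2.0/24 documentation range) are all constructed for illustration and describe no real botnet.

```python
"""Botnet-family classification from header structure and the SMTP dialogue.

Added example, not Symantec.cloud's rule set. The signatures below are
constructed and describe no real botnet; they exist to show the mechanism.
"""
import re
from email import message_from_string


def shape(value):
    """Character-class skeleton of a header value: letter runs become 'a',
    digit runs become 'd', punctuation is kept. Per-message values that a
    spammer randomises collapse to the shape the sending engine produces.
    Letters are replaced first so the 'd' placeholder is not rewritten."""
    s = re.sub(r"[A-Za-z]+", "a", value)
    return re.sub(r"[0-9]+", "d", s)


def fingerprint(raw_message, helo):
    """Structural features of one message plus the HELO argument seen in
    the SMTP transaction that delivered it."""
    msg = message_from_string(raw_message)
    return {
        "header_order": tuple(k.lower() for k in msg.keys()),
        "msgid_shape": shape(msg.get("Message-ID", "")),
        "helo_shape": shape(helo),
    }


# Constructed signatures (hypothetical families, not real botnet names).
# Every listed feature must match; a value may be exact or a compiled regex.
SIGNATURES = [
    ("family-alpha", {
        "header_order": ("from", "to", "subject", "date", "message-id",
                         "mime-version", "content-type"),
        "msgid_shape": "<d.d@a.a>",
        "helo_shape": "a",              # bare word, no dots
    }),
    ("family-beta", {
        "header_order": ("message-id", "date", "from", "to", "subject",
                         "mime-version", "content-type"),
        "msgid_shape": re.compile(r"^<[ad]+@a\.a>$"),
        "helo_shape": "[d.d.d.d]",      # bracketed IP literal
    }),
]

# Constructed reputation list (TEST-NET-1 addresses): the fallback when the
# structural rules say nothing.
IP_REPUTATION = {"192.0.2.77": "family-beta"}


def _matches(expected, actual):
    if actual is None:
        return False
    if hasattr(expected, "search"):
        return expected.search(actual) is not None
    return expected == actual


def classify(fp, source_ip=None, signatures=SIGNATURES, reputation=IP_REPUTATION):
    """Header/SMTP rules first; IP reputation second; otherwise 'unknown'."""
    for family, sig in signatures:
        if all(_matches(exp, fp.get(feat)) for feat, exp in sig.items()):
            return family
    return reputation.get(source_ip, "unknown")


def _raw(*lines):
    return "\n".join(lines) + "\n\nhttp://pills.example/\n"


# Constructed sample messages: (raw message, HELO argument, source IP).
SAMPLES = [
    (_raw('From: "Ann" <ann@shop.example>', "To: victim@example.com",
          "Subject: Your order", "Date: Wed, 16 Mar 2011 10:00:00 +0000",
          "Message-ID: <20110316100000.12345@shop.example>",
          "MIME-Version: 1.0", "Content-Type: text/plain"),
     "mail", "192.0.2.10"),
    (_raw('From: "Bob" <bob@deals.example>', "To: other@example.org",
          "Subject: Re: invoice", "Date: Thu, 17 Mar 2011 11:30:00 +0000",
          "Message-ID: <20110317113000.6789@deals.example>",
          "MIME-Version: 1.0", "Content-Type: text/plain"),
     "server", "192.0.2.11"),
    (_raw("Message-ID: <A1B2C3D4@host.example>",
          "Date: Thu, 17 Mar 2011 12:00:00 -0500",
          'From: "Cy" <cy@host.example>', "To: someone@example.net",
          "Subject: hi", "MIME-Version: 1.0", "Content-Type: text/plain"),
     "[192.0.2.50]", "192.0.2.50"),
    # Same header order as family-alpha but a different Message-ID shape:
    # a partial match is not a match, so only reputation can label it.
    (_raw('From: "Di" <di@mail.example>', "To: victim@example.com",
          "Subject: hello", "Date: Fri, 18 Mar 2011 09:00:00 +0000",
          "Message-ID: <abc@mail.example>",
          "MIME-Version: 1.0", "Content-Type: text/plain"),
     "relay", "192.0.2.77"),
]


def classify_samples(samples=SAMPLES):
    """Label each constructed sample: list of family names in input order."""
    return [classify(fingerprint(raw, helo), ip) for raw, helo, ip in samples]


if __name__ == "__main__":
    for (raw, helo, ip), label in zip(SAMPLES, classify_samples()):
        print(ip, helo, fingerprint(raw, helo)["msgid_shape"], "->", label)
```

The fourth sample is the case worth watching in practice: it matches a signature on header order alone, and a rule set that accepted partial matches would mislabel it. Requiring every feature, and keeping reputation as a separate lower-confidence step, is what lets the classifier say "unknown" rather than guess.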

Commentary
Overall in 2011, approximately 78.8% of all spam was distributed by spam-sending botnets, compared with 88.2% in 2010, a decrease of 9.4 percentage points. This was in large part owing to the disruption of the Rustock botnet on 16 March 2011. By the end of 2011, this figure had risen again to 81.2%. In the 7 days prior to the disruption of Rustock, approximately 51.2 billion spam emails were in circulation worldwide each day. In the 7 days following, this number fell to 31.7 billion, a decrease of 38.0% in global spam volume. The global spam rate during the 7 days before Rustock ceased spamming was 78.2%, compared with 70.0% in the 7 days after. During the second half of 2011, the fluctuation in the volume of spam distributed by botnets became much more noticeable, as shown in figure C.6. Large spam runs often lasted for only two or three days, and when a run ceased the volume of botnet spam fell considerably; by contrast, when Rustock was in operation during 2010 and the first quarter of 2011, it sent spam almost continuously at a fairly regular and steady rate.

Spam Botnet Analysis – A Strategic Viewpoint
Background
Most previous studies on spamming botnets have focused on identifying botnet characteristics and signatures, not on understanding the community behavior of spam botnets. In this analysis Symantec looked at the global behavior of spam botnets by correlating their spam campaigns through multiple characteristics. The goal is to better understand the modus operandi of the spammers controlling those botnets and how the botnets are used in spam campaign operations. Using the same methodology, we looked at the impact of the Rustock takedown on the botnet ecosystem.
Methodology
Symantec used a three-month data set collected by our spam traps, comprising approximately 1 million spam messages. Twelve characteristics were extracted from the email headers and message bodies, which were in turn correlated to classify spam messages likely to have originated from the same spammer operation. These characteristics include attributes such as the character set used, the Subject: lines, the From: domains and the URIs appearing in the message bodies.

Where a large number of characteristics were shared, these common traits suggested that the same botnet or spam operation was involved.
Data and Commentary
Correlating interconnections between botnet spam campaigns
Research shows that different botnets may perform very similar spam campaigns in the same period of time, and are strongly interconnected through several characteristics of the spam messages. For example, Figure C.8 visualizes approximately 1,200 spam campaigns sent through Rustock, Grum, Cutwail and Mega-D. The small nodes in the center of the graph indicate bot host names shared among two or more botnets. Similar interconnections were obtained for other characteristics as well, such as the Subject: lines, From: domains, URLs, etc. The analysis hypothesized three possible explanations for these interconnections between different botnets: (i) certain computers are compromised by more than one bot and are used in parallel by different spammers to perform similar-looking spam campaigns; (ii) the spammers controlling those botnets are collaborating (for example, load-balancing spam campaigns across two or more botnets); and (iii) botnet signatures may sometimes fail to identify bots with 100% accuracy. Figure C.9, below, shows another example: a spam campaign sent through Lethic and Maazben on three consecutive dates, involving shared URLs, Subject: lines, character sets and host names. At the time of analysis, all URIs redirected to the same website, which was distributing fake pharmaceutical products. A number of From: domains used in this campaign were also shared by the two botnets, but are not shown on the graph.

Dynamics of spam campaigns
Symantec research has shown that spam campaigns sent through the Rustock and Grum botnets are rather long-lived and stable, whereas campaigns distributed through Lethic and Maazben are short-lived (lasting on average between 2 and 7 days) and more polymorphic with respect to certain features, such as the frequent use of disposable URLs and From: domains, which are changed every day.
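The two analyses above (interconnections between botnets through shared message characteristics, and campaign lifetime and URL churn) can be computed from labelled spam records as follows. This is an added example written for this page, not Symantec's analysis code. It assumes each record already carries a botnet label from the header-classification step; the records, the labels (placeholders botnet-1 to botnet-4, not the real botnets named in the text), the domains and the dates are constructed.

```python
"""Cross-botnet overlap and campaign dynamics over labelled spam records.

Added example, not Symantec's analysis. Botnet labels and values are
constructed; 'botnet-1'..'botnet-4' are placeholders, not real botnets.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

ATTRIBUTES = ("subject", "from_domain", "uri", "charset")

# Constructed records: (date, botnet label, subject, From: domain, URI, charset).
RECORDS = [
    (date(2011, 3, 1), "botnet-1", "Cheap meds", "meds.example", "http://meds.example/", "iso-8859-1"),
    (date(2011, 3, 5), "botnet-1", "Cheap meds", "meds.example", "http://meds.example/", "iso-8859-1"),
    (date(2011, 3, 10), "botnet-1", "Cheap meds", "meds.example", "http://meds.example/", "iso-8859-1"),
    (date(2011, 3, 5), "botnet-2", "Cheap meds", "meds.example", "http://meds.example/", "iso-8859-1"),
    (date(2011, 3, 3), "botnet-3", "Hot watches", "w1.example", "http://w1.example/", "utf-8"),
    (date(2011, 3, 4), "botnet-3", "Hot watches", "w2.example", "http://w2.example/", "utf-8"),
    (date(2011, 3, 5), "botnet-3", "Hot watches", "w3.example", "http://w3.example/", "utf-8"),
    (date(2011, 3, 4), "botnet-4", "Hot watches", "w2.example", "http://w2.example/", "utf-8"),
]


def as_dicts(records):
    keys = ("date", "botnet") + ATTRIBUTES
    return [dict(zip(keys, r)) for r in records]


def shared_values(records):
    """attribute -> {value: sorted botnets} for values seen in 2+ botnets.
    These are the 'small nodes in the centre of the graph' of Figure C.8."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in as_dicts(records):
        for attr in ATTRIBUTES:
            seen[attr][r[attr]].add(r["botnet"])
    return {attr: {v: sorted(b) for v, b in vals.items() if len(b) >= 2}
            for attr, vals in seen.items()}


def pair_overlap(records):
    """(botnet_a, botnet_b) -> number of shared attribute values, for pairs
    that share at least one. A high count across several attributes is the
    kind of evidence the text uses to argue one botnet took over another's work."""
    counts = defaultdict(int)
    for vals in shared_values(records).values():
        for bots in vals.values():
            for a, b in combinations(bots, 2):
                counts[(a, b)] += 1
    return dict(counts)


def campaign_dynamics(records):
    """(botnet, subject) -> lifetime in days, distinct URIs, active days and
    URI churn (distinct URIs per active day): ~1.0 means a disposable URL
    per day, near 0 means one stable URL for the whole run. A campaign seen
    on a single day scores 1.0 trivially, so read churn together with lifetime."""
    groups = defaultdict(list)
    for r in as_dicts(records):
        groups[(r["botnet"], r["subject"])].append(r)
    out = {}
    for key, rs in groups.items():
        days = {r["date"] for r in rs}
        uris = {r["uri"] for r in rs}
        out[key] = {
            "lifetime_days": (max(days) - min(days)).days + 1,
            "distinct_uris": len(uris),
            "active_days": len(days),
            "uri_churn": round(len(uris) / len(days), 2),
        }
    return out


if __name__ == "__main__":
    for attr, vals in shared_values(RECORDS).items():
        print(attr, vals)
    print(pair_overlap(RECORDS))
    for key, stats in sorted(campaign_dynamics(RECORDS).items()):
        print(key, stats)
```

On the constructed data, botnet-1 runs one URL for ten days (stable, like the Rustock/Grum campaigns in the text) while botnet-3 rotates a fresh domain each day (the Lethic/Maazben pattern), and each pair of botnets that shares subject, sender domain, URI and charset shows up in the overlap table. A shared URI is the strongest of these links because it ties both botnets to the same landing site regardless of how the sender-side attributes were randomised.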

Impact of the Rustock takedown
On 16–17 March 2011, Rustock C&C servers located in the U.S. were seized by federal law enforcement agents, thanks to a coordinated anti-botnet action led by the security industry and U.S. federal authorities. As a result of this action (dubbed Operation b107), the botnet was almost completely shut down. Looking at global spam volumes, Bagle apparently stepped up to serve the spammers. However, this relative increase in spam activity from Bagle was not a direct consequence of the Rustock takedown. Instead, our research shows that Grum much more likely took over (at least in part) Rustock's activities. We found that the two botnets were strongly interconnected by a number of common elements, such as the Subject: lines, the From: domains used to send spam, the charset and, more importantly, the URIs embedded in the messages. Perhaps even more conclusively, those shared URIs pointed to different domains registered by the same person (according to WHOIS registration data). All these interconnections between the two botnets lead us to think that part of Rustock's activity was offloaded to Grum shortly after the takedown.

Significant Spam Tactics
Background
This section discusses significant spam tactics used throughout 2011, including the size of spam messages and the languages used in spam emails.

Size of Spam Messages In 2011, 61.0% of spam messages were between 2KB and 5KB in size. For spammers, smaller file sizes mean more messages can be sent using the same resources, typically botnets. Increased sizes are often associated with malicious activity, where email attachments contain malicious executable code.

Proportion of Spam Messages Containing URLs In 2011, 86.2% of spam messages contained at least one URL hyperlink, compared with 91.1% in 2010, a decrease of 4.9 percentage points.

Top-Level Domains (TLDs) Identified in Spam URLs
In 2011, 58.5% of spam URLs were for domains registered in the .com top-level domain. The second most frequently used TLD was .ru, the country-code top-level domain for Russia, which accounted for approximately 11.5% of all spam URL domains.

Spam by Language
Background and Methodology
The data for this section is based on the analysis of spam processed by the Symantec.cloud Skeptic⁴ technology. A series of checks is made against the language of the subjects and headers available from the Skeptic knowledge base. The analysis for this metric is based on a random sample of 3.5 million spam messages.
Data

Commentary

Spam in English still dominates, but decreased over the year. At the end of 2010, 90% of spam detected was in English, falling to 88.7% by the end of 2011. This indicates growth in the proportion of non-English spam at the same time as overall spam volumes were diminishing. An email is classified as "unknown" when there is not enough recognizable text within the body to determine a language, typically because the body contains only a very small amount of HTML code, such as a hyperlink to a website or an image. The use of spam containing only images or URLs fell in 2011: of the non-English spam, approximately half was classified as "unknown" at the end of 2010, falling to 26% by the end of 2011.
⁴ http://www.symanteccloud.com/en/gb/globalthreats/learning_center/what_is_skeptic

Spam by Category
Background
Spam is created in a variety of styles and complexities. Some spam is plain text with a URL; some is cluttered with images and/or attachments. Some comes with very little text, perhaps only a URL. And, of course, spam is distributed in a variety of languages. It is also common for spam to contain "Bayes poison": random text, haphazardly scraped from websites, added to messages to "pollute" the spam with words bearing no relation to its intent. Bayes poison is used to thwart spam filters that typically try to identify spam using a database of words that are frequently repeated in spam messages. Any automated process that classifies spam into one of the categories listed below would need to overcome this randomness. For example, the word "watch" may appear in the random text included in a pharmaceutical spam message, making it harder to decide whether to classify the message as pharmaceutical spam or as watches/jewelry spam. Another challenge occurs when a pharmaceutical spam contains no obvious pharmaceutical-related words, but only an image and a URL. Spammers attempt to get their messages through to recipients without revealing too many clues that the message is spam. Any such clues found in the plain-text content of the email can be examined using automated anti-spam techniques. A common way to defeat automated techniques is to add random text, but an equally effective way is to include very little extra text and instead place only a URL in the body of the message. Spam detection services are often reluctant to classify spam into categories, both because it is difficult (for the reasons above) and because the purpose of spam detection is usually to determine whether a message is spam and block it, rather than to identify its subject matter.
To overcome the ambiguity faced when using automated techniques to classify spam, the most accurate approach is to have someone classify unknown spam manually. While time-consuming, this provides much more accurate results: an analyst can read the message, understand the context of the email, view images, follow URLs, and view websites in order to build the bigger picture around the spam message.
Methodology
Once per month, several thousand random spam samples are collected and classified by Symantec.cloud into one of the following categories:
Casino/Gambling
Degrees/Diplomas
Diet/Weight Loss
Jobs/Money Mules
Malware
Mobile Phones
Pharmaceutical
Phishing
Scams/Fraud/419s
Sexual/Dating
Software
Unknown/Other
Unsolicited Newsletters
Watches/Jewelry
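How Bayes poison and URL-only bodies defeat a word-frequency filter, as an added example written for this page (not Symantec's classifier): a minimal naive Bayes filter is trained on a constructed six-message corpus, then scores a pharmaceutical message, the same message with scraped filler appended, and a URL-only message. The training texts, the test messages and the filler are all constructed.

```python
"""Naive Bayes spam scoring versus Bayes poison and URL-only spam.

Added example, not Symantec's classifier. Corpus and messages are constructed.
"""
import math
import re
from collections import Counter

URL_RE = re.compile(r"https?://\S+")
WORD_RE = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case words only; URLs are treated as opaque and dropped, which
    is why a URL-only message yields no evidence at all."""
    return WORD_RE.findall(URL_RE.sub(" ", text.lower()))


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, label, text):
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_likelihood(self, label, tokens):
        total = sum(self.word_counts[label].values())
        denom = total + len(self.vocab)
        prior = self.doc_counts[label] / sum(self.doc_counts.values())
        return math.log(prior) + sum(
            math.log((self.word_counts[label][w] + 1) / denom) for w in tokens)

    def spam_probability(self, text):
        tokens = tokenize(text)
        log_spam = self._log_likelihood("spam", tokens)
        log_ham = self._log_likelihood("ham", tokens)
        # P(spam|doc) = 1 / (1 + exp(log_ham - log_spam)); stable in log space
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def build_filter():
    """Train on a constructed corpus of three spam and three ham messages."""
    nb = NaiveBayes()
    for text in ("cheap viagra pills online pharmacy",
                 "buy cheap pills now online",
                 "discount pharmacy viagra cialis"):
        nb.train("spam", text)
    for text in ("meeting agenda for monday project review",
                 "please review the attached report before the meeting",
                 "lunch on friday with the project team"):
        nb.train("ham", text)
    return nb


# Constructed test messages.
PHARMA = "cheap pills online pharmacy"
POISON = ("the project review meeting agenda for monday and the weather "
          "report from the team")  # filler scraped from ordinary text
URL_ONLY = "http://pills.example/x"


def score_all():
    """Spam probability of the clean message, the poisoned message and the
    URL-only message."""
    nb = build_filter()
    return {
        "pharma": nb.spam_probability(PHARMA),
        "poisoned": nb.spam_probability(PHARMA + " " + POISON),
        "url_only": nb.spam_probability(URL_ONLY),
    }


if __name__ == "__main__":
    for name, p in score_all().items():
        print(f"{name:9s} P(spam) = {p:.3f}")
```

The four pharmaceutical tokens push the clean message above 0.99, fourteen words of filler pull the same message below 0.05, and the URL-only body leaves the filter at its prior of exactly 0.5 with nothing to decide on. That is the whole argument for looking past the words: URL reputation, sender behaviour and structural fingerprints do not dilute when a spammer pads the body.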

Data

NB. These percentages represent the overall average of the monthly percentages for each category during the year, and as such the overall total for all categories will not equate to 100%.
Commentary
Pharmaceutical products still dominate, although to a lesser extent than in previous years. Approximately two fifths (39.6%) of all spam in 2011 was related to pharmaceutical products, a fall of 34.4 percentage points compared with 2010. This was in large part a result of the disruption of the Rustock botnet, since pharmaceutical spam accounted for the majority of Rustock's output. The disruption of Rustock in March 2011 had a major impact on the decline in pharmaceutical spam, although other botnets were also involved in distributing pharmaceutical spam in 2011, including Grum, Cutwail, and Donbot. A category with a low percentage still means millions of spam messages. Although it is difficult to be certain what the true volume of spam in circulation is at any given time, Symantec estimates that approximately 42.1 billion spam emails were sent globally each day in 2011. Where some of the categories listed earlier represent 0.5 percent of spam, this figure equates to more than 210 million spam emails in a single day. Spam related to Watches/Jewelry, Sexual/Dating, Casino/Gambling, Unsolicited Newsletters and Scams/Fraud all increased. Particularly notable is the increase in the Sexual/Dating category, which rose by 12.1 percentage points since 2010. These are often email messages inviting the recipient to connect to the scammer through instant messaging, or through a URL hyperlink where they are typically invited to a pay-per-view adult-content webcam site. Often any IM conversation would be handled by a bot responder, or by a person working in a low-pay, offshore call center.

Future Spam Trends: BGP Hijacking

Case Study - Beware of “Fly-by Spammers”

Background

Routing between Autonomous Systems (AS) is achieved using the Border Gateway Protocol (BGP), which allows ASes to advertise to others the addresses of their network and receive the routes to reach the other ASes (figure C.17, below). Each AS implicitly trusts the peer ASes it exchanges routing information with. BGP hijacking is an attack against the routing protocol that consists of taking control of blocks of IP addresses owned by a given organization without their authorization. This enables the attacker to perform other malicious activities (e.g., spamming, phishing, malware hosting) using hijacked IP addresses belonging to somebody else. Some articles have recently reported on the emerging phenomenon where spammers hijack unused networks and use them to send spam from clean, non-blacklisted IP addresses. This phenomenon has been referred to as fly-by spammers.

Methodology

In order to study this phenomenon, Symantec developed a traceroute-based tool that monitors the routes towards spamming hosts, to determine whether spammers actually manipulate Internet routing to launch spam campaigns. BGP routing data about monitored spamming networks is also collected to study the routing behavior of spammers.

Data and Commentary

On August 20th, the network administrator of the Russian telecommunication company "Link Telecom" complained on the North American Network Operators’ Group (NANOG) mailing list that his network had been hijacked by a spammer. The victim AS 31733 had five hijacked prefixes. On both August 25th and August 29th, changes were observed in the routes towards AS 31733 advertised in BGP. These changes were the result of the owner regaining control over his network. The hijack began in April 2011 when the spammer started to announce IP blocks belonging to the victim. Although the prefix appeared to be announced by the correct AS 31733, it was directly connected to the Internet Service Provider (ISP) AS 12182 Internap, located in the US. During the period the network was under the control of the spammer, spam was received by Symantec.cloud spam honeypots. In order to hijack the network, the spammer (i) found that the blocks of IP addresses were not currently announced in the Internet and (ii) had them routed via an ISP, probably using a fake proof of ownership of the network. The trust-based nature of BGP and the lack of widely deployed security mechanisms to check that the information exchanged between ASes is correct make such attacks still possible.

The routing state of the prefixes before, during and after the hijack is shown in figure C.18. We can see that the prefixes were not used when the hijack occurred, probably because the company suspended its activity for a while. While the AS originating the prefixes remained the same throughout the hijack period, the provider AS changed between the different states of the network. The providers AS 12695 and AS 43659, found respectively before and after the hijack, are official providers of AS 31733, whereas AS 12182 (Internap) is not (figure C.19). We also observed significant delays in the traceroute paths (figure C.20). Despite being an extremely rare occurrence, BGP hijacking by spammers is a reality, and it is always difficult to validate a suspicious case without the confirmation of the real owner of a hijacked network. Finally, it highlights the fact that some spammers have become sophisticated enough to take advantage of vulnerabilities in Internet routing in an effort to avoid current spam filters.
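A defender-side check for the pattern in this case study (correct origin AS, but an upstream that is not one of the origin's known providers, on address space that had been dormant), written as an added example rather than Symantec's own monitoring tool. The AS numbers are those named above; the prefix, the collector-side ASNs (64496 and 64500, from the documentation range) and the dates are constructed.

```python
"""Check BGP route snapshots for the fly-by spammer hijack pattern.

Added example, not Symantec's tool. AS 31733, its providers 12695 and
43659, and the non-provider 12182 are from the case study; the prefix
(an RFC 5737 documentation block), the ASNs 64496/64500 and all dates
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RouteSnapshot:
    seen: date                  # when a route collector observed this state
    prefix: str                 # announced prefix
    as_path: Tuple[int, ...]    # AS path, origin AS last; empty = not announced


# Who should originate each monitored prefix (constructed placeholder prefix).
EXPECTED_ORIGIN: Dict[str, int] = {"198.51.100.0/24": 31733}
# Each origin's legitimate upstream providers (from the case study).
KNOWN_PROVIDERS: Dict[int, Set[int]] = {31733: {12695, 43659}}


def classify(snap: RouteSnapshot,
             expected_origin: Dict[str, int],
             known_providers: Dict[int, Set[int]]) -> str:
    """Classify a single snapshot of a single prefix.

    'origin-hijack': somebody else originates the prefix (classic hijack).
    'path-hijack':   correct origin AS, but reached through an AS that is
                     not one of its known providers (the Link Telecom case).
    """
    if not snap.as_path:
        return "withdrawn"
    if snap.prefix not in expected_origin:
        return "unmonitored"
    origin = snap.as_path[-1]
    if origin != expected_origin[snap.prefix]:
        return "origin-hijack"
    if len(snap.as_path) == 1:
        return "ok"                 # collector peers directly with the origin
    upstream = snap.as_path[-2]
    if upstream in known_providers.get(origin, set()):
        return "ok"
    return "path-hijack"


def review_history(history: List[RouteSnapshot],
                   expected_origin: Dict[str, int],
                   known_providers: Dict[int, Set[int]],
                   dormant_days: int = 30) -> List[Tuple[date, str]]:
    """Walk snapshots in date order and tag each with a verdict.

    A prefix that reappears after being unannounced for at least
    `dormant_days` is additionally tagged 'reactivated:', because the
    hijack above targeted address space its owner had stopped announcing.
    """
    verdicts: List[Tuple[date, str]] = []
    last_announced: Dict[str, date] = {}
    withdrawn: Set[str] = set()
    for snap in sorted(history, key=lambda s: s.seen):
        verdict = classify(snap, expected_origin, known_providers)
        if verdict == "withdrawn":
            withdrawn.add(snap.prefix)
        else:
            if snap.prefix in withdrawn:
                # Never-before-announced prefixes count as fully dormant.
                gap = dormant_days
                if snap.prefix in last_announced:
                    gap = (snap.seen - last_announced[snap.prefix]).days
                if gap >= dormant_days:
                    verdict = "reactivated:" + verdict
                withdrawn.discard(snap.prefix)
            last_announced[snap.prefix] = snap.seen
        verdicts.append((snap.seen, verdict))
    return verdicts


# Constructed timeline loosely following the case study: announced via a
# real provider, withdrawn, re-announced via AS 12182 (the hijack), then
# back via the other real provider once the owner regained control.
CASE_STUDY_HISTORY = [
    RouteSnapshot(date(2011, 1, 15), "198.51.100.0/24", (64496, 12695, 31733)),
    RouteSnapshot(date(2011, 2, 1), "198.51.100.0/24", ()),
    RouteSnapshot(date(2011, 4, 10), "198.51.100.0/24", (64496, 12182, 31733)),
    RouteSnapshot(date(2011, 8, 29), "198.51.100.0/24", (64496, 43659, 31733)),
]

if __name__ == "__main__":
    for seen, verdict in review_history(CASE_STUDY_HISTORY,
                                        EXPECTED_ORIGIN, KNOWN_PROVIDERS):
        print(seen, verdict)
```

As the case study notes, a path-hijack verdict is only a lead: confirmation still requires the prefix owner, since a new but legitimate provider produces the same signal.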

5 Border Gateway Protocol


Phishing Activity Trends
Background

This section discusses the proportion of malicious email activity that is categorized as phishing attacks and looks more closely at the emerging trends, particularly social engineering techniques and how attackers can automate the use of RSS news feeds to incorporate news and current affairs stories into their scams.

Methodology

The data for this section is based on the analysis of email traffic collected from Symantec.cloud global honeypots and from the analysis of malicious and unwanted email traffic data collected from customers worldwide. The analysis of phishing trends is based on emails processed by Symantec.cloud Skeptic technology, and analysis of phishing emails collected in spam honeypots. Symantec.cloud spam honeypots collected between 5–10 million spam emails each day during 2011.

Data and Commentary


Commentary

Overall for 2011, 1 in 298.9 emails was identified and blocked as a phishing attack, compared with 1 in 442.1 in 2010; an increase of 0.11 percentage points. 85.2% of phishing attacks in 2011 related to spoofed financial organizations, compared with 56% in 2010. Phishing URLs spoofing banks attempt to steal a wide variety of information that can be used for identity theft and fraud. Attackers seek information such as names, government-issued identification numbers, bank account information, and credit card numbers. Cybercriminals are more focused on stealing financial information that can make them large amounts of money quickly versus goods that require a larger time investment, such as scams.

Phishing schemes continued to use major events to entice recipients: Many email-based fraud attempts referred to major events in 2011. Examples included the Japanese earthquake, where the criminals would attempt to exploit people’s sympathies for the victims of the disaster. Many charities sought donations to provide support and cyber criminals exploited this by sending 419-scam emails in which they spoofed legitimate charities with fraudulent websites. 36.2% of phishing attacks were conducted through the use of phishing toolkits.

5 http://www.symanteccloud.com/sv/se/globalthreats/learning_center/what_is_skeptic

Analysis of Phishing Activity by Geography, Industry Sector and Company Size
Background

Phishing activity trends can also reveal patterns that may be associated with particular geographical locations, or hotspots. For example, the industry sector may also have an influence on an organization’s risk factor, where certain industries may be exposed to different levels of threat by the nature of their business. Moreover, the size of an organization can also play a part in determining its exposure to risk. Small to medium-sized businesses (SMBs) may find themselves the target of a spam attack because SMBs are perceived to be a softer target: they are less likely to have the same levels of defense-in-depth as a larger organization, which is more likely to have greater budgetary expenditure applied to its anti-spam and security countermeasures.

Methodology

Analysis of phishing activity based on geography, industry and size is determined from the patterns of spam activity for Symantec.cloud clients for threats during 2011.

Data


Commentary The phishing rate has decreased for seven of the top-10 geographies in 2011. The highest average rate for phishing activity in 2011 was for organizations in South Africa, with an overall average phishing rate of 1 in 96.3. In 2010, the highest rate was also for South Africa, with an overall average phishing rate of 1 in 99.0. The phishing rate has increased across all top-ten industry sectors in 2011. Organizations in the Government and Public Sector were subjected to the highest level of phishing activity in 2011, with 1 in 49.4 emails identified and blocked as phishing attacks. In 2010 the sector with the highest average phishing rate was also the Government and Public Sector, with a phishing rate of 1 in 104.3. The spam rate has increased for all sizes of organization in 2011. 1 in 250.5 emails sent to large enterprises with more than 2,500 employees in 2011 were identified and blocked as phishing attacks, compared with 1 in 400.0 in 2010. 1 in 266.1 emails sent to small to medium-sized businesses with up to 250 employees in 2011 were identified and blocked as phishing attacks, compared with 1 in 379.7 in 2010.

The Americas Region - Introduction
Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second. This network monitors attack activity in more than 200 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, and other third-party data sources. In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products. Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud and a number of other Symantec security technologies. Skeptic™, the Symantec.cloud proprietary heuristic technology is able to detect new and sophisticated targeted threats before reaching customers’ networks. Over 8 billion email messages and more than 1.4 billion Web requests are processed each day across 15 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future. 
In addition to gathering global Internet attack data, Symantec also analyses attack data that is detected by sensors deployed in specific regions. This report discusses notable aspects of malicious activity Symantec has observed in the Americas region for 2011.

The Americas Region - Threat Activity Trends

The following section of the Symantec Americas Region (including North America and Latin America) Internet Security Threat Report provides an analysis of threat activity, malicious activity, and data breaches that Symantec observed in the Americas region in 2011. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and network attack origins. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report. This discussion is based on malicious threat activity detected by Symantec in the Americas region in 2011.

Threat Activity Trends Metrics for the Americas

- AMS Malicious Activity by Geography
- AMS Attack Origin by Country


AMS Malicious Code Activity Trends

Symantec collects malicious code information from its large global customer base through a series of opt-in anonymous telemetry programs, including Norton Community Watch, Symantec Digital Immune System, and Symantec Scan and Deliver technologies. Well over 133 million clients, servers, and gateway systems actively contribute to these programs. New malicious code samples, as well as detection incidents from known malicious code types, are reported back to Symantec. Reported incidents are considered potential infections if an infection could have occurred in the absence of security software to detect and eliminate the threat. Malicious code threats are classified into four main types—backdoors, viruses, worms, and Trojans:

- Backdoors allow an attacker to remotely access compromised computers.
- Trojans are malicious code that users unwittingly install onto their computers, most commonly through either opening email attachments or downloading from the Internet. Trojans are often downloaded and installed by other malicious code as well. Trojan horse programs differ from worms and viruses in that they do not propagate themselves.
- Viruses propagate by infecting existing files on affected computers with malicious code.
- Worms are malicious code threats that can replicate on infected computers or in a manner that facilitates them being copied to another computer (such as via USB storage devices).

Many malicious code threats have multiple features. For example, a backdoor is always categorized in conjunction with another malicious code feature. Typically, backdoors are also Trojans; however, many worms and viruses also incorporate backdoor functionality. In addition, many malicious code samples can be classified as both worm and virus due to the way they propagate. One reason for this is that threat developers try to enable malicious code with multiple propagation vectors in order to increase their odds of successfully compromising computers in attacks. This discussion is based on malicious code samples detected by Symantec in the Americas region in 2011.

Malicious Code Activity Trends Metrics for the Americas

- AMS Top Malicious Code Samples

AMS Malicious Activity by Geography
Background

This metric assesses the countries in the Americas (including North America and Latin America) region in which the largest amount of malicious activity takes place or originates. Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and typically a more stable connection. Symantec categorizes malicious activities as follows:

- Malicious code: This includes viruses, worms, and Trojans that are covertly inserted into programs. The purposes of malicious code include destroying data, running destructive or intrusive programs, stealing sensitive information, or compromising the security or integrity of a victim’s computer data.
- Spam zombies: These are compromised systems that are remotely controlled and used to send large volumes of junk or unsolicited emails. These emails can be used to deliver malicious code and phishing attempts.
- Phishing hosts: A phishing host is a computer that provides website services for the purpose of attempting to illegally gather sensitive, personal and financial information while pretending that the request is from a trusted, well-known organization. These websites are designed to mimic the sites of legitimate businesses.
- Bot-infected computers: These are compromised computers that are being controlled remotely by attackers. Typically, the remote attacker controls a large number of compromised computers over a single, reliable channel in a bot network (botnet), which then is used to launch coordinated attacks.
- Network attack origins: These are originating sources of attacks from the Internet. For example, attacks can target SQL protocols or buffer overflow vulnerabilities.
- Web-based attack origins: This measures attack sources that are delivered via the Web or through HTTP. Typically, legitimate websites are compromised and used to attack unsuspecting visitors.

Methodology

To determine malicious activity by source geography, Symantec has compiled geographical data on numerous malicious activities, including malicious code reports, spam zombies, phishing hosts, bot-infected computers, and network attack origins. The proportion of each activity originating in each geography is then determined within the region. The mean of the percentages of each malicious activity that originates in each geography is calculated. This average determines the proportion of overall malicious activity that originates from the geography in question. The rankings are then determined by calculating the mean average of the proportion of these malicious activities that originated in each geography.

Data

Figure G.1. Malicious activity by source: Americas rankings, 2011 Source: Symantec


Figure G.2. Malicious activity by source: Americas Malicious code, 2011 Source: Symantec

Figure G.3. Malicious activity by source: Americas Spam zombies, 2011 Source: Symantec


Figure G.4. Malicious activity by source: Americas Phishing hosts, 2011 Source: Symantec

Figure G.5. Malicious activity by source: Americas Bots, 2011 Source: Symantec


Figure G.6. Malicious activity by source: Americas Web attack origins, 2011 Source: Symantec

Figure G.7. Malicious activity by source: Americas Network attack origins, 2011 Source: Symantec

Commentary

Malicious activity originating from infected computers in Brazil has pushed the country to the top of the table as a source of malicious activity in LAM for 2011, and ranked fourth globally. The United States was number one for NAM and number one globally. Brazil and the United States were the top source of malicious activity across all categories for each of their respective regions. Argentina was ranked in second position overall in LAM, and was ranked second for spam zombies, bots and as a source of network attacks in LAM.

AMS Attack Origin by Country
This metric assesses the top global countries from which attacks originated that targeted the Americas region in 2011. Note that, because the attacking computer could be controlled remotely, the attacker may be in a different location than the computer being used to mount the attack. For example, an attacker physically located in Brazil could launch an attack from a compromised system in Australia against a network in Japan.

Methodology

This section measures the top originating countries of attacks that targeted computers in the Americas region in 2011. A network attack is generally considered any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS), intrusion prevention system (IPS), or firewall.

NB. Figures from 2010 were not available for comparison


Figure G.8 Top attacks by country in Americas, 2011 Source: Symantec

Commentary

The United States continues to dominate attacks on the Americas region: In 2011, the United States was the top country of origin for attacks against targets in the Americas region, accounting for half of all attacks detected by Symantec sensors in the region. This result is likely due to the high level of attack activity originating in the United States generally, as it was also the top country for originating Web attacks globally, with 16.9% of the total. It also ranked in second position globally as a source for network attacks, with 33.5% of network attacks originating in the United States. Moreover, the United States ranked first for overall global malicious activity, with 21.1% of the overall total. The United States also ranked first globally for bot-infected computers (12.6%) and in second position for malicious code (13.3%); much of the attack activity targeting countries in the Americas region would have been conducted through these malicious bot networks.

AMS Top Malicious Code Samples
Background

This metric assesses the top malicious code samples in the Americas region in 2011. Symantec analyses new and existing malicious code samples to determine which threat types and attack vectors are being employed in the most prevalent threats. This information also allows administrators and users to gain familiarity with threats that attackers may favor in their exploits. Insight into emerging threat development trends can help bolster security measures and mitigate future attacks.

Methodology

To determine top malicious code samples, Symantec ranks each malicious code sample based on the volume of unique sources of potential infections observed during the reporting period.

Data


Figure G.9: Top malicious code samples in Americas, 2011 Source: Symantec

Commentary

W32.Downadup (aka Conficker) dominates in the Americas region: W32.Downadup.B was ranked in first position in the Americas region in 2011, accounting for 7.3% of potential infections in LAM and 4.5% in NAM. The Downadup family of malware was ranked in fourth position globally in 2011, despite losing momentum, when in 2010 it was ranked the second-most prevalent malicious code family by volume of potential infections globally. Downadup propagates by exploiting vulnerabilities in order to copy itself to network shares. Downadup was estimated still to be on more than 3 million PCs worldwide at the end of 2011, compared with approximately 5 million at the end of 2010.

Interestingly, variants of Ramnit, which was the number one family of malware globally in 2011, did not feature strongly in the top-10 malware identified in the Americas region, and accounted for less than 1% of potential infections in NAM. W32.Sality.AE was ranked number one in LAM, but did not feature in the top-ten for NAM. Reported activity by this virus was the primary contributor to the Sality family being the second highest ranked malicious code family globally in 2011. Discovered in 2008, Sality.AE has been a prominent part of the threat landscape since then, including being the global top malicious code family identified by Symantec in 2010 and 2009. Sality may be particularly attractive to attackers because it uses polymorphic code that can hamper detection. Sality is also capable of disabling security services on affected computers. These two factors may lead to a higher rate of successful installations for attackers.

Introduction
Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second. This network monitors attack activity in more than 200 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, and other third-party data sources. In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products. Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology is able to detect new and sophisticated targeted threats before reaching customers’ networks. Over 8 billion email messages and more than 1.4 billion Web requests are processed each day across 15 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future.

In addition to gathering global Internet attack data, Symantec also analyses attack data that is detected by sensors deployed in specific regions. This report discusses notable aspects of malicious activity Symantec has observed in Europe, the Middle East and Africa (EMEA) for 2011.

EMEA Threat Activity Trends

The following section of the Symantec Europe, the Middle East and Africa (EMEA) Internet Security Threat Report provides an analysis of threat activity, malicious activity, and data breaches that Symantec observed in EMEA in 2011. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and network attack origins. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report. This discussion is based on malicious threat activity detected by Symantec in the EMEA region in 2011.

Threat Activity Trends Metrics for Europe, the Middle East, and Africa

- EMEA Malicious Activity by Geography
- EMEA Attack Origin by Country

EMEA Malicious Code Activity Trends

Symantec collects malicious code information from its large global customer base through a series of opt-in anonymous telemetry programs, including Norton Community Watch, Symantec Digital Immune System, and Symantec Scan and Deliver technologies. Well over 133 million clients, servers, and gateway systems actively contribute to these programs. New malicious code samples, as well as detection incidents from known malicious code types, are reported back to Symantec. Reported incidents are considered potential infections if an infection could have occurred in the absence of security software to detect and eliminate the threat. Malicious code threats are classified into four main types—backdoors, viruses, worms, and Trojans:

- Backdoors allow an attacker to remotely access compromised computers.
- Trojans are malicious code that users unwittingly install onto their computers, most commonly through either opening email attachments or downloading from the Internet. Trojans are often downloaded and installed by other malicious code as well. Trojan horse programs differ from worms and viruses in that they do not propagate themselves.
- Viruses propagate by infecting existing files on affected computers with malicious code.
- Worms are malicious code threats that can replicate on infected computers or in a manner that facilitates them being copied to another computer (such as via USB storage devices).

Many malicious code threats have multiple features. For example, a backdoor is always categorized in conjunction with another malicious code feature. Typically, backdoors are also Trojans; however, many worms and viruses also incorporate backdoor functionality. In addition, many malicious code samples can be classified as both worm and virus due to the way they propagate. One reason for this is that threat developers try to enable malicious code with multiple propagation vectors in order to increase their odds of successfully compromising computers in attacks. This discussion is based on malicious code samples detected by Symantec in the EMEA region in 2011.

Malicious Code Activity Trends Metrics for Europe, the Middle East, and Africa

- EMEA Top Malicious Code Samples

EMEA Malicious Activity by Geography
Background

This metric assesses the countries in the Europe, the Middle East, and Africa (EMEA) region in which the largest amount of malicious activity takes place or originates. Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and typically a more stable connection. Symantec categorizes malicious activities as follows:

- Malicious code: This includes viruses, worms, and Trojans that are covertly inserted into programs. The purposes of malicious code include destroying data, running destructive or intrusive programs, stealing sensitive information, or compromising the security or integrity of a victim’s computer data.
- Spam zombies: These are compromised systems that are remotely controlled and used to send large volumes of junk or unsolicited emails. These emails can be used to deliver malicious code and phishing attempts.
- Phishing hosts: A phishing host is a computer that provides website services for the purpose of attempting to illegally gather sensitive, personal and financial information while pretending that the request is from a trusted, well-known organization. These websites are designed to mimic the sites of legitimate businesses.
- Bot-infected computers: These are compromised computers that are being controlled remotely by attackers. Typically, the remote attacker controls a large number of compromised computers over a single, reliable channel in a bot network (botnet), which then is used to launch coordinated attacks.
- Network attack origins: These are originating sources of attacks from the Internet. For example, attacks can target SQL protocols or buffer overflow vulnerabilities.
- Web-based attack origins: This measures attack sources that are delivered via the Web or through HTTP. Typically, legitimate websites are compromised and used to attack unsuspecting visitors.

Methodology

To determine malicious activity by source geography, Symantec has compiled geographical data on numerous malicious activities, including malicious code reports, spam zombies, phishing hosts, bot-infected computers, and network attack origins. The proportion of each activity originating in each geography is then determined within the region. The mean of the percentages of each malicious activity that originates in each geography is calculated. This average determines the proportion of overall malicious activity that originates from the geography in question. The rankings are then determined by calculating the mean average of the proportion of these malicious activities that originated in each geography.

Figure E.1. Malicious activity by source: EMEA rankings, 2011 Source: Symantec

Figure E.2. Malicious activity by source: EMEA Malicious code, 2011

Figure E.3. Malicious activity by source: EMEA Spam zombies, 2011 Source: Symantec

Figure E.4. Malicious activity by source: EMEA Phishing hosts, 2011 Source: Symantec

Figure E.5. Malicious activity by source: EMEA Bots, 2011 Source: Symantec

Figure E.6. Malicious activity by source: EMEA Web attack origins, 2011 Source: Symantec

Figure E.7. Malicious activity by source: EMEA Network attack origins, 2011 Source: Symantec

Commentary
Malicious activity originating from computers in Germany pushed that geography to the top of the table of overall malicious activity in 2011, with Germany being the number one host for phishing Web sites in the region. Germany was also ranked in second position for bot activity, network attacks and Web-based attacks, and fifth worldwide as a source of malicious activity. Russia was ranked second overall in EMEA and was the top source of spam zombies in the region. The United Kingdom was ranked third overall in the region, in first position for malicious code activity in EMEA, and the top source of network attacks in the region.

Attack Origin by Country
Background
This metric assesses the top countries worldwide from which attacks originated that targeted the EMEA region in 2011. Note that, because the attacking computer could be controlled remotely, the attacker may be in a different location than the computer being used to mount the attack. For example, an attacker physically located in the United States could launch an attack from a compromised system in Germany against a network in the United Kingdom.

Methodology
This section measures the top originating countries of attacks that targeted computers in EMEA in 2011. A network attack is generally considered any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS), intrusion prevention system (IPS), or firewall.

Data

Figure E.8 Top attacks by country in EMEA, 2011 Source: Symantec

Commentary
The United States continues to dominate attacks on EMEA: In 2011, the United States was the top country of origin for attacks against EMEA targets, accounting for 35.6% of all attacks detected by Symantec sensors in the region. This is approximately the same percentage as in 2010 and 2009, when the United States also ranked in first position. This result is likely due to the high level of attack activity originating in the United States generally: it was also the top country of origin for Web-based attacks globally, with 16.9% of the total, and ranked second globally as a source of network attacks, with 33.5% of network attacks originating there. Moreover, the United States ranked first for overall global malicious activity, with 21.1% of the total. It also ranked first globally for bot-infected computers (12.6%) and second for malicious code (13.3%); much of the attack activity targeting EMEA countries would have been conducted through these bot networks. Attacks from China increased by 7.1 percentage points in 2011, owing to a general increase in the number of network attacks originating from China. Attacks from Japan, Switzerland, Italy and Spain against targets in the EMEA region also increased; these countries did not feature in the top ten sources of attacks in the previous year.

Top Malicious Code Samples
Background
This metric assesses the top malicious code samples in EMEA in 2011. Symantec analyzes new and existing malicious code samples to determine which threat types and attack vectors are being employed in the most prevalent threats. This information also allows administrators and users to gain familiarity with the threats that attackers favor. Insight into emerging threat development trends can help bolster security measures and mitigate future attacks.

Methodology
To determine the top malicious code samples, Symantec ranks each malicious code sample based on the volume of unique sources of potential infections observed during the reporting period.

Figure E.9: Top malicious code samples in EMEA, 2011 Source: Symantec

Commentary
The Sality.AE virus continues to dominate in EMEA: The top malicious code sample by volume of potential infections in EMEA for 2011 was Sality.AE. Reported activity by this virus was the primary contributor to the Sality family being the second-highest-ranked malicious code family globally by prevalence in 2011. Discovered in 2008, Sality.AE has been a prominent part of the threat landscape since then, including being the top malicious code family identified by Symantec globally in 2010 and 2009. Sality may be particularly attractive to attackers because it uses polymorphic code that can hamper detection. Sality is also capable of disabling security services on affected computers. These two factors may lead to a higher rate of successful installations for attackers. Sality propagates by infecting executable files and copying itself to removable drives such as USB devices. The virus then relies on Microsoft Windows AutoRun functionality to execute when those drives are accessed, which can occur when an infected USB device is attached to a computer. The reliable simplicity of spreading via USB devices and other media makes malicious code families such as Sality.AE (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers.
Ramnit becomes the second most prevalent malicious code family in 2011: Ramnit was ranked in third position in EMEA in 2010. In 2011, Ramnit was ranked in first position globally as the most prevalent malicious code family. This is primarily the result of activity by W32.Ramnit!html, which accounts for 51% of all Ramnit malware identified globally in 2011. W32.Ramnit!html is a generic detection for .html files infected by W32.Ramnit. First discovered in 2010, W32.Ramnit has been a prominent feature of the threat landscape since then, often switching places with Sality throughout the year as the two families jockey for first position. Ramnit spreads by encrypting and then appending itself to DLL, EXE and HTML files. It can also spread by copying itself to the recycle bin folder on removable drives and creating an AUTORUN.INF file so that the malware is potentially executed automatically on other computers when the infected USB device is attached. The reliable simplicity of spreading via USB devices and other media makes malicious code families such as Ramnit and Sality (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers.
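Both families above use the same removable-media vector: an autorun.inf in the volume root that names a launcher, often stashed in a recycle-bin folder. The following is an added triage script, not Symantec's code or detection logic, that inspects a mounted removable volume for those indicators. The set of keys it treats as launch commands (open, shellexecute, shell\<verb>\command), the executable extensions and the recycle-bin folder names are the example's assumptions; the "infected" volume it builds in a temporary directory is constructed (a dummy MZ stub, not real malware). It is a policy check, not a replacement for an antivirus scan: a vendor drive whose autorun.inf only sets icon= and label= is reported as informational, while a launch command or an executable inside a recycle-bin folder is rated high.

```python
import os
import tempfile
from pathlib import Path

# Assumptions of this example: which extensions count as executable and which folder
# names are treated as recycle-bin folders (where Ramnit stashes its copy).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll"}
RECYCLE_DIR_NAMES = {"recycler", "$recycle.bin", "recycled"}
LAUNCH_KEYS = {"open", "shellexecute"}  # plus shell\<verb>\command, matched by pattern


def parse_autorun_inf(text):
    """Minimal INI reader: {lowercased key: value} from the [autorun] section only."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(command):
    """The program part of a command line: a quoted path, or else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command.split() else ""


def launch_targets(entries):
    """Programs AutoRun would run: open=, shellexecute= and shell\\<verb>\\command= entries."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            program = program_of(value)
            if program:
                targets.append(program)
    return targets


def is_executable(name):
    return Path(name).suffix.lower() in EXECUTABLE_EXTS


def triage_removable_media(root):
    """Inspect a mounted removable volume; returns [(severity, finding)], severity info/medium/high."""
    root = Path(root)
    findings = []
    # 1. AutoRun launcher in the volume root, whatever the case of the filename
    for child in root.iterdir():
        if child.is_file() and child.name.lower() == "autorun.inf":
            entries = parse_autorun_inf(child.read_text(errors="replace"))
            targets = launch_targets(entries)
            if not targets:
                keys = ", ".join(sorted(entries)) or "empty"
                findings.append(("info", f"{child.name} present but sets no launch command (keys: {keys})"))
            for target in targets:
                on_media = (root / target.replace("\\", "/")).exists()
                severity = "high" if (is_executable(target) or on_media) else "medium"
                findings.append((severity, f"{child.name} launches '{target}' (present on media: {on_media})"))
    # 2. Executables inside recycle-bin style folders, where Ramnit copies itself
    for dirpath, _, filenames in os.walk(root):
        parts = Path(dirpath).relative_to(root).parts
        if any(part.lower() in RECYCLE_DIR_NAMES for part in parts):
            for name in filenames:
                if is_executable(name):
                    rel = Path(dirpath, name).relative_to(root)
                    findings.append(("high", f"executable inside recycle-bin folder: {rel}"))
    return findings


def max_severity(findings):
    """Worst case over the findings: -1 none, 0 info, 1 medium, 2 high."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((order[severity] for severity, _ in findings), default=-1)


def build_sample_volume(kind):
    """Constructed test volumes in a temp dir: 'infected' mimics an AutoRun worm's layout
    with a dummy MZ stub (not real malware); 'benign' mimics a vendor drive."""
    root = Path(tempfile.mkdtemp(prefix=f"usb_{kind}_"))
    if kind == "infected":
        (root / "RECYCLER").mkdir()
        (root / "RECYCLER" / "update.exe").write_bytes(b"MZ" + b"\0" * 64)
        (root / "AUTORUN.INF").write_text(
            "[autorun]\nopen=RECYCLER\\update.exe\n"
            "shell\\open\\command=RECYCLER\\update.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n")
    else:
        (root / "autorun.inf").write_text("[autorun]\nicon=vendor.ico\nlabel=Vendor Drive\n")
        (root / "vendor.ico").write_bytes(b"\0\0\1\0")
        (root / "readme.txt").write_text("documentation")
    return root


if __name__ == "__main__":
    for kind in ("infected", "benign"):
        vol = build_sample_volume(kind)
        print(f"== {kind} volume at {vol}")
        for severity, finding in triage_removable_media(vol):
            print(f"  [{severity}] {finding}")
```

Run it against a real mount point by passing the mount path to triage_removable_media; a high finding is a reason to hold the device for analysis rather than to let AutoRun (or a curious user) run whatever the launcher points at.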

Best Practice Guidelines for Businesses
1. Employ defense-in-depth strategies: Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection and intrusion prevention systems, and Web security gateway solutions throughout the network.
2. Monitor for network threats, vulnerabilities and brand abuse: Monitor for network intrusions, propagation attempts and other suspicious traffic patterns, and identify attempted connections to known malicious or suspicious hosts. Receive alerts for new vulnerabilities and threats across vendor platforms for proactive remediation. Track brand abuse via domain alerting and fictitious Web site reporting.
3. Antivirus on endpoints is not enough: On endpoints, signature-based antivirus alone is not enough to protect against today's threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection: endpoint intrusion prevention that blocks exploitation of unpatched vulnerabilities, protects against social engineering attacks and stops malware from reaching endpoints; browser protection against obfuscated Web-based attacks; cloud-based malware prevention for proactive protection against unknown threats; file and Web-based reputation solutions that provide a risk-and-reputation rating of any application and Web site, to stop rapidly mutating and polymorphic malware; behavioral prevention capabilities that examine the behavior of applications and block malware on that basis; application control settings that prevent applications and browser plug-ins from downloading unauthorized malicious content; and device control settings that restrict the types of USB devices that can be used.
4. Secure your websites against MITM attacks and malware infection: Avoid compromising your trusted relationship with your customers by implementing Always On SSL; scanning your website daily for malware; setting the Secure flag on all session cookies; regularly assessing your website for vulnerabilities; choosing SSL certificates with Extended Validation to display the green browser address bar to website users; and displaying recognized trust marks in highly visible locations on your website to inspire trust and show customers your commitment to their security.
5. Get your digital certificates from an established, trustworthy certificate authority that demonstrates excellent security practices, and protect your private keys: Implement strong security practices to secure and protect your private keys, especially if you use digital certificates. Symantec recommends that organizations use separate test-signing and release-signing infrastructures, store keys in secure, tamper-proof cryptographic hardware devices, and implement physical security to protect these assets from theft.
6. Use encryption to protect sensitive data: Implement and enforce a security policy whereby sensitive data is encrypted. Access to sensitive information should be restricted. This should include a Data Loss Prevention (DLP) solution, a system to identify, monitor, and protect data. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organization.
7. Use Data Loss Prevention to help prevent data breaches: Implement a DLP solution that can discover where sensitive data resides, monitor its use and protect it from loss. DLP should monitor the flow of data as it leaves the organization over the network, and monitor copying of sensitive data to external devices or Web sites; it should be configured to identify and block suspicious copying or downloading of sensitive data. DLP should also be used to identify confidential or sensitive data assets on network file systems and PCs so that appropriate data protection measures such as encryption can be used to reduce the risk of loss.
8. Implement a removable media policy: Where practical, restrict unauthorized devices such as external portable hard drives and other removable media. Such devices can both introduce malware and facilitate intellectual property breaches, intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying of confidential data to unencrypted external storage devices.
9. Update your security countermeasures frequently and rapidly: With more than 403 million unique variants of malware detected by Symantec in 2011, enterprises should be updating antivirus and intrusion prevention definitions at least daily, if not multiple times a day.
10. Be aggressive in your updating and patching: Update, patch and migrate from outdated and insecure browsers, applications and browser plug-ins to the latest available versions using the vendors' automatic update mechanisms. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Wherever possible, automate patch deployment to maintain protection against vulnerabilities across the organization.
11. Enforce an effective password policy: Ensure passwords are strong: at least 8-10 characters long and including a mixture of letters and numbers. Encourage users to avoid reusing the same password on multiple Web sites, and forbid sharing passwords with others. Passwords should be changed regularly, at least every 90 days. Avoid writing down passwords.
12. Restrict email attachments: Configure mail servers to block or remove email that contains file attachments commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should also investigate policies for .PDF files that are allowed as email attachments.
13. Ensure that you have infection and incident response procedures in place: Keep your security vendors' contact information to hand, and know who you will call and what steps you will take if you have one or more infected systems. Ensure that a backup-and-restore solution is in place to restore lost or compromised data in the event of a successful attack or catastrophic data loss. Make use of post-infection detection capabilities from Web gateway, endpoint security solutions and firewalls to identify infected systems. Isolate infected computers to prevent the risk of further infection within the organization. If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied. Perform a forensic analysis on any infected computers and restore them using trusted media.
14. Educate users on the changed threat landscape: Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses. Be cautious when clicking on URLs in emails or social media programs, even when they come from trusted sources and friends. Do not click on shortened URLs without previewing or expanding them first using available tools and plug-ins. Advise users to be cautious about the information they provide on social networking sites, as it could be used to target them in an attack or to trick them into opening malicious URLs or attachments. Be suspicious of search engine results and only click through to trusted sources when conducting searches, especially on topics that are hot in the media. Deploy Web browser URL reputation plug-ins that display the reputation of Web sites in search results. Only download software (if allowed) from corporate shares or directly from the vendor's Web site. If users see a warning indicating that they are "infected" after clicking on a URL or using a search engine (fake antivirus), have them close or quit the browser using Alt-F4, Ctrl+W or the Task Manager. Advise users to make sure they are using a modern browser and operating system and to keep their systems current with security updates. Instruct users to look for the green browser address bar, HTTPS, and trust marks on any website where they log in or share personal information.
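Guideline 12's attachment blocking, as an added example (not code from the Symantec report): a mail-filter routine using Python's standard email package that rejects messages carrying the listed extensions, catches double extensions such as invoice.pdf.exe, and also checks the first bytes of each attachment for the MZ executable header, since blocking by filename alone is bypassed by renaming an executable (the magic-byte check and the quarantine of PDF attachments for the policy review the guideline recommends are the example's additions, not something the guideline states). The sample message is constructed inline with harmless dummy payloads.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the guideline names as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
# Allowed, but the guideline says to have a policy for them: held for review here.
REVIEW_EXTENSIONS = {".pdf"}
# DOS/PE executables start with "MZ"; a renamed .exe keeps this header (example's own check).
MZ_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Return (decision, reason) for one attachment: 'block', 'review' or 'allow'."""
    name = (filename or "").strip()
    shown = name or "<unnamed>"
    # All suffixes, so "invoice.pdf.exe" yields [".pdf", ".exe"] and the double extension is caught.
    suffixes = [s.lower() for s in PurePosixPath(name.lower()).suffixes]
    if payload[:2] == MZ_MAGIC:
        return "block", f"{shown}: payload is a Windows executable (MZ header) regardless of its name"
    if any(s in BLOCKED_EXTENSIONS for s in suffixes):
        return "block", f"{shown}: extension is in the blocked list"
    if suffixes and suffixes[-1] in REVIEW_EXTENSIONS:
        return "review", f"{shown}: PDF attachment, held for PDF policy review"
    return "allow", f"{shown}: no policy match"


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and classify every attachment; returns [(filename, decision, reason)]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        decision, reason = classify_attachment(part.get_filename(), payload)
        results.append((part.get_filename(), decision, reason))
    return results


def verdict(results):
    """Mail-server action for the whole message: one blocked attachment rejects the message."""
    decisions = {decision for _, decision, _ in results}
    if "block" in decisions:
        return "reject"
    if "review" in decisions:
        return "quarantine"
    return "deliver"


def build_sample_message():
    """Constructed test message with harmless dummy payloads (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached files.")
    attachments = [
        ("report.pdf", b"%PDF-1.4 dummy"),
        ("Invoice.PDF.exe", b"MZ\x90\x00 dummy"),   # double extension
        ("photo.jpg", b"MZ\x90\x00 dummy"),         # executable renamed to look like an image
        ("run.vbs", b'MsgBox "dummy"'),
        ("notes.txt", b"plain text"),
    ]
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for _, decision, reason in results:
        print(f"{decision:7s} {reason}")
    print("message verdict:", verdict(results))
```

The decision is taken per attachment and then folded into one verdict for the message, which is how a gateway filter has to act: it cannot strip one part and deliver the rest without rewriting the MIME structure. Archive formats are deliberately left as "allow" here because the guideline does not cover them; a production filter would need to open them.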


Best Practice Guidelines for Consumers
1. Protect yourself: Use a modern Internet security solution that includes the following capabilities for maximum protection against malicious code and other threats: antivirus (file- and heuristic-based) and malware behavioral prevention, which can prevent unknown malicious threats from executing; a bidirectional firewall, which will block malware from exploiting potentially vulnerable applications and services running on your computer; intrusion prevention, to protect against Web-attack toolkits, unpatched vulnerabilities, and social engineering attacks; browser protection, to protect against obfuscated Web-based attacks; reputation-based tools that check the reputation and trust of a file and Web site before downloading; and URL reputation and safety ratings for Web sites found through search engines. Consider options for implementing cross-platform parental controls, such as Norton Online Family [xlii].
2. Keep up to date: Keep virus definitions and security content updated at least daily, if not hourly. By deploying the latest virus definitions, you can protect your computer against the latest viruses and malware known to be spreading in the wild. Update your operating system, Web browser, browser plug-ins, and applications to the latest versions using the automatic updating capability of your programs, if available. Running out-of-date versions can put you at risk of being exploited by Web-based attacks.
3. Know what you are doing: Be aware that malware, or applications that try to trick you into thinking your computer is infected, can be installed automatically along with file-sharing programs, free downloads, and freeware and shareware versions of software. Downloading "free," "cracked" or "pirated" versions of software can also deliver malware, or social engineering attacks in the form of programs that try to trick you into thinking your computer is infected and getting you to pay money to have it removed. Be careful which Web sites you visit. While malware can still come from mainstream Web sites, it can easily come from less reputable Web sites sharing pornography, gambling and stolen software. Read end-user license agreements (EULAs) carefully and understand all terms before agreeing to them, as some security risks can be installed after an end user has accepted the EULA, or because of that acceptance.
4. Use an effective password policy: Ensure that passwords are a mix of letters and numbers, and change them often. Passwords should not consist of dictionary words. Do not use the same password for multiple applications or Web sites. Use complex passwords (upper/lowercase letters and punctuation) or passphrases.
5. Think before you click: Never view, open, or execute any email attachment unless you expect it and trust the sender. Even with trusted senders, be suspicious. Be cautious when clicking on URLs in emails or social media programs, even when they come from trusted sources and friends. Do not blindly click on shortened URLs without expanding them first using previews or plug-ins. Do not click on links in social media applications with catchy titles or phrases, even from friends. If you do click on the URL, you may end up "liking" it and sending it to all of your friends just by clicking anywhere on the page; close or quit your browser instead. Use a Web browser URL reputation solution that shows the reputation and safety rating of Web sites from searches. Be suspicious of search engine results; only click through to trusted sources when conducting searches, especially on topics that are hot in the media. Be suspicious of pop-up warnings asking you to install media players, document viewers and security updates; only download software directly from the vendor's Web site.
6. Guard your personal data: Limit the amount of personal information you make publicly available on the Internet (including and especially via social networks), as it may be harvested and used in malicious activities such as targeted attacks and phishing scams. Never disclose any confidential personal or financial information unless and until you can confirm that any request for such information is legitimate. Review your bank, credit card, and credit information frequently for irregular activity. Avoid banking or shopping online from public computers (such as libraries, Internet cafes, etc.) or over unencrypted Wi-Fi connections. Use HTTPS when connecting via Wi-Fi networks to your email, social media and sharing Web sites. Check the settings and preferences of the applications and Web sites you are using. Look for the green browser address bar, HTTPS, and recognizable trust marks when you visit websites where you log in or share any personal information. Configure your home Wi-Fi network for strong authentication and always require a unique password for access to it.
