Cosc 4765 SOPHOS Security Threat report about 2010

Upload: annabelle-mcdowell
Post on 27-Dec-2015

TRANSCRIPT

Page 1: Cosc 4765 SOPHOS Security Threat report about 2010

Cosc 4765

SOPHOS Security Threat report about 2010

Page 2

• Cybercriminals prey on our curiosity, and perhaps our vulnerability and gullibility, and use psychological traps to profit from unsuspecting technology users.

• Malware scams and exploits targeting social networking websites, applications, devices, and users proliferate.

• At the same time, traditional attacks continue to become more sophisticated to target the most advanced software, hardware and websites.

Page 3

• Today, users are the content. Driving the growth, and at the same time being driven by it, the explosion in mobile computing is expanding the impact of the social web. And, the way that content is shared and accessed is now the core of a new global culture, affecting and combining the spheres of personal and business life.

Page 4

Identifying the threats

• SophosLabs analyzed 95,000 pieces of malware a day: one unique file every 0.9 seconds, 24 hours a day.

• Today, more than ever before, hackers aren’t just producing malware for notoriety; they’re producing it for large financial gain.

• The more significant threats of 2010:
– Most of these are not new ideas, but recycled ideas from the past.

Page 5

Side note

• Independent test lab AV-Test discovered its 50 millionth virus/malware sample (Jan 26, 2011)
– 55,000 new malware samples each day, or roughly one every 1.6 seconds
– History:
• 1985: 553 different viruses
• 2000: 176,312
• 2006: about 1 million
• 2010: about 20 million different malware variants
– Source: http://www.av-test.org/

Page 6

Fake anti-virus software

• Also known as “scareware” or “rogueware”
• Malware installed onto the system that closely resembles, and in some cases directly impersonates, genuine security solutions.
– Users are pressured into paying for the “full version”, handing over payment card and other personal information.
• It doesn’t do anything useful, but it will likely install more malware.
• The bad guys now also have your credit card information, and can attempt to take over your identity.

Page 7

Fake anti-virus software (2)

• Sophos:
– Over half a million fake anti-virus software variants have been encountered.

• Real warnings have become difficult to tell from fake warnings.

Page 8

Attacks using Internet marketing techniques

• Black hat SEO and SEO poisoning attacks
– Search Engine Optimization (SEO) techniques are marketing techniques used by legitimate firms to help promote their Internet presence.
• SEO involves careful selection of keywords and topics to increase a page’s popularity and rating in search engine results, which are sorted based on link rankings.
– Black hats “hijack” search terms to generate lots of traffic to their sites, which are normally rogue or poisoned sites.
• Google reported that up to 1.3% of their search results are infected.

Page 9

Social engineering techniques on social networks

• Facebook, Twitter, and the rest
– Attackers targeted this massive and committed user base with diverse and steadily growing attacks throughout 2010.
– One of the more common types of attack hitting Facebook users is “clickjacking,” also called “UI redressing.”
• These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different. Often sharing or “liking” the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.
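An added example, not part of the slides or of Sophos’ report, showing both sides of the clickjacking described above: the attacker’s overlay page, and the X-Frame-Options and CSP frame-ancestors response headers a site sets so browsers refuse to put it in a frame. It runs under Node.js; the origins, endpoint name and header sets are constructed for the example, and the header evaluation handles only 'none', 'self' and literal origins (no wildcard hosts).

```javascript
// Added example (not code from the Sophos report or these slides): the mechanics of a
// clickjacking page and the response headers that stop it. Browser behaviour modelled here:
// a CSP frame-ancestors directive, when present, overrides X-Frame-Options; with neither
// header the page may be framed by anyone. Origins and header sets are constructed samples.

// Attacker page: the victim's page is loaded in a fully transparent iframe stacked above a
// decoy button, so the user's click lands on the hidden "Like"/"Share" control.
function buildClickjackPage(victimUrl) {
  return [
    '<html><body>',
    '<button style="position:absolute;top:120px;left:80px">Claim your prize</button>',
    `<iframe src="${victimUrl}" style="position:absolute;top:0;left:0;width:600px;height:400px;` +
      'opacity:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Case-insensitive header lookup.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Would a browser render pageOrigin inside a frame whose top-level document is topOrigin?
// Only 'none', 'self' and literal origins are handled for frame-ancestors; wildcard hosts are not.
function isFramingAllowed(headers, pageOrigin, topOrigin) {
  const page = pageOrigin.toLowerCase();
  const top = topOrigin.toLowerCase();

  const csp = header(headers, 'content-security-policy');
  if (csp !== undefined) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive !== undefined) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      return sources.some((src) => (src === 'self' ? top === page : src === top));
    }
  }

  const xfo = header(headers, 'x-frame-options');
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return top === page;
    // ALLOW-FROM and malformed values are ignored by current browsers, so fall through.
  }
  return true; // no framing restriction at all: clickjackable
}

const VICTIM_ORIGIN = 'https://social.example';
const ATTACKER_ORIGIN = 'https://evil.example';

// Constructed sample responses for the victim's "Like" endpoint.
const SAMPLE_RESPONSES = {
  unprotected: {},
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspSelfOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'self'" },
  cspPartnerOnly: { 'Content-Security-Policy': 'frame-ancestors https://partner.example' },
};

// For each sample response: can the attacker frame it, and can the site still frame itself?
function evaluateSamples() {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    result[name] = {
      framedByAttacker: isFramingAllowed(headers, VICTIM_ORIGIN, ATTACKER_ORIGIN),
      framedBySelf: isFramingAllowed(headers, VICTIM_ORIGIN, VICTIM_ORIGIN),
    };
  }
  return result;
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```

The `unprotected` case is the situation the slide describes: no header at all, so any site can stack a decoy over the button. Note that frame-ancestors 'none' also stops the site framing itself, which is the right setting for pages that should never appear inside a frame, while 'self' keeps first-party framing working.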

Page 10

Social engineering techniques on social networks (2)

• Clickjacking attacks not only spread social networking link-spam, they also regularly carry out other actions such as granting access to valuable personal information and even making purchases.

• One of the main financial motivations behind clickjacking is money earned from survey scams.

Page 11

Social engineering techniques on social networks (3)

• The “survey scam” tricks users into installing an application from a spammed link. To access the application’s alleged (but often non-existent) functionality, users must grant it access to their personal data. The application then sends the link on to the victim’s contacts, who in turn must fill in a survey form, which earns the application’s creators money through affiliate systems.

Page 12

Social engineering techniques on social networks (4)

• Share of surveyed users reporting each on social networking sites:
– Spam: 2010: 67%, 2009: 57%, 2008: 33.4%
– Phishing: 2010: 43%, 2009: 30%, 2008: 21%
– Malware: 2010: 40%, 2009: 36%, 2008: 21.2%

• Do you think your employees’ behavior on social networking sites could endanger security at your company?
– Yes: 59%

Page 13

SPAM

• January 2011: 78.6% of all email was spam
– The lowest rate since March 2009, when 75.7 percent of all email was spam.
– The highest rate was May 2010, when 85% of email was spam.

• In January 2010, 59% of all spam was pharmaceutical spam.
– Reference: http://www.internetnews.com/security/article.php/3922281/Spam+Volume+Tumbles+in+January.htm

Page 14

Botnets and SPAM

• Almost all of this spam comes from botnets, Sophos found. In Microsoft's latest Security Intelligence Report, the company reported that the U.S. was home to some 2.2 million PCs infected with botnet malware—roughly four times as many as Brazil, the country with the next highest amount.

Page 15

Pharmaceutical spam

• So you buy drugs from the spam.
• Assuming you actually receive them
– And they don’t kill you.
• Later on you are scammed again
– Fake FDA messages demand that you pay a fine or face legal action.

Page 16

Social engineering techniques on social networks (5)

• A cross-site scripting (XSS) vulnerability in the Twitter website also put users at risk in 2010. The flaw let a link be posted whose URL broke out of the link’s href attribute and injected an “onMouseOver” JavaScript event handler, so merely moving the mouse over the tweet ran attacker-chosen script.
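An added example, not code from the slides or from Twitter, of the bug class behind that Twitter flaw: a link renderer that builds `<a href="...">` from a URL without attribute-encoding it, so a double quote inside the URL terminates the href and appends an onmouseover handler, shown beside a hardened renderer. It runs under Node.js (using the built-in WHATWG URL class); the function names and sample tweets are constructed for the example.

```javascript
// Added example (not the slides' or Twitter's code): the bug class behind the 2010 Twitter
// "onMouseOver" worm. A tweet renderer that drops a URL into an href attribute without
// attribute-encoding it lets a double quote inside the URL close the attribute and append an
// event handler. The function names and the sample tweets below are this example's own.

const URL_PATTERN = /https?:\/\/[^\s<]+/g;

// Vulnerable renderer: strips angle brackets (so a raw <script> tag cannot be injected) but
// leaves the double quote alone, so the attribute boundary can be escaped.
function linkifyVulnerable(text) {
  return text.replace(URL_PATTERN, (url) => {
    const cleaned = url.replace(/[<>]/g, '');
    return `<a href="${cleaned}">${cleaned}</a>`;
  });
}

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every segment is entity-encoded for the context it lands in, and a
// candidate is only turned into a link if it parses as an http(s) URL. The WHATWG URL parser
// also percent-encodes a double quote in the path, so nothing can close the attribute.
function linkifyHardened(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_PATTERN)) {
    out += escapeHtml(text.slice(last, m.index));
    let safeUrl = null;
    try {
      const parsed = new URL(m[0]);
      if (parsed.protocol === 'http:' || parsed.protocol === 'https:') safeUrl = parsed.href;
    } catch (_) {
      // not a well-formed URL: fall through and render it as plain text
    }
    out += safeUrl === null
      ? escapeHtml(m[0])
      : `<a href="${escapeHtml(safeUrl)}">${escapeHtml(safeUrl)}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Does the rendered HTML contain an inline event-handler attribute (on...=) inside a tag?
// No whitespace is required before the attribute name: HTML parsers accept "onmouseover=
// directly after a closing quote, which is exactly what the 2010 payloads relied on.
function hasInlineEventHandler(html) {
  return /<[^>]*[\s"']on\w+\s*=/i.test(html);
}

// Constructed tweet in the shape of the 2010 payloads: the quote after "@" ends the href.
const MALICIOUS_TWEET = 'check this http://t.co/@"onmouseover="alert(1)"/ wow';
const BENIGN_TWEET = 'see https://example.com/a?b=1&c=2 today';

console.log(linkifyVulnerable(MALICIOUS_TWEET));
console.log(linkifyHardened(MALICIOUS_TWEET));
```

The vulnerable output contains `href="http://t.co/@"onmouseover="alert(1)"/"`, which a browser parses as an anchor carrying an onmouseover attribute; the hardened output carries `%22` where the quotes were, and the surrounding text is entity-encoded, so the same tweet renders as an inert link.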

Page 17

What puts you at risk?

• Malware attacks can strike at any time and from anywhere.

• Weak passwords, mobile devices and social networks, everyday software, removable media, operating systems and the web all pose risk.

Page 18

Passwords

• Passwords represent a serious hole in security
– Bad passwords are always going to be a problem.

• The biggest such incident in 2010 affected over a million users of several popular sites operated by the Gawker Media group.

• Mozilla’s leak of 44,000 sets of logins from its add-ons system seems to have affected only inactive accounts.

Page 19

Mobile devices and smartphones

• According to Gartner
– 1 in 6 people have access to a mobile device

• iPhone
– In early 2010, Apple released updates to patch 65 vulnerabilities, plus a further patch for another dozen.
– Potential iPhone spyware was released (also for BlackBerry).
– A proof-of-concept botnet was made up of iPhones and Androids
• Nearly 8,000 phones, before it was discovered.
– Jailbreaking an iPhone removes almost all security on the phone, making it very vulnerable to attack.

Page 20

Mobile devices and smartphones (2)

• Android
– In early 2010, Google found and removed banking malware from the Android Market, and a wallpaper application was found gathering information on over 1 million Android users.
– Researchers at the BBC put together their own smartphone spyware with ease, and researchers spotted a basic SMS Trojan in Russia, although it didn’t make its way onto the Android Market.

• Flash
– Now we need Adobe application updates on phones as well.

Page 21

Mobile devices and smartphones (3)

• Windows Phone 7
– Microsoft’s reputation for favoring functionality over security does not bode well for security on these devices.

• BlackBerry
– The BlackBerry built-in security model has been fairly successful so far, although potential spyware applications have been introduced.

Page 22

Mobile devices and smartphones (4)

• Palm Pre
– A flaw exposed this year granted cybercrooks a backdoor into Pre systems via a maliciously crafted mail message or web page.

• Nokia and Symbian OS
– Still the largest phone manufacturer.
– A number of malware families have been produced for the Symbian OS.

Page 23

Software

• Adobe
– PDF Reader
• New exploits appearing at least once a month for most of 2010
• Maliciously crafted PDFs, with payloads that could infect systems (Windows and Mac)
– Flash
• A trick to install exploits if Flash wasn’t already installed
• As well as several zero-day exploits in Flash itself

• Sun/Oracle
– Java had several different security holes in the JVM.

Page 24

Removable media

• Exploits using USB drives to automatically run when the device was inserted into a computer
– Defending against them requires Autoplay to be turned off

• But
– Stuxnet found and exploited an unpatched vulnerability (the Windows shortcut-file .LNK icon-handling flaw, CVE-2010-2568) to bypass Autoplay being turned off: merely displaying the drive’s contents in Explorer was enough to run its code.

Page 25

Removable media (2)

• IBM handed out infected USB drives at the AusCERT security conference
– They contained two pieces of malware.
– This was an accident, not intentional.

• Poor quality control or security measures at “factories” can lead to “pre-infected” devices carrying malware
– Not just USB drives, but other devices like cameras, SD cards, phones, and even DVDs.

Page 26

OSs

• MS Windows 7
– While more secure than XP and Vista, it has still had numerous security fixes.
– Malware creators now target Windows 7 specifically, since it is overtaking XP as the top Windows OS.

• Mac OS X
– Smaller install base, but …
– The OSX/Pinhead Trojan posed as the iPhoto application
– Numerous Trojans and other malware target users to open backdoors in the UNIX environment.

Page 27

Web and Web Servers

• Malvertising
– Putting malicious advertisements onto websites.
– They may appear alongside legitimate ads.
– The ad server software may be hacked, or the malicious ads get past the checks run by ad suppliers.

• Minnesota’s largest newspaper, Farm Town, and even Google have fallen prey to them.

Page 28

Web and Web Servers (2)

• Sophos sees almost 30,000 new malicious URLs every day!
– 70% are legitimate websites that have been hacked.
– Examples:
• The European site of the tech blog TechCrunch
• Several news organizations, like the Jerusalem Post
• Government websites such as the U.K.’s Somerset County Council
• A large US hosting provider was also hit
– Injected JavaScript
» http://nakedsecurity.sophos.com/2010/11/30/large-us-hosting-provider-hit-in-web-attack/
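An added example (not Sophos code) of how a site owner or crawler might screen pages for the injected JavaScript these compromised-site incidents involved. It looks for the usual signs: obfuscated eval/unescape blobs, a script tag appended after the closing </html>, zero-size or hidden iframes, and script sources on hosts outside the site. It runs under Node.js; the indicator list, host names and sample pages are constructed for the example and are not taken from any real incident.

```javascript
// Added example (not Sophos code): a static scan for the kind of script injection behind the
// compromised-site incidents above. Attackers typically append an obfuscated <script> or a
// zero-size <iframe> pointing at an attack site to an otherwise legitimate page. The indicator
// list, site names and sample pages are this example's own constructions.

const INDICATORS = [
  { name: 'obfuscated-eval', re: /eval\s*\(\s*(?:unescape|String\.fromCharCode|function\s*\()/i },
  { name: 'charcode-blob', re: /String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}/i },
  { name: 'document-write-unescape', re: /document\.write\s*\(\s*unescape\s*\(/i },
  { name: 'hidden-iframe', re: /<iframe[^>]*(?:width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>/i },
  { name: 'script-after-html-end', re: /<\/html>\s*<script/i },
];

// Hosts of external <script src=...> tags that are neither the site itself nor a subdomain of it.
// Third-party scripts are not proof of compromise, so they are reported separately for review.
function externalScriptHosts(html, siteHost) {
  const site = siteHost.toLowerCase();
  const hosts = new Set();
  for (const m of html.matchAll(/<script[^>]*\ssrc\s*=\s*["']?(?:https?:)?\/\/([^\/"'\s>]+)/gi)) {
    const host = m[1].toLowerCase();
    if (host !== site && !host.endsWith('.' + site)) hosts.add(host);
  }
  return [...hosts].sort();
}

// Scan one page: which indicators fired, and which off-site script hosts were seen.
function scanPage(html, siteHost) {
  const indicators = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.name);
  const offsiteScriptHosts = externalScriptHosts(html, siteHost);
  return { indicators, offsiteScriptHosts, suspicious: indicators.length > 0 };
}

// Constructed sample: a clean council page, and the same page with a typical injection appended.
const CLEAN_PAGE = [
  '<html><head><title>Council news</title>',
  '<script src="/static/app.js"></script>',
  '<script src="https://cdn.council.example/jquery.js"></script>',
  '</head><body><p>Bin collection dates for December</p></body></html>',
].join('\n');

const INFECTED_PAGE = CLEAN_PAGE + [
  '',
  '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"))</script>',
  '<script src="http://stat-counter.example/c.js"></script>',
  '<iframe src="http://ads-tracker.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>',
].join('\n');

console.log(scanPage(CLEAN_PAGE, 'council.example'));
console.log(scanPage(INFECTED_PAGE, 'council.example'));
```

On the infected sample the scan reports the obfuscated eval, the hidden iframe and the script placed after </html>, plus `stat-counter.example` as an off-site script host; the clean page fires nothing, and its own CDN subdomain is not treated as off-site. Pattern lists like this catch the common injections but not bespoke ones, so they belong alongside integrity checks of the files on the server, not in place of them.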

Page 29

Q&A