Another year comes to an end, but not without leaving a trail of security issues and concerns. This year also saw a shift in the trend and distribution of malware. The rise of smartphones has turned them into a primary target for cybercriminals, who have started to attack these devices at a much larger scale.
Here is my take on what to expect in 2013:
1. Phishing and malware
Phishing e-mails and malware go hand in hand. Last year we saw not only an increase in phishing mails but also a jump in drive-by downloads served to victims through links in those e-mails. 2013 will be no better, as the bad actors have found a very convenient and fruitful way of pairing spam with malware.
Randomly generated domains are being used to greater effect to evade the static, domain-based detection (blocklists) presently deployed by anti-virus software: the malware and its operator both derive the same fresh list of domains, typically from the current date, so a list of yesterday's domains is useless against today's. In the coming months we shall see a rise in the use of such domains for nefarious purposes.
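To make the blocklist problem concrete, here is an added example (not code from the original article, and not the algorithm of any real malware family): a constructed, date-seeded toy generator in the style of a DGA, a check of how many of the next day's domains a blocklist built today would miss, and a simple lexical scorer (entropy, consonant runs, digit ratio) of the kind used to flag generated-looking names without a list. All domains, thresholds and the seed format are constructed for this example.

```python
import hashlib
import math
from collections import Counter

VOWELS = set("aeiou")


def toy_dga(day: str, count: int = 5, tld: str = ".info") -> list[str]:
    """Constructed stand-in for a date-seeded DGA (not any real family's
    algorithm). `day` is a YYYYMMDD string known to both bot and operator,
    so both derive the same `count` domains without ever exchanging them."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(day.encode() + bytes([i])).hexdigest()
        # 24 hex chars -> 12 lowercase letters
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 24, 2))
        domains.append(label + tld)
    return domains


def static_blocklist_gap(known_day: str, next_day: str) -> int:
    """How many of next_day's domains a blocklist built on known_day misses."""
    known = set(toy_dga(known_day))
    return sum(d not in known for d in toy_dga(next_day))


def second_level_label(domain: str) -> str:
    # Label left of the final dot; multi-part suffixes such as co.uk would
    # need the Public Suffix List, which this toy skips.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_features(domain: str) -> dict:
    label = second_level_label(domain)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "max_consonant_run": longest_consonant_run(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / max(len(label), 1),
    }


def looks_generated(domain: str) -> bool:
    """Lexical heuristic; thresholds are illustrative, not tuned on real data."""
    f = dga_features(domain)
    return (
        (f["length"] >= 10 and f["entropy"] >= 3.4)
        or f["max_consonant_run"] >= 5
        or f["digit_ratio"] > 0.3
    )


def triage(domains, blocklist):
    """Split queried domains into (blocked, suspicious, clean)."""
    blocked, suspicious, clean = [], [], []
    for d in domains:
        if d in blocklist:
            blocked.append(d)
        elif looks_generated(d):
            suspicious.append(d)
        else:
            clean.append(d)
    return blocked, suspicious, clean


if __name__ == "__main__":
    yesterday = set(toy_dga("20130101"))   # all a static blocklist can know
    queried = toy_dga("20130102") + [      # what the bot asks for today
        "google.com", "wikipedia.org", "xkqzvbtrwplm.info", "a7f3k9q2m5x1.com",
    ]
    blocked, suspicious, clean = triage(queried, yesterday)
    print("blocked by static list:", blocked)       # expect: nothing
    print("flagged by heuristic:  ", suspicious)
    print("passed as clean:       ", clean)
```

The static list catches none of the next day's domains, which is the point of the paragraph. The lexical scorer is only a first filter: some of the random 12-letter labels will slip under its thresholds, and long legitimate names made of many distinct letters (stackoverflow.com, for one) trip the entropy rule. In practice such a score is combined with the client's NXDOMAIN rate, since a bot walks through many non-existent domains before it finds the live one, and with an allow-list of known-good names.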
2. Difficult to detect malware
Undetectable malware is the perfect malware a hacker can ask for. The method generally revolves around creating thousands or millions of mutant variants of the same payload (repacking or re-encoding it so that every copy has a different hash and byte pattern), which are then scanned using a cloud-based "no-distribute" service that bundles a number of security products and, unlike public scanners, does not share the samples with the vendors. Services such as these cost as little as USD 1 for 24 hours of unlimited usage, during which hackers may test any number of samples against detection. The perpetrators then release the undetected variants onto the World Wide Web to infect unwary users. Cloud-based services will play a major role, since they will be the main point of contact for a number of malicious coders.
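An added example of the mutate-and-scan loop described above (not code from the original article, and with a harmless ASCII marker standing in for the payload): the crudest possible packer produces a fresh variant per key and junk prefix, a hash-based engine that knows every variant seen so far still misses every new one, while an engine that brute-forces the 256 single-byte XOR keys, as real scanners do for simple encoders, catches them all. The payload, the packer format and both "engines" are constructed for this example.

```python
import hashlib
import os

# Constructed placeholder for the "known bad" bytes a signature matches on.
# It is an ASCII marker, not real malicious code.
PAYLOAD = b"CONSTRUCTED-MALICIOUS-PAYLOAD-FOR-THIS-EXAMPLE"


def make_variant(payload: bytes, key: int, junk_len: int) -> bytes:
    """The crudest possible 'packer': random junk prefix, a two-byte header
    (junk length, key), then the payload XORed with a one-byte key. Every
    (key, junk) pair is a new file with a new hash, which is all a hash-based
    signature ever looks at."""
    if not (0 <= key <= 255 and 0 <= junk_len <= 255):
        raise ValueError("key and junk_len must fit in one byte")
    junk = os.urandom(junk_len)
    encoded = bytes(b ^ key for b in payload)
    return junk + bytes([junk_len, key]) + encoded


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_detector(known_samples):
    """Engine 1: exact-hash signatures for every variant seen so far."""
    known = {sha256_hex(s) for s in known_samples}
    return lambda sample: sha256_hex(sample) in known


def xor_brute_detector(sample: bytes, marker: bytes = PAYLOAD[:16]) -> bool:
    """Engine 2: try all 256 single-byte XOR keys and look for the marker.
    Real scanners do this generically for simple encoders."""
    return any(marker in bytes(b ^ key for b in sample) for key in range(256))


def count_undetected(samples, detector) -> int:
    return sum(not detector(s) for s in samples)


def mutate_until_undetected(payload, detectors, max_tries=1000):
    """What the pay-per-day multi-engine scanners are used for: keep producing
    variants and stop at the first one that no engine in the bank flags."""
    for attempt in range(max_tries):
        variant = make_variant(payload, key=attempt % 255 + 1,
                               junk_len=8 + attempt % 32)
        if not any(d(variant) for d in detectors):
            return variant
    return None


if __name__ == "__main__":
    known = [make_variant(PAYLOAD, key, 8) for key in range(1, 101)]  # seen by vendors
    fresh = [make_variant(PAYLOAD, key, 9) for key in range(1, 101)]  # tomorrow's batch
    by_hash = hash_signature_detector(known)
    print("hash engine misses", count_undetected(fresh, by_hash), "of", len(fresh))
    print("xor-brute engine misses", count_undetected(fresh, xor_brute_detector), "of", len(fresh))
    print("undetected variant found vs hash engine:",
          mutate_until_undetected(PAYLOAD, [by_hash]) is not None)
    print("undetected variant found vs both engines:",
          mutate_until_undetected(PAYLOAD, [by_hash, xor_brute_detector], 50) is not None)
```

The lesson for the defender is in the last two lines: against a bank made only of hash and byte-pattern signatures the loop terminates on the first try, against an engine that normalizes the sample before matching it never does. Real packers are far more elaborate than a one-byte XOR, which is why sandboxing and behavioural detection, not only static unpacking, have become the counter to this business model.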
3. Exploitation of social networks
Social networks are not only considered an excellent platform by the general public; they are also a perfect fit for cybercriminals. First and foremost, they can easily be used to spread spam and scams through the all-famous news feed. Social networks also serve as a launch pad for attacks on unsuspecting victims, for example by impersonating a 'friend'. Also, more than 70 percent of the URLs shared are shortened links, and at least 55 percent of the links posted lead to malware. These are the links that users click without giving it a second thought.
Moreover, social networking and smartphones have achieved a high level of penetration in the consumer market. Whether the user is a corporate user or not, this platform will be used and abused by scammers and fraudsters alike. We have observed a trend of social networking sites being used to serve malware, and this will continue to rise in 2013. The impact on an organization is directly related to its policies governing these sites and the devices that use them. Hardened corporate networks will be tested, because the penetration of such devices among their users is huge.
4. Use of rootkits to conceal zero-day attacks
Operating system vulnerabilities are the most sought-after targets for cybercriminals. However, they are hard to come by. Having exploited such a vulnerability, the attacker wants to stay undetected, and concealing the malware with a rootkit is the usual answer. Rootkits are not only difficult to detect but also extremely difficult to remove, as they hide at the kernel level and, in some cases, in firmware below the operating system. Moreover, they let attackers retain administrator-level access while remaining invisible to the ordinary user.
5. Java-based attacks
Malware will also continue to target vulnerabilities in Java, Flash and PDF readers. We have witnessed, and will keep witnessing, continuous use of exploits specifically aimed at Flash, PDF and Java-based components. Exploiting such components will remain a malware coder's delight, as their patch cycles are slow and users lag in applying updates, leaving multiple vulnerabilities open at once. Moreover, by writing the exploit in Java, hackers can attack Windows, Linux and Mac with platform-independent code.
6. Mobile malware
Smartphones are the new hot targets for malware writers, as they are the next big thing in both communication and entertainment. Smartphone-based attacks typically involve trojanizing legitimate applications: the attacker repackages an app, or pushes an update to it, that requests permissions (sending SMS, reading contacts and the like) which were not there when the application was first installed.
Mobile devices are reshaping the way people communicate, and the rise of smartphones and tablets is driving the growth of cloud-based services. With so much happening in the mobile segment, there is no doubt that targeted attacks and theft of personal information will grow here. Since desktops and laptops cannot be written off completely, there will be instances of malware programmed to run on both PCs and smartphones/tablets. We have seen this in the past, and the trend will set new standards in the malware industry.
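The permission creep described above is easy to check for mechanically. The following is an added example (not code from the original article): it diffs the uses-permission entries of two constructed Android manifests, the version the user installed against the pushed update, and flags the update when it newly asks for any permission on an example list of high-risk ones. The package name, both manifests and the HIGH_RISK list are constructed for this example; the permission strings themselves are real Android permission names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests for this example; "com.example.flashlight" is not a
# real app. v1 is what the user installed, v2 is the pushed update.
MANIFEST_V1 = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

MANIFEST_V2 = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Permissions this example treats as high-risk for a flashlight app
# (premium-SMS fraud, contact harvesting, persistence). Example's own list.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission android:name="..."/> values in a text manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def update_diff(old_xml: str, new_xml: str) -> dict:
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    return {
        "added": added,
        "removed": old - new,
        "high_risk_added": added & HIGH_RISK,
    }


def update_is_suspicious(old_xml: str, new_xml: str) -> bool:
    """Flag an update that newly asks for any high-risk permission."""
    return bool(update_diff(old_xml, new_xml)["high_risk_added"])


if __name__ == "__main__":
    diff = update_diff(MANIFEST_V1, MANIFEST_V2)
    for name, perms in diff.items():
        print(f"{name:16} {sorted(perms)}")
    print("suspicious update:", update_is_suspicious(MANIFEST_V1, MANIFEST_V2))
```

An installed APK carries its manifest in binary form, so in practice the text is first extracted with a tool such as aapt or apktool; the comparison itself is the same. The same diff applied to a repackaged copy of a legitimate app against the store original points at the added permissions just as directly.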
7. Mac-based malware
Mac malware has been a topic of discussion for most security researchers. Not only have we seen that the once 'impenetrable' Mac was a myth, but the threat to this supposedly secure OS has grown in numbers.
What seemed a harmless Flash downloader turned out to be one of the most effective methods used to infect Macs around the world. Distributed as a fake Flash Player update, the Flashback malware was spread through malicious websites. However, a number of legitimate websites were also used to spread it: hacked WordPress blogs, for instance, served as a platform to distribute the malware, resulting in the infection of over 700,000 Macs. Attacks on the Mac might be few at the moment; however, this is one segment that will need to be watched closely.
8. Industrial attacks
The security industry has witnessed a significant change in the development of malware. APTs (Advanced Persistent Threats) like Stuxnet and Flame have made headlines with their complexity and their methods of evading detection. It goes without saying that they are also the most difficult to detect and can go unnoticed for months or even years. Moreover, the overall sophistication of an attack depends heavily on the security of the chosen target: if an attack can be carried out using conventional phishing and common exploit kits, adversaries will not spend complex techniques such as these on it.
Defending against APTs is tough, and the tools used to keep such attacks at bay are often ineffective, because the groups behind APTs constantly innovate their tactics, techniques and procedures to circumvent security controls and standards. APTs are used with a very focused and precise objective in mind, and the groups behind them are well funded, adaptive, resilient and patient. The threat will adapt to the security deployed until the objectives are achieved, or withdraw if the overall cost of the operation outweighs the value of the target.
9. Insider threat
We will now have to redefine the concept of the insider threat. The threat will be inversely proportional to the knowledge and alertness of the user: the less aware the user, the easier it is for an attacker to turn them into an unwitting insider. Corporates will have to ensure that their user base is well aware of emerging threats and how to identify them. The user will now be indirectly responsible for the network breaches that occur.
10. The Growth of MaaS (Malware-as-a-Service)
Among the things to come, the cloud has given birth to a number of services. We have Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). Now add one more: Malware-as-a-Service (MaaS), which is slowly on the rise in the malware industry. The Internet has become a source of free or low-cost malware that is easily customized to meet every hacker's needs. Malware-as-a-Service significantly lowers the skill set a cybercriminal needs to launch automated attacks. The result is a shift in attacks from large corporations to smaller companies.
Take the example of Citadel, which is based on the ZeuS source code. This particular malware model aims to provide better support to its customer base while allowing cybercriminals to customize the Trojan and its command-and-control infrastructure to their needs. Going a step further, the malware authors have developed an online platform where customers can request features, report bugs and even contribute modules. This development is also an indication of the direction in which malware is evolving.
Just like many legitimate software companies, the Citadel project brings in a whole new service via a customer-relationship-management model. The project has already led to the creation of various modules that add better encryption, video/screen capture and methods of avoiding detection, some coded by the Citadel developers, others by the project's customers.
What is remarkable is the conceptualization of MaaS. Just as in large corporations, a huge amount of detail has gone into the creation of such a service. The product lifecycle is what these malware creators excel at: from design to release to after-sales support, each stage is implemented with care and attention. What we have here is a new level of design that delivers complex, highly scalable and effective solutions. The complexity of such a design itself shows that highly skilled (malware) programmers stand behind such projects.
What is interesting is the sales and support offered through this channel, which more often than not resemble the workings of a legal supply chain. As mentioned, analysis and enhancement of the product are driven by bug reports submitted through the online platform; bug reports are also collected from various underground sites. This change has in fact helped them market and sell their products.
Given below are the main services offered on Citadel's platform:
– An online network for customers, the Citadel CRM Store, which allows users to be active players in the malware product development lifecycle
– Reporting of bugs and other software-related errors
– A discreet platform for code sharing, where each client can share modules and source code with the others, thereby creating new modules or improvements
– Promotion of public proposals for software improvements and the addition of new features
– Various communication channels, including instant messengers and Jabber channels
There is no doubt that the continued advancement of malware will keep researchers and anti-malware vendors busy in the coming months, and end users will need to stay vigilant online to reduce the chances of infection.