AhnLab Inc (www.ahnlab.com), a leading provider of integrated security solutions, today announced the major mobile security threat trends of 2011 and its threat predictions for 2012. According to AhnLab, the major mobile security threats of 2011 were: an explosive increase in the number of malicious codes that perform direct billing; malware disguised as famous applications; increasing numbers of privacy-violating applications; and malicious codes that target personal financial information.
The major mobile security issues predicted for 2012 are: mass distribution of malicious codes that exploit application and OS vulnerabilities; rootkits that attack the kernel; the emergence of ‘zombie smartphones’ and botnets; and localized mobile malware that targets specific regions.
Major Mobile Security Threat Predictions for 2012
1) Mass distribution of malicious codes that exploit application and OS vulnerabilities
The most widely used malware distribution channel for Windows-based PCs is to compromise a website so that it delivers malware to the many visitors who have not applied the software patches for the exploited vulnerabilities. The same method is expected to be used against mobile devices: the number of smartphone users has grown constantly, so more and more web pages are accessed from smartphones. Just as on the PC, mass distribution of malicious code to a mass audience would be a significant security threat. Attackers will also try to exploit vulnerabilities in SNS (social network service) and email applications.
2) Rootkits that attack the smartphone kernel
Rooting an Android device or ‘jailbreaking’ an iPhone generally relies on exploiting vulnerabilities in the device’s software. These methods give the user ‘super user’ (root) permission and with it full control of the operating system kernel. While super user permission lets users control many otherwise restricted functions of the smartphone, this power becomes a serious security threat in the wrong hands. For instance, an attacker with super user permission can delete system files to disable the smartphone entirely, or install malicious applications that the user cannot remove. As the amount of mobile malware grows, the likelihood that kernel-attacking techniques are distributed widely increases sharply.
3) Emergence of ‘zombie smartphones’ and botnets
A zombie smartphone, a smartphone infected with a bot that performs malicious tasks under remote direction, can emerge as a new security threat if mass distribution of malicious code takes hold. Attackers can use smartphones to launch DDoS (distributed denial of service) attacks just as they use zombie PCs. A malicious code that attempts to build a botnet, a network of zombie smartphones, has already been found in a third-party market in China.
4) Localized mobile malware that targets specific regions
Although various malicious codes for mobile devices were found in 2011, most of them targeted large markets such as Europe, Russia and China. However, given that there are small countries with large numbers of smartphone users, such as Korea, attackers are expected to turn their attention to those markets as well. There is a strong possibility that new types of malware tailored to the local mobile environment will be developed.
Major smartphone malware trends in 2011
1) Explosive increase in the number of malicious codes that perform direct billing
Malicious applications that perform direct billing made up the bulk of Android-based threats in 2011. This type of malware abuses the fact that the smartphone OS lets applications place calls and send text messages, and combines it with premium-rate numbers. Once a device is infected, the malware sends text messages to a premium-rate number without the user’s permission, and the premium fee is charged to the sender. Android-Trojan/Pavelsms, the most recently discovered malicious code of this kind, was found in the scam apps also known as ‘ruFraud’.
2) Malicious applications disguised as famous applications
Some malware was disguised as famous applications with large user bases, such as Google Search, Google+, Angry Birds, Opera and Skype. This type of disguised malicious code is distributed mainly through third-party markets. It is difficult for users to tell the fakes from the real applications, since they copy everything from the name to the icon. Repackaged malware is another form of disguise: it takes a normal application, which continues to work as usual, adds malicious code to the package and redistributes it.
3) Increasing numbers of privacy-violating applications
Because smartphones hold personal information that is closely tied to daily life, through calls, text messages, cameras and GPS, leaking that information intrudes on users’ privacy. For instance, malware such as “Android-Spyware/Nicky” collects the user’s location, text message logs and call history. It can also wiretap calls by recording them with the device’s voice recording function. The number of such ‘digital stalking’ malicious codes is expected to grow in 2012.
4) Malicious codes that target personal financial information
Zeus, the notorious malicious code that steals online banking information, was found to operate in various mobile environments as well. The mobile variant, called Zitmo (Zeus In The Mobile), was first discovered on Symbian and BlackBerry and has recently been found on the Android platform. On Android, Zitmo disguises itself as an online banking security product. It intercepts incoming text messages in order to defeat two-factor authentication schemes that deliver the OTP (One Time Password) to the user by text message.
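The three behaviours described in this section (premium-rate SMS billing, location and call spyware, and interception of SMS-delivered OTPs) leave a footprint in the permissions an application requests. The following is an added example, not AhnLab code or detection logic: a static triage script that parses an AndroidManifest.xml and reports which of those permission patterns an app declares, and whether it registers a high-priority receiver for incoming SMS, the mechanism Zitmo-style malware uses to see a text before the messaging app does. The rule set, the 999 priority cut-off and both sample manifests are constructed for illustration; the permission and action names are real Android identifiers.

```python
"""Permission-based triage of an Android manifest for premium-rate SMS billing,
location/call spyware and SMS-OTP interception patterns.

Added example, not AhnLab code. Rules, thresholds and the sample manifests are
constructed; the android.permission.* and action names are real identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed rules: a behaviour is reported when every permission in its set
# is declared. Real triage would weigh these against the app's stated purpose.
RULES = {
    "premium-sms-billing": {"android.permission.SEND_SMS"},
    "sms-otp-interception": {"android.permission.RECEIVE_SMS",
                             "android.permission.INTERNET"},
    "location-and-call-spyware": {"android.permission.ACCESS_FINE_LOCATION",
                                  "android.permission.READ_SMS",
                                  "android.permission.RECORD_AUDIO"},
}


def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}


def sms_receiver_priorities(manifest_xml):
    """Priorities of every intent-filter registered for SMS_RECEIVED.

    Before Android 4.4 a receiver with a higher priority than the stock
    messaging app saw each incoming SMS first and could abort the broadcast,
    so an OTP could be stolen without the user ever seeing it.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for flt in root.iter("intent-filter"):
        actions = {a.get(NAME) for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            found.append(int(flt.get(PRIORITY, "0")))
    return found


def triage(manifest_xml):
    perms = declared_permissions(manifest_xml)
    matched = sorted(name for name, needed in RULES.items() if needed <= perms)
    prios = sms_receiver_priorities(manifest_xml)
    return {
        "permissions": sorted(perms),
        "matched_rules": matched,
        # assumption: a priority above 999 means "wants to beat the stock app"
        "high_priority_sms_receiver": any(p > 999 for p in prios),
    }


# Constructed manifest: a "game" that requests SMS permissions it has no
# business needing and registers a maximum-priority SMS receiver.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freebirds">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Free Birds">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary network-only app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader"/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

A hit from this script is a reason to look at the code, not a verdict: a legitimate messaging app needs SEND_SMS and RECEIVE_SMS too, which is why repackaged copies of well-known apps (the second trend above) are hard to catch on permissions alone and need comparison against the genuine package.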
AhnLab Inc (www.ahnlab.com), a leading provider of integrated security solutions, today announced the top 7 security threats for 2012. Sophisticated APT (Advanced Persistent Threat) attacks top the list. The remaining six threats are: a heightened threat level for smartphones; increasing security threats through SNS; localization of threats that exploit application vulnerabilities; increasing targeted threats against the infrastructure of specific countries or industries; threats to cloud computing and virtualization environments; and, finally, an increasing threat to network-connected systems.
1) Evolving APT attacks
APT attacks targeting enterprises and organizations will continue in 2012, and the methods used to deliver them are expected to become increasingly sophisticated. Until now, the main APT attack route has been a fake work email sent to specific members of the targeted enterprise or organization. The attacker collects email addresses and other information, such as the target’s friends and personal network, via SNS, then attaches a document that exploits a vulnerability or inserts a malicious URL into the fake email, impersonating somebody the target trusts on the basis of the information gathered. Some attackers have also modified the update files of commercial software widely used in business. In the future, attacks from inside the perimeter are expected to increase, exploiting handheld devices such as smartphones that are easily carried into an organization, or the equipment and software of third-party companies, since an organization often finds it difficult to adequately supervise their security.
2) Heightened threat level for smartphones
In 2010 the possibility of producing and distributing malicious applications for smartphones, especially Android-based ones, was widely anticipated. In 2011 such applications appeared in large numbers and developed means of exploiting OS vulnerabilities. In 2012 malicious applications are expected to improve further by adopting techniques long used by malware targeting conventional PC software, raising the infection rate on smartphones. Examples include stealth techniques that hide malicious code on the device and the acquisition of super user authority by exploiting vulnerabilities in the mobile operating system.
Inducing users to download malware from a website through social engineering, or infecting devices automatically through vulnerabilities in the mobile web browser, are also expected to become common attacks. Malicious applications that target financial or credit card information held by Internet banking or online shopping applications installed on smartphones are likely as well.
3) Increasing security threats through SNS
As SNS becomes an increasingly popular channel for instant communication and information sharing worldwide, cases that abuse it are also on the rise. Because a shortened URL does not reveal the full address of the linked website, malware distribution and phishing sites were increasingly spread in the form of shortened URLs. Such cases are expected to increase in 2012, and SNS is also a potential intrusion route for APT attacks.
4) Localization of threats that exploit application vulnerabilities
In 2011, attacks against vulnerabilities in widely used software such as operating systems decreased, while attacks exploiting vulnerabilities in applications used in specific geographical regions increased. Typical examples in Korea were Hangul, a widely used word processor, along with video player software, P2P clients and web storage programs. The infection technique was to email files that exploit these vulnerabilities, or to infect PCs automatically when they visit a compromised website. This trend is expected to continue in 2012, and such application vulnerabilities may also be used in other security threats, such as APT attacks.
5) Increasing attack attempts targeting infrastructure and industrial systems
Whether for financial gain or for political or religious reasons, the threat of attacks on the infrastructure and industrial systems of specific countries is expected to increase. This could escalate into a fully-fledged cyber war between nations if a national institution is revealed to be directly or indirectly involved in such an attack. An internal system that is accidentally connected to the Internet or to an external system through user negligence can become the entry point for an attack. Attacks are also likely to exploit vulnerabilities in the specialized software used in national industrial and institutional systems.
6) Threats to cloud computing and virtualization environments
Recently, a large number of enterprises have adopted cloud services based on virtualization technologies as a business model. While they maximize the utilization of resources, cloud services and virtualization technologies become a security threat when their vulnerabilities are exploited. In fact, many security vulnerabilities were found in widely adopted virtualization products in 2011, and SpyEye, which steals financial information, was distributed by abusing Amazon’s cloud service. AhnLab predicts that as cloud computing and virtualization services grow, they will become the target of various types of malware.
7) Increasing threats to network-connected systems such as smart TVs
Security threats to ‘smart devices’, such as smart TVs and smartphones, whose embedded software connects them to the network, are expected to increase. In particular, home appliances, which are widely used in daily life and usually have a long replacement cycle, may become exposed to persistent attacks. In one case from Japan, for example, an attack exploited a DVD recorder connected to the Internet. At a security conference, a hacker demonstrated that a specific system could be controlled externally by installing Linux on a Nintendo DS. As embedded systems designed for simple repetitive tasks are increasingly linked to networks, the likelihood of their becoming hacking targets, or sources of DDoS traffic, also increases.
Furthermore, hacktivism, the social phenomenon in which a system is hacked or a DDoS attack is launched to promote particular political or social ends, is expected to be a widely reported issue in 2012, especially given the present global environment, with presidential elections forecast in Korea, the US and Russia.
“As IT devices and the Internet environment improve, the techniques and distribution routes used by security threats are becoming increasingly complicated,” emphasized Howoong Lee, director of ASEC (AhnLab Security Emergency response Center). “Therefore, it is important to consider security when constructing infrastructure or developing a new device. Moreover, individuals, enterprises and institutions should be sure to maintain information security awareness as part of their daily routine.”
It’s time to say goodbye to 2011.
AhnLab lists the top 10 security trends of 2011.
1) APT attacks targeting enterprises increased
The distinctive feature of an APT (Advanced Persistent Threat) attack is that it targets a specific enterprise or organization for a particular reason and attacks it persistently. Typical examples include ‘Operation Aurora’, which attacked 34 organizations including Google, Adobe Systems, Juniper Networks and Yahoo; ‘Stuxnet’, which damaged uranium enrichment infrastructure in Iran; and ‘Night Dragon’, which targeted global oil, gas and petrochemical enterprises. Such attacks on enterprises and organizations have occurred constantly overseas. Within Korea too, a series of APT attacks aimed at financial and Internet companies wrought tremendous damage in the form of massive information leaks.
2) Rapid increase in malware targeting smartphones
As the number of mobile phone users grew, malware for mobile phones also increased rapidly. Large amounts of malware targeting the Android operating system were detected, driven, it is believed, by Android having the highest market share. One major cause of the rapid increase was the Premium Call/SMS revenue model, in which the sender pays for a call or SMS; in fact, 45% of the malware found on Android phones in 2011 used this model. The second major cause was the growth of ‘third-party markets’, which are not administered by any particular manufacturer. The third is that a mobile phone holds a great deal of important personal information, so more malware is written to harvest it.
3) Web-server attacks such as DDoS and SQL injection became commonplace
Attacks on HTTP-based web servers, which use the most common Internet protocol, increase constantly, and this year was no exception. SQL injection, cross-site scripting (XSS) and malicious IFRAME insertion are typical examples; in general they do not require specialist skills, partly because automated tools for them are mass-produced. DDoS became the typical attack for making a web service unavailable; in fact, 90% of DDoS attacks target web servers. The foreign sites most commonly reported as DDoS targets in 2011 were VISA, Mastercard, PayPal, the Sony PlayStation Network, WordPress and the Hong Kong Stock Exchange. Domestically, the 3/4 DDoS attack (March 4, 2011) was the most prominent example. The damage it caused was not severe compared with the 7/7 DDoS crisis of 2009, but it nevertheless served as a potent reminder of what a DDoS strike can do.
4) Malware exploiting web client software vulnerabilities continued to spread
Malware continued to spread by exploiting vulnerabilities in the most widely used web client software, such as Internet Explorer, Firefox and Adobe Flash Player, a trend that has persisted for years. The main purpose of such malware is to sell the stolen information for money. Internationally, many cases were reported of online banking information being stolen by ‘Zeus’ and ‘SpyEye’, spread through spam mail to random users. Within Korea, by contrast, the majority of malware was found to target the account information of online game users.
5) Evolution of malware self-preservation techniques
As the detection mechanisms of anti-virus products have been enhanced, the self-preservation techniques that malware uses to bypass or evade them have also become more sophisticated. This evolution is accelerating as malware production and protection techniques proliferate. The most advanced self-preservation technique seen is infecting the MBR (Master Boot Record) sector. In addition, such malware alters or patches parts of Windows system files to bypass detection, so that anti-virus programs have difficulty locating the original malicious file.
6) Increase in malware abusing digital signatures
There has been an increase in cases of malware abusing digital signatures. A digital signature is a mechanism for demonstrating that a specific file was produced by a specific entity; malware signed with a legitimate but misused certificate passes itself off as an authentic file from that entity in order to bypass detection by anti-virus products. Examples include ‘Stuxnet’, which targeted industrial systems, and ‘Zeus’, which steals online banking information. Malware signed with a Malaysian government digital certificate was found, and in Korea the digital signatures of some software companies and portal companies are known to have been abused by malware.
7) Attacks exploiting weaknesses in general applications increased
Attacks on weaknesses in general applications, meaning software that is neither an operating system nor a web browser, have shown a rising tendency. Vulnerabilities in Adobe Flash Player (SWF), Adobe Acrobat Reader (PDF) and MS Office have been the most exploited. In the second half of the year, attacks abusing weaknesses in Area-A Hangul were also discovered. In particular, malware exploiting zero-day vulnerabilities in Adobe Flash Player was used in the APT attacks on Mitsubishi, a Japanese defense contractor, and on EMC/RSA, an American IT security firm. Such malware pairs an application vulnerability with content the recipient is likely to be interested in, and is disseminated through email and SNS. These attacks have a high success rate because users pay less attention to installing security patches for applications than for operating systems or web browsers. Hence, the weaknesses of general applications are expected to be abused constantly.
8) Increase in attempts to attack industrial or national infrastructure
Past malware attacks mainly targeted individuals or enterprises, but recently the trend is expanding to the industrial base and national infrastructure. The basic infrastructure needed for the productive activity of society and enterprises, such as transportation, communication, energy and distribution facilities, has become a target. In fact, ‘Duqu’, thought to have been created by the same authors as ‘Stuxnet’, was found in various countries and was at the center of the hacking incidents at Japanese and Norwegian oil and defense companies, as well as the incident at a water supply system in Illinois in the US. The damage in these cases was limited to attempted attacks and information leakage, but it is a serious problem with the potential to cause huge damage should an attacker gain external control of such a system.
9) Sharp increase in online game hacking for financial gain
As of November 2011, 6,138 online game hacking tools had been detected, surpassing the 2010 total of 4,268. As the market for game items grew, such attacks for financial gain also increased.
10) Social engineering malware spreading through social networks and exploiting current events
There has been a dramatic increase in social engineering malware that exploits social issues such as the devastating earthquake in Japan and the deaths of Osama bin Laden, Steve Jobs and Kim Jong-il. Previously such malware spread as email attachments in the form of executable (EXE) or compressed (ZIP) files, but this year many cases used MS Office or Adobe Reader (PDF) documents instead. Owing to the increased popularity of SNS, such malware proliferates faster than ever before, a distinctive feature of 2011.
Continued from Part 1
* Follow @AhnLab_RSA on Twitter for more security information www.twitter.com/AhnLab_RSA
AhnLab TrusGuard DPX’s DDoS attack response methodology
AhnLab TrusGuard DPX (hereafter “TrusGuard DPX”) can detect and block various types of DDoS attack traffic without managing sessions. Accordingly, no session overload occurs, and normal traffic can be distinguished from DDoS attack traffic even in a network that uses asymmetric routing paths.
To detect normal traffic, TrusGuard DPX provides an Anti-Spoofing Filter that determines on its own whether traffic belongs to a genuine TCP session and whether its TCP state information is consistent. It also offers a BotNet Filter that determines whether traffic accessing the web is normal, so that attacks which bypass the existing URL Redirect technique can be handled. On this basis it automatically learns which source IPs are accessing normally and, in an emergency, blocks traffic from source IPs that are not. It handles not only TCP traffic, which carries state information, but also stateless packets such as UDP and ICMP.
It also offers the threshold-based filter, the traditional method of responding to DDoS attacks. If a source IP previously identified as normal starts sending more traffic than usual, it is detected and blocked against the threshold. Because the threshold is applied on top of the normal-traffic determination, this is far more accurate and produces fewer false positives than a single threshold-based policy. To calculate accurate thresholds, it offers an Automatic Self-Learning function, and can learn individual thresholds for up to 128 source IPs per protection target that are normal but transmit a great deal of traffic.
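Two of the ideas in the preceding paragraphs can be shown concretely: a threshold that is learned per source IP from a calm baseline rather than being one fixed number, and an HTTP redirect challenge that separates a browser, which follows the 302 and returns the cookie, from a flood tool that keeps replaying the same request. The following is an added example, not TrusGuard DPX code or its actual filters. The baseline and request log are constructed; the 3x multiplier, the 3-strike bot rule and the challenge secret are assumptions made for illustration (the 128-entry cap is the figure given in the text).

```python
"""Self-learned per-source thresholds plus an HTTP redirect challenge.

Added example, not TrusGuard DPX code. Traffic samples are constructed; the
multiplier, strike count and secret are illustrative assumptions.
"""
import hashlib
import hmac
import statistics
from collections import Counter


class SourceRateFilter:
    def __init__(self, multiplier=3.0, max_learned=128):
        self.multiplier = multiplier        # assumption: block at 3x the learned norm
        self.max_learned = max_learned      # text: up to 128 per-source thresholds
        self.default_threshold = None
        self.per_source = {}

    def learn(self, baseline):
        """baseline: {src_ip: requests_per_second} sampled while no attack is on."""
        typical = statistics.median(baseline.values())
        self.default_threshold = self.multiplier * typical
        # Sources that are normal but heavy (proxies, NAT gateways) would trip
        # the default threshold, so the heaviest of them get their own, up to
        # max_learned entries.
        heavy = sorted(baseline.items(), key=lambda kv: kv[1], reverse=True)
        for src, rate in heavy[: self.max_learned]:
            if rate > typical:
                self.per_source[src] = self.multiplier * rate

    def threshold_for(self, src):
        return self.per_source.get(src, self.default_threshold)

    def verdict(self, src, rate):
        """'block' once a source exceeds its own learned threshold."""
        return "block" if rate > self.threshold_for(src) else "pass"


SECRET = b"per-deployment-secret"   # assumption: random and rotated in practice


def challenge_token(src):
    """Cookie a client must return. Derived from the source address with a
    keyed hash, so the filter recomputes it instead of remembering what it
    issued (no per-client state)."""
    return hmac.new(SECRET, src.encode(), hashlib.sha256).hexdigest()[:16]


def classify_sources(requests, bot_after=3):
    """requests: (src_ip, path, cookie_or_None) in arrival order.

    A request without the right cookie is answered with a 302 back to the same
    path plus Set-Cookie. A browser follows it and comes back validated; a
    flood tool replaying the original request never does. A source becomes
    suspect after `bot_after` unanswered challenges (assumption).
    Returns (validated, suspect, responses)."""
    pending = Counter()
    validated, suspect, responses = set(), set(), []
    for src, path, cookie in requests:
        if cookie is not None and hmac.compare_digest(cookie, challenge_token(src)):
            validated.add(src)
            responses.append((src, 200, path))
            continue
        pending[src] += 1
        responses.append((src, 302, path))
        if pending[src] >= bot_after and src not in validated:
            suspect.add(src)
    return validated, suspect, responses


# Constructed baseline: four desktop users and one NAT gateway (192.0.2.10).
BASELINE = {"10.0.0.1": 2, "10.0.0.2": 3, "10.0.0.3": 2, "10.0.0.4": 4, "192.0.2.10": 30}

# Constructed request log: one browser, one bot, one guessed cookie.
REQUESTS = [
    ("10.0.0.5", "/index.html", None),
    ("10.0.0.5", "/index.html", challenge_token("10.0.0.5")),  # followed the 302
    ("203.0.113.7", "/index.html", None),
    ("203.0.113.7", "/index.html", None),
    ("203.0.113.7", "/index.html", None),                      # never returns a cookie
    ("203.0.113.8", "/index.html", "0000000000000000"),        # wrong cookie, one strike
]


def learned_filter(baseline=BASELINE):
    f = SourceRateFilter()
    f.learn(baseline)
    return f


if __name__ == "__main__":
    f = learned_filter()
    print(f.verdict("198.51.100.9", 25), f.verdict("192.0.2.10", 40))
    print(classify_sources(REQUESTS)[:2])
```

With the constructed baseline the learned default is 9 requests per second, but the NAT gateway keeps its own threshold of 90, so its ordinary bursts pass while a fresh attacking source at 25 requests per second is blocked. The redirect challenge validates the browser on its second request and marks the replaying source suspect after three unanswered redirects; the guessed cookie from 203.0.113.8 is rejected but, with only one strike, not yet flagged.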
<Dashboard screen capture of AhnLab TrusGuard DPX>
To cope with large-scale DDoS traffic exceeding the performance of a single product, two or more systems must be operated in an Active-Active structure. TrusGuard DPX provides a clustering function that runs up to 12 systems as one, handling a bandwidth of up to 120Gbps. In addition, it synchronizes the list of source IPs sending normal traffic among the up to 12 products in the cluster, so the administrator can run multiple products as a single system. It supports an inline configuration, with the system placed in the network path, and provides a Fault Tolerance function that bypasses the system in case of failure. It also supports an out-of-path configuration, with the system outside the network path, offering advanced auto-recovery so that it can be applied to large-scale network configurations. The out-of-path configuration can interoperate with Cisco routers and switches.
Future DDoS attacks will need less traffic: by exploiting vulnerabilities they will create a greater service load with fewer packets. An effective response is IPS-style blocking of the packets that target such vulnerabilities. Accordingly, TrusGuard DPX already includes a Signature Based Filter, and can thus cope with new threats more effectively.
Prediction of future changes in DDoS attacks and suggested response methods
As described above, there are many different types of DDoS attacks. To carry them out more effectively, attackers continuously develop new DDoS techniques, while defenders constantly research techniques for defending against them. Attackers and defenders are thus caught in a game of cat and mouse. For security firms to emerge as the winner, a new DDoS response technique is needed; focusing on defense against simple volume-based attacks, as existing threshold-based DDoS response products do, will inevitably be of limited use against ever-changing DDoS attacks.
AhnLab feeds TrusGuard DPX, its product specializing in DDoS response, with various kinds of malicious code intelligence and DDoS attack information. It analyzes the malicious codes that infect zombie PCs, the source of DDoS attacks, and quickly pushes the related information and policies to its endpoint products and network appliances. In other words, it analyzes new DDoS attack techniques and promptly applies new defense techniques to TrusGuard DPX.
DDoS attacks are likely to make increasing use of zombie PCs generating small volumes of traffic in order to bypass products dedicated to threshold-based DDoS response. Accordingly, the focus must shift from blocking attack traffic to detecting normal traffic, so that new DDoS attacks can be blocked in advance when their traffic is not normal and the response can be rapid. TrusGuard DPX provides clustering technology for handling large-scale traffic and supports various configuration methods, making it a thorough defense against DDoS attacks that ensures service continuity for customers.
- WooKyum Kim
Product manager, AhnLab, Inc.
Today most enterprises maintain an online presence, using the Internet to communicate with customers, sell products, provide services and ensure business continuity.
Consequently, if the services provided over the Internet are blocked, the interruption to business continuity directly affects the health of the company. In other words, ‘denial-of-service’ attacks directly impair business continuity.
There are many types of denial-of-service attack, including hacking the web server to shut it down, or acquiring privileges and destroying the system completely. The easiest method is to induce large volumes of traffic, known as a DDoS (Distributed Denial-of-Service) attack. DDoS does not require advanced techniques such as first gaining privileges on the server. It simply sends large volumes of traffic to the server or the service infrastructure, increasing the load so that normal users have difficulty receiving the service or the service is paralyzed altogether.
Various products and solutions for responding to DDoS threats are already available on the market. The most popular technique is a DDoS mitigator that detects and blocks large volumes of traffic in the network infrastructure. However, recent DDoS attacks are evolving to pass through or bypass the defense mechanisms of the DDoS mitigator. As a result, DDoS attacks continue endlessly and so does the damage they cause.
This article analyzes the recent evolution of DDoS attacks and introduces the DDoS defense technique provided by AhnLab’s TrusGuard DPX.
Evolution of DDoS threats
Attacks come from a sizable number of attack sources. Indeed, the most popular method is to transmit large volumes of traffic simultaneously from many sources to induce denial of service. For this purpose the attacker acquires a host of zombie PCs and controls them centrally to direct the DDoS attack. The attacker infects PCs with malicious code through diverse channels, unbeknown to their users, and the infected PCs become zombies. The zombie PC connects to the attacker’s server, receives commands and executes them. For example, zombie PCs can take part in a DDoS attack by sending large quantities of traffic to a certain website, or update themselves with new attack files containing additional attacks.
Recent DDoS techniques are evolving from simply generating large volumes of traffic to generating small volumes of traffic that resemble normal users’ traffic. A normal user does not send large amounts of traffic per second to the server, whereas DDoS attack traffic transmits far more than normal. If the target is a web page, a normal user sends ordinary web requests, while a volumetric DDoS attack sends so much data that it no longer resembles web access at all. Accordingly, blocking traffic whose volume or characteristics differ from normal traffic deals effectively with such attacks.
However, this defense has in turn changed the attacks: the attacker now sends small volumes of web request traffic that resemble a normal user’s pattern, bypassing volume-based blocking even though it is attack traffic. Needless to say, with a large enough number of zombie PCs, a denial-of-service attack can still be generated easily this way.
Furthermore, techniques exploiting the weaknesses of applications are used to strengthen denial-of-service attacks. For example, an attacker can hold an HTTP POST session open by sending one packet every 10 seconds, overloading the service with idle sessions, or craft traffic that passes the URL Redirect method used to validate HTTP clients.
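The slow HTTP POST technique just mentioned is invisible to a volume threshold: each connection carries a few bytes a minute. What gives it away is the shape of each request, a large announced body that arrives at a trickle for a long time, repeated across several connections from the same source. The following is an added example, not TrusGuard DPX code: a detector that applies exactly that check to a constructed snapshot of a server’s open POST requests. The 30-second age, 5-second gap, 200 bytes-per-second and 3-connection thresholds are assumptions for illustration.

```python
"""Detecting slow HTTP POST: a large announced body trickled in tiny, widely
spaced packets so the server keeps a worker and a session bound to a request
that never completes.

Added example, not TrusGuard DPX code. Each record is a constructed snapshot
of one open POST request; the thresholds are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class OpenPost:
    conn_id: str
    src: str
    content_length: int   # body size announced in the request header
    received: int         # body bytes that have actually arrived so far
    age_s: float          # seconds since the request header completed
    last_gap_s: float     # seconds since the previous body packet arrived


def is_slow_post(c, min_age_s=30.0, min_gap_s=5.0, max_rate_bps=200.0):
    """True when the request has been open for a while, its body is still
    incomplete, packets are widely spaced, and the observed rate is far below
    what any real upload would sustain. Young requests are never judged."""
    if c.age_s < min_age_s or c.received >= c.content_length:
        return False
    rate_bps = c.received / c.age_s
    return c.last_gap_s >= min_gap_s and rate_bps < max_rate_bps


def slow_post_sources(conns, min_conns=3):
    """Sources holding at least `min_conns` slow POSTs open at once. One slow
    upload may be a bad mobile link; a handful from one address is a tool."""
    per_src = Counter(c.src for c in conns if is_slow_post(c))
    return {src: n for src, n in per_src.items() if n >= min_conns}


# Constructed snapshot of the server's open POST requests.
SNAPSHOT = [
    # genuine 5 MB upload on a fast link: body arriving continuously
    OpenPost("c1", "10.0.0.5", 5_000_000, 3_200_000, 40.0, 0.02),
    # request that has just started: too young to judge
    OpenPost("c2", "10.0.0.6", 20_000, 300, 2.0, 1.5),
    # three connections from one source, each a 1 MB body fed a few bytes at a time
    OpenPost("c3", "203.0.113.7", 1_000_000, 60, 60.0, 10.0),
    OpenPost("c4", "203.0.113.7", 1_000_000, 55, 58.0, 9.5),
    OpenPost("c5", "203.0.113.7", 1_000_000, 70, 65.0, 10.0),
    # one slow connection on its own: flagged per connection, not per source
    OpenPost("c6", "198.51.100.2", 1_000_000, 80, 70.0, 8.0),
]


def flagged_connections(conns=SNAPSHOT):
    return [c.conn_id for c in conns if is_slow_post(c)]


if __name__ == "__main__":
    print(flagged_connections())          # ['c3', 'c4', 'c5', 'c6']
    print(slow_post_sources(SNAPSHOT))    # {'203.0.113.7': 3}
```

On the web server itself the equivalent control is a minimum body-read rate with a timeout (for example Apache’s mod_reqtimeout RequestReadTimeout directive), which closes such connections before the worker pool is exhausted; a network device in front of the server has to infer the same thing from packet timing, as the snapshot fields above do.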
DDoS techniques are proliferating at increasing speed. Conventional zombie PCs came into being without their users’ knowledge, but more recently, as more people join such attacks voluntarily, as in hacktivism, the number of voluntary zombie PCs has been increasing. Because the users of voluntary zombie PCs install and update new attack tools themselves, new DDoS techniques spread quickly. Accordingly, as DDoS attack techniques develop rapidly, there is growing concern that their speed of propagation will accelerate as well.
Key technologies to respond to evolving DDoS attacks
As described above, DDoS attack techniques continue to be developed, and particularly DDoS attack techniques transmitting traffic similar to that sent by normal users are increasing all the time. Additionally, a large number of zombie PCs are used to concentrate traffic in a short period of time.
Existing security products have the following limitations in coping with it:
A. Firewall product group
a. If normal sessions are generated by a large number of zombie PCs, a concurrent session overload will take place.
b. As sessions are connected in a short amount of time, CPS (Connection Per Second) performance capacity will be exceeded.
c. The connections of normal access sessions will be delayed or interrupted.
d. DDoS attacks target normal service. As the Firewall product group is always open to normal service, it is unsuitable for DDoS defense.
B. IPS products
a. Like firewall products, they suffer from session overload.
b. IPS is meant to block malicious packets, but as DDoS attack traffic carries no signature that identifies it as a harmful packet, it cannot be blocked.
C. Existing DDoS product group
a. IPS-based DDoS products suffer from session overload as well.
b. They block traffic when it exceeds the normal traffic volume.
c. In recent DDoS attacks, the volume is similar to or less than the normal traffic volume. Accordingly, they bypass the blocking methodology in (b) above.
In order to stand against ever evolving DDoS attacks, the following new technologies are necessary:
A. Stateless technology without session management must be used.
a. To avoid Concurrent Session and Connection Per Second limitations
B. The focus needs to be shifted from the viewpoint of ‘malicious traffic blocking’ to ‘normal traffic detection.’
a. Large volumes of traffic need to be detected and blocked.
b. Separating DDoS attacks whose traffic patterns resemble normal traffic from the normal traffic itself.
C. Strategy for responding to large traffic
a. Adopting the clustering technique for responding to mass volumes of traffic that cannot be handled by a single product is needed.
b. Technology for detecting normal traffic must be provided along with the clustering technique.
D. Diverse configuration methods:
a. Inline configuration with the bypass function for easy installation and effective response to failures
b. Out-of-path configuration for improved stability over large networks
E. Responding to DDoS attack traffic that exploits application vulnerabilities
a. Responding to attacks based on signatures, the strength of existing IPS products
b. Criteria and technology for sorting out normal traffic based on existing L4/L7 inspection
c. Threshold-based method from existing DDoS products
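The following is an added illustration, not AhnLab's code or product logic, of the shift from "malicious traffic blocking" to "normal traffic detection" described above: sources are judged by behaviour rather than volume, so low-rate zombies whose request count is no higher than a real user's (point C.c) are still separated from normal traffic, and the per-source verdicts are then aggregated to raise an alert only when many such sources act in concert. The log format, IP addresses, thresholds and the SAMPLE_LOG contents are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed access log (not real data): "ip timestamp method path status".
# 10.0.0.5 browses like a person (page, its assets, another page later); 10.0.0.9 and
# 10.0.0.10 re-request one page on a fixed 10-second clock and never load assets.
SAMPLE_LOG = """\
10.0.0.5 2012-01-10T10:00:00 GET /index.html 200
10.0.0.5 2012-01-10T10:00:01 GET /style.css 200
10.0.0.5 2012-01-10T10:00:01 GET /logo.png 200
10.0.0.5 2012-01-10T10:00:40 GET /news/1 200
10.0.0.5 2012-01-10T10:00:41 GET /style.css 304
10.0.0.9 2012-01-10T10:00:00 GET /index.html 200
10.0.0.9 2012-01-10T10:00:10 GET /index.html 200
10.0.0.9 2012-01-10T10:00:20 GET /index.html 200
10.0.0.10 2012-01-10T10:00:03 GET /index.html 200
10.0.0.10 2012-01-10T10:00:13 GET /index.html 200
10.0.0.10 2012-01-10T10:00:23 GET /index.html 200
"""
ASSET_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico")

def parse(log):
    """Group (timestamp, path) per source; no per-connection session state is kept."""
    per_src = defaultdict(list)
    for line in log.strip().splitlines():
        ip, ts, _method, path, _status = line.split()
        per_src[ip].append((datetime.fromisoformat(ts), path))
    return per_src

def features(reqs):
    """Behavioural features that do not depend on raw request volume."""
    times, paths = zip(*sorted(reqs))
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    # Coefficient of variation of inter-request gaps: near 0 means clock-driven timing.
    cv = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) > 1 and max(gaps) > 0 else 1.0
    return {"count": len(reqs),
            "distinct_ratio": len(set(paths)) / len(paths),
            "asset_ratio": sum(p.endswith(ASSET_EXT) for p in paths) / len(paths),
            "gap_cv": cv}

def classify(f):
    """'suspect' = repeats the same page on a fixed clock and never loads its assets."""
    if (f["count"] >= 3 and f["asset_ratio"] == 0.0
            and f["distinct_ratio"] <= 0.34 and f["gap_cv"] < 0.2):
        return "suspect"
    return "normal"

def analyse(log, min_suspects=2):
    """Per-source verdicts plus an alert when enough low-rate suspects act in concert."""
    verdicts = {ip: classify(features(r)) for ip, r in parse(log).items()}
    suspects = sorted(ip for ip, v in verdicts.items() if v == "suspect")
    return verdicts, suspects, len(suspects) >= min_suspects
```

A pure volume threshold would pass all three sources here, since each sends only a handful of requests per minute; the behavioural features are what single out the two zombies.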
- WooKyum Kim
Product manager, AhnLab, Inc.
To be continued in part 2
AhnLab has just opened its RSA website as the company participates in RSA 2012.
Visit http://conference.ahnlab.com and find AhnLab’s booth location, latest products and more.
You can also follow @AhnLab_RSA on Twitter for more security information.
The AhnLab ASEC Blog has already covered some cases of malware distribution through online ad banners. This one is not so different from the previous cases.
1. How was it distributed?
The picture below shows how the malware was distributed.
2. How it infects the PC
As you can see in Pic. 1, when the ad banner carrying the malicious script is shown on a vulnerable PC, the PC gets infected.
[Pic. 2] Malicious script inserted into the ad banner
When the malicious script starts its work, the first thing it does is download another malicious code from the following address: http://***.78.***.175/Ags/AGS.gif. There can be slight differences depending on the version of the web browser and the vulnerabilities present on the PC.
The malicious script uses the following vulnerabilities to download the other malicious codes.
※ Cumulative Security Update for Internet Explorer (2482017)
※ Adobe Flash Player vulnerability: CVE-2011-2140
The shellcode inserted in the malicious script, which exploits the vulnerabilities above, carries an encrypted URL; the payload at that URL is downloaded and run after the URL is decoded.
[Pic. 4] urlmon.URLDownloadToFileA
• edi= URL of malicious code to download, http://***.78.***.175/Ags/AGS.gif
• ebx= path to save the downloaded malicious code: %USERPROFILE%\Application Data\Y.exe
When Y.exe runs, it creates and backs up the file as shown in Pic. 5 below.
As you can see in [Pic. 5], the malicious ws2help.dll is a game-hack malware that steals the IDs and passwords of users of a specific online game by inline-patching HttpSendRequestA() in memory.
In [Pic. 6], you can see that once HttpSendRequestA() has been patched by ws2help.dll, execution branches off to 0x100030f0. This is done to steal the input data (ID/PW) before it is sent, and forward it to the chosen site shown in Pic. 7 below.
[Pic. 7] ID/PW data sent to a specific site
AhnLab's V3 (version 2011.11.21.00 or later) detects it as:
If you cannot run the antivirus because of the infection, please try the following cure tool from AhnLab.
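As an added illustration (not code from this post or from AhnLab), the check below takes the first bytes of an exported function such as HttpSendRequestA() as they would be read from process memory and reports whether the entry has been redirected outside the function's own module, which is exactly the shape of the inline patch seen in Pic. 6. The wininet.dll load range, the function address and the prologue bytes are constructed assumptions; only the 0x100030f0 branch target comes from the post.

```python
import struct

def decode_entry_branch(func_va, prologue):
    """Return the branch target if the function entry starts with an unconditional
    transfer, else None. Covers the two encodings commonly used by inline patches:
    E9 rel32 (jmp) and 68 imm32 / C3 (push target; ret)."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_va + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None

def check_inline_hook(name, func_va, prologue, module_range):
    """Flag the export as hooked when its entry branches outside its own module.
    A jump that stays inside the module (e.g. a legitimate stub) is not flagged."""
    lo, hi = module_range
    target = decode_entry_branch(func_va, prologue)
    hooked = target is not None and not (lo <= target < hi)
    return {"function": name, "hooked": hooked, "target": target}

# --- Constructed sample (addresses are hypothetical, not taken from the post) ---
WININET_RANGE = (0x77C00000, 0x77D00000)   # hypothetical load range of wininet.dll
FUNC_VA = 0x77C3A1F0                       # hypothetical VA of HttpSendRequestA
# Typical hot-patchable Windows prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")

def encode_jmp(from_va, to_va):
    """Encode 'jmp rel32' from from_va to to_va; used only to build the sample input."""
    return b"\xE9" + struct.pack("<i", to_va - (from_va + 5))

# Patched entry diverting into the game-hack DLL, matching the 0x100030f0 branch the
# post observed (0x10000000 is a common default DLL base, well outside wininet.dll).
PATCHED_PROLOGUE = encode_jmp(FUNC_VA, 0x100030F0)

if __name__ == "__main__":
    for label, pro in (("clean", CLEAN_PROLOGUE), ("patched", PATCHED_PROLOGUE)):
        print(label, check_inline_hook("HttpSendRequestA", FUNC_VA, pro, WININET_RANGE))
```

On a live system the prologue bytes would come from a memory read of the loaded module and the range from its image base and size; comparing them against the on-disk copy of the DLL is the usual complement to this check.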
You really need to stay updated.
Recently, a certain Russian website has been abused to spread mobile malware. The website also provided a QR code and a URL to promote the app.
[Pic 1. Russian website spreading the malware app ]
The app requests the SEND_SMS permission in order to send text messages. Whether an app actually needs this permission is a critical criterion for deciding whether it is malware.
Double check the app: does it really need SEND_SMS or not?
The malware is able to send SMS messages to the premium-rate number 2476, which costs 6 USD. Moreover, the malware is hard to read when it is disassembled.
[Pic 3. SMS message code]
Hi guys, we moved to a new place, from Yeouido to Pangyo. It's our own building for the first time in AhnLab's history! Let's take a look! Please remember that the keyword is 'communication between people'.
< AhnLab’s new home: Can you figure out big A in the picture?>
<CEO room: actually, it’s not a room. You can see there’s no door>
<Cafeteria: all AhnLab’s employees can enjoy low-price & high-quality coffee>
<The ground floor: There are big wooden steps where employees can rest or chat>
<Green Shaft: Unlike other buildings, AhnLab placed these stairs right in the middle of the building, from the ground floor to the top, so people don't need to wait for the elevator if they don't want to. People can also hold mini meetings in the wooden part>
<Rooftop park: AhnLab made the rooftop a place for rest and communication>
<Dining facility: Tonight, we dine in AhnLab’s mess hall!!>
We’ll update the pictures of AhnLab : )
Interest in zombie PCs is growing, as they have been labeled the main culprit in recent major customer information leaks. Since those incidents, 'zombie PC' has ranked high as a search term on several portals. The concept of a zombie PC is not very different from that of a malicious code. If so, why do similar terms keep coming up?
The term computer 'virus' has been known to the public since 1988. At the time, the term was an unfamiliar one, and many people confused it with a biological virus and thought that an infected disc was not usable. Actually, I did give a virus-infected floppy disc to my friends because I thought the same thing, although I was an elementary school kid at the time. The price of a floppy disc was around KRW1500 to KRW2000, but since the bus fare for elementary students was KRW60, the price of the floppy disc was rather expensive. It took several years to learn that a virus is a program that is capable of self-duplication.
The confusion regarding viruses began in 2000 when the term ‘worm’ was introduced. Unlike viruses, worms do not infect other files but spread through emails and shared folders, and were called ‘worm viruses.’ The reason for the different terms was that worms were not common knowledge, and they were different from viruses in certain characteristics. However, for general convenience, several companies did not separate worms from viruses, and even categorized all self-spreading malicious codes as viruses.
The bigger confusion happened in 2004, when malicious codes became well known. Malicious codes were first written in the 1990s, and since the early 2000s the term 'malicious code' was used to indicate viruses, worms, and Trojans. However, in Korea, the term caught on as some companies started to use it to describe adware, which became common around 2003. Also, vaccine companies started to use the term 'malicious code' more than the term 'virus'. That is why some users thought malicious codes were different from viruses. Currently, both media and users use the term 'malicious code' more than 'virus' because the word 'code' is more computer-friendly and reduces the confusion with biological viruses.
The recently used term ‘zombie PC’ also indicates malicious codes in terms of history and technology. The term ‘zombie’ refers to a corpse that is revived by Voodoo priests of South African religions, and the priest can control the corpse as a slave. However, the zombies in the movies are different from the original zombies. They are not controlled, and when they bite human flesh, the bitten person becomes a zombie. These are the zombies that appear in the movie <Night of the Living Dead> by director George A. Romero, and they became the mainstream zombies in the movies. The zombie in ‘zombie PC’ is rather like the original zombies.
The concept of a zombie PC is not new. The method of controlling other people’s PCs remotely through the Internet has been possible since 1998, and attacking through many infected PCs has also been popular since 2003. Therefore, details may differ, but in a broader meaning, a virus is malicious code, and a malicious code produces a zombie PC.
Then why has this rather old term ‘zombie PC’ suddenly become popular? Maybe the term ‘malicious code’ is too broad in meaning to attract interest from users, and a term such as ‘zombie PC’ was better.
Other new terms regarding security threats keep appearing. Gtbot, pmang, crimeware, and spearphishing are a few examples. However, except for APTs (advanced persistent threats), these new terms have not yet caught on.
Perhaps the reason for using different terms is that the old terms cannot capture the users’ attention due to users’ insensitivity to information security. Maybe that is why bolder and more sensational terms are appearing. I wonder what new malicious codes and new terms will appear in the future?
- Jacky Cha, Principal Researcher @ ASEC Department, AhnLab
Trojans remain the most reported malicious code in the third quarter according to recent findings from AhnLab Inc. (www.ahnlab.com), a leading provider of integrated security solutions. In the most recent AhnLab Security Emergency Response Center (ASEC) report, Trojans represented the most reported malicious code at 37.2%, as well as accounting for 36% of the top new malicious codes during the third quarter of 2011.
Based on a sampling pool of users in Korea, Trojans dominated the top twenty most reported malicious codes for the third quarter, followed by script (20.7%), and worm (10.8%). When examining the top 20 malicious codes reported in the third quarter of 2011, Textimage/Autorun ranks top at 16.2% (1,702,118 reported cases), followed by JS/Agent at 13.6% (1,429,508 reported cases) and the new Html/Agent at 9.7% (1,016,109 reported cases).
“Korea is regarded as one of the most advanced markets when it comes to IT, and we have found that research around threats and prevention in this market can reflect international patterns,” said Mr. Hongsun Kim, CEO of AhnLab. “The most recent ASEC report serves as an important reminder to users to remain alert to, and conscientious of, the myriad attacks threatening online security.”
The third quarter saw a decrease in malicious code reports compared to the previous quarter, dropping by 6,601,706 to 39,606,178. However, 13 newly identified malicious codes made up part of the top 20 malicious codes for the quarter.
Trojans are the most reported new malicious code, representing 36% of the top reported new malicious codes. It is followed by script at 22% and adware at 12%. Specifically, TextImage/Autorun is the most reported new malicious code at 17.1% (1,699,603 reported cases) of the top 20 new malicious codes, followed by JS/Agent at 14.4% (1,429,439 reported cases).
According to AhnLab’s security program, SiteGuard, in the third quarter the number of reported malicious codes increased 34% to 253,613 codes, as compared to the previous quarter. Furthermore, the number of reported types of malicious code increased 11% to 2,296 compared to the previous quarter. On the other hand, the number of reported domains with malicious code decreased by 5% to 1,971 as compared to the previous quarter.
The ASEC Report showed that Microsoft security updates continue to be issued for vulnerabilities. As in the first and second quarters, system vulnerabilities were the most prominent, accounting for 41% of updates, while IE vulnerabilities accounted for the smallest share of updates at 4%.
Global Malicious Code Trends—Third Quarter
In its most recent ASEC report, AhnLab emphasizes that malicious code trends in the third quarter are similar to that of the second quarter. The number of malicious codes distributed by exploiting vulnerabilities remains high.
As has been seen previously, most malicious code variants are restricted by specific regions. As regionalization of malicious codes becomes more pervasive, global malicious code statistics are no longer significant. Distribution of malicious codes remains common by hacking websites and exploiting vulnerabilities to insert malicious codes. However, distributing malicious codes via email or social network sites, such as Facebook and Twitter is also becoming increasingly common.
Bootkits, a type of malware that infects the Master Boot Record and allows malicious programs to be executed before the operating system boots, were also on the rise in the third quarter. In August, a new malware that modifies and infects Award BIOS was reported, and in September a bootkit that downloads online game hacking malware was reported in Korea. While numerous bootkits have appeared, they are not multiplying as these are more difficult to create compared to other malware. However, as bootkits are not easily detected and difficult to remove, cyber criminals are increasingly interested in their development.
Threats to smartphone security remained an issue in the third quarter. A malware posing as a PDF file was reported to infect Mac OS X, and a new piece of Android malware called GingerMaster was found exploiting Android 2.3 (Gingerbread). GingerMaster exploits Android 2.3, harvests data on infected Android smartphones and then sends the stolen information to a remote server. AhnLab cautions that extra care must be taken as smartphone security threats will continue to increase.
Cloud computing represents one of the most exciting technology trends and the antivirus industry has not been slow to embrace this opportunity. In fact, AhnLab, Inc. has added a cloud-based technology, AhnLab Smart Defense (ASD) to its product line. Hackers and cyber criminals have also been quick to take advantage of this trend and a rogue cloud antivirus ‘OpenCloud Antivirus’ was reported in September. This rogue system pretends to scan the system and claims to identify multiple infected files. Similar to other rogue antivirus, this system will trick victims into purchasing a license for the software. AhnLab warns users to exercise caution when implementing a cloud antivirus system.
To view the full ASEC Report, please visit: http://global.ahnlab.com/en/site/threat/asec/asecReportList.do
About AhnLab, Inc.
Headquartered in South-Korea, AhnLab Inc. (KSE: 053800) develops industry-leading security solutions and provides professional services that are designed to secure and protect critical business and personal information. As a leading innovator in the information security arena since 1988, AhnLab’s cutting edge products and services have been fulfilling the stringent security requirements of both enterprises and individual users. AhnLab’s products and services include anti-virus solutions, network, mobile and online game security, security management and consulting services. Today, AhnLab boasts a network of sales and research operations in more than 20 countries worldwide.