AhnLab Inc (www.ahnlab.com), a leading provider of integrated security solutions, today announced the major mobile security threat trends of 2011 and its threat predictions for 2012. According to AhnLab, the major mobile threats of 2011 were: an explosive increase in malware that runs up charges directly on the victim's account through premium-rate SMS and calls; malware disguised as well-known applications; a growing number of privacy-violating applications; and malware targeting personal financial information.
Its major mobile security predictions for 2012 are: mass distribution of malware that exploits vulnerabilities in applications and the OS; rootkits that attack the kernel; the emergence of 'zombie smartphones' and mobile botnets; and localized mobile malware that targets specific regions.
Mobile Security Threat Predictions for 2012
1) Mass distribution of malicious code that exploits vulnerabilities in applications and the OS
The most widely used malware distribution channel for Windows PCs is to compromise a website so that it serves malware to the many visitors who have not patched known vulnerabilities (a drive-by download). The same method is expected to move to the mobile environment, as the number of smartphone users keeps growing and more web pages are consequently viewed on smartphones. As on the PC, distributing malware to a mass audience in this way would constitute a significant security threat. Attackers will also try to exploit vulnerabilities in SNS (social network service) and email applications.
2) Rootkits that attack the smartphone kernel
Rooting an Android device or 'jailbreaking' an iPhone generally works by exploiting vulnerabilities in the OS or in privileged system components. These methods give the user 'super user' (root) permission and with it full control of the operating system. While root permission lets users unlock many restricted functions of the smartphone, the same authority becomes a serious threat in the wrong hands: an attacker with root permission can wipe the system partition and render the device unusable, or install malicious applications that the user cannot remove and that sit below the view of security software. As the volume of mobile malware grows, kernel-level attack techniques are expected to be distributed far more widely.
3) Emergence of ‘zombie smartphone’ and botnet
A zombie smartphone is a smartphone infected by a bot that performs malicious tasks under remote direction. If mass distribution of mobile malware takes hold, zombie smartphones can emerge as a new security threat: attackers can use them to launch DDoS (distributed denial of service) attacks, just as they use zombie PCs. Malware that attempts to build a botnet, a network of zombie smartphones, has already been found in a third-party market in China.
4) Localized mobile malware that targets a specific region
Although a variety of mobile malware was found in 2011, most of it targeted large markets such as Europe, Russia and China. Given that some small countries, such as Korea, have very large smartphone populations, attackers are expected to turn their attention to those markets as well. New types of malware built around the local mobile environment are a strong possibility.
Major smartphone malware trends in 2011
1) Explosive increase in malicious code that runs up charges directly (premium-rate SMS)
Malicious applications that run up charges directly made up the bulk of Android-based threats in 2011. This type of malware abuses the fact that the smartphone OS exposes calling and texting functions to applications, combined with premium-rate numbers whose charges are billed to the sender. Once a device is infected, the malware sends text messages to a premium-rate number without the user's permission, and the fee appears on the victim's bill. Android-Trojan/Pavelsms, the most recently discovered example, was found in scam apps belonging to the campaign also known as 'RuFraud'.
2) Malicious applications disguised as famous applications
Some malware was disguised as popular applications with large user bases, such as Google Search, Google+, Angry Birds, Opera and Skype. Disguised malware of this kind is distributed mainly through third-party markets. It is difficult for users to tell the fakes apart, since they copy the originals exactly, from names to icons. Repackaged malware is another form of disguise: the attacker takes a legitimate application, which continues to function normally, adds malicious code to it, re-signs it with his own key (the original developer's signing key is not available to him) and redistributes it.
3) Increasing numbers of privacy-violation applications
Because smartphones hold personal information that is closely tied to daily life, such as calls, text messages, camera images and GPS location, leaking this information intrudes directly on users' privacy. For instance, malware like "Android-Spyware/Nicky" collects the user's location, text message records and call history, and can also wiretap calls by recording them with the device's voice recording function. In 2012, the number of such 'digital stalking' malicious codes is expected to grow.
4) Malicious code targeting personal financial information
Zeus, the notorious malware that steals online banking credentials, was found to operate in mobile environments as well. Its mobile component, called Zitmo (Zeus In The Mobile), was first discovered on Symbian and BlackBerry and has recently been found on the Android platform. On Android, Zitmo disguises itself as an online banking security product. It intercepts incoming text messages in order to defeat two-factor authentication schemes that deliver a one-time password (OTP) by SMS: the PC component steals the login credentials and the mobile component forwards the OTP, so the attacker ends up holding both factors.
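The three mobile trends above (premium-rate abuse, disguised and repackaged apps, SMS-OTP interception) all leave traces in an app's metadata. The following is an added example, not AhnLab code: a triage routine over the fields you would extract from an APK, checking the signing-certificate fingerprint against a trusted-signer list (a repackaged app cannot carry the original developer's signature), a well-known label on a package that does not own it, and permission combinations that allow billing or SMS interception. The trusted-signer table, the label table, the package names and every fingerprint are constructed for illustration.

```python
"""Triage of Android app metadata against a list of trusted signers.

Added example, not AhnLab code. The AppInfo records stand in for what
you would extract from an APK (package name, display label, requested
permissions, SHA-256 fingerprint of the signing certificate). The
trusted-signer table, the label table and every fingerprint below are
constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical "known good" signing-certificate fingerprints, keyed by
# package name, collected in advance from genuine store copies.
TRUSTED_SIGNERS = {
    "com.example.birds": "aa" * 32,
    "com.example.bank": "bb" * 32,
}

# Hypothetical display labels of popular apps and the package that owns them.
KNOWN_LABELS = {
    "Birds Game": "com.example.birds",
    "Example Bank": "com.example.bank",
}

# Permissions that let an app incur charges or read one-time passwords.
BILLING_PERMS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
OTP_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NETWORK_PERMS = {"android.permission.INTERNET"}


@dataclass
class AppInfo:
    package: str
    label: str
    permissions: frozenset
    signer_sha256: str


def triage(app: AppInfo) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    perms = set(app.permissions)

    # 1. Disguise: a famous label on a package that does not own it.
    owner = KNOWN_LABELS.get(app.label)
    if owner is not None and owner != app.package:
        findings.append(f"label impersonation: '{app.label}' belongs to {owner}")

    # 2. Repackaging: the package name is known but the signer is not.
    #    An attacker who unpacks, modifies and rebuilds an APK cannot
    #    re-sign it with the original developer's private key, so a
    #    signer mismatch on a known package is the strongest indicator.
    expected = TRUSTED_SIGNERS.get(app.package)
    if expected is None:
        findings.append("unknown package: no trusted signer on record")
    elif app.signer_sha256.lower().replace(":", "") != expected:
        findings.append("signer mismatch: possible repackaged or fake app")

    # 3. Capabilities that matter for the threats in the text.
    if perms & BILLING_PERMS:
        findings.append("can incur charges: " + ", ".join(sorted(perms & BILLING_PERMS)))
    if (perms & OTP_PERMS) and (perms & NETWORK_PERMS):
        findings.append("can read incoming SMS and reach the network: "
                        "SMS one-time passwords could be forwarded")
    return findings


if __name__ == "__main__":
    genuine = AppInfo("com.example.birds", "Birds Game",
                      frozenset({"android.permission.INTERNET"}), "aa" * 32)
    fake = AppInfo("com.example.birds", "Birds Game",
                   frozenset({"android.permission.INTERNET",
                              "android.permission.SEND_SMS"}), "cc" * 32)
    for app in (genuine, fake):
        print(app.package, app.signer_sha256[:8], triage(app) or ["clean"])
```

The signer check is the one a user cannot perform by eye, since name and icon are copied exactly; the permission checks are deliberately coarse (a legitimate messaging app also needs SEND_SMS), so treat them as prompts for review rather than verdicts.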
AhnLab Inc (www.ahnlab.com), a leading provider of integrated security solutions, today announced its top 7 security threats for 2012. Sophisticated APT (Advanced Persistent Threat) attacks top the list. The remaining six are: a heightened threat level for smartphones; growing security threats delivered through SNS; localization of threats that exploit application vulnerabilities; more targeted attacks on the infrastructure of specific countries or industries; threats to cloud computing and virtualization environments; and, finally, growing threats to network-connected devices.
1) Evolving APT Attack
APT attacks targeting enterprises and organizations will continue in 2012, and the delivery methods are expected to become more sophisticated. Until now, the main attack route has been a fake work email sent to selected members of the targeted enterprise or organization. The attacker collects email addresses and details of the target's friends and professional network from SNS, then attaches a document that exploits a vulnerability or inserts a malicious URL into the fake email, impersonating somebody the target trusts on the basis of the information collected. Some attackers have gone further and modified the update files of commercial software widely used in business, so that the vendor's own update channel delivers the malware. In future, more attacks are expected to come from inside the perimeter, via handheld devices such as smartphones that are easily carried into an organization, or through the equipment and software of third-party suppliers, whose security an organization finds hard to supervise adequately.
2) Heightened threat-level for smartphones
In 2010 the possibility of malicious applications being produced and distributed for smartphones, especially Android-based ones, was anticipated. In 2011 it materialized: malicious applications that exploit OS vulnerabilities appeared and were produced in large numbers. In 2012, malicious applications are expected to adopt techniques long used by malware against conventional PC software, raising their infection rate on smartphones. Examples include stealth techniques that hide malicious code on the device and privilege escalation that gains super user authority by exploiting vulnerabilities in the mobile operating system.
Luring users to download malware from a website through social engineering, or infecting devices automatically through vulnerabilities in the mobile web browser, are also expected to become common attacks. Malicious applications that target financial or credit card information held by Internet banking or online commerce applications installed on smartphones are also likely.
3) Increasing security threat through SNS
As SNS becomes an increasingly popular channel for instant communication and information sharing worldwide, cases that exploit it are also on the rise. Because a shortened URL hides the full address of the linked site, links to malware distribution and phishing sites were increasingly circulated in shortened form. Such cases are expected to increase further in 2012, with SNS also serving as a potential intrusion route for APT attacks.
4) Localization of threats that exploit application vulnerabilities
In 2011, attacks against vulnerabilities in widely used software such as operating systems decreased, while attacks against vulnerabilities in applications used mainly in a specific geographical area increased. Typical examples in Korea were exploits for Hangul, the word processor widely used in the country, and for locally popular video players, P2P clients and web storage programs. The infection technique was either an emailed file containing the exploit or automatic infection of the PC when the user visited a website. This trend is expected to continue in 2012, and application vulnerabilities are also likely to be used in other threats, such as APT attacks.
5) Increasing attacks targeting infrastructure and industrial systems
Whether for financial gain or for political or religious reasons, attacks on the infrastructure and industrial systems of specific countries are expected to increase. Should a national institution be revealed as directly or indirectly involved in such an attack, it could escalate into a fully fledged cyber war between nations. Internal systems that are accidentally connected to the Internet or to an external system through user negligence can become the entry point for an attack, and attacks are also likely to exploit vulnerabilities in the specialized software used in national industrial or institutional systems.
6) Threats to cloud-computing and the virtualization environment
Recently, many enterprises have been adopting cloud services built on virtualization technology as a business model. While they offer maximum utilization of resources, cloud services and virtualization technologies become a security threat when their vulnerabilities are exploited, and many vulnerabilities were found in widely adopted virtualization products in 2011. In the same year the SpyEye malware, which steals financial information, was distributed from command-and-control infrastructure hosted on Amazon's cloud service, showing that attackers use the cloud as readily as their victims do. AhnLab predicts that as cloud computing and virtualization services grow, they will become the target of various types of malware.
7) Increasing threat to network-connected systems such as Smart TV
Security threats to 'smart devices', such as smart TVs and smartphones, whose embedded software connects them to a network, are expected to increase. Home appliances in particular, which are in daily use and usually have a long replacement cycle, risk being exposed to persistent attack, since an unpatched vulnerability may stay in service for years. In one case from Japan, an attack exploited a DVD recorder connected to the Internet, and at a security conference a hacker demonstrated external control of a system after installing Linux on a Nintendo DS. As embedded systems designed for simple repetitive tasks are increasingly networked, the likelihood of their becoming hacking targets or DDoS participants also increases.
Furthermore, hacktivism, in which systems are hacked or DDoS attacks are launched to promote particular political or social ends, is expected to be a widely reported issue in 2012, especially given the presidential elections forecast in Korea, the US and Russia.
"As IT devices and the Internet environment improve, the techniques and distribution routes used by security threats are becoming increasingly complicated," emphasized Howoong Lee, director of ASEC (AhnLab Security Emergency response Center). "Therefore, it is important to consider security when constructing infrastructure or developing a new device. Moreover, individuals, enterprises and institutions should be sure to maintain information security awareness as part of their daily routine."
It’s time to say goodbye to 2011.
AhnLab lists its top 10 security trends of 2011.
1) Number of APT attacks targeting enterprises has increased
The distinctive feature of an APT (Advanced Persistent Threat) attack is that it targets a specific enterprise or organization for a particular reason and attacks it persistently. Typical examples include 'Operation Aurora', which hit 34 organizations including Google, Adobe Systems, Juniper Networks and Yahoo; 'Stuxnet', which damaged uranium enrichment infrastructure in Iran; and 'Night Dragon', which targeted global oil, gas and petrochemical companies. Such attacks on enterprises and organizations have occurred constantly overseas. Within Korea too, a series of APT attacks on financial and Internet companies caused tremendous damage in the form of massive information leaks.
2) Rapid increase in malware targeting smartphones
As the number of mobile phone users has grown, malware for mobile phones has grown rapidly with it. Large amounts of malware targeting the Android operating system were detected, and this is believed to have been driven by Android having the largest market share. One of the major causes of the rapid increase was the premium call/SMS revenue model, a payment scheme in which the call or SMS charge is billed to the sender: in 2011, 45% of the malware found on Android phones used it. The second cause was the growth of third-party markets, which are not administered by any particular manufacturer. The third is that mobile phones hold a great deal of valuable personal information, which invites malware that fishes for it.
3) Web-server attacks such as DDoS and SQL injection become commonplace
Attacks on HTTP-based web servers, which use the most common Internet protocol, keep increasing, and this year was no exception. SQL injection, cross-site scripting (XSS) and malicious IFRAME injection are typical examples; they generally do not require specialist skills, partly because automated tools for them are mass-produced. DDoS became the typical attack for making a web service unavailable; in fact, 90% of DDoS attacks target web servers. The foreign sites most commonly reported as DDoS targets in 2011 were VISA, MasterCard, PayPal, the Sony PlayStation Network, WordPress and the Hong Kong Stock Exchange. Domestically, the 4 March 2011 DDoS attack was the most notable. The damage was not severe compared with the 7 July 2009 DDoS crisis, but it nevertheless served as a potent reminder of what a DDoS strike can do.
4) Malware exploiting web application weaknesses continues to spread
Malware that spreads by exploiting vulnerabilities in the most widely used web-facing software, such as Internet Explorer, Firefox and Adobe Flash Player, is a trend that has persisted. The main purpose of such malware is to sell the information it obtains. Internationally, many cases were reported of online banking information being stolen by 'Zeus' and 'SpyEye', which spread through spam mail to random users. Within Korea, by contrast, most malware targeted online game user account information.
5) Evolution of malware self-preservation techniques
As the detection mechanisms of anti-virus products have improved, the self-preservation techniques malware uses to bypass or evade them have become more sophisticated, and the evolution is accelerating as malware production and protection techniques proliferate. The most advanced self-preservation technique is infecting the MBR (Master Boot Record): a bootkit installed there runs before the operating system and the anti-virus engine load. In addition, such malware alters or replaces parts of the Windows system files, so it evades detection and anti-virus programs struggle to find the originating file.
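Because a bootkit lives in the first sector of the disk rather than in a file, the check that catches it is an offline comparison of that sector against a known-clean baseline. The following is an added example, not AhnLab code: it parses a 512-byte MBR image, verifies the 0x55AA boot signature, hashes the 446-byte boot-code region against a baseline hash, and sanity-checks the partition table (at most one active entry, no zero-length or overlapping partitions). The MBR images, the boot-code stub and the baseline hash are all constructed in code; on a real system you would read sector 0 of the disk and keep a baseline taken from a known-clean state.

```python
"""Offline integrity check of a 512-byte MBR image.

Added example, not AhnLab code. The MBR images are constructed in code
(a plausible boot-code stub plus a one-partition table), as is the
baseline hash; on a real system you would read sector 0 of the disk
and keep a baseline hash taken from a known-clean state.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: executable boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"       # bytes 510..511

# Constructed stand-in for clean boot code: cli / xor ax,ax then NOP padding.
CLEAN_BOOT_CODE = b"\xfa\x31\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()


def build_mbr(boot_code, partitions):
    """Assemble a test MBR. partitions: list of (active, type, lba_start, sectors)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (active, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "active": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr, baseline_sha256):
    """Return a list of findings; empty means the MBR matches expectations."""
    if len(mbr) != SECTOR:
        return ["image is not exactly 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    # A bootkit replaces the boot code so it runs before the OS and the
    # anti-virus engine load; a changed hash of this region is the tell.
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one partition marked active")
    for p in parts:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


if __name__ == "__main__":
    clean = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 204800)])
    tampered = build_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:], [(True, 0x07, 2048, 204800)])
    print("clean:   ", check_mbr(clean, BASELINE_SHA256) or ["ok"])
    print("tampered:", check_mbr(tampered, BASELINE_SHA256))
```

Run the check from clean media (a boot CD or another machine), not from the possibly infected OS: a bootkit that hooks disk I/O can hand a running anti-virus engine the original sector while the modified one is what actually executes, which is exactly why the text calls this the most advanced self-preservation technique.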
6) An increase in malware attacks exploiting a weakness in the Digital Signature
There has been an increase in malware that abuses digital signatures. A digital signature demonstrates that a specific file was produced by a specific entity; malware signed with a stolen or fraudulently obtained legitimate certificate passes itself off as an authentic file from that entity in order to bypass anti-virus detection. Examples include 'Stuxnet', which targeted industrial control systems, and 'Zeus', which steals online financial information. Malware signed with a Malaysian government certificate was found, and in Korea the digital certificates of several software companies and portal companies are known to have been abused by malware.
7) Attacks exploiting the weaknesses of general applications have increased
Attacks on weaknesses in general applications, meaning software that is neither an operating system nor a web browser, have been rising. Vulnerabilities in Adobe Flash Player (SWF), Adobe Acrobat Reader (PDF) and MS Office were the most exploited. In the second half of the year, attacks abusing vulnerabilities in Hangul were also discovered. In particular, malware exploiting zero-day vulnerabilities in Adobe Flash Player was used in the APT attacks on Mitsubishi Heavy Industries, a Japanese defense contractor, and on EMC/RSA, the American IT security firm. Such malware combines an application vulnerability with content of interest to the recipient and is distributed through email and SNS. These attacks have a high success rate because users pay less attention to patching applications than to patching operating systems and web browsers, so application vulnerabilities are expected to be abused constantly.
8) Increase in attempts to attack industrial or national infrastructure
Past malware attacks mainly targeted individuals or enterprises, but the trend is expanding to the industrial base and national infrastructure: the basic infrastructure that society and enterprises depend on, such as transportation, communication, energy and distribution facilities, has become a target. 'Duqu', malware thought to have been created by the same authors as 'Stuxnet', was found in several countries, and attacks on Japanese and Norwegian oil and defense industries, along with a reported intrusion into a water utility in Illinois in the US (which a subsequent DHS and FBI investigation found not to have been an attack), kept the issue at centre stage. The damage so far has been limited to attempted attacks and information leakage, but it is a serious problem with the potential to cause huge damage should an attacker gain external control of a system's control functions.
9) Sharp increase in online game hacking for financial purposes
As of November 2011, 6,138 online game hacking tools had been detected, surpassing the 4,268 detected in all of 2010. As the market for game items has grown, such financially motivated attacks have increased with it.
10) Social engineering exploiting news events, spread through social networks
There was a dramatic increase in social engineering malware that exploits newsworthy events such as the devastating earthquake in Japan and the deaths of Osama bin Laden, Steve Jobs and Kim Jong-il. Previously such malware spread as email attachments in the form of executable (EXE) or compressed (ZIP) files, but this year many cases used MS Office or Adobe Reader (PDF) documents instead. Owing to the popularity of SNS, such malware now proliferates faster than ever before, which is a distinctive feature of 2011.
Continued from Part 1
* Follow @AhnLab_RSA on Twitter for more security information www.twitter.com/AhnLab_RSA
AhnLab TrusGuard DPX’s DDoS attack response methodology
AhnLab TrusGuard DPX (hereafter "TrusGuard DPX") detects and blocks various types of DDoS attack traffic without managing sessions. Consequently, no session table overload occurs, and it can distinguish normal traffic from DDoS attack traffic even in a network using asymmetric routing, where the two directions of a connection take different paths and a stateful device would see only one of them.
To identify normal traffic, TrusGuard DPX provides an Anti-Spoofing Filter that determines on its own whether traffic belongs to a genuine TCP connection and whether its TCP state information is consistent. It also offers a BotNet filter that determines whether traffic accessing the web is normal, so that it can respond to attacks that bypass the existing URL redirect technique. On this basis it automatically identifies source IPs that are accessing the service normally and, when under attack, blocks traffic from source IPs that are not. It can also handle not only TCP traffic, which carries state information, but stateless packets such as UDP and ICMP.
Naturally, it also offers the threshold-based filter, the traditional method of responding to DDoS attacks. Should a source IP that was classified as normal by the preceding checks start sending more traffic than usual, it is detected and blocked on the basis of a threshold. Because the threshold is applied only to traffic that has already passed the normal-traffic checks, the result is far more accurate, with fewer false positives, than a single threshold-based policy. To set accurate thresholds, the product offers an automatic self-learning function, and it can learn individual thresholds for up to 128 source IPs per protection target that are legitimate but transmit a great deal of traffic.
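The per-source threshold idea in the two paragraphs above is easier to judge with numbers. The following is an added example and not AhnLab's implementation: it counts packets per source IP in fixed windows without keeping any connection state, learns a global threshold from traffic believed to be clean, and records individual thresholds for the few sources (a NAT gateway or proxy, say) that legitimately exceed it, capped at 128 entries as the text describes. The packet log is constructed; the one-second window, the median-based rule, the multipliers and the cap are illustrative choices, not the product's.

```python
"""Self-learned thresholds and per-source rate checks for one protection target.

Added example, not AhnLab's implementation. It sketches three ideas
from the text: attributing packets to source IPs without keeping a TCP
session table, learning a threshold from traffic believed to be clean,
and carrying a small table of per-source thresholds for legitimate
sources that send a lot (a NAT gateway or proxy, say). The packet log
is constructed; the one-second window, the median-based rule, the
multipliers and the cap of 128 learned sources are illustrative choices.
"""
from collections import Counter, defaultdict
from statistics import median

MAX_LEARNED_SOURCES = 128


def make_log(spec, t_start, duration):
    """Constructed traffic: (timestamp, src_ip, dst_ip) tuples, evenly spaced
    at the packets-per-second given for each source in spec."""
    log = []
    for src, pps in spec.items():
        for i in range(int(pps * duration)):
            log.append((t_start + i / pps, src, "198.51.100.10"))
    return sorted(log)


def rates_in_window(log, window_start, window_len):
    """Packets per second per source inside one window. Stateless: each
    packet is counted on arrival; no connection state is kept."""
    counts = Counter(src for ts, src, _ in log if window_start <= ts < window_start + window_len)
    return {src: n / window_len for src, n in counts.items()}


def learn_thresholds(log, window_len, global_factor=5.0, headroom=1.5):
    """Learning phase over clean traffic. Returns (global_thr, per_source):
    global_thr applies to any source; per_source holds individual
    thresholds for at most MAX_LEARNED_SOURCES heavy legitimate sources."""
    if not log:
        raise ValueError("empty learning log")
    t0 = min(ts for ts, _, _ in log)
    t1 = max(ts for ts, _, _ in log)
    rates_by_src = defaultdict(list)
    w = t0
    while w <= t1:
        for src, r in rates_in_window(log, w, window_len).items():
            rates_by_src[src].append(r)
        w += window_len
    # Median rather than mean, so a few heavy sources do not inflate the
    # threshold for everyone else.
    all_rates = [r for rs in rates_by_src.values() for r in rs]
    global_thr = global_factor * median(all_rates)
    peak = {src: max(rs) for src, rs in rates_by_src.items()}
    heavy = sorted((s for s in peak if peak[s] > global_thr), key=lambda s: -peak[s])
    per_source = {s: peak[s] * headroom for s in heavy[:MAX_LEARNED_SOURCES]}
    return global_thr, per_source


def detect(log, window_start, window_len, global_thr, per_source):
    """Sources whose rate in the window exceeds their own threshold if they
    have one, otherwise the global threshold."""
    rates = rates_in_window(log, window_start, window_len)
    return sorted(src for src, r in rates.items() if r > per_source.get(src, global_thr))


# Constructed data: four ordinary clients plus one NAT gateway (10.0.0.9)
# that legitimately sends 30 packets/s during the learning period.
LEARN_LOG = make_log({"192.0.2.1": 2, "192.0.2.2": 2, "192.0.2.3": 3,
                      "192.0.2.4": 2, "10.0.0.9": 30}, 0.0, 10.0)
# Later window: two new sources at 12 packets/s each alongside normal traffic.
ATTACK_LOG = make_log({"192.0.2.1": 2, "10.0.0.9": 30,
                       "203.0.113.5": 12, "203.0.113.6": 12}, 100.0, 2.0)

if __name__ == "__main__":
    g, ps = learn_thresholds(LEARN_LOG, 1.0)
    print(f"global threshold {g} pps, per-source {ps}")
    print("flagged:", detect(ATTACK_LOG, 100.0, 1.0, g, ps))
```

With this data the learned global threshold is 10 packets/s and the NAT gateway gets its own 45 packets/s allowance, so its 30 packets/s passes while two unknown sources at 12 packets/s are flagged; the same 30 packets/s from an address that was not seen during learning would be blocked. The learning period must itself be clean, which is why the text places this filter after the normal-traffic checks rather than in front of them.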
<Dashboard screen capture of AhnLab TrusGuard DPX>
To cope with DDoS traffic exceeding the capacity of a single appliance, two or more systems must operate in an active-active arrangement. TrusGuard DPX provides a clustering function that runs up to 12 systems as one, handling up to 120 Gbps in total, and synchronizes the list of source IPs classified as normal across all members of the cluster, so the administrator manages them as a single system. It supports inline deployment, in the path of the network link, with a fault-tolerant bypass in case of system failure, and out-of-path deployment, outside the link, with an advanced auto-recovery function suited to large-scale networks. The out-of-path configuration can interoperate with Cisco routers and switches.
Future DDoS attacks will need less traffic: by exploiting vulnerabilities in the target's software they will generate a greater service load per packet. An effective response is an IPS that blocks the packets that trigger such a vulnerability. TrusGuard DPX therefore already includes a signature-based filter and can cope with such threats more effectively.
Prediction of future changes in DDoS attacks and suggestion of response methods
As described above, there are many types of DDoS attack, and attackers continuously develop new techniques to make them more effective, while defenders constantly research defenses against them. Attackers and defenders remain caught in a game of cat and mouse, and for security vendors to come out ahead, a new DDoS response technique is needed: products that focus on simple threshold-based defense, as existing DDoS products do, will inevitably be limited in coping with ever-changing attacks.
AhnLab feeds TrusGuard DPX, its product specializing in DDoS response, with the malicious code and DDoS attack intelligence it collects. It analyzes the malware that infects the zombie PCs from which DDoS attacks originate and quickly pushes the resulting information and policies to its endpoint products and network appliances; in other words, it analyzes new DDoS attack techniques and promptly applies new defenses to TrusGuard DPX.
DDoS attacks are likely to make increasing use of zombie PCs that each generate small volumes of traffic in order to bypass products that rely on thresholds. The focus must therefore shift from blocking attack traffic to identifying normal traffic, so that traffic that cannot be identified as normal is blocked before it affects the service and new kinds of DDoS attack can be dealt with quickly. With clustering to handle large-scale traffic and support for various deployment methods, TrusGuard DPX is well suited to defending against DDoS attacks and ensuring continuity of service for customers.
- WooKyum Kim
Product manager, AhnLab Inc.
Today most enterprises maintain an online presence, using the Internet to communicate with customers, sell products, provide services and ensure business continuity.
Consequently, if the services a company provides over the Internet are blocked, the disruption to business continuity directly affects the company's health. In other words, 'denial-of-service' attacks directly impair business continuity.
There are many types of denial-of-service attack, from hacking the web server to shut it down, to gaining administrative access and destroying the system outright. The easiest is the technique of generating large volumes of traffic, known as DDoS (Distributed Denial of Service). DDoS does not require advanced skills such as first gaining access to the server: it means sending large volumes of traffic to the server or the infrastructure that provides the service, increasing the load until normal users have difficulty getting service or the service is paralyzed altogether.
Various products and solutions for responding to DDoS threats are already on the market. The most common technique is a DDoS mitigator that detects and blocks large volumes of traffic in the network infrastructure. However, recent DDoS attacks are evolving to pass through or bypass the mitigator's defenses, so DDoS attacks continue unabated and the damage they cause continues to mount.
This article analyzes the development of recent DDoS attacks, and introduces the DDoS defense technique provided by AhnLab’s TrusGuard DPX.
Evolution of DDoS threats
Attacks come from a large number of sources. Indeed, the most popular method is to transmit large volumes of traffic simultaneously from many sources in order to cause denial of service. To this end the attacker acquires a host of zombie PCs and controls them centrally to carry out DDoS attacks. The attacker infects PCs with malicious code through diverse channels, without the owners' knowledge, and the infected PCs are then employed as zombies. A zombie PC connects to the attacker's command server, receives commands and executes them: for example, it may take part in a DDoS attack that sends large quantities of traffic to a particular website, or update itself with a new attack file that adds further attack capabilities.
Recent DDoS attack techniques are evolving from simply generating large volumes of traffic to generating small volumes that resemble a normal user's traffic. A normal user does not send large amounts of traffic per second to the server, whereas classic DDoS attack traffic sends far more than normal, and a volumetric flood aimed at a web page does not even look like web access traffic. Accordingly, blocking traffic whose volume or characteristics differ from normal traffic deals effectively with attacks of that kind.
That defense, however, has changed the attacks: the attacker now sends small volumes of web access traffic that mimic the pattern of a normal user, and this bypasses the blocking technique even though it is attack traffic. Needless to say, with a large enough number of zombie PCs, a denial-of-service attack can still be generated easily in this way.
Furthermore, techniques that take advantage of application weaknesses are used to strengthen denial-of-service attacks. For example, a slow HTTP POST attack sends a single packet every 10 seconds or so while keeping the request open, tying up the server's connection slots with very little traffic, and attack tools now follow the URL redirect that some defenses use to validate HTTP clients, so that check alone no longer separates bots from browsers.
DDoS techniques are proliferating faster and faster. Zombie PCs used to be created without their owners' knowledge, but recently, as more people willingly join in such attacks, as in hacktivism, the number of voluntary zombie PCs has grown. Because these users install and update new attack tools themselves, new DDoS techniques are adopted quickly, and there is growing concern that the speed at which they spread will accelerate as well.
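The slow HTTP POST pattern above is defeated not by counting packets but by requiring a minimum transfer rate for the request body. The following is an added example, not AhnLab code: it models the policy a web server applies to a body read (Apache's mod_reqtimeout is one real implementation of the idea; the field names and numbers here are this example's own). Every byte received extends the allowed read time in proportion to the required rate, up to a hard cap, so a one-byte-every-ten-seconds sender is cut off after the first interval while a browser that posts a form at once is untouched. The connection timelines are constructed; body completion is not modeled.

```python
"""Minimum data rate enforcement for slow HTTP POST bodies.

Added example, not AhnLab code. It mirrors what web servers do with a
request-body read timeout plus a minimum transfer rate (Apache's
mod_reqtimeout is one real implementation; the policy fields and
numbers here are this example's own). Each connection timeline is a
constructed list of (seconds since headers completed, body bytes
received at that moment).
"""
from dataclasses import dataclass


@dataclass
class BodyReadPolicy:
    initial_grace_s: float = 10.0   # time allowed before any body byte arrives
    min_rate_bps: float = 500.0     # every byte received buys 1/min_rate seconds more
    max_total_s: float = 60.0       # hard cap on the whole body read


def deadline(events, policy, now):
    """Latest acceptable time for the next body byte, given what has
    arrived up to `now`. Bytes already received extend the grace period
    in proportion to the required rate, but never beyond the hard cap."""
    received = sum(n for ts, n in events if ts <= now)
    return min(policy.initial_grace_s + received / policy.min_rate_bps, policy.max_total_s)


def verdict(events, policy, now):
    """'ok' while the sender is within the allowance, otherwise a close reason."""
    if now > policy.max_total_s:
        return "close: body read exceeded hard cap"
    if now > deadline(events, policy, now):
        return "close: body arriving below minimum rate"
    return "ok"


def first_close_time(events, policy, horizon, step=1.0):
    """Walk the timeline in steps; return the first time the connection
    would be closed, or None if it survives until `horizon`."""
    t = 0.0
    while t <= horizon:
        if verdict(events, policy, t) != "ok":
            return t
        t += step
    return None


# Constructed timelines.
NORMAL_POST = [(0.2, 4000)]                          # browser sends a 4 KB form at once
SLOW_POST = [(10.0 * k, 1) for k in range(1, 7)]     # one byte every 10 seconds

if __name__ == "__main__":
    p = BodyReadPolicy()
    print("normal post at t=1s:", verdict(NORMAL_POST, p, 1.0))
    print("slow post closed at:", first_close_time(SLOW_POST, p, 60.0))
```

The policy is a per-connection rule, so it needs no knowledge of other clients and scales with the number of connections rather than the traffic volume; its cost is that genuinely slow uplinks (a large upload over a poor mobile connection) must be accommodated by the rate you choose, which is why the minimum rate is set low and the grace period generous.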
Key technologies to respond to evolving DDoS attacks
As described above, DDoS attack techniques keep developing, and in particular techniques that transmit traffic resembling that of normal users are on the rise, while large numbers of zombie PCs are used to concentrate traffic in a short period of time.
Existing security products have the following limitations in coping with this:
A. Firewall product group
a. If a large number of zombie PCs each open normal sessions, the concurrent session table overflows.
b. As sessions are opened in a short time, the CPS (connections per second) capacity is exceeded.
c. Normal users' sessions are delayed or interrupted.
d. DDoS attacks target the service itself, and the firewall must leave that service open, so it is unsuitable for DDoS defense.
B. IPS products
a. Like firewall products, IPS suffers from session overload.
b. IPS intends to block malicious packets, but as DDoS attack traffic does not have the signature defining it as a harmful packet, it cannot be blocked.
C. Existing DDoS product group
a. IPS-based DDoS products suffer from session overload as well.
b. It blocks the traffic if it exceeds the normal traffic volume.
c. Looking at recent DDoS attacks, the volume is similar to or less than the normal traffic volume. Accordingly, they bypass the DDoS blocking method described in (b) above.
In order to stand against ever evolving DDoS attacks, the following new technologies are necessary:
A. Stateless technology without session management must be used.
a. To avoid concurrent-session and connection-per-second limitations.
B. The focus needs to be shifted from the viewpoint of ‘malicious traffic blocking’ to ‘normal traffic detection.’
a. Large volumes of traffic need to be detected and blocked.
b. Separating DDoS attacks that use traffic patterns similar to normal traffic from the normal traffic itself.
C. Strategy for responding to large traffic
a. The clustering technique must be adopted to respond to mass volumes of traffic that cannot be handled by a single product.
b. Technology for detecting normal traffic must be provided along with the clustering technique.
D. Diverse configuration methods:
a. Inline configuration with the bypass function for easy installation and effective response to failures
b. Out-of-path configuration for improved stability over large networks
E. Responding to DDoS attack traffic that exploits application vulnerabilities
a. Responding to attacks based on signatures, the strength of existing IPS products
b. Criteria and technology for sorting out normal traffic based on existing L4/L7 techniques
c. Threshold-based method from existing DDoS products
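The limitations above (session overload on stateful devices, and per-source volume that stays under a blocking threshold) can be checked on connection records. The following is an added example, not AhnLab product code; the thresholds and the sample connections are assumptions constructed for the example.

```python
"""Spot the 'one packet every 10 seconds on an open HTTP POST' pattern and the
session-table overload it causes, from per-connection records.
Added example; thresholds and sample data are constructed, not AhnLab's."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Conn:
    src: str       # client IP
    method: str    # HTTP method
    start: float   # connection open time (seconds)
    end: float     # connection close time (seconds)
    packets: int   # packets sent by the client during the connection


# Assumed thresholds for the example (not product settings).
SLOW_MIN_DURATION = 60.0   # a request body kept incomplete this long is suspect
SLOW_MAX_PKT_RATE = 0.2    # packets/s; one packet every 10 s is 0.1
SESSION_CAPACITY = 20      # concurrent sessions the protected device can hold


def slow_post_sessions(conns: List[Conn]) -> List[Conn]:
    """POST sessions held open for a long time at a trickle packet rate."""
    found = []
    for c in conns:
        duration = c.end - c.start
        if c.method != "POST" or duration < SLOW_MIN_DURATION:
            continue
        if c.packets / duration <= SLOW_MAX_PKT_RATE:
            found.append(c)
    return found


def concurrency_timeline(conns: List[Conn], step: float = 10.0) -> Dict[float, int]:
    """Number of open sessions sampled every `step` seconds."""
    if not conns:
        return {}
    t, t_end = min(c.start for c in conns), max(c.end for c in conns)
    timeline = {}
    while t <= t_end:
        timeline[t] = sum(1 for c in conns if c.start <= t < c.end)
        t += step
    return timeline


def overload_samples(conns: List[Conn], capacity: int = SESSION_CAPACITY,
                     step: float = 10.0) -> List[float]:
    """Sample times at which open sessions exceed the session capacity: the
    concurrent-session overload a stateful firewall or IPS runs into."""
    return [t for t, n in concurrency_timeline(conns, step).items() if n > capacity]


def per_source_looks_normal(conns: List[Conn], max_pkts_per_src: int = 50) -> bool:
    """True when no single source exceeds a per-source packet budget, i.e. a
    volume-based blocking rule would not fire even though the host is overloaded."""
    pkts = Counter()
    for c in conns:
        pkts[c.src] += c.packets
    return max(pkts.values(), default=0) <= max_pkts_per_src


# Constructed sample: 5 normal browsers with short GETs, and 30 zombie PCs on
# distinct addresses, each holding one POST open for 120 s at one packet per 10 s.
SAMPLE: List[Conn] = (
    [Conn("192.0.2.%d" % i, "GET", float(i), float(i) + 1.0, 8) for i in range(1, 6)]
    + [Conn("198.51.100.%d" % i, "POST", 5.0, 125.0, 12) for i in range(1, 31)]
)


def analyse(conns: List[Conn] = SAMPLE) -> Dict[str, object]:
    slow = slow_post_sessions(conns)
    return {
        "slow_post_sources": sorted({c.src for c in slow}),
        "overload_samples": overload_samples(conns),
        "per_source_normal": per_source_looks_normal(conns),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```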
- WooKyum Kim
Product manager, AhnLab, Inc.
To be continued in part 2
AhnLab has just opened its RSA website as the company participates in RSA 2012.
Visit http://conference.ahnlab.com to find AhnLab’s booth location, latest products and more.
You can also follow @AhnLab_RSA on Twitter for more security information.
The AhnLab ASEC Blog has already covered some cases of malware distribution using online ad banners. This one is not far from the previous cases.
1. How was it distributed?
The picture below shows how the malware was distributed.

[pic. 1] Malware distribution route
2. How it infects the PC
As you can see in Pic. 1, when an ad banner carrying the malicious script is shown to a vulnerable PC, the PC is infected.
[Pic. 2] Malicious script inserted into the ad banner
When the malicious script starts its work, the first thing it does is download another malicious code from the following address: http://***.78.***.175/Ags/AGS.gif. There can be slight differences depending on the browser version and the vulnerabilities present on the PC.
The malicious script uses the following vulnerabilities to download other malicious code.
※ Cumulative Security Update for Internet Explorer (2482017)
http://technet.microsoft.com/en-us/security/bulletin/ms11-003
※ Adobe Flash Player vulnerability: CVE-2011-2140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2140
http://www.adobe.com/support/security/bulletins/apsb11-21.html
The shellcode inserted in the malicious script that exploits the vulnerabilities above carries an encrypted URL. The URL is decoded, and the file at that address is downloaded and run.

[Pic. 3] Decoding routine of the Shellcode
[Pic. 4] urlmon.URLDownloadToFileA
• edi = URL of the malicious code to download: http://***.78.***.175/Ags/AGS.gif
• ebx = path to save the downloaded malicious code: %USERPROFILE%\Application Data\Y.exe
When Y.exe runs, it creates and backs up files as shown in Pic. 5 below.

[Pic. 5] Running process of Y.exe
As you can see in [Pic. 5], the malicious ws2help.dll is a gamehack malware that steals the ID and password of users of a specific online game by inline-patching HttpSendRequestA() in memory.

[Pic. 6] Before&after of HttpSendRequestA() by ws2help.dll
In [Pic. 6], you can see that HttpSendRequestA() is made to branch to 0x100030f0 once it has been patched by ws2help.dll. This is to steal the entered data (ID/PW) before the request is sent, and forward it to the site shown in Pic. 7.
[Pic. 7] ID/PW data sent to a specific site
AhnLab’s V3 (version 2011.11.21.00 or later) detects it as:
- JS/Shellcode
- JS/Downloader
- Dropper/Win32.OnlineGameHack
If you cannot run antivirus because of the infection, please try the following cure tool from AhnLab.
GameHackKill cure tool (download)
You really need to stay updated.
Recently, a certain Russian website has been abused to spread mobile malware. The website also provides a QR code and a URL for promoting the app.
The middle of the website shows a URL that links directly to the app download. It also has a page for scanning the QR code, as well as an introduction to the app.

[Pic 1. Russian website spreading the malware app ]
The SEND_SMS permission is required when text messages are sent. It is critical in determining whether the app is malware or not.
Double-check whether the app really needs to use SEND_SMS or not.

[Pic 2. Information of the malware]
The malware is able to send SMS messages to the premium-rate number 2476, which costs 6 USD per message. Moreover, the malware is hard to read when it is disassembled.
[Pic 3. SMS message code]
Hi guys, we moved to new place, from Yeouido to Pangyo. It’s our own building for the first time in AhnLab’s history! Let’s take a look! Please remember that the keyword is ‘communication between people’
< AhnLab’s new home: Can you figure out big A in the picture?>
<CEO room: actually, it’s not a room. You can see there’s no door>
<Cafeteria: all AhnLab’s employees can enjoy low-price & high-quality coffee>
<The ground floor: There are big wooden steps where employees can rest or chat>
<Green Shaft: Unlike other buildings, AhnLab placed these stairs right in the middle of the building, from the ground floor to the top. So people don’t need to wait for the elevator if they don’t want to. People can also hold mini meetings in the wooden area>
<Rooftop park: AhnLab made the rooftop a place to rest and communicate>
<Dining facility: Tonight, we dine in AhnLab’s mess hall!!>
We’ll update the pictures of AhnLab : )
Interest in zombie PCs is growing, as they have been labeled the main culprit in recent major customer information leakages. Since the incidents, ‘zombie PC’ has ranked high as a search term on several portals. The concept of a zombie PC is not very different from that of a malicious code. If so, why do similar terms keep coming up?
The term computer ‘virus’ has been known to the public since 1988. At the time, the term was an unfamiliar one, and many people confused it with a biological virus and thought that an infected disc was not usable. Actually, I did give a virus-infected floppy disc to my friends because I thought the same thing, although I was an elementary school kid at the time. The price of a floppy disc was around KRW1500 to KRW2000, but since the bus fare for elementary students was KRW60, the price of the floppy disc was rather expensive. It took several years to learn that a virus is a program that is capable of self-duplication.
The confusion regarding viruses began in 2000 when the term ‘worm’ was introduced. Unlike viruses, worms do not infect other files but spread through emails and shared folders, and were called ‘worm viruses.’ The reason for the different terms was that worms were not common knowledge, and they were different from viruses in certain characteristics. However, for general convenience, several companies did not separate worms from viruses, and even categorized all self-spreading malicious codes as viruses.
The bigger confusion happened in 2004 when malicious codes became well known. Malicious codes were first written in the 1990s, and since the early 2000s, the term ‘malicious code’ was used to indicate viruses, worms, and Trojans. However, in Korea, the term caught on as some companies started to use it to describe adware, which became common around 2003. Also, vaccine companies started to use the term ‘malicious code’ more than the term ‘virus’. That is why some users thought malicious codes were different from viruses. Currently, both media and users use the term ‘malicious code’ more than ‘virus’ because the word ‘code’ is more computer-friendly and reduces the confusion with biological viruses.
The recently used term ‘zombie PC’ also indicates malicious codes in terms of history and technology. The term ‘zombie’ refers to a corpse that is revived by Voodoo priests of South African religions, and the priest can control the corpse as a slave. However, the zombies in the movies are different from the original zombies. They are not controlled, and when they bite human flesh, the bitten person becomes a zombie. These are the zombies that appear in the movie <Night of the Living Dead> by director George A. Romero, and they became the mainstream zombies in the movies. The zombie in ‘zombie PC’ is rather like the original zombies.
The concept of a zombie PC is not new. The method of controlling other people’s PCs remotely through the Internet has been possible since 1998, and attacking through many infected PCs has also been popular since 2003. Therefore, details may differ, but in a broader meaning, a virus is malicious code, and a malicious code produces a zombie PC.
Then why has this rather old term ‘zombie PC’ suddenly become popular? Maybe the term ‘malicious code’ is too broad in meaning to attract interest from users, and a term such as ‘zombie PC’ was better.
Other new terms regarding security threats keep appearing. Gtbot, pmang, crimeware, and spearphishing are a few examples. However, except for APTs (advanced persistent threats), these new terms have not yet caught on.
Perhaps the reason for using different terms is that the old terms cannot capture users’ attention due to their insensitivity to information security. Maybe that is why bolder and more sensational terms are appearing. I wonder what new malicious codes and new terms will appear in the future.
- Jacky Cha, Principal Researcher @ ASEC Department, AhnLab
Trojans remain the most reported malicious code in the third quarter according to recent findings from AhnLab Inc. (www.ahnlab.com), a leading provider of integrated security solutions. In the most recent AhnLab Security Emergency Response Center (ASEC) report, Trojans represented the most reported malicious code at 37.2%, as well as accounting for 36% of the top new malicious codes during the third quarter of 2011.
Based on a sampling pool of users in Korea, Trojans dominated the top twenty most reported malicious codes for the third quarter, followed by script (20.7%), and worm (10.8%). When examining the top 20 malicious codes reported in the third quarter of 2011, Textimage/Autorun ranks top at 16.2% (1,702,118 reported cases), followed by JS/Agent at 13.6% (1,429,508 reported cases) and the new Html/Agent at 9.7% (1,016,109 reported cases).
“Korea is regarded as one of the most advanced markets when it comes to IT, and we have found that research around threats and prevention in this market can reflect international patterns,” said Mr. Hongsun Kim, CEO of AhnLab. “The most recent ASEC report serves as an important reminder to users to remain alert to, and conscientious of, the myriad attacks threatening online security.”
The third quarter saw a decrease in malicious code reports as compared to the previous quarter, which dropped 6,601,706 to 39,606,178. However, 13 newly identified malicious codes made up part of the top 20 malicious codes for the quarter.
Trojans are the most reported new malicious code, representing 36% of the top reported new malicious codes. It is followed by script at 22% and adware at 12%. Specifically, TextImage/Autorun is the most reported new malicious code at 17.1% (1,699,603 reported cases) of the top 20 new malicious codes, followed by JS/Agent at 14.4% (1,429,439 reported cases).
According to AhnLab’s security program, SiteGuard, in the third quarter the number of reported malicious codes increased 34% to 253,613 codes, as compared to the previous quarter. Furthermore, the number of reported types of malicious code increased 11% to 2,296 compared to the previous quarter. On the other hand, the number of reported domains with malicious code decreased by 5% to 1,971 as compared to the previous quarter.
The ASEC Report revealed that Microsoft security updates continue to demonstrate vulnerabilities. As in the first and second quarters, system vulnerabilities were the most prominent, marking 41% of updates, while IE vulnerabilities marked the least amount of updates at 4%.
Global Malicious Code Trends—Third Quarter
In its most recent ASEC report, AhnLab emphasizes that malicious code trends in the third quarter are similar to that of the second quarter. The number of malicious codes distributed by exploiting vulnerabilities remains high.
As has been seen previously, most malicious code variants are restricted by specific regions. As regionalization of malicious codes becomes more pervasive, global malicious code statistics are no longer significant. Distribution of malicious codes remains common by hacking websites and exploiting vulnerabilities to insert malicious codes. However, distributing malicious codes via email or social network sites, such as Facebook and Twitter is also becoming increasingly common.
Bootkits, a type of malware that infects the Master Boot Record and allows malicious programs to be executed before the operating system boots, were also on the rise in the third quarter. In August, a new malware that modifies and infects Award BIOS was reported, and in September a bootkit that downloads online game hacking malware was reported in Korea. While numerous bootkits have appeared, they are not multiplying as these are more difficult to create compared to other malware. However, as bootkits are not easily detected and difficult to remove, cyber criminals are increasingly interested in their development.
Threats to smartphone security remained an issue in the third quarter. A malware posing as a PDF file was reported to infect Mac OS X, and a new piece of Android malware called GingerMaster has been found exploiting Android 2.3 (Gingerbread). GingerMaster exploits Android 2.3, harvests data on infected Android smartphones and then sends the stolen information to a remote server. AhnLab cautions that extra care must be taken as smartphone security threats will continue to increase.
Cloud computing represents one of the most exciting technology trends and the antivirus industry has not been slow to embrace this opportunity. In fact, AhnLab, Inc. has added a cloud-based technology, AhnLab Smart Defense (ASD) to its product line. Hackers and cyber criminals have also been quick to take advantage of this trend and a rogue cloud antivirus ‘OpenCloud Antivirus’ was reported in September. This rogue system pretends to scan the system and claims to identify multiple infected files. Similar to other rogue antivirus, this system will trick victims into purchasing a license for the software. AhnLab warns users to exercise caution when implementing a cloud antivirus system.
To view the full ASEC Report, please visit: http://global.ahnlab.com/en/site/threat/asec/asecReportList.do
About AhnLab, Inc.
Headquartered in South Korea, AhnLab Inc. (KSE: 053800) develops industry-leading security solutions and provides professional services that are designed to secure and protect critical business and personal information. As a leading innovator in the information security arena since 1988, AhnLab’s cutting-edge products and services have been fulfilling the stringent security requirements of both enterprises and individual users. AhnLab’s products and services include anti-virus solutions, network, mobile and online game security, security management and consulting services. Today, AhnLab boasts a network of sales and research operations in more than 20 countries worldwide.
Ⅰ. Security Trends - September 2011
1. Malicious Code Trend
(1) Malicious Code Statistics
■ Top 20 Malicious Code Reports
The table below shows the percentage breakdown of the top 20 malicious codes reported in September 2011.
[Table 1-1] Top 20 Malicious Code Reports
As of September 2011, TextImage/Autorun is the most reported malicious code, followed by JS/Redirector and Html/Agent, respectively. 7 new malicious codes were reported this month.
The table below shows the percentage breakdown of the top 20 malicious code variants reported this month, and identifies the malicious code trend of this month.
[Table 1-2] Top 20 Malicious Code Variant Reports
As of September 2011, Win-Trojan/Agent is the most reported malicious code, representing 12.2% (700,839 reports) of the top 20 reported malicious code variants, followed by Win-Trojan/Downloader (700,699 reports) and TextImage/Autorun (543,545 reports).
■ Breakdown of Primary Malicious Code Types
The chart below categorizes the top malicious codes reported this month.
[Fig. 1-1] Primary Malicious Code Type Breakdown
As of September 2011, Trojan is the most reported malicious code, representing 38.7% of the top reported malicious codes, followed by script (20.6%) and worm (12.1%).
■ Comparison of Malicious Codes with Previous Month
[Fig. 1-2] Top Malicious Code Type Comparison Chart
Compared to last month, the number of reports on Trojan, worm, virus and dropper increased, whereas the number of reports on script, adware, appcare, downloader and spyware decreased. The number of Clicker reports was similar to the previous month.
■ Monthly Malicious Code Reports
[Fig. 1-3] Monthly Malicious Code Reports
There has been a decrease in malicious code reports in September, which dropped 2,605,706 to 11,061,009, from 11,718,469 the previous month.
■ Top 20 New Malicious Code Reports
The table below shows the percentage breakdown of the top 20 new malicious codes reported this month.
[Table 1-3] Top 20 New Malicious Code Reports
As of September 2011, Dropper/Malware.495616.HT is the most reported new malicious code, representing 16.7% (146,828 reports) of the top 20 reported new malicious codes, followed by SWF/Iframe (93,825 reports).
[Fig. 1-4] New Malicious Code Type Breakdown
As of September 2011, Trojan is the most reported new malicious code, representing 59% of the top reported new malicious codes. It is followed by dropper (16%) and adware (12%).
(2) Malicious Code Issues
■ Bootkit steals account data for online games
A bootkit is a type of malware that infects the Master Boot Record (MBR, the first 512 bytes of the physical hard drive) to allow the malicious program to be executed before the operating system boots.
The structure of the bootkit distributed this month is as below:
[Fig. 1-5] Bootkit structure
Once the computer boots, the malicious code executes itself and restores the original MBR for Windows to be loaded without revealing the existence of the bootkit.
[Fig. 1-6] Bootkit process
The original MBR is encrypted as below:
[Fig. 1-7] MBR before and after encryption by malware
The encrypted MBR of a compromised system gets backed up in the 54th physical sector of the hard disk through the routine below:
[Fig. 1-8] DeviceIoControl() called to back up encrypted MBR on hard disk
The first 8 bytes define the sector location and the number of sectors.
• 0x00000036 = 54 (decimal), sector location
• 0x00000001 = 1 (decimal), number of sectors
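A defender can look for this behaviour on a disk image: the sectors between the MBR and the first partition are normally unused, so data sitting there, and in sector 54 in particular, deserves a closer look. The following is an added example, not AhnLab’s removal tool; the sample image, the partition layout and the single-byte XOR standing in for the malware’s unspecified encryption are constructed for the example.

```python
"""Inspect a raw disk image for an MBR backup hidden in the MBR gap.
Added example; the sample image is constructed, and the XOR used to build it
is only a stand-in for the encryption the page shows in Fig. 1-7."""
import math
from dataclasses import dataclass, field
from typing import List, Tuple

SECTOR = 512
PT_OFFSET = 446          # partition table starts here inside the MBR
BACKUP_SECTOR = 54       # where the page says this bootkit stores the encrypted MBR


@dataclass
class MbrReport:
    signature_ok: bool                 # 0x55AA boot signature present
    first_partition_lba: int           # lowest start LBA among used entries
    nonempty_gap_sectors: List[int] = field(default_factory=list)
    backup_sector_entropy: float = 0.0  # Shannon entropy (bits/byte) of sector 54


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0 for empty or constant data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sector(img: bytes, n: int) -> bytes:
    return img[n * SECTOR:(n + 1) * SECTOR]


def first_partition_lba(mbr: bytes) -> int:
    """Lowest start LBA of the four 16-byte partition entries that are in use."""
    lbas = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        start = int.from_bytes(entry[8:12], "little")
        if ptype != 0 and start != 0:
            lbas.append(start)
    return min(lbas) if lbas else 0


def inspect_image(img: bytes) -> MbrReport:
    mbr = sector(img, 0)
    report = MbrReport(signature_ok=(mbr[510:512] == b"\x55\xaa"),
                       first_partition_lba=first_partition_lba(mbr))
    # Sectors 1 .. first_partition_lba-1 are normally all zero; anything else is
    # worth looking at, and sector 54 is the location named in the report.
    for n in range(1, report.first_partition_lba):
        if any(sector(img, n)):
            report.nonempty_gap_sectors.append(n)
    report.backup_sector_entropy = entropy(sector(img, BACKUP_SECTOR))
    return report


def build_sample_images(total_sectors: int = 64) -> Tuple[bytes, bytes]:
    """Constructed (clean, infected) images with a first partition at LBA 63."""
    boot_code = bytes((i * 37) % 256 for i in range(440))  # placeholder code
    entry0 = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF])      # active, NTFS
    entry0 += (63).to_bytes(4, "little") + (1000).to_bytes(4, "little")
    mbr = boot_code + b"\x11\x22\x33\x44" + b"\x00\x00" + entry0 + bytes(48) + b"\x55\xaa"
    assert len(mbr) == SECTOR
    clean = bytearray(total_sectors * SECTOR)
    clean[0:SECTOR] = mbr
    infected = bytearray(clean)
    # Stand-in for the malware's backup of the encrypted original MBR.
    infected[BACKUP_SECTOR * SECTOR:(BACKUP_SECTOR + 1) * SECTOR] = bytes(b ^ 0x5A for b in mbr)
    return bytes(clean), bytes(infected)


if __name__ == "__main__":
    clean_img, infected_img = build_sample_images()
    print(inspect_image(clean_img))
    print(inspect_image(infected_img))
```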
[Fig. 1-9] Bootkit removal tool
Please refer to the report below for details on Smitnyl Bootkit found overseas.
PDF file (Page 17, MBR Infector: Smitnyl analysis): http://image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.16_Eng.pdf
There is a common characteristic found in the bootkit distributed in Korea – it uses various sophisticated techniques to “live” longer, accomplish its goal and stay undiscovered. To prevent bootkits from taking hold of your system:
- always keep current with the latest security fixes for Windows and Adobe Flash Player;
- always keep your antivirus software updated and scan your system regularly;
- be careful when downloading programs from the Internet; and
- do not open any email from unknown senders; just delete it.
■ Malware exploits Windows XP folder name bug when using dot
Cyber criminals are constantly upgrading malware that steals online game account information to make money. The online game hacking malware reported this month exploited an old Windows XP bug to stay unnoticed.
After it infects the system, it creates and runs a batch file, and then creates a folder with a name ending with a dot (e.g. ‘tmp.’).
[Fig. 1-10] Part of the batch script file that creates the malicious folder, “tmp.”
If you open the “tmp.” folder, the error message below will appear. The folder name ends with a dot to prevent the user or antivirus from detecting and removing the malware (tmp.exe). Some antivirus programs are not capable of handling folders whose name ends with a dot.
[Fig. 1-11] Error message when tmp. folder is opened
[Fig. 1-12] tmp. folder created by malware
The tmp.exe file changes the ws2help.dll filename to ws3help.dll, and uses ws2help.dll as the filename for the malicious dll file, to load at startup.
[Fig. 1-13] Malicious ws2help.dll file
To check whether your ws2help.dll file is malicious, check the date modified or scan your system with the removal tool below.
The removal tool can be downloaded from:
- http://global.ahnlab.com/en/site/download/removal/removalList.do > V3 GameHack Kill
The removal tool diagnosed the malicious ws2help.dll file as Win-Trojan/.Gen.
[Fig. 1-14] Malicious ws2help.dll file detected
V3 detects this malware as Win-Trojan/Onlinegamehack.6333784.
■ Malware propagation via obfuscated iframe link
MySQL.com was hacked to distribute malware on September 26. The website was injected with a script that generates an iframe that redirects visitors to a page serving malware, such as banking Trojans and bots.
[Fig. 1-15] JavaScript with obfuscated iframe link
You must keep not only your operating system updated at all times, but also the third-party products you are using. Also, install an antivirus program and regularly update it to the latest version. V3 detects this malware as:
- Dropper/Win32.Mudrop
■ Rogue cloud antivirus
The rapid increase in the number and complexity of malware is forcing antivirus companies to research and implement new ways to identify, classify and delete malware. Cloud computing is the latest technology trend and the antivirus industry has not been slow to embrace the opportunity. AhnLab, Inc. has also added a cloud-based technology, ASD (AhnLab Smart Defense), to its product line. This new technology has created new opportunities for hackers and cyber criminals: they are starting to use the buzzword “cloud”.
A rogue cloud antivirus, ‘OpenCloud Antivirus’, was reported this month. It creates a copy of itself in the path below:
- C:\Documents and Settings\[User Name]\Application Data\OpenCloud Antivirus\OpenCloud Antivirus.exe
It disguises itself as a legitimate antivirus for cloud computing.
[Fig. 1-16] OpenCloud Antivirus
When run, the malware performs a fake scan of the system, and falsely claims that a number of files on the system are infected with malware.
[Fig. 1-17] Fake detection of infected files
After showing the false result, it will deliver a fake warning alert on the system tray.
[Fig. 1-18] Fake security warning
Like other rogue antivirus, it will trick victims into purchasing a license for the software. (At the time we tested this rogueware, we were not redirected to the webpage for payment.)
[Fig. 1-19] Failed to access payment page
V3 detects this Trojan as:
- Win-Trojan/Fakescanti.2420224
■ Windows Blocked ransomware
Windows Blocked ransomware is a new type of malware that blocks access to the Internet and takes control of certain functions – it basically holds your system for ransom asking that you purchase a bogus security application. In the beginning of this month, the scam posed as a message from Microsoft claiming that the operating system was a counterfeit.
[Fig. 1-20] Bogus Windows activation screen pitched to German-language speakers
The malware displays a screen with a fake Microsoft Windows activation request. The ransomware locks down the infected system and demands a 100 EURO payment to Microsoft Corporation for unlocking it. V3 detects this Trojan as:
- Trojan/Win32.FakeAV
■ Vulnerability in Adobe Flash Player and Reader (CVE-2011-0611)
The vulnerability (CVE-2011-0611) is being exploited in targeted attacks via files delivered as email attachments. We have mentioned this vulnerability before, but not in detail.
The vulnerability is caused by an error when parsing ActionScript that adds custom functions to prototypes. This results in incorrect interpretation of an object (i.e. object type confusion) when calling the custom function, which causes an invalid pointer to be dereferenced. In the observed case, the exploit file was embedded in a Microsoft Word (.doc) file delivered as an email attachment.
The remote attacker uses social engineering techniques to send spam mail and exploits the vulnerability by having a SWF file embedded in a PDF, MS Office file or web page executed. When successful, it corrupts memory and may allow arbitrary code execution.
■ Malicious Chinese Android application, “站点之家”
Android-Trojan/ROMZhanDian that steals personal information and changes the mobile browser’s favorites was reported in China.
[Fig. 1-21] Application name and permissions
[Fig. 1-22] Icon and shortcut
[Fig. 1-23] Android-Trojan/ROMZhanDian screen and newly added favorites
The malicious application is only installed on Android 1.5 and later, and is designed to start automatically when you turn on your smartphone.
[Fig. 1-24] AndroidManifest information
When the malware is downloaded, subscriber information, including OS version, IMEI, IMSI, model number and installed applications, is sent to a server.
[Fig. 1-25] Code to steal information
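The two Android cases on this page, the SEND_SMS check in the Russian-website post and the boot-time start and IMEI/IMSI collection of Android-Trojan/ROMZhanDian, can both be triaged from an app’s manifest. The following is an added example, not AhnLab code; the manifests are constructed (package name and receiver name are placeholders), and the finding texts are the author’s own wording.

```python
"""Triage a decoded AndroidManifest.xml for the permission patterns this page
describes: SEND_SMS, auto-start at boot, and device-identity access paired
with network access. Added example with constructed manifests."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERM = "android.permission."
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def attr(name: str) -> str:
    """Qualified name of an android: attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


def manifest_facts(xml_text: str) -> Dict[str, object]:
    root = ET.fromstring(xml_text)
    perms = {e.get(attr("name")) for e in root.iter("uses-permission")}
    # Receivers with a BOOT_COMPLETED intent filter run when the phone starts.
    boot_receivers = [
        recv.get(attr("name"))
        for recv in root.iter("receiver")
        if any(a.get(attr("name")) == BOOT_ACTION for a in recv.iter("action"))
    ]
    sdk = root.find("uses-sdk")
    min_sdk = sdk.get(attr("minSdkVersion")) if sdk is not None else None
    return {
        "package": root.get("package"),
        "permissions": perms,
        "boot_receivers": boot_receivers,
        "min_sdk": int(min_sdk) if min_sdk else None,
    }


def triage(xml_text: str) -> List[str]:
    f = manifest_facts(xml_text)
    p = f["permissions"]
    findings = []
    if PERM + "SEND_SMS" in p:
        findings.append("SEND_SMS: app can text premium-rate numbers; confirm it needs this")
    if f["boot_receivers"]:
        findings.append("auto-start at boot via " + ", ".join(f["boot_receivers"]))
    if PERM + "READ_PHONE_STATE" in p:
        findings.append("READ_PHONE_STATE: app can read IMEI/IMSI and phone number")
    if PERM + "INTERNET" in p and (PERM + "READ_PHONE_STATE" in p or PERM + "SEND_SMS" in p):
        findings.append("INTERNET with identity/SMS access: collected data can leave the device")
    return findings


# Constructed manifest resembling the behaviour described for ROMZhanDian:
# minSdkVersion 3 is Android 1.5, the receiver starts at boot, and the app can
# read the device identity and reach the network.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-sdk android:minSdkVersion="3" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:label="constructed">
    <receiver android:name="com.example.constructed.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-sdk android:minSdkVersion="8" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:label="benign" />
</manifest>"""


if __name__ == "__main__":
    for line in triage(SUSPICIOUS_MANIFEST):
        print("-", line)
```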
2. Security Trend
(1) Security Statistics
■ Microsoft Security Updates - September 2011
[Fig. 2-1] MS Security Updates
[Table 2-1] MS Security Updates for September 2011
Out of the five security updates issued by Microsoft this month, three are for MS Office.
3. Web Security Trend
(1) Web Security Statistics
■ Web Security Summary
[Table 3-1] Website Security Summary
This month, SiteGuard (AhnLab’s web browser security service) blocked 39,740 websites that distributed malicious codes. There were 792 types of reported malicious code, 522 reported domains with malicious code, and 3,351 reported URLs with malicious code. The number of reported malicious codes, types of malicious code, and domains and URLs with malicious code have decreased from last month.
■ Monthly Blocked Malicious URLs
[Fig. 3-1] Monthly Blocked Malicious URLs
As of September, the number of blocked malicious URLs decreased 42% to 39,740, from 68,406 the previous month.
■ Monthly Reported Types of Malicious Code

[Fig. 3-2] Monthly Reported Types of Malicious Code
As of September, the number of reported types of malicious code decreased 4% to 792, from 827 the previous month.
■ Monthly Domains with Malicious Code

[Fig. 3-3] Monthly Domains with Malicious Code
As of September, the number of reported domains with malicious code decreased 20% to 522, from 650 the previous month.
■ Monthly URLs with Malicious Code
[Fig. 3-4] Monthly URLs with Malicious Code
As of September, the number of reported URLs with malicious code decreased 24% to 3,351, from 4,076 the previous month.
■ Top Distributed Types of Malicious Code
[Table 3-2] Top Distributed Types of Malicious Code
As of September, adware is the top distributed type of malicious code with 15,412 (38.8%) cases reported, followed by Trojan with 13,001 (32.7%) cases reported.
■ Top 10 Distributed Malicious Codes
[Table 3-3] Top 10 Distributed Malicious Codes
As of September, Win-Adware/ToolBar.Cashon.308224 is the most distributed malicious code, with 7,170 cases reported. 6 new malicious codes, including Win-Adware/ToolBar.Cashon.308224, emerged in the top 10 list this month.
(2) Web Security Issues
■ September 2011 Malicious Code Intrusion: Website

[Table 3-4] Monthly malicious code intrusion: website
More websites were compromised to distribute malicious codes in September than in August. This is because many of the compromised main websites had sub-websites, and the malicious script was inserted into the JS file shared by those sub-websites.
For instance:
- Main website: http://www.aaaa.com
- Sub website: http://test.aaaa.com, http://sisx.aaaa.com
- Inserted malicious script: http://www.cheaxx-******.com
The malicious script exploited the CVE-2011-2110 or MS10-018 vulnerability to infect the visitor’s system.
- CVE-2011-2110: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2110
- MS10-018: http://technet.microsoft.com/ko-kr/security/bulletin/ms10-018
The recently reported CVE-2011-2110 vulnerability is found in IE8, and MS10-018, discovered at the beginning of 2010, is a vulnerability in IE6. MS10-018 is still being exploited because people are still using IE6. Microsoft has stopped providing technical support for IE6, and many websites are suggesting that users switch to a newer IE version to access their sites. IE6 users are advised to upgrade to a newer version.
[Table 3-5] Top 10 malicious codes distributed via websites
The table above shows the top 10 malicious codes distributed via websites. Win-Trojan/Onlinegamehack55.Gen and Win-Trojan/Onlinegamehack56.Gen were the most reported malicious codes this month, each distributed via 27 websites. The number is similar to last month. But, there is a malicious code you should take note of – Backdoor/Win32.Rootkit. This rootkit was distributed via 22 websites to steal online game account information.
Ⅱ. Security Trends - 3Q 2011
1. Malicious Code Trend
(1) Malicious Code Statistics
The table below shows the percentage breakdown of the top 20 malicious codes reported in Q3 of 2011.

[Table 4-1] Top 20 Malicious Code Reports
As of Q3 2011, TextImage/Autorun is the most reported malicious code, followed by JS/Agent and Html/Agent, respectively. 13 new malicious codes were reported this quarter.
■ Top 20 Malicious Code Variant Reports
The table below shows the percentage breakdown of the top 20 malicious code variants reported this quarter.

[Table 4-2] Top 20 Malicious Code Variant Reports
As of Q3 2011, Win-Adware/Korad is the most reported malicious code, representing 11.6% (2,384,017 reports) of the top 20 reported malicious codes. It is followed by Win-Trojan/Downloader representing 10.9% (2,239,061 reports), and Win-Trojan/Agent, representing 10.1% (2,066,989 reports) of the top 20 reported malicious codes.
■ Breakdown of Primary Malicious Code Types
The chart below categorizes the top malicious codes reported in Q3 2011.
[Fig. 4-1] Primary Malicious Code Type Breakdown
As of Q3 2011, Trojan is the most reported malicious code, representing 37.2% of the top reported malicious codes, followed by script (20.7%), and worm (10.8%).

[Fig. 4-2] Monthly Malicious Code Reports
There has been a decrease in malicious code reports this quarter, which dropped 6,601,706 to 39,606,178, from 46,207,884 the previous quarter.
■ Top 20 New Malicious Code Reports
The table below shows the percentage breakdown of the top 20 new malicious codes reported in Q3 2011.

[Table 4-3] Top 20 New Malicious Code Reports
As of Q3 2011, TextImage/Autorun is the most reported new malicious code, representing 17.1% (1,699,603 reports) of the top 20 reported new malicious codes, followed by JS/Agent (1,429,439 reports).
■ Breakdown of New Malicious Code Types
[Fig. 4-3] New Malicious Code Type Breakdown
As of Q3 2011, Trojan is the most reported new malicious code, representing 36% of the top reported new malicious codes. It is followed by script (22%) and adware (12%).
(2) Malicious Code Issues
■ Increased exploitation of the CVE-2011-2110 Adobe Flash vulnerability
Most of the malicious Flash files found in Korea were embedded in a hidden “iframe” page and designed to download malicious content from the URL given in the “info” parameter. The content downloaded from that URL was not a PE file (which would start with an MZ header) but partial shellcode. The Flash file builds NOP+shellcode blocks to perform a heap spray, and the Flash Player vulnerability is then exploited to XOR-decode the downloaded shellcode, so the downloaded file can be malicious even though it is not an executable. This vulnerability will continue to be exploited in web attacks. Always make sure your Adobe products are updated to the latest versions.
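As an added example (not part of AhnLab's report or its tooling), the following Python triage script flags the delivery pattern described above on constructed sample input: zero-sized or hidden iframes, .swf references carrying an “info” parameter, and whether the blob fetched from that URL is a PE file (MZ header) or sled-style padding rather than an executable. All hosts, paths and sample bytes are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs
# Constructed samples modelled on the chain in the report: hidden iframe -> page
# embedding a SWF whose "info" parameter names the payload URL. Placeholders only.
SAMPLE_PAGE = (
    '<html><body><h1>News</h1>'
    '<iframe src="http://drop.example.invalid/f.html" width="0" height="0"></iframe>'
    '<iframe src="http://ads.example.invalid/b.html" width="300" height="250"></iframe>'
    '<iframe src="http://drop.example.invalid/g.html" style="display: none"></iframe>'
    '</body></html>'
)
SAMPLE_FRAME = ('<embed src="http://drop.example.invalid/m.swf?info='
                'http%3A%2F%2Fdrop.example.invalid%2Fsc.bin" width="1" height="1">')
SAMPLE_BLOB = b'\x90' * 64 + b'\x31\xc0\x50'  # constructed: sled-style padding, not a PE

IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def _attrs(tag):
    """Map attribute names to values for one HTML start tag."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}

def hidden_iframes(html):
    """src of every iframe that is zero-sized or hidden by inline style."""
    out = []
    for tag in IFRAME_RE.findall(html):
        a = _attrs(tag)
        style = a.get('style', '').replace(' ', '').lower()
        if (a.get('width') in ('0', '0px') or a.get('height') in ('0', '0px')
                or 'display:none' in style or 'visibility:hidden' in style):
            out.append(a.get('src', ''))
    return out

def flash_info_urls(html):
    """(swf_url, payload_url) for every .swf reference carrying an info= parameter."""
    out = []
    for m in re.finditer(r'["\']([^"\']+\.swf\?[^"\']+)', html, re.I):
        u = urlparse(m.group(1))
        info = parse_qs(u.query).get('info')   # parse_qs already URL-decodes
        if info:
            out.append((u._replace(query='').geturl(), info[0]))
    return out

def classify_payload(blob):
    """Triage what the info URL served: a PE drop, sled-style padding, or opaque bytes."""
    if blob[:2] == b'MZ':
        return 'pe'
    longest = run = 0
    for i in range(1, len(blob)):
        run = run + 1 if blob[i] == blob[i - 1] else 0
        longest = max(longest, run)
    return 'repeated-run' if longest >= 32 else 'opaque-blob'
```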
■ Exploitation of the MS10-087 vulnerability
Most MS Word-based attacks exploit “MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)”, released in November 2010. Most of them were distributed as email attachments, so be careful not to open Word file attachments from untrusted sources.
■ Risk of targeted attacks
There are two general forms of targeted attacks: those that attack the corporate network and those that attack the server network. The first is a common hacking method; the latter is more diverse: social engineering, malware attacks, phishing, keylogging, exploitation of vulnerabilities, reverse shell command execution and database hacking. A more comprehensive security system is needed to defend against these various threats.
■ Increasing smartphone security threats
A new piece of Android malware called GingerMaster has been found exploiting Android 2.3 (“Gingerbread”), the current version of Android’s operating system for smartphones. The CVE-2011-1823 vulnerability is also found in Gingerbread 2.3.3. GingerMaster exploits Android 2.3, harvests data on infected Android smartphones and sends the stolen information, including device IDs and phone numbers, to a remote server. Extra caution must be taken as smartphone security threats will increase.
2. Security Trend
(1) Security Statistics
■ Microsoft Security Updates - Q3 of 2011
Microsoft released 22 security updates this quarter.
[Fig. 5-1] 3 MS Security Updates
As in Q1 and Q2, system vulnerabilities were the most common (41%) and IE vulnerabilities the least common (4%). There was one critical update in July and two in August. The increase in Office vulnerabilities this month increased the amount of malware that uses social engineering techniques, such as attaching malicious files to spam mail. You must download the patches that fix these vulnerabilities as soon as they are released.
3. Web Security Trend
(1) Web Security Statistics
■ Web Security Summary
[Table 6-1] Website Security Summary
As of Q3 of 2011, there were 253,613 reported malicious codes, 2,296 types of reported malicious code, 1,971 reported domains with malicious code, and 12,290 reported URLs with malicious code. These statistical figures were derived from the data collected by SiteGuard, AhnLab’s web security program.
■ Monthly Reported Malicious Codes

[Fig. 6-1] Monthly Reported Malicious Codes
As of Q3 of 2011, the number of reported malicious codes increased 34% to 253,613, from 189,948 the previous quarter.
■ Monthly Reported Types of Malicious Code

[Fig. 6-2] Monthly Reported Types of Malicious Code
As of Q3 of 2011, the number of reported types of malicious code increased 11% to 2,296, from 2,060 the previous quarter.
■ Monthly Domains with Malicious Code

[Fig. 6-3] Monthly Domains with Malicious Code
As of Q3 of 2011, the number of reported domains with malicious code decreased 5% to 1,971, from 2,072 the previous quarter.
■ Monthly URLs with Malicious Code

[Fig. 6-4] Monthly URLs with Malicious Code
As of Q3 of 2011, the number of reported URLs with malicious code increased 60% to 12,290, from 7,687 the previous quarter.
■ Top Distributed Types of Malicious Code
[Table 6-2] Top Distributed Types of Malicious Code
Adware is the most distributed type of malicious code, representing 38.4% (97,433 reports) of the top distributed types of malicious code, followed by Trojan, which represents 31.7% (80,376 reports).
■ Top 10 Distributed Malicious Codes
[Table 6-3] Top 10 Distributed Malicious Codes
Win-Adware/ADPrime.837241 is the most distributed malicious code (49,450 reports), followed by Win-Trojan/Downloader.765408 (30,612 reports).
III. Overseas Security Trends
1. Malicious Code Trend- Japan, Q3
The most prominent security threats this quarter are a notable increase in online banking threats from botnets; propagation of malware via Android-based smartphones; Conficker and Antinny variants distributed by exploiting Windows vulnerabilities; and malware that corrupts Windows system files.
■ Botnet poses serious online banking threats[1]
A botnet started harvesting online banking credentials for financial gain in June this year. Cyber criminals are reported to have used SpyEye to steal online banking details. This malware is known to spread via hacked websites that exploit system vulnerabilities, or via spam mail.
■ Conficker and Antinny worm attacks
The table below shows the top malicious codes in Japan as ranked by Trend Micro Japan (http://jp.trendmicro.com).
[Table 7-1] Monthly malicious code threats (Source: Trend Micro Japan)[2]
The Conficker worm, “WORM_DOWNAD.AD”, was the most reported malicious code for two months. This worm exploits Windows vulnerabilities to infect other systems on the network and also spreads via removable external storage, like Autorun worms.
Antinny attacks that target P2P file-sharing networks have been ongoing for some time now. The damages inflicted by its variants are significant. New Antinny worm variants will keep on appearing, so you must continue to be cautious.
Viruses such as PE_PARITE.A and adware were also high in the rankings. There are not many variants of Parite, but they are still being reported in numerous countries. The number of reports is high, but Parite cannot self-propagate, so it usually spreads via infected programs on P2P networks.
■ Autorun attacks
The chart below shows the monthly damages caused by malicious codes reported by IPA (http://www.ipa.go.jp).
[Fig. 7-1] Malicious code trend: July and August 2011 (Source: IPA, Japan)[3]
Reports of the Netsky and Mydoom worms, which propagate via email, were high, as were reports of Autorun worms. Email worms usually send mass email to the addresses saved on the infected system.
Another thing that should be noted in the chart above is Win32/Gammima, which steals online game accounts. This type of malware has been rampant in Korea for several years, and numerous websites were hacked to spread it. This sort of attack is now starting in Japan. It usually replaces Windows files, such as imm32, or uses rootkit techniques to compromise online games.
2. Malicious Code Trend- China, Q3
■ H1 2011 security threats in China by Rising
Rising, a Chinese security solutions provider, reported statistics and issues for the security threats that occurred in China in the first half of 2011. The number of malware reports in the first half of 2011 was 5,286,791, an increase of 25.2% from last year.
[Fig. 7-2] Breakdown of security threats in China in H1 2011
The chart above categorizes the top malicious codes reported in H1 2011. As of H1 2011, Trojan horse is the most reported malicious code, representing 76.12%. It is followed by virus (8.44%), backdoor (5.16%), dropper (3.26%), adware (2.91%), worm (2.61%) and other malicious codes (1.5%). Approximately 740 million computers were reported to be infected by malware in H1 2011, which shows that an average of 4.11 million computers were infected a day.
The table below shows the top 10 malicious codes reported in H1 2011.
[Table 7-2] Top 10 malicious codes reported in China
According to Rising, there has been an increase in file-infecting viruses. Viruses are usually written in assembly language, a low-level language, but the viruses reported in China were written in both assembly and a high-level language. Viruses written in both low- and high-level languages have the same functions as traditional viruses while cutting down the development time. Viruses represented 8.44% of the malicious codes reported in H1 2011, which is 445,957 reports.