Saturday, September 21, 2013

Botnets and Spam

The biggest threat to botmasters is the unrecoverable loss of their botnets. International cooperation in policing spam, malware, child exploitation, and illegal pills has made that loss a reality for many major botnets over the past few years, and will continue to threaten the proliferation of botnets. When the largest botnets get taken down, then the next largest botnets become the new targets. Botmasters have already reacted to this activity by subdividing botnets and increasing the costs associated with activities that are easily detectable (such as DDoS and spam). It is only a matter of time before botmasters implement fail-safes to reestablish command of a botnet that has lost all of the control servers it usually reports to.

In many cases botnets are temporarily hijacked by whitehat security researchers. Due to possible negative side effects, however, these takeovers do not lead to new commands reaching the infected hosts. There is a massive liability issue associated with the unauthorized remote operation of systems, even with the best of intentions. Pushing new commands to an old Windows machine serving a hospital could turn the PC into a brick and lead to incorrect care or even the death of a patient. Botmasters will take advantage of this reluctance by the good guys to meddle by hard-wiring their botnets to reestablish control after a takedown.

“Snowshoe” spam will continue to increase
When a shady marketing company approaches your marketing people and tells them that they have a list of email addresses that have already opted into receiving whatever advertising you want to send them, it should set off alarm bells. Unfortunately those bells don’t ring often enough. Well-known companies selling products from cell phones to cigars to language-learning software to satellite TV to medical supplies have all signed on with these shady advertisers. The shady companies blast out millions and millions of blatantly illegal spam messages every day from newly rented hosts at hosting companies until they get evicted from their subnets, or move on after they have turned those addresses, and sometimes the subnets, into permanently blacklisted wastelands. Recipients have their inboxes bombarded with these spam messages and are unable to opt out of them.

Because this sort of activity is not as malicious as the most newsworthy hacks and malware, this area has been mostly ignored by the authorities. Nonetheless, this practice of snowshoe spamming has exploded during the past two years and is currently one of the biggest problems in the spam world. Attempts by researchers to expose this sort of activity have resulted in threats of defamation lawsuits by the companies using these shady marketers. In that environment, this sort of activity will only continue to increase at the breakneck pace that we have seen.
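The sending pattern described above, many fresh hosts spread across several subnets with few messages per host, is something a mail operator can look for in their own logs. The following is an added example, not code from the original post: a small heuristic run over constructed mail-log lines (the log format, domain names, IP addresses and thresholds are all assumptions).

```javascript
// Added example (not from the original post): flag a sending domain whose
// traffic is spread thinly across many IPs in many distinct /24 subnets.
// The log format and all addresses below are constructed for this example.
const SAMPLE_LOG = `
2013-09-21T10:00:01 from=<promo@example-deals.test> ip=198.51.100.10
2013-09-21T10:00:02 from=<promo@example-deals.test> ip=198.51.100.11
2013-09-21T10:00:03 from=<promo@example-deals.test> ip=203.0.113.5
2013-09-21T10:00:04 from=<promo@example-deals.test> ip=203.0.113.77
2013-09-21T10:00:05 from=<promo@example-deals.test> ip=192.0.2.200
2013-09-21T10:00:06 from=<promo@example-deals.test> ip=192.0.2.201
2013-09-21T10:00:07 from=<alerts@corp-mail.test> ip=192.0.2.25
2013-09-21T10:00:08 from=<alerts@corp-mail.test> ip=192.0.2.25
2013-09-21T10:00:09 from=<alerts@corp-mail.test> ip=192.0.2.25
2013-09-21T10:00:10 from=<alerts@corp-mail.test> ip=192.0.2.26
`;

const LINE_RE = /from=<[^@>]+@([^>]+)>\s+ip=(\d{1,3}(?:\.\d{1,3}){3})/;

// Parse log text into { domain, ip } records, skipping lines that do not match.
function parseLog(text) {
  return text.split('\n').map((l) => LINE_RE.exec(l)).filter(Boolean)
    .map((m) => ({ domain: m[1].toLowerCase(), ip: m[2] }));
}

// Aggregate per sending domain: message count, distinct IPs, distinct /24s.
function profileSenders(records) {
  const byDomain = new Map();
  for (const { domain, ip } of records) {
    const p = byDomain.get(domain) || { messages: 0, ips: new Set(), subnets: new Set() };
    p.messages += 1;
    p.ips.add(ip);
    p.subnets.add(ip.split('.').slice(0, 3).join('.') + '.0/24');
    byDomain.set(domain, p);
  }
  return byDomain;
}

// Flag domains spread over many subnets with few messages per IP (thresholds are assumptions).
function findSnowshoeSenders(text, { minSubnets = 3, maxMsgsPerIp = 2 } = {}) {
  const flagged = [];
  for (const [domain, p] of profileSenders(parseLog(text))) {
    const perIp = p.messages / p.ips.size;
    if (p.subnets.size >= minSubnets && perIp <= maxMsgsPerIp) {
      flagged.push({ domain, ips: p.ips.size, subnets: p.subnets.size, perIp });
    }
  }
  return flagged;
}
```

In the sample, example-deals.test sends six messages from six hosts in three /24s and is flagged, while corp-mail.test sends from two hosts in one subnet and is not.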

SMS spam from infected phones
Cell phone providers are working to prevent SMS spam. Their primary method of collecting reports is for consumers to forward the messages to SPAM (7726) on their phones so that the senders can be blocked. An infected phone can also send spam text messages, and its owner then faces the problem of having the account closed by the provider.

Threats to HTML5

HTML5 is the next version of the standard language of Internet browsers. It provides language improvements, capabilities that remove the need for plug-ins, new layout rendering options, and powerful new APIs that support local data storage, device access, 2D/3D rendering, web-socket communication, and many other features. Websites are quickly adopting HTML5 for its richer user experience. HTML5 continues the move to the browser, and away from the operating system, as the platform for running applications. HTML5-based applications are increasing in number, with major players taking advantage of freedom from app stores and improved cross-browser and cross-device compatibility.

Browsers have long been one of the primary vectors for security threats, and HTML5 won’t change that. With HTML5 the threat landscape will shift and broaden. We will see a reduction in exploits focused on plug-ins as browsers provide this functionality via their new media capabilities and APIs. However, HTML5 will offer other opportunities for attackers because the additional functionality will create a larger attack surface. Powerful JavaScript APIs that allow device access will expose the browser as websites gain direct access to hardware.

One example is WebGL, which provides 3D rendering. Prior to WebGL, HTML content not based on plug-ins was interpreted and rendered by the browser. This provided a layer of technology between the untrusted data on the Internet and the operating system. WebGL browsers, however, expose the graphics driver stack and hardware, significantly increasing the attack vectors. Researchers have already demonstrated graphics memory theft, allowing a web application to steal screenshots from the desktop, and denial-of-service attacks using all popular browsers that support WebGL and popular graphics driver stacks.

One of the primary separations between a native application and an HTML application has been the ability of the former to perform arbitrary network connections on the client. HTML5 increases the attack surface for every user, as its features do not require extensive policy or access controls. Thus they allow a page served from the Internet to exploit WebSocket functionality and poke around the user’s local network. In the past, this opportunity for attackers was limited because any malicious use was thwarted by the same-origin policy, which has been the cornerstone of security in HTML-based products. With HTML5, however, Cross-Origin Resource Sharing (CORS) will let scripts from one domain make network requests, post data, and access data served from the target domain, thereby allowing HTML pages to perform reconnaissance and limited operations on the user’s network.
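Whether a CORS request or a WebSocket handshake from an arbitrary Internet page actually succeeds is decided by the receiving server, so the defence is a strict origin check on that side. The following is an added example, not code from the original post: a permissive CORS header builder beside a hardened one, plus an Origin check for WebSocket upgrade requests (the allowlisted origins and function names are assumptions).

```javascript
// Added example (not from the original post). The allowlist is an assumption.
const ALLOWED_ORIGINS = new Set(['https://app.example.test', 'https://admin.example.test']);

// Weak configuration: reflect whatever Origin the browser sent, with credentials.
// Any page on the Internet can then read authenticated responses from this server.
function corsHeadersPermissive(origin) {
  return {
    'Access-Control-Allow-Origin': origin || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened configuration: only an exact allowlist match is echoed back, and
// 'Vary: Origin' stops caches from serving one origin's answer to another.
function corsHeadersStrict(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no CORS headers: the browser refuses the cross-origin read
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// WebSocket handshakes are not covered by the same-origin policy or CORS; the
// browser sends an Origin header and the server must check it itself.
// `headers` is a plain object keyed by lowercase header name.
function acceptWebSocketUpgrade(headers) {
  const origin = headers['origin'];
  const isUpgrade = (headers['upgrade'] || '').toLowerCase() === 'websocket';
  if (!isUpgrade) return { ok: false, reason: 'not a websocket upgrade' };
  // Policy choice for this example: a missing Origin is rejected too.
  if (!origin) return { ok: false, reason: 'missing Origin header' };
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: 'origin not allowed' };
  return { ok: true, reason: 'ok' };
}
```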

Is Windows 8 the next big target for cybercriminals?

Criminals go where the money is. And if this means they have to cope with a new, more secure version of Windows, that’s just what they will do. In many cases they attack the user and not the OS. Via phishing and other techniques users are tricked into revealing information or installing a malicious program. So if you upgrade, don’t rely solely on Windows to protect your system: remain vigilant and watch out for phishing scams.

Windows 8 should provide improved security against malware and exploits compared with earlier versions of Windows, at least for a while. Now that the underground market for attack and malware kits is much more competitive than it was three years ago, it is likely that Windows 8-specific malware will be available more quickly than Windows 7-specific malware appeared. Systems running the new Unified Extensible Firmware Interface are still vulnerable to MBR-based rootkits, just as previous OS versions were, according to one research company. On the day of Windows 8’s release, the firm announced to its customers the availability, for sale, of a zero-day vulnerability that circumvents all new security enhancements in Windows 8 and Internet Explorer 10.

Big-Scale Attacks
Destructive payloads in malware have become rare because attackers prefer to take control of their victims’ computers for financial gain or to steal intellectual property. Recently, however, we have seen several attacks, some apparently targeted, others implemented as worms, in which the only goal was to cause as much damage as possible. We expect this malicious behavior to grow in 2013. Whether this is hacktivism taken to a new level, as some claim, or just malicious intent is impossible to say, but the worrying fact is that companies appear to be rather vulnerable to such attacks. As with Distributed Denial of Service (DDoS) attacks, the technical bar for the attackers to hurdle is rather low. If attackers can install destructive malware on a large number of machines, the result can be devastating.

An inside or outside attacker who has held elevated privileges on the network for a long time could time-bomb many systems on multiple sites. This effect is likely worse than what is covered in many disaster recovery plans, so the IT staff may have to make some updates. The priority is to keep the business running, which is best achieved by having production networks, SCADA systems, etc. completely separated from the normal network, preventing them from getting hit in the first place. Then there will be a massive loss of data to deal with, because users just love to store their data on their local machines. One challenge will be to reinstall thousands of machines while ensuring that the time bomb doesn’t resurface. Technologies that may prove useful include remote management features that are independent of the state of the PC and its OS, but these features will need to be tested before an incident happens.

All measures to detect and block these persistent threats should also be effective against the preliminary steps of such attacks, while the attacker tries to gain and elevate access. Remote application control would prevent servers and key systems from being affected unless an attacker has already taken full control of the update process, which can be determined by carefully monitoring who does what on the management systems. To keep the loss of data to a minimum, a reliable network backup process needs to be in place, as well as backing up local data and blocking attackers from shredding data on shared drives and folders on the network.