Saturday, September 21, 2013

Malware and Ransomware

Kits lead to an explosion in malware for OS X and mobile
Given the popularity of mobile computing, we should perhaps be surprised that cybercriminals have taken so long to extensively exploit this field. In 2012, however, we’ve seen the number of mobile threats go up dramatically. As we look at them in more detail, we see that a large amount of Windows-based malware owes its existence to the easy availability of malware kits in the underground market. In 2013, there is a good chance ransomware kits will take the lead from malware kits. The first ransomware kits are already being marketed in the underground.

Ransomware continues to expand to mobile devices
Ransomware on Windows PCs has more than tripled during the past year. Attackers have proven that this “business model” works and are scaling up their attacks to increase profits. One way ransomware differs from other types of malware such as backdoors, keyloggers and password stealers is that attackers do not rely on their victims using the infected systems for financial transactions to separate them from their money. Instead, these criminals hijack the users’ ability to access data, communicate or use the system at all. The victims are faced with either losing their data or paying a ransom in the hope of regaining access.

One limitation for many malware authors seeking profit from mobile devices is that more users transact business on desktop PCs than on tablets or phones. But this trend may not last; the convenience of portable browsers will likely lead more people to do their business on the go. Attackers have already developed ransomware for mobile devices.

Botnets and Spam
The biggest threat to botmasters is the unrecoverable loss of their botnets. International cooperation in policing spam, malware, child exploitation, and illegal pills has made that loss a reality for many major botnets over the past few years, and will continue to threaten the proliferation of botnets. When the largest botnets get taken down, then the next largest botnets become the new targets. Botmasters have already reacted to this activity by subdividing botnets and increasing the costs associated with activities that are easily detectable (such as DDoS and spam). It is only a matter of time before botmasters implement fail-safes to reestablish command of a botnet that has lost all of the control servers it usually reports to.

In many cases botnets are temporarily hijacked by white-hat security researchers. Due to possible negative side effects, however, these takeovers do not lead to new commands reaching the infected hosts. There is a massive liability issue associated with the unauthorized remote operation of systems, even with the best of intentions. Pushing new commands to an old Windows machine serving a hospital could turn the PC into a brick and lead to incorrect care or even the death of a patient. Botmasters will take advantage of this reluctance by the good guys to meddle by hard-wiring their botnets to reestablish control after a takedown.

“Snowshoe” spam will continue to increase
When a shady marketing company approaches your marketing people and tells them that it has a list of email addresses that have already opted in to receive whatever advertising you want to send them, it should set off alarm bells. Unfortunately those bells don’t ring often enough. Well-known companies selling products from cell phones to cigars to language-learning software to satellite TV to medical supplies have all signed on with these shady advertisers. The shady companies blast out millions and millions of blatantly illegal spam messages every day from newly rented hosts at hosting companies until they get evicted from their subnets, or move on after they have turned those addresses, and sometimes the subnets, into permanently blacklisted wastelands. Recipients have their inboxes bombarded with these spam messages and are unable to opt out of them.

Because this sort of activity is not as malicious as the most newsworthy hacks and malware, this area has been mostly ignored by the authorities. Nonetheless, this practice of snowshoe spamming has exploded during the past two years and is currently one of the biggest problems in the spam world. Attempts by researchers to expose this sort of activity have resulted in threats of defamation lawsuits by the companies using these shady marketers. In that environment, this sort of activity will only continue to increase at the breakneck pace that we have seen.
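The pattern described above (many freshly rented hosts in one subnet, each sending a little, using disposable sender domains) is what a mail administrator can look for in the logs. The following detection heuristic is an added example, not part of the original post; the log lines, addresses and domains are constructed for the example, and the log format is assumed.

```javascript
// Added example (not from the original post): flag /24 subnets that show the
// snowshoe pattern: many distinct sending IPs, each with low volume, across
// many different sender domains. A single loud host is not snowshoe and is
// left to ordinary volume-based controls. All data below is constructed.
const SAMPLE_LOG = [
  "2013-09-21T10:00:01 from=<promo@cigar-deals-now.test> ip=203.0.113.11",
  "2013-09-21T10:00:03 from=<offer@learn-lang-fast.test> ip=203.0.113.23",
  "2013-09-21T10:00:04 from=<news@sat-tv-sale.test> ip=203.0.113.47",
  "2013-09-21T10:00:09 from=<info@medsupply-direct.test> ip=203.0.113.80",
  "2013-09-21T10:00:12 from=<hello@phone-upgrade-today.test> ip=203.0.113.131",
  "2013-09-21T10:01:00 from=<bulk@bulkmailer.test> ip=198.51.100.5",
  "2013-09-21T10:01:01 from=<bulk@bulkmailer.test> ip=198.51.100.5",
  "2013-09-21T10:01:02 from=<bulk@bulkmailer.test> ip=198.51.100.5",
  "2013-09-21T10:01:03 from=<bulk@bulkmailer.test> ip=198.51.100.5",
  "2013-09-21T10:02:00 from=<alice@corp.test> ip=192.0.2.10",
  "2013-09-21T10:02:05 from=<bob@corp.test> ip=192.0.2.11",
];

// Parse one assumed-format log line into sender domain, IP and /24 subnet.
// Malformed lines return null so one bad line cannot abort the whole scan.
function parseLine(line) {
  const m = /from=<[^@>\s]+@([^>\s]+)>\s+ip=((?:\d{1,3}\.){3})(\d{1,3})/.exec(line);
  if (!m) return null;
  return { domain: m[1], ip: m[2] + m[3], subnet: m[2] + "0/24" };
}

// Returns the subnets whose sending profile matches snowshoe spam.
function findSnowshoeSubnets(lines, { minHosts = 4, maxPerHost = 2 } = {}) {
  const stats = new Map(); // subnet -> { hosts, domains, messages }
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    let s = stats.get(rec.subnet);
    if (!s) stats.set(rec.subnet, (s = { hosts: new Set(), domains: new Set(), messages: 0 }));
    s.hosts.add(rec.ip);
    s.domains.add(rec.domain);
    s.messages += 1;
  }
  const flagged = [];
  for (const [subnet, s] of stats) {
    const perHost = s.messages / s.hosts.size;
    // Many hosts, each sending little, spread over many throwaway domains.
    if (s.hosts.size >= minHosts && perHost <= maxPerHost && s.domains.size >= minHosts) {
      flagged.push({ subnet, hosts: s.hosts.size, domains: s.domains.size, messages: s.messages });
    }
  }
  return flagged;
}
```

Thresholds are starting points to tune against your own traffic; a subnet that trips this check is a candidate for a temporary block and for a report to the hosting provider rather than for automatic action on its own.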

SMS spam from infected phones
Cell phone providers are working to prevent SMS spam. Their primary way of receiving reports from consumers is to have them forward the messages to SPAM (7726) on their phones so that the senders can be blocked. An infected phone can also send spam text messages; then the victims face the problem of having their accounts closed by the providers.

Threats to HTML5
HTML5 is the next version of the standard language of Internet browsers. It provides language improvements, capabilities that remove the need for plug-ins, new layout rendering options, and powerful new APIs that support local data storage, device access, 2D/3D rendering, WebSocket communication, and many other features. Websites are quickly adopting HTML5 for its richer user experience. HTML5 continues the move to the browser, and away from the operating system, as the platform for running applications. HTML5-based applications are increasing in number, with major players taking advantage of freedom from app stores and improved cross-browser and cross-device compatibility.

Browsers have long been one of the primary vectors for security threats, and HTML5 won’t change that. With HTML5 the threat landscape will shift and broaden. We will see a reduction in exploits focused on plug-ins as browsers provide this functionality via their new media capabilities and APIs. However, HTML5 will offer other opportunities for attackers because the additional functionality will create a larger attack surface. Powerful JavaScript APIs that allow device access will expose the browser as websites gain direct access to hardware.

One example is WebGL, which provides 3D rendering. Prior to WebGL, HTML content not based on plug-ins was interpreted and rendered by the browser. This provided a layer of technology between the untrusted data on the Internet and the operating system. Browsers with WebGL, however, expose the graphics driver stack and hardware, significantly increasing the number of attack vectors. Researchers have already demonstrated graphics memory theft, in which a web application steals screenshots of the desktop, as well as denial-of-service attacks against all popular browsers that support WebGL and the popular graphics driver stacks.

One of the primary separations between a native application and an HTML application has been the ability of the former to perform arbitrary network connections on the client. HTML5 increases the attack surface for every user, as its features do not require extensive policy or access controls. Thus they allow a page served from the Internet to exploit WebSocket functionality and poke around the user’s local network. In the past, this opportunity for attackers was limited because any malicious use was thwarted by the same-origin policy, which has been the cornerstone of security in HTML-based products. With HTML5, however, Cross-Origin Resource Sharing (CORS) will let scripts from one domain make network requests, post data, and access data served from the target domain, thereby allowing HTML pages to perform reconnaissance and limited operations on the user’s network.
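From the defender’s side, the cross-origin access described above is granted by the server’s own response headers and by how it treats the Origin header on a WebSocket handshake. The following is an added example, not code from the original post or from any vendor: a weak CORS configuration next to a hardened one, plus an Origin check for WebSocket upgrades. The hostnames and the header map format are constructed for the example.

```javascript
// Added example (not from the original post): server-side origin allowlist
// for CORS responses and WebSocket handshakes. The browser's same-origin
// policy is relaxed only by the Access-Control-* headers the server sends,
// so a server that echoes any Origin (or combines "*" with credentials)
// is what hands an Internet page cross-origin access. Hostnames are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.test",
  "https://admin.example.test",
]);

// Exact match only: prefix or substring matching would accept an origin such
// as "https://app.example.test.evil.test".
function isAllowedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Weak configuration: reflects whatever Origin the request carried and allows
// credentials, so any site can read authenticated responses from this API.
function corsHeadersWeak(origin) {
  return {
    "Access-Control-Allow-Origin": origin || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened configuration: only allowlisted origins receive a CORS grant, and
// "Vary: Origin" stops a shared cache from replaying one origin's grant to
// another. Returns null when no CORS headers should be sent at all.
function corsHeadersHardened(origin) {
  if (!isAllowedOrigin(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// WebSocket handshakes get no CORS preflight; the server itself must check
// the Origin header (RFC 6455, Origin Considerations) before upgrading.
// `headers` is assumed to be a map of lower-cased header names to values.
function acceptWebSocketUpgrade(headers) {
  const upgrade = (headers["upgrade"] || "").toLowerCase();
  return upgrade === "websocket" && isAllowedOrigin(headers["origin"]);
}
```

A non-browser client can set any Origin it likes, so this check limits what a page in a victim’s browser can reach through the user’s network position; it is not authentication.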