Today the internet is considered the principal channel for malware diffusion; the wide availability of exploit kits and crimeware such as BlackHole, Cool Exploit and Incognito has automated the infection process over the network. The majority of attacks exploit vulnerabilities in widely used applications, such as browsers, and the lack of a responsive patch management process exposes users to serious risks.
Unfortunately, in some cases zero-day vulnerabilities are exploited, rendering the user's defense systems useless; here the patch management process, once the flaw is discovered, is decisive in mitigating the threat.
According to the H2 2012 Threat Report published by F-Secure, the principal menaces that characterized the security landscape were botnets (e.g. ZeroAccess), exploits, in particular against the Java platform, and banking trojans (e.g. Zeus).
ZeroAccess is considered the most profitable botnet of 2012, but other notable botnets of 2012 are Zeus, Carberp, Dorkbot and the mobile botnet SpamSoldier. The ZeroAccess botnet infected millions of machines globally in 2012, with up to 140,000 unique IPs in the US and Europe.
Windows machines continue to be the main target for attacks, although an increasing number of threats hit the Mac platform: F-Secure detected 121 new, unique Mac variants in 2012, the majority of them backdoors, twice as many as the previous year.
While Java was the main target for most exploit-based attacks, the banking sector was mainly hit by the Zeus botnet. F-Secure also revealed an increase in multi-platform attacks, hitting both desktop and mobile, conducted with multiple pieces of malware.
“Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the way that the various trends we saw emerging in the first two quarters of the year have continued to grow apace—that is, the growth of botnets, the ‘standardization’ of vulnerability exploitation and the increasing ‘establishment’ of exploit kits.”
One of the most interesting phenomena observed during the second half of 2012 is the change in techniques used for cyber espionage campaigns. Previously, almost all recorded corporate espionage cases relied on specially crafted documents carrying a malware payload; in Q4 the attackers started instead to exploit vulnerabilities in web browsers and browser plugins.
The consolidated technique known as the 'watering hole' attack was the most efficient for cyber spies, who were able to infect every visitor of a particular website compromised for the campaign.
“The rise of web-based attacks in corporate espionage raises two points: first, this trend means that any corporation with an online presence that serves such potentially ‘interesting’ targets may be at risk of unwittingly serving as an attack conduit, and secondly, obviously, such organizations must now find a way to mitigate such a risk, in order to protect themselves and their clients.”
Every company that manages online resources must be aware of this attack technique. Defending against watering hole attacks does not require additional defense systems, except for attacks that exploit zero-day vulnerabilities, against which a multi-layered security approach is necessary.
The report dedicates a very interesting section to the principal vulnerabilities exploited by the toolkits available on the market, providing useful information on the exploit kits and their geographic distribution.
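The watering hole pattern described above leaves a recognisable trace on the defender's side: a client loads a page on a trusted site, that page silently pulls in a third-party landing page, and within seconds the same client downloads a browser-executable artefact (for instance a Java archive) from that third-party domain. The following script is an added example, not code from the post or from F-Secure; it runs the heuristic over a few constructed proxy log lines in an assumed "timestamp client method url status referer" layout, with a hypothetical allowlist of domains the organisation already trusts.

```python
"""Flag watering-hole-style redirection chains in web proxy logs.

Heuristic (assumption of this example, not from the report): a request to a
trusted domain, followed within a short window by the same client fetching an
executable artefact from a third-party domain that a trusted page referred to.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: "timestamp client method url status referer".
# None of these hosts or addresses are real traffic.
SAMPLE_LOG = """\
1350000000 10.0.0.5 GET http://news.example.com/industry/article.html 200 -
1350000001 10.0.0.5 GET http://news.example.com/static/site.css 200 http://news.example.com/industry/article.html
1350000003 10.0.0.5 GET http://cdn-x7q.example.net/lp/index.php 200 http://news.example.com/industry/article.html
1350000004 10.0.0.5 GET http://cdn-x7q.example.net/lp/Applet.jar 200 http://cdn-x7q.example.net/lp/index.php
1350000010 10.0.0.9 GET http://news.example.com/industry/article.html 200 -
1350000012 10.0.0.9 GET http://updates.example.org/tool.jar 200 http://updates.example.org/download.html
"""

# Hypothetical allowlist of domains the organisation already trusts.
KNOWN_DOMAINS = {"news.example.com", "updates.example.org"}
# Artefact types an exploit kit typically hands to the browser or its plugins.
PAYLOAD_SUFFIXES = (".jar", ".class", ".exe", ".swf")
WINDOW_SECONDS = 30


def parse_line(line):
    """Split one assumed-format log line into a dict."""
    ts, client, method, url, status, referer = line.split(maxsplit=5)
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "status": int(status), "referer": referer}


def domain_of(url):
    return urlparse(url).hostname or ""


def find_watering_hole_chains(log_text, known_domains=KNOWN_DOMAINS,
                              window=WINDOW_SECONDS):
    """Return (client, trusted_page, payload_url) triples worth an analyst's look."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_trusted = {}            # client -> timestamp of last request to a trusted domain
    chained = defaultdict(dict)  # client -> {third-party domain: trusted page that referred it}
    hits = []
    for ev in events:
        dom = domain_of(ev["url"])
        ref_dom = domain_of(ev["referer"]) if ev["referer"] != "-" else ""
        if dom in known_domains:
            # Trusted domain itself: remember the visit, never flag it.
            last_trusted[ev["client"]] = ev["ts"]
            continue
        if ref_dom in known_domains:
            # A trusted page pulled in this third-party domain: candidate landing page.
            chained[ev["client"]].setdefault(dom, ev["referer"])
        recent = (ev["client"] in last_trusted
                  and ev["ts"] - last_trusted[ev["client"]] <= window)
        is_payload = urlparse(ev["url"]).path.lower().endswith(PAYLOAD_SUFFIXES)
        if recent and is_payload and dom in chained[ev["client"]]:
            hits.append((ev["client"], chained[ev["client"]][dom], ev["url"]))
    return hits


if __name__ == "__main__":
    for client, page, payload in find_watering_hole_chains(SAMPLE_LOG):
        print(f"{client}: {page} -> {payload}")
```

In the sample, client 10.0.0.5 produces one hit (the article page chained to a .jar on an unknown host), while 10.0.0.9 downloading a .jar directly from an allowlisted domain is left alone. The allowlist is the knob a defender tunes: a third-party domain that is legitimately embedded by the trusted site should be added to it, otherwise every visit looks like a chain.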
Of course it is impossible not to mention the mobile threat landscape, which continues to be focused on two platforms: Android, which accounted for 79% of all new malware variants identified in 2012, and Symbian, with 19% of the remaining new variants. In Q2 2012, China officially surpassed the United States as the world's largest market for smartphone consumers. Android handsets accounted for 81% of that market, and it is therefore probably not surprising that many of the new malware families detected last year were targeted specifically at Android users in mainland China.
“Given its dominance, the Android platform has naturally become the main target for active malware development, with a total of 238 new, unique variants found on the platform during that period. The majority of these malware are distributed as trojanized apps, in which a legitimate program has been engineered to include a malicious component. Most of the new variants found are categorized as trojans or monitoring-tools, which are able to either compromise the user’s data or track the user’s movements and activities.”
The report is full of interesting information; let me close the post with an overview of the banking trojan ecosystem:
… Bank robberies are exploiting new channels, and malware is their passepartout.