Having singled out the three major waves of malicious code evolution, Sophos’ James Lyne proceeds with his presentation, describing exploit toolkits, rogue antivirus activity patterns and the gradual, yet steadily growing trend of mobile viruses distribution.The bad guys are also getting much smarter about how they target our computers. They are producing pretty impressive tools, like Crimepack for instance. There are lots of competing products here. Interestingly, all with wonderfully modern web user interfaces and really quite nice product design, they are obviously very good at using the latest web development toolkits. These tools are designed to provide an attacker with access to the latest zero-day exploits. But interestingly, more often than not the most successful campaigns are targeted in applications and vulnerabilities that are quite old.
For example, if we look at the breakdown of vulnerabilities in the most popular crime kits out there at the moment, you can see the lion share focus is on PDF. And interestingly, if you go to any CISO1 and say “When did you have MS08-067 (the Conficker2) patch deployed?”, they’ll know. It may have taken two days, it may have taken a month, but they will have a solid picture. Ask them what version of Adobe PDF they are running, and they through their hands into the air and have absolutely no idea whatsoever.
The bad guys know what we in IT all suck at – deploying, and that’s what they are targeting. These exploit packs make it really easy for the bad guys to go after things like PDF, Internet Explorer, Firefox, and Java – all the things that aren’t so well controlled in the IT environment. So good for Microsoft that they’ve managed to get themselves out of the frame to a large extent, that patching is paying off to security responsiveness. The bad guys are now targeting the application layer, and we all need to be thinking about how we keep apps up-to-date.
Another terrifying trend of 2010 that will undoubtedly continue in 2011 and 2012 – fake antivirus. Now, if imitation is the highest form of flattery, then antivirus companies should be very flattered indeed.These are everywhere, all over the Internet, injecting themselves into good web pages, using black search engine optimization to gain the attention of users. And the premise is simple: you type in “I’ve got a virus, I need cleanup”, and you get told: “Oh my God, you’ve got 216 threats on your computer, it’s the end of the world, and you really need to clean up your computer right now!” And the user sits there looking at this fake antivirus screen, and it looks just like a real AV product. In fact, often these fake AV products look more attractive than real antivirus products. So perhaps a good security policy suggestion would be: if it looks nice – uninstall it.
Anyway, they sit there and they think: “Right, the IT administrator told me about viruses and worms and trojans, and how they wirelessly connect to my fridge and put my milk off and scare my cat at 2 a.m.” They get the details wrong but they basically know that viruses are bad. So they type in their credit card details to ‘register’ the product to clean up the malicious code, compromising their personal finances, providing an attacker with backdoor access to a corporate asset and the access to data, and potentially joining it to a large-scale botnet.
The astonishing thing here is that it used to be free to get infected with malicious code, but now people actually pay for the privilege. People pay to run malicious code from the bad guys. And these are all over the web, they make Conficker look like a pussy cat.
But it’s not just Windows. We see it happening on other platforms too now as well. I am a Mac user, I have been for a long time. I had the understanding that while running a Mac I should run antivirus because I would feel bad if I accidentally infected a PC user. There wasn’t really this feeling of risk of actually compromising your own computer. The metaphor for this is Typhoid Mary, a woman that worked in a hospital in the U.S and was a carrier of Typhus and could infect other people, but wouldn’t actually become ill herself.Those days for the Mac user have gone. And whilst there may be very little malicious code for the Macintosh platform versus the PC, it’s still serious stuff. Here we can see the iMunizator3 – brilliant product name, wonderful user interface. Steve Jobs would have been proud of this, it is very nice-looking, and all of the buttons work. It’s incredibly convincing, comes localized in about 20 different languages.
Some of these products actually have support, you can call them up and get technical assistance on how better to use their fake antivirus, it’s insane! But if you are a Mac user, if you are a CEO regularly giving presentations, if you are in a creative team, if you are in IT sitting there with lots of access to privileged information – be aware that the bad guys are targeting you too now, and you need to be protecting yourself appropriately. Times have changed.
The other big trend that we are at the beginning of the wave – we will certainly see more of it in the next couple of years – is mobile. I just have to say this – really, mobile. For the last seven or eight years, certain vendors, certain parts of security industry have been running around, waving their hands in the air saying: “This is the year that all of the malware will go from the Windows PC, and it will stop targeting them, and it will affect Symbian”. And, you know, every year nothing happens.So we’ve all got used to this notion that mobiles are kind of secure. We do our Internet banking, we install applications. And whilst the security team and the CISO are worrying about these devices, most users don’t have the same inbuilt sense of acceptable use and threat they had on the desktop environment. They are much more happy to click on things.
Over this year, we started to see malicious code. I am showing here the consequences of the first known malicious code for jailbroken iPhones, which you knew you were infected when this picture of Rick Astley came up in the background with the line: “Ikee is never gonna give you up” – apologies for that inadvertent rickroll. It is rumored that Rick Astley was Rick-rolled by his own phone, but no one has been able to confirm that for me yet.
This malware may be low distribution, but it is the beginning of a huge trend. The reason the bad guys haven’t been targeting these platforms is not because they are eminently secure, actually they are a bit like Windows 95; the reason is that until recently there wasn’t interesting data on these platforms to steal. But as we all use these devices more and more as a replacement for our laptop, as they become more and more a part of our lives and our identity – they are going to be more targeted.
So we need to see people focusing on protecting these devices. It’s not about the same protection model as the conventional PC. It’s not about antivirus in the same sense. But we do need to be thinking about compliance, patching and security to keep these devices safe.
1 – CISO (Chief Information Security Officer) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected.
2 – Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet.
3 – iMunizator is a rogue antivirus application targeting Mac OS. It performs a bogus system scan and claims to detect imaginary privacy issues on the targeted machine, subsequently asking the user to pay for resolving the ‘problems’.