Sophos chief technology officer Gerhard Eschelbeck comments on the main issues.
“The outstanding trend is the growing ability of malware authors to camouflage their attacks. They can now easily buy advanced botnet and exploit kit source code to create innovative and diverse new attacks. The result is a sharp increase in ransomware attacks (use of very strong encryption to make users’ files inaccessible and extort cash) – the vicious Cryptolocker in particular.”
“Advanced Persistent Attacks (APT) that gather company/government data were well-planned and well-funded. The difference was that after an APT achieved its aims it continued to monitor and provide convenient back door access.”
“The growing popularity of the “Internet of Things” (e.g., mobile devices, applications, social networks, and interconnected gadgets and devices) makes the threat landscape a moving target. New threats arise with emerging technologies like near field communications (NFC) being integrated into mobile platforms. Innovative uses of GPS services to connect our digital and physical lives present new opportunities for cybercriminals to compromise our security and privacy. Such systems could yield attacks that have a very personal impact on each of us.”
Following is a 1500-word summary of the full report.
Android
Since Sophos first detected Android malware in August 2010, it has recorded well over 300 malware families, with increasing innovation in how they evade detection: polymorphism to defeat signature matching, and encryption and obfuscation to counter analysis.
Large-scale botnets are now part of the Android landscape. Andr/GGSmart-A uses centralized command and control to instruct infected devices to send premium-rate SMS messages that are charged to the device owner. The operators can change the premium numbers, the message content and even the affiliate schemes across the entire network, which makes it better organized and more dangerous than earlier, hard-coded SMS trojans.
Ransomware has come to Android. Android Defender, a fake antivirus app that doubles as ransomware, demands a $99.99 payment to restore access to the device.
Bank account theft has come to Android with Andr/Spy-ABN, which has already targeted French, Dutch and Indian financial institutions. It intercepts user information in the browser or banking app before it is encrypted and forwarded to the bank.
Google made some progress in securing the Android platform from version 4.3, but older Android versions are not as secure. It also changed its app store (Google Play). Despite this, Android attacks continue to grow in complexity and maturity.
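The premium-SMS botnet described above needs a recognisable set of capabilities: permission to send SMS, permission to receive (and hide) the carrier's confirmation texts, network access so the operator can change numbers remotely, and persistence across reboots. The following Python is an added example, not code from Sophos or this article, showing how a triage tool can score those capabilities straight from AndroidManifest.xml. The manifests, package names and weights are constructed for illustration and do not describe Andr/GGSmart-A specifically.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """ElementTree key for an android:<name> attribute (namespaced)."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifests (hypothetical apps, not real samples): a benign torch app
# and a "free game" whose permission profile matches a premium-SMS trojan.
MANIFESTS: Dict[str, str] = {
    "torch.apk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>""",
    "freegame.apk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""",
}

# Illustrative weights: what each permission buys an SMS-fraud operator.
PERMISSION_WEIGHTS = {
    "android.permission.SEND_SMS": 3,                # bill the owner directly
    "android.permission.RECEIVE_SMS": 2,             # read/hide carrier confirmations
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,  # survive reboots
    "android.permission.READ_PHONE_STATE": 1,        # identify the bot (IMEI, number)
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def assess_manifest(xml_text: str) -> Tuple[int, List[str]]:
    """Score one manifest; return (score, human-readable reasons)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(attr("name")) for el in root.iter("uses-permission")}
    score, reasons = 0, []
    for perm in sorted(p for p in perms if p):
        if perm in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[perm]
            reasons.append(perm)
    # SEND_SMS plus INTERNET is the C2-driven billing pattern from the text:
    # the premium numbers are fetched from a server rather than hard-coded.
    if {"android.permission.SEND_SMS", "android.permission.INTERNET"} <= perms:
        score += 2
        reasons.append("SEND_SMS together with INTERNET (numbers changeable remotely)")
    # A high-priority SMS_RECEIVED receiver runs before the stock SMS app and
    # can swallow the carrier's "you have been charged" confirmation.
    for flt in root.iter("intent-filter"):
        priority = int(flt.get(attr("priority"), "0"))
        actions = {act.get(attr("name")) for act in flt.iter("action")}
        if SMS_RECEIVED in actions and priority >= 100:
            score += 3
            reasons.append("high-priority (%d) SMS_RECEIVED receiver" % priority)
    return score, reasons


def triage(manifests: Dict[str, str], threshold: int = 5) -> List[str]:
    """Names of manifests whose score reaches the (illustrative) threshold."""
    return sorted(n for n, x in manifests.items() if assess_manifest(x)[0] >= threshold)


if __name__ == "__main__":
    for name, xml_text in MANIFESTS.items():
        print(name, assess_manifest(xml_text))
    print("flagged:", triage(MANIFESTS))
```

Permission scoring is only a first filter: a legitimate messaging app will also request SEND_SMS and RECEIVE_SMS, so hits should feed a manual or dynamic-analysis queue rather than a verdict. From Android 4.4 only the user's default SMS app can abort the SMS_RECEIVED broadcast, which blunts the confirmation-hiding trick on newer devices but not on the older versions the report singles out.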
Linux
Linux is targeted because it is widely used to run websites and deliver web content.
Linux servers are widely assumed to be safer than other operating systems, so they can be overlooked as infection targets. This means an infected Linux server may remain infected for months or years, offering an exceptional return on investment to criminal organizations.
Every month Sophos identifies tens of thousands of suspicious samples of PHP code (a server-side scripting language commonly used on websites) running on Linux servers.
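The suspicious PHP the report counts is typically a small backdoor or webshell dropped into a writable directory, hidden behind layers of base64/gzip encoding and indirect calls so that a plain string search for `system(` finds nothing. The Python below is an added example, not Sophos's detection logic or anything from this article: a weighted rule scanner of the kind a server administrator can run over a document root. The PHP samples, file names and weights are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed PHP sources (hypothetical, not real samples): one benign page and
# three files using common webshell/backdoor obfuscation patterns.
SAMPLES: Dict[str, str] = {
    "index.php": (
        "<?php\n$title = 'Home';\n"
        "echo '<h1>' . htmlspecialchars($title) . '</h1>';\n"
    ),
    # eval of a base64 blob (decodes to: echo 'hi';)
    "cache/.x.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
    # request body -> gzinflate/base64 -> executed through a variable function name
    "uploads/img.php": (
        "<?php $f=$_POST['c']; $z=gzinflate(base64_decode($f)); "
        "$a='assert'; $a($z); ?>"
    ),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    "theme/functions.php": "<?php preg_replace(\"/(.*)/e\", $_GET['x'], \"\"); ?>",
}

# (compiled pattern, weight, description). Weights are illustrative triage
# values; one hit alone is not proof of malice (CMS plugins use base64 too).
RULES: List[Tuple] = [
    (re.compile(r"\beval\s*\(", re.I), 3, "eval() of runtime data"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2,
     "decoder call"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I), 1,
     "reads untrusted request input"),
    (re.compile(r"\$\w+\s*\(", re.I), 2, "variable function call"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I), 3,
     "shell execution"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 3,
     "preg_replace with /e modifier"),
]


def scan_php(source: str) -> Tuple[int, List[str]]:
    """Score one PHP source text; each rule counts once regardless of repeats."""
    score, hits = 0, []
    for pattern, weight, description in RULES:
        if pattern.search(source):
            score += weight
            hits.append(description)
    return score, hits


def flagged_files(samples: Dict[str, str], threshold: int = 4) -> Dict[str, Tuple[int, List[str]]]:
    """Map file name -> (score, hits) for every file at or above the threshold."""
    results = {name: scan_php(src) for name, src in samples.items()}
    return {name: r for name, r in results.items() if r[0] >= threshold}


if __name__ == "__main__":
    for name, (score, hits) in flagged_files(SAMPLES).items():
        print("%-22s score=%d  %s" % (name, score, ", ".join(hits)))
```

On a real server, feed the scanner every `*.php` under the web root and sort by score, then look hardest at files in upload or cache directories, files with leading dots, and files whose modification time does not match the rest of the deployment. Attackers who know such scanners exist split strings and build function names at runtime, so a low score never clears a file; it only orders the review.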
Mac OS X
There was a steady stream of evolving, modest, creative and diverse attacks. Macs are no longer immune to malware and viruses.
Ransomware has also come to Macs, via a security hole in the Safari browser.
Apple reluctantly removed from its marketing materials any claim that Macs do not get viruses. The key points are to:
- Remove Java, or at least turn it off in Safari
- Keep software patched
- Only use software installed from the Mac App Store
- Install antivirus on the Mac
- In corporate environments it is vital to protect Mac servers more comprehensively
Sophos does not mention Apple's iOS. As all iOS software must be installed from the App Store and the platform has ways of protecting its integrity, it is reasonable at this time to call it virus and malware free. However, jailbroken phones can download apps from non-approved sources and may contain malware or viruses.
Windows
Around one billion computers run Windows: over 90% of desktops/notebooks and 50% of commercial servers, and 31% of them still run XP. But the real virus/malware focus now is on the billion Android devices that have little or no protection.
From April 2014, Windows XP and Office 2003 reach end of support: no more patches or security fixes. To be blunt, no one should run this software past that date.
Windows, however, has become one of the easiest platforms to protect, simply because it was the first to be attacked and has such good free and paid software to protect it. The key is to patch regularly. The problem is that in commercial environments such as point-of-sale or medical diagnostic equipment there is often no one responsible for doing this. If it connects to a network and the Internet, it must be patched.
Sophos does not mention Windows Phone or Windows RT; for reasons similar to Apple's iOS these are presently virus and malware free.
Botnets
Botnets are networks of infected computers created to launch attacks such as Cryptolocker, perpetrate advertising click fraud, run DDoS attacks and more.
Botnets are now more resilient, integrating multiple backup forms of command and control that can restore a botnet client's connection if a server is discovered and taken down. There are millions of infected computers running as part of botnets, and their use is becoming more aggressive.
By October 2013, ZeroAccess controlled thousands of endpoints throughout the U.S. and UK, and it was widely detected in Germany, Australia and Italy.
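The article does not say which backup mechanism the botnets it discusses use. One common form, given here as an added illustration and not attributed to ZeroAccess or to Sophos, is a domain generation algorithm: bot and operator both derive the same short list of rendezvous domains from a shared secret and the current date, so taking down the hard-coded servers only forces the bot onto the next candidate. The same determinism is what lets defenders pre-register or blocklist tomorrow's domains. The seed, host names and TLD list below are hypothetical.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

# Hypothetical hard-coded first-tier C2 hosts (constructed for the example).
PRIMARY_C2 = ["update.example-cdn.net", "cdn2.example-cdn.net"]
# Hypothetical per-family secret; a real family would embed its own constant.
SEED = b"illustrative-seed-not-from-any-real-family"
TLDS = ["com", "net", "info"]
SAMPLE_DAY = date(2013, 10, 1)   # constructed reference date for the example


def dga_domains(day: date, count: int = 8, seed: bytes = SEED) -> List[str]:
    """Deterministic daily candidate list; bot and defender compute the same list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(label + "." + TLDS[digest[12] % len(TLDS)])
    return domains


def choose_c2(day: date, reachable: Set[str]) -> Optional[str]:
    """Bot-side fallback order: hard-coded hosts first, then today's DGA list.

    `reachable` stands in for a real connection attempt (constructed input)."""
    for host in PRIMARY_C2 + dga_domains(day):
        if host in reachable:
            return host
    return None   # nothing answered; a real bot would sleep and retry tomorrow


def sinkhole_candidates(start_day: date, days_ahead: int = 3) -> List[str]:
    """Defender side: every candidate for the next N days, for blocking or sinkholing."""
    candidates = []
    for offset in range(days_ahead):
        candidates.extend(dga_domains(start_day + timedelta(days=offset)))
    return candidates


if __name__ == "__main__":
    print("today's DGA list:", dga_domains(SAMPLE_DAY))
    # Primary hosts taken down; only one DGA domain is registered by the operator.
    print("bot reconnects via:", choose_c2(SAMPLE_DAY, {dga_domains(SAMPLE_DAY)[3]}))
    print("domains to sinkhole for 3 days:", len(sinkhole_candidates(SAMPLE_DAY)))
```

The operator needs to register only one of each day's candidates, while the defender must block all of them every day, which is why DGA families are usually beaten by recovering the seed from a sample (reverse engineering) rather than by reactive blocklisting. In network telemetry, a host resolving many never-before-seen random-looking domains that mostly return NXDOMAIN is the corresponding detection signal.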
Spam
Spam is the delivery mechanism for most malware. The aim is to get you to click on a link to an infected file.
To do this, spammers use emotional headlines relating to health, sex, weight loss, celebrities and much more.
Botnets are used to send the spam, and the infected PC uses its owner's data allowance to do so.
Prevention is better than a cure
Sophos rounds out its report with a comment that pattern-based detection (matching signature definitions) is old hat and that context-based detection is needed instead. It uses its own version of "big data" to correlate massive amounts of information from protected endpoints and servers in order to identify emerging attacks, and to collect binaries, URLs and telemetry that help it develop better protection.
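One concrete form of the context-based correlation described above is prevalence analysis: a binary that no signature knows, that is on no allowlist, and that suddenly appears on several unrelated endpoints within a few minutes is worth an alert on that pattern alone. The Python below is an added example, not Sophos's system or anything from the article; the telemetry records, endpoint IDs, hashes and URLs are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Constructed endpoint telemetry: (ISO timestamp, endpoint id, file hash, download URL).
# "aaa111" is a legitimate installer rolled out by IT; "bbb222" is an unknown
# executable that three machines fetched from a bare IP within six minutes.
TELEMETRY: List[Tuple[str, str, str, str]] = [
    ("2013-10-01T09:00:00", "ep-01", "aaa111", "http://cdn.vendor.example/setup.exe"),
    ("2013-10-01T09:05:00", "ep-02", "aaa111", "http://cdn.vendor.example/setup.exe"),
    ("2013-10-01T09:10:00", "ep-03", "aaa111", "http://cdn.vendor.example/setup.exe"),
    ("2013-10-01T10:00:00", "ep-04", "bbb222", "http://198.51.100.7/inv/doc.exe"),
    ("2013-10-01T10:02:00", "ep-05", "bbb222", "http://198.51.100.7/inv/doc.exe"),
    ("2013-10-01T10:04:00", "ep-06", "bbb222", "http://198.51.100.7/inv/doc.exe"),
    ("2013-10-01T10:06:00", "ep-04", "bbb222", "http://198.51.100.7/inv/doc.exe"),  # repeat endpoint
    ("2013-10-01T11:00:00", "ep-07", "ccc333", "http://198.51.100.7/inv/doc2.exe"),  # single machine
]
# Hashes with established reputation (constructed allowlist); in practice this
# would be a vendor reputation feed plus the organisation's own software inventory.
KNOWN_GOOD: Set[str] = {"aaa111"}


def emerging_binaries(events: Iterable[Tuple[str, str, str, str]],
                      known_good: Set[str],
                      min_endpoints: int = 3,
                      window_minutes: int = 15) -> Dict[str, dict]:
    """Flag unknown hashes seen on >= min_endpoints distinct endpoints within the window.

    No signature is consulted: the verdict comes purely from spread over time."""
    window = timedelta(minutes=window_minutes)
    by_hash: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, endpoint, sha, url in events:
        by_hash[sha].append((datetime.fromisoformat(ts), endpoint, url))

    alerts: Dict[str, dict] = {}
    for sha, rows in by_hash.items():
        if sha in known_good:
            continue
        rows.sort()
        # Slide a window starting at each observation; count distinct endpoints,
        # so a single noisy machine re-downloading the file cannot trigger it.
        for i, (start, _, _) in enumerate(rows):
            seen = {ep for t, ep, _ in rows[i:] if t - start <= window}
            if len(seen) >= min_endpoints:
                alerts[sha] = {
                    "first_seen": start.isoformat(),
                    "endpoints": sorted(seen),
                    "urls": sorted({u for _, _, u in rows}),
                }
                break
    return alerts


if __name__ == "__main__":
    for sha, info in emerging_binaries(TELEMETRY, KNOWN_GOOD).items():
        print(sha, info)
```

The allowlist is what keeps an ordinary software rollout from looking like an outbreak; without the `KNOWN_GOOD` entry the vendor installer would also be flagged, which is exactly the trade-off the report points at when it pairs telemetry with reputation data. Tuning `min_endpoints` and the window against the organisation's normal deployment cadence is the bulk of the work in practice.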
Emerging trends and threats for 2014
Attacks on corporate and personal data in the cloud. As businesses increasingly rely on cloud services to manage customer data and financial assets, attacks will emerge that target endpoints, mobile devices and credentials as a means of gaining access to corporate or personal clouds.
APTs meet financially motivated malware. Attacks carried out for industrial espionage will inspire financial malware gangs to adopt the same techniques.
Android malware, increasingly complex, seeks out new targets. While Android's security will improve, cybercriminals will improve faster and continue to explore new avenues for monetizing Android malware. Android is an attractive launching pad for attacks aimed at social networks and cloud platforms. BYOD is another issue: consumer-grade Android devices will be used as the attack vector into corporate networks.
Personal data danger from mobile apps and social networks. The continuing adoption of emerging apps for personal and business communication widens the attack surface, particularly for socially engineered scams and data exfiltration attempts. Your address book and your social connections are a treasure trove for cyber-crooks.
Cyberhackers have the same tools as the good guys, so who will win? There is a never-ending fight between cybercriminals and security vendors, and new weapons will be aimed at the latest cyber-defence mechanisms. Reputation services, cloud security databases, whitelisting and sandboxing layers will be attacked in new and sinister ways. There will be more malware signed with stolen code-signing certificates, attempts to poison security data and telemetry analytics, new sandbox detection and bypass techniques, and increased use of legitimate tools for malicious purposes.
Undermining hardware, infrastructure and software at the core - who can you trust? The revelations of government agency spying and backdoors (not only by governments, but also commercial organizations) showed the world that broad-scale compromise of the core infrastructure has happened. We will need to re-evaluate technologies and trusted parties.
Hacking everything. The security ecosystem is not well developed for the internet of everything. For those wishing to harm us, embedded devices in our homes, offices and even cities represent interesting attack targets. New electronic currencies and payment techniques mean that far more than just the credit card is worth targeting.
About Sophos - More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. It is headquartered in Oxford, UK.