Global Threat Trends 1H 2010
Trend Micro TrendLabs Global Threat Trends 1H 2010

Table of Contents
• Threat Trends
• Email Threat Trends
• Web-Based Threat Trends
• File-Based Threat Trends
• Cybercrime and Botnets
• Underground Economy
• High Profile Incidents of 1H2010
• Vulnerabilities
• Trend Micro Technology and Protection
• Smart Protection Network
• Solutions and Services
• Trend Micro Enterprise Security
• Trend Micro SecureCloud
• Trend Micro Worry-Free Business Security
• Trend Micro Titanium
• Advice for Businesses Adopting Cloud Strategies
• Advice for Businesses
• Top Tips for End Users
• About TrendLabs

Introduction

Cybercrime is now a fully fledged, but highly illegal, business, and it is all about money. As the Underground Economy has grown and flourished, cybercriminals have developed new methods for tricking victims. Their scams are amazingly lucrative, with profits totaling in the billions per year. Many perpetrators hail from Eastern Europe, where cybercrime is rampant and considered business as usual. Canadian pharmacy spam, fake antivirus and others are part of a well-organized business model based on the concept of affiliate networking. In the case of cybercrime, the products sold via affiliate marketing, such as click fraud and stolen credit card details, may be highly profitable but are highly illegal.

In this report, covering January to June 2010, we examine various cybercrime incidents and the criminals' use of multiple tools such as botnets, and look at the threat trends and activity currently causing, and likely to continue to cause, the most pain, cost and disruption to connected users across the world. Many threats have evolved in recent times, becoming more silent and more insidious. Threats are intertwined, meaning almost every threat comprises multiple components for attacking, infecting and compromising data. These components always relate to one or more of the following three vectors: email, web and file.
During the first six months of 2010, TrendLabs identified Europe as the largest source of spam emails, while Education is the industry most affected by malware compromise. Meanwhile, the US is the primary source of malicious URLs. Vulnerability exploits are a key asset used by cybercriminals. They buy and sell vulnerability information and exploit code, as well as other types of malware. In the first half of 2010, over 2,500 Common Vulnerabilities and Exposures (CVEs) were recorded. Professional criminals are widely known to be the perpetrators of almost all threats. Botnets are managed and run as an enterprise organization manages its network. Making money is the primary aim.

Threat Trends

The Trend Micro™ Smart Protection Network™ infrastructure delivers advanced protection from the cloud, blocking threats in real time before they reach you. Leveraging a unique cloud-client architecture, it is powered by a global network of threat intelligence sensors and email, Web, and file reputation technologies that work together to dramatically reduce infections. The Smart Protection Network is now seeing 45 billion queries every 24 hours, while it blocks 5 billion threats and processes 2.5 terabytes of data on a daily basis. On average, 80 million users are connected to the network each day. This community of users helps the Trend Micro Smart Protection Network continue evolving and improving protection in real time. The following data points, taken from the Smart Protection Network and other supporting monitoring systems, provide a comprehensive insight into the threats Trend Micro protected its users against in the first six months of 2010.

Email Threat Trends

Spam

Spam continued to grow between January and June 2010, albeit with a brief interval during April.
[Chart: Regional Spam Sources - Q1 (APAC, Europe, North America, South America, Unknown, Africa)]
[Chart: Regional Spam Sources - Q2 (APAC, Europe, North America, South America, Unknown, Africa)]
[Chart: Spam Volume, January to June 2010]

The most notable change between the first and second quarters of 2010 was the reduction in spam from APAC and the increase in spam from Europe. Countries strongly contributing to the growth in spam from Europe include Germany, the UK, Italy and France.

Most of the spam tracked during the past six months falls under one of three categories: Commercial (28%), Scams (22%), or Health/Medical (15%). In terms of spam technique, 37% of total samples use HTML, followed by Plain Text (25%) and Short Spam (10%).

[Chart: Spam Technique Distribution (HTML, Plain Text, Short Spam, Image, HTML Inserts, Salad, RAR/Zip attached, XLS attached, DOC/TXT attached, PDF/RTF attached, GIF/JPEG attached, Others)]

Currently, TrendLabs monitors 38 languages and dialects used in spam. This coverage is continuously being improved to provide increased protection against highly localized spam. More than 95% of spam is in English. For non-English spam, the most common languages received are Russian, Japanese, Chinese, Spanish, and French.

Commercial, Scams and Health/Medical spam made up the vast majority, a total of 65 percent of the spam tracked in the first half of 2010.

[Chart: Spam Type Distribution (Commercial, Scams, Health/Meds, Stocks, Educ/Degree, Jobs, Adult/Porn/Dating, Phishing, Malware (attachment), Malware (URL), Financial, Others)]

The chart below shows the quantity of spam per ASN (Autonomous System Number) in the first six months of 2010. An ASN is allocated to each ISP or organization that manages a large group of IP routing prefixes[1].

[Chart: Spam volume by ASN (past 6 months), January to June 2010]

The quantity of spammed messages distributed via botnets is astronomical. Spam continues to be a vector of choice for criminals owing to the speed of distribution and delivery, the vast target list and the relatively low cost of investment when compared to the profit on offer.

As can be seen from the chart above, certain ASNs are working hard to reduce the spam distributed via their networks; however, these efforts seem to be countered by a number of providers not acting to manage the spam problem. One way ISPs can help combat botnets and spam is by blocking email on port 25, the port used for SMTP transfers. Botnet communications use port 25 when sending spam and other junk mail. By blocking port 25 and moving email communications to a different internal port, the spam communications become ineffective. Generally speaking, users will not notice any direct change, as most use their ISP's own servers or free email services from providers like Gmail, Windows Live Hotmail, or Yahoo Mail.

[Chart: Spam Volume by Country, January to June 2010 (USA, IND, DEU, BRA, GBR, FRA, VNM, ITA, KOR, POL, ROM, RUS, NLD, ESP, UKR, COL, TWN, SAU, PRT, ISR, ARG, GRC, CAN, TUR, others)]

As an example of how and why the issue of spam is now overwhelming, according to Trend Micro research, spam now accounts for around 97% of all email in circulation[2].
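The port-25 recommendation above can also be turned around into a detection: on an ISP or corporate edge, any host that is not an authorised mail relay and opens SMTP connections to many different destinations is behaving like the spam bots the report describes. The following Python script is an added example, not code from the report or from Trend Micro; the flow-log format, the IP addresses and the relay list are all constructed for the example.

```python
"""Spot spam-bot behaviour in outbound connection logs.

Added example; not code from the Trend Micro report. The report recommends
that ISPs block outbound port 25 except from their own mail servers. The same
policy can be checked from flow logs: any host that is not an authorised relay
and talks SMTP to many distinct destinations behaves like a spam bot. The log
format, the IP addresses and the relay list below are constructed for this
example.
"""
from collections import defaultdict

# Constructed flow-log lines: timestamp, source IP, destination IP, destination port, action.
SAMPLE_FLOWS = """\
2010-06-01T10:00:01 10.0.0.5 203.0.113.10 25 ACCEPT
2010-06-01T10:00:02 10.0.0.5 203.0.113.11 25 ACCEPT
2010-06-01T10:00:03 10.0.0.5 198.51.100.7 25 ACCEPT
2010-06-01T10:00:04 10.0.0.5 198.51.100.8 25 ACCEPT
2010-06-01T10:00:05 10.0.0.5 192.0.2.33 25 ACCEPT
2010-06-01T10:00:06 10.0.0.9 192.0.2.50 443 ACCEPT
2010-06-01T10:00:07 10.0.0.2 192.0.2.60 25 ACCEPT
2010-06-01T10:00:08 10.0.0.7 203.0.113.99 25 ACCEPT
"""

# Hypothetical: the only host that is allowed to speak SMTP to the Internet.
AUTHORISED_RELAYS = {"10.0.0.2"}
SMTP_PORT = 25


def parse_flows(text):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def unauthorised_smtp(text, relays=AUTHORISED_RELAYS):
    """Every port-25 connection from a host that is not an authorised relay.

    This is exactly the traffic an ISP- or perimeter-level port-25 block
    would have dropped, so its volume shows what the control buys you.
    """
    return [f for f in parse_flows(text) if f["port"] == SMTP_PORT and f["src"] not in relays]


def smtp_destinations_per_host(text, relays=AUTHORISED_RELAYS):
    """Map each non-relay host to the set of SMTP servers it contacted."""
    dests = defaultdict(set)
    for f in unauthorised_smtp(text, relays):
        dests[f["src"]].add(f["dst"])
    return dests


def flag_spam_bots(text, relays=AUTHORISED_RELAYS, min_destinations=3):
    """Hosts that contacted at least min_destinations distinct mail servers.

    A desktop that legitimately uses the corporate relay talks to one SMTP
    server; fan-out to many servers is the bot pattern described in the report.
    """
    dests = smtp_destinations_per_host(text, relays)
    return sorted(src for src, d in dests.items() if len(d) >= min_destinations)


if __name__ == "__main__":
    print("suspected spam bots:", flag_spam_bots(SAMPLE_FLOWS))
    print("connections a port-25 egress block would drop:", len(unauthorised_smtp(SAMPLE_FLOWS)))
```

On the sample data only 10.0.0.5 fans out to several mail servers and is flagged; 10.0.0.7 made a single SMTP connection and is reported only by the egress check. The preventive control the report describes is the corresponding firewall rule: drop outbound destination port 25 from everything except the relay, and have clients submit mail to the ISP's own server on the standard submission port (587) instead.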
In a recent laboratory-controlled investigation, the quantity of spam generated by a single bot-infested computer in a 24-hour period totaled around 2,553,940[3].

[1] http://en.wikipedia.org/wiki/Autonomous_System_Number
[2] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/q3_2009_spam_report.pdf
[3] https://blog.trendmicro.com/how-many-spam-can-a-spam-bot-spam/

The following chart shows the total number of spam-bot-infected computers TrendLabs identified per country. A spam bot is an infected computer, controlled by a botnet, that is known to prolifically distribute spam, although it is unlikely to be limited to only this type of activity. Note that this is not the total number of infected computers, as many bots are not used to distribute spam.

[Chart: 1H10 Total Host Count by Country (IND, BRA, DEU, VNM, RUS, USA, ITA, GBR, UKR, SAU, COL, ESP, POL, CHN, ARG, TWN, ROM, THA, TUR, SRB, GRC, PRT, IDN, PAK, others)]

However, the total numbers of active spamming IPs in India and Brazil are well ahead of their closest rival, Germany. In the past 6 months, both India and Brazil have fully emerged as central countries in the cybercriminal landscape.

Phishing

Targeted Entities

In alphabetical order, the four most popular entities targeted via both phishing email and spoofed sites in the first six months of 2010 were (1) Bank of America, (2) eBay, (3) HSBC, and (4) PayPal.

While the majority of the top 10 targeted entities are commercial or financial entities, social media platforms like Facebook and Twitter, as well as MMORPGs like World of Warcraft, were also consistently present.

The majority of the new entities being targeted by phishers are local banks in specific countries (e.g., Italy, Malaysia, United States) and online gaming services (listed below in alphabetical order):
• Air Academy FCU: a credit union with branches in Colorado
• Banca Carige: a commercial Italian bank, including some of its subsidiaries like Cassa di Risparmio di Carrara and Cassa di Risparmio di Savona
• Banca Cesare Ponti: a commercial Italian bank
• Banca Del Monte di Lucca
• Banca Sai: a commercial Italian bank
• Battle.net: an online gaming service operated by Blizzard Entertainment
• Cassa di Risparmio di Ferrara: a commercial Italian bank
• CenturyLink: a telecommunications company in the United States
• FirstCaribbean International Bank: a Barbados-based bank operating in the Caribbean
• iQuebec: a French-language Internet portal
• Lottomatica: an Italian gaming company
• Nantahala Bank & Trust Company: an American bank
• NCSoft: an online gaming service provider
• Pinnacle Bank: an American bank
• President's Choice Financial: a Canadian bank
• Public Bank Berhad: a Malaysian bank
• SCRIGNO for Banca Popolare Di Sondrio: an Italian bank

Phishing Techniques

Between January and June 2010, phishers continued the trend of explicitly displaying phishing URLs. This indicates that victims still trust that a site is authentic based on more obvious visual clues, such as the site's appearance and its use of correct company logos, instead of inspecting the URL in the address bar.

Web-Based Threat Trends

The onslaught of threats using the Web as a means to propagate will increasingly cause challenges for organizations and end users.

[Chart: Growth in Malicious URLs, January to June 2010]

Bad Actors vs. Victims

Bad Actors refers to the sources of malicious URLs. The United States has consistently been the primary source of malicious URLs, while Japan accessed the greatest number of malicious URLs. Similarly, North America is the continent with the most malicious URLs, while Asia is the continent with the most victims.

Monthly Top 20 Bad Actors by Country

#  | Jan                    | Feb                | Mar                | Q1
1  | United States          | United States      | United States      | United States
2  | China                  | China              | China              | China
3  | Netherlands            | Netherlands        | Netherlands        | Netherlands
4  | Russian Federation     | Germany            | Germany            | Germany
5  | Germany                | Russian Federation | Romania            | Russian Federation
6  | Romania                | Japan              | Japan              | Romania
7  | Japan                  | Romania            | Russian Federation | Japan
8  | France                 | France             | United Kingdom     | France
9  | United Kingdom         | United Kingdom     | France             | United Kingdom
10 | Ukraine                | Canada             | Canada             | Canada
11 | Bosnia and Herzegovina | Ukraine            | Ukraine            | Ukraine
12 | Canada                 | South Korea        | South Korea        | South Korea
13 | South Korea            | Italy              | Italy              | Sweden
14 | Sweden                 | Sweden             | Sweden             | Italy
15 | Portugal               | Poland             | Australia          | Poland
16 | Poland                 | Turkey             | Bahamas            | Bosnia and Herzegovina
17 | Italy                  | Australia          | Turkey             | Turkey
18 | Turkey                 | Czech Republic     | Poland             | Australia
19 | Australia              | Taiwan             | Czech Republic     | Portugal
20 | Israel                 | Panama             | Panama             | Czech Republic

#  | Apr                | May                | Jun                | Q2
1  | United States      | United States      | United States      | United States
2  | China              | China              | Ireland            | China
3  | Netherlands        | Romania            | China              | Ireland
4  | Germany            | Germany            | Romania            | Romania
5  | Romania            | Japan              | Japan              | Germany
6  | Japan              | United Kingdom     | Germany            | Japan
7  | United Kingdom     | Netherlands        | United Kingdom     | Netherlands
8  | Russian Federation | Ukraine            | Netherlands        | United Kingdom
9  | Ukraine            | Russian Federation | Russian Federation | Russian Federation
10 | France             | France             | Ukraine            | Ukraine
11 | Canada             | South Korea        | France             | France
12 | South Korea        | Canada             | South Korea        | Canada
13 | Italy              | Australia          | Canada             | South Korea
14 | Australia          | Italy              | Sweden             | Australia
15 | Sweden             | Belgium            | Belgium            | Sweden
16 | Turkey             | Sweden             | Australia          | Belgium
17 | Bahamas            | Taiwan             | Latvia             | Italy
18 | Singapore          | Bahamas            | Italy              | Bahamas
19 | Czech Republic     | Singapore          | Bahamas            | Latvia
20 | Poland             | Poland             | Taiwan             | Taiwan

Top URLs and Domains Blocked

Below is the list of the URLs that consistently appeared in the top 10 for 4-6 months (in no particular order):
• ad.globe7.com:80/iframe3 (USA): Contains malicious IFRAME code
• bid.openx.net:80/json (USA): Known to download TROJ_AGENT variants
• delivery.adyea.com:80/lg.php (DEU): Known to download worms; sets drives to autoplay by creating autorun.inf in the drives' root directories
• dt.tongji.linezing.com:80/tongji.do (CHN): Related to JS_DLOADR.ATF
• hot1.xgazo.info:80/pic.php (USA): Proxy avoidance site
• newt1.adultadworld.com:80/jsc/z5/ff2.html (USA): Adult website
• openxxx.viragemedia.com:80/www/delivery/afr.php (NLD): Known to host adware

Below is the list of domains that consistently appeared in the top 10 for 4-6 months (in no particular order):
• bid.openx.net (USA): Known to download TROJ_AGENT variants
• delivery.adyea.com (DEU): Known to download worms; sets drives to autoplay by creating autorun.inf in the drives' root directories
• dt.tongji.linezing.com (CHN): Related to JS_DLOADR.ATF
• hot1.xgazo.info (USA): Proxy avoidance site
• newt1.adultadworld.com (USA): Adult website
• openxxx.viragemedia.com (NLD): Known to host adware
• trafficconverter.biz (USA): Known to be accessed by Conficker/DOWNAD variants

File-Based Threat Trends

New Malware Creation

In order to ensure wide sourcing of malware samples, Trend Micro has its own research and monitoring systems and also collaborates with multiple independent third parties, among them AV-test.org. Based on the total number of unique samples collected in 2009, a new piece of malware is created every 1.5 seconds.

[Chart: New Unique Samples Added to AV-Test.org's Malware Collection, 2007-01 to 2010-03, with 3-month median growth and forecast: a new threat every 1.5 seconds]

Infections according to Industry

The chart below clearly indicates that Education as an industry has been hardest hit by infections in the first half of 2010. This is likely owing to the number of students using old and out-of-date software and security, and possibly visiting suspect websites. These issues compound the challenges related to securing a complex, distributed and diverse infrastructure.

[Chart: Infection breakdown by Industry (Banking, Communication/Media, Education, Energy, Fast-Moving Consumer Goods, Financial, Food and beverage, Government, Healthcare, Insurance, Manufacturing, Materials, Media, Oil and gas, Other, Real estate, Retail, Technology, Telecommunications, Transportation, Utilities)]

[Chart: Infections tracked, by Industry over Time, January to June 2010]

Trojans account for about 60 percent of new signatures created by TrendLabs, and 53 percent of overall detections as of June.
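The blocked URL and domain lists under Web-Based Threat Trends, and the observation under Phishing Techniques that victims judge a page by its look rather than by its address bar, both come down to inspecting the URL before the user acts on it. The following Python script is an added example, not code from the report or from Trend Micro: it triages constructed proxy-log lines against a blocklist built from the domains the report lists, a look-alike test for hosts that carry a trusted brand name outside their registrable domain, and a constructed list of URL shorteners (the report's later incident on shortened links in IM spam is the same concealment problem). The brand table, shortener list and log lines are assumptions made for the example.

```python
"""URL triage for proxy logs: blocklist hits, brand look-alike hosts and link shorteners.

Added example; not code from the Trend Micro report or from Trend Micro. The
blocklist is built from the domains the report lists as consistently blocked
and matches the exact domain and any subdomain of it. The look-alike check
flags a host that contains a trusted brand name when its registrable domain
is not that brand's own domain, which is the "obvious visual clue" phishing
pattern the report describes. The shortener list, the brand table and the log
lines are constructed for this example.
"""
from urllib.parse import urlsplit

# Hosts the report lists as consistently in its top-10 blocked (page data).
BLOCKLIST = {
    "ad.globe7.com", "bid.openx.net", "delivery.adyea.com",
    "dt.tongji.linezing.com", "hot1.xgazo.info", "newt1.adultadworld.com",
    "openxxx.viragemedia.com", "trafficconverter.biz",
}
# Hypothetical brand table: brand keyword -> the brand's genuine registrable domain.
BRANDS = {
    "paypal": "paypal.com", "ebay": "ebay.com",
    "hsbc": "hsbc.com", "bankofamerica": "bankofamerica.com",
}
# Constructed shortener list; a real deployment would maintain a fuller one.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}


def registrable_domain(host):
    """Last two labels of a hostname.

    Assumption for the example: no multi-label public suffixes (co.uk etc.);
    production code would consult the Public Suffix List.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def blocklisted(host):
    """True if host is a blocklisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def lookalike_brand(host):
    """Return the brand name a host impersonates, or None.

    'www.paypal.com.secure-login.example' contains 'paypal' but its registrable
    domain is 'secure-login.example', so it is flagged; 'www.paypal.com' is not.
    """
    host = host.lower()
    reg = registrable_domain(host)
    for brand, genuine in BRANDS.items():
        if brand in host.replace("-", "") and reg != genuine:
            return brand
    return None


def classify_url(url):
    """Order matters: a known-bad host outranks a heuristic match."""
    host = urlsplit(url).hostname or ""
    if blocklisted(host):
        return "blocklisted"
    brand = lookalike_brand(host)
    if brand:
        return "lookalike:" + brand
    if registrable_domain(host) in SHORTENERS:
        return "shortened"
    return "ok"


# Constructed proxy-log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2010-05-02T09:10:11 10.0.0.12 GET http://delivery.adyea.com/lg.php
2010-05-02T09:10:15 10.0.0.12 GET http://www.paypal.com.secure-login.example/signin
2010-05-02T09:10:20 10.0.0.18 GET http://bit.ly/2abcXYZ
2010-05-02T09:10:25 10.0.0.18 GET https://www.paypal.com/cgi-bin/webscr
2010-05-02T09:10:30 10.0.0.21 GET http://images.trafficconverter.biz/x.exe
"""


def triage(log_text):
    """Return (client, url, verdict) for every log line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url = line.split(maxsplit=3)
        results.append((client, url, classify_url(url)))
    return results


if __name__ == "__main__":
    for client, url, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:18} {client:10} {url}")
```

The subdomain match is what catches images.trafficconverter.biz from a blocklist entry of trafficconverter.biz; the look-alike test is a heuristic, so a "lookalike" verdict is a candidate for review rather than an automatic block, while a "shortened" verdict says only that the destination is still unknown until the link is expanded.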
Backdoors and Trojan-spyware, often defined as crimeware or data-stealing malware, come in second and third places, respectively. However, the majority of Trojans lead to data-stealing malware.

TrendLabs now sees in the region of 250,000 samples each day. However, recent estimates place the number of unique new malware samples introduced in a single day at greater than 60,000 unique samples.

Cybercrime and Botnets

Botnets are the tool of choice for distributing malware, perpetrating attacks and sending slews of spam email. Through these botnets, botnet herders (the cybercriminals behind the botnets) earn millions of dollars in money stolen from innocent computer users. These cybercriminals buy and sell, build partnerships and rent services just as an above-board business would; the main difference is the legitimacy and legality of the products, solutions and services they handle.

In an effort to help better explain cybercrime, in April 2010 TrendLabs' forward-looking research group published the following correlation map to provide a pictorial representation of the cybercriminal business model[4].

[Figure: botnet business model correlation map. Nodes: CUTWAIL a.k.a. PUSHDO (spam, how the threat is delivered); ZEUS (notorious information stealer); BREDO a.k.a. BREDOLAB (pay per install); TDSS (rootkit capabilities); FAKEAV (spamware used to extort money from victims in exchange for fake security software); SASFIS (used to deliver malware in pay-per-install or pay-per-access models); WALEDAC; KOOBFACE (usually found on social networking sites)]

This chart may, on the face of it, seem quite complicated, but we can illustrate it using BREDO and CUTWAIL as an example. CUTWAIL spammed messages contain BREDO variants, therefore it can be assumed that the criminals behind BREDO are paying the criminals behind CUTWAIL to send spam containing BREDO. It is also likely that they are paid per machine infected by the BREDO variant they spammed. Note that these infected machines, which are part of the CUTWAIL botnet, report back to the BREDO botnet master. The same thing happens between ZeuS and BREDO. The criminals behind ZeuS pay the criminals behind BREDO to install their (ZeuS) malware on infected machines. As we all know, ZeuS malware steals bank account information, among other things (e.g., POP3 and FTP accounts).

[4] http://blog.trendmicro.com/spotlighting-the-botnet-business-model/

There is an ongoing cycle of money moving from one place to another. In another example, the criminals behind FAKEAV get paid if users buy their fake antivirus programs, and they use this money to pay other botnets to spread their programs. At the end of the day, the aim of this succession of infections is to steal money from affected users. Keep in mind that every time a primary botnet downloads another malware, the criminals behind the botnet are paid. TrendLabs experts see this cycle continuing, and evolving constantly.

Arguably the two threats that have had the most impact in the past six months are ZeuS and KOOBFACE.

ZeuS

ZeuS is primarily a crimeware kit designed to steal users' online banking login credentials, among other things. It is the handiwork of Eastern European organized criminals and has now entered the underground cybercriminal market as a commodity. ZeuS has proliferated in part due to the availability of these ZeuS toolkits, which allow cybercriminals to rapidly create ZeuS variants in a matter of minutes. Hundreds of new ZeuS variants are seen by Trend Micro every day, and this is not likely to change in the near future.

KOOBFACE

KOOBFACE has been around since last year, gearing up to become the largest social networking threat to date.
In the early part of this year, TrendLabs experts noted that the KOOBFACE gang was continuously updating their botnet: changing the botnet's architecture, introducing new component binaries, and merging the botnet's functions with other binaries. They also began encrypting their C&C communications to avoid monitoring and takedown by security researchers and the authorities. KOOBFACE attacks users on several social networking sites, and given the increasing usage across all demographics, the KOOBFACE gang is not likely to let go of this money-generating scheme. In fact, it had begun tracking visitors, as evidenced by a short piece of JavaScript code found in the fake video pages the gang has set up. This enables the creators to correlate user activity based on time of day and volume of successful KOOBFACE infections[6].

A new version of the ZeuS malware has also been encountered in the wild since the start of the year. These new versions, frequently referred to as ZeuS 2.0 versions, have had their behavior changed to become more difficult to detect and remove from systems. In addition, this new version also includes default support for current versions of Windows, where before it had to be acquired as an "upgrade"[5].

[5] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
[6] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/web_2_0_botnet_evolution_-_koobface_revisited__may_2010_.pdf

Underground Economy

During their monitoring, experts from TrendLabs identified the following items and their average price tags, for sale on the underground.
Document scan resale services:
• Passport/utility bill/statement: $20
• Credit card (front and back): $25
• Passport/utility bill/statement: $20
• Original docs: starts from $4
• Passport: $20
• Driver's license: $20
• Credit cards: $30
• Utility bill: $10

US credit card sales:
• USA / MasterCard / VISA: $0.80 to $1 each

EU credit cards:
• Denmark, Greece, Ireland (Eire), Latvia, Netherlands, Norway, Sweden: $3 per card

Credit card money cashers (card information input service):
• A person inputs the credit card information in online shops, for delivery to the requested address: $5

PayPal accounts:
• Hacked PayPal accounts: 30% of the current balance on the PayPal account

High Profile Incidents of 1H2010

Between January and June 2010, there were many high profile threat incidents. The following threat incidents are those we believe had the most impact on users and/or the security industry.

1 – The IE and other Zero-Day Attacks[7]

In January, spammed emails loaded with malware files were sent to users, and malicious sites were found to contain hidden JavaScript malware that took advantage of a zero-day vulnerability in Internet Explorer. All versions of Internet Explorer (except v5.01) were affected, and the exploit was known to send backdoor Trojans to affected systems. Once executed, these malicious backdoor files stole information, which was sent to a remote user. This zero-day exploit was subsequently reprogrammed to avoid a security feature in Internet Explorer, forcing Microsoft to release an out-of-band patch (Microsoft Security Bulletin MS10-002) on 21 January. Some reports also suggest that cybercriminals are launching attacks using recent vulnerabilities found in Adobe Reader and Acrobat.
Independent researchers surmised that about 34 companies were affected by what was described as a "highly sophisticated and targeted attack." This situation is in line with the Trend Micro prediction that there would be "No global outbreaks, but localized and targeted attacks".

2 – ZeuS, ZBOT and Kneber

ZeuS, Kneber and ZBOT all relate to the notorious ZeuS crimeware. In February, Kneber hit the headlines and shone a spotlight on ZeuS. An established toolkit known to be leveraged by many other threats, ZeuS is one of the most dangerous threats online. ZeuS is often mistakenly referred to as a botnet; in fact, ZeuS is made up of many, many small botnets, all linked by their use of the same crimeware. ZeuS may arrive as an attachment or link in a spammed message, or be unknowingly downloaded via compromised websites. Most ZeuS botnets target bank-related websites; however, in the first 6 months of 2010, Trend Micro monitored activity including:
• Spam targeting government agencies
• Phishing attacks that target AIM users
• ZBOT variants that target the social networking site Facebook

In order to defraud victims, the criminals behind this threat generate a list of bank-related websites or financial institutions from which they steal user names, passwords and other sensitive banking information. They harvest credentials such as those used for online shopping, online payment and FTP, and insert extra form elements into legitimate pages (e.g., online banking) that ask for additional information such as PIN numbers. TrendLabs published a comprehensive insight into ZeuS in March 2010: ZeuS, a Persistent Criminal Enterprise[8].

[7] http://threatinfo.trendmicro.com/vinfo/web_attacks/Zero-Day_Internet_Explorer_Bug_Downloads_HYDRAQ.html

3 – Mariposa Botnet Uses

Mariposa, "butterfly" in Spanish, refers to a network of 13 million compromised systems in more than 190 countries worldwide that was managed by a single command-and-control (C&C) server in Spain.
This botnet has been dubbed one of the biggest networks of zombie PCs in cyberspace, alongside the SDBOT IRC, DOWNAD/Conficker, and ZeuS botnets. The Mariposa botnet was in existence as early as December 2008, and rose to fame in May 2009. However, in March 2010 came its shutdown and the subsequent arrest of three of its main perpetrators.

Typically, botnets carry with them binaries or malicious files that their perpetrators use for various purposes. At the time its notoriety was growing, Trend Micro threat analysts found WORM_AUTORUN.ZRO, a worm retrieved from compromised systems that were found to be part of the Mariposa botnet. This worm has the ability to spread via instant-messaging (IM) applications, peer-to-peer (P2P) networks, and removable drives. Some binaries were also capable of spreading by exploiting a vulnerability in Internet Explorer (IE).

Just like any other botnet, Dias de Pesadilla (DDP), aka the Nightmare Days Team, used Mariposa to make money. The botnet was being used to steal information such as credit card numbers, bank account details, user names and passwords to social-networking sites, and important files found on affected systems' hard drives, which cybercriminals may use in a number of ways. Experts also found that DDP stole money directly from banks using money mules in the United States and Canada.

Further digging into Mariposa's business model revealed that its administrators also offered underground services to potential clients. Some of these services included hacking servers to take control, encrypting bots to make them invisible to security applications, and creating anonymous VPN connections to administer bots. More than 200 binaries of the Mariposa botnet have been found in the wild. Among these, users should be most wary of information stealers that compromise not just banking information but also a user's identity.
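The ZeuS behaviour described under incident 2, inserting extra form elements into legitimate banking pages to ask for information such as a PIN, can be checked for from the defender's side when the genuine form's fields are known. The following Python script is an added example, not code from the report or from Trend Micro: it extracts the field names from every form in a received page and reports fields that are absent from a known-good baseline, then singles out the ones whose names suggest a request for a secret. The baseline and both HTML documents are constructed for the example.

```python
"""Baseline check for injected form fields on a login page.

Added example; not code from the Trend Micro report. The report describes
ZeuS inserting extra form elements into legitimate online banking pages to
ask for data the bank never requests, such as a PIN. If the genuine form's
field names are known, the page a customer actually received can be compared
against that baseline, and extra fields (above all ones asking for secrets)
indicate a web inject. The baseline and both HTML documents are constructed.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Records the name of every input/select/textarea inside each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of (form id, [field names in order])
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("id") or a.get("name") or "form", [])
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current[1].append(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html):
    """{form id: [field names]} for the given document."""
    parser = FormFieldCollector()
    parser.feed(html)
    return dict(parser.forms)


# Field-name fragments a bank login form never legitimately asks for.
SENSITIVE_HINTS = ("pin", "atm", "ssn", "cvv", "mother", "secret", "answer")


def detect_injected_fields(html, baseline):
    """Fields present in the received page but absent from the baseline, per form."""
    rendered = form_fields(html)
    findings = {}
    for form_id, expected in baseline.items():
        extra = [f for f in rendered.get(form_id, []) if f not in expected]
        if extra:
            findings[form_id] = extra
    return findings


def high_risk(findings):
    """Injected fields whose names suggest a request for a secret."""
    return sorted({f for extras in findings.values() for f in extras
                   if any(hint in f for hint in SENSITIVE_HINTS)})


# Constructed baseline: the genuine login form has exactly these fields.
BASELINE = {"login": ["userid", "password", "remember"]}

GENUINE_PAGE = (
    "<form id='login' method='post'>"
    "<input name='userid'><input type='password' name='password'>"
    "<input type='checkbox' name='remember'><input type='submit' value='Sign in'>"
    "</form>"
)
# Same page after a web inject added two fields between password and remember.
INJECTED_PAGE = (
    "<form id='login' method='post'>"
    "<input name='userid'><input type='password' name='password'>"
    "<input name='atm_pin'><input name='mothers_maiden_name'>"
    "<input type='checkbox' name='remember'><input type='submit' value='Sign in'>"
    "</form>"
)

if __name__ == "__main__":
    print("genuine :", detect_injected_fields(GENUINE_PAGE, BASELINE))
    found = detect_injected_fields(INJECTED_PAGE, BASELINE)
    print("injected:", found, "high risk:", high_risk(found))
```

In practice the comparison runs where the injected page is visible, in the browser (a script shipped with the genuine page, or a customer-side agent) or in a bank's own synthetic monitoring from infected test machines, because the web inject happens on the client after the server has sent a clean page; the server's own logs show nothing unusual.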
4 – Shanghai World Expo as Bait in Cyber Attack

At the end of March/beginning of April 2010, TrendLabs identified a new attack using a previously known Adobe exploit. In the attack, emailed messages, purportedly coming from the Bureau of Shanghai World Expo, asked recipients to open a file attached to the message and to update their submitted registration forms. There were indications that the attack was intentionally targeted toward Western journalists in Asia. It is unclear how the details of persons registered to attend the Expo were accessed by the criminals; however, it is worth noting that the World Expo website stated that it expected around 70 million attendees at the event this year[9].

The attachment within the spammed message was a .PDF file that took advantage of a known vulnerability (patched by Adobe in February 2010) in Adobe Acrobat and Reader (CVE-2010-0188). Once successfully exploited, the .PDF file dropped a backdoor program onto the affected system, which in turn enabled attackers to gain full control of a victim's machine. The method used to exploit this vulnerability, on this occasion, differed from that used previously. Trend Micro researchers identified that the .PDF files had an embedded malicious .TIFF file. This embedded .TIFF file, when processed by vulnerable Adobe products, triggered the vulnerability and the execution of arbitrary code. In this attack, system information such as the computer name, CPU information, OS version, and IP address of the affected system was stolen and sent to a remote server.

[8] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
[9] http://threatinfo.trendmicro.com/vinfo/web_attacks/Shanghai_Expo_Spam_Carries_Backdoor.html

5 – New, Shortened URLs in IM Spam Now Result in KOOBFACE Malware

Cybercriminals are very adept at employing new techniques in order to trick and infect more users.
In the middle of April this year, TrendLabs identified attacks of spam over IM, using shortened URL’s for their misdemeanor. The twist to this story is a relationship between spam over IM, BUZUS and KOOBFACE. Most users of instant messenger applications have on various occasions seen attempts to dupe them into clicking on spam received over IM or strange friend requests. It seems the cybercriminals may have also realized that their past techniques may be becoming less effective, and TrendLabs has just recently discovered that these criminals are now using shortened URLs to spam malware. URL-shortening services are normally used to compress long and unreadable URLs into short, bite-sized ones. These short URLs are more portable, and are now generally preferred over the (normally long) actual URLs when sharing news within networks, blogs, Tweets, and other social media tools. URL-shortening services can be used to hide malicious links from view, thereby tricking users into clicking suspicious links. KOOBFACE is a notorious botnet that originally targeted innocent Facebook users. Since then, it has gone on to target other social networks, and so it is not surprising that the criminals behind the threat are looking to new avenues through which to extend their network of compromised machines. KOOBFACE causes so much consternation that TrendLabs has published 3 separate research reports on the subject10. A few of the methods they use are listed below: • • • • Stealing from users directly by convincing them to download, install, and then pay for fake software. Infecting users through malicious links placed in search results – poisoned search results are otherwise known as Black Hat SEO. Delivering a payload of malicious routines or installers that leave additional malware on the infected system. Using social engineering sites such as Twitter, to trick users Unlike most threats, FAKEAV software displays a visual element to the targeted user. 
This comes in the form of fake user interfaces that universally claim that the system has been infected. Interestingly, FAKEAV has also become localized, with the same “tool” being found in multiple languages, as can be seen in the following screenshot: 6 – FAKEAV, the standard revenue generator11 Throughout the first six months of 2010, FAKEAV (or Rogue Antivirus) continued to be used by cybercriminals as a key revenue generator. Programs designed to look professional, even to the point of offering telephone support services, have been maliciously pushed to innocent users under the pretence of infection and vulnerability. FAKEAV leverages social engineering to capture users’ attention and make threats believable. Cybercriminals use multiple vectors to deliver their threats. 10 http://us.trendmicro.com/us/trendwatch/research-and-analysis/whitepapers-andarticles/index.html http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ threatbrief_final.pdf 11 14 Vulnerabilities The scale of this threat has been documented independently. A paper presented at the Ninth Workshop on the Economics of Information Security delved into the online adult industry, but also profiled whether users were running browsers that contained vulnerable plug-ins. Their study12 concluded that a staggering 88.28 percent of users were vulnerable, a sobering number by any reckoning. With these threats in mind, the following looks at key vulnerability statistics related to the first half of 2010. The Trend Micro Threat Encyclopedia14 includes a Security Advisory section in which details of all covered vulnerabilities can be found. Vulnerability Statistics Publicly-known vulnerabilities are commonly referenced by the Common Vulnerabilities and Exposures (CVE) system, which assigns a unique identifier to each vulnerability. In the first half of 2010, a total of 2,552 CVEs were published. 
This number is slightly below the corresponding number for the first half of 2009, when a total of 3,086 CVEs were published. However, it should be noted that this does not mean that the vulnerability threat is lessening. Not all vulnerabilities receive a CVE; many vulnerabilities that are privately reported to vendors are not included in the system.

[Chart: CVEs published, first half of 2009 (3,086) versus first half of 2010 (2,552)]

Trend Micro receives information about vulnerabilities both publicly and privately. Private vulnerability information is received from vendors (such as Microsoft), from third-party groups such as TippingPoint’s Zero Day Initiative[12], and from the cybercriminal underground.

Vulnerabilities in applications have always been a part of the security landscape, but recent developments towards the Web have made them even more significant. For end users, vulnerabilities have facilitated “drive-by” threats, where all that is necessary to become infected by malware is to visit a website. The website need not be malicious; it may be compromised (via malicious advertisements, or the addition of iframes or JavaScript code). This poses a large problem that is not easy to mitigate.

In addition, servers are coming under increasing fire as well. Assuming well-established server management procedures are in place, vulnerabilities become the best means of trying to execute malware on servers. While this may be more difficult than compromising a single user system, the potential reward is correspondingly greater.

By vendor, Apple had the most CVEs issued in the first half of the year:

[Chart: CVEs by vendor, first half of 2010 – vendors charted include Apple, Microsoft, Oracle, Adobe, Cisco, Sun, IBM, Mozilla, Linux, Novell, HP, Apache, PHP, FreeBSD and Redhat]

While some vendors receive a significant amount of press attention for vulnerabilities, this chart serves as a reminder that the vulnerability threat is far more multipronged than just patching Windows or updating Flash and Acrobat/Reader.
In addition, some of the vendors with large numbers of vulnerabilities focus on enterprise software, with correspondingly longer patch cycles that potentially leave users at risk.

The presentation of vulnerability information to the general public also leaves much to be desired. While some vendors present vulnerability information publicly in well-organized bulletins, others do so in a more ad hoc manner or hide the information behind paywalls on their websites. This makes proper threat assessment on the part of users, both enterprise and consumer, much more difficult.

The overall scale of the threat posed by vulnerabilities and exploits is clearly visible when looking at the number of TROJ_PIDIEF malware seen by Trend Micro in the first half of the year. The PIDIEF malware family is made up of malware that arrives as PDF files which exploit vulnerabilities in the Acrobat family of products. In the first half of the year, a total of 666 new detection names were added to Trend Micro products. Each detection name represents multiple in-the-wild variants, resulting in a total number of new PDF threats numbering into the thousands – in only six months.

[12] http://www.zerodayinitiative.com/
[13] http://weis2010.econinfosec.org/papers/session2/weis2010_wondracek.pdf
[14] http://threatinfo.trendmicro.com/vinfo/default.asp?page=1&sect=SA

Trend Micro Technology and Protection

Smart Protection Network

The Trend Micro™ Smart Protection Network™ infrastructure delivers advanced protection from the cloud, blocking threats in real time before they reach you. By continuously processing the threat intelligence gathered through its extensive global network of honeypots, customers and partners, Trend Micro delivers automatic protection against the latest threats and provides “better together” security, much like an automated neighborhood watch that involves the community in the protection of others.
Because the threat information gathered is based on the reputation of the communication source, not on the content of the specific communication, the privacy of a customer’s personal or business information is always protected. Trend Micro Smart Protection Network uses patent-pending “in-the-cloud correlation technology” with behaviour analysis to correlate combinations of web, email and file threat activities to determine whether they are malicious. By correlating the different components of a threat and continuously updating its threat databases, Trend Micro has the distinct advantage of being able to respond in real time, providing immediate and automatic protection from email, file and Web threats.

Another key component of the Trend Micro Smart Protection Network is integrated Smart Feedback, which provides continuous communication between Trend Micro products as well as the company’s 24/7 threat research centers and technologies in a two-way update stream. Each new threat identified via a single customer’s routine reputation check, for example, automatically updates all of Trend Micro’s threat databases around the world, blocking any subsequent customer encounters with that threat. Further information and benchmarks for Trend Micro Smart Protection Network can be found in the Core Technologies area of TrendWatch[15].

Solutions and Services

Trend Micro™ Enterprise Security

Trend Micro Enterprise Security is a tightly integrated offering of content security products, services, and solutions that take full advantage of the Trend Micro Smart Protection Network™. Optimized to deliver immediate protection, Trend Micro Enterprise Security also dramatically reduces the cost and complexity of security management.
For further information about Trend Micro Enterprise Security, visit the Enterprise section of trendmicro.com[16].

Trend Micro SecureCloud™

Now available as a Beta release for early adopters of cloud computing[17], Trend Micro SecureCloud is a hosted key-management and data-encryption solution designed to protect and control confidential information that you deploy into public and private cloud-computing environments.

Trend Micro Worry-Free Business Security

Designed specifically to fit the needs of small businesses, Worry-Free Business Security protects your computers wherever they’re connected—in the office, at home or on the road. Powered by the Trend Micro Smart Protection Network, threats are detected faster to keep your data safe and your protection constantly updated. Further details and the benefits of Trend Micro Worry-Free Business Security can be found in the Small Business section of trendmicro.com[18].

Trend Micro Titanium

Combining easy-to-use security with cloud-client technologies, Trend Micro Titanium blocks threats such as infected websites, phishing attacks, viruses and spyware before they can reach a user’s computer. State-of-the-art protection for users’ data is delivered while ensuring that computer performance is not impacted. Details of the Trend Micro Titanium product line can be found at www.trendmicro.com/titanium.

[15] http://us.trendmicro.com/us/trendwatch/core-technologies/index.html
[16] http://us.trendmicro.com/us/home/enterprise/
[17] http://trendmicro.mediaroom.com/index.php?s=43&news_item=830&type=current&year=0
[18] http://us.trendmicro.com/us/home/small-business/

Advice for Businesses

Advice for Businesses Adopting Cloud Strategies

In March 2010 the Cloud Security Alliance (CSA) published “Top Threats to Cloud Computing V 1.0”[19] to help organizations better understand the risks of cloud computing and to consequently make more informed risk management decisions when adopting cloud strategies.
Use effective solutions to protect your business.

• To protect your company network, deploy solutions that use cloud-based protection. Technology such as the Trend Micro Smart Protection Network combines Internet-based (“in-the-cloud”) technologies with lighter-weight clients to help businesses close the infection window and respond in real time before threats can even reach a user’s PC or compromise an entire network. By checking URLs, emails, and files against continuously updated and correlated threat databases in the cloud, customers always have immediate access to the latest protection wherever they connect.

With the right approach and security solutions the public cloud can be just as secure as a typical traditional corporate data centre. We recommend that organizations provide their own layers of security in addition to that which is afforded by cloud providers.

1. Encrypt all sensitive data – the information that is exclusive to, and owned by, your organization. The operating system and applications are less important here – typically in the cloud they are standard images that are simply recycled back to a master image on shutdown. It’s the information proprietary to you, or that you have collected from customers and business partners, which you generally have a legal obligation to protect.
2. Ensure that your Firewall, IPS, and IDS protect each of your virtual machines separately. Particularly in a Public Cloud environment, the other virtual machines running on the same physical hardware as you should be considered hostile. The firewall at the cloud provider’s perimeter can’t help you here.
3. Only decrypt your data within the secure container you’ve established for your virtual machine. Be sure you check for tampering and data-stealing malware before decrypting your data.
4. Make sure that you are in control of the encryption keys – it’s your data!

• Phishing poses a significant threat for organizations.
Phishing sites can compromise your brand and/or your company’s image as well as your ability to keep your customers’ confidence while conducting business over the Internet. Protect your employees and customers by procuring all brand-related and look-alike domain names.
• Stay ahead of the threats by reading security-related blogs and related information pages (e.g., the Threat Encyclopedia[21], Cloud Security Blog[22], TrendLabs Malware Blog[23] and social networks such as Twitter[24]), which can help warn and educate users who might otherwise be drawn to web sites under false pretenses.
• Educate your employees about how cybercriminals lure victims into their schemes; make use of threat information provided on security vendor sites like TrendWatch.
• Try downloading tools such as the Trend Micro Threat Widget to help raise awareness.

Trend Micro offers two products – Deep Security™ and SecureCloud™ – which when layered together can achieve the four recommendations above and counter the threats identified. Deep Security is available and already in widespread use, and SecureCloud entered public beta over the summer following successful pilot trials[20].

[19] http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
[20] http://trendmicro.mediaroom.com/index.php?s=43&news_item=830&type=current&year=0
[21] http://threatinfo.trendmicro.com/vinfo/default.asp?sect=SA
[22] http://cloudsecurity.trendmicro.com/
[23] http://blog.trendmicro.com
[24] http://twitter.com/trendmicro

Safeguard your customers’ interests.

• Standardize company communications and let your customers know about your email and website policies. This way, you can help your customers better identify legitimate messages.
• Avoid sending “phishy”-looking email messages by following these guidelines:
  • Do not request personal information through email.
  • Personalize email when possible.
  • Do not redirect to another domain from the URL provided to customers.
  • Do not rely on pop-up windows for data collection, especially those with no address bars or navigational elements.
  • Do not use instant messaging or chat with customers unless they initiate the communication.
  • Be explicit in the detail of communications that require the immediate action or attention of recipients.

Establish and implement effective IT usage guidelines.

• Just as you would never leave your front door unlocked when you are not home, you must take the same precautions with your computer system to make sure your business is protected. Protecting your business requires you to educate yourself and your employees about safe cybersecurity practices. A comprehensive set of IT usage guidelines should focus on the following:
  • Prevention. Identify solutions, policies, and procedures to reduce the risk of attacks.
  • Resolution. In the event of a computer security breach, you should have plans and procedures in place to determine what resources you will use to remedy a threat.
  • Restitution. Be prepared to address the repercussions of a security threat with your employees and customers to ensure that any loss of trust or business is minimal and short-lived.

Top Tips for End Users

Keep your personal computer current with the latest software updates and patches.

• Apply the latest security updates and patches to your software programs and OSs and enable automatic updates where possible. Since cybercriminals typically take advantage of flaws in software to plant malware on your PC, keeping your software current will minimize your exposure to vulnerabilities.

Protect yourself and your personal computer.

• If you receive an email requesting personal or confidential information, do not respond or provide this information via links or phone numbers in the email. Legitimate organizations such as credit card companies and banks will never request this information via email.
• Beware of unexpected or strange-looking emails and instant messages (IMs) regardless of sender.
Never open attachments or click links in these emails and IMs. If you trust the sender, scan the attachments before opening them. Never provide personal information in your email or IM responses.
• Do not provide personal information in response to unsolicited requests for information.
• If it sounds too good to be true, it probably is. If you suspect an email is spam, delete it immediately. Reject all IMs from people whom you do not know.
• When shopping, banking, or making other transactions online, make sure the website address contains an s as in https://www.bank.com. You should also see a lock icon in the lower right area of your Web browser.

Choose secure passwords.

• Use a combination of letters, numbers, and symbols and avoid using your first and last names as your login name.
• Avoid using the same password for all your login needs. Do not use the same password for your banking site that you use for your social networking sites.
• Change your password every few months.
• Regularly check your bank, credit, and debit card statements to ensure that all transactions are legitimate.
• Beware of Web pages requiring software installation. Scan programs before executing them. Always read the end-user license agreement (EULA) and cancel if you notice other programs being downloaded in conjunction with the desired program.

About TrendLabs

TrendLabs is a multinational research, development, and support center with an extensive regional presence committed to 24/7 threat surveillance, attack prevention, and timely and seamless solutions delivery.
With a more than 1,000-strong staff of threat experts and support engineers deployed round-the-clock at labs around the globe, TrendLabs enables Trend Micro to:

• Continuously monitor the threat landscape across the globe
• Deliver real-time data to detect, preempt, and eliminate threats
• Research and analyze technologies to combat new threats
• Respond in real time to targeted threats
• Help customers worldwide minimize damages, reduce costs, and ensure business continuity

TrendLabs has facilities in the following 12 locations:

• Manila, Philippines (HQ)
• Arlington, TX, USA
• Cupertino, CA, USA
• Lake Forest, CA, USA
• Shanghai, China
• Sao Paulo, Brazil
• Cork, Ireland
• Paris, France
• Tokyo, Japan
• Taipei, Taiwan
• Marlow, United Kingdom
• Munich, Germany

Note that these facilities can perform all or part of critical Trend Micro services such as technical support, malware analysis and solutions delivery.

[Map: TrendLabs Locations]

About Trend Micro

Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing integrated threat management technology to protect operational continuity, personal information, and property from malware, spam, data leaks and the newest Web threats. Visit TrendWatch at www.trendmicro.com/go/trendwatch to learn more about the latest threats. Trend Micro’s flexible solutions, available in multiple form factors, are supported 24/7 by threat intelligence experts around the globe. Many of these solutions are powered by the Trend Micro™ Smart Protection Network™ infrastructure, a next-generation cloud-client innovation that combines sophisticated cloud-based reputation technology, feedback loops, and the expertise of TrendLabs(SM) researchers to deliver real-time protection from emerging threats.
A transnational company with headquarters in Tokyo, Trend Micro sells its trusted security solutions through its business partners worldwide. Please visit www.trendmicro.com.