[Please view this presentation with notes] In 2012, we saw attackers extend their reach to new platforms like cloud services and mobile devices, adopt malware toolkits to build smarter attacks and target badly-configured websites to expose passwords and deliver malware. What does 2013 hold? Get the full report here: www.sophos.com/threatreport
16. Stay ahead of the curve
nakedsecurity.sophos.com
@NakedSecurity
@Sophos_News
www.facebook.com/SophosSecurity
Sophos North America
1-866-866-2802
nasales@sophos.com
UK & Worldwide
+44(0)8447 671131
sales@sophos.com
Our more attentive viewers will be scratching their heads at this point. The title says Java but the image is clearly an installer for Adobe Flash Player. However, as with all things in security, it’s not that simple. One story this year pulled together so many of the common security topics that we just have to discuss it: vulnerabilities, patching and of course non-Windows platforms. That story was the Flashback botnet, a network of around 600,000 OS X computers that were infected due to an unpatched version of Java. During the infection the malware claimed to be an update for Adobe Flash Player, just to add to the buzzword confusion. There are several good lessons in the story:

Firstly – ignoring security patches because you think you’re not a target is just a bad idea. Apple, who were at the time responsible for updating Java on OS X, failed to distribute a security patch for 6 weeks after Windows users were updated. This gave the bad guys a nice opportunity to make the best use of a known vulnerability, which they duly did.

Secondly – adding steps in the update chain causes delays and leaves users exposed. Although Oracle have taken Java updating on OS X back from Apple to close this hole, we do see the same problem in other areas, most notably in the mobile space, where security patches to Android have to pass through Google, the handset vendor and the mobile network before they get to the end user. We’ll see later that Android can’t afford to lag with security patches either.

Thirdly – one of the big lessons to learn from this, particularly with respect to Java, is that if you don’t need to have something installed then don’t have it. Java plugins have been a rich target for attackers on both Windows and OS X in the last year, and many users are opening themselves up to attack when they don’t even need Java.

May seem an odd place to start but a discussion of vulns here (not just Java?) will lead nicely into Blackhole
Blackhole is the most commonly seen exploit kit.

Describe kit activity + business model. Overview of v1.

For the astronomy geeks, that’s an artist’s impression of GRO J1655-40, a binary system of a black hole and star.
OK, this is in Russian but there are some interesting points in the release announcement for BHv2.

“Are pleased to welcome you to a brand new version of the bundle of exploits. For more than 2 years of existence of our project, the old engine arrival and ligaments badly worn, AV companies have become very quick to recognize that this kind of criteria BlackHole and flag it as malware.”

Further down in the announcement are several interesting claims, some of which are summarised below:

“prevent direct download of executable payloads
only load exploit contents when client is considered vulnerable
drop use of PluginDetect library (performance justification)
remove some old exploits (leaving Java atomic & byte, PDF LibTIFF, MDAC)
change from predictable url structure (filenames and querystring parameter names)”

Our own observations of the BH v2 kit have shown that the authors have indeed restricted the exploits they are using to Java vulnerabilities, PDF vulnerabilities and an old IE6 exploit, which we can only assume their telemetry tells them is still useful. The query strings they are using to call home to their download servers are much more randomised than before, in an attempt to confuse IDS filters.

And they announced the new pricing too:

“Rent on our server:
-Day rental - $ 50 (limit traffic 50k hits)
-Week rental - $ 200 (limit traffic 70k hits a day)
-Month rental - $ 500 (limit traffic 70k hits a day)
if needed, traffic limit can be raised for the additional fee
The license for your server:
-License for 3 months $ 700
-The license for six months $ 1,000
License for 1 year $ 1500
multidomain bundle version - $ 200 one-time fee for the duration of the license (not binding to the domain and the ip)
change of the domain on the standard bundle version - $ 20
change ip for multidomain bundle version - $ 50
a one-time cleaning - $ 50
auto-updates for a month - $ 300 (auto-update, as soon as your cryptor is identified)”
So what is BHv2 actually delivering? Research done in August and September shows a variety of payloads being delivered by the kit. Notable in this is the rise of ransomware, now a more common payload than FakeAV.
The payload statistics from Blackhole clearly illustrate another of the threat trends we saw in 2012: the rise of ransomware.

Ransomware has in fact been around for many years in one form or another. The business model is pretty simple. As the name suggests, the malware holds your data for ransom, releasing it only when you pay the bad guys. There are several ways this can be done. The simplest is to lock the user out of their PC until the ransom is paid; this was a common technique in Russian ransomware a few years ago. When trying to log in to their PCs the victims would instead see a message telling them to send a code by text message to a premium rate number. In return they would receive a password to unlock their PC, and the criminals would collect the proceeds from the premium rate SMS number. This had some obvious drawbacks, notably the need to set up premium rate SMS numbers in any country that the criminals wanted to target.

The more modern versions of ransomware use a variety of messages to target the victim and tend to use anonymous online payment services for their ransom payments. In some cases the message purports to come from a local law enforcement agency, tailored to the victim’s location of course (FBI in the US, Scotland Yard in the UK), fining them for possession of illegal material. In others the user’s personal files are encrypted and a simple ransom demand is issued.

As with many other types of threat, ransomware has evolved technically as security companies have adapted to counter it. Initially comparatively simple encryption was used to prevent users accessing their files: enough to keep the average user out, but not so secure that it couldn’t be broken. Several security companies produced tools that could reverse the encryption and release the files. In response the malware authors moved to a public-key encryption scheme that cannot be easily broken, leaving the victims to rely on backups to restore their data.
The authors must convince the victim that the threat is genuine, and therefore to pay the ransom, while also making the threat technically sophisticated enough that the victim cannot simply download a free tool to fix their problem. Of course some criminals solve this by removing the social engineering element entirely: they just encrypt the files and demand a ransom.
Of course ransomware isn’t the only threat using technology in an attempt to defeat security software. Blackhole itself and many other threats extensively use polymorphism to hide their code. Like ransomware this isn’t a brand new technique, but we are now seeing it in ever-increasing numbers, especially in web-based attacks.

We can see here the result of research done by SophosLabs studying around 7 million attacks over a 3 month period. It shows how many attacks are launched by each individual version of a threat. Three quarters of binaries are unique to the victim of that particular attack, and as we can see the numbers drop away rapidly for 2, 3 or more victim organizations. What this means in practice is that if you encounter malware there’s a 75% chance that no-one else anywhere has seen that exact piece of malware before. In effect a unique attack has been generated just for you. The actual effects of the attack will be exactly the same as those that everyone else sees, but the form it takes will be slightly different. This is all done to avoid detection by security software.
So what is polymorphism and how does it work? Well, here we have three code snippets from a Blackhole attack. Specifically these are extracted from a malicious PDF that Blackhole generates to attack an Adobe Reader vulnerability. You’ll notice that they are very similar, except for the highlighted digits, which are changed in each version. This is of course a very simple version of polymorphism and is easily defeated by a security scanner, but even with this simple trick Blackhole can generate a mind-bogglingly huge number of versions of the PDF (specifically that absurdly long number filling the rest of the slide).

<discuss polymorphism, history thereof, advantages of server side, esp for attacks against mobile – asymmetrical resources>
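As an added example (not code from the presentation or from SophosLabs), the Python below shows why this digit-swapping defeats an exact-match hash list but not a normalising signature: the three snippets are constructed stand-ins for the slide’s Blackhole PDF fragments, and the variant-space bound assumes each varying literal is an independent random two-digit number.

```python
import hashlib
import re

# Constructed stand-ins (not the slide's real fragments) for the three
# near-identical JavaScript snippets Blackhole embeds in its PDF: the code is
# the same in each, only the numeric literals are rewritten per victim.
VARIANTS = [
    "var sz=unescape('%u4141');var n=sz.length;for(var i=0;i<31;i++){n+=7;}",
    "var sz=unescape('%u4141');var n=sz.length;for(var i=0;i<98;i++){n+=4;}",
    "var sz=unescape('%u4141');var n=sz.length;for(var i=0;i<12;i++){n+=9;}",
]

# Standalone decimal numbers only; digits inside identifiers or %u escapes stay.
NUMERIC_LITERAL = re.compile(r"\b\d+\b")


def exact_hash(snippet: str) -> str:
    """Byte-exact SHA-256, i.e. what a plain known-bad hash list keys on."""
    return hashlib.sha256(snippet.encode()).hexdigest()


def normalised_hash(snippet: str) -> str:
    """SHA-256 after collapsing every standalone number to '#', so samples that
    differ only in those digits share one signature."""
    return hashlib.sha256(NUMERIC_LITERAL.sub("#", snippet).encode()).hexdigest()


def count_signatures(snippets, hasher) -> int:
    """How many distinct signatures a given hashing strategy yields."""
    return len({hasher(s) for s in snippets})


def mutable_fields(snippets) -> list:
    """Indexes (in order of appearance) of the numeric literals that differ
    between samples: these are the fields the kit randomises."""
    per_sample = [NUMERIC_LITERAL.findall(s) for s in snippets]
    width = min(len(t) for t in per_sample)
    return [i for i in range(width) if len({t[i] for t in per_sample}) > 1]


def variant_space(snippets, digits_per_field: int = 2) -> int:
    """Illustrative upper bound on how many versions the kit can emit if each
    varying literal is an independent random number of digits_per_field digits
    (our assumption; the slide's actual figure is not reproduced here)."""
    return (10 ** digits_per_field) ** len(mutable_fields(snippets))


if __name__ == "__main__":
    print("exact signatures:     ", count_signatures(VARIANTS, exact_hash))
    print("normalised signatures:", count_signatures(VARIANTS, normalised_hash))
    print("fields randomised:    ", mutable_fields(VARIANTS))
    print("variant space bound:  ", variant_space(VARIANTS))
```

The same normalisation idea generalises to other per-victim fields (random variable names, string padding) once you know which tokens the kit rewrites.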
To find out just how at-risk mobile devices are, we looked at the feedback data from our security software in the field. SophosLabs measured the Threat Exposure Rate over a three month period. Effectively this is the percentage chance that your device will encounter a malicious threat during the three month period. As you can see, in most regions the threat to PCs (both desktop and laptop) is far greater than that to mobile devices, but in some countries like the United States, Australia and Germany the risk to mobile devices has actually drawn level and in some cases surpassed the risk to traditional PCs. These are, of course, richer countries with higher percentages of smartphone use, making them more lucrative targets for attackers. But what are these attacks?...

<discuss various mobile attacks>
For the latest news on malware, exploit kits, botnets and many other security topics stay up to date with the Naked Security blog or follow our security experts on Twitter and Facebook.