
2011 Summary

PandaLabs Annual Report

01 Introduction

02 2011 at a glance
   Social networks, Cyber-crime, Cyber-war, Mac, Mobile malware, Cyber-activism

03 Malware figures in 2011

04 2012 Security Trends

05 Conclusion

06 About PandaLabs

01 | Introduction

Here you will find a summary of the most notable figures regarding malware creation and infections in 2011, a year that has set a new record for malware with 26 million new strains in circulation.

We also cover social networks, where Facebook is still king both in terms of users and the number of attacks suffered, and we take a look at the cell phone and tablet sector, where Android has become the number one target for cyber-crooks.

2011 has undoubtedly been the year of cyber-security awareness, with the headlines frequently featuring reports of serious cyber-attacks. We have seen the largest data breach to date, as Sony's PlayStation Network was hacked, affecting millions of users. In all, Sony suffered over a dozen attacks, with theft of over 100 million user details. Similarly, Steam, Valve's online gaming platform, was hit by attackers who stole personal information belonging to more than 35 million customers.

Cyber-war has also been one of the top stories of the year. There have been cases all over the world and numerous nations have been affected. This kind of attack not only affects governments, but also government contractors like weapons manufacturers.

This report recaps the major computer security events that occurred in 2011, and forecasts future trends for 2012.

02 | 2011 at a glance

Social networks play a vital role in the life of Internet users, with Facebook and Twitter as the world's biggest social media sites. This year we have seen the launch of a new social networking service in a bid to rival Facebook: Google+.

Social networks

GOOGLE+.

Despite its rapid growth, with more than 25 million users registered in just a few weeks, Google+ is still far away from its direct competitor, Facebook, which makes it less of a target for cyber-crooks. However, we have seen a curious attack: right after its launch, as invitations were not open to everyone and there was huge expectation and interest in getting one, Google+ became the subject of a scam… on Facebook. Fraudsters created a Facebook page titled "Get Google Plus Invitation FREE" where users just had to click the 'Like' button to get an invitation. Obviously, you also had to provide your email address to receive the invitation which, unfortunately, never came.

FIG. 01. MARK ZUCKERBERG'S FACEBOOK PAGE HACKED.

Finally, if there is one thing that social networks prove, it is that users are very much capable of making the same mistakes over and over again. Malware campaigns fooling Facebook users into believing they will discover who is secretly viewing their profiles are still hugely successful, and infect thousands of computer users around the world.

These scams are actually quite frequent on Facebook, cyber-crooks' favorite platform for launching social engineering attacks by exploiting real or fake news stories.

For example, a few hours after Steve Jobs's death, scammers had created a Facebook page called R.I.P Steve Jobs, attracting thousands of users. The page gained five new fans every second and amassed more than 90,000 fans in just a few hours. It contained a malicious URL and a text claiming that 50 free iPads were being given away 'in memory of Steve Jobs'. Obviously, this was nothing but a scam, and once the user clicked the URL (which ended with "restinpeace-steve-jobs"), they were taken to a website offering prizes like iPads, Sony Bravia TVs, etc. However, in return users had to submit their personal details: name, telephone number, email address, etc.


TWITTER

2011 has seen a reduction in the number of attacks on Twitter, the short-message social network, and although there continue to be attacks based on exploiting Twitter's 'Trending Topics', they are decreasing, probably due to better filtering by Twitter's own team. In any event, it continues to be exploited as a platform to send out spam and hack accounts, as shown in the following examples: on July 4, Fox News's Twitter account was hacked and started to post a series of alarming tweets reporting that U.S. President Barack Obama had been assassinated. In addition, the Twitter account of PayPal UK was hacked and used to criticize its poor security in offensive language.

However, other attacks had far more serious consequences. A group of attackers hacked the Twitter account of a financial institution and started sending Direct Messages (DMs) to its followers instructing them to click on a link because of a supposed security problem in their accounts. This link took users to a phishing page that imitated that of the bank and requested data that could then be used by the attackers to impersonate the victims and steal their money.

FACEBOOK

When talking about Facebook attacks, most of us tend to think that cyber-criminals use the platform to spread their malware, but that is not usually the case. As we have said on many occasions, users give away too much information on their social networking profiles, which jeopardizes privacy and facilitates hacking of email and even Facebook accounts themselves.

George S. Bronk was arrested in California for carrying out this type of illegal activity. Using information available on Facebook, he managed to gain access to victims' email accounts. Having hijacked the account, he would search for personal information he could then use to blackmail the victim.

It would seem that anyone could become a victim of these types of attacks, as even Mark Zuckerberg, creator of Facebook, had his Facebook fan page hacked, displaying a message that started "Let the hacking begin".


Cyber-crime

Cyber-criminals' goal is to steal information they can turn into cash. This explains why banking Trojans, targeting financial institutions and their customers, are their weapon of choice, although there are also other types of attacks. In January, the Pentagon Federal Credit Union reported that cyber-criminals had used an infected PC to access one of their databases containing confidential customer information. The stolen information included each individual's name, address, social security number and either bank account information or credit/debit card information.

Another frequent strategy is the use of ATMs equipped with duplicate card readers (skimmers). In January, two men, aged 32 and 31, were sentenced to 7 and 5 years in prison respectively for this type of scam. These two men were suspected to be members of a gang of Russian and American criminals operating all over the U.S.

But it is not only the banking sector that is at risk. After a theft in the Czech Republic and attempted hacking in Austria, the European Commission was forced to suspend trading in CO2 emission credits. Of course, as usual, the cyber-criminals were seeking to profit from the attack. There was a similar attack some months ago, when a hacker stole 1.6 million carbon trading credits from the Holcim cement company in Romania. At 15 euros each, that represented losses of some €24 million. These types of attacks, in addition to the financial loss, undermine the entire system.

This diversification is present in other areas as well. This year saw the appearance of a number of variants of the infamous ZeuS banking Trojan aimed at online payment platforms like Webmoney or MoneyBookers.

One of these attacks hit the UK Government, which admitted to having suffered a targeted attack with a ZeuS variant designed to steal not only bank account credentials but also all kinds of personal information.

RSA, the security division of EMC Corporation, announced in mid-March that they had suffered a breach of their network systems that had exposed proprietary information about their two-factor hardware-based authentication system "SecurID".

FIG. 02. FACEBOOK PAGE EXPLOITING STEVE JOBS'S DEATH.

FIG. 03. RSA WAS ATTACKED IN MARCH.


In May, Lockheed Martin, the largest provider of IT services to the U.S. government and military, suffered a network intrusion stemming from the data stolen from RSA. It seems that the cyber-thieves obtained information that undermined the security of the one-time codes generated by RSA's tokens, and the company had to replace the SecurID tokens of more than 40 million customers around the world, including some of the world's biggest companies. Some months later, RSA stated that they were convinced the hackers had been funded by a foreign government and, in October, security journalist Brian Krebs published a list of 760 other victims hit by the same attackers.

In June, the International Monetary Fund said it had been targeted by a sophisticated cyber-attack for months, even though the organization made no public statement about the motivation behind it. The nature of the information stored by the institution would seem to indicate that this was a targeted attack; however, we cannot rule out the possibility that it was just a common case of cyber-crime.

The website of the European Space Agency was also hacked into and a lot of information was stolen and made public. This data included usernames, FTP accounts and even FTP login details stored… in plain text files!

Also in May, Citigroup revealed that information for more than 360,000 U.S. credit card accounts had been compromised by a website hack. The worst thing about this attack is the fact that the data thieves did not even have to hack a server: once logged in, they were able to leapfrog between the accounts of different customers simply by changing the numbers in a string of text located in the browser's address bar.
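The Citigroup incident is a textbook insecure direct object reference (IDOR): the server authenticated the customer but then trusted an account number taken straight from the URL. The following is an added example, not Citigroup's code (which was never published); the account table, the `acct` parameter, the session model and the `leapfrog` helper are assumptions. The vulnerable handler is shown beside the hardened one, and `leapfrog` walks sequential account numbers the way the attackers did.

```python
"""Insecure direct object reference (IDOR): the bug class behind editing a
number in the address bar to read another customer's account.

Added illustration, not Citigroup's code. ACCOUNTS, Session and the ``acct``
query parameter are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data standing in for a bank's account table.
ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "alice", "card_last4": "4242", "balance": 1520.00},
    1002: {"owner": "bob",   "card_last4": "1881", "balance":  310.50},
    1003: {"owner": "carol", "card_last4": "9003", "balance": 9000.00},
}


@dataclass
class Session:
    """Who the server has already authenticated for this request."""
    user: str


class Forbidden(Exception):
    pass


def account_vulnerable(session: Session, query: Dict[str, str]) -> Optional[dict]:
    """VULNERABLE: authenticates the caller but never authorizes the object.

    The account number comes from the URL and is used as-is, so any logged-in
    customer can read any other customer's record by editing that number.
    """
    acct = int(query["acct"])
    return ACCOUNTS.get(acct)


def account_hardened(session: Session, query: Dict[str, str]) -> dict:
    """HARDENED: the reference still comes from the URL, but ownership is
    checked against the authenticated identity before anything is returned.

    "Does not exist" and "not yours" get the same response, so the endpoint
    cannot be used as an oracle to enumerate valid account numbers either.
    """
    try:
        acct = int(query["acct"])
    except (KeyError, ValueError):
        raise Forbidden("missing or malformed account id")
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session.user:
        raise Forbidden("not found or not authorized")
    return record


def leapfrog(handler: Callable, session: Session, start: int, count: int) -> List[Tuple[int, str, str]]:
    """What the attackers did: walk sequential account numbers through the
    handler and keep every record that comes back."""
    stolen = []
    for acct in range(start, start + count):
        try:
            rec = handler(session, {"acct": str(acct)})
        except Forbidden:
            continue
        if rec is not None:
            stolen.append((acct, rec["owner"], rec["card_last4"]))
    return stolen


if __name__ == "__main__":
    bob = Session(user="bob")
    print("vulnerable:", leapfrog(account_vulnerable, bob, 1000, 5))
    print("hardened:  ", leapfrog(account_hardened, bob, 1000, 5))
```

The fix is not input validation (the number is perfectly well-formed) but an authorization check tied to the session on every object lookup; a per-request audit log of failed lookups would also have made the sequential walk visible.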

Japanese video game company Sega also fell victim to a cyber-attack. The company confirmed that information belonging to 1.3 million customers was stolen from its database. Names, birth dates, email addresses and even encrypted passwords for the Sega Pass online network were taken. The fact that the passwords were encrypted should minimize the impact of the hacking incident, but only if strong encryption was used, which is not always the case.

Perhaps the most infamous attack that occurred this year was the one suffered by Sony. Everything started with the theft of data from their PlayStation Network (PSN), affecting 77 million users worldwide. Not only was this the biggest data theft ever, but the situation was also particularly badly handled by the company. They hid the problem for days, and when they finally made it public they simply said that there was evidence that some user data could have been compromised, even though they knew perfectly well that the situation was far more serious than that.

To make things worse, the stolen data was especially sensitive, including users' names, billing addresses, email addresses, PSN IDs, passwords (apparently unencrypted), birth dates, purchase history, credit card numbers (from approximately 10% of users), credit card expiration dates, etc. If this was not sufficient, Sony Online Entertainment was subject to another attack a few days later, a data theft that affected another 24 million users.

FIG. 04. DATA FROM 100 MILLION USERS WAS STOLEN IN 2 ATTACKS SUFFERED BY SONY.

In July, Rogelio Hackett, 25, was sentenced to 10 years in prison and a $100,000 fine for stealing 675,000 credit card numbers and related information. The fact that there are tough sentences being handed out is very important as it sends out a strong dissuasive message to criminals: impunity is not an option.

Cyber-crooks continue to use social engineering techniques to deceive users and steal their data, taking advantage of headline-grabbing events such as the untimely deaths of singer Amy Winehouse or Steve Jobs.

In November, hackers broke into a database with customer information at Steam, the online platform of video gaming firm Valve, stealing information from over 35 million users, including credit card numbers and passwords. Fortunately, this information was encrypted, so the chances of thieves accessing the actual details are slim.
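Sony's passwords were apparently stored unencrypted, while Sega's and Steam's were "encrypted", which in 2011 often meant a single fast unsalted hash. The example below, added here and not code from any of those companies, contrasts three storage schemes against the same small leaked dump and shows why only the salted, deliberately slow, per-user scheme leaves the thieves with real work to do. The user records and the wordlist are constructed; the iteration count and the storage string format are this example's own choices.

```python
"""Three ways to store the same passwords, and what each costs an attacker who
steals the table.

Added example, not code from Sony, Sega or Valve. USERS and WORDLIST are
constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # cost knob; raise it as hardware gets faster


def store_plaintext(password: str) -> str:
    """What PSN apparently did. The dump IS the password list."""
    return password


def store_unsalted_md5(password: str) -> str:
    """What 'encrypted' often meant in 2011: one fast, unsalted hash.
    Identical passwords give identical digests, so a table computed once
    cracks every user at the same time."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow, per-user key derivation. Stored as
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex> so the cost can be
    raised later without breaking old records."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # constant-time compare: no timing leak about how many bytes matched
    return hmac.compare_digest(dk.hex(), digest_hex)


WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou"]  # constructed


def crack_unsalted(dump: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Hash each wordlist entry once, then look every user up in that table.
    Returns (cracked users, hash computations performed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(WORDLIST)


def crack_pbkdf2(dump: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """The salt rules out a shared table: one slow derivation per (user,
    candidate) pair, so cost grows with users x wordlist x iterations."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, stored in dump.items():
        for w in WORDLIST:
            work += 1
            if verify_pbkdf2(w, stored):
                cracked[user] = w
                break
    return cracked, work


# Constructed accounts: two share a common password, one chose a strong one.
USERS = {"alice": "123456", "bob": "123456", "carol": "Tr0ub4dor&3-rainfall"}


def build_dumps() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """The same three users as a thief would see them under each scheme."""
    return (
        {u: store_plaintext(p) for u, p in USERS.items()},
        {u: store_unsalted_md5(p) for u, p in USERS.items()},
        {u: store_pbkdf2(p) for u, p in USERS.items()},
    )


if __name__ == "__main__":
    plain, md5_dump, pbkdf2_dump = build_dumps()
    print("plaintext  :", plain)
    print("unsalted   :", crack_unsalted(md5_dump))
    print("pbkdf2     :", crack_pbkdf2(pbkdf2_dump))
```

Note that the weak passwords still fall to PBKDF2: a slow hash buys time, not immunity, which is why the storage scheme needs to be paired with password-quality rules and breach notification rather than presented, as several 2011 statements did, as a reason the leak does not matter.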


FIG. 05. 35 MILLION STEAM USERS HIT BY HACKERS.

One of the key instruments in the fight against cyber-crime is international cooperation. Cyber-crime is transnational and requires a transnational response to tackle it. In this respect, the collaboration agreement signed between the United States' and India's Computer Emergency Response Teams (US-CERT and CERT-In respectively) is very important. The generalization of this type of agreement represents a major step forward in the fight against cyber-crime.

While a lot of data thieves are after money, that is not always the case. Last year we saw a number of celebrities who had personal photos stolen (the most notorious case being that of Scarlett Johansson, whose cell phone pics leaked to the Internet). There was speculation that an organized crime gang could be behind the attacks, but, in reality, everything turned out to be much simpler than it seemed. The culprit turned out to be a 35-year-old unemployed man named Christopher Chaney, who broke into the email accounts of stars by guessing their passwords. Chaney monitored social media sites and other online sources for personal information that would yield clues about potential passwords and, with a bit of patience, gained access to his victims' personal mail accounts. He also had a penchant for beautiful women, as his victims included Scarlett Johansson, Jessica Alba, Vanessa Hudgens, Miley Cyrus and Christina Aguilera.

Unfortunately, the majority of users also use passwords which are very easy to guess, known as weak passwords, which are strongly discouraged by security experts.
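Chaney's method needed no exploit: he assembled candidate passwords from facts his victims had published and tried them against webmail logins. The example below, added here and not a reconstruction of his tooling, shows the candidate generator both as an attacker uses it (against a constructed login oracle) and as a defender can use it (reject any new password derived from the user's own public profile). The profile fields, mutation rules, suffix list and attempt limit are assumptions.

```python
"""Guessing passwords from public profile data, and the matching defensive check.

Added example, not a reconstruction of Christopher Chaney's tooling. The
profile fields, mutation rules, suffix list and attempt limit are assumptions.
"""
import hmac
import itertools
from typing import Callable, Dict, List, Optional, Set

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
COMMON_SUFFIXES = ["", "1", "12", "123", "!", "?"]


def word_tokens(profile: Dict[str, str]) -> List[str]:
    """Words worth trying, lifted from every profile field except the birthday."""
    words: List[str] = []
    for key, value in profile.items():
        if key == "birthday":
            continue
        words += [w for w in value.lower().replace("-", " ").split() if len(w) >= 3]
    return sorted(set(words))


def number_tokens(profile: Dict[str, str]) -> List[str]:
    """Digits people bolt onto passwords: full year, two-digit year, MMDD."""
    birthday = profile.get("birthday")
    if not birthday:
        return []
    year, month, day = birthday.split("-")
    return [year, year[-2:], month + day]


def mutate(word: str) -> Set[str]:
    """Case and leetspeak variants of one word."""
    base = {word, word.capitalize(), word.upper()}
    return base | {b.translate(LEET) for b in base}


def candidates(profile: Dict[str, str]) -> Set[str]:
    """Every password an attacker would derive from this profile."""
    words, numbers = word_tokens(profile), number_tokens(profile)
    out: Set[str] = set()
    for w in words:
        for m in mutate(w):
            out.update(m + s for s in COMMON_SUFFIXES + numbers)
            out.update(n + m for n in numbers)
    # two-word combinations such as pet name + home town
    for a, b in itertools.permutations(words, 2):
        out.add(a + b)
        out.add(a.capitalize() + b.capitalize())
    return out


class MailLogin:
    """Constructed stand-in for a webmail login form: yes/no, and counts tries."""

    def __init__(self, real_password: str) -> None:
        self._real = real_password
        self.attempts = 0

    def try_login(self, password: str) -> bool:
        self.attempts += 1
        return hmac.compare_digest(password.encode(), self._real.encode())


def guess(profile: Dict[str, str], oracle: Callable[[str], bool], limit: int = 2000) -> Optional[str]:
    """Attacker side: try derived candidates until one logs in or the limit
    (standing in for a lockout threshold) is reached."""
    for tried, cand in enumerate(sorted(candidates(profile))):
        if tried >= limit:
            break
        if oracle(cand):
            return cand
    return None


def is_derived_from_profile(password: str, profile: Dict[str, str]) -> bool:
    """Defender side: the same generator, run as a password-acceptance check."""
    lowered = {c.lower() for c in candidates(profile)}
    return password.lower() in lowered


if __name__ == "__main__":
    # Constructed victim profile and password.
    PROFILE = {"name": "Jane Sample", "pet": "Biscuit",
               "birthday": "1984-11-23", "hometown": "Austin"}
    victim = MailLogin("Biscuit84")
    print("guessed:", guess(PROFILE, victim.try_login), "after", victim.attempts, "tries")
    print("reject 'biscuit1984'?", is_derived_from_profile("biscuit1984", PROFILE))
```

Two controls defeat this without any change in user behaviour: a lockout or rate limit on the login form (the `limit` above is the attacker's view of it), and account recovery questions that do not ask for the same public facts the generator feeds on.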

FIG. 06. CHRISTOPHER CHANEY, 35, STOLE PRIVATE PHOTOS OF OVER 50 HOLLYWOOD CELEBRITIES.


Cyber-war

Cyber-war has been one of the top buzzwords for 2011. There have been so many cases of cyber-war and cyber-espionage this year that you could write a paper just on them. We live in a time where everybody and everything is connected to the Internet, which presents a world of opportunities for cyber-thieves while authorities and government entities work actively to tackle this problem.

In January, we learnt that Canada's Ministry of Economy had been hit with a sophisticated targeted attack. While the investigations seemed to indicate that the attack originated from China, it is actually very difficult to find the culprit. Also, no details have been released about the stolen information.

Back in February, U.S. security firm McAfee reported on "Operation Night Dragon", a case in which a number of energy companies had suffered cyber-espionage attacks for at least two years. Later investigations have revealed that the affected companies included the likes of ExxonMobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips, and Baker Hughes. The attacks came once again from China, even though there is no direct evidence of involvement by Chinese authorities.

In May, the Norwegian military stated that it had been the victim of a serious cyber-attack that took place at the end of March. The attack happened when 100 senior military personnel received an email in Norwegian with an attachment. The attached file was in reality a Trojan designed to steal information. At least one person opened the attachment, but the attack was a failure and no data was lost.

At the beginning of March it was published that France's Ministry of Economy had been subject to a cyber-attack, linked to China yet again. The aim of this action was to steal information about the G-20 meeting held in Paris in February. Over 150 computers were affected, and other French Ministries also suffered unsuccessful intrusion attempts. Also in March, 40 South Korean government websites fell victim to a denial of service attack. This attack was very similar to one in 2009 and was blamed on North Korea, despite the fact that later investigations linked it to… China.

In May, China's defense ministry spokesman, Geng Yansheng, admitted for the first time that they had an elite unit of cyber-warriors in their army. British intelligence stated that the unit had been active for at least 2 years. At the end of the same month, the Pentagon declared that cyber-attacks that originated abroad could qualify as acts of war.

FIG. 07. 24,000 PENTAGON FILES STOLEN IN MAJOR CYBER-BREACH.

In July, US Deputy Defense Secretary Bill Lynn revealed that foreign intruders had taken 24,000 files of classified information about a top secret weapon system during an attack suffered in March. Lynn said that a "foreign intelligence service" was most certainly behind the theft of the secret weapon blueprints, but declined to specify which nation had carried out the attack.

Some days later, U.S. Marine Corps General James "Hoss" Cartwright stated that the DoD "was pretty much in the Stone Age".

If something can be said about cyber-war or cyber-espionage attacks, it is that most of them appear to originate from China. However, on one hand it is obvious that China is not behind every single attack and, on the other, China itself must be suffering attacks from others. One of the differences between a democratic and a non-democratic country is the amount of information they make available to the public. When, for example, the U.S. or a country in the European Union suffers a computer attack, as has happened so many times this year, it becomes public knowledge. However, this is not the case in other countries. Is it that some countries are never attacked? Absolutely not, it is just that they do not make attacks known. And China, for once, has opened up to the rest of the world and has admitted that it was hit by nearly 500,000 cyber-attacks last year, about half of which originated from foreign countries.


In September, we learned that Japanese company Mitsubishi Heavy Industries had also been hit by a cyber-attack. Almost 100 computers had been compromised, despite the company claiming that no confidential information had been stolen. This company builds highly critical equipment, like guided missiles, rocket engines and nuclear-power equipment. Chinese language was found in one of the viruses used in the cyber-attack, so once again all eyes turned to the Asian giant. Finally, the worst fears became reality some time later, when it was confirmed that hackers had actually gained access to confidential information related to jet fighters and helicopters as well as power plants.

In October, it became known that several US Air Force UAVs (unmanned aerial vehicles) had been infected with malware. After speculation over whether or not this had been a targeted attack, it was discovered that the infection was accidental and that the drone ground systems were infected through USB drives used to share map updates.

In December, the Iranian government published images of a US drone they had captured unharmed. The interesting thing about the incident is that Iran claimed to have spoofed the drone's GPS signal, landing it in Iran at what the drone believed was its home base in Afghanistan.

FIG. 08. IRAN HACKS AND CAPTURES U.S. DRONE.

STUXNET

This is the first major cyber-warfare attack by a nation state to date. Discovered in July 2010, the malware aimed at sabotaging Iran's nuclear program. In 2011, new revelations emerged pointing to Israel as the culprit, as Israel Defense Forces Chief of Staff General Gabi Ashkenazi took credit for it at his farewell party.

Also last year, the DEBKAfile website published a report citing "intelligence sources" to claim that the Iranian government had had to replace an estimated 5,000 uranium-enriching centrifuges as a result of the attack, and that since then the country had not been able to return its uranium enrichment efforts to "normal operation". In fact, the foreign ministry of Iran acknowledged that they were installing "newer and faster" centrifuges to speed up the uranium enrichment process.

In July, the U.S. Department of Homeland Security told Congress that it was aware that a Stuxnet-like virus could be used to attack critical infrastructure in the country. Others have similar fears. Within DHS, many worry that other attackers could use "increasingly public information" about the worm to launch variants that would target other industrial control systems.

2011 saw the appearance of Duqu, also called "Stuxnet 2.0" and "The Son of Stuxnet", a Trojan horse related to Stuxnet and created to steal information. It spread in Word files attached to emails sent to targeted victims and exploited a 0-day vulnerability for which there was no available patch.

Mac

This year has seen the first large-scale attack on Mac, using rogueware or fake antivirus software. Despite thousands of users being affected by the fake antivirus program (called MacDefender), Apple very much tried to bury its head in the sand, denying that any attack ever took place. A few days later, however, they acknowledged it and released a "security update" to protect against the malware. But mere hours after the update, cyber-criminals had already released new variants of the malware, like MacShield, which easily bypassed Apple's security patch. This was rather logical if you consider that the patch relied on signature matching, a 20-year-old technology that is of little use on its own unless combined with modern techniques like behavior analysis.


Cyber-criminals are continuing to show increasing interest in targeting the Apple Mac community and have increased the number of attacks on this platform. We have seen the appearance of the first Mac-specific Trojan capable of detecting whether it is being run on a virtual machine. This technique is commonly used in Windows-based malware to frustrate analysis in sandboxes and so make detection more difficult, and the fact that it is being used on Mac platforms indicates that criminals are turning their attention to this operating system.

Mobile malware

2011 has been dominated by headlines with news about malware for mobile phones. Additionally, Android is becoming the dominant platform of mobile computing and is likely to win the tablet market shortly.

Cyber-crooks are beginning to realize the existence of an emerging market they are willing to exploit, and are trying new techniques while continuing to use proven strategies, like using malware to get infected phones to send SMS text messages to premium rate numbers.

At the beginning of the year, a new Android malware took the spotlight. The Trojan, detected as Trj/ADRD.A, stole personal information and sent it to cyber-crooks. One of the most frequent recommendations to combat these threats is to avoid downloading applications from unofficial and questionable places. In this case, the Trojan was distributed from Chinese Android app markets (not from the official store) together with a series of games and wallpapers.

Unlike the iPhone's iOS, the Android OS lets you install applications from anywhere, an aspect cyber-crooks are beginning to exploit. However, this is not the only difference between the two operating systems, as applications uploaded to Android's official store (Android Market) are not examined as scrupulously as Apple ones, which has already led to some nasty surprises.

A few days later, another Android Trojan started to spread, from China once again. This time, legitimate apps had been repackaged with malware, thus delivering a nasty present. This Trojan was designed to carry out a number of actions, from sending SMS text messages to visiting Web pages. It could also block inbound SMS messages.

The beginning of March saw the largest malware attack on Android to date. On this occasion, the malicious applications were available in the official Android Market. In just four days these applications, which installed a Trojan, had racked up over 50,000 downloads. The Trojan in this case was highly sophisticated, not only stealing personal information from cell phones, but also downloading and installing other apps without the user's knowledge.

FIG. 09. ANDROID HAS BECOME A FAVORITE TARGET FOR CYBER-CROOKS.

Google managed to rid its store of all the malicious apps, and some days later removed them from users' phones.

The first months of this year saw another major attack engineered by the writers of the infamous ZeuS banking Trojan. The attack was designed to bypass the two-factor authentication system implemented by banking institutions for mobile devices. If your PC was infected and you tried to make an online transaction, the bank's page (modified in the browser by the ZeuS Trojan) would prompt you to enter your phone number and model in order to send you a message to install a "security certificate" on your phone. However, this certificate was in reality a Trojan designed to intercept all the SMS messages you received, including the bank's one-time codes.

If this was not enough, we learned that Android has some very basic security holes, as shown by the fact that it stores the passwords for email accounts on the phone's file system in plain text, with no encryption. This makes it an easy target for criminals, who can easily extract all passwords once they have hacked into the device.


The appearance of new Android malware is becoming increasingly frequent, and the final objective is always the same: to steal users' data. Thus, we have seen malware which not only copies data from the device and sends it to cyber-crooks, but also records phone calls.

In all, Google has removed about 100 malicious applications from its Android Market app store throughout 2011, which has undoubtedly delivered a blow to the confidence of Android users.

Cyber-activism

In 2010 we anticipated that cyber-activism would be one of the major stories in the coming year, and our predictions have been confirmed.

In Egypt, the Internet became almost a battlefield between the Egyptian government and protesters, especially on Facebook and Web pages like that of the Anonymous group.

FIG. 10. ANONYMOUS GROUP POSTER ANNOUNCING THEIR CAMPAIGN IN FAVOR OF THE EGYPTIAN PROTESTERS.

The Egyptian government was so desperate that it took the unprecedented step of shutting down the country's Internet connection and mobile phone network. Similarly, police in several European countries arrested scores of alleged participants in 2010's cyber-attacks in defense of WikiLeaks ("Operation: Payback").

Those arrested were mainly teenagers who used the LOIC tool to take part in the attacks without using any kind of anonymous proxy or virtual private network to cover their tracks. Everything seems to indicate that this was a retaliatory action by governments (Holland, the United Kingdom and the USA) wanting to scare off protesters.

Another "battle" worth mentioning is the one waged between the U.S. security firm HBGary Federal and the Anonymous group. Everything started when Aaron Barr, CEO of the American company, claimed to know the names of the Anonymous group leaders and said he was going to make them public. Anonymous then threatened to hack into the company... and managed to do so in less than an hour. They not only hacked into the company's Web page and Twitter account, but managed to steal thousands of emails that they later on distributed via The Pirate Bay. If that were not enough, the content of some of these mails was highly embarrassing for the company, as they brought to light unethical practices (such as the proposal to develop a rootkit), forcing Aaron Barr to stand down.

This was only the tip of the iceberg of a series of criminal activities perpetrated by Anonymous, as it seems that the only way they can protest is by committing illegal acts. However, as stated in previous reports, if the members of the group were smart enough, they would realize that their constant breaking of the law undermines the legitimacy of their protests. Over the last few months they have launched attacks on Sony and the websites of the U.S. Chamber of Commerce, Spain's national police force, several governmental institutions, etc.

Well, if you didn't have enough already of Anonymous, a new hacker collective called LulzSec emerged, whose claimed main motivation is simply "to have fun by causing mayhem".


FIG. 11. LULZSEC'S TWITTER PROFILE PICTURE.

LulzSec has specialized in stealing and posting information from companies with poor security (PBS, Fox, etc.), as well as carrying out denial of service attacks (against the CIA website, for example). They also released full lists of user data they had previously stolen, such as email addresses, passwords, etc., which has led to account hijacking and other forms of identity theft.

At the end of June, LulzSec teamed up with Anonymous for "Operation: Anti-Security", encouraging supporters to hack into, steal and publish classified government information from any source.

But not everything has been bad news: a significant number of suspected members of the Anonymous group were arrested during 2011.

In the United States, Anonymous went one step further and hacked into the systems of Booz Allen Hamilton (a government contractor with strong ties to the US Department of Defense, DoD), stealing 90,000 military email addresses and passwords. They managed to enter the system through an outdated server with no antivirus protection at all.

Soon after these attacks, the FBI arrested 16 Anonymous members in the US. All of these people could face 5 to 10 years in jail if found guilty.

However, none of these actions seem to have stopped Anonymous, who actually seems to have redoubled its efforts. Just days after the arrests, Anonymous posted links to two confidential NATO documents, and claimed to have one more gigabyte of confidential data which they refused to publish as it would be "irresponsible".

FIG. 12. MESSAGE POSTED BY ANONYMOUS, BOASTING OF THEIR LATEST ATTACK.

In addition, they released the stolen personal data of thousands of U.S. law enforcement officers, including their email addresses, usernames, passwords and in some cases even their social security numbers. And they did it again a few weeks later, as they exposed personal data of San Francisco-area subway police officers. But, if this was not enough, the group hacked yet another U.S. Department of Defense contractor (this time Vanguard Defense Industries), stealing 1 gigabyte of data such as emails and confidential documents from one of the company's top executives.

At the end of the year, Anonymous stole thousands of credit card numbers and other personal information belonging to customers of the U.S.-based security think tank Stratfor, claiming they would use the cards to donate to charity. They also published a small slice of the 200 gigabytes of data that they claimed to have stolen. The list of Stratfor's customers includes entities ranging from Apple Inc. to the U.S. Air Force, which gives an idea of the seriousness of the attack.

Meanwhile, Anonymous struck once again in Europe, stealing over 8 gigabytes of data from Italy's CNAIPIC (National Center for Computer Crime and the Protection of Critical Infrastructure).

03 | Malware figures in 2011

FIG. 12. NEW MALWARE CREATED IN 2011, BY TYPE.

26 million new malware samples have been identified in 2011, some 73,000 strains per day; quite a frightening number, the highest ever. This could pretty much sum up the malware situation in 2011; however, let's look beyond the numbers to know exactly what is happening. Firstly, let's take a look at the type of malware created in the last 12 months:

Trojans continued to account for most of the new threats, growing spectacularly. In 2009, Trojans made up 60 percent of all malware, whereas the percentage dropped to 56 percent in 2010. This year they have jumped up to 73 percent, so that nearly three out of every four new malware strains created in 2011 were Trojans. All other malware categories have lost ground with respect to Trojans, once again the weapon of choice for cyber-crooks' intrusion and data theft efforts.

FIG. 13. MALWARE INFECTIONS BY TYPE IN 2011.

FIG. 14. COUNTRIES WITH THE HIGHEST MALWARE INFECTION RATES.


As for the number of infections caused by each malware category, it is worth remembering that Trojans cannot replicate automatically, so they are less capable of triggering massive infections than viruses or worms, which can infect a large number of PCs by themselves. The graph below shows the distribution of malware infections this year.

As you can see, there is not a big difference between the share of each type of malware created and the share of infections caused by it, with one exception: the percentage of computers infected by adware/spyware is almost triple the percentage of new adware/spyware strains created.

What is the reason for this "anomaly"? This category includes fake antivirus software or rogueware: applications created by cyber-crooks that try to pass themselves off as legitimate software in order to trick users by falsely informing them that their computers are infected, and prompting them to buy a program to disinfect them.

Rogueware is ideal for cyber-criminals, who no longer need to steal users' information to make their money; instead, users part with their cash voluntarily. This is why computer criminals are spreading rogueware to as many people and as quickly as possible. The more infections, the more profit.

Let's look at the geographic distribution of infections. Which countries are most infected? Which countries are best protected? The average proportion of infected PCs across the globe stands at 38.49 percent, with the most infected country being China (60.57 percent of PCs infected), followed by Thailand (56.16 percent) and Taiwan (52.82 percent). These are the only countries that exceed 50 percent. The graph below shows the 10 countries with the highest malware infection rates in 2011.


As the table shows, there are high-infection countries in almost every continent. The U.S. barely escaped the list, as it ranked 11th with slightly more than 39 percent of its PCs infected, also above the world average.

The list of least malware-infected nations is topped by European countries, with the exception of Australia and Japan. Sweden came in lowest with only 24 percent of its PCs attacked by malware.

FIG. 15. LEAST MALWARE-INFECTED COUNTRIES.

04 | 2012 Security Trends

We have seen what has happened in 2011: a malware creation record, the highest number of Trojans ever, attacks in social networks, cyber-crime and cyber-war everywhere. What do we have to expect for the next 12 months?

Social networks

Social engineering techniques exploiting users' weaknesses have become the leading attack method in social networks. Trending topics such as the Olympics or the next US Presidential election will be used as bait. Cybercriminals will continue to target social media sites to steal personal data.

Malware increase

In the past few years, the number of malware threats has grown exponentially, and everything seems to indicate that the trend will continue in 2012. In fact, malware is the weapon used by cybercriminals to carry out their attacks.

Trojans

They are cyber-crooks' weapon of choice for their attacks, as shown by the fact that three out of every four new malware strains created in 2011 were Trojans, designed to sit silently on users' computers and steal their information.


Cyber-war

Or maybe it is more accurate to say cyber-espionage. 2011 has been the year with the most intrusions ever aimed at companies and government agencies. From New Zealand to Canada, from Japan to the European Parliament, there have been countless attacks aimed at stealing secret or classified information. We live in a world where all the information is in digital form, so modern-day spies no longer need to infiltrate a building to steal information. As long as they have the necessary computer skills, they can wreak havoc and access the best-kept secrets of organizations without ever leaving their living rooms. In 2012 we will see even more of these kinds of attacks.

Mac malware

As the market share of Mac users continues to grow, the number of threats will grow. Fortunately enough, it seems that Mac users are now more aware that Mac is not immune to malware attacks and they are increasingly using antivirus programs, hindering cyber-crooks. The number of malware specimens for Mac will continue to grow in 2012, although much less than for PCs.

Mobile malware

Over ten years ago, antivirus companies started making dire predictions of a mobile malware epidemic. Years later, as the situation was not as apocalyptic as predicted, they started claiming that the installation of antivirus software on mobile phones had prevented the catastrophe. Well, they were wrong again. If having an antivirus solution were enough to solve all types of malware problems, the world would be a happier place. Unfortunately, though, users and security vendors alike are in the hands of cyber-crooks, who are the ones who decide which platform to target. In this context, last year PandaLabs predicted a surge in cyber-attacks on mobile phones, and the fact that Android became the number one mobile target for cyber-crooks in 2011 confirms that prediction. In 2012 there will be new attacks on Android, but not on a massive scale. New mobile payment methods, via NFC for example, could become the next big target for Trojans but, as always, this will largely depend on their popularity.

Malware for tablets

The fact that tablets share the same operating system as smartphones means that they will soon be targeted by the same malware as those platforms. In addition, tablets might draw special interest from cyber-crooks, as people are using them for an increasing number of activities and they are more likely to store sensitive data than, say, a smartphone.

Cybercriminals targeting small to medium-sized companies

Why do cybercriminals target online banking customers instead of directly attacking banking institutions to steal money? The answer has to do with the cost-benefit ratio of the attack: financial entities are usually very well protected, so a successful attack against them is unlikely and very costly. However, attacking their customers to steal their identity and impersonate them is much simpler. The security of small to medium-sized companies is not that strong, and this makes them very attractive to cyber-thieves, who can steal data from hundreds or thousands of users in one go. On many occasions, small to medium-sized companies do not have dedicated security teams, which makes them much more vulnerable.

Windows 8

The next version of Microsoft's popular operating system is scheduled for November 2012, so even though it is not expected to have much of an impact on the malware landscape in the coming year, it will surely offer cyber-crooks new opportunities to create malicious software. Windows 8 will allow users to develop applications for virtually any device (PCs, tablets and smartphones) running Windows 8, so it will be possible to develop malicious applications like those for Android. This, in any event, will probably not take place until 2013.

05| Conclusion

Last year we finished our report by commenting on the bleak future that lay ahead for the security sector in 2011. Unfortunately we were right, and cyber-attacks and data theft have dominated headlines all through the year. We do not want to be pessimistic, but 2012 does not look much better.

Cyber-espionage and social networking attacks will be the predominant threats to safeguard against this year. The rise of social media, which has increased communication between people all over the world, has its own disadvantages too. Cyber-thieves can infect and steal data from thousands or millions of users in one go. You no longer need to be a computer whiz to gain control of a system or edit malicious code to generate new malware strains.

The growing number of Internet users means there is no shortage of potential victims. Cyber-criminals are just like pickpockets in a busy city square during the Christmas shopping season. The problem is that today the number of cities and squares (platforms, social networking sites, cell phones, tablet computers, etc.) has multiplied and they are busier than ever, leaving you with more chances of exposing your wallet and its contents (credit cards, photos, money) to thieves. There are more potential victims for more pickpockets.

But this rather bleak outlook should not stop you from enjoying the benefits of the Internet: online banking and shopping, instant communication with friends and relatives all around the world, the ability to read books on your phone or tablet... You just need to take a few precautions.

06| About PandaLabs

PandaLabs is Panda Security's anti-malware laboratory, and represents the company's nerve center for malware treatment:

PandaLabs continually creates, in real time, the counter-measures necessary to protect Panda Security clients from all kinds of malicious code on a global level.

PandaLabs is in this way responsible for carrying out detailed scans of all kinds of malware, with the aim of improving the protection offered to Panda Security clients, as well as keeping the general public informed.

Likewise, PandaLabs maintains a constant state of vigilance, closely observing the various trends and developments taking place in the field of malware and security. Its aim is to warn and provide alerts on imminent dangers and threats, as well as to forecast future events.

For further information about the latest threats discovered, consult the PandaLabs blog at: http://pandalabs.pandasecurity.com/

Facebook: https://www.facebook.com/PandaUSA

Twitter: https://twitter.com/PandaSecurity

Google+: http://www.gplus.to/pandasecurity

YouTube: http://www.youtube.com/pandasecurity1

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Panda Security. © Panda Security 2012. All Rights Reserved.
