Proactive IT Security

Summing up 2009 - predictions for the year to come

2009-12-17 [Reflections on malware, social engineering, propagation mechanisms, trends & forecasts]

Introduction

December is the month to look back on the year that is coming to an end, and we will attempt to sum up the situation as seen from a security company's point of view. The most significant observation to make from this year's malware activity is that various social networks became a major target for authors of malicious programs.

Particularly noteworthy pieces of malware

Some malware incidents in particular deserve attention.

Conficker

Although this worm first appeared at the end of 2008, it was in 2009 that the worm caused the most problems for end users, and in particular for organizations. The worm was most active in the first part of 2009, but is still active as this is written at the end of the year.

W32/Conficker exists in several variants and is a network-propagating worm that has the ability to update itself by downloading from the Internet. These downloads are fetched from a subset of servers chosen by the worm from a very large set of generated potential download servers.
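The update mechanism described above (a large set of generated candidate download names, of which the worm uses a subset) leaves a footprint in DNS logs: one client resolving many random-looking names in a short time. The following is an added example, not code from the article or from Norman, of a simple defender-side heuristic that flags such clients from DNS query logs. It does not reproduce Conficker's actual name-generation algorithm; it uses generic properties of machine-generated labels (length, low vowel ratio, high character entropy), so it will also catch other generated-name patterns and may miss shorter or vowel-rich ones. The log format and the log lines are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the article):
# "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2009-12-17T10:00:01 10.0.0.5 www.example.com
2009-12-17T10:00:02 10.0.0.5 mail.example.org
2009-12-17T10:00:03 10.0.0.7 qxzvkwrtpbm.info
2009-12-17T10:00:03 10.0.0.7 hjkwqzptvxn.net
2009-12-17T10:00:04 10.0.0.7 lmvbxqzrwtk.org
2009-12-17T10:00:05 10.0.0.9 update.microsoft.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Fraction of alphabetic characters that are vowels."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def second_level_label(name):
    """Label directly below the TLD, e.g. 'example' for www.example.com."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(name, min_len=8, max_vowel_ratio=0.2, min_entropy=3.0):
    """Heuristic: long, consonant-heavy, high-entropy second-level label."""
    label = second_level_label(name)
    return (
        len(label) >= min_len
        and vowel_ratio(label) <= max_vowel_ratio
        and shannon_entropy(label) >= min_entropy
    )


def suspicious_clients(log_text, threshold=3):
    """Map client IP -> list of generated-looking names, for clients at or above threshold."""
    per_client = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, name = parts
        if looks_generated(name):
            per_client.setdefault(client, []).append(name)
    return {c: names for c, names in per_client.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(client, names)
```

The thresholds are deliberately conservative so that ordinary names such as `update.microsoft.com` pass; in production the per-client count over a time window matters more than any single name, which is why the function aggregates by client rather than alerting on each lookup.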

The worm's most noteworthy feature is that one of its spreading mechanisms is exploiting a vulnerability in Windows Server Service. This vulnerability allows the worm to trigger a download of itself to the remote computer without the user's knowledge.

The worm also spreads to Windows shares in a network and to/from removable drives, e.g. USB sticks. The former makes it difficult to get rid of in a network, while the latter has resulted in several infections in high-profile organizations that normally would have had quite adequate security systems in place.

The Conficker worms have quite advanced systems to protect themselves from being disabled by antivirus and other security applications.

More details about Conficker in Norman's virus description.

Virut

W32/Virut is a family of highly polymorphic viruses. Several spreading mechanisms are used, including the autorun functionality for USB sticks, which will run the virus when such a device is attached to a computer (unless this functionality is disabled).

In addition to its highly polymorphic nature, Virut's most interesting feature is that some variants have the ability to disable Windows' file protection system in order to infect essential protected Windows system files.

The Virut viruses use techniques to protect themselves from being disabled by antivirus and other security applications by blocking access from infected computers to a series of security web sites.
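Blocking access to security web sites from an infected computer is typically done by mapping vendor hostnames to a non-routable address in the local hosts file; the article does not say which technique Virut uses, so the following check is a general one. It is an added example, not code from the article or from Norman: it parses hosts-file content and reports any entry that sends a watchlisted security-vendor domain to a loopback or unspecified address. The vendor watchlist and the sample hosts file are constructed for the example.

```python
import ipaddress

# Constructed sample hosts-file content (not from the article). The last
# four entries are the kind of tampering this check is meant to surface.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.corp.local   # legitimate internal name
127.0.0.1       www.norman.com
127.0.0.1       update.symantec.com
0.0.0.0         downloads.mcafee.com
"""

# Assumed watchlist of security-vendor domains; extend to match your vendors.
SECURITY_DOMAINS = ("norman.com", "symantec.com", "mcafee.com", "kaspersky.com")


def parse_hosts(text):
    """Return [(ip, [hostnames...])] for each non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def matches_watchlist(hostname):
    """True if hostname is a watchlisted domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS)


def is_sinkhole(ip):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address field; not our concern here
    return addr.is_loopback or addr.is_unspecified


def find_blocked_security_sites(text):
    """Return [(hostname, ip)] for watchlisted names pointed at a sinkhole address."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost":
                continue  # the one legitimate loopback mapping
            if matches_watchlist(name) and is_sinkhole(ip):
                findings.append((name, ip))
    return findings


if __name__ == "__main__":
    for name, ip in find_blocked_security_sites(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
```

On Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; feeding its content to `find_blocked_security_sites` from a clean boot medium avoids the case where the infection itself hides the modification from tools running on the infected system.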

The viruses in the Virut family were active throughout the year, and will most likely still be seen in new variants in the year to come.

More details about Virut in Norman's virus description.

Koobface

W32/Koobface is of interest primarily because it uses spreading mechanisms through social networks like Facebook. It first appeared in 2008, but 2009 was the year when it reached its peak (so far).

A computer infected by Koobface automatically sends messages with malicious links to the computer owner's contacts on various social networking sites. The worm searches through cookies on the computer looking for login credentials for various social networking sites. Using the information gathered from the cookies, the worm connects to these sites and starts sending messages to friends and contacts.

More details about Koobface in Norman's virus description.

Malware cocktails

In the "good old days" of malicious programs, security organizations and users had to relate to malware in a different way than now. The most used technique for an author of malware was then to create one malicious program, using different techniques for propagation.

Over the years this has changed, and the situation today is fundamentally different. Now we see malware cocktails as the general trend. These are composed of a whole range of different types of malicious programs, as well as programs of the same type with varying functionality.

Such malware cocktails are often delivered with a rootkit, which makes detection significantly more challenging. Some of the standard rootkits use very advanced technology to hide themselves and the malware cocktail's other components.

As one of Norman's malware analysts coined it: "it is like a Swiss army knife of malware".

Thus, the challenge for "the good guys" is fundamentally changed as it no longer suffices to detect and remove one specific malicious program. Other parts of the malware cocktail may still be active on the infected computer/network and reinfect and/or download new components. This of course severely complicates the task of cleaning infected systems.

General tendencies and trends

The growth in malicious software

One indicator of the growth in malicious software over a period of time is the number of signatures for malicious programs in Norman's virus detection files. In 2007 more signatures were added than in all previous years combined. In 2008 more signatures were added than the total number at the beginning of that year. In 2009 slightly fewer signatures were added than the total number at the beginning of the year.

This seems to indicate that growth has stabilized and is now more linear, as opposed to the exponential growth of the years before 2008. The total number of signatures at this point in time is nevertheless mind-blowing compared to the number at the beginning of the decade.

The image below shows the growth in signatures in Norman's malware signature files during 2008 and up till the middle of December 2009.

Legitimate software reported as malicious

The fact that the amount of malicious software has become so large represents an additional risk: legitimate software may be detected as malicious if it matches part of the antimalware vendors' signature files or other malware detection technology. This has happened again this year, with security software from different vendors, including Norman.

Unfortunately this will inevitably happen again. The most important challenge for the security vendors is to avoid such incidents for critical system files and for critical, much-used applications. To accomplish this, the vendors of security software invest heavily in equipment that enables thorough testing of malware detection files against all kinds of legitimate software before the signature files are published to the general customer base.

In a security article earlier this year, we discussed this issue in general using a similar issue in Google's system for identifying malicious web sites as the basis for the discussion.

More rogue computer programs

Computer programs that pretend to be what they are not have been around almost forever (in the age of computing). The trend observed in 2008, with an increased flow of rogue computer programs masquerading as antivirus and antispyware applications, continued in 2009.

During 2009 this even multiplied. By the end of the year, rogue computer programs have grown into a substantial industry. The potential for economic profit for those involved is substantial, while the risk involved is minor.

Using social networks for propagation of malware

Social networks like Facebook and Twitter have grown increasingly popular during the year. Not surprisingly this has corresponded with the use of social media as spreading mechanisms for malware.

We refer to Koobface, discussed above, as one example of malware utilizing social media; there are several others. It is important to be aware that clever social engineering techniques are often involved in successful exploitation.

As mentioned in the introduction: If one should pick one particular security issue as the most important in 2009, it is the use of social networks as targets for malware propagation and exploitation - usually by using social engineering.

Different aspects of social networks have been the topics for several of our security discussions this year. See for example:

Vulnerabilities in operating systems and applications are still exploited

The tendency of malware authors to use vulnerabilities in operating systems and applications to propagate continues. Popular applications like widespread web browsers, Adobe's applications, much-used office systems etc. were all affected by this. Not only were the most used applications from Microsoft targeted; several other vendors' popular software was affected as well.

In previous years the malware authors' focus was primarily on vulnerabilities in operating systems. Recently, however, this has changed, and much-used applications like the ones mentioned above are increasingly targeted. A particular challenge for users is the fact that there is no standard for distributing updates and patches to applications, which means that a multitude of updating mechanisms must be used.

Malware writers are very quick to utilize new vulnerabilities by creating exploit applications. One consequence of this is that software vendors have to try to react faster with security patches and other workarounds.

Malware writers are getting increasingly sophisticated in creating malware that exploits not only one, but several vulnerabilities, patched and unpatched, in the same piece of malware. This has been made even easier since a malicious person can purchase her own set of exploits on the Internet and then use these in her malicious program.

Creating a malicious program is now possible without any programming skills. One of the implications from this is that social engineering skills on the malware "designer's" part are getting more crucial in order for a particular piece of malware to succeed among the multitude of others.

During 2009 these issues were discussed at length in our security articles; see e.g.

Big media events are used as triggers for malware distribution

This is not a new and revolutionary observation. However, during 2009, we have observed that this tendency has increased. Authors of malware are more eager to launch malware using social engineering techniques piggybacking on major media events.

Several examples of this have been seen. The most prominent are probably those inspired by Michael Jackson's death and funeral.

There are numerous tools available for a person who wishes to use her social engineering skills combined with Internet instruments. In special security articles this year, we have discussed:

Malicious software exploiting new devices

An interesting phenomenon! This year two examples of this have been observed, both of which have qualified for discussion in separate security articles:

Presumably this is only the tip of the iceberg. In the future, malware attacking devices never viewed as vulnerable or dangerous by ordinary users may turn out to be exactly that. This is particularly scary, and we need to stress it again and again: people have learned to be aware of malware that is distributed through traditional means. As soon as new spreading mechanisms are used, the defences fail.

Awareness of threats to the Internet by top politicians

Finally, it is appropriate to mention that in the middle of the year, the Internet's role as a critical part of modern societies' infrastructure was emphasized. US President Barack Obama focused on this in particular in a much-commented speech on 29 May.

It is particularly welcome to the security community that challenges long felt within this group have now reached a higher level. Modern societies now acknowledge that security issues involving the Internet and related infrastructure should be in focus and seen as a potential threat to a modern nation's ability to function properly.

More details in our security article here:

Predictions for 2010

Our forecast for 2010 is not one which introduces fundamentally new security issues (though they may nevertheless appear, of course). The forecast is rather "increased focus on recent popular trends".

We expect that these security trends will be focused upon by creators of malware in 2010:

  • More and increasingly sophisticated exploitation of social networks.
  • Rogue security software will continue to be popular.
  • Malware cocktails will persist and become more flexible, and increasingly advanced rootkit technology will evolve.
  • Automatic updates of malware will be more innovative.

Two issues in particular should be "under close observation":

  • Will we finally see malware for mobile phones that represents a real threat for a significant number of users?
  • Will "in the cloud" technology be maliciously abused?

Previous years' discussions are available via the links below.

  • Annual review 2008 and forecasts for 2009
  • Review of the security trends of 2006
  • Review of the security trends of 2005
  • Review of the security trends of 2004
  • 2003 - the worst year ever regarding malicious programs?
  • 2002 - a quiet year with respect to malicious programs, or not?