The year 2010 in a data security retrospective

Introduction

December is the month to look back on the year that is coming to an end. We will attempt to sum up the situation seen from a security company's point of view. The most significant data security incidents to mention from the year are the sophisticated malware Stuxnet and incidents in the wake of WikiLeaks publication of U.S. embassy cables late November. More about both below.

General tendencies and particularly interesting incidents

The growth in malicious software

One indicator which shows the growth in malicious software during a period of time is the number of signatures for malicious programs in Norman's virus detection files. In 2007 more signatures were added than all previous years accumulated. In 2008 more signatures were added than the total number at the beginning of the year. In 2009 and 2010 slightly less signatures were added than the total number at the beginning of these years. The growth is stabilized to be more linear as opposed to exponential in the years before 2008. The total number of new signatures at this point in time is nevertheless mind-blowing and scary.

The image below shows the growth in signatures in Norman's malware signature files during 2010.

The huge number of malicious software that is targeting the Internet community inspired this security article in October: Are security products losing the battle?

Using social networks for propagation of malware

Social networks like Facebook and Twitter have become immensely popular in later years. As one can expect, cyber criminals are also focusing on these social media as  spreading mechanisms for malware. The first part of 2010 shows a significant increase in this tendency, which fully broke loose in 2009.

One example of such malware is Koobface discussed below. However, there are several other. Clever social engineering techniques will usually be involved in successful exploitation through social networks, but during the year several vulnerabilities in the social networks' infrastructure were also revealed.

Privacy issues in social networks and elsewhere

Another aspect of social networks also got quite a lot of attention in the year that is now closing. This had to do with privacy issues, and in particular Facebook's privacy system was heavily discussed and criticized.

Both the European Union's watchdog for privacy and senators from the United States, to name just a few groups, were extremely critical regarding changes in Facebook's privacy policy earlier this year. This controversy resulted in an announcement of a stricter Facebook privacy policy, as announced by Facebook's CEO and founder, Mark Zuckerberg.

We refer to a blog item on Norman's Security blog about Facebook's announced privacy changes.

The collection of private data by Google's Street View Cars should also be mentioned in this context. The issue was that information sent over the network from unsecured network was collected. This was discussed in one of our securtiy articles in May.  In October Google admitted that the Street View Cars had also collected URLs and even passwords, which was commented in this Norman blog item. 

Another hot topic for users of social network was the appearance of FireSheep. A small plugin to the Firefox browser that could easily hijack sessions over open wi-fi networks. Firesheep was discussed in our security article in the beginning of November.

Different aspects of social networks have been the topics for several of our security discussions this year. See for example:

• Communication consolidation or security nightmare
• Privacy and security in Social networks - part I
• Privacy and security in Social networks - part II
• Privacy and security in Social networks - part III

Exploitation of vulnerabilities in operating systems and applications

Authors of malicious software continued not surprisingly to use vulnerabilities in operating systems and applications to spread their malware. Popular applications like wide-spread web browsers, Adobe's applications, Microsoft's operating systems and much-used office systems were all affected by this. In particular Adobe's systems seem to have been increasingly popular and successful to exploit in 2010.

The malware writers are very quick to utilize new vulnerabilities by creating exploit applications. One consequence of this is that the software vendors have to try to react faster and quickly publish security patches and other workarounds. 

Malware writers are getting increasingly sophisticated in creating malware that exploits not only one, but several vulnerabilities - patched and not patched - in the same piece of malware. This has been made even more easy as a malicious person can purchase her own set of exploits on the Internet, and then use these in her malicious program.

Interestingly we have seen a case where a malware kit itself was abused, as reported in our Security article Cyber crime imitates legitimate business.

The fact that exploitation of vulnerabilities is perhaps the most used technique for malware spreading, inspired a separate security article in June regarding which policy to use for disclosing information about vulnerabilities. Another security article in September discussed the fact that the number of known vulnerabilities in software seems to be increasing.

Vulnerability in a format specification

One particular vulnerability that was announced in late March by the security researcher Didier Stevens, received particular - and well-deserved- attention. Stevens' proof-of-concept demonstrated what might be accomplished by using a command supported in the specification of the Portable Document Format (PDF), combined with some social engineering also supported by the specification.

The result was very scary and pointed to potentially very dangerous situations. This was not caused by any flaw in a piece of software, but rather in the specification of the portable document format.

Norman wrote extensively about this in our security article Scary technique utilizing functionality in the PDF specification, and used this issue also as the basis for a general discussion in our security article Reflections on the PDF vulnerability.

The vendors of programs used to display and edit PDF files, made available mitigating workarounds and program changes during weeks and months after Stevens' publication.

The numerous vulnerabilities in e.g. Adobe Reader may have been one of the reasons why Adobe late in the year released the new Reader X, which uses sandboxing technology to isolate processing of Portable Document Format (PDF) from other parts of the computer. See this blog item from Adobe for more information.

Malicious web sites

The most used propagation vector for malware is at the moment probably web sites that are infected. There are two different types of malicious web sites: Legitimate web sites that spread malware after they have been compromised, and web sites that by design are malicious. One should think that the latter would easily lead to finding the cybercriminal responsible. There are, however, commercial interests that facilitate setting up such web sites and largely remain anonymous - so-called "bullet-proof hosting"..

The problem with malicious web sites was discussed in one of our security articles in November.

Bots and botnets

Bots and botnets are an increasing problem for the Internet community, and this tendency continued in 2010. Some of the botnets are huge and may even represent a threat to the functionality of critical Internet infrastructure if the botnet operators want to use the botnet that way. 

In one of our security articles in September we discussed different aspects regarding how botnets are used, including the "botnet for hire" issue. Our follow-up article one week later pointed to the fact that the owners of different botnets may engage in combat against each other. One of the fighters was the loosely organized group Anonymous (see the WikiLeaks chapter below).

Together with police authorities from the Netherlands, Norman participated in disabling one of the major botnets through The Taurus Botnet Monitoring project. Read more about this in our blog item in November.

Incidents in the wake of the WikiLeaks disclosure of U.S. embassy cables

In late November the whistleblower web site WikiLeaks disclosed a huge number of classified cables from United States of America embassies around the world.

This lead to hectic activity by individuals and groups that were both in favour of or against Wikileaks. Some attempted to take down WikiLeaks by launching Distributed Denial of Service (DDoS) attacks against the organization's ' web sites. WikiLeaks' supporters on the other hand engaged in attacks on web sites that they meant had treated WikiLeaks unfairly, and several high-profile web sites experienced downtime, including MasterCard, VISA and PayPal. The pro WikiLeaks entity which got the most attention in this activity, was a group calling itself Anonymous, formerly most known for advocating free access to music and movies on the Internet.

Some referred to this battle over Internet resources as the first global Internet war, while other described the actions in which Anonymous and other engaged, as a form for innocent protesting.

When this yearly retrospective is written the pro and against WikiLeaks actions are still continuing.

Particularly noteworthy pieces of malware

There are a few malicious programs that in particular should be mentioned.

Conficker

This Conficker worm first appeared near the end of 2008, and the Conficker family of worms reached its peak in 2009. However, it was still a major problem for many users during 2010.

W32/Conficker exists in several variants and is a network propagating worm that has the ability to update itself by downloads from the Internet. These downloads are from a subset of servers chosen by the worm from a very large set of generated potential download servers.

The worm's most noteworthy feature is that one of its spreading mechanisms is exploiting a vulnerability in Windows Server Service (which was patched a long time ago). This vulnerability allows the worm to trigger a download of itself to the remote computer without the user's knowledge. The worm also spreads to Windows shares in a network and to/from removable drives, for example USB sticks.

The former feature makes it difficult to get rid of in a network, while the latter has resulted in several infections in high-profile organizations, which normally would have had quite adequate security systems in place.

The Conficker worms have quite advanced systems to protect themselves from being disabled by antivirus and other security applications.

More details about Conficker in Norman's virus description.

Koobface

Malware in the W32/Koobface family uses spreading mechanisms through social networks like Facebook. It first appeared in 2008, became widespread during 2009, and continued to be a major threat to Facebook users in 2010.

A computer infected by Koobface, automatically sends messages with malicious links to the computer owner's contacts on various social networking sites. The worm will search through cookies on the computer looking for login credentials for various social networking sites. Using the information gathered from the cookies, the worm connects to these sites and starts sending messages to friends and contacts.

More details about Koobface in Norman's virus description.

Rogue antimalware programs

These programs - also known as fake antivirus programs - have been around for a long time. In recent years however, they have become increasingly widespread, and represent a major problem for those that get infected. The reason why is that they are usually quite difficult to get rid of, as they often consist of many different malicious elements (see also Malware cocktails below)

Rogue antimalware programs' most used spreading mechanism is drive-by infections from visiting web sites. One popular technique is to manipulate search engines to display results from web sites that are infected by fake antimalware. One focuses on "hot" search words, which might be big media events and other issues that people usually search for. New, non-planned events are those that are best suited for search engine manipulation.

Another technique is propagation through malicious advertisements.

One new technique that was introduced during 2010 is discussed in one of our security articles from September. 

When email is used to spread this type of malware, the scheme is usually to use social engineering techniques to trick users into downloading malicious software and/or visiting web sites with malicious content.

More details about fake antivirus programs in Norman's virus description.

Malware cocktails

In the "good old days" of malicious programs, security organizations and users had to relate to malware in a different way than we do today. The most used technique for an author of malware then was to create one malicious program, using different techniques for propagation.

Now, we see malware cocktails as the general trend. These are composed of a whole range of different types malicious programs, as well as the same types with various functionality.

Such malware cocktails are often delivered with a rootkit, which makes detection significantly more challenging. One typical piece of malware cocktail that was a big problem in 2010, was TDSS.

Thus, the challenge for "the good guys" is fundamentally changed as it no longer suffices to detect and remove one specific malicious program. Other parts of the malware cocktail may still be active on the infected computer/network and re-infect and/or download new components. This of course severely complicates the task of cleaning infected systems.

Stuxnet

However, the most interesting and most commented piece of malware that reached fame in 2010 was Stuxnet.

Stuxnet was first discovered by the Belarus security company VirusBlokAda in June. However, it is assumed that the malware was created and released in the wild months before. As weeks and months passed, the analyses of Stuxnet revealed increasingly new characteristics and sophistication. Some of the features and techniques used by Stuxnet are:

• The initial spreading mechanism was by USB sticks using the .LNK vulnerability, for which Microsoft released an out-of-band security update 2 August.
• Stuxnet uses four different software vulnerabilities. 
• Stuxnet used stolen certificates to sign the rootkit drivers
• Stuxnet uses rootkit technologies to avoid detection.
• Stuxnet targets a particular type of industrial control systems (ICS) - Supervisory Control And Data Acquisition (SCADA) from Siemens, and attempts to infect the Programmable Logic Controller (PLC). Since Siemens' systems seem to be the main target, Siemens has published an advisory for users with potentially vulnerable Siemens software.

Stuxnet is the most sophisticated piece of malware that has been seen in the wild. It is assumed that no single person would be able to create a malware this complex, hardly an ordinary group of cybercriminals. Stuxnet's ultimate target is not clear, though most speculations tend to point to Iran's nuclear facilities. 

This has resulted in speculations that the entity behind Stuxnet has to be a nation, and several hypotheses about which nation exist. As of now the authors have not been revealed, probably they never will.

You may find more information from Norman about Stuxnet from the links below:

• Exploits for .LNK vulnerability are growing fast (security advisory)
• A new generation of malware (security article)
• W32/Stuxnet.A (malware description)
• Understanding the Stuxnet and the Next Generation of Malware (white paper - PDF format)

Predictions for 2011

Our forecast for 2011 does not introduce fundamentally new security issues (though they may nevertheless appear, of course). The forecast is rather "increased focus on recent popular trends".

We expect that these security trends will be in focus in 2011:

• More and increasingly sophisticated exploitation of social networks. As these networks continue to grow, and are increasingly used also by organizations, they will be even more interesting targets for cybercriminals.
• Rogue security software will continue to be popular. The potential for "easy money" is too great to be ignored with current protection mechanisms.
• The malware cocktails will persist, be more flexible and increasingly advanced rootkit technology will evolve.
• The Stuxnet malware will inspire other malware that targets special systems.
• Automatic updates of malware will be more innovative.
• Suggestions about more regulation of the Internet will emerge and be heavily discussed.
• More widespread malware for handheld devices will emerge.
• More focus on virtualized environments

Previous years' discussions are available from links below