Proactive IT security

The first part of 2010 - overview of security issues

2010-07-01 [Malware discussion, Social engineering, Spreading mechanisms, Trends & predictions]

Introduction

In this Norman report on security issues during the first half of 2010, we will go through some incidents and tendencies. We will focus on those that Norman perceives as most important in these past six months.

General tendencies and trends

The growth in malicious software

One indicator of the growth in malicious software over a period of time is the number of signatures for malicious programs in Norman's virus detection files. In 2007 more signatures were added than in all previous years accumulated. In 2008 more signatures were added than the total number at the beginning of the year. In 2009 slightly fewer signatures were added than the total number at the beginning of the year. The numbers from the first half of 2010 indicate that the trend from recent years continues: growth has stabilized and is now roughly linear, as opposed to the exponential growth of the years before 2008. The total number of new signatures at this point in time is nevertheless mind-blowing and scary.

The image below shows the growth in signatures in Norman's malware signature files during 2009 and the first half of 2010.

Using social networks for propagation of malware

Social networks like Facebook and Twitter are immensely popular. As one can expect, cyber criminals are also focusing on these social media as spreading mechanisms for malware. The first part of 2010 shows an increase in this tendency, which fully broke loose in 2009.

One example of such malware is Koobface, discussed below; there are several others. Clever social engineering techniques are usually involved in successful exploitation through social networks.

Privacy issues in social networks and elsewhere

Another aspect of social networks also got quite a lot of attention in the past six months. This had to do with privacy issues, and in particular Facebook's privacy system was heavily discussed and criticized.

Both the European Union's watchdog for privacy and senators from the United States, to name just a few groups, were extremely critical regarding changes in Facebook's privacy policy earlier this year. This controversy resulted in the announcement of a stricter Facebook privacy policy by Facebook's CEO and founder, Mark Zuckerberg.

We refer to a blog item on Norman's Security blog about Facebook's announced privacy changes.

The collection of private data by Google's Street Cars should also be mentioned in this context. This was discussed in one of our security articles in May. The final outcome of this incident is not clear, as investigations and considerations regarding lawsuits are still ongoing in affected countries and by individuals.

Exploitation of vulnerabilities in operating systems and applications

Authors of malicious software, not surprisingly, continued to use vulnerabilities in operating systems and applications to spread their malware. Popular applications like widespread web browsers, Adobe's applications, Microsoft's operating systems and much-used office suites were all affected by this. Adobe's products in particular seem to have become increasingly popular targets for exploitation in the first half of 2010.

The malware writers are very quick to utilize new vulnerabilities by creating exploit applications. One consequence of this is that software vendors have to react faster and quickly publish security patches and other workarounds.

Malware writers are getting increasingly sophisticated in creating malware that exploits not only one, but several vulnerabilities - patched and unpatched - in the same piece of malware. This has been made even easier by the fact that a malicious person can purchase her own set of exploits on the Internet and then use these in her malicious program.

Interestingly we have seen a case where a malware kit itself was abused, as reported in our Security article Cyber crime imitates legitimate business.

The fact that exploitation of vulnerabilities is perhaps the most used technique for spreading malware inspired a separate security article in June on which policy to use for disclosing information about vulnerabilities.

Vulnerability in a format specification

One particular vulnerability, announced in late March by the security researcher Didier Stevens, received particular, and well-deserved, attention. Stevens' proof-of-concept demonstrated what might be accomplished by using a command supported in the specification of the Portable Document Format (PDF), combined with some social engineering through modification of a dialog box.

The result was very scary and pointed to potentially very dangerous situations. This was not caused by a vulnerability in a piece of software, but rather in the specification of the Portable Document Format itself.

Norman wrote extensively about this in our security article Scary technique utilizing functionality in the PDF specification, and used this issue also as the basis for a general discussion in our security article Reflections on the PDF vulnerability.

The vendors of programs used to show and edit PDF files made mitigating workarounds and program changes available during the weeks and months since Stevens' publication. The newest so far are updates to Adobe Acrobat and Reader as late as 29 June this year.
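As an added defender-side example, not part of Norman's article or Stevens' publication: the command his proof-of-concept relied on was the PDF /Launch action, and a simple triage check can flag documents that carry it, in particular when it is paired with /OpenAction or /AA so that it fires as soon as the file is opened. The sample documents are constructed for this example and are not real malware; the scanner is a heuristic and does not inflate compressed streams.

```python
import re

# Names whose presence in a PDF merits a closer look. /Launch is the action type
# Didier Stevens' March 2010 proof-of-concept relied on; /OpenAction and /AA make
# an action fire automatically when the document is opened or viewed.
SUSPICIOUS_NAMES = (b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name ends at whitespace or a delimiter, so /JS must not match /JSx.
_NAME_END = rb"(?![^\s()<>\[\]{}/%])"

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/L#61unch -> /Launch) so that obfuscated
    names are caught by the same plain-text matching as unobfuscated ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Heuristic triage of a PDF: count suspicious names and report whether a
    /Launch action would fire without user interaction. This is not a full PDF
    parser; objects inside compressed streams are not inflated here."""
    text = normalize_names(data)
    counts = {name.decode(): len(re.findall(re.escape(name) + _NAME_END, text))
              for name in SUSPICIOUS_NAMES}
    auto_open = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {
        "counts": counts,
        "launch_action": counts["/Launch"] > 0,
        "auto_launch": counts["/Launch"] > 0 and auto_open,
        "obfuscated_names": text != data,
    }

# Constructed sample documents (not real malware): a benign file, a file whose
# /OpenAction points at a /Launch action, and the same file with the action
# name hex-escaped to dodge naive string matching.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
LAUNCH_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R "
              b"/OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /Type /Action /S /Launch /F (example.exe) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/L#61unch")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("launch", LAUNCH_PDF),
                       ("obfuscated", OBFUSCATED_PDF)):
        print(label, scan_pdf(doc))
```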

Malicious software exploiting new devices

So far we have not seen any examples of major problems resulting from malware that exploits new devices. Norman has nevertheless written about this topic three times during the last six months, in our security articles New devices vulnerable for Internet based attacks, OR: The future is here; Systems prime for exploitation?; and Upcoming? The age of the cyborgs.

It seems inevitable that malware on devices other than "traditional" computers will be a considerable problem in the future. When this will happen is yet to be seen.

Legitimate software reported as malicious

The fact that the number of malicious programs has become so large, as shown above, represents an additional risk in itself. Legitimate software may be detected as malicious because it matches a part of the antimalware vendors' signature files or other malware detection technology. This has also happened during the first six months of this year, with security software from different vendors, including Norman. Some of these incidents have received considerable media attention as they had severe consequences for a large number of customers.

Unfortunately this will inevitably happen again. The most important challenge for the security vendors is to avoid such incidents for critical system files and for critical, much-used applications. To accomplish this, the vendors of security software invest heavily in equipment, thereby enabling even more thorough testing of malware detection files against all kinds of legitimate software, before signature files are published to the general customer base.

Particularly noteworthy pieces of malware

There are a few malicious programs that in particular should be mentioned.

Conficker

The Conficker worm first appeared near the end of 2008, and the Conficker family of worms reached its peak in 2009. However, it was still a major problem for many users during the first half of 2010.

W32/Conficker exists in several variants and is a network propagating worm that has the ability to update itself by downloads from the Internet. These downloads are from a subset of servers chosen by the worm from a very large set of generated potential download servers.

The worm's most noteworthy feature is that one of its spreading mechanisms is exploiting a vulnerability in Windows Server Service (which was patched a long time ago). This vulnerability allows the worm to trigger a download of itself to the remote computer without the user's knowledge. The worm also spreads to Windows shares in a network and to/from removable drives, for example USB sticks.

The former feature makes it difficult to get rid of in a network, while the latter has resulted in several infections in high-profile organizations, which normally would have had quite adequate security systems in place.

The Conficker worms have quite advanced systems to protect themselves from being disabled by antivirus and other security applications.

More details about Conficker in Norman's virus description.

Koobface

Malware in the W32/Koobface family spreads through social networks like Facebook. It first appeared in 2008, became widespread during 2009, and continued to be a major threat to Facebook users in the first half of 2010.

A computer infected by Koobface automatically sends messages with malicious links to the computer owner's contacts on various social networking sites. The worm searches through cookies on the computer looking for login credentials for various social networking sites. Using the information gathered from the cookies, the worm connects to these sites and starts sending messages to friends and contacts.

More details about Koobface in Norman's virus description.

Rogue antimalware programs

These programs - also known as fake antivirus programs - have been around for a long time. In recent years, however, they have become increasingly widespread, and represent a major problem for those who get infected. The reason is that they are usually quite difficult to get rid of, as they often consist of many different malicious elements (see also Malware cocktails below).

Rogue antimalware programs' most used spreading mechanism is drive-by infection from visiting web sites. One popular technique is to manipulate search engines to display results from web sites that are infected with fake antimalware. The criminals focus on "hot" search terms, such as big media events and other topics that people commonly search for. New, unplanned events are best suited for search engine manipulation.

Another technique is propagation through malicious advertisements.

When email is used to spread this type of malware, the scheme is usually to use social engineering techniques to trick users into downloading malicious software and/or visiting web sites with malicious content.

More details about Fake antivirus programs in Norman's virus description.

Malware cocktails

In the "good old days" of malicious programs, security organizations and users had to relate to malware in a different way than we do today. The most used technique for an author of malware then was to create one malicious program, using different techniques for propagation.

Now we see malware cocktails as the general trend. These are composed of a whole range of different types of malicious programs, as well as programs of the same type with varying functionality.

Such malware cocktails are often delivered with a rootkit, which makes detection significantly more challenging. One typical malware cocktail that was a big problem in the first half of 2010 was TDSS.

Thus, the challenge for "the good guys" is fundamentally changed as it no longer suffices to detect and remove one specific malicious program. Other parts of the malware cocktail may still be active on the infected computer/network and reinfect and/or download new components. This of course severely complicates the task of cleaning infected systems.

Predictions

We refer to the Summing up 2009 - predictions for the year to come, available below, regarding predictions for 2010. As usual we view it as unfair to the faithful readers of our security articles to adjust the predictions for the year in the middle of the foretold period.

Previous years' discussions are available from the links below:

Summing up 2009 - predictions for the year to come
Summing up 2008 and predictions for 2009
Looking back on the security trends for 2006
Looking back on the security trends for 2005
Looking back on the security trends for 2004
2003 - the worst year ever regarding malicious programs?
2002 - a quiet year with respect to malicious programs, or not?