Магазин SSL сертифікатів . купити ssl сертифікат, openssl, https, ssl в Україні, протокол ssl, ADGRAFICS Украинский сертификационный центр WebTrust Регистратор Доменных имен Хостинг провайдер СП Адграфикс Украина

About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com. .topic { font-size:11px; padding-top:2px; padding-left:10px; color:#FFF; }

2011 In Review

2011 In Numbers

Executive Summary

Symantec blocked more than 5.5 billion malicious attacks in 2011ⁱ; an increase of more than 81% from the previous year. This increase was in large part a result of a surge in polymorphic malware attacks, particularly from those found in Web attack kits and socially engineered attacks using email-borne malware. Targeted attacks exploiting zero-day vulnerabilities were potentially the most insidious of these attacks. With a targeted attack, it is almost impossible to know when you are being targeted, as by their very nature they are designed to slip under the radar and evade detection. Unlike these chronic problems, targeted attacks, politically-motivated hacktivist attacks, data breaches and attacks on Certificate Authorities made the headlines in 2011. Looking back at the year, we saw a number of broad trends, including (in roughly the order they are covered in the main report):

Malicious attacks skyrocket by 81 percent

In addition to the 81% surge in attacks, the number of unique malware variants also increased by 41% and the number of Web attacks blocked per day also increased dramatically, by 36%. Greater numbers of more widespread attacks employed advanced techniques, such as server-side polymorphism to colossal effect. This technique enables attackers to generate an almost unique version of their malware for each potential victim.

At the same time, Spam levels fell considerably and the report shows a decrease in total new vulnerabilities discovered (-20%). These statistics compared to the continued growth in malware paint an interesting picture. Attacks are rising, but the number of new vulnerabilities is decreasing. Unfortunately, helped by toolkits, cyber criminals are able to efficiently use existing vulnerabilities. The decrease in Spam - another popular and well known attack vector did not impact the number of attacks. One reason is likely the vast adoption of social networks as a propagation vector. Today these sites attract millions of users and provide fertile ground for cyber criminals. The very nature of social networks make users feel that they are amongst friends and perhaps not at risk. Unfortunately, it’s exactly the opposite and attackers are turning to these sites to target new victims. Also, due to social engineering techniques and the viral nature social networks, it’s much easier for threats to spread from one person to the next.

Cyber espionage and business: Targeted attacks target everyone

We saw a rising tide of advanced targeted attacks in 2011 (94 per day on average at the end of November 2011). The report data also showed that targeted threats are not limited to the Enterprises and executive level personnel. 50% of attacks focused on companies with less than 2500 employees, and 18% of attacks were focused on organizations with less than 250 employees. It’s possible that smaller companies are now being targeted as a stepping stone to a larger organization because they may be in the partner ecosystem and less well-defended. Targeted attacks are a risk for businesses of all sizes – no one is immune to these attacks.

In terms of people who are being targeted, it’s no longer only the CEOs and senior level staff. 58% of the attacks are going to people in other job functions such as Sales, HR, Executives Assistants, and Media/Public Relations. This could represent a trend in attackers focusing their attention on lower hanging fruit. If they cannot get to the CEOs and senior staff, they can get to other links inside the organizations. It is also interesting to note that these roles are highly public and also likely to receive a lot of attachments from outside sources. For example, an HR or recruiter staff member would regularly receive and open CVs and other attachments from strangers.

Mobile Phones under Attack

Growth of mobile malware requires a large installed base to attack and a profit motive to drive it. According to the analyst firm, Gartner, smartphones and tablets began to outsell conventional PCs in 2011, with sales of smartphones predicted to reach 645 million by the end of 2012. And while profits remain lucrative in the PC space, mobile offers new opportunities to cybercriminals that potentially are more profitable. A stolen credit card made go for as little as USD 40-80 cents. Malware that sends premium SMS text messages can pay the author USD $9.99 for each text and for victims not watching their phone bill could pay off the cybercriminal countless times. With the number of vulnerabilities in the mobile space rising (a 93.3% increase over 2010) and malware authors not only reinventing existing malware for mobile devices but creating mobile specific malware geared to the unique the opportunities mobile present, 2011 was the first year that mobile malware presented a tangible threat to enterprises and consumers.

Mobile also creates an urgent concern to organizations around the possibility of breaches. Given the intertwining of work and personal information on mobile devices the loss of confidential information presents a real risk to businesses. And unlike a desktop computer, or even a laptop, mobile devices are easily lost. Recent research by Symantec shows that 50% of lost phones will not be returned. And that for unprotected phones, 96% of lost phones will have the data on that phone breached.

Certificate Authorities and Transport Layer Security (TLS) v1.0 are targeted as SSL use increases

High-profile hacks of Certificate Authorities, providers of Secure Sockets layer (SSL) Certificates, threatened the systems that underpin trust in the internet itself. However, SSL technology wasn’t the weak link in the DigiNotar breach and other similar hacks; instead, these attacks highlighted the need for organizations in the Certificate Authority supply chain to harden their infrastructures and adopt stronger security procedures and policies. A malware dependent exploit concept against TLS 1.0 highlighted the need for the SSL ecosystem to upgrade to newer versions of TLS, such as TLS 1.2 or higher. Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by Facebook, Google, Microsoft, and Twitter adoption of Always On SSLⁱⁱ.

232 million identities stolen

More than 232.4 million identities were exposed overall during 2011. Although not the most frequent cause of data breaches, breaches caused by hacking attacks had the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011, according to analysis from the Norton Cybercrime Indexⁱⁱⁱ. The most frequent cause of data breaches (across all sectors) was theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium. Theft or loss accounted for 34.3% of breaches that could lead to identities exposed.

Botnet takedowns reduce spam volumes

It isn’t all bad news; the overall volume of spam fell considerably in the year from 88.5% of all email in 2010 to 75.1% in 2011. This was largely thanks to law enforcement action which shut down Rustock, a massive, worldwide botnet that was responsible for sending out large amounts of spam. In 2010, Rustock was the largest spam-sending botnet in the world, and with its demise, rival botnets were seemingly unable or unwilling to take its place. At the same time, spammers are increasing their focus on social networking, URL shorteners and other technology to make spam-blocking harder.

Taken together, these changes suggest that a growing number of untargeted but high-volume malware and spam attacks is matched by an increasingly sophisticated hard core of targeted attacks, advanced persistent threats and attacks on the infrastructure of the Internet itself. Organizations should take this message to heart. They need to be successful every time against criminals, hackers and spies. The bad guys only need to be lucky once.

ⁱ NB. This figure includes attack data from Symantec.cloud for the first time. Excluding these figures for comparison with 2010, the total figure would be 5.1 billion attacks.

ⁱⁱhttps://otalliance.org/resources/AOSSL/index.html

ⁱⁱⁱhttp://www.nortoncybercrimeindex.com/

Safeguarding Secrets: Industrial Espionage in Cyberspace

Cyber-espionage in 2011

The number of targeted attacks increased dramatically during 2011 from an average of 77 per day in 2010 to 82 per day in 2011. And advanced persistent threats (APTs) attracted more public attention as the result of some well publicized incidents.

Targeted attacks use customized malware and refined targeted social engineering to gain unauthorized access to sensitive information. This is the next evolution of social engineering, where victims are researched in advance and specifically targeted. Typically, criminals use targeted attacks to steal valuable information such as customer data for financial gain. Advanced persistent threats use targeted attacks as part of a longer-term campaign of espionage, typically targeting high-value information or systems in government and industry.

In 2010, Stuxnet grabbed headlines. It is a worm that spreads widely but carried a specialized payload designed to target systems that control and monitor industrial processes, creating suspicion that it was being used to target nuclear facilities in Iran. It showed that targeted attacks could be used to cause physical damage in the real world, making real the specter of cyber-sabotage.

In October 2011, Duqu came to light^iv. This is a descendent of Stuxnet. It used a zero-day exploit to install spyware that recorded keystrokes and other system information. It presages a resurgence of Stuxnet-like attacks but we have yet to see any version of Duqu built to cause cyber-sabotage.

Various long term attacks against the petroleum industry, NGOs and the chemical industry^v also came to light in 2011. And hactivism by Anonymous, LulzSec and others dominated security news in 2011.

Figure 1: Targeted attacks trend showing average number of attacks identified each month, 2011. Source: Symantec

Advanced Persistent Threats

Advanced persistent threats (APTs) have become a buzzword used and misused by the media but they do represent a real danger. For example, a reported attack in March 2011 resulted in the theft of 24,000 files from a US defense contractor. The files related to a weapons system under development for the US Department of Defense (DOD).

Government agencies take this type of threat very seriously. For example, the US DOD has committed at least $500 (USD) million to cyber security research and development and the UK Government recently released its Cyber Security Strategy, outlining a National Cyber Security Programme of work funded by the GBP £650 million investments made to address the continuously evolving cyber risks, such as e-crime as well as threats to national security^vi.

All advanced persistent threats rely on targeted attacks as their main delivery vehicle, using a variety of vectors such as drive-by-downloads, SQL injection, malware, phishing and spam.

APTs differ from conventional targeted attacks in significant ways:

They use highly customized tools and intrusion techniques.
They use stealthy, patient, persistent methods to reduce the risk of detection.
They aim to gather high-value, national objectives such as military, political or economic intelligence.
They are well-funded and well-staffed, perhaps operating with the support of military or state intelligence organizations.
They are more likely to target organizations of strategic importance, such as government agencies, defense contractors, high profile manufacturers, critical infrastructure operators and their partner ecosystem.

The hype surrounding APTs masks an underlying reality—these threats are, in fact, a special case within the much broader category of attacks targeted at specific organizations of all kinds. As APTs continue to appear on the threat landscape, we expect to see other cybercriminals learn new techniques from these attacks. For example, we’re already seeing polymorphic code used in mass malware attacks and we see spammers exploit social engineering on social networks. Moreover, the fact that APTs are often aimed at stealing intellectual property suggests new roles for cybercriminals as information brokers in industrial espionage schemes.

While the odds of an APT affecting most organizations may be relatively low, the chances that you may be the victim of a targeted attack are, unfortunately, quite high. The best way to prepare for an APT is to ensure you are well defended against targeted attacks in general.

Targeted Attacks

Targeted attacks affect all sectors of the economy. However, two-thirds of attack campaigns focus on a single or a very limited number of organizations in a given sector and more than half focus on the defense and aerospace sector, sometimes attacking the same company in different countries at the same time. On average they used two different exploits in each campaign, sometimes using zero-day exploits to make them especially potent.

Figure 2: Targeted email attacks, by top-ten industry sectors, 2011. Source: Symantec.cloud

Figure 3: Attacks by size of targeted organization. Source: Symantec.cloud

It is, however, a mistake to assume that only large companies suffer from targeted attacks. In fact, while many small business owners believe that they would never be the victim of a targeted attack, more than half were directed at organizations with fewer than 2,500 employees; in addition, 17.8% were directed at companies with fewer than 250 employees. It is possible that smaller companies are targeted as a stepping-stone to a larger organization because they may be in the supply chain or partner ecosystem of larger, but more well-defended companies.

While 42% of the mailboxes targeted for attack are high-level executives, senior managers and people in R&D, the majority of targets were people without direct access to confidential information. For an attacker, this kind of indirect attack can be highly effective in getting a foot in the door of a well-protected organization. For example, people with HR and recruitment responsibilities are targeted 6% of the time, perhaps because they are used to getting email attachments such as CVs from strangers.

Figure 4: Analysis of job functions of recipients being targeted. Source: Symantec

Where attacks come from

Figure 5 represents the geographical distribution of attacking machines’ IP addresses for all targeted attacks in 2011. It doesn’t necessarily represent the location of the perpetrators.

Figure 5: Geographical locations of attacking machines’ IP addresses. Source: Symantec

Case study

In 2011, we saw 29 companies in the chemical sector (among others) targeted with emails that appeared to be meeting invitations from known suppliers. These emails installed a well-known backdoor trojan with the intention of stealing valuable intellectual property such as design documents and formulas.

^ivhttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

^vhttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf

^vihttp://www.cabinetoffice.gov.uk/sites/default/files/resources/WMS_The_UK_Cyber_Security_Strategy.pdf

Against the Breach: Securing Trust and Data Protection

Political activism and hacking were two big themes in 2011; themes that are continuing into 2012. There were many attacks last year that received lots of media attention. Hacking can undermine institutional confidence in a company, and loss of personal data can result in damage to an organization’s reputation.

Although not the most frequent cause of data breaches, hacking attacks had potentially the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011, analysis from the Norton Cybercrime Index revealed. Despite the media interest around these breaches, old-fashioned theft was the most frequent cause of data breaches in 2011.

Data Breaches in 2011

2011 was the year of data breaches. Analysis of the industry sectors showed that companies in the Computer Software, IT and healthcare sectors accounted for 93.0% of the total number of identities stolen. It is likely that hackers perceived some of the victims as softer targets, focused on consumer markets and not information security. Theft or loss was the most frequent cause, across all sectors, accounting for 34.3%, or approximately 18.5 million identities exposed in 2011.

Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached though hacking attacks. More than 232.4 million identities were exposed overall during 2011. Deliberate breaches mainly targeted customer-related information, primarily because it can be used for fraud.

A recent study^vii from the Ponemon Institute, commissioned by Symantec, looked at 36 data breaches in the UK^viii and found the average per capita cost was GBP £79 and an average incident costs GBP £1.75 million in total. Similarly in the US, Ponemon examined 49 companies and found the per capita cost of a breach was USD $194 and an average incident costs USD $5.5 million in total. Echoing the Norton Cybercrime Index data above, the Ponemon study also found that negligence (36% of cases in the UK and 39% in the US) and malicious or criminal attacks (31% in the UK and 37% in the US) were the main causes.

The study’s findings revealed that more organizations were using data loss prevention technologies in 2011 and that fewer records were being lost, with lower levels of customer churn than in previous years. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.

Figure 6: Timeline of data breaches showing identities breached in 2011. Source: Symantec

Figure 7: Top-ten sectors by number of data breaches, 2011. Source: Symantec

Figure 8: Top-ten sectors by number of identities exposed, 2011. Source: Symantec

Certificate Authorities under attack

Certificate Authorities (CAs), which issue SSL certificates that help encrypt and authenticate websites and other online services, saw an unprecedented number of attacks in 2011.

Notable examples of attacks against CAs in 2011 included:

March: An attack compromised the access credentials of a Comodo partner in Italy and used the partner’s privileges to generate fraudulent SSL certificates .
May: It was reported that another Comodo partner was hacked: ComodoBR in Brazil^x.
June: StartCom, the CA operating StartSSL was attacked unsuccessfully in June^xi.
June: Diginotar was hacked in June. But no certificates were issued at first^xii.
July: An internal audit discovered an intrusion within DigiNotar’s infrastructure indicating compromise of their cryptographic keys. Fraudulent certificates are issued as a result of the DigiNotar hack for Google, Mozilla add-ons, Microsoft Update and others^xiii.
August: Fraudulent certificates from the DigiNotar compromise are discovered in the wild. Hacker (dubbed ComodoHacker) claims credit for Comodo and DigiNotar attacks and claims to have attacked other certificate authorities as well. Hacker claims to be from Iran.
September: Security researchers demonstrate “Browser Exploit Against SSL/TLS” (BEAST for short)^xiv, a technique to take advantage of a vulnerability in the encryption technology of TLS 1.0, a standard used by Browsers, Servers and Certificate Authorities.
September: GlobalSign attacked, although the Certificate Authority was not breached, their web server was compromised^xv., but nothing else^xvi. ComodoHacker claims credit for this attack as well.
September: Dutch government and other Diginotar customers suddenly had to replace all Diginotar certificates as the major Web browser vendors removed Diginotar from their trusted root stores^xvii. DigiNotar files for bankruptcy.
November: Digicert Sdn. Bhd (Digicert Malaysia) an intermediate certificate authority that chained up to Entrust (and is no relation to the well-known CA, DigiCert Inc.) issued certificates with weak private keys and without appropriate usage extensions or revocation information. As a result Microsoft, Google and Mozilla removed the Digicert Malaysia roots from their trusted root stores^xviii. This was not as the result of a hacking attack; this was a result of poor security practices by Digicert Sdn. Bhd.

These attacks have demonstrated that not all CAs are created equal. These attacks raise the stakes for Certificate Authorities and require a consistently high level of security across the industry. For business users, they underline the importance of choosing a trustworthy, well-secured Certificate Authority. Lastly, consumers should be using modern up-to-date browsers and become more diligent about checking to verify that sites they visit are using SSL issued by a major trusted CA and we have included some advice in the best practices section at the end of this report.

Building Trust and Securing the Weakest Links

Law-abiding users have a vested interest in building a secure, reliable, trustworthy Internet. The latest developments show that the battle for end-users’ trust is still going on:

Always On SSL. Online Trust Alliance^xix endorses Always On SSL, a new approach to implementing SSL across a website. Companies like Facebook^xx, Google, PayPal, and Twitter^xxi are offering users the option of persistent SSL encryption and authentication across all the pages of their services (not just login pages). Not only does this mitigate man-in-the-middle attacks like Firesheep^xxii, but it also offers end-to-end security that can help secure every Web page that visitors to the site use, not just the pages used for logging-in and for financial transactions.
Extended Validation SSL Certificates. EV SSL Certificates offer the highest level of authentication and trigger browsers to give users a very visible indicator that the user is on a secured site by turning the address bar green. This is valuable protection against a range of online attacks. A Symantec sponsored consumer survey of internet shoppers in Europe, the US and Australia showed the SSL EV green bar increases the feeling of security for most (60%) shoppers^xxiii. Conversely, in a US online consumer study, 90% of respondents would not continue a transaction if they see a browser warning page, indicating the absence of a secure connection^xxiv.
Baseline Requirements for SSL/TLS Certificates. The CA/Browser Forum released “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates”, the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software. The new baseline standard was announced in December 2011 and goes into effect July 1, 2012.
Code signing certificates and private key security. High profile thefts of code signing private keys highlighted the need for companies to secure and protect their private keys if they hold digital certificates^xxv. Stealing code signing keys enables hackers to use those certificates to digitally sign malware and that can help to make attacks using that malware much harder to recognize. That is exactly what happened with the Stuxnet and Duqu attacks.
DNSSEC. This technology is gaining momentum as a method of preserving the integrity of the domain name system (DNS). However, it is not a panacea for all online security needs, it does not provide website identity authentication nor does it provide encryption. DNSSEC should be used in conjunction with Secure Sockets Layer (SSL) technology and other security mechanisms.
Legal requirements. Many countries, including the EU Member States^xxvi and the United States (46 states) have at least sectoral data breach notification legislation, which means that companies must notify authorities and, where appropriate, affected individuals if their data is affected by a data breach. As well as a spur to encourage other territories with less regulation, these requirements can reassure users that in the event of a breach they will be quickly notified and will be able take some action to mitigate against potential impact, including changing account passwords.

^viiTBC: ADD URL TO UK PONEMON RESEARCH

^viii2011 Cost of Data Breach Study: United Kingdom, Ponemon Institute, March 2012

^ixCertificate Authority hacks (Comodohacker), breaches & trust revocations in 2011: Comodo (2 RAs hacked), https://www-secure.symantec.com/connect/blogs/how-avoid-fraudulent-ssl, http://www.thetechherald.com/articles/InstantSSL-it-named-as-source-of-Comodo-breach-by-attacker/13145/

^xhttp://www.theregister.co.uk/2011/05/24/comodo_reseller_hacked/

^xiStartCom attacked, http://www.internet-security.ca/internet-security-news-archives-031/security-firm-start-ssl-suffered-a-security-attack.html, http://www.informationweek.com/news/security/attacks/231601037

^xiihttp://www.theregister.co.uk/2011/09/06/diginotar_audit_damning_fail/

^xiiiDigiNotar breached & put out of business, https://www-secure.symantec.com/connect/blogs/why-your-ca-matters, https://www-secure.symantec.com/connect/blogs/diginotar-ssl-breach-update, http://www.arnnet.com.au/article/399812/comodo_hacker_claims_credit_diginotar_attack/, http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached.ars, http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231600865/comodo-hacker-takes-credit-for-massive-diginotar-hack.html http://www.pcworld.com/businesscenter/article/239534/comodo_hacker_claims_credit_for_diginotar_attack.html

^xivAttacks & Academic proof of concept demos: BEAST (http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html) and TLS 1.1/1.2, THC-SSL-DOS, LinkedIn SSL Cookie Vulnerability (http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/),

^xvhttp://www.itproportal.com/2011/09/13/globalsign-hack-was-isolated-server-business-resumes/

^xvihttp://www.theregister.co.uk/2011/09/07/globalsign_suspends_ssl_cert_biz/

^xviihttp://www.pcworld.com/businesscenter/article/239639/dutch_government_struggles_to_deal_with_diginotar_hack.html

^xviiihttp://www.theregister.co.uk/2011/11/03/certificate_authority_banished/

^xixhttps://otalliance.org/resources/AOSSL/index.html

^xxhttp://blog.facebook.com/blog.php?post=486790652130

^xxihttp://blog.twitter.com/2011/03/making-twitter-more-secure-https.html

^xxiihttp://www.symantec.com/connect/blogs/launch-always-ssl-and-firesheep-attacks-page

^xxiiiSymantec-sponsored consumer web survey of internet shoppers in the UK, France, Germany, Benelux, the US, and Australia in December 2010 and January 2011 (Study conducted March 2011).

^xxivhttp://www.symantec.com/about/news/release/article.jsp?prid=20111129_01

^xxvhttp://www.symantec.com/connect/blogs/protecting-digital-certificates-everyone-s-responsibility/

^xxvihttp://www.enisa.europa.eu/act/it/library/deliverables/dbn/at_download/fullReport

^xxviihttp://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/

Consumerization and Mobile Computing: Balancing the Risks and Benefits in the Cloud

Risks with ‘bring your own device’

Employees are increasingly bringing their own smartphones, tablets or laptops to work. In addition, many companies are giving employees an allowance or subsidy to buy their own computer equipment. These trends, known as ‘bring your own device’, present a major challenge to IT departments more used to having greater control over every device on the network. There is also the risk that a device owned by an employee might be used for non-work activity that may expose it to more malware than a device strictly used for business purposes only.

The proliferation in mobile devices in the home and in business has been fueled in large part by the growth in cloud-based services and applications, without access to the Internet many mobile devices lack a great deal of the functionality that has made them attractive in the first place.

Threats against mobile devices

Over the past ten years we have seen a proliferation of mobile devices but there has not yet been a corresponding rise in mobile threats on the same level as we have seen in PC malware. If we look at how PC malware evolved, there are three factors needed before a major increase of mobile malware will occur: a widespread platform, readily accessible development tools, and sufficient attacker motivation (usually financial). The first has been fulfilled most recently with the advent of Android. Its growing market share parallels the rise in the number of mobile threats during 2011.

Figure 9: Total mobile malware family count 2010-2012. Source: Symantec

Unlike closed systems such as Apple’s iPhone, Android is a relatively open platform. It is easier for developers, including malware writers, to write and distribute applications. In 2011, we saw malware families, such as Opfake; migrate from older platforms to Android. The latest strains of Opfake have used server-side polymorphism in order to evade traditional signature-based detection. Without a single Android marketplace for apps and central control over what is published, it is easy for malware authors to create trojans that are very similar to popular apps , although Android users must explicitly approve the set of permissions that is outlined for each app.

Currently, more than half of all Android threats collect device data or track users’ activities. Almost a quarter of the mobile threats identified in 2011 were designed to send content and one of the most popular ways for phone malware authors to make money is by sending premium SMS messages from infected phones. This technique was used by 18% of mobile threats identified in 2011. Increasingly, phone malware does more than send SMS. For example, we see attacks that track the user’s position with GPS and steal information.

The message that is coming through loud and clear is that the creators of these threats are getting more strategic and bolder in their efforts. People regard their phones as personal, private, intimate parts of their life and view phone attacks with alarm. The motivations for such attacks are not always monetary: in this example, it was about gathering intelligence and personal information.

Mobile threats are now employing server-side polymorphic techniques and the number of variants of mobile malware attacks is currently rising faster than the number of unique families of mobile malware. Monetization is still a key driver behind the growth in mobile malware and the current mobile technology landscape provides some malicious opportunities; however, there are none at the same revenue scale achievable in Windows, yet.

What mobile malware does with your phone

Figure 10: Key functionality of mobile risks. Source: Symantec

Consumerization of IT and cloud computing

As more people are bringing their own devices to work, consumer technology is invading the office.. They’re also using social networking sites for a variety of purposes, including marketing. And they’re using cloud applications instead of company-managed software to store files or communicate.

In some cases, this is being done ‘below the radar’ by individual employees without the support of the company. In other cases, businesses are embracing the benefits of cloud computing, mobile working and the price/performance of consumer devices to reduce costs and improve productivity. For example, 37% of businesses globally are already adopting cloud solutions^xxviii.

The risks of unmanaged employee adoption of cloud computing or the use of consumer devices and consumer websites in business are clear. But even if companies deliberately choose consumerization, there are still security challenges. It makes it harder for companies to erect an impermeable boundary around the business and control exactly what is on employees’ PCs and how data is stored, managed and transferred, especially when tracking how and where corporate data and information is being used.

Confidence in the Cloud: Balancing Risks

Many companies are keen to adopt cloud computing. It can reduce costs by outsourcing routine services, such as email or CRM, to third-party specialists and by swapping upfront capital expenditure with lower, more predictable per-user fees. It can also give companies access to newer and better technology without the difficulties of installing or upgrading in-house hardware.

However, it is not without its risks. The first risk is unmanaged employee use of cloud services. For example, an employee starts using a file sharing Web site to transfer large documents to clients or suppliers, or sets-up an unofficial company page or discussion forum on a popular social networking site. In fact, the tighter the IT department holds the reins, the more likely it is that employees will work around limitations using third party Web sites.

The main risks involved in the use of ad-hoc cloud computing services include:

Security and compliance - the interfaces between users, endpoints and backend systems all need to be secure with appropriate levels of access control in place.
Is data encrypted as it is transferred over the internet?
Non-compliance with data protection regulations –for example, if the data is hosted overseas, from a European standpoint this could result in a breach of privacy legislation.
Lack of vendor validation – is the service reputable and secure? Can the users easily transfer their data to another vendor should the need arise?
Public and private cloud providers depend on system availability and strong service level agreements (SLAs) can help to promote high availability.
Secure access control over company data stored on third party systems. Does the service offer control over how the data is stored and how it can be accessed?
If the service is unavailable for any reason, the company may be unable to access its own data.
Are there legal risks and liabilities that may arise as a result of vendor terms and conditions? Always make sure the terms and conditions are clear and service level performance can be monitored against the agreed SLAs.

IT managers and CISOs can address these concerns by validating an approved list of cloud applications in the same way that they would authorize on-premise software. This needs to be backed-up with the appropriate acceptable usage policies, employee training and, if necessary, enforcement using Web site access control technology. In addition, where employees access consumer sites for business use, such as using social networking services for marketing, companies need to protect users against potential attacks from Web-hosted malware and spam.

^xxviiiAppendix D: Vulnerability Trends: Figure D.3

Spam Activity Trends

Spam in 2011

Despite a significant drop in email spam in 2011 (dropping to an average of 75.1% of all email in 2011 compared with 88.5% in 2010), spam continues to be a chronic problem for many organizations and can be a silent-killer for smaller businesses, particularly if their email servers become overwhelmed by millions of spam emails each day. With the power of botnets, robot networks of computers infected with malware and under the control of cybercriminals, spammers can pump out billions of spam emails every day, clogging-up company networks and slowing down communications. There were, on average, 42 billion spam messages a day in global circulation in 2011, compared with 61.6 billion in 2010.

In 2011, we saw spam, phishing and 419 scams exploit political unrest (e.g. the Arab spring), the deaths of public figures (e.g. Muammar Gadhafi, Steve Jobs and Amy Winehouse) and natural disasters (e.g. the Japanese tsunami). They are the same topics that newspapers cover and for the same reasons: they attract readers’ attention.

Unlike spam, phishing activity continued to rise (up to 0.33% or 1 in 298.0 of all email in 2011, from 0.23% or 1 in 442.1 in 2010). The proportion of phishing emails varied considerably by company size with the smallest and largest companies attracting the most, but the proportion of spam was almost identical for all sizes of business.

Figure 11: Percentage of email identified as spam, 2011. Source: Symantec

Impact of botnets on spam

Overall in 2011, botnets produced approximately 81.2% of all spam in circulation, compared with 88.2% in 2010. Between March 16th and March 17th, 2011, many Rustock command and control (C&C) servers located in the US were seized and shut down by US federal law enforcement agents, resulting in an immediate drop in the global spam volume from 51 billion spam messages a day in the week before the shutdown to 31.7 billion a day in the week afterwards.

The changing face of spam

Between 2010 and 2011, pharmaceutical spam fell by 34%, in large part owing to the demise of the Rustock botnet, which was mainly used to pump-out pharmaceutical spam. In contrast, messages about watches and jewelry, and sex and dating both increased as a percentage. Not only were there fewer spam emails in circulation, but smaller message sizes were the most common and English remained the lingua franca of spam^xxix, with Portuguese, Russian and Dutch the next most popular languages (albeit with a much smaller ‘market share’).

As the popularity of social networking and micro-blogging sites continues to grow, spammers increasingly target them as well as traditional email for their messages. Having your content go viral is not just the dream of legitimate marketers, but cybercriminals distributing malware and spam are also finding new ways to exploit the power of social media and are even tricking users into spreading their links for them.

Figure 12: Top ten spam email categories, 2010-2011. Source: Symantec.cloud

URL shortening and spam

Spammers are making greater use of URL shortening services, even establishing their own shortening services along the way. These sites take a long website address and shorten them, making them easier to share. This has many legitimate uses and is popular on social networking and micro-blogging sites. Spammers take advantage of these services to hide the true destination of links in their unwanted messages. This makes it harder for users to know what they are clicking on and it increases the work needed for spam filtering software to check if a link in an email is legitimate or not.

Spammers sometimes redirect a website address through many different shortened links. There are so many shortening services that if one gets shut down or improves security, spammers can move on to the next site. In May 2011, the first evidence^xxx of spammers using their own URL shortening services appeared, and spammers were hosting their own shortened Web sites redirecting visitors to spam Web sites. These shortened links first pass through bona fide URL shortening services, in a bid to hide the true nature of the spam URL from the legitimate shortening service.

Initially, spammer-operated link shorteners were rudimentary and based on freely-available open source tools. Spammers used these services to make it more difficult to detect and block spam activity based on the URLs involved, and further conceal the true location of the promoted sites. They generated different URLs for use in different environments, such as social networking, micro-blogging and email campaigns. Spammers also used fake profiles on Twitter to send messages containing the same shortened links, with each profile using different trending topics to promote their messages.

As an added bonus, link shortening sites can give them feedback through a dashboard provided by the URL shortening service about the number of click-throughs on a given link so that they can use this information to target the messages better. In other words, they can find out what people like to click and send out more of that, increasing the effectiveness of their campaigns.

^xxixAppendix C: Spam and Fraud Activity Trends

^xxxhttp://www.symanteccloud.com/en/gb/mlireport/MLI_2011_05_May_FINAL-en.pdf

Malicious Code Trends

Malware in 2011

By analyzing malicious code we can determine which threats types and attack vectors are being employed. The endpoint is often the last line of defense, but it can often be the first-line of defense against attacks that spread using USB storage devices, insecure network connections and compromised, infected websites. Symantec’s cloud-based technology and reputation systems can also help to identify and block new and emerging attacks that haven’t been seen before, such as new targeted attacks employing previously unknown zero-day exploits. Analysis of malware activity trends both in the cloud and at the endpoint can help to shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers.

Corresponding to their large internet populations, the United States, China and India remained the top sources for overall malicious activity. The overall average proportion of attacks originating from the United States increased by one percentage point compared with 2010, while the same figure for China saw a decrease by approximately 10 percentage points compared with 2010.

The United States was the number one source of all activities, except for malicious code and spam zombies, where India took first place. Around 12.6% of bot activity originated in the USA as did 33.5% of web-based attacks, 16.7 % of network attacks and 48.5% of phishing websites.

Website malware

Drive-by attacks continue to be a challenge for consumers and businesses. They are responsible for hundreds of millions of attempted infections every year. This happens when users visit a website that is host to malware. It can happen when they click on a link in an email or a link from social networking site or they can visit a legitimate website that has, itself, been infected.

Attackers keep changing their technique and they have become very sophisticated. Badly-spelled, implausible email has been replaced by techniques such as ‘clickjacking’ or ‘likejacking’ where a user visits a website to watch a tempting video and the attackers use that click to post a comment to all the user’s friends on Facebook, thereby enticing them to click on the same malicious link.

As result, Facebook has implemented a ‘Clickjacking Domain Reputation System’ that has eliminated the bulk of clickjacking attacks by asking a user to confirm a Like before it posts, if the domain is considered untrusted.

Based on Norton Safe Web^xxxi data – Symantec technology that scans the Web looking for websites hosting malware – we’ve determined that 61% of malicious sites are actually regular Web sites that have been compromised and infected with malicious code.

By category, the top-5 most infected websites are:

Blogs and Web communications
Hosting/Personal hosted sites
Business/Economy
Shopping
Education and Reference.

It is interesting to note that Web sites hosting adult/pornographic content are not in the top five, but ranked tenth.The full list can be seen in figure 16.

Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.

Figure 13: Average number of malicious Web sites identified per day, 2011. Source: Symantec.cloud

In 2011, the Symantec VeriSign website malware scanning service^xxxii scanned over 8.2 Billion URLs for malware infection and approximately 1 in 156 unique websites were found to contain malware. Websites with vulnerabilities are more risk of malware infection and Symantec began offering its SSL customers a website vulnerability assessment scan from October 2011. Between October and the end of the year, Symantec identified that 35.8% of websites had at least one vulnerability and 25.3% had a least one critical vulnerability.

Email-borne Malware

The number of malicious emails as a proportion of total email traffic increased in 2011. Large companies saw the greatest rise, with 1 in 205.1 emails being identified as malicious for large enterprises with more than 2,500 employees. For small to medium-sized businesses with up to 250 employees, 1 in 267.9 emails were identified as malicious.

Criminals disguise the malware hidden in many of these emails using a range of different attachment types, such as PDF files and Microsoft Office documents. Many of these data file attachments include malicious code that takes advantage of vulnerabilities in the parent applications, and at least two of these attacks have exploited zero-day vulnerabilities in Adobe Reader.

Malware authors rely on social engineering to make their infected attachments more clickable. For example, recent attacks appeared to be messages sent from well-known courier and parcel delivery companies regarding failed deliveries. In another example, emails purporting to contain atachments of scanned images sent from network-attached scanners and photocopiers. The old guidance about not clicking on unknown attachments is, unfortunately, still relevant.

Figure 14: Ratio of malware in email traffic, 2011. Source: Symantec.cloud

Moreover, further analysis revealed that 39.1% of email-borne malware comprised hyperlinks that referenced malicious code, rather than malware contained in an attachment. This is an escalation on the 23.7% figure in 2010, and a further indication that cybercriminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email-based, to using the Web.

Border Gateway Protocol (BGP) Hijacking

In 2011 we investigated^xxxiii a case where a Russian telecommunications company had had its network hijacked by a spammer. They were able to subvert a fundamental Internet technology - the Border Gateway Protocol - itself to send spam messages that appeared to come from a legitimate (but hijacked) source. Since spam filters rely, in part, on blacklists of known spam senders, this technique could allow a spammer to bypass them. Over the course of the year, we found a number of cases like this. Even though this phenomenon remains marginal at this time, compared to spam sent from large botnets, it is one to watch in the coming year.

Polymorphic threats

Polymorphic malware or specifically, “server-side” polymorphism is the latest escalation in the arms race between malware authors and vendors of scanning software. The polymorphic technique works by constantly varying the internal structure or content of a piece of malware. This makes it much more challenging for traditional pattern-matching based anti-malware to detect. For example, by performing this function on a Web server, or in the cloud, an attacker can generate a unique version of the malware for each attack.

In 2011, the Symantec.cloud email scanner frequently identified a polymorphic threat, Trojan.Bredolab, in large volumes. It accounted for 7.5% of all email malware blocked, equivalent to approximately 35 million potential attacks throughout the whole year. It used a range of techniques for stealth including server-side polymorphism, customized packers, and encrypted communications. Figure 15 below, illustrates this rise in Bredolab polymorphic malware threats being identified using cloud-based technology. This chart shows detection for emails that contained a document-style attachment purporting to be an invoice or a receipt, and prompting the user to open the attachment.

Figure 15: Rise in email-borne Bredolab polymorphic malware attacks per month, 2011. Source: Symantec.cloud

Exploiting the Web: Attack toolkits, rootkits and social networking threats

Attack toolkits, which allow criminals to create new malware and assemble an entire attack without having to write the software from scratch, account for nearly two-thirds (61%) of all threat activity on malicious websites. As these kits become more widespread, robust and easier to use, this number is expected to climb. New exploits are quickly incorporated into attack kits. Each new toolkit version released during the year is accompanied with increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see an increased use of it in the wild, making as much use of the new exploits until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year.

On average, attack toolkits contain around 10 different exploits, mostly focusing on browser independent plug-in vulnerabilities like Adobe Flash Player, Adobe Reader and Java. Popular kits can be updated every few days and each update may trigger a wave of new attacks.

They are relatively easy to find and sold on the underground black market and web forums. Prices range from $40 to $4,000.

Attackers are using Web attack toolkits in two main ways:

Targeted attacks. The attacker selects a type of user he would like to target. The toolkit creates emails, IMs, blog posts to entice the target audience to the infected content. Typically, this will be a link to a malicious website that will install the malware on the victim’s system.
Broadcast attacks. The attacker starts by targeting a broad range of websites using SQL injection, web software, or server exploitation. The objective is to insert a link from an infected website to a malicious site that will infect visitors. Once successful, each subsequent visitor will be attacked.

Rootkits

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality. Rootkits have been around for some time—the Brain virus was the first identified rootkit to employ these techniques on the PC platform in 1986—and they have increased in sophistication and complexity since then.

Rootkits represent a small percentage of attacks but they are a growing problem and, because they are deeply hidden, they can be difficult to detect and remove. The current frontrunners in the rootkit arena are Tidserv, Mebratix, and Mebroot. These samples all modify the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded. Variants of Downadup (aka Conficker), Zbot (aka ZeuS), as well as Stuxnet all use rootkit techniques to varying degrees.

As malicious code becomes more sophisticated it is likely that they will increasingly turn to rootkit techniques to evade detection and hinder removal. As users become more aware of malicious code that steals confidential information and competition among attackers increases, it is likely that more threats will incorporate rootkit techniques to thwart security software.

Social media threats

With hundreds of millions of people on social networking sites, it is inevitable that online criminals would attack them there. A social medium is perfect for social engineering: it’s easier to fool someone when they think they’re surrounded by friends. More than half of all attacks identified on social networking Web sites were related to malware hosted on compromised Blogs/Web Communications Web sites. This is where a hyperlink for a compromised Web site was shared on a social network. It is also increasingly used for sending spam messages for the same reasons.

All social media platforms are being exploited and in many different ways. But Facebook, as the most popular, provides some excellent examples on how social engineering flourishes in social media. Criminals take advantage of people’s needs and expectations. For example, Facebook doesn’t provide a ‘dislike’ button or the ability to see who has viewed your profile, so criminals have exploited both concepts.

Quick Response (QR) codes

QR codes have sprung up everywhere in the last couple of years. They are a way for people to convert a barcode into a Web site link using a camera app on their smartphone. It’s fast, convenient and dangerous. Spammers are already using it to promote black-market pharmaceuticals and malware authors have used it to install a trojan on Android phones. In combination with link shortening, it can be very hard for users to tell in advance if a given QR code is safe or not, so consider a QR reader that can check a Web site’s reputation before visiting it.

Once the bait has been taken the victim must be reeled in. The next step in these attacks fools the user into taking an action to propagate the threat, for example installing an app, downloading ‘update’ to your video software or clicking on a button to prove you’re human. The attackers persuade their victims to infect themselves and spread the bait to everyone in their social circles.

It must be stated that this is not just a Facebook issue; variations of these threats run on all social media platforms. The number of threats on each of these platforms is directly proportional to the number of users on these sites. It is not indication of the “security” or safety of a site.

Dangerous Web sites

Figure 16: Most dangerous Web site categories, 2011. Source: Symantec

Macs are not immune

The first known Mac-based bot network emerged in 2009 and 2011 saw a number of new threats emerge for Mac OS X, including trojans like MacDefender, a fake anti-virus program. It looks convincing and it installs without requiring admin permission first. Mac users are exposed to sites that push trojans by means of SEO poisoning and social networking. In May 2011, Symantec found a malware kit for Mac (Weyland-Yutani BOT) the first of its kind to attack the Mac OS X platform, and Web injections as a means of attack. While this type of crime kit is common on the Windows platform, this new Mac kit is being marketed as the first of its kind^xxxiiv. In addition, many attack tools have become cross-platform, exploiting Java exploits whether they are on Macs or Windows PCs. As a result of these trends, Mac users need to be more mindful of security risks and can’t afford to assume that they are automatically immune from all threats.

Figure 17: MacDefender trojan screenshot. Source: Symantec

^xxxiFor more information on Norton Safe Web, please visit http://safeweb.norton.com

^xxxiiFor more information on the Symantec website vulnerability assessment service:http://www.symantec.com/theme.jsp?themeid=ssl-resources

^xxxiiiFurther information can be found in Appendix C: Spam and Fraud Activity Trends

^xxxivhttp://krebsonsecurity.com/tag/weyland-yutani-bot/

Closing the Window of Vulnerability: Exploits and Zero-day Attacks

A vulnerability is a weakness, such as a coding error or design flaw that allows an attacker to compromise availability, confidentiality, or integrity of a computer system. Early detection and responsible reporting helps to reduce the risk that a vulnerability might be exploited before it is repaired.

Number of vulnerabilities

We identified 4,989 new vulnerabilities in 2011, compared to 6,253 the year before. (See Appendix D for more historical data and details on our methodology.) Despite this decline, the general trend over time is still upward and Symantec discovered approximately 95 new vulnerabilities per week.

Weaknesses in critical infrastructure systems

SCADA systems (Supervisory Control and Data Acquisition) are widely used in industry and utilities such as power stations for monitoring and control. We saw a dramatic increase in the number of publicly-reported SCADA vulnerabilities from 15 in 2010 to 129 in 2011. Since the emergence of the Stuxnet worm in 2010^xxxv, SCADA systems have attracted wider attention from security researchers. However, 93 of the 129 new published vulnerabilities were the product of just one security researcher.

Old vulnerabilities are still under attack

On PCs, a six-year old vulnerability^xxxvi in many Microsoft operating systems was, by far, the most frequently attacked vulnerability in 2011, clocking in at over 61 million attacks against the Microsoft Windows RPC component^xxxvii. It was more heavily attacked than the next four vulnerabilities put together^xxxviii.

The most commonly exploited data file format in 2011 was PDF. For example, one PDF-related vulnerability attracted more than a million attacks in 2011.

Patches are available for all five of the most-attacked vulnerabilities, so why do criminals still target them? There are several explanations.

They are cheaper to attack. Criminals have to pay a premium on black market exchanges^xxxix for information about newer vulnerabilities but they can buy malware off the shelf to target old ones.
Attacking newer vulnerabilities may attract more attention than going after older, well-known weaknesses. Some online criminals prefer a lower profile.
There is a still a large pool of potential victims because a proportion of the user base can’t, won’t or don’t install patches or install a current and active endpoint security product.

Web browser vulnerabilities

Web browsers are a popular target for criminals and they exploit vulnerabilities in browsers such as Internet Explorer, Firefox or Chrome as well as plugins such as PDF readers. Criminals can buy toolkits for between USD $100 and USD $1,000 that will check up to 25 different vulnerabilities when someone visits an infected Web site.

In 2011, we saw a big drop off in reported vulnerabilities in all the popular browsers from a total of 500 in 2010 to a total of 351 in 2011. Much of this improvement was due to a big reduction in vulnerabilities in Google Chrome.

Overall, the number of vulnerabilities affecting browser plug-ins dropped very slightly from 346 to 308.

New zero-day vulnerabilities create big risks

A zero-day attack exploits an unreported vulnerability for which no vendor has released a patch. This makes them especially serious because they are much more infective. If a non-zero-day attack gets past security, it can still be thwarted by properly-patched software. Not so a zero-day attack.

For example, in 2011 we saw vigorous attacks against a vulnerability in Adobe Reader and Adobe Acrobat that lasted for more than two weeks. It peaked at more than 500 attacks a day before Adobe released a patch on December 16, 2011.

The good news is that 2011 had the lowest number of zero day vulnerabilities in the past 6 years. While the overall number of zero day vulnerabilities is down, attacks using these vulnerabilities continue to be successful which is why they are often used in targeted attacks, such as W32.Duqu.

Figure 19: Browser vulnerabilities in 2010 and 2011. Source: Symantec

Figure 20: Web browser plug-in vulnerabilities. Source: Symantec

^xxxvFor more on Stuxnet see: http://www.symantec.com/connect/blogs/hackers-behind-stuxnet and http://www.youtube.com/watch?v=cf0jlzVCyOI

^xxxviCVE-2008-4250 See http://www.securityfocus.com/bid/31874

^xxxvii61.2 million attacks were identified against Microsoft Windows RPC component in 2011, and were mostly using the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). See http://www.securityfocus.com/bid/31874

^xxxviiiAppendix D: Vulnerability Trends: Figure D.3

^xxxixSee http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html

Conclusion: What’s Ahead in 2012

A wise man once said, ‘Never make predictions, especially about the future’. Well, this report has looked back at 2011 but in the conclusion we’d like to take a hesitant peak into the future, projecting the trends we have seen into 2012 and beyond¹.

Targeted attacks and APTs will continue to be a serious issue and the frequency and sophistication of these attacks will increase.
Techniques and exploits developed for targeted attacks will trickle down to the broader underground economy and be used to make regular malware more dangerous.
Malware authors and spammers will increase their use of social networking sites still further.
The CA/Browser Forum will release additional security standards for companies issuing digital certificates to secure the internet trust model against possible future attacks.
Consumerization and cloud computing will continue to evolve, perhaps changing the way we do business and forcing IT departments to adapt and find new ways to protect end users and corporate systems.
Malware authors will continue to explore ways to attack mobile phones and tablets and, as they find something effective and money-making, they will exploit it ruthlessly.
In 2011, malicious code targeting Macs was in wider circulation as Mac users were exposed to websites that were able to drop trojans. This trend is expected to continue through 2012 as attack code exploiting Macs becomes more integrated with the wider web-attack toolkits.
While external threats will continue to multiply, the insider threat will also create headlines, as employees act intentionally – and unintentionally – to leak or steal valuable data.
The foundation for the next Stuxnet-like APT attack may have already been laid. Indeed Duqu may have been the first tremors of a new earthquake, but it may take longer for the aftershock to reach the public domain.

¹Source and inspiration: http://www.symantec.com/connect/blogs/it-predictions-2012-qa-francis-desouza

Threat Activity Trends

The following section of the Symantec Global Internet Security Threat Report provides an analysis of threat activity, as well as other malicious activity, data breaches, and Web-based attacks that Symantec observed in 2011. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and attack origins. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.

This section will discuss the following metrics, providing analysis and discussion of the trends indicated by the data:

Spam and Fraud Activity Trends

Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and a typically more stable connection. Symantec categorizes malicious activities as follows:

Malicious code: This includes programs such as viruses, worms, and Trojans that are covertly inserted into programs. The purposes of malicious code include destroying data, running destructive or intrusive programs, stealing sensitive information, or compromising the security or integrity of a victim’s computer data.
Spam zombies: These are remotely controlled, compromised systems specifically designed to send out large volumes of junk or unsolicited email messages. These email messages can be used to deliver malicious code and phishing attempts.
Phishing hosts: A phishing host is a computer that provides website services in order to illegally gather sensitive user information while pretending that the attempt is from a trusted, well-known organization by presenting a website designed to mimic the site of a legitimate business.
Bot-infected computers: Malicious programs have been used to compromise these computers to allow an attacker to control the targeted system remotely. Typically, a remote attacker controls a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.
Network attack origins: This measures the originating sources of attacks from the Internet. For example, attacks can target SQL protocols or buffer overflow vulnerabilities.
Web-based attack origins: This measures attack sources that are delivered via the Web or through HTTP. Typically, legitimate websites are compromised and used to attack unsuspecting visitors.

Methodology

This metric assesses the sources from which the largest amount of malicious activity originates. To determine malicious activity by source, Symantec has compiled geographical data on numerous malicious activities, namely: malicious code reports, spam zombies, phishing hosts, bot-infected computers, network attack origins, and Web-based attack origins. The proportion of each activity originating in each source is then determined. The mean of the percentages of each malicious activity that originates in each source is calculated. This average determines the proportion of overall malicious activity that originates from the source in question and the rankings are determined by calculating the mean average of the proportion of these malicious activities that originated in each source.

Data

Figure A.1. Malicious activity by source: Overall rankings, 2010-2011. Source Symantec

Figure A.2. Malicious activity by source: Malicious code, 2010-2011. Source: Symantec

Figure A.3. Malicious activity by source: Spam zombies, 2010-2011. Source: Symantec

Figure A.4. Malicious activity by source: Phishing hosts, 2010-2011. Source: Symantec

Figure A.5. Malicious activity by source: Bots, 2010-2011. Source: Symantec

Figure A.6. Malicious activity by source: Web attack origins, 2010-2011. Source: Symantec

Figure A.7. Malicious activity by source: network attack origins, 2010-2011. Source: Symantec

Commentary

In 2011, the United States and China remained the top two sources overall for malicious activity. The overall average proportion of attacks originating from the United States in 2011 increased by 1.8 percentage points compared with 2010, while the same figure for China saw a decrease by approximately 7 percentage points compared with 2010.
The United States was ranked in first position for the source of all activities except for Malicious Code, Spam Zombies and Network Attacks, for which India was ranked in first position in the first two cases, and China the latter.
12.6% of bot activity originated in The United States: The United States was already the main source of bot-infected computers for the Rustock until in March 2011¹, when the botnet was disrupted. Rustock had been one of the largest and most dominant botnets in 2010 and frequently associated with the Tidserv Trojan. Rustock was estimated to comprise of approximately 1.5 million bot-infected computers and was taken out of action in March 2011. This resulted in a seismic shift in the botnet landscape. By the end of 2011, other botnets with spam zombies in other parts of the world were able to take on a more dominant role in spam distribution.
33.5% of Web-based Attacks originated in the United States: Web-based attacks originating from the United States increased by 26.0 percentage points in 2011. Factors that contributed to this activity include attacks related to the Blackhole and Phoenix Web attack kits, exploiting legitimate websites that have been compromised in order to conduct further attacks. Web-based attacks originating from China decreased by 55.8 percentage points in 2011.
26.9% of Network Attacks originated in China. China has the largest population of Internet users² in the Asia region, with approximately 513 million internet users in 2011. The internet penetration rate in China was 38.4% in 2011.
48.5% of Phishing websites were hosted in the United States. In 2011, with approximately 245 million internet users, The United States had an internet penetration rate of 78.3%.
17.5% of Spam Zombies were located in India, an increase of 11.0 percentage points compared with 2010. The proportion of spam zombies located in the United States fell by 6.4 percentage points to 1.8%, resulting in the United States being ranked in 15th position in 2011, compared with 2nd position in 2010. This decline was in large part as a result of the disruption of the Rustock botnet, which at its peak in 2010 had an estimated 1.5M computers under its control.
15.3% of all Malicious Code activities originated from India, an increase of 2.7 percentage points compared with 2010. India is home to the second largest population of internet users in Asia in 2011, with an estimated 121.0 million users and an Internet penetration rate of 10.2%.

¹http://www.messagelabs.com/mlireport/MessageLabsIntelligence_2010_Annual_Report_FINAL.pdf, page 15

²Internet population and penetration rates in 2011 courtesy of Internet Word Stats - http://www.internetworldstats.com

Malicious Website Activity

Background

The circumstances and implications of Web-based attacks vary widely. They may target specific businesses or organizations, or they may be widespread attacks of opportunity that exploit current events, zero-day vulnerabilities, or recently patched and publicized vulnerabilities that some users have yet to protect themselves against. While major attacks may have individual importance and often receive significant attention when they occur, examining overall Web-based attacks provides insight into the threat landscape and how attack patterns may be shifting. Analysis of the underlying trend can provide insight into potential shifts in Web-based attack usage and can assist in determining if attackers are more or less likely to employ Web-based attacks in the future.

Methodology

This metric assesses changes to the prevalence of Web-based attack activity by tracking the trend in the average number of malicious websites blocked each day by users of Symantec.cloud Web security services, for websites that have been compromised and contain malicious code. Underlying trends observed in the sample data provide a reasonable representation of overall malicious Web-based activity trends.

This reflects the rate at which websites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity. As detection for Web-based malware increases, the number of new websites blocked decreases and the proportion of new malware begins to rise, but initially on fewer websites.

Data

Figure A.8. Malicious website activity, 2010-2011. Source: Symantec

Commentary

The average number of malicious websites blocked each day rose by 36.0% in 2011 to 4,595, compared with 3,379 in 2010.
The peak rate of malicious activity was 9,315 in December 2011, when approximately double the average number of malicious websites was being blocked each day. This increase was related to a rise in the number of malicious IFRAME tags being blocked. Detection for a malicious IFRAME is triggered in HTML files that contain hidden IFRAME elements with JavaScript code that attempts to perform malicious actions on the computer; for example, when visiting a malicious Web page, the code attempts to quietly direct the user to a malicious URL while the current page is loading.
In 2011, the number of malicious domains blocked rose to 55,294 compared with 42,926 in 2010, an increase of 28.8%.
Further analysis of malicious code activity may be found in Appendix X: Malicious Code Trends - Top Malicious Code Families.

Analysis of Malicious Web Activity by Attack Toolkits

Background

The increasing pervasiveness of Web browser applications, along with increasingly common, easily exploited Web browser application security vulnerabilities, has resulted in the widespread growth of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to those computers. Symantec analyzes attack activity to determine which types of attacks and attack toolkits attackers are utilizing. This can provide insight into emerging Web attack trends and may indicate the types of attacks with which attackers are having the most success.

Methodology

This metric assesses the top Web-based attack activity originating from compromised legitimate sites and intentionally malicious sites set up to target Web users in 2011. To determine this, Symantec ranks attack activity by the volume of associated reports observed during the reporting period. The top 10 Web-based attack activities are analyzed for this metric.

Data

Figure A.9. Malicious website activity: Attack toolkit trends, 2011. Source: Symantec

Figure A.10. Malicious website activity: Overall frequency of attack toolkits, 2011. Source: Symantec

Commentary

Web-based client side exploit toolkits, or web-kits, have been around since about March of 2006 with the release of WebAttacker. For some time, these web-kits expanded their list of targeted victim software, but existed with essentially the same business model; nefarious users could purchase the attack kit and use it to build their hijacked computer networks. Once the market was established, prices steadily increased from WebAttacker’s $15 (USD) price tag on into the $1,000 (USD) range. The market existed in this fashion, with the web-kits including ever more exploits, and ever more IPS (Intrusion Prevention Systems) evasion techniques until about 2009 when web-kits began to be sold as a service, or simply kept as private.

Since this time, web-kit taxonomy has been much more difficult. Often Symantec will find new web-kits in operation in the field, with little to no concrete evidence of which web-kit it is a variant of. Gone are the days when a login, or stats page would be installed at a known location revealing the web-kit name, and version. The analyst is required to rely on techniques such as comparing core similarities, install bases and methods in order to determine whether a new web-kit may be a strain of an existing one.

Users are often targeted by Web exploitation kits in either of two main ways; targeted, or broadcast, sometimes referred to as sniper and shotgun:

Targeted attacks begin with the attacker selecting a specific victim, or type of user they would like to target. Associated emails, Instant Messages, blog-posts, etc. are then created to entice the target audience to infected content. This infected content will effectively be a redirection from an otherwise benign Web page or email to an attack site. Such attack sites will typically then launch a drive-by attack against the victim.

Broadcast attacks, on the other hand, typically begin with an attack against a broader body of websites. This may come in the form of SQL Injection, Web software compromise, or server vulnerability exploitation. Each of which has the goal of inserting a redirection URL into the content on that webserver. Once successful, each subsequent visitor will be served the attack kit.

Public vs. Private web-kits

Symantec has seen a variety of web exploit kits sold in the public for several years now. Some are offered as a buy outright, service contract, or license models. Other web-kits on the other hand appear to remain private for their lifetime. In these cases, it is likely that the operators are either selling infected machines, or more likely using the infected machines in house.

Web-kits are interesting because of their level of maintenance. An unmaintained web-kit version, or attack site would be of little threat as it would be defeated by even rudimentary security measures. Above is a chart in figure A.10, highlighting some of the major web-kits that have been maintained regularly for a length of time and were active in 2011. Some of these are kits that either are, or at least once were publicly available for sale, or rent, and some others that appear to have been privately operated for their duration. Whilst these can be tracked, and protection can be provided against the evolution of the attack kit, it is not always possible to know by what name the maintainers have given to these kits. For these, Symantec has assigned internal placeholder names.

For example, the private kit that Symantec has been tracking as NumDir internally came by this name because although deployed on several different attack servers, each new version was installed into a fixed, named numeric directory. This kit has been around since at least mid-2010 and has been maintained on a regular basis since this time with only brief interruption. It is not unusual for Symantec to be blocking between 50,000 and 120,000 attacks from it per day.

At the other end of the spectrum are public kits like Blackhole. Owing to its once public nature, Blackhole is tracked by many security researchers. Similarly, it is updated approximately every couple of days, and Symantec blocks in the order of 100,000 to 220,000 attacks using Blackhole each day. The large periodic fluctuations in the number of attacks appear to be a product of the attack waves themselves, as well as the rate at which our users encounter them.

The variety of public and seemingly private exploit kits does not lend itself to universal taxonomy, and while web-kits such as Blackhole, Incognito, and Phoenix are understood to be the names that their authors use, Symantec has been tracking kits such as NumDir, and DoubleSemi, using simple names derived roughly from attributes in the attack encodings.

Payloads

The malware installed via a web-kit infection is frequently comprehensive, and includes various Peer-to-peer and IRC bots, rootkits, and misleading apps. Web-kits have been a major contributor to several pervasive malware families, including Qakbot, Bredolab, TidServe, ZeroAccess, Bamital, Zeus, Waledac, Zlob, Virut, Sasfis, Bank-stealing Trojans, Sality, Vundo, MebRoot, KoobFace and CycBot. For more information on these malware families, please visit http://www.symantec.com/security_response/.

One of the more problematic malware systems recently has been ZeroAccess³. It has been observed being delivered over DoubleSemi, Blackhole, and Phoenix.

³http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

Analysis of Web-based Spyware and Adware Activity

Background

One of the main goals of a drive-by Web-based installation is the deployment of malicious code, but often a compromised website is also used to install spyware or adware code. This is because the cyber criminals pushing the spyware and adware in this way are being paid a small fee for each installation. However, most adware vendors, such as those providing add-in toolbars for Web browsers, are not always aware how their code came to be installed on the users’ computers; the expectation that is that it is with the permission of the end-user, when this is typically not the case in a drive-by installation and may be in breach of the vendors’ terms and conditions of use.

Methodology

This metric assesses the prevalence of Web-based spyware and adware activity by tracking the trend in the average number of spyware and adware related websites blocked each day by users of Symantec.cloud Web security services. Underlying trends observed in the sample data provide a reasonable representation of overall malicious Web-based activity trends.

Data

Figure A.11. Malicious Web activity: Spyware and adware blocked, 2011. Source: Symantec.cloud

Commentary

Only two examples of spyware were found in the top-ten list of unwanted programs in 2011, including Spyware.Perfect and Spyware.Keylogger. Spyware.Perfect is a program that tracks the keystrokes on the computer and logs them in a file. It can be configured to periodically send the log files by email.
The most frequently blocked adware code was related to the Zugo search-based toolbar products and the FunWeb family of adware.
Adware:W32/FunWeb is a family of adware programs that are used to display unsolicited advertising content, often through the use of pop-up windows. FunWeb variants are often bundled with other applications, games and browser plug-ins. Some variants of FunWeb may also redirect users’ browser home page and download additional code functionality.
57.1% of spyware and adware was detected using generic techniques.

Analysis of Web Policy Risks from Inappropriate Use

Background

Many organizations implement an acceptable usage policy to limit employees’ use of internet resources to a subset of Web sites that have been approved for business use. This enables an organization to limit the level of risk that may arise from users visiting inappropriate or unacceptable Web sites, such as those containing sexual images and other potentially illegal or harmful content. Often there will be varying degrees of granularity imposed on such restrictions, with some rules being applied to groups of users or rules that only apply at certain times of the day; for example, an organization may wish to limit employees access to video sharing Web sites to only Friday lunchtime, but may also allow any member of the PR and Marketing teams access at any time of the day. This enables an organization to implement and monitor its acceptable usage policy and reduce its exposure to certain risks that may also expose the organization to legal difficulties.

Methodology

This metric assesses the classification of prohibited websites blocked by users of Symantec.cloud Web security services. The policies are applied by the organization from a default selection of rules that may also be refined and customized. This metric provides an indication of the potential risks that may arise from uncontrolled use of Internet resources.

Data

Figure A.12. Web policies that triggered blocks, 2011. Source: Symantec.cloud

Commentary

46.6% of Web activity blocked through policy controls was related to Advertisement & Popups. Web-based advertisements pose a potential risk though the use of “malvertisements,” or malicious advertisements. These may occur as the result of a legitimate online ad-provider being compromised and a banner ad being used to serve malware on an otherwise harmless website.
The second most frequently blocked traffic was categorized as Social Networking, accounting for 22.7% of policy-based filtering activity blocked, equivalent to approximately one in every 4 Web sites blocked. Many organizations allow access to social networking Web sites, but in some cases implement policies to only permit access at certain times of the day and block access at all other times. This information is often used to address performance management issues, perhaps in the event of lost productivity due to social networking abuse.
Activity related to streaming media policies resulted in 18.9% of policy-based filtering blocks in 2011. Streaming media is increasingly popular when there are major sporting events or high profile international news stories. This activity often results in an increased number of blocks, as businesses seek to preserve valuable bandwidth for other purposes. This rate is equivalent to one in every 5 websites blocked.

Analysis of Website Categories Exploited to Deliver Malicious Code

Background

As organizations seek to implement appropriate levels of control in order to minimize risk levels from uncontrolled Web access, it is important to understand the level of threat posed by certain classifications of websites and categories in order to provide better understanding of the types of legitimate websites that may be more susceptible to being compromised and potentially expose users to greater levels of risk.

Methodology

This metric assesses the classification of malicious Web-sites blocked by users of Norton Safe Web⁴ technology. Data is collected anonymously from over 50 million computers worldwide, where customers voluntarily contribute to this technology, including Norton Community Watch. Norton Safe Web is processing more than 2 billion real-time rating requests each day, and monitoring over 12 million daily software-downloads. Reputation ratings are being tracked for more than 25 million Web sites.

This metric provides an indication of the levels of infection of legitimate Web sites that have been compromised or abused for malicious purposes. The malicious URLs identified by the Safe Web technology were classified by category using the Symantec Rulespace⁵ technology. RuleSpace proactively categorizes Web sites into more than 80 categories in 17 languages.

Figure A.13. Malicious Web activity: Categories that delivered malicious code, 2011. Source: Symantec

Figure A.14. Malicious Web activity: Infected Web sites by category, 2011. Source: Symantec

Figure A.15. Malicious Web activity: Malicious code by number of infections per site, 2011. Source: Symantec

Figure A.16. Malicious Web activity: Fake anti-virus by category, 2011. Source: Symantec

Figure A.17. Malicious Web activity: Browser exploits by category, 2011. Source: Symantec

Figure A.18. Malicious Web activity: Social networking attacks by category, 2011. Source: Symantec

Commentary

Approximately 61% of Web sites used to distribute malware were identified as legitimate, compromised Web sites. This figure excludes URLs that contained just an IP address and did not include general domain parking and pay-per-click Web sites.
19.8% of malicious Web site activity on legitimate, compromised domains was classified in the Blogs and Web Communications category.
Interestingly, pornographic Web sites were not exploited much overall, accounting for 2.4% of all infected Web sites; however, infected pornographic Web sites were found to host a greater number of threats than other categories (except for Religion/Ideologies and Hosting/Personal Hosted Sites – see below). Ranked in third position in figure A16, approximately 25 threats were identified on each infected pornographic Web site, with 44% of these threats being identified as Trojans.
1 in 67 web sites classified as Blogs/Web Communications were found to be compromised with potentially harmful malicious content, compared with 1 in 164 for Education/Reference.
Web sites classified as Religion/Ideologies were found to host the greatest number of threats per site than other categories, with an average of 115 threats per Web sites, the majority of which related to Fake or Rogue Antivirus software.
Analysis of Web sites that were used to deliver drive-by Fake Antivirus attacks revealed that 82% of threats found on compromised Religion/Ideologies Web sites were related to Fake Antivirus software. 26.4% of Fake Antivirus attacks were found on compromised Religion/Ideologies Web sites.
Analysis of Web sites that were used to deliver attacks using browser exploits revealed that 66.5% of threats found on compromised Business / Economy Web sites were related to browser exploits. 23.3% of browser exploit attacks were found on compromised Business / Economy Web sites.
53% of attacks used on social networking Web sites were related to malware hosted on compromised Blogs / Web Communications Web sites. This is where a URL hyperlink for a compromised Web site is shared on a social network. Compromised Hosting/ Personal hosted sites similarly accounted for 44% of social networking attacks.

⁴For more details about Norton Safe Web, please visit http://safeweb.norton.com/

⁵For more details about Symantec Rulespace, please visit http://www.rulespace.com/

Bot-infected Computers

Background

Bot-infected computers, or bots, are programs that are covertly installed on a user’s machine in order to allow an attacker to control the targeted system remotely through a communication channel, such as Internet relay chat (IRC), P2P, or HTTP. These channels allow the remote attacker to control a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.

Bots allow for a wide range of functionality and most can be updated to assume new functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization’s website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information that may be used in identity theft from compromised computers—all of which can lead to serious financial and legal consequences. Attackers favor bot-infected computers with a decentralized C&C⁶ model because they are difficult to disable and allow the attackers to hide in plain sight among the massive amounts of unrelated traffic occurring over the same communication channels, such as P2P. Most importantly, botnet operations can be lucrative for their controllers because bots are also inexpensive and relatively easy to propagate.

Methodology

A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. Of the bot-infected computer activities that Symantec tracks, they can be classified as actively attacking bots or bots that send out spam, i.e. spam zombies.

Distributed denial-of-service (DDoS) campaigns may not always be indicative of bot-infected computer activity, DDoS activity can occur without the use of bot-infected computers. For example, systems that participated in the high-profile DDoS “Operation Payback” attacks used publically available software such as “Low Orbit Ion Cannon” (LOIC) in a coordinated effort to disrupt many businesses Web site operations. Users sympathetic to the Anonymous cause could voluntarily download the free tool from the Web and participate en masse in a coordinated DDoS campaign and required very little technical knowledge. These attacks began at the end of 2010 and continued in 2011, with a wide variety of targets. Interestingly, because of the way the software operated, some attackers didn’t bother to disguise their machines online identifiers, resulting in a number of legal actions later in the year. The analysis reveals the average lifespan of a bot-infected computer for the highest populations of bot-infected computers. To be included in the list, the geography must account for at least 0.1% of the global bot population.

Data

Commentary

Bots located in Romania were active for an average of 29 days in 2011; 1 in 737 of bots worldwide was located in Romania. Romania has one of the lowest fixed-broadband adoption rates in Europe, with fewer than 15%⁷ of households being connected to high-speed Internet access.
It takes more than twice as long to identify and clean-up a bot-infected computer in Romania than in the United States, although the number of infections in the United States is on a magnitude of more than a hundred times greater than that of Romania. One factor contributing to this disparity may be a low level of user-awareness of the issues involved combined with the lower availability of remediation guidance and support tools in the Romanian language.
In the United States, which was home to 1 in 8 (12.6%) of global bot-infected computers, the average lifespan for a bot was 13 days.
Further analysis revealed that 65.2% of bots were controlled using HTTP-based command and control channels.

⁶Command and control

⁷http://ec.europa.eu/information_society/digital-agenda/scoreboard/pillars/broadband/index_en.htm

Analysis of Mobile Threats

Background

Since the first smartphone arrived in the hands of consumers, speculation about threats targeting these devices has abounded. While threats targeted early “smart” devices such as those based on Symbian and Palm OS in the past, none of these threats ever became widespread and many remained proof-of-concept. Recently, with the growing uptake in smartphones and tablets, and their increasing connectivity and capability, there has been a corresponding increase in attention, both from threat developers and security researchers.

While the number of immediate threats to mobile devices remains relatively low in comparison to threats targeting PCs, there have been new developments in the field. And as malicious code for mobile begins to generate revenue for malware authors, there will be more threats created for these devices, especially as people increasingly use mobile devices for sensitive transactions such as online shopping and banking.

As with desktop computers, the exploitation of a vulnerability can be a way for malicious code to be installed on a mobile device.

Methodology

In 2011, there were a significant number of vulnerabilities reported that affect mobile devices. Symantec documented 315 vulnerabilities in mobile device operating systems in 2011, compared to 163 in 2010, an increase of 93.3%.

Symantec tracks the number of threats discovered against mobile platforms by tracking malicious threats identified by Symantec’s own security products and confirmed vulnerabilities documented by mobile vendors.

Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile application (“app”) marketplaces in the hope that users will download and install them, often trying to pass themselves off as legitimate apps or games. Attackers have also taken popular legitimate applications and added additional code to them. Symantec has classified the types of threats into a variety of categories based on their functionality.

Data

Figure A.20. Mobile threats: Newly discovered malicious code, 2010-2011. Source: Symantec

Figure A.21. Mobile threats: Newly discovered malicious code, 2010-2011. Source: Symantec

Figure A.22. Mobile threats: Malicious code families, 2010-2011. Source: Symantec

Figure A.23. Mobile threats: Malicious code by type, 2011. Source: Symantec

NB. For a more detailed breakdown of these larger categories: each subcategory is color-coded to indicate with primary category above it belongs to.

The following are specific definitions of each subcategory:

Collects Device Data—gathers information that is specific to the functionality of the device, such as IMEI, IMSI , operating system, and phone configuration data.
Spies on User—intentionally gathers information from the device to keep monitor a user, such as phone logs and SMS messages, and sends them to a remote source.
Sends Premium SMS—sends SMS messages to premium-rate numbers that are charged to the user’s mobile account.
Downloader—can download other risks on to the compromised device.
Back door—opens a back door on the compromised device, allowing attackers to perform arbitrary actions.
Tracks Location—gathers GPS information from the device specifically to track the user’s location.
Modifies Settings—changes configuration settings on the compromised device.
Spam—sends spam email messages from the compromised device.
Steals Media—sends media, such as pictures, to a remote source.
Elevates Privileges—attempts to gain privileges beyond those laid out when installing the app bundled with the risk.
Banking Trojan—monitors the device for banking transactions, gathering the sensitive details for further malicious actions.
SEO Poisoning—periodically sends the phone’s browser to predetermined URLs in order to boost search rankings.

Commentary

Mobile applications (“apps”) with malicious intentions rose to prominence in 2011, presenting serious risks to users of mobile devices. These metrics show the different functions that these bad mobile apps performed during the year. The data was compiled by analyzing the key functionality of malicious mobile apps. Symantec has identified five primary mobile risk types:

Collect Data. Most common among bad mobile apps was the collection of data from the compromised device. This was typically done with the intent to to carry out further malicious activities, in much the way an information-stealing Trojan might. This includes both device- and user-specific data, ranging from configuration data to banking details. This information can be used in a number of ways, but for the most part, it is fairly innocuous with IMEI⁸ and IMSI⁹ numbers, taken by attackers as a way to uniquely identify a device. More concerning is data gathered about the device software, such as operating system (OS) version or applications installed, to carry out further attacks (say, by exploiting a software vulnerability). Rarer, but of greatest concern is when user-specific data, such as banking details, is gathered in an attempt to make unauthorized transactions. While this category covers a broad range of data, the distinction between device and user data is given in more detail in the subcategories below.

Track User. The next most common purpose was to track a user’s personal behavior and actions. These risks take data specifically to spy on the individual using the phone. This is done by gathering up various communication data, such as SMS messages and phone call logs, and sending them to another computer or device. In some instances they may even record phone calls. In other cases these risks track GPS coordinates, essentially keeping tabs on the location of the device (and their user) at any given time. Gathering pictures taken with the phone also falls into this category.

Send Content. The third-largest group of risks is bad apps that send out content. These risks are different from the first two categories because their direct intent is to make money for the attacker. Most of these risks will send a text message to a premium SMS number, ultimately appearing on the mobile bill of the device’s owner. Also within this category are risks that can be used as email spam relays, controlled by the attackers and sending unwanted emails from addresses registered to the device. One threat in this category constantly sent HTTP requests in the hopes of bumping certain pages within search rankings.

Traditional Threats. The fourth group contains more traditional threats, such as back doors and downloaders. Attackers seem keen to port these types of risks from PCs to mobile devices, and progress has been made in 2011.

Change Settings. Finally there are a small number of risks that focus on making configuration changes. These types attempt to elevate privileges or simply modify various settings within the operating system. The goal for this final group seems to be to perform further actions on the compromised devices.

Growth in Android Threats

The Opfake family, a threat targeting Eastern Europe, is a good example. This threat was originally written for Windows Mobile/Symbian/JAVAME phones. Similar experiments have occurred in China where Android.Adsms and Android.Stiniter have appeared. Both originated as Symbian threats before the malware authors moved to Android. We expect this to be a common trend, especially among affiliate network related threats

Old tricks moving to new platforms

Premium SMS dialers have always been a problem on the mobile threat landscape, especially in Eastern Europe, where dialers showed up on mobiles phones not to long after the introduction of the micro edition of Java virtual machine for mobile devices. It should be no surprise that the authors who have been leveraging this lucrative revenue source appear to be making a switch to the newer, popular platforms.

The creators of mobile threats are getting more strategic and bolder in their efforts. A good example of this is the attempts to complicate the uninstallation of an infection. One such strategy being used is to breakdown the malicious packages into staged payloads. The idea is simple, instead of having one payload carry the entire malicious content; not to mention the telltale sign of a huge overzealous permissions list that goes with it; break the threat into separate download modules. The smaller pieces are easier to hide, appear to be harmless updates and complicate the revocation process built in by the service provider, market place etc.

Figure A.24. Mobile threats: Staged payload. Source: Symantec

This still requires the end user to accept the installation of subsequent “update” download, potentially a major hurdle. But another threat discovered in the wild in 2011, ‘Android.Jsmshider’ found a way around this hurdle.

Although this trick only worked for custom mods, by signing the payload with an ASOP (Android Open Source Project) certificate, it allowed installation to take place without any interactions or prompts. The underlying devices considered the payload to be a system update or new component, by virtue of the certificate.

Figure A.25. Mobile threats: Android.Jmshider. Source: Symantec

With all this complication you may be forgiven for thinking that the final rivaled something like Stuxnet, but in fact the final payload in the majority of the cases was nothing more than a garden variety premium SMS sender.

Most premium SMS senders and/or dialers lack sophistication and depend largely on social engineering to work. However, they have been around for many years and can have the quickest return on investment for the criminals behind them. Research suggests that the average price of stolen credit card can be as low as 40 – 80 cents (USD), but a typical dialer targeting North America would pay the author $9.99 (USD) per successful install and execution. Moreover, if it was not detected by the user, each subsequent execution would result in another payment, creating a continuous revenue stream. This stream would only stop once the device owner recognized the charge on his bill as fraudulent.

Another interesting trend that Symantec observed is the use of in-app promotions to encourage the downloading of other apps. This app may require the user to download from a browser or a third party app store and is undocumented functionality of the app from the official market place.

Figure A.26. Mobile threats: Example of in-app promotion to download threat. Source: Symantec

Even though user interaction is required to install any additional apps, the concern here is that this sort of vector has an element of social engineering because the end user assumes that since the first app was downloaded from the official channel any additional apps would also be originating from there.

Social engineering a key tool used by mobile malware authors

Because of the so called “Hardware Fragmentation¹⁰” ” issue surrounding the Android Platform, a popular online streaming video service in the US; had initially pushed an Android client app in a limited release, only to certain devices that provided the best user experience.

Owing to the popularity of the service, shortly after the initial release multiple unsanctioned developer projects sprung up around to port an unofficial copy of the app to devices that were not officially supported.

A gap in availability for certain devices combined with large interest from users in getting the app on their Android device created the perfect cover for Android.Flicker, a text-book example of an info-stealer targeting account information.

The malicious app is not at all complex to understand. Divided into two main parts, the app is largely just a splash screen followed by a login screen where the user info is captured and posted to a server. There are multiple permissions requested at the time of installation, usually a sign of a malicious app. But in this case they are identical to the permissions required by the legitimate app. This was probably done to further the illusion that the legitimate app is being installed.

There was no attempt to verify if the data entered by an unsuspecting user was accurate or not. Right after clicking on the sign in button, a user is presented with a screen indicating incompatibility with the current hardware and the recommendation to install another version of the app. On hitting the “Cancel” button, the app then attempts to uninstall itself. Attempts to cancel the uninstall process results in the user returning back to the prior screen with the incompatibility message.

The rise of mobile threats with political agendas

Hactivism is not restricted to PC. Mobile malware with no visible monetary gain but instead with a goal is to send a message was seen in 2011. An example: for many across the Arab World, December 18 2010 marked the birth of what is now come to be commonly known as the ‘Arab Spring’. Among the many tools used to coordinate and inform, to get the word out about the mass ‘market protests’; Symantec discovered a Trojan mass mailer/downloader embedded in an Android App.

Figure A.27. Mobile threats: Android.DroidDreamLight – GameService. Source: Symantec

The Trojan was embedded into a pirated version of a popular Islamic compass app. From our research the Trojanized version was only distributed via forums focusing on Middle Eastern issues. The official version of the app available on the Android Market is not infected. After the installation of the pirated app, the code goes to work on device startup/reboot, silently working in the background as a service called ‘alArabiyyah’. It picks out one link randomly from a list of eighteen and then sends out a SMS message to every contact in the address book of the infected device, sending them a link to a forum site. The content on the forum site appears to be a tribute to Mohamed Bouaziz¹¹.

App Store here… App Store there… App everywhere….

With the projected growth of smart phone sales set to overtake that of regular featured phones, it’s no surprise to see the demand for content drive the emergence of new application market places, app stores, and download sites. Sales in 2011 alone are expected to bring in $15 billion dollars (USD).

Taking advantage of the growing demand for content, not to mention the absence of official outlets presences in certain regions, the number of unregulated markets has seen a dramatic rise, providing a perfect incubator and propagation engine for malware.

Figure A.28. Mobile threats: Additional components/updates being downloaded. Source: Symantec

From a security analyst’s perspective, the mobile content distribution ecosystem can be broken down roughly into three groups:

Group I, the traditional file download site and user forum file share sites. These services have been around as long as the Internet. Originally started to cater to content hungry users looking for software for Windows and Mac users, these sites started adding on download sections for handheld devices and now phones. They may or may not provide file hosting mirrors of the software. User feedback on apps is usually either inconclusive or very basic. On one of these sites, Symantec discovered a download link to a live threat, right next to an RSS feed of a blog talking about the threat. Security measures to screen software tend to be limited to using off the shelf anti-virus software, often not anti-virus software for a mobile device, but Windows-based software.

Group II, “Vendor certified/Web 2.0 Markets.” These manufacturers and vendors have introduced concepts such as on device signature verification, a single point of distribution, and platform app certification, (which sanitized code by extensive and rigorous testing to ensure that software meets not only the manufactures design and platform standards). But by no means is any screening system foolproof and the occasional threat slipped through (once, twice, and even a third time) becoming the focus of many security analysts’ blogs.

Group III, A loose coupling of independent pockets of cloud hosted file repositories brought together via a storefront app (usually only accessible via a mobile device) these fly by night operations seem to be using the same play book used by radio pirates operating off the coast of England in the 1970s.

Their operations tend to be limited in their broadcast. Once they are discovered and/or have to move for one reason or another, the user is required to update the repository list or download a newer version of the app with the location of the file server or repositories.

Figure A.29. Mobile threats: Group III type mobile threats – storefront apps. Source: Symantec

In regions such as China Symantec has noticed these service providers tend to be a little bolder and operate with what can be best described as entrepreneurial flair. In addition to having the usual mobile storefront app, they also have a strong visible Web presence and use that visibility (and the absences of an official market place) to encourage local authors to submit original content; using ad revenue sharing as the monetary incentive. Ironically, in some cases they use the same ad revenue services as managed and/or owned by official marketplaces; thus blurring the line even more between legitimate sites dealing with pirated content uploaded by rouge users and illegal site trying to go legitimate after growing a user base off the back of pirated content sharing.

With projected sales of around $15 billion in 2011, the number of app stores in China will continue to grow at a dramatic rate. As the primary screening mechanisms for content is usually user feedback, pirated or malicious content isn’t immediately flagged and site administrators are quick to point out this fact and disclaim any warranty on damages arising from the usage of downloaded software. From a malicious author’s perspective, these sites tend to be the easiest to target, as the users who patronage these sites have turned off device security checks to allow the installation of unsigned software. This is called side loading.

China (followed closely by Eastern Europe) has long been plagued with threats and trojanized apps targeting mobile platforms. Threats that silently send out SMS messages to premium numbers have become so prevalent that the Chinese government had to take setup regulations to crack down on not only the creators but also on unscrupulous handset resellers. These resellers were intentionally selling phones preloaded with malware that carried out charge backs. The smaller the charge back, the longer it takes before a user suspects anything is wrong, especially in the case of first time buyers who aren’t used to normal monthly charges for their phone bills.

In conclusion, malware threats against mobile platforms are still relatively uncommon when compared with threats targeting desktop operating systems; however, it is clear that a significant step change occurred in 2011, where mobile attacks have grown considerably and we expect this trend to continue in 2012.

⁸

⁹International Mobile Subscriber Identity

¹⁰http://www.symantec.com/connect/blogs/hardware-fragmentation-thwarts-android-call-recording-trojan

¹¹http://www.time.com/time/magazine/article/0,9171,2044723,00.html

Data Breaches that Could Lead to Identity Theft

Background

Political activism and hacking were two big themes resulting in data theft in 2011, and ones that continue to persevere into 2012. There were many high profile hacking breaches last year that received lots of media attention for obvious reasons. Hacking can undermine institutional confidence in a company, and loss of personal data can result in damage to an organizations reputation. Despite the media hype around these breaches, hacking came in second to old-fashioned theft as the greatest source of data breaches last year according to the Norton Cybercrime Index data¹². In the event of a data breach, many countries have existing data breach notification legislation that regulates the responsibilities of organizations conducting business after a data breach has occurred. For example, the EU¹³, the United States (46 states)¹⁴, the District of Columbia, Puerto Rico, and the Virgin Islands have all enacted legislation requiring notification of security breaches involving personal information.

Methodology

The data for the data breaches that could lead to identity theft is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model which measures the levels of threats including malicious software, fraud, identity theft, spam, phishing and social engineering daily. Data for the CCI is primarily derived from Symantec Global Intelligence Network and for certain data from ID Analytics¹⁵. The majority of the Norton CCI's data comes from Symantec's Global Intelligence Network, one of the industry's most comprehensive sources of intelligence about online threats. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information, including name, address, Social Security numbers, credit card numbers, or medical history. Using publicly available data the Norton CCI determines the sectors that were most often affected by data breaches, as well as the most common causes of data loss.

The sector that experienced the loss along with the cause of loss that occurred is determined through analysis of the organization reporting the loss and the method that facilitated the loss.

The data also reflects the severity of the breach by measuring the total number of identities exposed to attackers, using the same publicly available data. An identity is considered to be exposed if personal or financial data related to the identity is made available through the data breach. Data may include names, government-issued identification numbers, credit card information, home addresses, or email information. A data breach is considered deliberate when the cause of the breach is due to hacking, insider intervention, or fraud. A data breach is considered to be caused by hacking if data related to identity theft was exposed by attackers, external to an organization, gaining unauthorized access to computers or networks. (Hacking is an intentional act with the objective of stealing data that can be used for purposes of identity theft or other fraud.)

It should be noted that some sectors may need to comply with more stringent reporting requirements for data breaches than others do. For instance, government organizations are more likely to report data breaches, either due to regulatory obligations or in conjunction with publicly accessible audits and performance reports¹⁶. Conversely, organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction. As a result, sectors that are not required or encouraged to report data breaches may be under-represented in this data set.

Figure A.30. Timeline of data breaches showing identities breached in 2011, global. Source: Based on data provided by Norton Cyber Crime Index

Data and commentary for Data and commentary for data breaches that could lead to identity theft by sector

Figure A.31. Data breaches that could lead to identity theft and identities exposed by sector. Source: Based on data provided by Norton Cyber Crime Index

Top-ten sectors by number of data breaches

Healthcare, government and education sectors ranked top for number of data breaches, but ranked lower for number of identities exposed: Although the healthcare, government and education sectors accounted for the top three largest percentages for number of data breaches in 2011, those breaches accounted for approximately 9.7% of all reported identities exposed during 2011 (figure A.31).
This is due to the average number of identities exposed in each of the data breaches in these sectors being relatively low. The average number of identities exposed per data breach was approximately 133,500 for these three sectors combined, compared with an average of 19.4 million identities exposed per breach for the computer software sector alone (figure A.32).

Figure A.32. Average number of identities exposed per data breach by notable sector. Source: Based on data provided by Norton Cyber Crime Index

Top data breaches are reflected in top sectors for identities exposed: The top three sectors of Computer Software, IT and Healthcare had the largest number of identities exposed due to data breaches in 2011; these three sectors accounted for 93.0% of the total number of identities exposed.

Data and commentary for data breaches that could lead to identity theft by cause

Top causes for data breach by number of breaches

Figure A.33. Data breaches that could lead to identity theft and identities exposed, by cause. Source: Based on data provided by Norton Cyber Crime Index

Top causes for data breach by number of identities exposed

Theft or loss was the top cause for data breaches: The most frequent cause of data breaches (across all sectors) that could facilitate identity theft in 2011 was theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium (figure A.33).
Theft or loss accounted for 34.3% of breaches that could lead to identities exposed in 2011 and this equated to approximately 18.5 million identities exposed in total.
The second most frequent data breach type was related to Hackers (29.0%), which exposed approximately 187.2 million identities in 2011, the greatest number for any cause of breach in 2011.

Figure A.34. Average number of identities exposed per data breach, by cause. Source: Based on data provided by Norton Cyber Crime Index

Hacking was the leading source for reported identities exposed: Although hacking was the second most common cause of data breaches that could lead to identity theft in 2011, it was the top cause for the number of reported identities exposed. Hacking was responsible for over 80.5% of the identities exposed in the largest data breaches that occurred in 2011.
The average number of identities exposed per data breach in Hacking incidents was approximately 3.3 million.

Data and Commentary for type of information exposed in deliberate breaches

Figure A.35. Type of information exposed in deliberate breaches. Source: Based on data provided by Norton Cyber Crime Index

The most common types of identity information leaked in deliberate data breaches was names, addresses and credit card numbers; accounting for one-third of the identities breached in 2011.
Names, phone numbers, email addresses and passwords were found in 16% of breaches.
Usernames, passwords and purchase information were identified in 16% of the identity breaches.

¹²http://www.nortoncybercrimeindex.com/

¹³http://www.enisa.europa.eu/act/it/library/deliverables/dbn/at_download/fullReport/

¹⁴http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

¹⁵http://www.idanalytics.com/

¹⁶For example, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) of California. For more on this act, please see: http://www.privacyrights.org/fs/fs6a-facta.htm. Another example is the Health Insurance Portability and Accountability Act of 1996. For more information see: http://www.cms.hhs.gov/HIP AAGenInfo/

Vulnerability Trends

A vulnerability is a weakness that allows an attacker to compromise the availability, confidentiality, or integrity of a computer system. Vulnerabilities may be the result of a programming error or a flaw in the design that will affect security.

Vulnerabilities can affect both software and hardware. It is important to stay abreast of new vulnerabilities being identified in the threat landscape because early detection and patching will minimize the chances of being exploited. This section discusses selected vulnerability trends, providing analysis and discussion of the trends indicated by the data.

The following metrics are included:

Total Number of Vulnerabilities

Background

The total number of vulnerabilities for 2011 is based on research from independent security experts and vendors of affected products. The yearly total also includes zero-day vulnerabilities that attackers uncovered and were subsequently identified post-exploitation. Calculating the total number of vulnerabilities provides insight into vulnerability research being conducted in the threat landscape. There are many motivations for conducting vulnerability research, including security, academic, promotional, software quality assurance, and, of course, the malicious motivations that drive attackers. Symantec gathers information on all of these vulnerabilities as part of its DeepSight vulnerability database and alerting services. Examining these trends also provides further insight into other topics discussed in this report.

Discovering vulnerabilities can be advantageous to both sides of the security equation: legitimate researchers may learn how better to defend against attacks by analyzing the work of attackers who uncover vulnerabilities; conversely, cybercriminals can capitalize on the published work of legitimate researchers to advance their attack capabilities. The vast majority of vulnerabilities that are exploited by attack toolkits are publicly known by the time they are exploited.

Methodology

Information about vulnerabilities is made public through a number of sources. These include mailing lists, vendor advisories, and detection in the wild. Symantec gathers this information and analyzes various characteristics of the vulnerabilities, including technical information and ratings in order to determine the severity and impact of the vulnerabilities. This information is stored in the DeepSight vulnerability database, which houses over 47,000 distinct vulnerabilities spanning a period of over 20 years. As part of the data gathering process, Symantec scores the vulnerabilities according to version 2.0 of the community-based CVSS (Common Vulnerability Scoring System)¹. Symantec adopted version 2.0 of the scoring system in 2008. The total number of vulnerabilities is determined by counting all of the vulnerabilities published during the reporting period. All vulnerabilities are included, regardless of severity or whether or not the vendor who produced the vulnerable product confirmed them.

Data

Figure D.1: Total vulnerabilities identified, 2006-2011. Source: Symantec

Figure D.2: New vulnerabilities month-by-month, 2010 & 2011. Source: Symantec

Figure D.3: Most frequently attacked vulnerabilities in 2011. Source: Symantec

Commentary

Actual number of new vulnerabilities reported is down, but trend is still upwards: The total number of new vulnerabilities reported in 2011 stood at 4,989. This figure works out to approximately 95 new vulnerabilities a week. Compared with the number from 2010 which was 6,253, it represents a decrease of 20% from that of 2010. While this may seem like positive news, it must be viewed in the context of a longer time window. When we look at the trend over the longer term, we can see that the overall pattern is still on an upward trajectory. So far, the number of vulnerabilities reported in January 2012, amounts to 488 and is already well ahead of the numbers reported in the same month last year.
The most often exploited vulnerabilities are not the newest: From observation of in-field telemetry, we can see that the most frequently used vulnerability in attacks is not the newest. Our data show that the most commonly attacked component by a wide margin is the Microsoft Windows RPC component. The attacks against this component are mostly using the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874 ). This vulnerability was first reported back in October 2008 and Symantec blocked 61.2 million attempts to exploit it in 2011. This figure represents 4.7 times the volume of the second most exploited vulnerability, the Microsoft Windows RPCSS DCOM Interface Denial of Service Vulnerability (BID 8234 ), from July 2003.
The next two most often used vulnerabilities are the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108 ⁴), dating from April 2004 and the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409⁵ ), from August 2008.
Finally the fifth most exploited vulnerability is the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (BID 35759⁶ ), reported in July 2009.
All of the top five vulnerabilities are several years old with patches available: So why are they used so often even several years after patches are available? There could be several reasons why this is the case:
- Trading of vulnerabilities⁷ either through legitimate or clandestine channels has given exploitable vulnerabilities a significant monetary value. Because of the restricted information available on some of these new vulnerabilities, criminals may not be able to take advantage of them unless they are willing to pay the often substantial asking prices. If they are unable or unwilling to pay, they may resort to existing, widely available, tried and tested vulnerabilities to achieve their goals, even if it may potentially be less effective.
- For those willing to pay, they will want to ensure maximum return on their investment. This could mean they will use it discretely and selectively rather than making a big splash and arousing the attention of security vendors and other criminal groups looking for new vulnerabilities to use.
- Older vulnerabilities have a more established malware user base and so account for a greater amount of traffic. For example, widespread and well-established malware threats, such as W32.Downadup⁸ and its variants, use the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which continues to register over 200,000 hits each day. Because these threats use vulnerabilities to spread in an automated fashion, the number of attacks they can launch would generally be far higher than for targeted attacks.
- For various reasons, not all of the user population apply security patches quickly or at all. This means older vulnerabilities can often still be effective, even years after patches are available. Because of this, there will always a window of opportunity for criminals to exploit and they are all too aware of this.
File based vulnerabilities: The most commonly exploited data file format is the PDF file format. One of the PDF related vulnerabilities, Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (BID 35759⁹ ) registered as the fifth most often used vulnerability in 2011 with just over 1 million attacks reported. PDF files containing vulnerabilities are often associated with Advanced Persistent Threat (APT¹⁰ ) style attacks, rather than self-replicating malware. However, in this particular case, the vulnerability in question was most often used in Web toolkit based attacks. This attack scenario involves creating malicious websites to host exploit code. Users may then be tricked into visiting these malicious toolkit websites either by website redirection (e.g. malicious IFRAMEs), SEO poisoning or by sending out spam emails, instant messages or social media updates with links to the malicious website.
One thing to note, websites hosting malicious toolkits often contain multiple exploits that can be tried against the visitor. In some cases, the kit will attempt to use all exploits at its disposal in a non-intelligent fashion whereas in more modern advanced kits, the website code will attempt to fingerprint the software installed on the computer before deciding which exploit(s) to send to maximise the success rate. The fact that there are so many Web kit based exploit attempts made using this old vulnerability may suggest that a considerable number of users have not updated their PDF readers to a non-vulnerable version.

¹ http://www.first.org/cvss/cvss-guide.html

² See http://www.securityfocus.com/bid/31874

³ See http://www.securityfocus.com/bid/8234

⁴ See http://www.securityfocus.com/bid/10108

⁵ See http://www.securityfocus.com/bid/19409

⁶ See http://www.securityfocus.com/bid/35759

⁷ See http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html

⁸ See http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

⁹ See http://www.securityfocus.com/bid/35759

¹⁰ See http://go.symantec.com/apt

Zero-Day Vulnerabilities

Background

Zero-day vulnerabilities are vulnerabilities against which no vendor has released a patch. The absence of a patch for a zero-day vulnerability presents a threat to organizations and consumers alike, because in many cases these threats can evade purely signature-based detection until a patch is released. The unexpected nature of zero-day threats is a serious concern, especially because they may be used in targeted attacks and in the propagation of malicious code.

Methodology

Zero-day vulnerabilities are a sub-set of the total number of vulnerabilities documented over the reporting period. A zero-day vulnerability is one that appears to have been exploited in the wild prior to being publicly known. It may not have been known to the affected vendor prior to exploitation and, at the time of the exploit activity, the vendor had not released a patch. The data for this section consists of the vulnerabilities that Symantec has identified that meet the above criteria.

Figure D.4: Volume of Zero-day vulnerabilities 2006 – 2011. Source: Symantec

Figure D.5: Zero-day Vulnerabilities Identified in 2011. Source: Symantec

Commentary

2011 produced the lowest number of zero-day vulnerabilities in the past 6 years. There was a 43% drop in vulnerabilities seen in 2011 compared with 2010. However the number of vulnerabilities seen in 2010 was somewhat inflated due to W32.Stuxnet, which itself contributed to four¹¹ of the zero-day vulnerabilities seen in that year.

There was only one zero-day browser vulnerability seen in 2011, a drop of 3 from 2010. This corresponds with the overall drop in browser vulnerabilities seen in 2010. While browser vulnerabilities continue to be attractive for attackers, increased security built into browsers have made it more difficult for attackers to create reliable exploits. Examples of these security features are Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)¹² .

While the overall number of zero-day vulnerabilities is down, attacks using these vulnerabilities continue to be successful. The majority of these vulnerabilities are leveraged in targeted attacks. Adobe Flash and Reader vulnerabilities are widely used in targeted attacks and account for 50% of the zero-day vulnerabilities seen in 2011.

¹¹ http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities

¹² http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

Notable Zero-day Attacks

RSA

A number of high-profile attacks in 2012 utilized zero-day vulnerabilities. In March RSA revealed that they were the victim of a targeted attack in which data related to their SecurID™ product was stolen¹³. This stolen data was then used in further attacks against a number of military contractors. In order to gain access to the RSA network the attackers first sent a crafted email message to a number of employees with the subject line “2011 Recruitment Plan”. The message contained an attachment called 2011 Recruitment Plan.xls, as shown in figure D.6.

Figure D.6: Example of email used in notable targeted attack. Source: Symantec

The attachment contained an embedded Flash file which exploited CVE-2011-0609 in order to install a Backdoor program. Once the attackers had backdoor access they were able to install the PoisonIvy remote access tool in order to iterate through the network gathering credentials and eventually getting to the target machine which contained the sought-after data.

W32.Duqu

W32.Duqu was discovered in September 2012 was determined to have been based on the same source code as W32.Stuxnet. W32.Duqu is designed to capture and exfiltrate data which may be used to enable a future Stuxnet-like attack.

The initial W32.Duqu installer was a Microsoft Word document (.doc) which exploited a previously unknown kernel level vulnerability that allows code execution. This vulnerability was later named as CVE-2011-3402, Win32k True Type Font Parsing Vulnerability. The .doc was sent as an attachment to the targeted organization. The .doc was crafted to specifically target the recipient organization, e.g. by taking a document from the organization’s website, such as a form, and modifying it in order to exploit the vulnerability. When launched, the document triggers the exploit code which then loads shellcode to decrypt the driver and installer. The shellcode executes the driver which then in turn injects the installer into services.exe. The following diagram illustrates the infection routine:

Figure D.7: Process involved in W32.Duqu targeted attack. Source: Symantec

The Sykipot Attacks

The Sykipot threat has been in existence since 2006 but gained attention in December 2012 due to a series of targeted attacks in which it exploited CVE-2011-2462 - Adobe Reader/Acrobat U3D Memory Corruption Vulnerability, a zero-day vulnerability. This wasn’t the first time that the Sykipot attackers used a zero-day vulnerability. In March 2010 the same attackers used an Internet Explorer zero-day to download and install Backdoor.Sykipot - CVE-2010-0806, Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability.

In the December 2012 attacks, the attackers sent targeted emails with a malicious PDF attachment, as shown in figure D.8.

Figure D.8: Example of email used in Sykipot targeted attack. Source: Symantec

The targeted email was sent to a number of individuals in a variety of organizations which cover many industry sectors, such as:

Defense contractors
Telecommunications
Computer Hardware
Chemical
Energy
Government Departments
When the PDF attachment is launched it exploits CVE-2011-2462 in order to install the Backdoor program, Backdoor.Sykipot. Backdoor.Sykipot can then receive a variety of commands from the attackers, ultimately leading to the exfiltration of sensitive documents.

Window of Exposure for Zero-day Vulnerabilities

The window of exposure for vulnerabilities is the difference in days between the time when exploit code affecting a vulnerability is made public and the time when the affected vendor makes a patch publicly available for that vulnerability. During this time, the computer or system on which the affected application is deployed may be susceptible to attack. Attackers will attempt to maximize the window of exposure by making swift use of exploits in attacks.

Commentary

An example of attackers taking advantage of the window of exposure is the usage of CVE-2011-2462 Adobe Acrobat and Reader U3D Memory Corruption Vulnerability. This vulnerability was used in targeted attacks in the wild on December 1st 2011. An advisory was published by the vendor on December 6th 2011¹⁴ confirming that the vulnerability was being exploited in attacks against Adobe Reader 9.x. Version 10.x was also vulnerable but was not being exploited in the wild. On December 16 Adobe Reader and Acrobat version 9.4.7 was released to correct this vulnerability for versions 9.x. Version 10.2 was released on January 10th 2012 to correct version 10.1.

The window of exposure for Adobe Reader and Acrobat 9.x was therefore 10 days. During this time heightened activity was seen against this vulnerability. The vulnerability was being exploited in crafted PDFs which were sent as email attachments. Once launched the attachment would exploit CVE-2011-2462 in order to install a backdoor program onto the victim’s machine. Symantec.cloud observed a significant spike in these malicious attachments in the period just after the vulnerability was published:

Figure D.9: CVE-2011-2462: Attack Volume by Day. Source: Symantec

The vulnerability was used in limited targeted attacks in the period leading up to public disclosure. A few days after the vulnerability was publicly disclosed by the vendor, the vulnerability was seen being exploited in reasonably widespread attacks. It was actively used in the wild for 6 days, leading up a patch being released on December 16. The numbers above demonstrate the attractiveness of a zero-day vulnerability to attackers and how they will attempt to maximize the effectiveness of the exploit code during the window of exposure.

¹³ http://www.rsa.com/node.aspx?id=3872

¹⁴ http://www.adobe.com/support/security/advisories/apsa11-04.html

Web Browser Vulnerabilities

Background

Web browsers are nowadays ever-present components for computing for both enterprise and individual users on desktop and on mobile devices. Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware, and adware. In addition, Web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications and are particularly targeted by multi-exploit attack kits.

Web-based attacks can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Some content, such as media files or documents are often presented in browsers via browser plug-in technologies. While browser functionality is often extended by the inclusion of various plug-ins, the addition of plug-in component also results in a wider potential attack surface for client-side attacks.

Methodology

Browser vulnerabilities are a sub-set of the total number of vulnerabilities cataloged by Symantec throughout the year. To determine the number of vulnerabilities affecting browsers, Symantec considers all vulnerabilities that have been publicly reported, regardless of whether they have been confirmed by the vendor. While vendors do confirm the majority of browser vulnerabilities that are published, not all vulnerabilities may have been confirmed at the time of writing. Vulnerabilities that are not confirmed by a vendor may still pose a threat to browser users and are therefore included in this study.

Data

This metric examines the total number of vulnerabilities affecting the following Web browsers:

Apple Safari
Google Chrome
Microsoft Internet Explorer
Mozilla Firefox
Opera

Figure D.10: Browser vulnerabilities in 2010 and 2011. Source: Symantec

Commentary

Chrome vulnerabilities dropped off dramatically in 2011. After a spike in 2010 (191), the documented vulnerabilities for Chrome browser dropped to 62 for 2011, which is a similar level as in previous years. A reason for the 2010 spike might have been the introduced bug bounty program and the rapid development of the browser in 2010.
For Firefox, Internet Explorer, Safari and Opera the number of reported vulnerabilities decreased marginally in 2011.
These five browsers combined had 351 reported vulnerabilities in total in 2011, which is a strong decrease from 500 in 2010. This decline can be attributed to the decrease of Chrome browser vulnerabilities. However, a decline in the number of reported vulnerabilities does not necessarily imply that risk levels have diminished; many Web-based attack kits will continue to exploit existing vulnerabilities and rapidly incorporate exploits for new vulnerabilities.

Web Browser Plug-in Vulnerabilities

Background

This metric examines the number of vulnerabilities affecting plug-ins for Web browsers. Browser plug-ins are technologies that run inside the Web browser and extend its features, such as allowing additional multimedia content from Web pages to be rendered. Although this is often run inside the browser, some vendors have started to use sandbox containers to execute plug-ins in order to limit the potential harm of vulnerabilities.

Many browsers now include various plug-ins in their default installation and, as well, provide a framework to ease the installation of additional plug-ins. Plug-ins now provide much of the expected or desired functionality of Web browsers and are often required in order to use many commercial sites. Vulnerabilities affecting these plug-ins are an increasingly favored vector for a range of client-side attacks, and the exploits targeting these vulnerabilities are commonly included in attack kits. Some plug-in technologies include automatic update mechanisms that aid in keeping software up to date, which may aid in limiting exposure to certain vulnerabilities. To help mitigate the risk, some browsers have started to check for the version of installed third party plug-ins and inform the user if there are any updates available for install.

Methodology

Web browser plug-in vulnerabilities comprise a sub-set of the total number of vulnerabilities cataloged by Symantec over the reporting period. The vulnerabilities in this section cover the entire range of possible severity ratings and include vulnerabilities that are both unconfirmed and confirmed by the vendor of the affected product. Confirmed vulnerabilities consist of security issues that the vendor has publicly acknowledged, by either releasing an advisory or otherwise making a public statement to concur that the vulnerability exists. Unconfirmed vulnerabilities are vulnerabilities that are reported by third parties, usually security researchers, which have not been publicly confirmed by the vendor. That a vulnerability is unconfirmed does not mean that the vulnerability report is not legitimate, only that the vendor has not released a public statement to confirm the existence of the vulnerability.

Data

Symantec analyzed the following plug-in technologies:

Adobe Reader
Adobe Flash Player
Apple QuickTime
Microsoft ActiveX
Mozilla Firefox extensions
Oracle Sun Java Platform Standard Edition (Java SE)

Figure D.11: Plugin Vulnerabilities in 2010 and 2011. Source: Symantec

Commentary

In 2011, 308 vulnerabilities affecting browser plug-ins were documented by Symantec, a slight decrease, compared to 346 vulnerabilities affecting browser plug-ins in 2010.
ActiveX vulnerabilities decreased further in 2011, continuing the trend for the recent years. This may be due to the increased usage of Internet Explorer 8 which has an enhanced security features surrounding ActiveX plug-ins¹⁵ .
Adobe Flash and Java vulnerabilities increased both by 3 percent in 2011. This trend was already visible in 2010 and grew again. This is also reflected in the vulnerability usage in attack toolkits which have focused around Adobe Flash, Adobe PDF Reader and Java in 2011.

¹⁵ See http://blogs.msdn.com/b/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx

Web Attack Toolkits

Web attack toolkits are a collection of scripts, often PHP files, which are used to create malicious web sites that will use Web exploits to infect visitors. There are a few dozen known families used in the wild. Many toolkits are traded or sold on underground forums for 100-1,000$ (USD). Some are actively developed and new vulnerabilities are added over time, such as Blackhole and Eleonore toolkits, which both added various Adobe Flash vulnerabilities during 2011.

Each new toolkit version released during the year is accompanied with increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see an increased use of it in the wild, making as much use of the new exploits until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year.

Since many toolkits often use the same exploits, it is often difficult to identify the specific attack toolkit behind each infection attempt. On average, the attack toolkits contain around 10 different exploits, mostly focusing on browser independent plug-in vulnerabilities found in applications such as Adobe Flash , PDF viewers and Java . In general, older exploits are not removed from the toolkits, since some systems may still be unpatched. This is perhaps why many of the toolkits still contain an exploit for the old Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462) from 2006. The malicious script will test all possible exploits in sequence until one succeeds. This may magnify the attack numbers seen for older vulnerabilities, even if they were unsuccessful.

For more information on Web attack toolkits, please read Appendix A: Threat Activity Trends - Analysis of Malicious Web Activity by Attack Toolkits.

SCADA Vulnerabilities

Background

This metric will examine the SCADA (Supervisory Control and Data Acquisition) security threat landscape. SCADA represents a wide range of protocols and technologies for monitoring and managing equipment and machinery in various sectors of critical infrastructure and industry. This includes—but is not limited to—power generation, manufacturing, oil and gas, water treatment, and waste management. Therefore, the security of SCADA technologies and protocols is a concern related to national security because the disruption of related services can result in the failure of infrastructure and potential loss of life—among other consequences.

Methodology

This discussion is based on data surrounding publicly known vulnerabilities affecting SCADA technologies. The purpose of the metric is to provide insight into the state of security research in relation to SCADA systems. To a lesser degree, this may provide insight into the overall state of SCADA security. Vulnerabilities affecting SCADA systems may present a threat to critical infrastructure that relies on these systems. Due to the potential for disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks. This is a concern for governments and/or enterprises that are involved in the critical infrastructure sector. While this metric provides insight into public SCADA vulnerability disclosures, due to the sensitive nature of vulnerabilities affecting critical infrastructure there is likely private security research conducted by SCADA technology and security vendors. Symantec does not have insight into any private research because the results of such research are not publicly disclosed.

Data

The number of SCADA vulnerabilities rose dramatically in 2011: In 2011, there were 129 public SCADA vulnerabilities, a massive increase over the 15 vulnerabilities in 2010.

Commentary

The security of SCADA systems has always been an area of concern, but prior to 2010 it was on a more theoretical level. Since the emergence of W32.Stuxnet in 2010 there has been an increased focus on the security of SCADA systems. The security of these systems also gained attention in November 2011 when reports emerged of 2 separate alleged breaches. On November 10, 2011 the Illinois Statewide Terrorism & Intelligence Center (STIC) issued a report stating that the SCADA system at an Illinois water systems had been breached and that resulting action has caused a water pump to burn out. ICS-CERT later issued a report stating that there was no evidence to support these claims¹⁶ . On November 18th a hacker who goes by the name pr0f posted a statement to pastebin¹⁷ in which he claimed to have accessed the SCADA system used to manage water and sewage systems in South Houston, Texas.

The large increase in SCADA vulnerabilities in 2011 can for the most part be attributed to one security researcher, Luigi Auriemma¹⁸, who discovered 93 out of the 129 vulnerabilities published.

¹⁶ See http://www.us-cert.gov/control_systems/pdf/ICSB-11-327-01.pdf

¹⁷ See http://pastebin.com/Wx90LLum

¹⁸ See http://www.digitalbond.com/2011/03/22/interview-with-luigi-auriemma-of-34-0days-ics-vulnerabilities

Malicious Code Trends

Symantec collects malicious code information from our large global customer base through a series of opt in anonymous telemetry programs, including Norton Community Watch, Symantec Digital Immune System and Symantec Scan and Deliver technologies. Well over 133 million clients, servers and gateway systems actively contribute to these programs. New malicious code samples, as well as detection incidents from known malicious code types, are reported back to Symantec. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in malicious code activity in the threat landscape. Reported incidents are considered potential infections if an infection could have occurred in the absence of security software to detect and eliminate the threat.

Malicious code threats are classified into four main types — backdoors, viruses, worms, and Trojans:

Backdoors allow an attacker to remotely access compromised computers.
Viruses propagate by infecting existing files on affected computers with malicious code.
Worms are malicious code threats that can replicate on infected computers or in a manner that facilitates them being copied to another computer (such as via USB storage devices).
Trojans are malicious code that users unwittingly install onto their computers, most commonly through either opening email attachments or downloading from the Internet. Trojans are often downloaded and installed by other malicious code as well. Trojan horse programs differ from worms and viruses in that they do not propagate themselves.

Many malicious code threats have multiple features, for example, a backdoor will always be categorized in conjunction with another malicious code feature. Typically, backdoors are also Trojans, however many worms and viruses also incorporate backdoor functionality. In addition, many malicious code samples can be classified as both worm and virus due to the way they propagate. One reason for this is that threat developers try to enable malicious code with multiple propagation vectors in order to increase their odds of successfully compromising computers in attacks.

The following malicious code trends are analyzed for 2011:

Top Malicious Code Families

Background

Symantec analyzes new and existing malicious code families to determine which threats types and attack vectors are being employed in the most prevalent threats. This information also allows system administrators and users to gain familiarity with threats that attackers may favor in their exploits. Insight into emerging threat development trends can help them to bolster security measures and mitigate future attacks.

The endpoint is often the last line of defense and analysis; however, the endpoint can often be the first-line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway or cloud-based filtering.

Methodology

A malicious code family is initially compromised up of a distinct malicious code sample. As variants to the sample are released, the family can grow to include multiple variants. Symantec determines the most prevalent malicious code families by collating and analyzing anonymous telemetry data gathered for the reporting period. Over the course of 2011, such products reported 1.8 billion such malicious code detections, compared with 1.5 billion in 2010. This figure includes malicious code detections identified in Symantec endpoint technology, including Norton as well as the Symantec.cloud security services for email and Web.

Malicious code is classified into families based on variants in the signatures assigned by Symantec when the code is identified. Variants appear when attackers modify or improve existing malicious code to add or change functionality. These changes alter existing code enough that antivirus sensors may not detect the threat as an existing signature. The total number of variants identified in 2011 was 403.8 million, compared with 286 million in 2010.

Overall, the top-ten list of malicious code families accounted for 47.2% of all potential infections blocked in 2011.

Data

Figure B.1. Overall Top Malicious Code Families, 2011. Source: Symantec

Figure B.2: Relative volume of reports of top 10 malicious code families in 2011, by percentage. Source: Symantec

Figure B.3: Relative proportion of top 10 malicious code blocked in email traffic by Symantec.cloud in 2011, by percentage and ratio. Source: Symantec.cloud

Figure B.4: Relative proportion of top 10 malicious file types blocked in email traffic by Symantec.cloud in 2011. Source: Symantec.cloud

Figure B.5: Trend of malicious code blocked in email traffic by Symantec.cloud in 2011. Source: Symantec.cloud

Figure B.6: Relative proportion of top 10 malicious code blocked in Web traffic by Symantec.cloud in 2011, by percentage and ratio. Source: Symantec.cloud

Figure B.7: Relative proportion of top 10 malicious file types blocked in Web traffic by Symantec.cloud in 2011. Source: Symantec.cloud

Commentary

Ramnit overtakes Sality to become the most prevalent malicious code family in 2011. Ranked sixth in 2010, the top malicious code family by volume of potential infections in 2011 was Ramnit.
Samples of the Ramnit family of malware were responsible for significantly more potential infections than the second ranked malicious code family in 2011, Sality. This is primarily the result of activity by W32.Ramnit!html, which accounts for 51% of all Ramnit malware blocked in 2011.
W32.Ramnit!html is a generic detection for .html files infected by W32.Ramnit.
First discovered in 2010, W32.Ramnit!html has been a prominent feature of the threat landscape since then, often switching places with Sality throughout the year as the two families jockey for first position.
Ramnit spreads by encrypting and then appending itself to DLL, EXE and HTML files. It can also spread by copying itself to the recycle bin on removable drives and creating an AUTORUN.INF file so that the malware is potentially automatically executed on other computers. This can occur when an infected USB device is attached to a computer. The reliable simplicity of spreading via USB devices and other media makes malicious code families such as Ramnit, Sality (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers.
The Sality family of malware, ranked second, remains attractive to attackers because it uses polymorphic code that can hamper detection. Sality is also capable of disabling security services on affected computers. These two factors may lead to a higher rate of successful installations for attackers. Sality propagates by infecting executable files and copying itself to removable drives such as USB devices. Similar to Ramnit, Sality also relies on AUTORUN.INF functionality to potentially execute when those drives are accessed.
Downadup is losing momentum: Downadup (a.k.a. Conficker) was ranked in fourth position in 2011, compared with 2010 when it was ranked second-most malicious code family by volume of potential infections in 2010. Downadup propagates by exploiting vulnerabilities in order to copy itself to network shares. Downadup was estimated still to be on more than 3 million PCs worldwide at the end of 2011¹ , compared with approximately 5 million at the end of 2010.
Overall in 2011, 1 in 238.8 emails was identified as malicious, compared with 1 in 284.3 in 2010; 39.1% of email-borne malware comprised hyperlinks that referenced malicious code, in contrast with malware that was contained in an attachment to the email. This figure was 23.7% in 2010, an indication that cyber criminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email to the Web.
In 2011, 17.9% of malicious code detected in 2011 was identified and blocked using generic detection technology. Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created using toolkits and hundreds of thousands of variants can be created from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each variant would traditionally need its own signature to be correctly identified and blocked. By deploying techniques, such as heuristic analysis and generic detection, it’s possible to correctly identify and block several variants of the same malware families, as well as identify new forms of malicious code that seek to exploit certain vulnerabilities that can be identified generically.
Trojan.Bredolab was the most frequently blocked malware in email traffic by Symantec.cloud in 2011. This was owing to a rise in the number of strains of aggressively polymorphic malware, where variants of the Bredolab Trojan were contained in the payload of the email attachment.
Trojan.Bredolab is an example of highly polymorphic malware; malicious code that is continually changed (by structure or content) to hide its presence from security countermeasures and in 2011, Symantec.cloud stopped Trojan.Bredolab in substantial volumes using Skeptic™ technology.
Trojan.Bredolab frequently acts as a downloader or installer for many secondary threats, including Trojan.Fakeavalert, Backdoor.Rustock, Trojan.Srizbi, and W32.Waledac
The email would often use social engineering to encourage the recipient into opening it. Many such variants were also deployed by URL hyperlinks contained in some variations of the attacks using embedded links or attachments of the HTML file type.
Attached HTML files were the most frequently blocked malicious email attachment in 2011.
Web-based ZIP file format archives were the most frequently blocked malicious file type in 2011.
Trojan.JS.Iframe.AOX was the most frequently blocked malicious activity in Web traffic filtered by Symantec.cloud in 2011. Detection for a malicious IFRAME is triggered in HTML files that contain hidden IFRAME elements with JavaScript code that attempts to perform malicious actions on the computer; for example, when visiting a malicious Web page, the code attempts to quietly direct the user to a malicious URL while the current page is loading.
Stuxnet in 2011: Despite being developed for a very specific type of target, the number of reports of potential Stuxnet infections observed by Symantec in 2011 placed the worm at rank 18 among malicious code families, compared with 29 in 2010. The Stuxnet worm generated a significant amount of attention in 2010 because it was the first malicious code designed specifically to attack Programmable Logic Controller (PLC) industry control systems.² Notably, Stuxnet was the first malicious code family that may directly affect the physical world and proves the feasibility for malicious code to cause potentially dramatic physical destruction.
Duqu, the precursor to a new Stuxnet? In October 2011, Symantec received reports of a new threat (W32.Duqu³ ) that was created from the same code base as Stuxnet. Whilst the code base was near identical, and the methods around the attacks are similar, the purpose of the new threat appears to be completely different from Stuxnet. Where Stuxnet was primarily designed to sabotage industrial machinery, Duqu appears to be designed for information theft, particularly information related to industrial systems and other secrets. This activity could be carried out with a goal to use the stolen information to plan and mount future attacks of a similar nature to those made by Stuxnet.

² http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

³ http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/
w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Analysis of Malicious Code Activity by Geography, Industry Sector and Company Size

Background

Malicious code activity trends can also reveal patterns that may be associated with particular geographical locations, or hotspots. This may be a consequence of social and political changes in the region, such as increased broadband penetration and increased competition in the marketplace that can drive down prices, increasing adoption rates. Of course there may also be other factors at work, based on the local economic conditions that may present different risk factors. Similarly, the industry sector may also have an influence on an organization’s risk factor, where certain industries may be exposed to different levels of threat, by the nature of their business.

Moreover, the size of an organization can also play a part in determining their exposure to risk. Small to medium-sized businesses (SMBs) may find themselves the target of a malicious attack by virtue of the relationships they have with other organizations; for example, a company may be subjected to an attack because they are a supplier to a larger organization and attackers may seek to take advantage of this relationship in forming the social engineering behind subsequent attacks to the main target, using the SMB as a springboard for these later attacks. SMBs are perceived to be a softer target as they are less likely to have the same levels of defense-in-depth as a larger organization is more likely to have greater budgetary expenditure applied to their security countermeasures.

Methodology

Analysis of malicious code activity based on geography, industry and size are based on the telemetry analysis from Symantec.cloud clients for of threats detected and blocked against those organizations in email traffic during 2011.

This analysis looks at the profile of organizations being subjected to malicious attacks, in contrast to the source of the attack.

Data

Figure B.8. Proportion of email traffic identified as malicious - by industry sector, 2011. Source: Symantec.cloud

Figure B.9. Proportion of email traffic identified as malicious - by organization size, 2011. Source: Symantec.cloud

Figure B.10. Proportion of email traffic identified as malicious - by geographic location, 2011. Source: Symantec.cloud

Commentary

The rate of malicious attacks carried by email has increased for eight of the top-ten geographies being targeted; malicious email threats fell in 2011 for organizations in both Vietnam and China.
Businesses in the Republic of Korea (South Korea) were subjected to the highest average ratio of malicious email-borne email in 2011, with 1 in 94.2 emails blocked as malicious, compared with 1 in 209.6 in 2010.
Globally, organizations in the Government and Public sector were subjected to the highest level of malicious attacks in email traffic, with 1 in 41.1 emails blocked as malicious in 2011, compared with 1 in 65.7 for 2010.
Malicious email threats have increased for all sizes of organizations, with 1 in 205.1 emails being blocked as malicious for large enterprises with more than 2,500 employees in 2011, compared with 1 in 259.7 in 2010.
1 in 267.9 emails were blocked as malicious for small to medium-sized businesses with between 1-250 employees in 2011, compared with 1 in 300.0 in 2010

Propagation Mechanisms

Background

Worms and viruses use various means to spread from one computer to another. These means are collectively referred to as propagation mechanisms. Propagation mechanisms can include a number of different vectors, such as instant messaging (IM), Simple Mail transfer protocol (SMTP), Common Internet File System (CIFS), peer-to-peer file transfers (P2P), and remotely exploitable vulnerabilities.⁴ Some malicious code may even use other malicious code as a propagation vector by locating a computer that has been compromised through a backdoor server and using it to upload and install itself.

Methodology

This metric assesses the prominence of propagation mechanisms used by malicious code. To determine this, Symantec analyzes the malicious code samples that propagate and ranks associated propagation mechanisms according to the related volumes of potential infections observed during the reporting period. ⁵

Figure B.11. Propagation mechanisms. Source: Symantec

Commentary

As malicious code continues to become more sophisticated, many threats employ multiple mechanisms.

Executable file sharing activity increases: In 2011, 76 percent of malicious code propagated as executables, an increase from 74 percent in 2010. This propagation mechanism is typically employed by viruses and some worms to infect files on removable media. For example, variants of Ramnit and Sality use this mechanism, and both families of malware were significant contributing factors in this metric, as they were ranked as the two most common potential infections blocked in 2011.
Remotely exploitable vulnerabilities increase: The percentage of malicious code that propagated through remotely exploitable vulnerabilities in 2011 at 28 percent was 4 percentage points higher than in 2010. Examples of attacks employing this mechanism also include Downadup, which although seems to be in decline, is still a major contributing factor to the threat landscape, ranked on fourth position in 2011.
File transfer using CIFS is in decline: It is worth noting that despite an increase in between 2009 and 2010, the percentage of malicious code that propagated through CIFS file transfer fell by four percentage points between 2010 and 2011. Fewer attacks exploited CIFS as an infection vector in 2011.
File transfer via email attachments continues to decline: It is worth noting the continued decline in the percentage of malicious code that propagated through email attachments for the fifth year running. Between 2010 and 2011, the proportion of malware using this mechanism fell by four percentage points.
While this propagation mechanism is still effective, Symantec anticipates that this downward trend will continue into the near future. This is in part owing to a shift in malicious attacks through malicious URLs contained in emails rather than attachments, compared with 2010. In 2011, 39.1% of email attacks used malicious URLs, compared with 23.7% in 2010.

⁴ CIFS is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the Internet. One or more directories on a computer can be shared to allow other computers to access the files within.

⁵ Because malicious code samples often use more than one mechanism to propagate, cumulative percentages may exceed 100 percent.

Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)

Background

With targeted attacks and advanced persistent threats being very much in the news in 2011, in this section we review targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and industries.

As noted earlier in this section, overall in 2011, 1 in 238.8 emails were identified as malicious, but approximately one in 8,300 of those were highly targeted. This means that highly targeted attacks, which may be the precursor to an APT, account for approximately one in every two million emails, still a rare incident rate. However, targeted malware in general has grown in volume and complexity in recent years, but as it is designed to steal company secrets, it can be very difficult for recipients to recognize, especially when the attacker employs compelling social engineering techniques, as we highlight in this report.

Targeted attacks have been around for a number of years now, and when they first surfaced back in 2005, Symantec.cloud identified and blocked approximately one such attack in a week. Over the course of the following year, this number rose to one or two per day and over the following years it rose still further to approximately 60 per day in 2010 and 154 per day by the end of 2011.

A highly targeted attack is typically the precursor to an APT, and the typical profile of a highly targeted attack will commonly exploit a maliciously crafted document or executable, which is emailed to a specific individual, or small group of individuals. These emails will be dressed-up with a social engineering element to make it more interesting and relevant.

The term “APT” has evolved to describe a unique category of targeted attacks that are specifically designed to target a particular individual or organization. APTs are designed to stay below the radar, and remain undetected for as long as possible, a characteristic that makes them especially effective, moving quietly and slowly in order to evade detection. Unlike the fast-money schemes typical of more common targeted attacks, APTs may have international espionage and/or sabotage objectives.

The objective of an APT may include military, political or economic intelligence gathering, confidential or trade secret threat, disruption of operations, or even the destruction of equipment. Stuxnet was a good, albeit extreme example of the latter: the malware enabled an attacker to disrupt the industrial control systems within the Uranium enrichment process of a particular target.

Another characteristic of an APT is that it will also be part of a longer-term campaign, and not follow the opportunistic “smash-and-grab” approach typical of most malware in circulation today. Its purpose will be to remain undetected for as long as possible, perhaps using a variety of attacks over that period; if one attack fails then a process of continual monitoring will ensure that a follow-up attack may be more likely to succeed a few weeks later with a different approach. If successful, an attacker can use the compromised systems as a beachhead for subsequent attacks.

All of which illustrate how these attacks can be both advanced and persistent threats: A threat because its purpose is to steal data or interfere with the operations of the targeted company, and potentially exploit the compromised network now under the attacker’s control to target users in other organizations. They are advanced because of the methods employed to avoid detection, such as the use of zero-day exploits, and the means used to communicate with the command and control network; command and control instructions often involve encrypted traffic, typically sent in small bursts and disguised as normal network traffic. The key to ensuring that any stolen information can be exfiltrated without detection requires the attacker to avoid using easily detectable encryption, and to use common protocol channels that would not look out of place, but whilst making sure the data remains hidden.

Furthermore, they can be described as persistent because the aim is to maintain a foothold within the compromised company’s infrastructure, and in order to achieve this, the attacker will use numerous methods to achieve this. The attackers have a very clear and specific objective, they are well-funded and well-organized and without the right protection in place, these threats have both the capability and the intent to achieve their desired goals.

Methodology

Defining what is meant by targeted attacks and APT is important in order to better understand the nature of this mounting threat and to make sure that you have invested in the right kinds of defenses for your organization.

The types of organizations being targeted tended to be large, well-known multi-national organizations, and were often within particular industries, including the public sector, defense, energy and pharmaceutical. In more recent years the scope has widened to include almost any organization, including smaller and medium-sized businesses. But what do we really mean by targeted attacks and advanced persistent threats?

An attack can be considered as targeted if it is intended for a specific person or organization, typically created to evade traditional security defenses and frequently makes use of advanced social engineering techniques. However, not all targeted attacks lead to an APT; for example, the Zeus banking Trojan can be targeted and will use social engineering in order to trick the recipient into activating the malware, but Zeus is not an APT. The attacker doesn’t necessarily care about who the individual recipient is; they may have been selected simply because the attacker is able to exploit information gathered about that individual, typically harvested through social networking Web sites.

Social engineering has always been at the forefront of many of these more sophisticated types of attack, specially designed to penetrate a company’s defenses and gain access to intellectual property or in the case of Stuxnet, to interfere with the physical control systems of an operation. Without strong social engineering, or “head-hacking,” even the most technically sophisticated attacks are unlikely to succeed. Many socially engineered attacks are based on information harvested through social networking and social media Web sites. Once the attackers are able to understand their targets’ interests, hobbies, with whom they socialize, and who else may be in their networks; they are often able to construct more believable and convincing attacks.

The data in this section is based on analysis of targeted email malware identified and blocked by Symantec.cloud on behalf of its customers in 2011.

Data and Commentary

In 2010 Stuxnet and Hydraq grabbed headlines and gave clear demonstration to warnings the security community had raised for years; that malware could be used for cyber-terrorism, real world destruction and industrial espionage.

In 2011 Stuxnet became a teachable moment for many trying to explain the need for better cyber-defenses, and as an inspiration for security researchers searching for new types of systems that could be hacked. Duqu, discovered in October 2011, brought the news back to the actual threat of Stuxnet. Based in part on actual Stuxnet code, Duqu was discovered performing reconnaissance within a handful of organization, its future target not yet clear. Reports from Iran of a Star virus, may have been an early report of Duqu (exfiltration of data by Duqu was hidden appended to the end of a JPG file containing a picture of the solar system), but Duqu contained no payload and we have yet to see any version of Duqu built to cause cyber-sabotage. This offspring of Stuxnet, to this point, remains only interested in gather information.

Figure B.12. Average number of targeted email attacks per day, 2011. Source: Symantec.cloud

Various long term attacks against the petroleum industry, NGOs and the chemical industry (as reported by Symantec as the Nitro attacks) also came to light in 2011. And of course “hactivism” driven attacks by Anonymous, LulzSec and others dominated security news in 2011. The ongoing arrests of some of the people behind these attacks will clearly dominate coverage in 2012; at least for a while. The hactivism on 2011 brought on much needed discussion on fixing poor security practices. And clearly protecting customer’s information should be a top priority for all companies in 2012 and beyond. But hacktivim and high profile attacks tended to obscure how common targeted attacks had become. And fruitless arguments about the appropriate use of the term Advanced Persistent Threat (APT) drove debate but shed no real light on targeted attacks.

To understand the nature of targeted attacks Symantec collected data on over 26,000 attacks that could clearly be identified as targeted. These attacks were email based and contained a malicious payload.

Using our advanced data analytics framework, named TRIAGE⁶, we were able to identify distinct targeted attack campaigns as well as define characteristics and dynamics of these attack campaigns. From this study we have drawn conclusions about targeted attacks, which contradict some popular, but admittedly not universally held, assumptions about targeted attacks.

Assumption: Only large corporations, governments and defense industries are being targeted for attack.

The total number of attacks aimed at organizations with less than 2500 employees is roughly equal to attacks aimed at organization with greater than 2500 employees.

Assumption: Only Senior Managers and subject matter experts get targeted

Attackers want to capture the knowledge workers who have access to intellectual property (IP), but they don’t have to attack them directly to get the information they want.

Assumption: A targeted attack is a single attack

Too often organizations think that if they are not the target of a high profile attack, or if one attack has been blocked, that their troubles are over. However, our research shows that a targeted attack can go on for months. The attack will change over time, with new social engineering, new malware, and often leveraging multiple zero day vulnerabilities. What our research does not show is attackers giving up after one attempt to breach an organization.

6Developed by Symantec in the context of the European funded WOMBAT research project (http://www.wombat-project.eu/), TRIAGE is a novel attack attribution method based on a multi-criteria decision algorithm. This technique has been implemented and used to analyze various types of threats. In 2009, it has been used to provide input to the Symantec Report on Rogue Security Software. TRIAGE is currently improved and enriched with Visual Analytics technologies in the context of another European funded research project named VIS-SENSE (http://www.vis-sense.eu/), in which Symantec collaborates with five other partners.

The Characteristics of a Targeted Attack

Defining a larger versus medium versus small company can be somewhat arbitrary. For the purposes of our research we have defined large companies as those having over 2,500 employees. Medium companies are between 250 and 500; and small as those companies with less than 250 employees. When comparing the number of targeted attacks directed at companies with 2,500 or more employees and companies with less than 2,500 we see an equal split.

28.3% of all targeted attacks are targeted at small to medium-sized companies as illustrated in figure B.13. And despite the commonly held believe of small businesses that they would never be the victims of a targeted attack, 17.8% of all targeted attacks are directed at small businesses with up to 250 employees.

Figure B.13. Targeted attacks by company size, 2011. Source: Symantec.cloud

Each of these targeted attacks is a single attack against a single individual. However, this does not mean that each individual is only attacked once. In the targeted attack campaigns analyzed by Symantec a clear picture emerges on the restlessness of attackers once they find a targeted. The data below shows attacks against an individual we’ve given the alias Mr. X. Mr. X was attacked repeatedly over a nine-month period. In the month of June of 2011 alone Mr. X was attacked 24 times - almost daily.

Figure B.14. Targeted attacks against one individual (Mr. X), 2011. Source: Symantec.cloud

On average a target will see quite a few less attacks than Mr. X, but this may reflect the quick success of such attacks, rather than the attackers giving up quickly. Additionally, the ability of Mr. X to avoid infection may well be countered by the attackers infecting co-workers.

The strategy of using co-workers to move towards the ultimate targeted is quite common and may be the go-to-method against targets as resilient as Mr. X. Additionally, a large number of attacks against one organization may be used as the opening gambit in an attack where valuable individual targets have not yet been identified by the attacker.

This “spray and pray” method allows attackers to get a foothold into an organization and use that foothold to gather intelligence and to leap to their ultimate target. Think of these as massive attacks, and yet targeted organizationally; in other words a Massive Organizational Targeted Attack (MOTA). Based on our research, the average targeted attack campaign will comprise 78 attacks targeting 61 email addresses within a 4 day period. And yet some attack campaigns were observed lasting up to 9 months and targeting as many as 1,800 mailboxes. Who are these targets?

Figure B.15. Targeted attacks against job function, 2011. Source: Symantec.cloud

While 42% of the mailboxes targeted for attack are high-level executives, senior managers and people in R&D, the majority of targets are people that are unlikely to have such information. Why then are they targeted?

As we’ve said, they provide a stepping-stone to the ultimate target. And in the case of Personal Assistants, Sales and Media (Public Relations) they work closely with people who are the ultimate target. But just as important, these people are also easy to find and research online: email addresses for public relations people, shared mailboxes and recruiters are commonly found on a company’s web site.

Additionally, these people are used to being contacted by people they do not know. And in many cases part of the job requires them to open unsolicited files from strangers. Think of how many resumes a recruiter receives each day in a document or PDF file attachment. Finally, under the illusion that targeted attacks are only aimed at high level executives or those working with the company’s intellectual property (IP), they are less likely to have their guard up against social engineering.

Figure B.16: Breakdown of document types being attached to targeted attacks, 2011. Source: Symantec.cloud

In Figure B.16, we can see that malicious PDFs continue to be largely used in targeted attacks (over one third of attacks). However, malicious Zip and RAR archives start to be commonly used by attackers (27% of the attacks). It is worth noting that PE32 executable files attached to emails are very infrequent in targeted attacks.

Looking at the break out of targeted attacks by industry it is not surprising that the most frequently targeted organizations are Governments. These organizations see the most attacks and this data will come as no surprise to them. However, other industries clearly are experiencing targeted attacks.

Symantec research shows that “niche” sectors are usually more targeted by highly focused attacks. While Government and Defensive industries are more likely to see a MOTA type of attack, industries like Agriculture, Construction, Oil and Energy mainly see attacks that are highly targeted at a small number of companies and individuals within them.

Figure B.17: Analysis of targeted attacks by top-10 industry sectors, 2011. Source: Symantec.cloud

This is not to say that Government and Defense Industries do not see highly targeted attacks. Two-thirds of attack campaigns involved either a one-off or a very limited number of attacks against organizations active in the same sector.

Over 50% of those single-sector campaigns target the Government and Defense industry sectors. This type of highly targeted attack campaign can be illustrated with the Sykipot attacks. These attacks were part of a long-running series of attacks using the Sykipot family of malware. Sykipot has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. The latest wave spiked on December 1, 2011 with a huge increase of targeted individuals being sent a PDF containing a zero-day exploit against Adobe Reader and Acrobat (CVE-2011-2462). The attackers involved in Sykipot have a history of attacking various industries; however, a majority of these attacks belong to the defense industry. More details on Sykipot attacks can be found later in this section and also in Appendix D – Vulnerability Trends.

One in three targeted attack campaigns are instead organized on a large-scale and fit the profile of a Massive Organizationally Targeted Attack; they target multiple people in multiple organizations, in different sectors, over multiple days. Most of these large-scale campaigns are very well resourced, with up to 4 different exploits used during the same campaign. Some are even multilingual: the language used in the email attack is tuned to the targeted recipients (such as the use of Chinese for .cn recipient domains, Japanese for .jp, Russian for .ru, etc.).

Examples of this type of attack campaign include the long-running series of Taidoor attacks, or more recently the Nitro attack waves. The bulk of the Nitro attacks were launched in late July 2011 and continued into mid-September and late October 2011. The purpose of the attacks appears to be industrial espionage, mainly targeting the chemical and petroleum industries, collecting intellectual property for competitive advantage. However, our research shows that the Nitro attackers could also have targeted senior executives working in the Defense industry and the Aerospace domain in another series of attacks that took place in October 2011. More details on the Taidoor and Nitro attack campaigns can be found later in this section.

Case Study – MOTA campaign

NR4 is one mass-scale attack campaign out of 130 that the Symantec’s TRIAGE technology analyzed. (There is no significance to the name NR4). We do not know the ultimate goal of the attackers behind this campaign, but we do know that they targeted diplomatic and government organizations.

month period. The attacks all originated from accounts on a popular free Web-based email service. All attacks came from one of three different sender aliases. Multiple email subject lines were used in the targeted attacks, all of potential interest to the recipients, with the majority being about current political issues. Almost all targeted recipients were put in BCC field of the email.

Figure B.18: Example TRIAGE analysis of targeted attack campaign NR4, 2011. Source: Symantec

The first wave of attacks began 28 April 2011, from a single email alias. Four organizations were targeted in this first series of attacks. One of these organizations saw the CEO as well as media and sales people targeted. Over the course of the attack campaign the CEO was targeted 34 times.

On 13 May 2011, a new email account began sending email to targets. It was from this account that the majority of the attacks occurred. This aliases continued attacks on the four previous organizations but added dozens of additional organizations. One organization first targeted in this attack wave was targeted 450 times. A total of 23 people in the organization were targeted, with the main focus being on researchers within the organization.

The final attack wave started 30 June 2011, and ended 19 days later. While attacking a number of organizations already part of the campaign, it also targeted 5 new organizations.

By 19 July 2011, the NR4 targeted campaign came to an end. During the 3 months of this campaign hundreds of emails, in English and in Chinese (used against Chinese speaking targets) arrived in targeted users mailboxes. While the content of the email was constantly being changed, each email contained an attached PDF or RAR file with the same exploit that would infect users once the attachment was opened. Interestingly, our research also showed that the three attackers involved in this NR4 campaign have been using the same command and control (C&C) servers for controlling compromised machines and exfiltrating data.

Conclusion

Targeted attacks should be concern for all organization, large and small. While C-level executives and those that work with a company’s IP should be careful, everyone in an organization is at risk of being targeted. This is especially true of workers who in the course of their jobs typically receive email from people they don’t know. In the end, no matter the size or type of organization you have or your role in that organization, you are at risk and best practices must be followed to protect the organization. Don’t become the weakest link in the supply chain.

TRIAGE Analysis of Targeted Attacks

Background

Symantec’s advanced TRIAGE data analytics technology aims at answering some fundamental questions about targeted attacks, such as:

Attribution: Can we link series of similar attacks, perhaps targeting different organizations - on the same or different dates - to larger-scale campaigns likely organized by the same group of individuals?
How many different groups of attackers can we identify based on their modus operandi?
What are the characteristics and dynamics of such attack campaigns? Can we observe multiple connections among those attacks, for example regarding the subjects used the malicious attachments, the targeted recipients or the date of the attack?

Methodology

To identify series of targeted attacks that are likely performed by the same individuals, we have used a novel attack attribution named TRIAGE. Developed by Symantec in the context of the European funded WOMBAT research project (http://www.wombat-project.eu/), TRIAGE is a novel attack attribution method based on a multi-criteria decision algorithm. This new attribution method has been implemented in an analytical software framework that is now being maintained in the context of VIS-SENSE, a European research project that aims at improving security analysis with novel Visual Analytics technologies.

By leveraging our TRIAGE data analytics, targeted attacks are automatically grouped together based upon common elements likely due to the same root cause. As a result, we are able to identify complex patterns showing various types of relationships among series of targeted attacks, giving insights into the manner by which attack campaigns are orchestrated. The TRIAGE approach is illustrated in figure B.19, below.

Data and Commentary

Insights into targeted attack campaigns
Symantec’s TRIAGE technology has identified 130 clusters of attacks, which are quite likely reflecting different campaigns organized by the same groups of individuals. Indeed, within the same cluster, all attacks are linked by at least 3 or 4 characteristics among the following ones:

The origins of the attack (Email ‘From’ address or IP address used by the attacker).
The attack date.
The characteristics of the malicious file attached to the email (MD5 checksum, AV signature and file name).
The email subject.
The targeted recipient (‘To:’ or ‘Bcc:’ address fields in the email).

Figure B.19: Illustration of Symantec's TRIAGE methodology. Source: Symantec

The Table below gives some global characteristics calculated across all attack campaigns identified by Symantec in 2011.

Figure B.19: Characteristics identified in targeted attacks, 2011. Source: Symantec

The Table shown below in figure 20, gives some global characteristics calculated across all attack campaigns identified by Symantec in 2011.

Figure B.20: Characteristics identified in targeted attacks, 2011. Source: Symantec

Based on the number of targeted recipients and sectors, we have classified the attack campaigns into two main types (Figure B.21):

Type 1 - Single-sector: highly focused attack campaigns targeting one (1.a) or several (1.b) organizations within the same activity Sector;
Type 2 - Multi-sector: larger-scale campaigns that usually target a large number of organizations across multiple sectors. This type of attacks fit the profile of Massive Organizationally Targeted Attack (MOTA).

Figure B.21: Classification of campaigns according to the number of targeted recipients and activity sectors. Source: Symantec

Type 1 – Highly targeted campaigns: Sykipot attacks

Two-thirds of attack campaigns identified by Symantec were targeting either a single, or a very limited number of organizations active in the same sector. Over 50% of those single-sector campaigns target the Government and Defense sectors. However, other industries clearly are experiencing such highly targeted attacks. Symantec research shows that “niche” sectors are usually more targeted by highly focused attacks. Industries active in sectors like Agriculture, Construction, Oil and Energy mainly see attacks that are highly targeted at a small number of companies and individuals within them.

A good example of such highly targeted campaign is the Sykipot series of attacks using the Sykipot family of malware, with a majority of these attacks targeting the defense industry or governmental organizations. The modus operandi of the attackers is always the same: they send to specifically chosen recipients an email with an appealing subject, sometimes using a spoofed email address in relation to the activity or the position of the targeted recipient, and containing a malicious document, which exploits some unknown vulnerability in Adobe Reader and Acrobat or in Microsoft Office software products. Figure B.22, below shows an example of such email. The name and address used by the attacker was those of a high-level executive having a position of Associate General Counsel within the targeted Defense industry.

Figure B.22: Example of targeted email using Sykipot malware. Source: Symantec

Figure B.23, below visualizes Sykipot attack waves identified by Symantec’s TRIAGE technology during April 2011. Three different attackers (red nodes) have sent about 52 emails to at least 30 mailboxes of employees working for two different Defense industries on three different dates. The subject lines, indicated in yellow, are shared among attackers and two of them used the same mailer agent from the very same IP address to launch the attacks. Three different MD5s were used in this Sykipot campaign (nodes in gray).

Figure B.23: A Sykipot campaign identified by Symantec's TRIAGE methodology. Source: Symantec

Type 2 – Massive Organizational Targeted Attacks (MOTA): Nitro and Taidoor attacks

One third of attack campaigns were organized on a large-scale and fit the profile of a Massive Organizationally Targeted Attack (MOTA): they target multiple people in multiple organizations, in different sectors, over multiple days. Most of these large-scale campaigns are very well resourced, with up to 4 different exploits used during the same campaign. Some are even multilingual: the language used in the email attack is tuned to the targeted recipients.

The Taidoor attacks illustrate perfectly this type of mass-scale attack campaign. These attacks can include a long series of attack waves, sometimes spread over a long period of time (several months, or even a few years in some cases). As illustrated in the figure below, the relationships between attackers in those campaigns are usually much more complex, involving many inter-relationships at different levels (for example, common MD5s, same mailer or IP address, etc.).

This may indicate that several teams of attackers are collaborating or sharing some of their resources (like malicious code, virtual servers to launch attacks, or intelligence data on the targets). They usually target a very large number of recipients working for different organizations, which can be active in completely different sectors.

Figure B.24: A Nitro campaign identified by Symantec's TRIAGE methodology. Source: Symantec

The Nitro attacks are another example of mass-scale attack campaign. The bulk of the Nitro attacks was launched in late July 2011 and continued into mid-September. Another unconfirmed Nitro campaign was also identified later in October 2011. The purpose of the attacks appears to be industrial espionage, mainly targeting the chemical and petroleum industries, to collect intellectual property for competitive advantage.

An example of email sent during those Nitro attack waves is shown in figure B.25, below. In this campaign, Symantec.cloud blocked over 500 attacks of this type, in which the attackers use a spoofed email address (presumably coming from an IT support desk) to entice users to install a fake Adobe software update packaged in a zip file, and which contains a zero-day exploit to compromise the users machines.

While most targeted recipients were employees working for chemical industries, our research has showed that the Nitro attackers have also targeted senior executives working in the Defense industry and the Aerospace domain during the same series of attacks in October 2011.

Figure B.25: Example of an email using the Nitro malware. Source: Symantec

Attack campaigns are quite often characterized by the use of specific Mailers. In our research, we have observed a substantial amount of attacks sent through free Webmail providers. The second most frequently used Mailer agents are Microsoft Outlook (Express), accounting for 18% and 6% respectively, as shown in figure B.26, below.

However, some other, less frequent Mailers have also been used in targeted attacks, such as GMX Web Mailer, which was used during the Sykipot attacks in December 2011 while targeting Defense contractors and Governmental organizations.

Figure B.26: Most frequent Mailers used in targeted attacks. Source: Symantec

Spam and Fraud Activity Trends

Fraud activity discusses phishing and spam trends. It also discusses activities observed on underground economy servers because this is where much of the profit is made from phishing and spam attacks.

organization by mimicking (or spoofing) a specific, usually well-known brand. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they can then use to commit fraudulent acts. Phishing generally requires victims to provide their credentials, often by duping them into filling out an online form. This is one of the characteristics that distinguish phishing from spam-based scams (such as the widely disseminated “419 scam¹” and other social engineering scams).

Spam is usually defined as junk or unsolicited email sent by a third party. While it is certainly an annoyance to users and administrators, spam is also a serious security concern because it can be used to deliver Trojans, viruses, and phishing attempts. Spam can also include URLs that often link to malicious sites that, without the user being aware of it, attack a user’s system upon visitation. Large volumes of spam could also cause a loss of service or degradation in the performance of network resources and email services.

This section discusses the following metrics:

¹http://www.symantec.com/connect/blogs/419-oldest-trick-book-and-yet-another-scam

Analysis of Spam Activity Trends

Background

This section discusses the patterns and trends relating to spam message volumes and the proportion of email traffic identified as spam during 2011.

Methodology

The analysis for this section is based global spam and overall email volumes for 2011. Global values are determined based on the statistically representative sample provided by Symantec’s Brightmail² operations and spam rates include spam blocked by Symantec.cloud.

Data and Commentary

Figure C.1. Global spam volume in circulation, 2011. Source: Symantec

There were approximately 41.1 billion spam emails in circulation worldwide each day overall in 2011, compared with 61.6 billion in 2010; a decrease of 31.8% in global spam volume.