Threat report H2 2012

H2_2012_incidents_calendar

Threat report H2 2012

This time of the year is always interesting. It is the time when Labs looks back on the past half-year to summarize what has happened in the threat landscape. I can proudly announce that the report for H2 2012 has been published and is free for you to download and read!

The report is once again packed with highly interesting reading on the threats that we all face when using the net. And this report is not just a repetition of what has been published in the media. A compilation like this makes it easier to spot the trends and the big picture. Thanks guys for putting it all together! And of course for the continuous research effort that it is based on. (I’m not going to list all the names here, the full list of contributors can be found in the report.)

Here’s some teasers…

Botnets. ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. Read more about ZeroAccess and botnets in general at page 15 – 20.

Exploits. Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems. Learn more about exploits at page 25-27.

Banking trojans. With regards to banking-trojans, a botnet known as Zeus—which is also the name for the malware used to infect the user’s machines—is the main story for 2012. Browse to page 21-24 to read how the traditional way to rob a bank has become hopelessly old-fashioned.

The web. Common sense is still important when surfing, but it is becoming increasingly difficult to spot the dangerous places. Ad-networks are integrated in an increasing number of sites and can distribute malware through web portals that should be trustworthy. More about the web’s dangerous places at page 28-31.

Mobile devices. Did you know that there is malware on all commonly used mobile platforms? But Android has the questionable honor to lead the pack, and the others are far behind. The full story is on page 35-37.

The threat report covers all this and a lot more. Why not make sure that you are up to date on the threat scenario by continuing to the report. It is highly recommended reading.

Micke

More posts from this topic

Android

Android’s Stagefright bug – phone vendors taken with their pants down

You have all heard the classic mantra of computer security: use common sense, patch your system and install antivirus. That is still excellent advice, but the world is changing. We used to repeat that mantra over and over to the end users. Now we are entering a new era where we have to stress the importance of updates to manufacturers. We did recently write about how Chrysler reacted fairly quickly to stop Jeeps from being controlled remotely. They made a new firmware version for the vehicles, but didn’t have a good channel to distribute the update. Stagefright on Android demonstrates a similar problem, but potentially far more widespread. Let’s first take a look at Stagefright. What is it really? Stagefright is the name of a module deep inside the Android system. This module is responsible for interpreting video files and playing them on the device. The Stagefright bug is a vulnerability that allows and attacker to take over the system with specially crafted video content. Stagefright is used to automatically create previews of content received through many channels. This is what makes the Stagefright bug really bad. Anyone who can send you a message containing video can potentially break into your Android device without any actions from you. You can use common sense and not open fishy mail attachments, but that doesn’t work here. Stagefright takes a look at inbound content automatically in many cases so common sense won't help. Even worse. There’s not much we can do about it, except wait for a patch from the operator or phone vendor. And many users will be waiting in vain. This is because of how the Android system is developed and licensed. Google is maintaining the core Linux-based system and releasing it under an open license. Phone vendors are using Android, but often not as it comes straight from Google. They try to differentiate and modifies Android to their liking. Google reacted quickly and made a fix for the Stagefright bug. This fix will be distributed to their own Nexus-smartphones soon. But it may not be that simple for the other vendors. They need to verify that the patch is compatible with their customizations, and releasing it to their customers may be a lengthy process. If they even want to patch handsets. Some vendors seems to see products in the cheap smartphone segment as disposable goods. They are not supposed to be long-lived and post-sale maintenance is just a cost. Providing updates and patches would just postpone replacement of the phone, and that’s not in the vendor’s interest. This attitude explains why several Android vendors have very poor processes and systems for sending out updates. Many phones will never be patched. Let’s put this into perspective. Android is the most widespread operating system on this planet. 48 % of the devices shipped in 2014 were Androids (Gartner). And that includes both phones, tablets, laptops and desktop computers. There’s over 1 billion active Android devices (Google’s device activation data). Most of them are vulnerable to Stagefright and many of them will never receive a patch. This is big! Let’s however keep in mind that there is no widespread malware utilizing this vulnerability at the time of writing. But all the ingredients needed to make a massive and harmful worm outbreak are there. Also remember that the bug has existed in Android for over five years, but not been publically known until now. It is perfectly possible that intelligence agencies are utilizing it silently for their own purposes. But can we do anything to protect us? That’s the hard question. This is not intended to be a comprehensive guide, but it is however possible to give some simple advice. You can stop worrying if you have a really old device with an Android version lower than 2.2. It’s not vulnerable. Google Nexus devices will be patched soon. A patch has also been released for devices with the CyanogenMod system. The privacy-optimized BlackPhone is naturally a fast-mover in cases like this. Other devices? It’s probably best to just google for “Stagefright” and the model or vendor name of your device. Look for two things. Information about if and when your device will receive an update and for instructions about how to tweak settings to mitigate the threat. Here’s an example.   Safe surfing, Micke Image by Rob Bulmahn under CC BY 2.0

July 30, 2015
BY 
hacking team, hack like a champion, why hacking team matters

3 reasons the Hacking Team story matters from Mikko Hypponen

Hacking is in the news. The U.S. recently disclosed that it was the victim of what may the biggest, most consequential hack ever. We hacked some politicians. And a group called "Hacking Team" was hacked itself. Brian Krebs reports: Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. The disclosure of a zero-day vulnerability for the Adobe Flash Player the team has used has already led to a clear increase of Flash exploits. But this story has a larger significance, involving serious questions about who governs who can buy spyware surveillance software companies and more. Our Chief Research Office Mikko Hyppönen has been following this story and tweeting insights and context. Reporters from around the world have asked him to elaborate on his thoughts. Here's a look at what he's been telling them 1) What is your opinion about the Hacking Team story? This is a big story. Companies like Hacking Team have been coming to the market over the last 10 years as more and more governments wanted to gain offensive online attack capability but did not have the technical know-how to do it by themselves. There's lots of money in this business. Hacking Team customers included intelligence agencies, militaries and law enforcement. Was what Hacking Team was doing legal? Beats me. I'm not a lawyer. Was what Hacking Team was doing ethical? No, definitely not. For example, they were selling hacking tools to Sudan, whose president is wanted for war crimes and crimes against humanity by the International Criminal Court. Other questionable customers of Hacking Team include the governments of Ethiopia, Egypt, Morocco, Kazakhstan, Azerbaijan, Nigeria and Saudi Arabia. None of these countries are known for their great state of human rights. List of Hacking Team customers: Australia - Australian Federal Police Azerbaijan - Ministry of National Defence Bahrain - Bahrain Chile - Policia de Investigation Colombia - Policia Nacional Intelligencia Cyprus - Cyprus Intelligence Service Czech Republic - UZC Cezch Police Ecuador - Seg. National de intelligencia Egypt - Min. Of Defence Ethiopia - Information Network Security Agency Honduras - Hera Project - NICE Hungary - Special Service National Security Kazakstan - National Security Office Luxembourg - Luxembourg Tax Authority Malaysia - Malaysia Intelligene Mexico - Police Mongolia - Ind. Authoirty Anti Corruption Morocco - Intelligence Agency Nigeria - Bayelsa Government Oman - Excellence Tech group Oman Panama - President Security Office Poland - Central Anticorruption Bureau Russia - Intelligence Kvant Research Saudi Arabia - General Intelligence Presidency Singapore - Infocomm Development Agency South Korea - The Army South Korea Spain - Centro Nacional de Intelligencia Sudan - National Intelligence Security Service Thailand - Thai Police - Dep. Of Correction Tunisia - Tunisia Turkey - Turkish Police USA - FBI Uzbekistan - National Security Service 2) What happens when a company of this kind is a victim of an hacking attack and all of its technology assets are published online?  This was not the first time something like this happened. Last year, Gamma International was hacked. In fact, we believe they were hacked by the same party that hacked Hacking Team. When a company that provides offensive hacking services gets hacked themselves, they are going to have a hard time with their customers. In the case of Hacking Team, their customer list was published. That list included several secretive organizations who would rather not have the world know that they were customers of Hacking Team. For example, executives of Hacking Team probably had to call up the Russian secret intelligence and tell them that there's been a breach and that their customership was now public knowledge. The Hacking Team leak also made at least two zero-exploits public and forced Adobe to put out emergency patches out for Flash. This is not a bad thing by itself: it's good that unknown vulnerabilities that are being exploited become public knowledge. But Adobe probably wasn't happy. Neither was New York Times, as they learned that Hacking Team was using a trojanized iOS app that claimed to be from New York Times to hack iPhones. 3) Is it possible to be protected from malware provided by companies like Hacking Team? Yes. We've added detection for dozens of Hacking Team trojans over the years. Hacking Team had a service where they would update their product to try to avoid signature-based antivirus detections of their programs. However, they would have much harder time in avoiding generic exploit detections. This is demonstrated by their own internal Wiki (which is now public). Let me attach a screenshot from their Wiki showing how we were able to block their exploits with generic behavioural detection: Cheers, Sandra [Image by William Grootonk | Flickr]

July 13, 2015
adobe flash, uninstall, auto-update, click-to-play

3 ways to make Adobe Flash less annoying and/or risky

Time to update Adobe Flash if you use it. So if you do, do it now. Of course, it always feels like time to update Flash. As an internet user, it's become all of our collective part-time job. It's a reminded that while the software is free, your time isn't. This particular update was necessitated by an event you may have heard about. "The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups," Brian Krebs explained. The Hacking Team hack raised interesting questions about government surveillance and helped rattle nerves this week as computer systems kept planes out of the air and shut down the New York Stock Exchange -- freak incidents that are completely unrelated, according to disclosures thus far. But it doesn't take events like this remind us Flash exploits are so common that they're part of the business model of criminal operations like the Angler exploit kit. The key to security is always running the latest version of everything. So how do you get yourself out of the business of constantly mitigating Adobe Flash risks? Here are three ways. 1. Quit it. This is Brian Krebs' solution. He's lived without it for more than a month as an experiment. "It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently)," Krebs said. And did he notice life without it? "...not so much." So instead of updating, you can just get rid of it. 2. Auto-update. If you're going to keep it, this is the minimum precaution our Security Advisor Sean Sullivan recommends. This will make sure you're getting all the updates and will prevent you, hopefully, from being tricked into downloading malware posing as an update. So turn those "background upgrades" on. 3. Click-to-play. If you're doing number 2, you probably want to do this too. Click-to-play means Flash elements run when you tell them to. Here's how to do it in all your browsers. Not only does this expose you to fewer risks, it makes the internet less annoying and can make your browser quicker. So why not? So what did you choose? Let us know in the comments. Cheers, Jason  

July 10, 2015
BY