Jump to content

.

Global Security Report:

End of Year Report.

Events

We'll discuss some of the bigger stories we've seen surrounding email and web threats throughout the past 6 months, including malware campaigns leveraging mobile platforms, the bigger breaches of the year, the end of the Blackhole toolkit, cybercrime takedowns, and the CryptoLocker virus.

Metrics

What's a good report without some colorful graphs? Here we'll show you various metrics from the data we have gathered this past year. This will include the actual ratio of unwanted or malicious traffic to valid, the top viral threats we've seen as well as regions of origin, among others.

Cyber World

In this section we'll discuss cyber events from around the world that have occurred during 2013. We'll look at DSD, a distraction technique used by cybercriminals as they're emptying your bank accounts, as well as the continuing rise of mobile malware and some of the techniques we saw cybercriminals use this year.

Hover your mouse on an icon for more info,
Click an icon for full story!

What We've Seen in 2013

Another year is in the books and so much happened that it was hard to decide what to put in our year-end wrap up. Everyone is still reeling from the very recent Target breach where cybercriminals made off with over 40 million credit and debit card accounts during the United States' busiest shopping time of the year. Criminals were able to place malware directly on the point-of-sale (POS) systems of each of Target's 1800 stores. They siphoned off account information and sent the data to servers in Eastern Europe. Those account credentials were immediately turned around and sold to buyers in the US for up to $100 each. This was a big hit on Target and a bigger hit on US consumers. In fact, it was the biggest since Albert Gonzalez masterminded the major TJX breach back in 2007. We also saw some of the tools that online criminals use to do their jobs come and go last year. The Blackhole toolkit and thousands of infected botnet hosts were taken down, along with the cybercriminals that ran them. This 12-month report will discuss these issues and many of the others we witnessed in 2013. In addition we will share metrics as seen by AppRiver's SecureTide™ and SecureSurf™ filters from our nodes throughout the world. We'll point out recent trends in spam and malware both from an email and web perspective and share some insight about what we can expect for the rest of the year.

Events

Once More Into the Breach(es)

Given their frequency and the new rules for disclosure, security breaches have become commonplace. This year was no exception as several high profile attacks made the news, including breaches at Target and the Ubuntu forums.

One that stood out was the breach Adobe's network, when hackers made off with 150 million emails and encrypted passwords belonging to account holders. A good chunk of source code for undisclosed Adobe products was also taken in the attack. While Adobe did hash the users' passwords, they felt it safe enough to leave the email addresses as well as their password hints in plain text. Since the stolen data was soon posted all over the internet, it was then accessible to anyone who looked for it. After analysis of the list, it was clear that a lot of people use their actual password as their password hint. Many also use the same password on multiple accounts. AppRiver discourages these dangerous practices for obvious reasons.

Breaches are always going to happen because nothing is ever perfect - especially security. That's why you owe it to yourself to be as safe as possible and not to rely solely on someone else to do it for you.

The perfect place to start is with password safety.

By using multi-layered security practices, beginning with your password, you will make it much harder for anyone to steal your private information.

The first step in making a secure password is to think length. For each character or symbol you add, its security rises exponentially. AppRiver recommends using at least seven characters.

These should appear to a stranger as nothing more than a random string of characters, incorporating a good mix of upper and lower case letters, numbers, and punctuation symbols. You should also avoid sequential or repeating instances.

One good method is to use look alike characters to substitute for other letters in your password, such as the at symbol (@) for a, the dollar sign ($) for s, and so forth. There is a risk when only using this technique in an attempt to obfuscate your password, as many password guessing programs are well aware of these rather simple substitutions and try them themselves. Therefore if you're still using common words as a basis for your password, such as "cH0c0!@t3" for the word "chocolate" you may not be any more secure.

A good trick is a nice long acronym or partial words from a phrase to throw off any sort of dictionary based attack. Take a nice long sentence that you'll remember such as "I hate making up new passwords" and turn it into "!h8MunP@$s".

Of most importance is using different passwords. Using the same password for all of your online accounts places all of your information behind a single entry point. If a hacker gets his hands on your email password (for example) they will commonly attempt to access other accounts using the same credentials. So, though it can be cumbersome at first, make the extra effort to use different passwords for different accounts.

Some people choose to use a password manager in order to keep up with all of these unique passwords for all of their different accounts. Password managers certainly can be a good thing once you realize you're running dozens of different programs all with unique log-ins. The only trouble with a password manager is that it's another single point of failure sort of situation. So, make sure that the password management application that you choose utilizes a very secure encryption algorithm.

Another strong feature to look out for is the ability to securely store and to only be able to activate your password manager through the use of a removable fob such as a USB key, or other multi-factor authentication techniques. Do not rely on simply using a master password for a password management system. And if you do use a device such as a USB key, don't leave it lying around.

Takedowns

2013 has been a busy year for agencies fighting cybercrime. Government and Private institutions have started working closely together to fight online threats and crack down on illegal operations. Microsoft has started putting a lot of effort and resources in to these takedowns and they have even created a hi- tech Digital Crimes Unit to undertake these tasks.

Midyear, Microsoft along with the FBI took down more than 1400 botnets associated with the Citadel Malware. By taking over the botnet, they were able to send new files to the infected computers allowing them to download antivirus software (which Citadel had disabled). More recently, Microsoft and the FBI again disrupted another botnet known as Zeroaccess. The Zeroaccess botnet was aimed at redirecting user clicks to ads, generating money for the botnet owners. The botnet had infected nearly 2 million computers and had done an estimated 2.7 million dollars in damage.

While doing this type of damage control with cyber threats is usually a good step, finding the root of the issue is just as, or even more important. Government agencies have more and more started focusing on finding the hackers and malware writers. By finding the source, they can get more details about the scope of the issue and possibly more on who else has been involved with it. Just recently Russian authorities arrested someone known as "Paunch" for his role in allegedly creating the Blackhole exploit kit. There aren't many details about it that have been released yet but this shows that the government is starting to play a key role in tracking down the source of malware.

Cybercrime isn't limited to just hackers and malware either. There are also black markets for goods and services in the cyber world. The most prominent market for illegal goods was known as Silk Road. Earlier this year the FBI arrested the main person behind the Silk Road, 29-year-old Ross William Ulbricht. The Silk Road focused on selling illegal goods and services using Bitcoin as a currency. While Bitcoin itself is a perfectly legal virtual currency, it was preferred for these illegal activities due to people being able to use it anonymously online. The website itself was also run anonymously using the TOR network. TOR uses the internet but it is run via nodes that connect to each other using a special type of anonymous routing called Onion Routing. A user that logs on to TOR is able to do so anonymously through this onion routing and have their traffic routed through TOR nodes to hide their source location. This method of routing not only hides the user's source location but it also hides the destinations IP location information as well.

This anonymous browsing ability and anonymous payment with Bitcoin makes it difficult for authorities to track down illegal activities online. There still isn't much known about how the FBI was able to locate the Silk Road servers but many experts think they were able to find vulnerability in the website itself and take advantage of the server to figure out its location and make the arrest.

Finding these malware coders, busting illegal online activities, and taking down botnets makes commerce safer online. It's good to see companies and governments get more sincere about online security. Many laws and businesses still have a long way to go to catch up with cyber threats, but it's always important to remember that when one thing is taken down or removed from the internet, there will usually be a similar service or malware to fill the missing void.

CryptoLocker

In late 2013, we were introduced to a new ransomware known as Cryptolocker. Cryptolocker is very similar to most other Ransomware in that an infected computer will show a pop up saying something like "you must pay us or face some sort of consequence." With most ransomware, it's some sort of empty threat like the FBI is demanding money from you or you will be arrested. Or perhaps they will go as far as locking you out of certain tasks until you pay the ransom. With Cryptolocker though, it is programmed to hold your files hostage until you pay.

Cryptolocker was able to do this using by using a strong encryption on the local pc files. Getting infected with Cryptolocker was usually done via email attachment and getting a user to run an exe. Once Cryptolocker started up, it would reach out to a remote server and get private encryption keys that only the server would know. These keys would be used to encrypt the files on the computer, and those keys would also be what were held at the remote server until you paid to have your files decrypted.

After retrieving these keys, the virus would then start scanning the computer and encrypting files. The virus didn't encrypt every single file it found though. If it did that, it would most likely break the operating system and the computer would be unusable. They normally encrypted user documents like PowerPoints, spreadsheets, and pictures. In total there are about 70 file extensions it would look for.

Once it found a file that matched its extension list and that was smaller than 100 megabytes, it would encrypt it and make a note in the registry of the file path with the newly encrypted file. It would later use those registry entries to know which files to decrypt later on. After scanning the entire computer and any attached network storage, the Cryptolocker virus would pop up and inform you of its presence. This means most people only found out they had the virus after everything had already been done.

The software would present a screen with a shield on it and big letters saying "Your personal files are encrypted!" It goes on to provide a list of the encrypted files and explain you need that private key to decrypt them. The price for the file decryption was $300. Attempting to remove the virus could end up with all of the files being lost with no chance of recovery via the ransomware interface. If people were keeping good backups, many users would have been able to remove the virus and restore the affected documents form backups. Unfortunately many users had no such option. If they chose to pay the ransom, the screen would lead them to a page for payment options.

The payment options varied through the versions of Cryptolocker but the main options that were there were to use a prepaid MoneyPak card or use Bitcoin. Selecting either option will bring up a screen to enter the relevant payment info. After doing so and clicking submit, the software will then attempt to reach out to the remote server, verify payment, get the encryption key, and decrypt files. After attempting to pay, the payment verification could take days to complete. In some cases, the payments would never go through and users simply lost all their files.

Some people may think that by just finding the remote server, authorities would be able to shut it down and stop the problem. Ideally this would work but the programmers of the virus built in a special ability to the virus to make this very difficult. The virus was programmed to come up with about 1000 unique and seemingly random domain names a day. But the domains weren't actually random. They used a special algorithm to generate them. The virus would attempt to connect to the remote server based on the domain names it generated. Without knowing the algorithm it was using to generate these names, there would be no feasible way to block the remote server based on domain name. This lead to a blind spot in network security by admins and security software being unable to stop outbound connections based on the domain name.

Cryptolocker didn't hit until later in 2013 but it was certainly one of the more widely known threats of the year. Many people had extremely important documents encrypted by Cryptolocker. Some of these infections were on personal computers and many were on business computers with sensitive information. This was leading them to go online and ask around in forums looking for advice or help. One of the more common answers given unfortunately was to just pay and hope it works. Paying the ransom only adds fuel to the fire of future ransomware campaigns though. Ideally no one should pay any of these ransoms. In the long run if no one paid, it wouldn't be worth the time for coders to make ransomware. However, we know they will, so the effectiveness of this ransomware tactic will probably be used again in the future for new campaigns.

When a Blackhole Collapses

Ok, well the jury is still out on whether or not a real black hole can actually collapse in on itself - most likely not - but general relativity is another matter. The black hole that we're referring to here is the Blackhole Toolkit and back in October of this year its creator "Paunch" was arrested. Blackhole has been the most prevalent of all toolkits utilized by internet crime rings since its original release in 2010. It continued to gather momentum and seemed to really hit its peak in early 2012 when it was everywhere we looked. It seemed that the majority of the large malware bursts during this time linked directly to the Blackhole Exploit Kit. Almost immediately following the arrest of its author and his partners, the criminal landscape discontinued its use and migrated quickly over to new exploit kits such as Magnitude, Redkit, Sweet Orange, and Phoenix.

Initially after the arrest, it appeared cybercriminals immediately turned toward Sweet Orange toolkit as occurrences rose greatly. But then about two weeks later it looked as though Magnitude had become the go-to kit. The reason for the sudden shift in this community is unclear; it could be strictly a coincidence, or possibly just an anomaly as Paunch's clients figured out what to do next.

The Cutwail botnet which began its rise to fame by distributing massive amounts of the Gameover Zeus Trojan, a well-known banking virus, soon also began utilizing the same malicious iframe technique in order to push out the ZeroAccess malware from Magnitude. The ZeroAccess family of malware concentrates mostly on sending spam, click fraud attacks and Bitcoin mining.

All of these kits make it extremely simple for even the technically challenged to infect thousands of machines and in turn steal tons of personal information and money. Sometimes a cybercriminal will get arrested, sometimes a botnet will be shut down, but one always seems to have been waiting in the wings for their moment at the top.

Other active exploit toolkits in addition to those listed above during the year 2013 were: Nuclear, Neutrino, Bleedinglife, CrimeBoss, and Styx.

Metrics

Regions of Origin

Traffic By Region

This graph represents both spam and malicious email traffic by region. Europe was again the most common region of origin for spam accounting for 38 percent of all spam traffic seen by our filters.

Total Email Traffic Volume


This chart represents spam traffic throughout 2013. Spam volume was up in 2013 peaking during the month of August. In all, we quarantined 28.3 billion spam messages in 2013. This was a 128 percent increase over the amount seen the previous year.

12 Month Virus Activity

Virus Frequency

This chart represents emails containing malware in attachments during 2013 as seen by AppRiver filters. While we are seeing a much greater amount of malware being delivered via malicious links lately, malware contained in email attachments is still a popular infection vector. In all we have quarantined just over 479 million messages containing malware as an attachment in 2013.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during 2013.

Web-Based Malware

AppRiver monitored a daily average of 4.2 million Web-based malware threats. Listed below are the top 10 threats as measured by the number of unique locations where that threat was discovered on the Web. A location is defined as a URI, domain, IP or URL pattern match.

Top Threats Email Viruses
X.W32.Sasfis.pak 138,498,866
X.W32.pay.dblxa 86,640,767
X.UPX.App.pakuberc 64,785,167
X.W32.Rapid.RogueAV.124.d 33,969,179
X.W32.kryp.pak.717 181,681
Mal/Iframe-W 24,251,279
X.Troj.Zbot.Generic.pak 10,921,769
Suspect.DoubleExtension-z 7,622,693
W32\Spy.Zbot.AAU_trojan 6,062,202
X.W32.BredoZp.njup_F 5,979,314
X.W32.UPX.uberb 4,892,916
X.W32.Bredo.App.pakc 4,735,121
X.W32.Nac.pak.1024a 4,702,423
X.DHLRed30.zip 4,701,587
JS\Redirector.NJE_trojan 4,131,043
X.W32.PX.pakb 3,955,787
X.W32.Bredo.fex.0810a 2,798,039
W32\PSW.Papras.CP_trojanF 2,315,682
X.MMSatt101.zip 2,011,667
X.Injector.AKMY.zip805 1,834,984
W32\Exploit.CVE-2012-0158 1,819,578

Top Web Threats of 2013

AppRiver monitored a daily average of 4.3 million Web‐based malware threats. Listed below are the top 20 threats as measured by the number of unique locations where that threat was discovered on the Web. A location is defined as a URI, domain, IP or URL pattern match.

  • Mal/HTMLGen-A
  • Troj/DDoS-AN
  • Mal/ObfJS-R
  • Troj/Iframe-JH
  • Mal/Badsrc-C
  • Troj/JSRedir-GS
  • Mal/Badsrc-M
  • Mal/FBJack-A
  • Mal/WinDocWr-A
  • Troj/JSRedir-JT
  • C2/Generic-A
  • Troj/Redir-X
  • Mal/FBJack-I
  • JS/RefC-Gen
  • Mal/Generic-L
  • Troj/JSRedir-GW
  • Mal/ObfJS-AL
  • Troj/Badsrc-M
  • Mal/SEORed-D
  • Mal/FunDF-A

Top Emerging Web Threats of 2013

This is a list of the Web-based threats for which we saw the most added locations during the calendar year 2013. A location is defined as a URI, domain, IP or URL pattern match.

  • Mal/HTMLGen-A
  • Troj/DDoS-AN
  • Troj/Iframe-JH
  • MALWARE
  • Troj/JSRedir-JT
  • Mal/FBJack-A
  • Mal/WinDocWr-A
  • Mal/FBJack-I
  • Mal/Badsrc-C
  • C2/Generic-A
  • Troj/Redir-X
  • Troj/JSRedir-LH
  • Troj/ExpJS-II
  • Mal/ObfJS-R
  • Troj/JSRedir-LE
  • Troj/Fujif-Gen
  • Troj/Badsrc-M
  • Mal/Generic-L
  • Mal/Badsrc-M
  • Troj/LdMon-A

The Cyber World

DSD - Distributed Spam Distraction

Early in January we ran across an identity fraud technique that we see several times a year. It has become especially prevalent here during the holiday season. This technique is highly targeted towards a specific individual, and is difficult to block in its entirety. It's also difficult to understand if you have no idea what is happening. It's been dubbed the DSD Technique, standing for Distributed Spam Distraction Technique. It hasn't quite caught on yet, but you never know

So here's the scenario, you're just minding your own business checking your email, maybe doing some work, when all of a sudden your inbox begins to fill with hundreds upon thousands of spam emails whose contents are nothing but mash-ups of words and phrases from literature. There are no links to follow, no hidden JavaScript, no pictures or advertisements, just words. Every email is different as well, nearly perfectly randomized, though if you comb through them carefully, you will begin to see some repeated content. The emails themselves are obviously botnet delivered too because all of the senders are different, usually freemail providers, the sending IPs are all different, and the rate at which they're arriving would make one's head spin.

After a blast lasting anywhere from 12 to 24 hours an inbox will receive around 60,000 of these seemingly benign annoyances, and then suddenly they'll just stop. After the binary dust settles you'll wonder what the point was.

While it certainly makes it nearly impossible to use your email, it actually had one specific goal in mind, distracting you from your actual valid email. The people behind this spam blast have somehow obtained personal account information for their target as well as their proper email address. In order to hide account transaction information confirmation emails, such as purchase receipts or balance transfers which now arrive instantly via email, the attackers, just before they make the illegal transactions, turn on this deluge of spam email in order for these very important emails to get lost in the flood. Once the bad guys are done with their activities they'll stop the flood

The best thing to do if someone notices this happening is not to try to monitor their email, but instead go directly to their account(s) activity. Possibly give any that may be at risk a call in advance. This may sound daunting, but not as daunting as sifting through tens of thousands of emails over a 24-hour period waiting for the one with the clue. These often need to be caught fast so that they can be stopped at the financial institution before they're finalized. Play it safe and if something seems fishy, like in this scenario, it probably is. Good safety precautions when performing any transaction online are key to preventing things from getting to this point to begin with.

The Mobile Landscape in 2013

Over the past several years, we have seen the proliferation of malware targeting mobile devices such as Android and IOS. The vast majority of the malware has been designed to target the former as Android's "open" policy has provided a broader attack surface and has been much more relaxed (than IOS) in policing their app market. This matters because the majority of mobile malware has been disguised as an app. Cyber-criminals have often designed mobile apps to appear to have one purpose when in fact there was a great deal of hidden functionality that could compromise the user's device. Lately though, Android has been putting an increased effort into to policing its app market. And though malware is still lurking on these app download sites, the malware distributors are looking to other methods and attack vectors to ramp up the distribution. One method they have turned to in 2013 is the tried and true technique of spamming.

In late October, we began seeing a unique malware campaign that poses a threat to PC users, Android users and some IOS users alike. The messages pose as notifications from WhatsApp (a messenger available for Android and other smartphones).

The messages attempt to lure the victim with a link to a "voice message". Interestingly, these message not only target PC users but also Android and IOS users (if the phone has been jail-broken). Clicking the links in these messages from an Android device will install a malicious app that will secretly send text messages to premium numbers and the victim will be left holding the tab. This infection will also effect IOS users but only if their phone has been jail-broken, since Apple only allows apps to be installed from their own app store. By distributing their malware in this fashion cyber-criminals can reach the masses and without having to get past app store safeguards.

There was another wrinkle as well: Many of these links also contain functionality to initiate a malware installation for Windows PC. Some of the links we visited from the Windows OS resulted in a file being offered for download that was personalized (presumably using geo-location) and was aptly named as Voicemail_NAMEOFCITY_randomnumbers.zip. So depending on where the machine that is being used to access the web page, you will be served with a file that is named accordingly. This is an effective technique since it provides some added customization that serves to make the whole process seem more legitimate. Inside the zipped file is a Trojan Downloader that can infect the system with many forms of malware in the future.

We have quarantined millions of these messages over the past several months but they are still coming in, which indicates that they must be "working" to an extent that is acceptable to the sender.

For a slight change of pace, the botnet that has been delivering the "What's My App" multi-platform malware, has been delivering a smaller differently themed campaign to coincide with the masses of the aforementioned.

This campaign is coming in the form of a wedding evite, specifically from the White Wedding Agency. This tactic has been used a couple of times this year already, but it wasn't quite as sophisticated as this latest run. If the link is clicked, the viewer is taken to one of a number of infected websites that, as mentioned above, wait to see what the user is using to connect before making a decision on what its actions will be. This version seems to prefer PCs more than mobile devices however as all of the infected sites we tested have reacted the same way. If the website detects the victim is using Firefox or IE to connect, it will first use the connecting IP to determine where the victim is located using IP geolocation and then it will push down a file customized with the victim's city in its name. The ones we pulled here in sunny Florida were named as such Wedding_Invitation_Gulf_Breeze(.exe). If the infected website detected that the victim was using Androis OS, iOS, or Safari to connect that same site would serve up a 404 Not Found Page. We believe that the mobile malware exists in this campaign as it does in the What's My App campaign, but have yet to see one that accepts a mobile connection.

The file that the PC victim receives is compressed in a zip file of the same name, different extension of course. The executable uses a packer by the name of AsPack to help jumble its code and to make it a little more difficult to reverse engineer. Once executed the malware injects itself into a generic process svchost.exe from there it makes a sleep call and then begins checking to see if it's in a debugger. Once this process is complete and it feels safe to move on, it creates the file okqfduln.exe in the C:\\%AppData\Local% directory and the original service deletes itself. Finally, the malware goes to town on the browser scraping browsing history, cookies, and modifies the browser proxy settings to redirect future http requests by the victim. This malware then sends info back to its command and control server and waits for further commands.

As the attack surface continues to broaden through the widespread use of multiple operating systems, so will the attackers methods and vectors. While these types of attacks have traditionally targeted PC users only, we are now seeing the emergence of these cross platform threats. We expect these to only increase in the future as cyber-criminal have shown their adaptability time and time again and show no signs of relenting any time soon.

To download this report in PDF format, click here.