Symantec Intelligence – May 2012: Malware Moves Outside of the Windows World
For years attackers have focused on Windows PCs because of three things: they were simple to exploit, they were everywhere, and the return on investment was lucrative for the thieves. What we’re witnessing now is a shift in attention from attackers. As our computing lives have moved from the once largely exclusive Windows PC world, so too have the attackers moved, hoping to continue to exploit us.
In this month’s Symantec Intelligence Report we take a closer look at this trend, exploring some of the threats outside the sphere of the Windows world. We also take a look at some recent phishing scams preying upon the buildup to the London Olympics, free online storage space, and fake Apple discounts.
In many ways the May Report picks up where volume 17 of the Internet Security Threat Report (ISTR) left off. In particular, the ISTR pointed out that, with the proliferation of Android threats in 2011, a malware shift away from Windows was clearly underway. These threats moved from being something of a novelty to a regular occurrence. This trend has continued into 2012, and the pace is still quickening. By the end of May 2011, there were 11 new Android threat families; by the end of May 2012 the number will have passed 30. That’s almost a threefold increase, year on year.
[Figure: Growth of new Android threat families in 2012]
Of particular note is a threat family called Opfake. This threat covers a wide range of device operating systems, from Symbian, to Windows Mobile, to Android, and even targets iOS devices through an elaborate phishing scam.
It’s not just mobile devices either. While Apple’s Macintosh computers have been targeted by threats here and there, the idea that this computing platform could be compromised en masse is something Internet security experts have warned about for years.
That day has finally arrived. A trojan by the name of Flashback, which first appeared last year, had a breakout performance in April, successfully infecting approximately 600,000 Macs. We discovered that the authors behind this threat may have faltered when it came to profiting from it, perhaps taken by surprise at their apparent success. However, other attackers quickly followed in their footsteps, also seeking to exploit the same weaknesses before the vulnerability was closed.
It is clear that attackers are now paying attention to other platforms outside of the Windows world. But perhaps what is even more worrying is that we’re starting to see a move to platform-independent threats.
Neloweg is a bot, with all the features and functionality you’ve come to expect to see in a bot; nothing unusual in that sense. It’s where this bot resides that is new: it performs all of these actions from within the browser. It’s not even picky about which browser: the attackers have built it to work equally well in Internet Explorer or Firefox.
So far Neloweg is indeed a Windows-specific browser bot, relying on the Windows registry to store its configuration data. But given that the browsers it targets aren’t themselves Windows-specific, it’s logical to predict that we could see this on other platforms in the future. We’ve already seen signs of Neloweg targeting WebKit, the browser engine used by both Chrome and Safari.
Why is this shift taking place? An argument could be made that Windows security has improved drastically, increasing the amount of effort required to compromise these computers. By and large, it could be said we’ve gotten wise to the ins and outs of Windows security. But what’s just as likely is attackers have simply shifted to new devices because we have. Consider the following:
- Smartphones are everywhere, and are often the first device a user reaches for to complete various computing tasks.
- Mac ownership is growing, having reached 10% of the US market.
- Browsers are platform-independent; any Internet-enabled computing device has one. With overlaps in code bases across platforms for a particular browser, threats could theoretically be ported from one platform to another without significant effort.
This is not to say that Windows isn’t still the target of choice for hackers. It still far outpaces all other infection targets in the threat landscape. What we’re seeing is that not only have attackers shifted their attention to these new computing platforms, but they are starting to see a measure of success in doing so, justifying further investment in exploiting these platforms.
We’ve seen shifts like this before. The popularity of file-infecting viruses in the late 90s and early 2000s gave way to the “age of worms”, where we bore witness to threats like Blaster and Sasser that spread across the Internet with abandon. Then, even as the wave of proliferative worms receded, a swell of covert, profit-driven threats could already be seen on the horizon.
Once again the landscape is shifting. But what’s different this time is that, for the first time, we’re seeing a notable movement away from Windows-based threats and into the realm of other platforms, devices, and even applications. Interesting times lie ahead.
In other news, the recent discovery of W32/Flamer uncovers a highly sophisticated and targeted threat, primarily aimed at a few hundred organizations and individuals located in the Middle East. Based on the latest Symantec analysis, Flamer appears to act as a general-purpose spying tool, ideally designed for cyber espionage and for stealing all types of information from compromised machines. To shed some light on this threat, the latest Symantec Intelligence Report also provides a quick round-up of what we know so far.