
Symantec Internet Security Threat Report - 2010

Threat Landscape

Targeted attacks continue to evolve

The year was book-ended by two significant targeted attacks: Hydraq (a.k.a. Aurora) rang in the New Year, while Stuxnet, though discovered in the summer, garnered significant attention through to the end of the year as information around this threat was uncovered. Although these threats have been analyzed in-depth, there are lessons to be learned from these targeted attacks.

There were large differences in some of the most publicized targeted attacks in 2010. The scale of attacks ranged from publicly traded, multinational corporations and governmental organizations to smaller companies. In addition, the motivations and backgrounds of the alleged attackers varied widely. Some attacks were also much more effective—and dangerous—than others. All the victims had one thing in common, though—they were specifically targeted and compromised.

Many organizations have implemented robust security measures such as isolated networks to protect sensitive computers against worms and other network intrusions. The Stuxnet worm, though, proved that these “air-gapped” networks can be compromised and that they still require additional layers of security. While Stuxnet is a very complex threat, not all malicious code requires this level of complexity to breach an isolated network. Because an increasing amount of malicious code incorporates mechanisms to propagate through removable media such as USB drives, isolated networks require some of the same policies and protection as user networks to prevent compromise. Endpoint protection that blocks access to external ports, such as a device control policy, can help defend against these threats.

Figure: Propagation mechanisms (Source: Symantec Corporation)

While many targeted attacks are directed at large enterprises and governmental organizations, they can also target SMBs and individuals. Similarly, senior executives are not the only employees being targeted. In most cases, a successful compromise only requires victimizing a user with access to even just limited network or administrative resources. A single negligent user or unpatched computer is enough to give attackers a beachhead into an organization from which to mount additional attacks on the enterprise from within, often using the credentials of the compromised user.

While Stuxnet included exploit code for an unprecedented number of zero-day vulnerabilities, such code is not a requirement for targeted attacks by any means. More commonly, research and reconnaissance are used to mount effective social engineering attacks. Attackers can construct plausible deceptions using publicly available information from company websites, social networks, and other sources. Malicious files or links to malicious websites can then be attached to or embedded in email messages directed at certain employees using information gathered through this research to make them seem legitimate. This tactic is commonly called spear phishing.

Spear-phishing attacks can target anyone. While the high-profile targeted attacks that received a high degree of media attention, such as Stuxnet and Hydraq, attempted to steal intellectual property or cause physical damage, many of these attacks simply prey on individuals for their personal information. In 2010, for example, data breaches caused by hacking resulted in an average of over 260,000 identities exposed per breach—far more than any other cause. Breaches such as these can be especially damaging for enterprises because they may contain sensitive data on customers as well as employees that even an average attacker can sell on the underground economy.

Figure: Average number of identities exposed per data breach by cause (Source: Based on data provided by OSF DataLoss DB)

While much of the attention focused on targeted attacks is fueled by the sophisticated methods attackers use to breach their targets, the analysis often overlooks prevention and mitigation. In many cases, implementing best practices, sufficient policies, and a program of user education can prevent or expose a targeted attack. For example, restricting the usage of USB devices limits exposure to threats designed to propagate through removable media. Educating users not to open email attachments and not to click on links in email or instant messages can also help prevent breaches.

If a breach occurs, strong password policies that require the use of different passwords across multiple systems can prevent the attack from expanding further into the network. Limiting user privileges can help to reduce the number of network resources that can be accessed from a compromised computer.

Since one of the primary goals of targeted attacks is information theft, whether the attackers seek customer records or intellectual property, proper egress filtering should be performed and data loss prevention solutions employed. This can alert network operations personnel to confidential information leaving the organization.

While Stuxnet is a very sophisticated threat, not all targeted attacks need to employ such a high degree of complexity in order to succeed. Ignoring best practices enables less sophisticated attacks to be successful. However, it is almost certain that we will continue to see targeted attacks and that the tactics used will evolve and change. Stuxnet may have provided less sophisticated attackers with a blueprint to construct new threats. At the very least, administrators responsible for supervisory control and data acquisition (SCADA) systems should review security measures and policies to protect against possible future threats.

Social networking + social engineering = compromise

Social networks continue to be a security concern for organizations. Companies and government agencies are trying to make the most of the advantages of social networking and keep employees happy while, at the same time, limiting the dangers posed by the increased exposure of potentially sensitive and exploitable information. Additionally, malicious code that uses social networking sites to propagate remains a significant concern.

Attackers exploit the profile information available on social networking sites to mount targeted attacks. For example, many people list employment details in their profiles, such as the company they work for, the department they work in, other colleagues with profiles, and so on. While this information might seem harmless enough to divulge, it is often a simple task for an attacker to discover a company’s email address protocol (e.g., firstname.lastname@company.com) and, armed with this information along with any other personal information exposed on the victim’s profile, create a convincing ruse to dupe the victim. For example, by finding other members of the victim’s social network who also work for the same organization, the attacker can spoof a message from that person to lend an air of additional credibility. This might be presented as an email message from a coworker who is also a friend that contains a link purporting to have pictures from a recent vacation (the details of which would have been gathered from the social networking site). With a tantalizing enough subject line, the ruse can be difficult for most people to resist because the point of social networking sites is to share this type of information.

Attackers can also gather other information from social networking sites that can indirectly be used in attacks on an enterprise. For example, an employee may post details about changes to the company’s internal software or hardware profile that may give an attacker insight into which technologies to target in an attack.

While increased privacy settings can reduce the likelihood of a profile being spoofed, a user can still be exploited if an attacker successfully compromises one of the user’s friends. Because of this, organizations should educate their employees about the dangers of posting sensitive information. Clearly defined and enforced security policies should also be employed.

Malicious code that uses social networking sites to infect users in a concerted attack is also a threat. For example, current variants of the Koobface worm can not only send direct messages from an infected user’s account on a site to all of that user’s friends in the network, but also update status messages or add text to profile pages. Moreover, in addition to possibly giving attackers access to an infected user’s social networking site account, some threats can also infect the user’s computer. In the case of Koobface, the worm attempts to download fake antivirus applications onto compromised computers. These threats should be a concern for network administrators because many users access their social networks from work computers.

A favorite method used to distribute an attack from a compromised profile is to post links to malicious websites from that profile so that the links appear in the news feeds of the victim’s friends. Moreover, attackers are increasingly using shortened URLs for this because the actual destination of the link is obscured from the user.1 During a three-month period in 2010, nearly two-thirds of malicious links in news feeds observed by Symantec used shortened URLs.

Figure: Malicious URLs targeting social networking users (Source: Symantec)

An indication of the success of using shortened URLs that lead to malicious websites is the measure of how often these links are clicked. Of the shortened URLs leading to malicious websites that Symantec observed on social networking sites over the three-month period in 2010, 73 percent were clicked 11 times or more, with 33 percent receiving between 11 and 50 clicks. Only 12 percent of the links were never clicked. Currently, most malicious URLs on social networking sites lead to websites hosting attack toolkits.

Figure: Clicks per malicious shortened URL during three-month period in 2010 (Source: Symantec)

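A defender-side check for the shortened links discussed above, written as an added example that is not part of the Symantec report: it expands a short URL by following its redirect chain with a hop cap and loop detection, then compares the final host against a blocklist. The `sho.rt` shortener, the redirect map and the blocklist entries are constructed sample data, and the resolver callback stands in for an HTTP HEAD request so the code runs offline.

```python
"""Expand shortened URLs and flag ones that lead to known-bad hosts.

Added example (not from the Symantec report). Redirect lookups go through an
injected callback so this runs offline; the redirect map and blocklist are
constructed sample data, not real indicators.
"""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: the Location header a HEAD request to each URL would
# return. A URL absent from the map is a final destination (no redirect).
SAMPLE_REDIRECTS = {
    "http://sho.rt/a1": "http://sho.rt/a2",          # shortener chained to itself
    "http://sho.rt/a2": "http://pics.example/vacation.html",
    "http://sho.rt/b7": "http://toolkit.example/landing.php",
    "http://sho.rt/c3": "http://sho.rt/c4",
    "http://sho.rt/c4": "http://sho.rt/c3",          # redirect loop
    "http://sho.rt/e1": "http://sho.rt/e2",          # six hops before the destination
    "http://sho.rt/e2": "http://sho.rt/e3",
    "http://sho.rt/e3": "http://sho.rt/e4",
    "http://sho.rt/e4": "http://sho.rt/e5",
    "http://sho.rt/e5": "http://sho.rt/e6",
    "http://sho.rt/e6": "http://toolkit.example/deep.php",
}

# Constructed blocklist of hosts observed serving attack toolkits.
BLOCKED_HOSTS = {"toolkit.example"}


def sample_resolver(url):
    """Stand-in for an HTTP HEAD request: return the Location header or None."""
    return SAMPLE_REDIRECTS.get(url)


def expand_url(url, resolver, max_hops=5):
    """Follow redirects from url. Return (final_url, chain, status) where
    status is 'ok', 'loop' or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = resolver(current)
        if nxt is None:                 # no Location header: final destination
            return current, chain, "ok"
        chain.append(nxt)
        if nxt in seen:                 # revisiting a URL means a redirect loop
            return nxt, chain, "loop"
        seen.add(nxt)
        current = nxt
    return current, chain, "too_many_hops"


def classify_link(url, resolver, blocked_hosts=BLOCKED_HOSTS):
    """Verdict for a link seen in a news feed: 'malicious', 'suspicious' or 'clean'."""
    final, chain, status = expand_url(url, resolver)
    host = urlparse(final).hostname or ""
    if host in blocked_hosts:
        return "malicious", chain
    if status != "ok":                  # loops and very long chains are evasion patterns
        return "suspicious", chain
    return "clean", chain


def summarize_feed(urls, resolver):
    """Count verdicts over a batch of links, as a feed monitor would report them."""
    return Counter(classify_link(u, resolver)[0] for u in urls)


if __name__ == "__main__":
    feed = ["http://sho.rt/a1", "http://sho.rt/b7", "http://sho.rt/c3", "http://sho.rt/e1"]
    for u in feed:
        verdict, chain = classify_link(u, sample_resolver)
        print(f"{verdict:10s} {' -> '.join(chain)}")
    print(summarize_feed(feed, sample_resolver))
```

In a real deployment the resolver would issue HEAD requests from an isolated host and the blocklist would come from a reputation feed; the hop cap keeps a deliberately long chain from being followed to completion.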
Other applications on social networking sites that appear to be innocuous may have a more malicious motive. Many surveys and quizzes ask questions designed to get the user to reveal a great deal of personal information. While such questions often focus on generic details (shopping tastes, etc.), they may also ask the user to provide details such as his or her elementary school name, pets’ names, mother’s maiden name, and other questions that, not coincidentally, are frequently used by many applications as forgotten password reminders.

As more people join social networking sites and the sophistication of these sites grows, it is likely that increasingly complex attacks will be perpetrated through them. Users should ensure that they monitor the security settings of their profiles on these sites as often as possible, especially because many settings are automatically set to share a lot of potentially exploitable information and it is up to users to restrict access themselves.

Attack kits get a caffeine boost

While targeted attacks are focused on compromising specific organizations or individuals, attack toolkits are the opposite side of the coin, using broadcast, blanket attacks that attempt to exploit anyone unfortunate enough to visit a compromised website. The previous edition of the Symantec Internet Security Threat Report discussed the growing prevalence of Web-based attacks and the increased use of attack toolkits. In 2010, these kits continued to see widespread use with the addition of new tactics.

The Phoenix toolkit was responsible for the largest amount of Web-based attack activity in 2010. This kit, as well as many others, also incorporates exploits for Java vulnerabilities. The sixth-highest-ranked Web-based attack during the reporting period was also an attempt to exploit Java technology. One of the appeals of Java to attackers is that it is a cross-browser, multi-platform technology. This means that it runs on almost every Web browser and operating system available—a claim few other technologies can make. As such, Java can present an appealing target to attackers.

Figure: Web-based attack activity, 2010 (Source: Symantec)

The volume of Web-based attacks per day increased by 93 percent in 2010 compared to 2009. Because two-thirds of all Web-based threat activity observed by Symantec is directly attributable to attack kits, these kits are likely responsible for a large part of this increase. The increased volume of Web-based attack activity in 2010 is not a sudden change. Although the average number of attacks per day often fluctuates substantially from month to month, depending on current events and other factors, Web-based attacks have risen steadily since Symantec began tracking this data from the beginning of 2009 through to the end of 2010. Along with other indications of increased Web-based attack usage, such as the rise in attack toolkit development and deployment, Symantec expects this trend to continue through 2011 and beyond.

Figure: Average Web attacks per day, by month, 2009-2010 (Courtesy: Symantec)

Because users are more likely to be protected against older vulnerabilities, attack toolkit developers advertise their toolkits based on the rate of success of the vulnerabilities that are included and the newness of the exploits. To remain competitive and successful, attack kit developers must update their toolkits to exploit new vulnerabilities as they emerge on the threat landscape. Because of this, the kit developers either discontinue the use of less successful exploits in favor of newer ones with higher success rates, or incorporate new exploits that the kits are programmed to try first. Thus, in the future, Java exploits may be dropped or marginalized in favor of other technologies that developers consider more vulnerable. To protect against all Web-based attacks, users should employ intrusion protection systems and avoid visiting unknown websites.

Hide and seek

A rootkit is a collection of tools that allows an attacker to hide traces of a computer compromise from the operating system and, by extension, the user. Rootkits use hooks into the operating system to prevent files and processes from being displayed and prevent events from being logged. Rootkits have been around for some time—the Brain virus was the first identified rootkit to employ these techniques on the PC platform in 1986—and they have increased in sophistication and complexity since then.

The primary goal of malicious code that employs rootkit techniques is to evade detection. This allows the threat to remain running on a compromised computer longer and consequently increases the potential harm it can do. If a Trojan or backdoor is detected on a computer, the victim may take steps to limit the damage such as changing online banking passwords and cancelling credit cards. However, if the threat goes undetected for an extended period, this not only increases the possibility of theft of confidential information, but also gives the attacker more time to capitalize on this information.

The current frontrunners in the rootkit arena are Tidserv, Mebratix, and Mebroot. These samples all modify the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded. While rootkits themselves are not new, this technique is a more recent development. This makes these threats even more difficult to detect by security software.

Figure: Tidserv and Mebroot infection process (Source: Symantec Corporation)

Many Tidserv infections were discovered by chance in February 2010 when they were uncovered by a patch issued by Microsoft for an unrelated security issue in Windows. The malicious code made some changes to the Windows kernel that caused infected computers to “blue screen” every time they rebooted after the patch was applied. Because the file infected by Tidserv is critical to Windows startup, the computers would not even start properly in Safe Mode, forcing users to replace the infected driver files with known good copies from a Windows installation CD.
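The MBR-modifying technique used by Tidserv and Mebroot can be checked for from outside the running system, for instance from a clean boot disk, where the rootkit is not active to hide itself. The following is an added example, not code from the report: it parses a 512-byte MBR, hashes the boot-code region and compares it to a recorded known-good baseline. The MBR bytes and the baseline are constructed here; `read_mbr` assumes a path, such as a disk image or raw device, that the caller is allowed to read.

```python
"""Parse a master boot record and compare its boot code to a known-good baseline.

Added example, not from the Symantec report. The sample MBR below is
constructed; read_mbr() is what you would point at a raw disk device from a
clean boot environment, where an MBR rootkit is not running to hide itself.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439: boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(path):
    """Read the first 512 bytes of a file or raw device (e.g. a disk image)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code_fill=0x90):
    """Construct a plausible MBR: filler boot code and one bootable NTFS partition.
    boot_code_fill differs between the 'good' and 'tampered' samples."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # disk signature + reserved
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48                             # three empty entries
    mbr = boot_code + disk_sig + table + BOOT_SIGNATURE
    assert len(mbr) == MBR_SIZE
    return mbr


def parse_mbr(mbr):
    """Return the boot-code hash, the populated partition entries and signature validity."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                                       # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_against_baseline(mbr, baseline_hash):
    """Compare an MBR to a recorded good boot-code hash; return a list of findings."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from baseline (possible MBR rootkit)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]   # record this while the system is known clean
    tampered = build_sample_mbr(0xEB)                 # same partitions, altered boot code
    print("good:", check_against_baseline(good, baseline))
    print("tampered:", check_against_baseline(tampered, baseline))
```

Re-record the baseline after any legitimate boot-loader update, and take the bytes to compare from outside the suspect operating system, since a rootkit that controls disk I/O can hand a clean-looking copy to tools running inside it.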

Tidserv also made news in 2010 when a version was discovered that was capable of injecting itself into 64-bit driver processes on 64-bit versions of Windows. This shows that Tidserv developers are not only still active, but they are seeking out new techniques to allow their creation to infect the most computers possible. Since the primary purpose of Tidserv is to generate revenue, this comes as no surprise.

Computers infected with Tidserv have search queries redirected to sites hosting fake antivirus applications. By hijacking the search results, Tidserv exploits the user’s trust in the search engine they are using. Since the search terms are intercepted by the threat, the subsequently hijacked results can also be tailored to mirror the original search terms to lend a sense of credibility and potentially increase the likelihood of users falling prey to the ruse.

To date, many Trojans seen in targeted attacks have not been very advanced in features or capabilities, with their primary purpose being to steal as much information as quickly as possible before discovery. However, the longer a targeted attack remains undetected, the more likely it is that information will be compromised. Considering the media attention given to recent high-profile targeted attacks such as Hydraq and Stuxnet, many network security professionals are likely operating with increased vigilance for these threats. As such, to circumvent the increased attention, attackers will likely modify their attacks and employ techniques such as rootkit exploits. Symantec expects any advancement in rootkits to eventually make their way into targeted attacks.

Mobile threats

Since the first smartphone arrived in the hands of consumers, speculation about threats targeting these devices has abounded. While threats targeted early “smart” devices running Symbian and Palm OS in the past, none of these threats ever became widespread and many remained proof-of-concept. Recently, with the growing uptake in smartphones and tablets, and their increasing connectivity and capability, there has been a corresponding increase in attention, both from threat developers and security researchers.

While the number of immediate threats to mobile devices remains relatively low in comparison to threats targeting PCs, there have been new developments in the field. As more users download and install third-party applications for these devices, the chances of installing malicious applications also increase. In addition, because most malicious code now is designed to generate revenue, there are likely to be more threats created for these devices as people increasingly use them for sensitive transactions such as online shopping and banking.

As with desktop computers, the exploitation of a vulnerability can be a way for malicious code to be installed on a mobile device. In 2010, there were a significant number of vulnerabilities reported that affect mobile devices. Symantec documented 163 vulnerabilities in mobile device operating systems in 2010, compared to 115 in 2009. While it may be difficult to exploit many of these vulnerabilities successfully, there were two vulnerabilities that affected Apple’s iPhone iOS operating platform that allowed users to “jailbreak” their devices. The process of jailbreaking a device through exploits is not very different from using exploits to install malicious code. In this case, though, users would have been exploiting their own devices.

Figure: Pjapps installation screen (Source: Symantec)

Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile app marketplaces in the hopes that users will download and install them. In March 2011, Google reported that it had removed several malicious Android applications from the Android Market and even deleted them from users’ phones remotely. Attackers also take a popular legitimate application and add additional code to it, as happened in the case of the Pjapps Trojan for Android devices. Astute users were able to spot that something was amiss when the application was requesting more permissions than should have been necessary.

Until recently, most Trojans for mobile devices simply dialed or texted premium rate numbers from the phone. While Pjapps also contains this capability, it also attempts to create a bot network out of compromised Android devices. While the command-and-control servers that Pjapps is programmed to contact no longer appear to be active, the attempt to create a botnet out of mobile devices demonstrates that attackers are actively researching mobile devices as a platform for cybercrime.

Over the last several years, most malicious online activity has focused on generating revenue. While mobile device Trojans have made attempts at revenue generation through premium-rate services, this is still not as profitable as credit card fraud and the theft of online banking credentials. Some of the first threats of this kind to arrive will likely be either phishing attacks or Trojans that steal data from mobile devices. Because the blueprints for such threats are already well established on personal computers, adapting them to mobile devices should be relatively easy. For example, as mobile devices introduce new features such as wireless payments, it is likely that attackers will seek ways to profit from them the way they have with personal computers. Attackers are constantly looking for new avenues to exploit and profit from unsuspecting users, but until there is adequate return on investment to be found from exploiting new devices, they will continue to use tried and true methods.

Conclusion

The volume and sophistication of malicious activity increased substantially in 2010. The Stuxnet worm became the first piece of malicious code able to affect physical devices while simultaneously attempting exploits for an unprecedented number of zero-day vulnerabilities. While it is highly unlikely that threats such as Stuxnet will become commonplace because of the immense resources required to create it, it does show what a skilled group of highly organized attackers can accomplish. Targeted attacks of this nature, along with Hydraq and others, have shown that determined attackers have the ability to infiltrate targets with research and social engineering tactics alone. This matters because recent studies have shown that the average cost per incident of a data breach in the United States was $7.2 million USD, with the largest breach costing one organization $35.3 million USD to resolve. With stakes so high, organizations need to focus their security efforts to prevent breaches.

Social networking sites provide companies with a mechanism to market themselves online, but can also have serious consequences. Information posted by employees on social networking sites can be used in social engineering tactics as part of targeted attacks. Additionally, these sites also serve as a vector for malicious code infection. Organizations need to create specific policies for sensitive information, which may inadvertently be posted by employees, while at the same time be aware that users visiting these sites from work computers may introduce an avenue of infection into the enterprise network. Home users also need to be aware of these dangers because they are at equal risk from following malicious links on these sites.

Attack toolkits continue to lead Web-based attack activity. Their ease of use combined with advanced capabilities make them an attractive investment for attackers. Since exploits for some vulnerabilities will eventually cease to be effective, toolkit authors must incorporate new vulnerabilities to stay competitive in the marketplace. Currently, attackers are targeting certain exploits, such as those for Java vulnerabilities. However, this could change if their effectiveness diminishes. Toolkit authors are constantly adapting in order to maximize the value of their kits.

While the purpose of most malicious code has not changed over the past few years as attackers seek ways to profit from unsuspecting users, the sophistication of these threats has increased as attackers employ more features to evade detection. These features allow malicious code to remain resident on infected computers longer, thus allowing attackers to steal more information and giving them more time to use the stolen information before the infections are discovered. As more users become aware of these threats and competition among attackers increases, it is likely that more threats will incorporate rootkit techniques to thwart security software.

Currently, mobile threats have been very limited in the number of devices they affect as well as their impact. While these threats are not likely to make significant inroads right away, their impact is likely to increase in the near future. To avoid the threats that currently exist, users should only download applications from regulated marketplaces. Checking the comments for applications can also indicate if other users have already noticed suspicious activity from installed applications.

1. URL shortening services allow people to submit a URL and receive a specially coded shortened URL that redirects to the submitted URL.