Malware in 2012 took a major acceleration – something that was predicted in 2011 – and they were right…
December is “prediction season” in the cybersecurity industry. Every major anti-virus software maker and digital-security provider issues its own forecasts of what computer users face in the coming year – malware, hacking, etc – all are part of these predictions.
So far this month, the predictions for 2013 look a lot like those for 2012: more Android malware, increased cyberattacks by nation-states and greater activity by “hacktivist” groups such as Anonymous.
However, a few companies go back and check their own predictions at the end of the year to see what they got right — and wrong.
One company that does so is Moscow-based Kaspersky Lab, one of the top five anti-virus companies in the world.
“In 2011, we really saw a number of things rising up: hacktivism; big database breaches; attacks against Androids; attacks against Macs; data espionage became daily business in 2011,” said Roel Schouwenberg, senior researcher at Kaspersky’s Boston-area office. “When we look at 2012, we saw a further evolution of all these new trends.”
Kaspersky made the following predictions for 2012:
Hacktivist groups, who attack computer systems for political or social reasons, would continue to increase their activities
A higher rate of “advanced persistent threat” attacks, or state-sponsored espionage efforts
More incidents of cyberwarfare involving customized, state-sponsored malware
Attacks on software and game developers such as Adobe, Microsoft, Oracle and Sony
More aggressive actions from law-enforcement agencies against cybercriminals
An increasing rate in the growth of threats to the Android mobile platform
Successful attacks on Apple’s Mac OS X computer platform
Let’s examine five of the top security incidents that shaped 2012 and check the accuracy of the Kaspersky researchers in light of those predictions.
1. More Mac OS X malware
Security experts had anticipated an outbreak of malware targeting Mac OS X for years; 2012 was when it finally happened.
The bug that did it, called the Flashback or Flashfake Trojan, first appeared near the end of 2011, but didn’t reach its peak rate of infection until March of 2012.
Flashback infected more than 700,000 Macs around the world, the largest known Mac OS X infection to date.
“In 2011, we predicted that we would see more Mac malware attacks,” said Kaspersky Lab’s Costin Raiu and David Emm in a blog posting. “We just never expected it would be this dramatic.”
Why did Flashback wreak such havoc?
One reason was a well-documented Java vulnerability, which Apple took a long time to patch even after it had been publicly disclosed. The Flashback authors took advantage of Apple’s delay to incorporate the Java exploit into their otherwise unremarkable creation.
The second reason was the general lack of awareness among Mac users about security. Proper anti-virus software would have stopped Flashback’s attack, yet most Mac users felt they didn’t need it.
Flashback wasn’t the only successful attack on Mac OS X systems in 2012. There were multiple espionage-related attacks on Macs used by Tibetan dissidents and exiles. Some of the attacks used corrupted files purporting to come straight from the Dalai Lama, Tibet’s exiled leader.
“The espionage angle may be a bigger factor for Mac right now than regular consumer malware,” Schouwenberg said. “For general cybercrime, most criminals go after Windows because that’s what they know. That’s what’s easiest for them.”
“But when it comes to these targeted attacks, the attackers go after whichever machines the targets are using. So if the targets are using Macs, they’ll go after Macs.”
Schouwenberg said in terms of the proportion of available systems infected, Flashback was the most successful malware outbreak of the year.
“When you look at relative market share, the Flashback malware in terms of prevalence was the size of [the infamous Windows worm] Conficker,” he said. “This was an absolutely huge event in the Apple world. When you extrapolate [the number of Macs infected] to Windows numbers, that’s about 10 million.”
2. Cyberweapons: Flame…
Cyberwarfare is a term that often gets hyped up, especially when a politician or general is speaking.
In fact, the Stuxnet worm, which crippled an Iranian uranium-enrichment facility in the summer of 2010, was for nearly two years the only known cyberweapon that had destroyed anything.
That changed this past spring, when a series of cyberattacks destroyed computer systems at oil facilities in Iran, as well as in the offices of the Iranian oil ministry.
Wiper, the malware thought to be responsible for the attacks, was never found, although certain tell-tale signs indicated it was similar to Stuxnet and its cousin Duqu.
During the investigation in May, however, researchers from Kaspersky, the Iranian computer emergency response team MAHER and the CrySyS Lab at Budapest University in Hungary discovered something else —possibly the most sophisticated piece of malware ever seen. Kaspersky’s team called it “Flame.”
The size, age and sophistication of Flame were startling. It was 20 megabytes in size, as large as a complex smartphone game, while most malware is only a few dozen kilobytes in size.
Flame contained a dozen different modules that could be added and subtracted according to the task at hand, which made it extremely versatile as spyware.
It could map out networks, index files, record audio and video, log keystrokes, take screenshots and archive emails and instant messages. When its job was done, it would destroy all signs of itself on any 32-bit Windows PC, and sometimes the host system as well.
Yet despite its size, Flame was at least five years old at the time of its discovery —an enormous amount of time for a piece of malware to be “in the wild.”
As Raiu said in a press release, Flame was “an example of a complex malicious program that could exist undetected for an extended amount of time while collecting massive amounts of data and sensitive information from its victims.”
A couple of weeks after its discovery, Dutch researchers found that Flame’s creators had pulled off a mathematical breakthrough.
Using unknown techniques, Flame’s creators had created a nearly-impossible cryptologic collision that allowed Flame to present itself as a signed, genuine Windows update package direct from Microsoft. No anti-virus software could have stopped it.
In August, Kaspersky researchers found a highly sophisticated Trojan in the Middle East, this time spying on Lebanese banks.
Like ordinary criminal banking Trojans, this new malware, which Kaspersky researchers dubbed “Gauss,” stole online-banking credentials to break into accounts. Yet Gauss didn’t steal any money —just information.
In their year-end review, Raiu and Emmer said Gauss added a “new dimension to nation-state cyber-campaigns,” even if it was nowhere as sophisticated as Flame.
“It appears there is a strong cyber component to the existing geopolitical tensions —perhaps bigger than anyone expected,” they added.
… and Shamoon
That would prove to be an understatement. Later in August, Shamoon, a piece of especially destructive, yet simple, malware, made its world debut.
Named after a piece of text embedded deep in its code, Shamoon launched an attack against the state-owned Saudi Arabian oil company Saudi Aramco and destroyed data on more than 30,000 computers.
Shamoon was crude but effective. It searched an infected system for certain files, sent a list of those files to a remote server, and then methodically deleted key parts of the installed Windows system, rendering the infected machine useless.
“You have the hacktivist movement claiming credit for that attack, which may or may not be the case,” Schouwenberg said.
“Shamoon wasn’t really that sophisticated, but when you look at the relevance of the incidence, it’s extremely, extremely important,” Schouwenberg added, “especially when you consider the fact that Saudi Aramco announced just recently that they strongly believe that Shamoon’s real target was to mess with the oil production rather than just sabotaging the machines in the corporate network.”
Kaspersky researchers said many details about Shamoon were still unknown, such as how the malware infected Saudi Aramco’s systems in the first place, or who was behind the malware.
Some observers suspect Iran created and used Shamoon as an attempt to cripple Saudi Arabia’s oil production, which would cause oil prices to rise, benefiting cash-strapped Iran.
3. Exponential growth in Android malware
During 2011, there was an explosion in the number of malicious threats against the Android platform. It was obvious that the trend would go on.
Kaspersky, as well as most of its competitors, accurately predicted that the number of threats for Android would continue to grow at an alarming rate in 2012.
“We predicted we would see an explosion in Android malware and that’s what we saw,” Schouwenberg said. “There is a huge amount of Android malware these days, although not anywhere near the amount of Windows malware that we see. But it’s grown very dramatically.”
“The number of samples we received continued to grow and peaked in June 2012, when we identified almost 7,000 malicious Android programs,” Raiu and Emmer wrote. “Overall, in 2012, we identified more than 35,000 malicious Android programs, which is about six times more than in 2011.”
So why is there so much Android malware, and so little malware targeting its competition, Apple’s iOS?
It’s because iOS is locked down tight. Apple oversees every part of the hardware and software development, and strictly controls which apps can be installed on iOS devices.
Android, however, is a free-for-all. Dozens of manufacturers make hundreds of Android devices, and the operating system is a little different on each one. Manufacturers and cellular carriers refuse to update Android in a timely manner, resulting in security holes that are left unpatched for months or years.
“Off-road” app markets flourish, especially in China where access to the official Google Play store is restricted. Google has belatedly tightened security in both Android itself and in the Google Play store, yet its efforts have a long way to go before they can match Apple’s.
Still, the tighter security in the latest versions of Android may be having an effect. Kaspersky’s own figures show that while the number of new Android threats continued to grow in the second half of 2012, the rate of growth began to slow.
4. Advanced persistent threats go quiet
Advanced persistent threat hackers, i.e. cyberspies, were certainly active in 2012, yet didn’t have the spectacular successes they’d had in previous years.
Perhaps the most visible attack on Western targets was the discovery in September 2012 that two pieces of malware had been signed using a valid Adobe code-signing certificate.
Apparently, someone, somehow, had broken into an Adobe server and stolen authentication certificates.
“This discovery belongs to the same chain of extremely targeted attacks performed by sophisticated threat actors commonly described as APT,” wrote Raiu and Emmer. “The fact that a high profile company like Adobe was compromised in this way redefines the boundaries and possibilities that are becoming available for these high-level attackers.”
5. Data breach after data breach
One thing that Kaspersky failed to anticipate in 2012 was the seemingly unending parade of huge data breaches involving companies and organizations with inadequate security.
In early June, the business-networking website LinkedIn had 6.4 million passwords stolen. The passwords were encrypted, but in a very simple way that meant most could easily be deciphered.
A day later, online-dating service eHarmony suffered a similar breach, losing 1.5 million passwords, also poorly encrypted.
In July, struggling Web giant Yahoo was embarrassed by a data breach that revealed 450,000 passwords had been stored without any encryption at all. It wasn’t entirely Yahoo’s fault, since the database was acquired with the 2010 purchase of another company, but it was also evident that no one had bothered to check.
Worst of all was the revelation in late October that vital personally identifiable information on 3.8 million adult residents of South Carolina, plus 1.9 million dependents and 700,000 businesses, had been stolen from the state tax agency.
Entire tax records, containing names, addresses, dates of birth and, worst of all, Social Security numbers, were all stored unencrypted. Virtually the entire state population of 4.7 million people was put at grave risk of identity theft.
Weeks after the breach was revealed, the state government was blaming the federal IRS for not providing strong security guidelines, and was itself being criticized by security experts for not revealing enough about what had happened.
Looking back, and forward
“There isn’t too much that was shocking news over 2012, just these up-and-coming things [from] 2011 that really established themselves in 2012,” Schouwenberg said. “But we also saw some examples of new nation-state [campaigns] like Flame and Gauss. But from my personal point of view, the most significant event of the year was Shamoon.”
As for 2013, “we expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure,” Raiu said in a company press release. “The most notable trends of 2013 will be new examples of cyberwarfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.”
TechNewsDaily at NBC