by Malyssa Woodward
Malware is on the rise in 2011, as are high-profile attacks against government entities and corporations, according to the Mid-Year Security Threat Report published recently by IT security and data protection company Sophos. The report focuses first on malware, which saw a huge increase in 2011. Since the start of this year, the team at SophosLabs has seen 150,000 different samples of malware each day, a 60 percent increase from the malware analyzed in 2010. To give a little perspective, this year’s numbers represent a unique file nearly every half second, according to the report.
So what exactly defines malware? Malware, or “malicious software,” can show itself in several forms, including viruses, worms and Trojans. Viruses are self-replicating malicious computer programs that spread from computer to computer via removable media like disks and USB drives, or by infecting a file stored on a computer that is part of a network. A virus makes copies of itself, but in order to spread it needs to be able to execute code and write to memory. Because of this, most viruses attach themselves to programs: when the user launches the program, the virus is launched at the same time.
There are two types of viruses: resident and non-resident. Resident viruses load their replication modules into the infected system’s memory, where they can then execute each time a certain action is performed by the operating system, thus spreading to multiple programs on the computer. A non-resident virus goes one step further in that it contains a finder module as well as a replication module. The finder module seeks out new files to infect and then calls on the replication module to infect them.
A worm differs from a virus in that it does not need to attach itself to a program to work. A worm takes advantage of a weakness in a computer to infiltrate the system, where it then creates copies of itself and sends them to all computers on the network. Unlike a virus, a worm can replicate and spread without any action by the user. Where a virus infects or changes certain files on a target computer, a worm can damage computers across a network, even if only by consuming bandwidth and slowing the network down. Worms are often used to create zombie computers for use in spamming botnets. A well-known example of this is the infamous Waledac botnet, which infected as many as 90,000 computers worldwide before it was brought down by Microsoft last year.
Another kind of malware is the Trojan, which, as its name implies, is a malicious program disguised as one that is seemingly useful. This program infects the target computer in order to steal sensitive information or harm the system. Trojans differ from worms and viruses in that they do not replicate themselves. Trojans can give hackers remote access to a system or enlist infected computers in botnets used for spamming or distributed denial-of-service (DDoS) attacks. They can also be used to log keystrokes on a machine or crash the infected computer.
A popular form of Trojan, and one that Sophos reports is still a persistent threat in 2011, is the Trojan that presents itself as an anti-virus application. In this scam, users are tricked by a fake anti-virus pop-up window warning them that their computer is infected. They are then convinced to purchase a rogue application to rid their computer of the virus. The program not only fails to protect the computer but most likely installs some form of malware onto the system. This wreaks further havoc for the victim, who has just sent their money straight into the scammer’s pocket. According to the Sophos report, the FBI estimates that nearly one million people were duped into buying fake anti-virus software from one particular cybergang, netting the criminals over $72 million.
An example of a persistent Trojan that continues to evolve and target new devices is the Zeus banking Trojan. Recently, researchers discovered a variant of the Zeus malware called “Zitmo,” which can run on Android phones as well as Symbian, Windows Mobile and BlackBerry devices. The malware intercepts the one-time passcodes sent to these devices as an added second factor of authentication, which then allows the hacker access to private information such as bank accounts. The increase in consumers who use their smartphones and tablets for sensitive personal and business transactions makes these devices desirable targets for hackers.
According to the Sophos report, Google’s Android platform is proving particularly difficult to secure, and has been a popular target for hackers in the first part of 2011. In June, Google removed several Android applications from the market because they contained data-swiping Plankton malware. Tablets running the Android operating system are also at risk for similar attacks. With more consumer technology making its way into the professional workplace, IT managers have new concerns on their hands as they try to keep their organizations secure.
While much attention has been paid this year to large-scale strikes on major targets, the Sophos report found that attacks against consumers continue to be a threat. Social networking scams, email scams and spear phishing campaigns are still popular, as is SEO poisoning. In SEO poisoning, the hacker takes advantage of popular keyword searches as a way to target the most victims, redirecting users to malicious sites where a variety of malware is downloaded onto their system. Often the malware is hosted on legitimate sites that have been infiltrated by hackers. To see a video demonstration of how this technique works, watch this Sophos video on YouTube.
Even Mac OS X, long believed to be the most secure operating system, is no longer safe in the current hacking landscape. The fake anti-virus malware Mac Defender and its many variants took users and Apple by surprise this spring. Apple was slow to respond to the influx of tech support calls, drawing much criticism. The company finally conceded that the malware was indeed a reality and offered steps to remove it.
Perhaps the harshest spotlight this year has fallen on the many high-profile targeted attacks against huge corporations, government entities and their partners. The hack of RSA’s SecurID two-factor authentication system led to subsequent assaults on defense contractors Lockheed Martin and L-3 Communications. The CIA was also a victim of hackers, as was the International Monetary Fund (IMF). Mega-corporation Sony is likely still reeling from the persistent attacks launched against it earlier this year.
These and other attacks have spurred legislation addressing cybersecurity concerns. The Department of Defense launched a new program in June that aims to help defense contractors protect themselves against cyber attacks. The program, called the Defense Industrial Base (DIB) Cyber Pilot, will share classified information about cyber threats with defense contractors, as well as help them determine how to defend their networks.
The Obama administration is trying to crack down on hacking and cyber attacks that affect government systems or pose a potential threat to national security by proposing increased sentences for hackers. Hackers targeting government computers may face up to 20 years in prison for such attacks.
The new Cybersecurity and Internet Freedom Act of 2011 establishes the National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security, which will work to protect federal networks as well as public and private sector networks from cyber threats. The Act spurred controversy early on due to a “kill switch” provision that would essentially allow the President to shut down portions of the Internet during a cyber attack. That provision has since been removed.
On the business front, a new data breach bill is in the works and is currently being debated and refined. The bill would require companies suffering a data breach to report the breach and begin notifying customers within 48 hours if the compromised data could lead to identity theft or other harm. The requirement would standardize the currently varying state laws regarding data breaches, which experts say is both good and bad for businesses.
Whether or not this increased attention to cybersecurity will help stave off serious attacks and create a more secure online environment remains to be seen, but progress is clearly being made. Still, the first half of 2011 shows us that there is much work to be done. If you would like to read the full Sophos mid-year report, you can download it by visiting this link. You will need to provide some basic information first, including your name and email address.
Your Net Guard can help ensure your network is secure in this ever-evolving landscape of cyber threats. Call Ron today to discuss your security concerns.