Malware, Botnet & cyber threats, what is happening to the cyberspace?

Pierluigi Paganini September 26, 2012

Article published on Hakin9 IT Security Magazine “Raspberry Pi Hacking – Exploiting Software” 08/12

The article proposes an analysis of the main cyber threats that worry security experts and that are profoundly changing cyberspace. The exponential growth in the number of cyber threats and attacks is confirmed by a wide range of statistics provided in reports published by the major security firms. The scenario is really alarming due to the concomitant action of cybercriminals, hacktivists and state-sponsored hackers that are producing malware and botnets of increasing complexity.


Day by day we read about the discovery of new cyber threats that menace the integrity of users' machines: a multitude of agents developed by cybercriminals or by state-sponsored researchers that operate by stealing sensitive information and, in many cases, by destroying their targets.

Every machine connected to the internet is exposed to a serious risk of being compromised, in many cases even with all the common defense systems in place, due to the exploitation of zero-day vulnerabilities.

There are several consequences of this malware diffusion, first of all the economic loss of the entity hit by the cyber attacks; a cross effect must also be considered in many sectors of the social fabric, from small business to large industry.

Small business, for example, is one of the most damaged sectors: the budget reserved by companies for cyber security is usually limited, and the global economic crisis has worsened the situation, exposing businesses to continuous attacks, most of them undetected. But small business is directly linked to other sectors: in many cases small companies work directly as suppliers for large industry, and in the security chain they represent the weakest link that hackers hit to penetrate large organizations. A similar scenario is very common in the last wave of APT (Advanced Persistent Threat) attacks that have hit, for example, defense companies all over the world.

If small business suffers from the attacks, governments and large industry are no better off: the diffusion of malware has increased impressively, both in the frequency of attacks and in the complexity of the malicious agents spread. The main purpose of this malware is cyber espionage; in fact, sensitive information and intellectual property are the privileged targets of cybercrime and of foreign governments.

Thinking that cyber espionage malware is mainly developed by cybercriminals or governments is wrong: cyberspace is also crowded with malicious agents sold by legitimate companies for cyber espionage purposes. As denounced by Assange on his SpyFile web site, many legitimate companies are selling espionage products, acquired by private companies and intelligence agencies, to spy on competitors and opponents.

To provide an example, let's recall the discovery made by Doctor Web, a Russian anti-virus company, which in August detected a cross-platform Trojan horse able to gain full control of its victims and also to render the system unusable. The agent, dubbed BackDoor.DaVinci.1, runs on both Windows and Mac OS X, and what is singular is that the Mac OS X release for the first time implements rootkit techniques to hide the malware's processes and files. According to the information available on the internet, the trojan was designed by the Italian company HackingTeam, a security firm specialized in the development of offensive solutions for cyber investigations.

The DaVinci malware is not a unique case; many companies are working on similar projects. FinFisher, for example, is another powerful cyber espionage agent, developed by Gamma Group, that is able to secretly spy on targets' computers, intercepting communications, recording every keystroke and taking complete control of the host. Unfortunately, although such instruments are designed for justifiable purposes, such as support for investigations and the prevention of crime and terrorism, they are too easily sold to governments that use them ruthlessly for the tracking and persecution of dissidents. Another factor contributing in a sensible way to the rapid diffusion of malware and of dangerous botnets is the simplicity of acquiring bot agents on the web; a "malware as a service" model has also been consolidated, in which cyber criminals support the development of malicious networks for ordinary crime … a frightening alliance.

It is quite simple to find on the internet, and also in the Deep Web, forums and web sites published in the underground to exchange exploit packages that are continuously updated thanks to the collaboration of hackers and criminals. A new market is growing with an amazing trend, involving also young people who desire to measure their capabilities in this fascinating field and to make easy money.

Cyberspace Today

The rapid evolution of cyber threats has motivated several security firms to publish data on malware diffusion, providing useful information to private companies, to the CERTs of several countries and of course to end users.

In September Symantec published its yearly report on cybercrime, the "Norton Cybercrime Report", an interesting study on the evolution of cyber criminal activities and their impact on society. The report covers different technologies, including social networking and mobile, reporting the impact on final customers in economic terms.

The impact of cybercrime is worrying: 556 million victims per year, 2 out of 3 adults have been victims of online crime in their lifetime, and the total economic loss is 110 billion, with an average cost per victim of $197.

Figure 1 – Global Price Tag of consumer cybercrime

The Asian region is the most affected by cybercrime: the global price tag of consumer cybercrime for China amounts to 46 billion, followed by the US with 21 billion and the European area with 16 billion.

The highest numbers of cybercrime victims were found in Russia (92 percent), China (84 percent) and South Africa (80 percent). The technologies that have suffered the greatest increase in cybercrime are social networking and mobile. Mobile users are very vulnerable to attacks: 1 in 2 adults uses a mobile device to access the internet, and mobile vulnerabilities doubled in 2011 compared with the previous year.

44% of users aren't aware of the existence of security solutions for mobile environments, and 35% of adults have lost their mobile device or had it stolen. Of particular concern is the improper use of social networks: wrong management of sessions, the absence of validation of visited links and a total ignorance of any security setting expose users to fraudulent activities.

15 percent of users have had their account infiltrated, and 1 in 10 have been victims of fake links or scams.

The report confirms that the cybercrime industry is a factory that knows no crisis and that moves amounts of money comparable to the revenue of a State.

One of the most dangerous threats for internet users, and also for institutions that expose their services on the web, is the botnet: millions of infected computers synchronized to conduct an attack against a specific target.

In the classic architecture each machine, named bot, executes orders sent by a master unit called the botmaster, which can instruct the various components of the malicious network to perform an attack or to exchange communication messages. The botnet model can be used for various purposes: in the military as a cyber weapon, in industry for cyber espionage, in cybercrime to steal sensitive information such as banking credentials.

The infection phase represents the recruiting of the machines through the diffusion of different types of malware, developed with specific and profoundly different characteristics. The most common way to build a botnet is to send the victims infected emails, containing links to compromised web sites or with the malware agent attached, which, once executed on the machine, transforms it into a bot.

Usually the infected machines try to contact the C&C (Command & Control) servers to receive operative instructions; botnets represent one of the most dangerous cyber threats due to their adaptive capabilities and their massive diffusion. Recent events have demonstrated that every platform can be attacked: one of the latest and most aggressive malware samples is the Flashback Trojan, a malware created to conduct click fraud scams by hijacking people's search engine results inside their web browsers and stealing banking or login credentials. Of course, once the system is infected it can be used as part of a botnet, causing bigger damage.

What is the status of botnet diffusion?

McAfee Labs proposed an interesting analysis of the phenomenon in the McAfee Threats Report – First Quarter 2012, which illustrates that the botnet threat is growing, creating great concern among security experts due to its diffusion: millions of compromised computers connected to the Internet are in fact used daily to carry out scams and cyber attacks. Security firms tracking the volume of messages exchanged between bots and command servers are able to estimate the level of infection by the malicious agents. Overall messaging botnet growth jumped up sharply from the previous quarter, mainly in Colombia, Japan, Poland, Spain, and the United States.
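The kind of analysis described above, tracking the messages exchanged between bots and command servers, can be reproduced on a small scale with a beaconing check: a bot polls its C&C at a nearly fixed interval, while human browsing produces irregular gaps. The following Python script is an added example, not code from the article or from McAfee: it groups connections by (source, destination) in a constructed proxy log, computes the gaps between successive requests and flags pairs whose interval is almost constant. The log format, the host names, the minimum hit count and the variation threshold are all assumptions.

```python
"""Beacon detection over constructed proxy log lines (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<ISO timestamp> <src_ip> <dest_host>".
# 10.0.0.5 polls the same host every five minutes; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2012-09-26T10:00:00 10.0.0.5 cnc.example.invalid
2012-09-26T10:00:01 10.0.0.7 news.example.invalid
2012-09-26T10:05:00 10.0.0.5 cnc.example.invalid
2012-09-26T10:07:13 10.0.0.7 news.example.invalid
2012-09-26T10:10:00 10.0.0.5 cnc.example.invalid
2012-09-26T10:10:44 10.0.0.7 cdn.example.invalid
2012-09-26T10:15:01 10.0.0.5 cnc.example.invalid
2012-09-26T10:19:58 10.0.0.7 news.example.invalid
2012-09-26T10:20:00 10.0.0.5 cnc.example.invalid
2012-09-26T10:25:00 10.0.0.5 cnc.example.invalid
2012-09-26T10:33:02 10.0.0.7 news.example.invalid
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; lines that do not fit the assumed format are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs whose request gaps are nearly constant.

    min_hits: requests needed before regularity is judged (too few gaps are meaningless).
    max_cv:   maximum coefficient of variation (stdev / mean) of the gaps to count as a beacon.
    Both thresholds are assumed values; tune them on real traffic.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A zero mean would mean duplicate timestamps, not a beacon.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: contacted every {interval:.0f}s, looks like C&C polling")
```

On the constructed log only the 10.0.0.5 → cnc.example.invalid pair is reported (about 300 seconds between requests); the browsing host never reaches the minimum hit count for any single destination, so it is ignored. Real bots often add jitter to their sleep interval, which is why the check uses a tolerance on the coefficient of variation rather than demanding identical gaps.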

Figure 2 – Global Botnet Infections

Behind the principal botnets there is the cybercrime industry, which is pushing the diffusion of malware to infect an increasing number of machines, but is also proposing new business models, such as botnet rental or the commerce of the agents for botnet creation. The business is reaching important figures in a short time, mainly due to the opportunities provided by the Deep Web.

In the last months experts of the AlienVault firm discovered a new service that offers cyber-attack tools and hosting as part of a malware-as-a-service offering. Once again cybercrime operates as an enterprise: the products proposed are tools for the organization of cyber attacks, such as malware spam, malware hosting, and the building of a complete command and control (C&C) infrastructure for the arrangement of botnets.

The service is called Capfire4 and it is a good example of C2C (Cybercrime to Cybercrime): it provides technological support to criminals who lack the knowledge necessary to conduct a cyber attack or to arrange a cyber scam.

In the simplest way, users can access a web portal that offers the possibility to create customized versions of malware, controlling the malicious architecture through a friendly management console to coordinate the bots.

A few steps for a criminal who needs to create a botnet without having particular knowledge.

But botnet creation is not only a prerogative of cybercrime; it is also considered in cyber warfare scenarios as a military option for offensive purposes or cyber espionage. By deploying a botnet it is possible to attack the nerve centers of a country; isolated attacks can target its critical infrastructures and create serious problems in areas like finance, communications and transport. That is cyber warfare: no matter whether behind the attack there is a foreign government or ruthless criminals, the risk is high and facing the threat has high priority.

The US government is taking the cyber threat related to botnets into serious consideration; recently, administration officials belonging to U.S. President Barack Obama's team declared that the government had started the IBG (Industry Botnet Group), a coordinated project that involves private enterprises and trade units.

One of the key features of the program is increasing the level of awareness of the botnet world through the cooperation of government and the private sector.

Geography of cyber threats

Although cyberspace is known as a domain without borders, many studies have demonstrated that cyber criminal activities are mainly located in some areas of the planet, and, as we can see, the victims of the attacks also have geographical features that make them attractive targets. The security firm Kaspersky has illustrated in a recent report that factors such as the economic level of a country, its Internet population and the security level of the nation concur to define a geography of attacks. Countries such as the US and those of Europe present sufficient security mechanisms to defend users, and the computer systems used are often equipped with the latest versions of operating systems, which incorporate mechanisms to prevent cyber attacks. According to Internet World Stats the level of Internet penetration in the US and Europe is very high, and internet users in these areas actively use online services and cards associated with their bank accounts to pay for goods online:

  • North America – 78.3%, 1st in the world.
  • Europe – 58.3%, 3rd in the world.

Having to deal with advanced and updated defense systems, the crime industry is increasing the level of sophistication of its attacks, developing new technologies mainly with the intent of making money. The Trojans spread are mainly used to deliver or hide malicious agents, or to steal sensitive information, with specific reference to the banking sector.


Figure 3 – Trojan classification

The sector most attacked by cybercrime is the financial/banking sector, in which the incidence of information theft is high. Some well-known examples of malware are Zbot (ZeuS) and SpyEye, both universal Trojans which target the accounts of many banks and also e-payment services such as PayPal and eBay; let's remember that usually these accounts are linked to bank accounts and are considered privileged targets: 34% and 9% respectively of all phishing attacks target them.

To have an idea of the business and of the related profits: in 2010 the people arrested had stolen $9 million from more than 600 accounts in three months using Zbot. The most effective vector for attacking European and American users is still the internet: in the first half of 2012, 80% of all infected computers were attacked in this way, and Italy and Spain are the most hit countries.

The criminals usually compromise users' machines in one of the following ways:

  • Infecting legitimate sites
  • Spoofing search engines
  • Spreading malicious spam on social networking sites and on Twitter

Figure 4 – percentage of users exposed to Internet attacks (H1 2012)

The percentage of users exposed to Internet attacks (H1 2012):

  • USA – 38.8%, 31st in the world;
  • Germany – 28.8%, 101st in the world;
  • UK – 36.8%, 42nd in the world;
  • France – 36.3%, 44th in the world;
  • Italy – 43.5%, 18th in the world;
  • EU – 32.1%.

From the research another interesting result also emerged: although in Western Europe, Canada and the US there is a strong legal basis for combating malicious content hosted on web sites, 69% of infected code was hosted on servers located in these regions in the first half of 2012, corresponding to over half of the malicious programs on the Internet. The figures are not surprising: the majority of data centers providing failsafe hosting are located in these areas, and usually cybercriminals and hackers compromise such servers to obtain reliable hosting that also hosts legal sites, making their identification hard from a user's perspective. The report reveals that the domain zones .net, .com, .info and .org account for 44.5% of repelled attacks that were launched from malicious web sites on users located in North America and Western Europe.
Users from the US, Canada and Western Europe are typically redirected to sites located in the domain zones of India (.in), Russia (.ru) and the Cocos Islands (co.cc).

You run … I’ll get you, the eternal challenge

Although the level of alert of private companies, governments and security firms is high, the incidence of cyber threats is still too high; this is possible due to the increasing level of complexity of the malware agents.

Meanwhile, while worldwide security experts are searching for a common strategy to decapitate the botnets, the cybercrime industry is providing new, efficient solutions to avoid any type of detection and mitigation.

There are different innovative factors in the menace posed by malware and botnet creators, such as new modular and destructive malicious agents and also new botnets based on the P2P (peer-to-peer) communication protocol that do not rely on command and control (C&C) servers for receiving commands. The interesting feature is that P2P communication is used as a backup system in case the C&C servers are not reachable, creating an autonomous peer network in which each node can operate as a slave or as a master giving orders to other PCs, operating and exchanging the information acquired illegally from the victims.

The major concern of security experts is related to the capability of many of these agents to exploit zero-day vulnerabilities, which makes the detection of the agents practically impossible. But it is dangerous to attribute the success of the attacks only to the exploitation of unknown vulnerabilities: in many cases well-known vulnerabilities are exploited due to the absence of appropriate updates of the systems.

The Zeus case is not isolated; recently Kaspersky Lab, in collaboration with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, dismantled the second Hlux botnet (aka Kelihos).

This botnet had a scary size: it has been estimated that it was three times larger than the first Hlux/Kelihos botnet, dismantled in September 2011. After only 5 days from the operation, Kaspersky Lab had already neutralized more than 109,000 infected hosts. It is estimated that the first Hlux/Kelihos botnet had only 40,000 infected systems.

The event has demonstrated that it is becoming hard to tackle the new generation of botnets, due to the usage of peer-to-peer technology, also implemented in Kelihos. The new variant of the malware incorporates P2P technology to eliminate the need for a C&C server, avoiding detection and the immunization campaigns aimed at decapitating the malicious networks.
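When a botnet falls back to P2P, as described above for the P2P backup channel and for Kelihos, there is no single C&C host whose polling can be watched; one observable that remains is the number of distinct external peers an internal host talks to on non-standard ports, because an ordinary workstation reaches many hosts but almost always on a handful of well-known service ports. The Python script below is an added example, not code from the article or from any of the firms named: it counts that "fan-out" per internal host over constructed flow records and flags hosts above a threshold. The service-port list, the internal address ranges, the documentation-range peer addresses and the threshold are all assumptions.

```python
"""Fan-out detection for P2P-style bot traffic (added example, not from the article)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports an ordinary client is expected to use; anything else counts as "peer-like".
# Assumed list; extend it with whatever your environment legitimately uses.
SERVICE_PORTS = {25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}

# Assumed internal ranges (RFC 1918). Traffic to these is not peer traffic.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port). The documentation ranges
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for external peers.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80),       # normal browsing host
    ("10.0.0.5", "192.0.2.11", 443),
    ("10.0.0.5", "198.51.100.7", 443),
    ("10.0.0.9", "192.0.2.20", 40123),    # suspected bot: many peers, high ports
    ("10.0.0.9", "192.0.2.21", 51234),
    ("10.0.0.9", "198.51.100.5", 40123),
    ("10.0.0.9", "198.51.100.6", 60210),
    ("10.0.0.9", "203.0.113.2", 40123),
    ("10.0.0.9", "203.0.113.3", 47777),
    ("10.0.0.9", "203.0.113.4", 40123),
    ("10.0.0.9", "192.0.2.11", 443),      # the bot also browses normally
    ("10.0.0.9", "10.0.0.1", 445),        # internal file sharing, ignored
]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def peer_sets(flows):
    """Map each internal source to the set of external addresses it reached on non-service ports."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if port in SERVICE_PORTS or not is_external(dst):
            continue
        peers[src].add(dst)
    return peers


def fan_out(flows, max_peers=5):
    """Return {src_ip: sorted list of peers} for hosts exceeding max_peers distinct peer-like destinations.

    max_peers is an assumed threshold; on real traffic, baseline it per host role
    (a workstation and a VoIP gateway have very different legitimate fan-out).
    """
    return {src: sorted(p) for src, p in peer_sets(flows).items() if len(p) > max_peers}


if __name__ == "__main__":
    for src, peers in fan_out(SAMPLE_FLOWS).items():
        print(f"{src}: {len(peers)} distinct external peers on non-service ports -> review for P2P bot activity")
```

On the constructed flows only 10.0.0.9 is reported, with seven distinct peers; its ordinary HTTPS traffic and its internal SMB traffic do not count toward the total. The check is deliberately coarse: it is a triage signal that narrows which hosts to look at when the C&C beaconing pattern is absent, not proof of infection on its own.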

Another interesting improvement proposed by the cybercrime industry is the use of the Tor network in the botnet architecture, as discovered in September 2012 by the German security firm G Data Software, which detected a botnet with a particular feature: it is controlled from an Internet Relay Chat (IRC) server running as a hidden service of the Tor network. Although such a choice presents some technical problems, related to the latency of the Tor network and the implicit difficulty of controlling the botnet, the advantage is the difficulty of localizing the command and control servers, due to the encryption of the connections inside the network and the unpredictability of the routing of the information.

The challenge between security firms and attackers is open, and it is fundamental to keep the effort in the detection of and fight against cyber threats high, to avoid dramatic consequences.

The rise of Advanced Threats … the inadequacy of the defense

Are our defense systems adequate to reply to incoming cyber threats?

Unfortunately in many cases the cyber threats present a level of complexity that makes it possible to evade common security measures. The security firm FireEye has released a report named "Advanced Threat Report", related to the first half of 2012, that provides an overview of the current threat landscape, evolving advanced malware and advanced persistent threat (APT) tactics, and the level of infiltration seen in organizations' networks today.

The report presents an alarming scenario: organizations are witnessing an impressive increase in advanced malware that is bypassing their traditional security defenses. In these days we are reading a lot of news on agents that are able to elude common defense mechanisms, a problem that is afflicting all sectors, from defense to energy.

Organizations are facing a dramatic explosion in the diffusion of advanced malware, in terms of volume and also of effectiveness in bypassing traditional signature-based security mechanisms.

A statistic proposed in the security firm's report shows that, on average, organizations are experiencing a staggering 643 web-based malicious events each week, incidents that result in the compromise of the targeted systems. This figure includes file-based threats, such as malicious executables or files that contain exploits targeting vulnerabilities in applications, that are delivered over the web and email. The figure does not include callback activities, which are very common on the web.

Figure 5 – Web Infection Per Week per Company

The graph shows the abnormal increase registered in the first half of 2012, which is greater than the number of infections per week for the entire previous year; the patterns of attacks vary substantially by industry, in particular the healthcare and Energy/Utilities sectors increased by 100% and 60% respectively.


The fight against the proliferation of botnets, and more in general of any kind of malware, goes through some key factors such as:

  • The promotion of joint operations that involve government agencies and the major private industry players. In this sense, some large companies have already embarked on a close collaboration with governments, as in the case of Microsoft.
  • A timely and methodical study of the evolution of the technological solutions on which botnets are based. It is important to define a universally recognized set of indicators to deterministically qualify the threat and its evolution.
  • Awareness of the cyber threats and the dissemination of best practices for the containment of infections.
  • The approval of regulations and penalties, recognized globally, for those who develop or contribute to the spread of botnets. Unfortunately today, differing legislative frameworks represent an advantage for those who intend to commit a crime using these tools.

Despite the great effort and the increasing investments made by governments and private companies, many sectors still suffer the attacks of cybercrime; the situation is worrying because in many cases the cyber threats go undetected, causing serious damage. As demonstrated by the data provided, the number of compromised machines and infrastructures is increasing despite the adoption of security countermeasures.

Another fundamental step in the fight against malicious agents is the definition of a global agreement and of a global strategy against cybercrime, and of a regulation on the use and diffusion of any kind of cyber tool by government agencies, from both legislative and operative perspectives …

In the meantime the cyberspace is still too crowded!

Pierluigi Paganini
