TechJournal South

Posts Tagged ‘botnets’

Malware evading detection, attacking more economic sectors

Thursday, February 21st, 2013

Sophisticated attacks originally targeting the financial services industry are now increasingly directed at other critical sectors of the economy, while an emerging set of new tactics and technologies is being used to evade industry-standard security measures, according to McAfee.

Along with the recent disclosure of cyber attacks against the New York Times, Washington Post, Apple, and others, reports such as this may raise awareness of the need for better cyber security tools. Similarly, Check Point has issued its 2013 Security Report looking at top global security threats. More and more, cyber criminals are circumventing standard anti-virus systems and firewalls.

The McAfee report showed the continued proliferation of password-stealing trojans and advanced persistent threats (APTs) such as Operation High Roller and Project Blitzkrieg, and the expansion of their attacks to government, manufacturing and commercial transaction infrastructure targets.

“We are seeing attacks shifting into a variety of new areas, from factories, to corporations, to government agencies, to the infrastructure that connects them together,” said Vincent Weafer, senior vice president of McAfee Labs.

A growing underground market

“This represents a new chapter in cybersecurity in that threat-development, driven by the lure of financial industry profits, has created a growing underground market for these cybercrime weapons, as well as creative new approaches to thwarting security measures common across industries.”

Leveraging data from McAfee’s Global Threat Intelligence (GTI) network, the McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. In Q4 2012, McAfee Labs identified the following trends:

More Threats, More Availability, More Industries Targeted

As a group, unique password-stealing trojans grew 72 percent in Q4 as cybercriminals realized that user authentication credentials constitute some of the most valuable intellectual property stored on most computers.

Now widely available, these trojans are increasingly appearing within customized threats or combined with other “off-the-shelf” threats available on the internet. Fourth quarter revelations around the Citadel trojan suggest that this trojan’s information theft capabilities are being deployed beyond the financial services sector.

Web Threats Shift from Botnets to URLs

McAfee continued to see suspicious URLs replacing botnets as the primary distribution mechanism for malware.

An analysis of web threats found that the number of new suspicious URLs increased by 70 percent in Q4. New suspect URLs averaged 4.6 million per month, almost doubling the previous 2.7 million per month figure from the last two quarters.

Ninety-five percent of these URLs were found to be hosting malware, exploits or code designed specifically to compromise computers. The decline in the number of infected systems controlled by botnet operators is driven in part by law enforcement efforts to bring botnets down, but perhaps more so by the declining appeal of the botnet business model.

Increase in Infections beneath the OS

The volume of Master Boot Record-related malware climbed 27 percent to reach an all-time quarterly high. These threats embed themselves deep within the PC system storage stack, where standard antivirus solutions cannot detect them.

Once embedded, they can steal user information, download other malicious software, or leverage the infected PC’s computing power to launch attacks against other PCs or networks.

While these MBR attacks represent a relatively small portion of the overall PC malware landscape, McAfee Labs expects them to become a primary attack vector in 2013.
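A practical check for the storage-stack infections described above, as an added example that is not part of the McAfee report: the script below parses a classic 512-byte MBR (boot code, four partition entries, 0x55AA signature) and compares the boot code against a known-good SHA-256 baseline, which is where a bootkit's replacement loader shows up. It also flags structural oddities (several active partitions, bad status bytes, overlapping partitions) that a loader hiding its payload in unowned sectors can leave behind. The sample MBRs, the baseline hash and the device paths are constructed for the example.

```python
"""MBR parse-and-baseline check (added example; sample data is constructed).

Layout assumed (classic MBR, not GPT):
  bytes   0-445  boot code (what a bootkit replaces)
  bytes 446-509  four 16-byte partition entries
  bytes 510-511  boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries of a raw MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr: bytes, baseline_boot_sha256: str) -> list[str]:
    """Flag deviations from a trusted baseline plus structural oddities."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline (possible bootkit loader)")
    parts = info["partitions"]
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition marked active")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte {p['status']:#x}")
    # Overlapping entries can hide a sector range that the loader reads but no filesystem owns.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (s1, e1, i1), (s2, _, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a block device, e.g. /dev/sda or \\\\.\\PhysicalDrive0 (needs root/admin)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a one-partition MBR around the given boot code (test data only)."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # one active NTFS partition starting at LBA 2048; the CHS fields are placeholders
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return boot + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed samples: a "clean" MBR whose hash we record as the baseline,
# and one whose boot code has been swapped for a different loader.
CLEAN_MBR = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc\x00\x7c\xfb")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58" + b"\x90" * 88 + b"\xb8\x42\x00")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(sample, BASELINE_SHA256) or ["ok"])
```

The caveat that matters in practice: a running bootkit can filter what the OS returns for sector 0, so a clean result from `read_mbr()` on a live, suspect machine proves little. Record the baseline when the system is known good, and take the comparison read from boot media or a separate forensic image rather than through the possibly hooked storage stack.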

Malicious Signed Binaries Circumvent System Security

The number of electronically-signed malware samples doubled over the course of Q4. This clearly indicates that cybercriminals have decided that signing malware binaries is one of the best ways to circumvent standard system security measures.

Mobile Malware Continues to Increase and Evolve

The number of mobile malware samples discovered by McAfee Labs in 2012 was 44 times the number found in 2011, meaning 95 percent of all mobile malware samples appeared in the last year alone.

Cybercriminals are now dedicating the majority of their efforts to attacking the mobile Android platform, with an 85 percent jump of new Android-based malware samples in Q4 alone.

The motivation for deploying mobile threats is rooted in the inherent value of the information found on mobile devices, including passwords and address books, as well as new “business” opportunities that are not available on the PC platform.

These opportunities include Trojans that send SMS messages to premium services, then charge the user for each message sent. More information on mobile-specific malware can also be found in the recently-released 2012 Consumer Mobile Trends Report:

Cybercriminals mounting more sophisticated, harder to spot attacks

Tuesday, February 19th, 2013

The Mobile Security: McAfee Consumer Trends Report says cyber criminals are growing increasingly sophisticated in mounting their digital attacks.

The report identifies a new wave of techniques hackers use to steal digital identities, commit financial fraud, and invade users’ privacy on mobile devices.

Mobile platforms have become increasingly attractive to cybercriminals as consumers live more of their digital lives on smartphones and tablets.

Mobile attracting mischief

According to IDC, mobile devices are surpassing PCs as the preferred way to access the Internet and the number of people using PCs to go online will shrink by 15 million over the next four years, while the number of mobile users will increase by 91 million.

With the mobile space becoming a more enticing platform for online mischief, the complexity and volume of threats targeting consumers will continue to increase. Using its extensive global threat intelligence network (GTI), McAfee Labs analyzed mobile security data from the last three quarters.

“Despite elevated consumer awareness of threats on mobile platforms, there is still a significant knowledge gap surrounding how and when devices become infected and the level of potential damage,” said Luis Blando, vice president of mobile product development at McAfee.

“Cybercriminals are exhibiting greater levels of determination and sophistication leading to more destructive, multi-faceted hacks that are harder to spot, and thus warrant a greater degree of security and vigilance. Our goal in releasing this report is to help consumers understand the risks they face and learn ways they can stay safe and compute with confidence on all of their devices.”

In the report, McAfee Labs identifies the following threats as the most severe existing and new trends consumers will encounter in 2013:

Risky Apps: Cybercriminals are going to great lengths to insert infected apps into trusted sources such as Google Play and the risks within each app are becoming more intricate.

As a matter of fact, McAfee Labs found that 75 percent of the malware-infected apps downloaded by McAfee Mobile Security users, who are apt to be more security conscious than the average consumer, were housed in the Google Play store, and that the average consumer has a one in six chance of downloading a risky app.

Nearly 25 percent of the risky apps that contain malware also contain suspicious URLs, and 40 percent of malware families misbehave in more than one way.

A risky app may allow someone to:

  • Steal personal information such as banking, email or wireless account details and combine that with location data to put together a complete picture of who you are
  • Perpetuate fraud such as an SMS scam that will charge you without your approval
  • Abuse a device by making it part of a criminal bot network, which allows someone to remotely control your phone
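A static triage pass over an app's manifest that looks for the three behaviours in the list above (identity plus location harvesting, premium-SMS fraud, bot-style persistence with network access), written as an added example rather than anything taken from the McAfee report. The two manifests are constructed; the permission combinations and the receiver-priority threshold are my own heuristics, and a hit is a lead for a reviewer, not a verdict.

```python
"""Permission-combination triage of AndroidManifest.xml (added example; manifests are constructed)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Heuristic threshold (assumption): a normal app does not need an SMS receiver above the default
# priority 0; premium-SMS trojans register at 999 or higher so they can swallow the carrier's
# confirmation message before the user's messaging app ever sees it.
HIGH_PRIORITY = 100

IDENTITY = {"android.permission.READ_CONTACTS", "android.permission.READ_PHONE_STATE",
            "android.permission.GET_ACCOUNTS", "android.permission.READ_SMS"}
LOCATION = {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"}


def _a(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def extract(manifest_xml: str) -> dict:
    """Pull the permission set and the highest SMS_RECEIVED receiver priority out of a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_a(e, "name") for e in root.iter("uses-permission")}
    sms_priority = None
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {_a(a, "name") for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(_a(filt, "priority") or 0)
                sms_priority = prio if sms_priority is None else max(sms_priority, prio)
    return {"package": root.get("package"), "permissions": perms, "sms_receiver_priority": sms_priority}


def triage(manifest_xml: str) -> list[str]:
    """Return human-readable findings for the risky-app patterns named in the text."""
    info = extract(manifest_xml)
    p = info["permissions"]
    prio = info["sms_receiver_priority"]
    findings = []
    if "android.permission.SEND_SMS" in p and ("android.permission.RECEIVE_SMS" in p or prio is not None):
        findings.append("premium-SMS pattern: sends SMS and can intercept replies")
    if prio is not None and prio >= HIGH_PRIORITY:
        findings.append(f"SMS_RECEIVED receiver at priority {prio}: can abort the broadcast before the messaging app sees it")
    if p & IDENTITY and p & LOCATION:
        findings.append("identity + location: can build a profile of who and where the user is")
    if "android.permission.INTERNET" in p and "android.permission.RECEIVE_BOOT_COMPLETED" in p:
        findings.append("boot persistence + network: bot-client pattern, check what it talks to")
    return findings


# Constructed manifests for the example.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freeflashlight">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Free Flashlight">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        print(extract(m)["package"], triage(m) or ["no findings"])
```

A flashlight that wants to send SMS is the easy case; the value of this kind of pass is running it across a whole device or app store feed and reading the manifests that trip two or more rules, since a single rule (INTERNET plus boot persistence, say) also matches plenty of legitimate software.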

Black Market Activity: Botnet clients, downloaders, and rootkits are generic, useful software sold on black markets as part of software toolkits.

Criminals use these to commit premium SMS and click fraud, spam distribution, data theft, or bank fraud – and the complexity of these criminal activities is growing. Commercial criminals are now reusing and recombining these components to devise new, profitable schemes.

Drive-by Downloads: The first mobile drive-by downloads were seen in 2012 and we expect these to increase in 2013. On a mobile device, a drive-by download fools a user into downloading an app without knowing it. Once a user opens the app, criminals have access to the device.

Near Field Communication: In 2013, we expect to see criminals abuse the tap-and-pay near field communications (NFC) technology used in mobile payment programs, or “digital wallets.” This scam uses worms that propagate through proximity, a process we can call “bump and infect.”

The distribution path can quickly spread malware through a group of people such as in a passenger-loaded train or at an amusement park. When the newly infected device is used to “tap and pay” for the next purchase, the scammer collects the details of the wallet account and secretly reuses these credentials to steal from the wallet.

Worm malware like this will spread by exploiting vulnerabilities on devices. This development would monetize the 11.8 percent of malware families that already contain exploit behaviors.

As the mobile space evolves, criminals will look at ways to generate revenue from features only mobile devices have. During 2012, about 16 percent of malware families detected by McAfee attempted to get devices to subscribe to premium SMS messages. In 2013, we foresee an increase in threats that will have users finding out they bought premium apps only when they check their bills.

For a full copy of the Mobile Security: McAfee Consumer Trends Report from McAfee Labs, with additional threats, please visit:

Ten tips businesses can use to protect customers

Thursday, March 29th, 2012

It has been four years since the world worried about the havoc a virus called “Conficker” might wreak online on April Fool’s Day, while new threats, including the ramped up spread of botnets, virus-laden advertising and malicious spear phishing are increasing.

The Online Trust Alliance (OTA) has released its annual “Top Ten Ways Businesses Can Protect Consumers from Being Fooled,” a list of simple-to-employ recommendations for businesses and government agencies to help protect their customers’ and employees’ personal data, financial assets and devices from being compromised.

OTA, with data from the FBI, Secret Service and forensics experts, developed the list to address the most common and dangerous threats based on a review of thousands of data loss and identity theft incidents.

Businesses overlooking fundamentals

“While businesses are making efforts, all too often they are overlooking the fundamentals which could curb upwards of 90% of online threats to their data,” said Craig Spiezle, executive director and president, Online Trust Alliance.

“We have a shared responsibility to harden our systems and those of our customers.  Secure and confident customers are good for business and for the long-term vitality of the digital economy.”

“I want to thank OTA for promoting stronger cyber privacy, security, and resilience,” said Senator Joe Lieberman. “The same way you lock up your business at night to deter criminals, you need to lock up your computer so you’re a less tempting target. OTA’s simple and inexpensive security tips can help our business community take a byte out of cyber crime.”

Top Five from top ten list

OTA’s 2012 Top 10 Recommendations address the most frequent exploits including botnets, malicious email, phishing and deceptive websites. An excerpt of the full list follows: 

  1. The browser is the first line of defense, yet over 40% of users have outdated and insecure browsers, lacking integrated anti-phishing, malware protection and online tracking privacy controls. “Why Your Browser Matters” is a helpful resource for all businesses to provide “teachable moments” to site visitors to upgrade their browser at no cost.
  2. Upwards of 10% of computers are infected by “botnets”.  Scan your systems weekly with tools and resources to help detect, prevent and remediate the threats.
  3. Deceptive and malicious email continued to grow in the past year, targeting business users, government agencies and consumers.  Implement Email Authentication to reduce the incidence of spoofed and forged email, which may lead to identity theft, and the distribution of malware and tarnish your brand reputation.
  4. Cybercriminals are increasingly snooping and eavesdropping on wireless connections, including airports, coffee shops and the library.  Always-on SSL (AOSSL) encrypts all connections and communication — including users’ names and passwords. This standard is now implemented by leading sites including Twitter, Facebook, PayPal and Microsoft.
  5. Enable automatic patch management for operating systems, applications, including add-ons and plugins. Proactive patch management can harden your system from known vulnerabilities. End-of-life applications that are no longer supported should be removed or used in isolated and secure sessions.
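The point of tip 4 is that encrypting only the login page leaves the session cookie to travel in the clear on the very next plain-HTTP request, which is all a coffee-shop eavesdropper needs. Below is an added example (my code, not OTA's) that audits a captured HTTP response for the pieces always-on SSL depends on: a redirect off plain HTTP, Secure and HttpOnly on every cookie, and a Strict-Transport-Security header (HSTS, which the OTA list does not mention but which is the mechanism that keeps a browser on HTTPS after the first visit). The three responses and the one-year max-age threshold are assumptions made for the example.

```python
"""Always-on SSL hygiene check on a captured HTTP response (added example; responses are constructed)."""

ONE_YEAR = 365 * 24 * 3600  # minimum HSTS max-age accepted here (assumption; preload lists want a year)
REDIRECTS = {301, 302, 307, 308}


def parse_set_cookie(value: str) -> dict:
    """Return the cookie name and whether the Secure / HttpOnly attributes are present."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def hsts_max_age(value: str):
    """Extract max-age from a Strict-Transport-Security value, or None if absent/malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def check_response(scheme: str, status: int, headers: list[tuple[str, str]]) -> list[str]:
    """Audit one response. headers is a list of (name, value) pairs because Set-Cookie repeats."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    location = next((v for k, v in hdrs if k == "location"), "")
    if scheme == "http":
        # Anything other than a redirect to https:// means content (and cookies) went out in the clear.
        # HSTS on a plain-HTTP response is ignored by browsers, so it is not checked here.
        if not (status in REDIRECTS and location.lower().startswith("https://")):
            findings.append(f"plain-HTTP request answered with {status} instead of a redirect to https://")
    else:
        hsts = next((v for k, v in hdrs if k == "strict-transport-security"), None)
        age = hsts_max_age(hsts) if hsts else None
        if age is None:
            findings.append("no Strict-Transport-Security header: browser will still try plain HTTP next time")
        elif age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")
    for k, v in hdrs:
        if k != "set-cookie":
            continue
        c = parse_set_cookie(v)
        if not c["secure"]:
            findings.append(f"cookie {c['name']!r} lacks Secure: it will be sent over plain HTTP")
        if not c["httponly"]:
            findings.append(f"cookie {c['name']!r} lacks HttpOnly: readable by injected script")
    return findings


# Constructed responses: a site that only encrypts its login page, a proper one, and a proper redirect.
WEAK_RESPONSE = ("http", 200, [("Content-Type", "text/html"),
                               ("Set-Cookie", "session=9f2c1d7e; Path=/")])
STRONG_RESPONSE = ("https", 200, [("Content-Type", "text/html"),
                                  ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                                  ("Set-Cookie", "session=9f2c1d7e; Path=/; Secure; HttpOnly")])
REDIRECT_RESPONSE = ("http", 301, [("Location", "https://www.example.com/")])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("strong", STRONG_RESPONSE), ("redirect", REDIRECT_RESPONSE)):
        print(label, check_response(*resp) or ["ok"])
```

Run this against the response for every page that sets or reads the session cookie, not just the login form; the "weak" case above is exactly the mixed-mode deployment that the Firesheep-era session-hijacking tools exploited on public Wi-Fi.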

Complete list has more

The complete 2012 list also includes steps regarding protections of internal infrastructures to safeguard customer data and business continuity. The list builds on OTA’s 2012 Data Protection and Breach Readiness Guide, released in January, which identifies key recommendations to help businesses protect their data and be prepared for a breach and data loss incident.

The guide highlighted that in 2011, over 125 million people were affected by data loss incidents costing businesses over $6.5 billion. Almost half of 2011’s breaches could have been avoided through implementation of simple or intermediate controls as outlined in OTA’s recommendations.

To view the complete and updated list for 2012 on ways businesses can protect consumers from being fooled, please go to:

Threats: groups using opt-in botnets to push agendas

Wednesday, April 21st, 2010

ATLANTA – Cyber criminals and protesters with a cause are increasingly turning to opt-in botnets on social networking sites and with Web 2.0 technologies that pose a growing threat to businesses, says a new report from Atlanta-based Damballa.

Damballa says its solutions identify advanced network threats, terminate criminal activity in real time and provide remediation guidance, so it has a dog in this hunt, but the company is at the forefront of reporting and stopping botnet activity.

Its newest research paper is called “The Opt-in Botnet Generation: Social Networks, Cyber Attacks, Hacktivism and Centrally-Controlled Protesting.”

The paper details the rapid adoption of opt-in botnets within social networking applications and Web 2.0 technologies by cyber criminals and protesters. It explains why anyone would opt-in to a botnet.

It says these tools have become a powerful platform for launching crippling botnet cyber attacks against any type of business or government from anywhere in the world, and Fortune 1000 companies run the risk of becoming unknowing enablers of the attacks.

“Tools and tactics that have proven invaluable for launching political protests around the globe are being reinvented, reoriented, and subsequently attacking non-political targets. Businesses are now in the cyber-protesting cross-hairs of their customers – both past and present,” says the paper’s author, Gunter Ollmann, vice president of research for Damballa.

The paper can be downloaded at Opt-In Botnet Generation.

Damballa closes C round with GRA Venture Fund investment

Tuesday, March 30th, 2010

ATLANTA – Damballa, which says it is the only network security company that enables organizations to take back command-and-control from botnets and other remote-control criminal threats, has finalized its Series C financing with an investment from Atlanta’s GRA Venture Fund. The firm did not disclose the amount of the funding.

Damballa’s new round of investment was led by Palomar Ventures. Current investors InterWest Partners, Noro-Mosely Ventures and Sigma Partners all participated in this round.

According to a filing with the U.S. Securities and Exchange Commission, the round was targeted at $9 million, and the company closed on $8.2 million of it in October (see TechJournal South’s earlier report, “Damballa locks up about $8.2M of $9M round for botnet security tech”).

Damballa’s approach to network security finds previously unidentified threats then closes the hidden two-way communications channels that cybercriminals use to manipulate compromised corporate systems.

The Atlanta-based company points out that these attacks are silent, stealthy and the weapon of choice for online attacks, fraud and abuse.
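The “hidden two-way communications channel” Damballa describes is the bot's command-and-control beacon, and the cheapest place to see it is the web proxy log: a compromised host calling the same destination at near-constant intervals whether or not anyone is at the keyboard. Below is an added example of that detection over a constructed proxy log (my code and data, not Damballa's product); the log format, the minimum hit count and the interval-regularity threshold are assumptions.

```python
"""Beacon detection over proxy logs by interval regularity (added example; the log is constructed).

Log line format assumed: <iso-timestamp> <client-ip> <method> <url> <status> <bytes>
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed log: 10.1.2.3 polls update.example-cdn.net about every 300 s while browsing normally.
PROXY_LOG = """\
2010-03-30T09:00:00 10.1.2.3 GET http://update.example-cdn.net/ping 200 312
2010-03-30T09:01:10 10.1.2.3 GET http://news.example.com/ 200 48210
2010-03-30T09:03:45 10.1.2.3 GET http://news.example.com/story/1 200 30112
2010-03-30T09:05:01 10.1.2.3 GET http://update.example-cdn.net/ping 200 312
2010-03-30T09:09:59 10.1.2.3 GET http://update.example-cdn.net/ping 200 312
2010-03-30T09:12:00 10.1.2.3 GET http://mail.example.org/inbox 200 9001
2010-03-30T09:15:02 10.1.2.3 GET http://update.example-cdn.net/ping 200 312
2010-03-30T09:17:02 10.1.2.3 GET http://news.example.com/story/2 200 28810
2010-03-30T09:18:30 10.1.2.3 GET http://news.example.com/story/3 200 31010
2010-03-30T09:20:00 10.1.2.3 GET http://update.example-cdn.net/ping 200 312
2010-03-30T09:24:58 10.1.2.3 GET http://update.example-cdn.net/ping 200 312
2010-03-30T09:30:01 10.1.2.3 GET http://update.example-cdn.net/ping 200 312
2010-03-30T09:35:00 10.1.2.3 GET http://update.example-cdn.net/ping 200 312
2010-03-30T09:44:12 10.1.2.3 GET http://news.example.com/story/4 200 27711
2010-03-30T09:47:00 10.1.2.3 GET http://news.example.com/ 200 48230
2010-03-30T09:50:00 10.1.2.3 GET http://mail.example.org/inbox 200 9001
"""


def parse_log(text: str):
    """Yield (timestamp, client, host) per line; skip malformed lines rather than crash."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        yield datetime.fromisoformat(fields[0]), fields[1], urlsplit(fields[3]).hostname


def find_beacons(events, min_hits: int = 6, max_cv: float = 0.1) -> list[dict]:
    """Report (client, host) pairs whose inter-request intervals are nearly constant.

    max_cv bounds the coefficient of variation (stdev / mean) of the intervals; 0.1 tolerates
    a few seconds of jitter on a 5-minute beacon and is an assumption, not a calibrated value.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "hits": len(stamps),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for b in find_beacons(parse_log(PROXY_LOG)):
        print(f"{b['client']} -> {b['host']}: {b['hits']} hits every ~{b['interval_s']}s (cv={b['cv']})")
```

On this log the news site has enough hits but irregular spacing and the mail host has too few, so only the 300-second poller is reported. Real implants add random jitter and rotate through domains to defeat exactly this measure, so treat interval regularity as one signal to rank alongside destination rarity, request size uniformity and domain reputation rather than as a standalone alarm.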

The GRA Venture Fund LLC is a private investment fund created to help finance promising companies that have emerged from the Georgia Research Alliance VentureLab commercialization program. Since 2002, GRA’s VentureLab has evaluated the commercial potential of more than 500 inventions or discoveries at Georgia’s research universities.