Sophos security threat management report: update July 2006

In this update to our December 2005 annual security threat management report, we look at how the threat landscape has changed in the first six months of 2006 and what the likely trends are for the rest of the year. Once again we have seen those responsible for securing an organization's network challenged in new and inventive ways. The demands placed on IT have continued to grow as cybercriminals invent new ways to exploit human and computer vulnerabilities to steal and extort money from computer users and companies. The volume of malware increased, and the emphasis on secrecy and stealth that we saw at the end of last year has continued to rise. Spyware and phishing remain two of the biggest threats businesses face, and malware attacks are now almost universally aimed at a small number of victims, compared with the mass-mailing worms of the past, in an attempt to avoid drawing unnecessary attention.

The Global Security Survey released in June 2006 by the Financial Services Industry and conducted by Deloitte Touche Tohmatsu reported that more than three-quarters (78%, up from 26% in 2005) of respondents confirmed a security breach from outside the organization. (1) The survey called identity theft the "crime of the 21st century".

Growth rates

The number of threats has continued to grow. By June 2005 the number of different pieces of malware protected against by Sophos Anti-Virus stood at 140,118*. A year later, by June 2006, Sophos Anti-Virus was identifying and protecting against 180,292* different viruses, spyware, worms and Trojan horses.
Similarly, the number of computers targeted by each spam attack was reduced so that the threat would sneak under the radar of anti-spam techniques that measure email volume. Sophos research reveals that only 1 in every 91 emails was viral so far this year, compared with 1 in every 35 for the same period in 2005, further evidence that email worm attacks have dropped off in favor of other methods of malicious attack.

Top ten malware threats

Sophos has a global network of tens of thousands of monitoring stations capturing data about the latest viruses spreading via email, giving it a unique insight into the health of email systems and early warning of emerging virus outbreaks. Interestingly, the top ten chart (Figure 1) is dominated by viruses which have been around for a considerable time.

[FIGURE 1 OMITTED]

Figure 1: Top ten malware threats, January to June 2006 (share of reports; table made from bar graph)

Malware     Share    First seen
Sober-Z     22.4%    Nov 05
Netsky-P    12.2%    Mar 04
Zafi-B       8.9%    Jun 04
Nyxem-D      5.9%    Jan 06
Mytob-FO     3.3%    Nov 05
Netsky-D     2.4%    Mar 04
Mytob-BE     2.3%    Jun 05
Mytob-EX     2.2%    Oct 05
Mytob-AS     2.2%    Jun 05
Bagle-Zip    1.9%    Mar 04

The hardest hitting threat from January to June 2006 was the Sober-Z worm, which, at its peak, accounted for one in every 13 emails. The worm, which masqueraded as an email from the FBI or CIA claiming that the recipient was believed to have accessed illegal websites, dominates the chart despite being programmed to stop spreading from 6 January 2006.
The only new worm to have broken into the top ten list of malware is the Nyxem-D worm (also known as Kama Sutra), which spread via email posing as obscene pictures and sex movies. This data underlines that more recent attacks have been more insidious, subtly infecting smaller groups of people in an attempt to avoid drawing attention to themselves.

Trojans

The first six months of 2006 showed that virus authors continue to prefer infecting Windows machines with Trojans over viruses and worms. In 2005, Trojans outnumbered viruses and worms almost 2 to 1; today, computer users are four times more likely to be hit by a Trojan than by a virus or worm.

[FIGURE 2 OMITTED]

Figure 2: New Trojan (82%) and virus (18%) threats, January to June 2006

One in every two Trojans seen in the first six months of the year contained spyware components, performing activities such as logging keystrokes, stealing information like user names, passwords or credit card details, and giving third-party access to infected computers. As Trojans cannot spread on their own, the author must consider ways to entice computer users to download or run the malware. Email is exploited because it is a cheap and immediate method of communication.
Rather than having a message contain an infected attachment, spam messages today will often display a link to a website. Should the recipient visit the webpage, malicious code hidden on it will attempt to gain access to the machine via a weakness on the Windows machine, whether a software bug or insufficient firewall or anti-virus defenses, in order to download itself without alerting the user.

New threats

Ransomware

This year has seen Trojans being used to bring old-fashioned blackmail into the digital age, and highlights more than anything the view that malware authors are turning towards focused attacks against specific small groups of people rather than a mass bombardment of internet users. Ransomware is malicious software, often Trojan horses, that stops users accessing their files, usually by encrypting them, and then demands money with menaces. We have seen several examples of this at SophosLabs. Zippo, for example, which arrived on the scene in March 2006, encrypted files and demanded $300. (5) Ransom-A prevented victims from accessing their computer data until a ransom of $10.99 was paid via Western Union. It threatened to delete one file every 30 minutes until the ransom was paid. It also displayed pornographic images and an unsavoury message. If the user tried using CTRL+ALT+DEL to stop the Trojan running, they were subjected to a taunting message. Arhiveus (shown in Figure 3) demanded that the victim buy goods from an online drugstore.
[FIGURE 3 OMITTED]

Rootkits

A rootkit is a set of software tools placed on a computer by a third party and intended to conceal running processes, files or system data. The concept came to prominence at the end of 2005 when Sony used one on its music CDs to protect its copyright. However, it opened up a vulnerability that was exploited by a number of Trojan horses. Sony has accepted that this cost users and businesses money and inconvenience and has offered them their money back. The threat, though, still exists, with bespoke Trojans often employing rootkits and installing themselves on a small number of systems to attract very little attention. It is likely that we will see increasing sophistication in this tactic over the coming months. Rootkits are, however, difficult to write, and so we tend to see variants of existing rootkits. Whether they will work under Vista, Microsoft's new operating system to be released in 2007, remains to be seen.

Spammers

Medical-related spam (which primarily covers medication that claims to assist in sexual performance, weight loss, or human growth hormones) and spam containing adult content remain prolific. And stock-related spam continues to be hugely successful for unscrupulous spammers. In mid-June 2006, there was a widespread spam campaign detected by Sophos experts that encouraged users to buy stock in a company called Southern Cosmetics.
(9) The spammed emails, which consisted of an embedded graphic in an attempt to avoid detection by anti-spam filters, told recipients that savvy investors would be wise to buy stock in the company because of business deals it was making with Naomi LLC, a cosmetics firm endorsed by country music singer Naomi Judd. Southern Cosmetics' stock price rose dramatically following the spam email. An examination of the company's share price shows that there was a marked increase in trading in the stock, with the share price rising to a high of 6.6 cents from its pre-spam campaign low of less than one cent per share.

What lies ahead?

Mobile

Since the late 1990s some anti-virus companies have predicted the imminent arrival of a major mobile phone virus outbreak, but this has still not emerged. To date, there have been no large-scale incidents involving mobile phone or PDA viruses, and the overall threat to mobile devices is tiny compared to viruses affecting Microsoft Windows computers.
One of the reasons why mobile viruses have not become a problem is that the organized criminal gangs responsible for much malware written today see no benefit in targeting the devices, compared to the larger and more vulnerable population of Windows computers. Viruses can spread successfully, and quickly, on the common Windows platform without having to worry about the different operating systems and other differences seen in the varied cell phone market. As mobile devices become more ubiquitous, and common operating systems come into widespread use, we are likely to see more malware being written for those platforms. Despite the present extremely low threat posed by mobile malware, security vendors are building technology to protect mobile devices from malware, and we can expect to see more announcements regarding protection solutions in 2006.

Windows Vista

In March 2006 Microsoft announced that the release of the next version of their operating system, Windows Vista, is being delayed until at least 2007. The delay in Vista's launch is bad news for security-conscious computer users, as it incorporates a number of new features which should harden the operating system against attack. One feature of Vista is the inclusion of Defender, an anti-spyware tool designed for home users. Attacks against consumers have allowed hackers to make significant profits through zombie computers.
Windows Vista will also probably force malware writers to re-assess the techniques they are using for both regular malware and rootkits. Existing rootkits will most likely not work simply because of changes in the underlying operating system. However, it may just be a matter of time before the bad guys learn enough about Vista to build rootkits or other malware with an equivalent degree of stealth capability.

Macintosh

Although the first malware for Mac OS X was seen in February 2006, it has not spread in the wild and has not heralded an avalanche of new malicious code for Apple's operating system. Hackers remain happy to primarily target Microsoft Windows users and not spread their wings to other platforms. It seems likely that the Macintosh will continue to be a safer place for computer users for some time to come.

Stock spam

The campaign email was spammed out on 21 April, rocketing the volume of shares sold to nearly 400,000 and hiking the share price by more than 74%. A week later, a follow-up spam saw prices go even higher. This sort of spam is usually sent at the weekend because most vendors, unlike Sophos, do not have researchers analyzing new spam and distributing new rules to block it at the weekend. It uses exactly the same techniques as a pre-internet, centuries-old con. The spammer (often part of an organized crime ring) buys the stock at low prices, talks up the stock via spammed emails, sees the share price rise, and then sells. The spammer makes a small fortune, the buyer is left with overpriced stock, and the company's financial strategies are left in disarray.

Social engineering

Most people have wised up to the fact that if they click on an attachment purporting to be of a semi-clad celebrity they will end up with more than a cheap thrill.
So the social engineering has moved on and become more subtle. Political issues, topical news events and tugging at the heartstrings have made recognizing the trap more difficult for users, and put a big onus on organizations to have watertight security in place. Sophos has continued to intercept a wide variety of this type of email scam. In June 2006, a version of the Stinx Trojan claimed that George W Bush and Tony Blair were involved in a Middle East oil price cover-up, while the Sixem worm lured victims in the run-up to the World Cup soccer tournament by claiming to contain pictures of football fans engaged in a naked match.

The top spam relaying countries

Spam is increasingly a worldwide problem, benefiting from the fact that wherever the spammer is based, they can take advantage of insecure broadband home computer connections anywhere in the world to send their unwanted marketing messages. The United States continues to head the list of the "dirty dozen" countries from which spam is sent (23.4%) but is continuing to relay less of the world's spam than it did during 2004 due to a number of factors, including jail sentences for spammers, tighter legislation and better system security. The US is followed by China (20.5%) and South Korea (8.7%). However, Asia as a whole is responsible for relaying more spam than the US.

Need for protection

Insufficiently protected computers continue to come under attack in shorter timescales than ever before. Exploits, taking advantage of software flaws, can spread without human intervention. Hackers are increasingly releasing malware before users have been able to apply the security patch from Microsoft, or even, in some instances, before a patch has been published. The Oscor-B Trojan horse, for example, exploits a zero-day vulnerability in Microsoft Word, allowing it to infect computers when infected Word documents are opened.

Summary

The growing quantity of new threats, the speed with which they spread, and the hugely complex task of protecting networks against them are going to have significant implications for businesses throughout the second half of 2006.
As cybercriminals become more cunning and use increasingly inventive methods to try to avoid their malware being detected, organizations will look to single vendors with cross-threat expertise and consolidated product solutions to protect their systems, their data and their business continuity.

Sources

(1) Global Security Survey, Financial Services Industry and Deloitte Touche Tohmatsu, June 2006
(2) The latest news on the Sober-Z worm outbreak: 1 in 13 emails are now infected by the Sober worm. www.sophos.com/pressoffice/news/articles/2005/11/soberz.html
(3) Sober-Z worm poses as bogus messages from FBI or CIA. www.sophos.com/pressoffice/news/articles/2005/11/soberfbi.html
(4) Obscene Kama Sutra worm spreads via email. www.sophos.com/pressoffice/news/articles/2006/01/nyxemd.html
(5) Zippo Trojan horse demands $300 ransom for victims' encrypted data. www.sophos.com/pressoffice/news/articles/2006/03/zippo.html
(6) Ransom Trojan horse demands money with menaces. www.sophos.com/pressoffice/news/articles/2006/04/ransom.html
(7) Devious Arhiveus ransomware kidnaps data from victims' computers. www.sophos.com/pressoffice/news/articles/2006/06/arhiveus.html
(8) Refunds for music fans hit by Sony DRM rootkit. www.sophos.com/pressoffice/news/articles/2006/05/sonysettlement.html
(9) Cosmetics company's stock price rises sharply following spam campaign. www.sophos.com/pressoffice/news/articles/2006/06/stockspam.html
(10) Spammed Trojan claims Bush/Blair Middle East oil cover-up. www.sophos.com/pressoffice/news/articles/2006/06/stinxw.html
(11) Nude World Cup worm spreads via email. www.sophos.com/pressoffice/news/articles/2006/06/sixem.html
(12) Trojan horse exploits zero day Microsoft Word vulnerability. www.sophos.com/pressoffice/news/articles/2006/05/oscorb.html

* Note that we have changed the way we calculate and report the threats that we protect against so that we more accurately reflect the number of individual threats detected by our proactive Genotype technology.

Beware of rootkits

By Mike Mullins, Security Solutions

When administrators and security professionals hear the word rootkit, most think first of a UNIX-based system. Unfortunately, this only leads to a false sense of security for Windows-based systems. The fact is that Windows rootkits do exist, and you need to be able to detect them.

What is a rootkit?

To clarify, a rootkit is not an exploit; it's the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode. Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit's existence if they have a signature file.

A kernel-mode rootkit, on the other hand, is remarkably different, and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system. By design, kernel-mode rootkits control the operating system's Application Programming Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do. In addition, it uses this position to hide itself from detection: if an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit's files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.

Rootkit detection

Methods to detect rootkits fall into two categories: signature-based and heuristic/behavior-based detection.

Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprise a "fingerprint" unique to a particular rootkit. However, the rootkit's tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.

Heuristic/behavior-based detection: This method works by identifying deviations from normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with a 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available.

Rootkits are hard to detect. But there are programs, some of them free and some from reputable companies, to help you detect their presence on your systems. Microsoft has even stepped up to the plate with a tool of its own, designed to detect and remove Windows rootkits.

Final thoughts

If you discover someone has compromised your machine, it's vital that you take the necessary steps to find out if the attacker has installed a rootkit, and then eliminate the threat. Applying vulnerability patches after someone has installed a rootkit on your machine won't close the security holes that already exist on your network.
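The two detection approaches described above, worked through as an added example that is not part of the original article: a signature scan over file contents, a cross-view comparison of a hooked directory listing against a raw one, and the disk-accounting check behind the 200-GB example. The signature database, driver names, file bytes and disk figures are all constructed for the demonstration; none is a real rootkit indicator, and the 2 GB tolerance is an assumed allowance for filesystem metadata and rounding.

```python
"""Rootkit detection checks: signature scan plus cross-view and disk-accounting
discrepancies. Added example, not code from the article. The signature
database, file contents, directory listings and disk figures are all
constructed for the demonstration (nothing here is a real rootkit signature)."""
from __future__ import annotations

from typing import Dict, List, Set

# Hypothetical signature database: detection name -> byte sequence.
SIGNATURES: Dict[str, bytes] = {
    "demo-rootkit-a": b"RKHOOK\x00\x01",
    "demo-rootkit-b": b"hide_proc_v1",
}


def signature_scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return {path: [matched signature names]} for files containing a known byte pattern."""
    hits: Dict[str, List[str]] = {}
    for path, data in files.items():
        matched = [name for name, sig in SIGNATURES.items() if sig in data]
        if matched:
            hits[path] = matched
    return hits


def cross_view_diff(api_view: Set[str], raw_view: Set[str]) -> Set[str]:
    """Entries the raw view has that the API view lacks.

    A hooking rootkit filters what the directory-listing API returns; a raw
    read of the directory (direct disk access or an offline mount) does not
    go through the hook, so anything missing from the API view is suspect.
    """
    return raw_view - api_view


def disk_accounting_gap(total_gb: float, visible_files_gb: float,
                        free_gb: float, tolerance_gb: float = 2.0) -> float:
    """GB that neither visible files nor reported free space account for.

    Returns 0.0 when the gap is within tolerance_gb (an assumed allowance for
    metadata, slack space and rounding), otherwise the unexplained size.
    """
    gap = total_gb - visible_files_gb - free_gb
    return gap if gap > tolerance_gb else 0.0


def run_demo() -> Dict[str, object]:
    """Exercise all three checks against a constructed 'rooted' host."""
    # Constructed directory: the raw view is what the disk holds, the API view
    # is what a hooked listing call returns (the rootkit's driver is missing).
    raw_view = {
        r"C:\Windows\System32\drivers\ntfs.sys",
        r"C:\Windows\System32\drivers\tcpip.sys",
        r"C:\Windows\System32\drivers\demo_hidden.sys",  # hidden by the hook
    }
    api_view = {
        r"C:\Windows\System32\drivers\ntfs.sys",
        r"C:\Windows\System32\drivers\tcpip.sys",
    }
    # Constructed file bytes (not real driver images).
    raw_contents = {
        r"C:\Windows\System32\drivers\ntfs.sys": b"MZ\x90\x00legit-driver",
        r"C:\Windows\System32\drivers\tcpip.sys": b"MZ\x90\x00legit-driver",
        r"C:\Windows\System32\drivers\demo_hidden.sys": b"MZ\x90\x00RKHOOK\x00\x01payload",
    }
    api_contents = {p: raw_contents[p] for p in api_view}

    return {
        # A scanner that walks the directory through the hooked API finds nothing.
        "sig_hits_via_api": signature_scan(api_contents),
        # The same scanner fed by the raw view catches the driver.
        "sig_hits_via_raw": signature_scan(raw_contents),
        "hidden_entries": cross_view_diff(api_view, raw_view),
        # Figures from the article's example: 200 GB disk, 160 GB of files, 15 GB free.
        "unexplained_gb": disk_accounting_gap(200.0, 160.0, 15.0),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to notice when running it is that the same signature scanner reports nothing when it reads files through the hooked API and finds the driver when it reads the raw view; that is the limitation the article describes, and it is why scanning from an offline boot medium or comparing two views of the same directory is more reliable than signatures alone. The disk-accounting check complements both, since it needs no signature and no second view, only the figures the system itself reports.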