by RSS Derek Manky  |  Dec 13, 2010  |  Filed in: Security Research

We’re quickly coming to the end of 2010, which means it’s time for Fortinet’s FortiGuard team to roll out the crystal ball and predict what the biggest security trends are going to be in the coming year. In short, we’re predicting increased global collaboration on cybercrime syndicate crackdowns; a price increase for tomorrow’s crime services; an increase in 64-bit attacks; increased job demand for developers, CAPTCHA breakers, QA and distributors; and more cyber criminals will enter the game by attempting to use recycled source code. The full report is outlined below.

**1) Increased Global Collaborative Takedowns**

Over the last few years we have seen countries working together, through efforts such as Operation Bot Roast (an FBI initiative), the Conficker Working Group and this year's Mariposa, Pushdo, Zeus and Bredolab busts, to bring syndicates down. These operations, however, focused only on the most visible violators and sometimes caused only a temporary impact. For example, when the Koobface botnet's command servers were taken offline in November, the operators had them reconfigured and running at full capacity again a week later.

In 2011, we predict authorities will consolidate global collaborative efforts and partner with security task forces to shut down cyber criminal operations that are growing in number. The Zeus takedown that occurred in 2010, leading to charges by authorities in both the US and United Kingdom, is a great example, and we believe foreshadows things to come.

**2) Infected Machines Stimulate Inflation**

Today, we’re seeing a territorial concern for criminals building their malware empire(s), since control over managed infections can lead to longer up times and greater cash flow. Features advertised as “bot killers” are being implemented into new bots to generically kill other threats that may lurk on the same system. For example, we’ve seen one bot enumerating process memory to look for commands used by resident IRC bots. Once it finds processes that use these commands, it will kill them since they are perceived as a territorial threat.
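The bot-killer heuristic described above (walk the running processes, look for IRC command strings in their memory, act on the matches) is the same heuristic a defender can turn around to find a resident IRC bot. The Python below is an added example, not Fortinet code and not the logic of any particular bot: `scan_region` flags a memory buffer that contains IRC protocol lines, and `scan_process` applies it to a live Linux process through `/proc`. Both memory snapshots are constructed for the example; the process names, nicknames and channel are made up.

```python
"""Heuristic: flag a process memory region that holds IRC protocol traffic."""
import re
from dataclasses import dataclass, field

# Commands typically present in the send/receive buffers of an IRC bot.
IRC_COMMANDS = b"NICK|USER|JOIN|PART|PRIVMSG|NOTICE|PING|PONG|MODE|QUIT"

# One IRC protocol line: optional ":prefix ", a command, parameters, CRLF.
# The line may start at the buffer start, after a CRLF, or after a NUL
# (strings in memory are usually NUL-separated). Requiring the CRLF
# terminator rules out prose that merely contains the word "JOIN" or "MODE".
IRC_LINE = re.compile(
    rb"(?:^|(?<=[\r\n\x00]))(?::[^\s\r\n]{1,64} )?("
    + IRC_COMMANDS
    + rb")(?: [^\r\n]{1,510})?\r\n"
)


@dataclass
class IrcScanResult:
    commands: set = field(default_factory=set)  # distinct IRC commands seen
    lines: list = field(default_factory=list)   # the matched protocol lines

    @property
    def suspicious(self) -> bool:
        # One command string is weak evidence (it could be a word in a document);
        # two or more distinct commands in protocol framing is not.
        return len(self.commands) >= 2


def scan_region(data: bytes) -> IrcScanResult:
    """Return every IRC protocol line found in a raw memory buffer."""
    result = IrcScanResult()
    for m in IRC_LINE.finditer(data):
        result.commands.add(m.group(1).decode())
        result.lines.append(m.group(0).rstrip(b"\r\n").decode("latin-1"))
    return result


def scan_process(pid: int) -> IrcScanResult:
    """Apply scan_region to every readable private mapping of a live process.

    Linux only. Reading /proc/<pid>/mem needs ptrace access to the target
    (root, or the same user under a permissive kernel.yama.ptrace_scope).
    Regions the kernel refuses to read (e.g. [vsyscall]) are skipped.
    """
    total = IrcScanResult()
    with open(f"/proc/{pid}/maps") as maps, \
            open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for line in maps:
            fields = line.split()
            addr, perms = fields[0], fields[1]
            if perms[0] != "r" or perms[3] != "p":  # readable and private
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            try:
                mem.seek(start)
                chunk = mem.read(end - start)
            except (OSError, ValueError, OverflowError):
                continue
            part = scan_region(chunk)
            total.commands |= part.commands
            total.lines.extend(part.lines)
    return total


# Constructed sample: snapshot of a hypothetical IRC bot's network buffer.
BOT_MEMORY = (
    b"\x00\x00garbage\x00"
    b"NICK [USA|XP]4711\r\n"
    b"USER xp 0 * :xp\r\n"
    b":irc.example.test 001 [USA|XP]4711 :Welcome\r\n"
    b"JOIN #cmd secretkey\r\n"
    b":op!op@example.test PRIVMSG #cmd :.scan 192.0.2.0/24\r\n"
    b"\x00\x00more garbage"
)
# Constructed sample: a document that mentions IRC verbs without framing.
BENIGN_MEMORY = b"Please JOIN the meeting; set MODE to silent.\nPING me later.\n"

if __name__ == "__main__":
    for label, snapshot in (("bot", BOT_MEMORY), ("benign", BENIGN_MEMORY)):
        r = scan_region(snapshot)
        print(label, "suspicious" if r.suspicious else "clean", sorted(r.commands))
```

The bot in the text kills whatever it finds; a defender would instead record the PID and the matched lines for triage, since an IRC client or a log viewer can legitimately hold the same strings. The CRLF and "two distinct commands" requirements are the cheap false-positive filters that make the heuristic usable.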

As attackers infect machines in 2011, the value of machines that are already infected will increase. As a result, we are likely to see price increases for crime services such as bot rentals that load malicious software onto machines, and for malware that includes machine maintenance to maximize an infected machine's uptime. To keep infections discreet, malware operators may turn to quality assurance services that would, say, refuse to load software that could crash a machine or otherwise disrupt their business. Operators may also lease time on an infected machine as part of the package: when the lease is up, the malware cleans up after itself, reducing the load (and the number of threats) on any single machine.

**3) 32- to 64-Bit Infections**

Security technologies such as address space layout randomization (ASLR), data execution prevention (DEP), virtualization, PatchGuard and kernel driver signing, and sandboxing (confining code to a restricted execution environment) are becoming commonplace, along with the 64-bit machines that run them. This evolution has certainly restricted malware's stomping grounds, which will drive demand in 2011 for ways to break through these chains. In 2010, we saw JIT-spraying and return-oriented programming (ROP) used to defeat ASLR/DEP in PDF/Flash exploits. We also saw 64-bit rootkits such as Alureon, which sidestepped PatchGuard and driver-signing checks by infecting the master boot record, so that its code runs before the kernel and its protections are loaded.

Expect more 64-bit rootkits to follow in the quest to gain a foothold on newer machines and further, innovative attacks that circumvent defences like ASLR/DEP and sandboxing.

**4) Cybercriminals Hang Out the "Help Wanted" Sign**

As money mules are taken offline in the coming year, there will be a need for immediate replacements. Additional jobs we see growing in demand include developers for custom packers and platforms, hosting services for data and drop-zones, CAPTCHA breakers, quality assurance (anti-detection) and distributors (affiliates) to spread malicious code. As demand grows for these resources in 2011, criminal operations will effectively expand head count. New affiliate programs will likely create the most head count by hiring people who sign up to distribute malicious code. Botnet operators have typically grown their botnets themselves, but we believe more operators will begin delegating this task to affiliates (commissioned middle-men) in 2011. The Alureon and Hiloti botnets are two examples that have already grasped this concept by establishing affiliate programs for their own botnets, paying anyone who can help infect systems on the operator's behalf. By using an army of distributors, botnets will continue to thrive.

**5) Spreading Source**

Malware today can appear under multiple names and aliases. Cross-detection between various security vendors is adding to the confusion as well. This is the result of a growing development community that is fuelled by available source code and libraries that are “borrowed” to create and sell new malware. Oftentimes, two pieces of malware we are evaluating are nearly identical in nature except for a small component inside of it that has changed. This type of “copy and paste” malware is an indication that multiple developers have adopted the same source code.
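The "nearly identical except for one small component" observation is something an analyst can measure rather than eyeball. The Python below is an added example (not Fortinet tooling): it scores two samples by the Jaccard similarity of their byte n-gram sets, the same idea behind fuzzy hashes such as ssdeep, and groups samples that share most of their bytes into one family. The four "binaries" are constructed pseudo-random blobs: a base build, two variants that swap in a small changed component, and an unrelated sample; the `c2.example.test` URL is made up.

```python
"""Byte n-gram similarity for triaging 'copy and paste' malware variants."""
import random

N = 7  # n-gram width in bytes; wider windows suffer fewer chance collisions


def byte_ngrams(data: bytes, n: int = N) -> set:
    """All overlapping n-byte windows of a sample, as a set."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = N) -> float:
    """Jaccard similarity of two samples' n-gram sets, in [0, 1].
    Two copies of the same code score 1.0; a small patched region barely
    moves the score, while an unrelated sample scores close to 0."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def cluster(samples: dict, threshold: float = 0.8) -> list:
    """Greedy complete-link clustering: a sample joins the first cluster in
    which it is at least `threshold` similar to every member, otherwise it
    starts a new cluster. Returns a list of name lists (one per family)."""
    clusters = []
    for name, data in samples.items():
        for members in clusters:
            if all(similarity(data, samples[m]) >= threshold for m in members):
                members.append(name)
                break
        else:
            clusters.append([name])
    return clusters


def _blob(seed: int, size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for a binary (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


BASE = _blob(1)
# Variant A: the same build with a 64-byte component replaced.
VARIANT_A = BASE[:1000] + _blob(2, 64) + BASE[1064:]
# Variant B: the same build with only the C2 URL string swapped (hypothetical host).
VARIANT_B = BASE[:3000] + b"http://c2.example.test/" + BASE[3023:]
# A sample that shares no code with the others.
UNRELATED = _blob(3)

SAMPLES = {
    "base": BASE,
    "variant_a": VARIANT_A,
    "variant_b": VARIANT_B,
    "unrelated": UNRELATED,
}

if __name__ == "__main__":
    for name in ("variant_a", "variant_b", "unrelated"):
        print(f"base vs {name}: {similarity(BASE, SAMPLES[name]):.3f}")
    print("families:", cluster(SAMPLES))
```

On real binaries the raw byte comparison is confounded by packers and recompilation, which is why production tools apply it after unpacking or to normalized code; the scoring and grouping logic stays the same. The threshold is a triage knob, not a verdict: two samples in one cluster share bytes, which is evidence of shared source, not proof of a shared author.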

In 2011, we predict more cyber criminals will enter the game by attempting to make money using recycled source code. This trend will create more threat names/variants as they begin to circulate in the wild, which, in turn, will only create further confusion and dilute the meaning of these names. While public source code will continue to create problems on the security landscape, private source code will increase in value as will jobs for adept developers. We also expect to see new cases of leaked private source that are employed by new up-and-comers, thus continuing the vicious cycle.
