Security Landscape: Do-it-yourself crimeware botnet kits

by Rick Popko
October 14, 2010 at 10:16 am

On this episode of Network World’s Security Landscape, Derek Manky from Fortinet and Keith Shaw discuss the latest security threats seen worldwide, including the rise of do-it-yourself crimeware botnet kits and the possibility of another iPhone jailbreak vulnerability on Oct. 10, 2010.

Author bio: Rick Popko is a PR Manager at Fortinet, where he specializes in media relations. Prior to his career in public relations, Rick was a journalist at a number of Bay Area tech pubs including CNET, Maximum PC, DV, Streaming Media and Multimedia World.

In the September edition of Security Minute with Fortinet, researcher Derek Manky talks about the most prevalent threats and threat trends plaguing the internet over the last 30 days, including the latest Twitter worm, Zeus and Zitmo, various software vulnerabilities, and the “Here You Have” virus.

Fret the Threat: 2010 Predictions Realized

by Derek Manky
June 23, 2010 at 9:25 am

In January 2010, Fortinet’s FortiGuard Labs threat researchers issued a report outlining their predictions for The Top 10 Security Trends for 2010. Now that we’re midway through the year, we thought it would be interesting to see how right (or wrong) we were, and whether anything completely unexpected has come up along the way. The following report spells out the trends the team predicted at the beginning of the year and concludes with comments on where each threat stands today.

1) Security, Virtually Speaking

January 2010: “Preventing infections from cross pollinating between virtual machines will be key in securing virtual movements of servers.”

June 2010: As virtualization spreads, it indeed becomes important to treat each virtual machine as if it were a physical box. For example, a worm could easily hop from one VM to another on the same host, reaching a machine with a completely different set of access credentials and creating a more potent infection. Virtualization adds another level of complexity, further widening the security gap. We have seen some interesting developments this year, including a unique (and potentially exploitable) Flash crash that only occurs in a virtualized environment.

2) Information, Protect Thyself

January 2010: “Information-centric security, rather than container-centric security, will be necessary in the next decade as access to data will continue to evolve outside the traditional network.”

June 2010: We are now knee-deep in digital storage. Information can be stored anywhere: digital cameras, printers, picture frames, thumb drives, laptops / netbooks, etc. The number of containers is growing, while the sensitive information remains relatively the same. This is precisely why enterprises and administrators need to think about policies and a security framework that police information as it comes into and out of the network, no matter what the container.

3) Get Your Head, Not Your Security, Out of the Cloud

January 2010: “Adopting cloud-based services opens organizations up to many risks and vulnerabilities as information travels to and from protected networks via a public pipe, creating many more opportunities for data infection or theft.”

June 2010: Information continues to flow through public pipes. For example, Facebook has now introduced social plug-ins. Information that is already available from one source is bound to be integrated into other public platforms, spreading potentially sensitive data through cyberspace. Once information leaves your fingertips, it becomes very difficult, if not impossible, to control. Thus, it is extremely important to safeguard your information before it leaves your fingertips and ultimately your data store/network.

4) Don’t Throw the Apps Out with the Bath Water

January 2010: “Second-layer security will be adopted to help enterprises have better application control beyond just allow or not allow.”

June 2010: A packet is shaped many times as it travels. Second-layer (“layered”) security can be thought of as a waterfall filtering process, with each tier able to extract hazardous material before it reaches the next step. An example scenario with application control would be legitimate application traffic making it through the “allow” policy, only for that traffic to abuse the application once it arrives at the client. Intrusion prevention would be a good second-layer security mechanism in this example. We continue to see more vulnerabilities discovered and exploited in legitimate applications, further driving the need for layered security.

5) Security and Network Services Aren’t Strange Bedfellows

January 2010: “A natural evolution with the trend in consolidating network devices is to integrate more network functionality into security devices.”

June 2010: Fortinet has been following this trend for years, and continues to do so after pioneering the drive towards true unified threat management (UTM). For example, Fortinet’s FortiGate appliance allows both application control and intrusion prevention on one device. While the two have different goals, the underlying packet inspection technology enhances both. As the attack surface grows, appropriate security technology needs to be developed to counter it. Integration of these technologies and ease of management are critical for threat mitigation from an administrative standpoint. Without this approach, countering attacks simply becomes exhausting and wastes otherwise valuable resources.

6) CaaS vs. SaaS

January 2010: “Cybercriminals will take a page from the new security-as-a-service (SaaS) business model to implement their own crime-as-a-service approach, a criminal “environment for hire,” so to speak.”

June 2010: Crime services have been openly available in 2010, most notably through the use of simplified botnets – loader software that downloads and executes malware. These botnets will then report statistics back for quality control, so that the operators selling services (“loads”) can inform their customers when and where their malicious software was installed. We also continue to observe the Cutwail spam bot being distributed with different identification numbers. These are customer IDs, with each hired bot sending spam for the customers who bought them.

7) Scareware and Affiliates Find New Ground

January 2010: “With consumers becoming wise to scareware, cybercriminals are expected to up the stakes in 2010 by holding consumers’ digital assets hostage for ransom.”

June 2010: The rise of ransomware is no longer a myth; it’s a reality. We have witnessed several variations of ransomware emerge in 2010, from SMS-based locks to ones that kill applications until the user has paid the recovery fee. Detection levels have grown stronger in 2010, with variations of ransomware making their way into our top ten threat listings. While volume increases, attack strategy and technology continue to grow increasingly sophisticated. Combine this with solid encryption algorithms, and there is no doubt that ransomware will continue to plague cyberspace as we move through the remainder of 2010 and beyond.

8) Money Mules Multiply

January 2010: FortiGuard said, “Unwitting consumers may find themselves accessories to a crime as cybercriminals find new “mules” to launder their ill-gotten gains.”

June 2010: We have observed numerous instances of this trend and highlighted several examples in our threat reports. These socially-engineered attacks dupe users into fraudulent jobs that may sound innocent by description. Typically, the recurring job descriptions we observed in 2010 were accounts receivable ones, which involved the candidate receiving and forwarding funds while taking commission. Be very cautious of such promises, as there are legal implications – if it sounds too good to be true, it generally is.

9) Multiple Platforms in the Crosshairs

January 2010: “With a growing number of users on new platforms, cybercriminals will target their attacks beyond Microsoft Windows.”

June 2010: As predicted, we have seen an increase in mobile threat activity. Symbian OS still remains a favored attack platform: viruses like Yxes are becoming increasingly sophisticated, while others, such as Enoriv, are just starting to emerge. As other operating systems such as Android continue to gain momentum, they, too, could shortly pose similar threats.

10) Botnets Hide through Legit Means

January 2010: “Botnets will no longer just obfuscate their binary codes to escape detection. Instead, they will piggyback on legitimate communications vehicles to propagate and cloak activities.”

June 2010: This year we have described several new botnets that have come into scope, each using common protocols such as HTTP to do their dirty work. On top of this, botnets that existed before 2010 continue to remain strong and develop their protocols to obfuscate activity. This is big business and seemingly has become a primary focus for botnet developers.

A new development we discovered this year was Webwail, a Web-based scripting engine that can create accounts through the Web (at services such as Yahoo, Hotmail, Gmail, etc.) and then spam through them. To do this, CAPTCHAs are cracked dynamically by a third party (another example of demand for a CaaS market), so that the Web bot may proceed as if it were human. While we have only observed Webwail creating and sending spam, our analysis indicates it is much more capable; for example, it could easily spam through social networks. Other new developments include mobile threats and heavy use of document-based exploits through PDF and Flash. For more information on these, please refer to our FortiGuard Center and Blog, which are regularly updated to feature such content.

Author bio: Derek Manky is FortiGuard Labs' senior security strategist and contributes to security research and development, while also acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure, and industry collaboration efforts between Fortinet and other vendors.

Overall malware volume returned to pre-October levels this period, after two months of record activity driven by ZBot, Bredolab and Pushdo/Cutwail. Nonetheless, the Bredolab loader returned to the top spot with a vengeance this period, accounting for a whopping 66.5% of total detected malware activity. As we have seen time and time again, these attack campaigns typically do not last longer than a couple of days, but can return quickly in mass volume. The seeding engines behind Bredolab (largely the Cutwail spamming trojan) certainly have a lot of horsepower, as we have observed over recent months; so much that a single Bredolab seeding campaign can manipulate threat volume like a puppet on strings. Of course, sheer volume is not everything, and such a drop should not create a false sense of security. In fact, this period we saw a rise in distinct malware, meaning more unique pieces of malicious code. ZBot attacks continue over the holiday season through the busiest time of year for online shopping, and likely online banking.

Exploitation of MS08-067 (made infamous by the Conficker worm) remains our most active attack, with Waledac botnet traffic second this period, as listed in our Top 10 Attack list. December was a busy time for zero-days and vulnerabilities: we covered 147 new vulnerabilities and detected nearly a third of those being actively attacked. In December, FortiGuard Labs disclosed ten zero-day vulnerabilities that it discovered and responsibly reported to the associated vendors: Microsoft (Indeo Codec and MS Project), Adobe and Cisco. On top of this, attackers continued to find ways to exploit zero-day vulnerabilities: CVE-2009-4324 (advisory here) was one observed through Adobe Reader/Acrobat and JavaScript, an increasingly common attack vector. Current workarounds include utilizing the JavaScript Blacklist Framework or simply disabling JavaScript functionality. Another zero-day was addressed by Microsoft (Internet Explorer, advisory here) through MS09-072 on December 8th; as always, users should keep their software up to date when patches are released. FortiGuard Labs continues to discover new vulnerabilities and work with partner programs to develop advanced zero-day protection to mitigate threats such as these.

2010: The Perfect Storm

The large spike of activity we observed from September to November 2009 mirrored a trend from 2008. As you can see here, we saw a similar trend in 2008 during the first large wave of Scareware that hit cyberspace. Scareware was also a major component detected during this wave in 2009, though overall volume had increased significantly over 2008 to record levels. So, what do we know? We know that Scareware has flourished over this time frame, not at all shaken by any take-down attempts: affiliate programs continue to make and pay out money. In December 2009, the Internet Crime Complaint Center (IC3) issued an alert stating that the FBI is aware of an estimated loss (due to Scareware fraud) in excess of $150 million USD. In 2008, a hacker by the name of NeoN posted affiliate program details showing earnings of top affiliates in excess of $150,000 USD in one month for one individual. High-profile botnets continue to stay alive: Conficker, Waledac, Pushdo/Cutwail, Virut, Bredolab and of course multiple Zeus/ZBot networks. To stay alive and effective, some are beginning to enhance their malicious code and communications (see our Pushdo analysis here); a ZBot attack was recently observed to leverage database services in the cloud (Amazon RDS). The end result is a widespread, robust and healthy infrastructure available to cyber criminals leading into 2010.

With more digital convergence undoubtedly to occur in 2010 (for example, the US Government backing digital health records and Asia’s e-Government initiative), there will be a wealth of opportunity for cyber crime. There is certainly no shortage of targets from governments and enterprise to end users and thriving social networks. There is also no shortage of infrastructure available to deliver attacks – as outlined above, malicious networks are firmly in place for use in addition to a growing array of legitimate services which can be leveraged. Finally, there is no shortage of vehicles through which to execute attacks. In 2009, we saw frequent exploitation of document formats (DOC, PDF, XLS) with many zero-days discovered and attacked in the wild. Crime services and crimeware continue to evolve and adapt, adding to the array of tools and techniques available to cyber criminals and their recruits. For example, CAPTCHAs are becoming less and less effective due to crime services leveraged by botnets like Koobface. For some more examples, refer to our blog post on adaptive crime services. With strong seeding engines in place as observed with Pushdo & Bredolab, already rampant Scareware can now quickly shift to Ransomware in high volume – leaving a potentially damaging trail in place. Digesting all of this, it becomes apparent that we are in for a wild ride in 2010 — all the elements are in place for a perfect storm in cyberspace.

Many threat trends have continued as we head into August 2009. I have highlighted notable items below from our July 2009 Threat Landscape report, which can be found on Fortinet’s FortiGuard Center.

Mobile threat development continues: In July we saw the emergence of SymbOS/Yxes.E and SymbOS/Yxes.F, the latest variants of Yxes, which we first reported on in February. For further details, check out this blog post, which is well worth the read: in particular, the dynamic content Yxes served up via JSP shows the first steps in how cyber criminals are addressing a market that is largely fragmented across multiple platforms. This is important because malicious binaries are often written for a single target (i.e. Windows or OS X). On traditional desktops, these targets are limited; in the mobile market, however, they are growing and diversifying. Thus, dynamically choosing which malware package to serve up, as Yxes has done, is a technique that helps alleviate this issue and hints at what is to come in this area in the near future.

Virut posts record levels while online gaming trojans flood cyberspace: W32/OnlineGames.BBR held the first-place position it took in our last report and built on it heavily, accounting for 43 percent of total detected malware activity. This latest attack saw much of its volume from July 5th onward, with a peak of activity on July 8th. The campaign continues, with very frequent activity on a daily basis. Besides that, the regular faces of W32/Virut.A and JS/PackRedir built on their activity from our last report period. In fact, detected activity for W32/Virut.A this period climbed to record levels, underscoring the fact that this behemoth has become a dominant threat, particularly in Asia. New to this report’s top ten is W32/FakeAlert.EI, another rogue antivirus (“scareware”) trojan. Scareware fraud continues to be vastly popular in the digital underground, and is now quite diversified since we first reported on heavy attack waves nearly one year ago in August 2008.

Two in-the-wild exploits were making waves this period. One is the highly discussed MS ActiveX Video Control vulnerability (CVE-2008-0015, FortiGuard Advisory here), first patched on July 14th by Microsoft through MS09-032. Exploit activity for this vulnerability was frequent throughout the month but remained relatively low, with the most prevalent activity detected in Korea, China and Japan. As of writing, the second vulnerability, MS Office Web Components (CVE-2009-1136, FortiGuard Advisory here), remains unpatched (zero-day), also with relatively low detection rates, with leading activity in China, India and Japan. Nonetheless, it bears repeating that any successful exploit can cause significant damage; exploits against the latter kind (zero-days) tend to be more successful since patches are not readily available. FortiGuard IPS detects and blocks malicious activity against both of these attacks, as mentioned in their respective advisories above. The FortiGuard Global Security Research team first spotted public exploit code for this second vulnerability on July 11th and immediately reported the findings.

Canadian Pharmacy assaults Google Groups, Tinypic: This month we witnessed a flood of eCard spam continuing from last month, using various techniques, a majority of them ultimately leading victims to Canadian Pharmacy’s domains. These domains, automatically registered by combining two dictionary words as described in our January 2008 write-up, continue to be registered well over two years since the process began. Canadian Pharmacy’s success, fueled by an affiliate sponsorship model, invites many cyber criminals to advertise the fraudulent pharmaceuticals and drive traffic to the aforementioned domains on their behalf. The net result lands rather large chunks of change in the pockets of both the Canadian Pharmacy gang and its affiliates. This period, the eCard spam primarily used direct links, Google Groups and the photo sharing service Tinypic.

While the automatic redirection used by the Google Groups campaign is not new, Tinypic is quite interesting as it serves as another example of how spam continues to reach out to emerging platforms. While traditional spam has not ceased to exist through email, we have predicted and reported on many spam attacks through new “Web 2.0” platforms such as social networking sites. To help evade detection, cyber criminals have used services such as Tinyurl in the past to obfuscate their malicious URLs. Tinypic is a similar, recent example of how legitimate service providers are commonly used nowadays to piggyback malicious resources. Regardless of the image, or what the link appears to be, always observe where any hyperlink will actually take you and exercise due care. Finally, the Waledac gang was at it once again with another typical spam campaign, this time on July 4th, just in time for the USA’s Independence Day. In terms of overall activity, spam rates continue to hold at high levels, while Japan jumped ahead of the USA into second position for spam volume this period.
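As an added illustration of the link-review habits the two paragraphs above describe (domains built from two dictionary words, redirect services such as Tinyurl and Tinypic, and links whose visible text or image hides where they really go), here is a small Python triage script for an HTML mail body. It is example code written for this page, not Fortinet’s; its word list, redirect-host list and sample eCard body are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for the example; a real deployment loads a full word list and a curated host list.
DICTIONARY = {"green", "pill", "best", "price", "health", "care", "drug", "store"}
REDIRECT_HOSTS = {"tinyurl.com", "groups.google.com", "tinypic.com"}

def two_word_split(label):
    """Return (w1, w2) if the domain label is exactly two dictionary words, else None."""
    for i in range(1, len(label)):
        if label[:i] in DICTIONARY and label[i:] in DICTIONARY:
            return label[:i], label[i:]
    return None

def registered_label(host):
    parts = (host[4:] if host.startswith("www.") else host).split(".")  # 'www.greenpill.com' -> ['greenpill', 'com']
    return parts[0] if len(parts) > 1 else ""

def host_of(url):
    """Lower-cased hostname; bare 'host/path' text is treated as an http URL."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect each <a href> with its visible text and whether it wraps an <img>."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "has_img": False}
        elif tag == "img" and self._cur is not None:
            self._cur["has_img"] = True
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def triage_link(link):
    """Reasons this link deserves a closer look (empty list if none)."""
    findings, host = [], host_of(link["href"])
    if host in REDIRECT_HOSTS:
        findings.append("redirect-service host")
    if two_word_split(registered_label(host)):
        findings.append("dictionary-pair domain")
    text = link["text"].strip()
    # Visible text that itself looks like a URL but points at a different host.
    if text and "." in text and " " not in text and host_of(text) != host:
        findings.append("display/href mismatch")
    if link["has_img"] and not text:
        findings.append("image-only link")
    return findings

def triage_html(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(link["href"], triage_link(link)) for link in parser.links]

# Constructed sample eCard spam body (not a real message).
SAMPLE_ECARD = ('<p>You have received an eCard! <a href="http://tinyurl.com/abc123">View your card</a></p>'
                '<p><a href="http://www.greenpill.com/ecard.php?id=7"><img src="cid:card.gif"></a></p>'
                '<p>Visit <a href="http://bestprice.net/">http://www.example.com/cards</a></p>')
```

Running `triage_html(SAMPLE_ECARD)` flags the first link as a redirect-service host, the second as a dictionary-pair domain behind an image-only link, and the third as a dictionary-pair domain whose visible URL does not match its target.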