The year of 2010 has been an interesting for malware researchers. From the attacks on Google through to the ShadowNet there have been many interesting cases that targeted high profile targets. However, traditional threats such as Zeus, Spyeye and fake antivirus software continue to be what most Internet users face on a daily basis. Moreover, while attacks that are motivated by politics and espionage are increasing, money continues to be the primary driving force in the malware ecosystem. Here’s my thoughts on some of the trends I’ve focused on this year that we can expect to continue into 2011.
Political motivated DoS attacks
Denial of service attacks continue to be used in order to deny access to web sites at critical times. While the attacks by Anonymous in support of Wikileaks (see Arbor’s analysis here and here) have received much media attention, the website of Wikileaks was attacked just prior to the release of leaked diplomatic cables. However, as the Berkman Center has documented, (distributed) denial of service attacks against non-governmental and independent media continue with an alarming frequency. These attacks are aimed at disabling access to key information resources at specific points in time.
My colleagues Deibert and Rohozinski argue that “[d]isabling or attacking critical information assets at key moments in time—during elections or public demonstrations, for example—may be the most effective tool for influencing political outcomes in cyberspace.” In order to achieve this level of “on demand” disruption, those behind the attacks often outsource these types of attacks to botnets for hire thus blurring the boundaries between cybercrime and politically motivated attacks. We can expect to see a continuation of politically motivated DoS attacks in 2011.
The year of 2010 began with the attacks on Google, dubbed Operation Aurora, which dramatically increased awareness of targeted malware attacks and signified that it is acceptable, and even prudent, that companies disclose such attacks. In fact, some companies began including warnings about such attacks in their SEC filings. However, it is not just companies that are the targets of such attacks, human rights organizations and government systems are compromised as well. In April 2010, the Information Warfare Monitor and the Shadowserver Foundation released a report “Shadows in the Cloud: An investigation into cyber espionage 2.0” in which we document a targeted malware network that extracted secret, confidential and restricted documents from the Indian government and military. (While this report was a follow-up to our previous report on cyber-espionage, “Tracking GhostNet” the networks are quite separate.)
While responsibility for such attacks are often attributed to state entities, 2010 also saw a series of attacks linked to the Zeus malware that appeared a lot more like espionage than crime. After Netwitness released a report on the Kneber botnet, a Zeus-based botnet with domain names registered to email@example.com, I focused on the connections between that botnet and a series of attacks against .mil and .gov email addresses using social engineering techniques. Have criminals determined that there is a market for sensitive data? It sure seems that way to me.
Abusing the Cloud
In “Shadows in the Cloud: An investigation into cyber espionage 2.0” my co-authors and I analyzed the command and control infrastructure of a network that used a complex and tiered command and control infrastructure that leveraged Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. Of course, such techniques are not new, in 2009, researchers found that Twitter, Jaiku, Tumblr, Google Groups, Google AppEngine and Facebook had all been used as the command and control structure for malware. In 2010, Sunbelt found a Twitter botnet creator and Trend Micro reports that the “Here You Have” worm used GMail accounts.
During my analysis of malware posted on the Contagio blog, I noticed that the malware used an encrypted connection to Gmail as a means of command and control. (It also used cloud storage at drivehq.com in order to have the compromised computers download additional malware components). As network defenses continue to include traffic analysis, I believe that we will continue to see a move toward using popular services, especially web mail as command and control elements. Unlike connections to well-known dynamic DNS services, connections to Gmail and other popular services do not necessarily stand out and are encrypted.
Although there are interesting target malware attacks that appear to have political motives, money continues to be the driving force behind the bulk of malware encountered by most Internet users. Cybercrime is profitable. In 2010, the Information Warfare Monitor released a report that documented the inner workings of Koobface. Koobface is a notorious botnet that leverages social networking platforms to propagate. The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install fake antivirus software and engage in click fraud. (BlackHat SEO operators monetize their operations in a similar way., see here and here.)
However, more traditional heists based on stolen banking and credit card credentials continue thanks to malware such as Zeus and SpyEye. This year, law enforcement were able to arrest individuals that used the Zeus malware to steal $70 million dollars. Often, these operations recruit money mules and pack mules to relay stolen money and goods bought with stolen credit cards. This makes it difficult to apprehend those behind these operations.