I presented Trend Micro’s Threat Research group’s observations on Tuesday (24 April 2012) at Usenix LEET 2012 in San Jose, California. This was an invited industry position paper, so it was not a difficult task for me to collect several observations from my team which reflect significant developments in the current threat landscape, submit a position paper, and subsequently present the rationale for those observations.
Trend Micro’s Threat Research group is specially tasked with looking forward on the threat landscape and working with technology and/or various product development groups inside the company to ensure that, as a company, we deliver the appropriate security solutions to address emerging threats to our customers. To accomplish this requires our threat research group to understand, explore, and deconstruct various malicious technologies, campaigns, vulnerabilities, and exploits which are currently being perpetrated on victims today.
Our esteemed director, Martin Roesler, likes to compare us to Army Scouts — we go out ahead of the troops to assess enemy troop strength, location, capabilities, etc., so that our commanders can formulate an effective battle plan.
Briefly, I’d like to share the highlights of these emerging-threat observations here. These issues represent what we consider to be significant developments on the emerging threats landscape, warranting mention because of the threat they represent from a security perspective.
Evolution, Commoditization, Professionalism of Exploit Kits
Exploit kits, such as the ever-popular Black Hole Exploit Kit, have skyrocketed in both popularity and volume as the “weapon of choice”. We observe that this phenomenon has enormously increased the attack surface available for victimization, and we see this trend increasing. The ongoing life-cycle support and development behind them, and the fact that these kits have become commoditized (being bought, sold, and bartered in the criminal underground), indicate that we will see continual use of them by cybercriminals.
Increasing Sophistication of Traffic Direction Systems (TDS)
Traffic Direction Systems (TDS) are used, as the name implies, to direct victim traffic to various landing pages, such as exploit kits, Rogue AV, fake pharmaceuticals, etc., depending on the pay-per-click or pay-per-install campaign; in essence they track traffic, browser referrers, and affiliate campaigns, and manage the monetization of those campaigns. They are quite efficient and useful for the groups using them (from a “business” perspective), and we see these TDS systems, like the popular Sutra TDS, growing in usage and popularity.
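From the defender’s side, a TDS shows up in egress logs as a rapid sequence of cross-domain redirects, each hop carrying the previous URL as its referrer, ending at a landing page the victim never typed. The following script is an added example, not code from the paper or from Trend Micro: it parses a handful of constructed proxy log lines (the hostnames, IPs and log format are hypothetical), rebuilds per-client referrer chains, and flags chains that cross at least three distinct hosts within a short time window. The thresholds (`min_hosts`, `max_gap_seconds`) are assumptions to tune against your own traffic.

```python
"""Flag TDS-style redirect chains in web-proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log lines; hosts and addresses are hypothetical, not indicators.
# Format: ISO timestamp, client IP, requested URL, Referer (or "-"), HTTP status.
SAMPLE_LOG = """\
2012-04-24T10:00:00 10.0.0.5 http://news.example/article/42 - 200
2012-04-24T10:00:01 10.0.0.5 http://ads.example/click?id=7 http://news.example/article/42 302
2012-04-24T10:00:02 10.0.0.5 http://tds.example/in.cgi?3 http://ads.example/click?id=7 302
2012-04-24T10:00:03 10.0.0.5 http://landing.example/index.php http://tds.example/in.cgi?3 200
2012-04-24T10:05:00 10.0.0.9 http://shop.example/cart - 200
2012-04-24T10:05:02 10.0.0.9 http://pay.example/checkout http://shop.example/cart 200
"""


def parse_log(text):
    """Turn the assumed five-field log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer, status = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "referer": None if referer == "-" else referer,
            "status": int(status),
        })
    return events


def host(url):
    """Hostname of a URL; chain hops are counted per distinct host."""
    return urlparse(url).hostname


def find_redirect_chains(events, min_hosts=3, max_gap_seconds=5):
    """Return maximal per-client referrer chains spanning >= min_hosts hosts.

    A request extends a chain when its Referer is a URL this client fetched
    within max_gap_seconds and on a different host; otherwise it starts a
    fresh chain. Only chains not contained in a longer flagged chain are kept.
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    flagged = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        chain_of = {}   # url -> chain of URLs that led to it
        last_ts = {}    # url -> time it was last requested by this client
        candidates = []
        for e in evs:
            ref = e["referer"]
            prev = chain_of.get(ref) if ref else None
            recent = ref in last_ts and (e["ts"] - last_ts[ref]).total_seconds() <= max_gap_seconds
            if prev is not None and recent and host(e["url"]) != host(ref):
                chain = prev + [e["url"]]
            else:
                chain = [e["url"]]
            chain_of[e["url"]] = chain
            last_ts[e["url"]] = e["ts"]
            if len({host(u) for u in chain}) >= min_hosts:
                candidates.append(chain)
        # Drop chains that are a strict prefix of a longer flagged chain.
        for c in candidates:
            if not any(o != c and o[:len(c)] == c for o in candidates):
                flagged.append({"client": client, "chain": c})
    return flagged


if __name__ == "__main__":
    for hit in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], " -> ".join(host(u) for u in hit["chain"]))
```

In the constructed data, only client 10.0.0.5 is flagged: four hosts in three seconds, each hop referred by the last, ending on a page reached purely by redirection. The two-host checkout flow for 10.0.0.9 stays below the threshold, which is the point of counting distinct hosts rather than raw redirects: ordinary sites redirect too, but rarely through three or more unrelated domains in a few seconds.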
Smaller, Diversified Botnets
We are also seeing that cybercriminals are shifting to smaller, more diversified botnets as opposed to larger, more monolithic botnets, simply to avoid losing all their infrastructure to a single “take-down”, whether that be a domain registrar suspending domains involved in the campaign, disconnection of communication services, or law enforcement seizure of assets. This follows the “don’t put all your eggs in one basket” rule of thumb, and cybercriminals are simply moving to blend in with the noise as much as possible. It stands to reason that it is much harder to take down 600 botnets of 1,000 bots each than it is to take down one botnet of 600,000 bots.
Modularization is a phenomenon we are seeing especially with Banking Trojans such as ZeuS, SpyEye, Carberp, etc., wherein special-purpose plug-ins are being developed which can be “snapped in” at will. For example, plug-ins for screen-grabbers, back-connects, web injects, etc., allow simplified feature sets to be purchased and used individually. This further commoditizes specialized Trojans and creates a market for specialized crime. We are already seeing this development elsewhere in the threat landscape with exploit kits, so there is reason to believe that this is an area of concern which needs to be monitored.
Evolution of Mobile Threats
Regardless of the sheer numbers of mobile threats currently appearing on various marketplaces, for the most part we see these as simply “proof-of-concept” – while they may indeed be malicious, steal victim information, hijack accounts, send premium SMS, and so on, they do not reflect what we consider to be “significant crime” at this point – there is no real concerted effort to target e-commerce or banking applications. We expect that to change dramatically with the next generation of handsets that fully support NFC (Near Field Communications) functionality in firmware, when a much larger percentage of the consumer market will begin to adopt e-commerce and financial applications. Once there is significant profit to be made, we expect a much larger, more serious targeting of the mobile landscape by “professional” cybercriminals.