I presented Trend Micro’s Threat Research groups observations on Tuesday (24 April 2012) at Usenix LEET 2012 in San Jose, California. This was an invited industry position paper, so it was not a difficult task for me to collect several observations from my team which reflect significant developments in the current threat landscape, submit a position paper, and subsequently present the rationale for those observations.

Trend Micro’s Threat Research group is specially tasked with looking forward on the threat landscape and working with technology and/or various product development groups inside the company to ensure that, as a company, we deliver the appropriate security solutions to address emerging threats to our customers. To accomplish this requires our threat research group to understand, explore, and deconstruct various malicious technologies, campaigns, vulnerabilities, and exploits which are currently being perpetrated on victims today.

Our esteemed director, Martin Roesler, likes to compare us to Army Scouts — we go out ahead of the troops to assess enemy troop strength, location, capabilities, etc., so that our  commanders can formulate an effective battle plan.

Briefly, I’d like to share the highlights of these emerging threats observations here. These issues represent what we consider to be significant developments on the emerging threats landscape, warranting mention insofar as the threat they represent from a security perspective.

Evolution, Commoditization, Professionalism of Exploit Kits

Exploit kits, such as the ever-popular Black Hole Exploit Kit, have skyrocketed in both popularity and volume as the “weapon of choice”. We observe that this phenomena has served to increase the attack surface enormously for victimization, and see this trend increasing. The ongoing life-cycle support and development factors, and the fact that these these kits have become commoditized (being bought, sold, and bartered in the criminal underground) indicate that we will see a continual use of them by cybercriminals.

Increasing Sophistication of Traffic Direction Systems (TDS)

Traffic Direction Systems (TDS) are used to (as the name implies) direct victim traffic to various landing pages, such as exploit kits, Rogue AV, fake pharmaceuticals, etc., depending on the pay-per-click or pay-per-install campaign, in essence to track traffic, browser referrers, affiliate campaigns, and manage the monetization of these campaigns. They are quite efficient and useful for the groups using them (from a “business” perspective) and we see that these TDS systems, like the popular Sutra TDS, growing in usage and popularity.

Smaller, Diversified Botnets

We are also seeing that cybercriminals are shifting to smaller, more diversified botnets as opposed to larger, more monolithic botnets simply to avoid losing all their infrastructure due to a “take-down”, whether it be simply a domain registrar suspending domains involved in the campaign, disconnection of communication services, or law enforcement seizure of assets. This follows the “all your eggs in one basket” rule-of-thumb, and cybercriminals are simply moving to blend with the noise as much as possible. It stands to reason that it is much harder to take-down 600 botnets of 1,000 bots each than it it is to take-down one botnet of 600,000 bots.

Modularization

Modularization is a phenomena we are seeing especially with Banking Trojans such as ZeuS, SpyEye, Carberp, etc., wherein special-purpose plug-ins are being developed which can be “snapped in” at will. For example, plug-ins for screen-grabbers, back-connects, web injects, etc., allow simplified feature sets to purchased and used individually. This further commoditizes specialized Trojans and creates a market for specialized crime. We are already seeing this development elsewhere in the threat landscape with exploit kits, so there is reason to believe that this an area of concern which needs to be monitored.

Evolution of Mobile Threats

Regardless of the sheer numbers of mobile threats appearing currently on various marketplaces, for the most part we see most of these are simply “proof-of-concept” – while they may indeed be malicious, steal victim information, hijack accounts, send premium SMS, and so on, they do not reflect what we consider to be “significant crime” at this point – there is no real concerted effort to target e-commerce or banking applications. We expect that to change dramatically with the next generation of handsets that fully support NFC (Near Field Communications) functionality in firmware, when a dramatically much larger percentage of the consumer market will begin to adopt more e-commerce and financial applications. Once there is significant profit to be made, we expect a much larger, more serious targeting of the mobile landscape by “professional” cybercriminals.

Read the rest of this entry »

There is welcome news today of the arrests of 8 individuals in Russia by the Russian MVD, or Ministry of Internal Affairs (Ministerstvo Vnutrennikh Del). Gary Warner (University of Alabama at Birmingham) has a great write-up of the arrests over on his blog, “Cybercrime and Doing Time”, so I will not reproduce the details here.

Having said that, I just wanted to point out that this is yet another great example of international collaboration between both private industry research and international law enforcement. I certainly hope that we see more of this in the future, such that serious Internet criminals do not think that they are outside the reach of the “long arm of the law”.

Cybercriminals should not think that they can successfully hide in any particular country or jurisdiction and avoid prosecution due to differences in international laws. This – and other recent arrests in Eastern Europe – shows that the international reach of law enforcement can also reach them.

As mentioned in Professor Warner’s blog, Trend Micro Threat Research did quite a bit of research into CARBERP a couple of years ago, especially into the area of enumerating targeted victims. We saw victims in Government, Industry, and Academia all targeted, showing the wide swath of victims who unwittingly had funds stolen from their bank accounts.

CARBERP is a particularly nasty banking Trojan, with the capability to to install itself without Administrator Privileges, effectively defeating Windows 7 and Vista’s User Account Control (UAC) feature.

While we have not seen the same volume and popularity of CARBERP as we have with ZeuS and SpyEye, since CARBERP’s appearance in the latter half of 2009 we seen steady increase in numbers (see Figure 1).

Also, our telemetry shows that almost a quarter of Carberp infections were in Germany (see Figure 2).

We applaud the efforts and actions of the Russian authorities in this case, and we hope to see more international cooperative efforts to bring cybercriminals to justice around the world.

As we move into the new week, we wanted to take a moment and provide an update on the vulnerability addressed by Microsoft Security Bulletin MS12-020.

Trend Micro has been monitoring the situation aggressively. Like others, we have seen the emergence of “proof of concept” code over the past few days. As of this posting, Trend Micro products with the latest updates (Deep Security, OfficeScan with the Intrusion Defense Firewall plugin, Threat Discovery Appliance) provide effective protections against the proof of concept code currently out there.

It’s clear that this is a high-profile vulnerability with heavy interest and we may see actual exploits emerge over the next few days. Trend Micro already released updates that should cover the exploits that are expected to appear. Furthermore, our Deep Security Labs teams are monitoring and will release updates as necessary to help protect against attempts to exploit this vulnerability.

The next major escalation for this situation would be an active attack. While there are no attacks at this time, because of the potential for widespread compromise in the event of an attack, we again urge customers to test and deploy Microsoft’s security update as soon as possible.

We also encourage customers to implement additional protections in their environment while they test and deploy the security update. Specifically, keeping Trend Micro products up-to-date, implementing the workaround recommended by Microsoft and blocking or monitoring RDP (TCP port 3389). Additionally, Trend Micro Deep Security and IDF customers can turn off remote desktop sharing conveniently on systems where it’s not required by applying the rule 1002508 – Application Control For RDP.

We will continue to monitor the situation and update you about any important new developments through this blog.

Update as of March 21, 2012 12:56 AM (PST)

Trend Micro customers may refer to the Threat Encyclopedia for further details on the corresponding solution.

Update as of March 23, 2012 9:01 AM (PST)

Trend Micro detects the hacking tool found to exploit the Remote Desktop Protocol vulnerability (MS12-020). More information on the hacking tool is posted in this Threat Encyclopedia page.

While everyone on the Internet seems to want to add commentary on the announced Lulzsec arrests today, I might as well jump in with my own thoughts on the matter.

While it is great to see those who break the law get brought to justice, I think there is a much larger issue underlying the growing Hacktivist phenomenon.

First, I think the more important message here, and that is that these arrest really don’t change the trajectory of Hacktivist attacks – the hackings & attacks will continue, and in fact they may even escalate.

Why? Because they can.

The underlying story here is this – it should not be so trivially easy for Hacktivists (or anyone else for that matter) to hack people’s networks.

These Hacktivists are – for the most part – not truly “professional criminals”. The real professional cybercriminals are still out there in Eastern Europe and China (and elsewhere), and they are not posting their pilfered data to Pastebin or announcing their purloined data caches on Twitter. I highly doubt that law enforcement, for the most part, will be able to properly identify these “professional” criminals, much less get them arrested, extradited, and prosecuted.

And while I think that most people want lawbreakers arrested, I think it is unrealistic to think that it will happen in anything approaching a majority of these cases. In fact, that may even be the wrong primary approach.

The real target here is the poor security posture, awareness, and operational practices of organizations around the world with regards to unauthorized access to their intellectual property, PII (Personally Identifiable Information), control systems, credit card data, and other valuable information & systems.

Sure, I’m glad these guys got arrested, but I think there is a much more important message here which is not being put forward – organizations are simply not doing a good enough job of protecting their assets.

There needs to be a much more holistic approach to this problem, and I’m not even exactly sure where to start – perhaps with the basics? There is a plethora of network and data protection practices which organizations can take to continue to “raise the bar” in the effort to change the odds in their favor. It is a continual assessment posture – a holistic security operational practice of the OODA Loop (observe, orient, decide, act) phenomenon, which is widely accepted combat practice geared towards “optimal situational awareness”.

What I really like about the OODA Loop reference model is that it forces organizations to do constant “care and feeding” of their security posture, observations, measurements, and adjustments.

Now, this may sound like a bunch of hooey, but this is actually a known successful security posture which has been advocated by network security professionals for over 20 years. The first thing you need to do, as an organization, is understand what your network looks like, properly segment & protect the assets according to their intrinsic value, and then constantly protect & monitor traffic which may indicate improper or unauthorized access.

I could go on about these concepts for many, many pages (and perhaps I will in a future white paper), but the bottom line is that, when you are connected to the Internet, there is no 100% security. The best you can do is continually “raise the bar”on protecting your assets, making it more & more difficult for your organization’s security to be penetrated.

No amount of Hacktivist arrests can do that job for you.

ICS (Industrial Control Systems) Networks have been really big news lately, due to a spate of vulnerabilities, high-publicized breaches, and various other security concerns.

ICS Networks are defined as networks or collections of networks that consist of elements that control and provide telemetry data on electromechanical components. Such components include valves, regulators, switches, and other electromechanical devices that one may find in various industries such as oil and gas production, water processing, environmental control, electrical power generation and distribution, manufacturing, transportation, and many other industrial settings.

Without getting into detail for each particular industry segment, each of these ICS environments share a common fate —- they are not “traditional” IT network environments and should not be treated as such. Most ICS networks share similar security challenges because of this uniqueness. These challenges are made more complex by the interaction of ICS elements with physical industrial components.

Failure to properly control or restrict access to these elements can lead to catastrophic accidents. Many of the industrial systems managed by these elements are considered “critical infrastructure (CI)” and require a much more specialized security architecture than traditional IT environments.

Read the rest of this entry »