Typical of this war between attacker and defender has been the Blackhole exploit kit. Blackhole is the endpoint of a drive-by attack centered on the user’s browser. Victims are lured to a compromised or malicious site where Blackhole seeks to use any one of an arsenal of exploits to install its malware, anything “from fake antivirus and ransomware to Zeus and the infamous TDSS and ZeroAccess rootkits.”
The good guys have responded by improving the security of the underlying operating system and the browser. “The ready availability of DEP, ASLR, sandboxing, more restricted mobile platforms and new trusted boot mechanisms (among others) made exploitation more challenging,” notes James Lyne, the Sophos director of technology strategy. “While we’re not expecting exploits to simply disappear, we could see this decrease in vulnerability exploits offset by a sharp rise in social engineering attacks across a wide array of platforms,” he predicts for 2013.
Much of the malware delivered by Blackhole is polymorphic. Put simplistically this just means that it changes its characteristics to avoid detection by the AV detection engines. This is not new. Originally the ‘mutation engine’ had to be included with the malware, allowing the AV companies to capture the engine and become adept at predicting or following the mutations. What is new is the criminals’ use of the cloud to develop server side polymorphism (SSP). The mutation engine is now held on a remote server in the cloud and used via the web; meaning that the AV companies rarely see it and have difficulty in predicting and following the mutations to the malware.
Sophos has responded by developing its own form of genetic technology. “Using a finely tuned scoring system reflecting all the malware we’ve ever collected,” it explains, “we can identify combinations of genes (genotypes) that distinguish malware from legitimate code. We can compare this information with genes seen in known good files, minimizing false positives,” while detecting likely malware that it has never seen before.
Of course the malware authors have also responded. “Sophisticated malware authors are constantly attempting to determine which portions of their code are being detected,” notes Sophos. “We’ve seen attackers modify and replace compromised code within hours. Of course, we’re also working non-stop to anticipate and respond.”
It is this continuous back and forth experience between the good guys and the bad guys that provides the basis for the Sophos predictions for 2013. Although it notes that exploitation is becoming more difficult, it expects toolkits such as Blackhole to respond by becoming evermore sophisticated. “In the coming year we will likely see a continued evolution in the maturation of these kits replete with premium features that appear to make access to high quality malicious code even simpler and comprehensive,” warns Lyne.
Sophos also sees an increase in ransomware, which encrypts the users’ data and holds it for ransom. “The availability of public key cryptography and clever command and control mechanisms has made it exceptionally hard, if not impossible to reverse the damage,” says Lyne. “Over the coming year we expect to see more attacks...”
His final warning he labels ‘integration, privacy and security challenges.’ It arises largely because of the growth of mobile devices and social networking. 2012 has already seen the beginnings of mobile malware evolving from ‘simple’ premium call malware to more sophisticated bank fraud; but the integration of social media and new technologies will increase opportunities for the bad guys. “New technologies – like near field communication (NFC) being integrated into these platforms – and increasingly creative use of GPS to connect our digital and physical lives means that there are new opportunities for cybercriminals to compromise our security or privacy.” This, he warns, is a trend “identifiable not just for mobile devices, but computing in general. In the coming year watch for new examples of attacks built on these technologies.”