2012: The Year Malware Went Nuclear

Taken as a whole, the recap shows that 2012 was a year of ever-escalating malware growth.

Although the Mac OS X Trojan Flashback/Flashfake appeared in late 2011, it wasn’t until April 2012 that it became really popular, noted Kaspersky in its analysis. “And when we say really popular, we mean really popular. Based on our statistics, we estimate that Flashback infected over 700,000 Macs, easily the biggest known Mac OS X infection to date.”

The event, spurred by the Java vulnerability CVE-2012-0507, destroyed the myth that non-Windows platforms are immune to large-scale outbreaks.

In the aftermath, Apple decided to disable Java across millions of Mac OS X users. “It might be worth pointing out that although a patch was available for the vulnerability exploited by Flashback since February, Apple users were exposed for a few months because of Apple’s tardiness in pushing the patch to Mac OS X users,” researchers noted. “The situation was different on Mac OS X, because while for Windows, the patches came from Oracle, on Mac OS X, the patches were delivered by Apple.”

Then, in August 2012, a Java zero-day vulnerability (CVE-2012-4681) was found to be massively exploited in the wild. The exploit was implemented in the popular BlackHole exploit kit and quickly became responsible for millions of infections worldwide.

“During the second quarter of 2012, we performed an analysis of vulnerable software found on users’ computers and found that more than 30% had an old and vulnerable version of Java installed. It was easily the most widespread vulnerable software installed,” Kaspersky said.

The No. 2 story on the list is the discovery of Flame and Gauss, the nation-state cyber-espionage campaigns that injected a new dimension into the Middle East battleground: cyber-war and cyber-warfare. “It appears there is a strong cyber component to the existing geopolitical tensions – perhaps bigger than anyone expected,” Kaspersky noted.

In mid-April 2012, a series of cyber-attacks destroyed computer systems at several oil platforms in the Middle East. “The malware responsible for the attacks, named ‘Wiper,’ was never found – although several pointers indicated a resemblance to Duqu and Stuxnet,” said Kaspersky. “During the investigation, we stumbled upon a huge cyber-espionage campaign now known as Flame.”

Flame, a highly sophisticated piece of malware, can perform a variety of functions, including audio interception, Bluetooth device scanning, document theft and the making of screenshots from the infected machine.

“The most impressive part was the use of a fake Microsoft certificate to perform a man-in-the-middle attack against Windows Updates, which allowed it to infect fully patched Windows 7 PCs in the blink of an eye,” said researchers. “The complexity of this operation left no doubt that this was backed by a nation-state. Actually, a strong connection to Stuxnet was discovered by Kaspersky researchers, which indicates the Flame developers worked together with Stuxnet developers, perhaps during the same operation.”

Flame was shortly followed by the discovery of Gauss, another highly sophisticated trojan that was widely deployed in the Middle East. It was the first government-sponsored banking trojan with the ability to hijack online banking credentials from victims, primarily in Lebanon. “Gauss is remarkable for a variety of things, some of which remain a mystery to this day,” researchers explained. “The use of a custom font named Palida Narrow or its encrypted payload which targets a computer disconnected from the Internet are among the many unknowns.”

Middle East attacks continued as a story in the middle of August, when details appeared about a piece of highly destructive malware that was used in an attack against oil giant Saudi Aramco. More than 30,000 computers were completely destroyed by the malware. Later, another attack, on RasGas, emerged in the region.

“We analyzed the Shamoon malware and found that it contained a built-in switch which would activate the destructive process on 15 August, 8:08 UTC,” said Kaspersky. “Shamoon is important because it brought up the idea used in the Wiper malware, which is a destructive payload with the purpose of massively compromising a company’s operations. As in the case of Wiper, many details are unknown, such as how the malware infected the systems in the first place or who was behind it.”

Then there was Android malware – the proliferation of which is one of the most headline-grabbing stories of the year. The number of samples Kaspersky received continued to grow throughout the year, peaking in June 2012, when it identified almost 7,000 malicious Android programs. Overall, in 2012, it identified more than 35,000 malicious Android programs, about six times more than in 2011. That is also about five times more than all the malicious Android samples it had received since 2005 put together.

“Looking forward, there is no doubt this trend will continue, just like it did with Windows malware many years ago. We are therefore expecting 2013 to be filled with targeted attacks against Android users, zero-days and data leaks,” it said.

The LinkedIn, Last.fm, Dropbox and Gamigo password leaks are another security lowlight for the year. On June 5, LinkedIn, one of the world’s biggest social networks for business users, was hacked by unknown assailants and the password hashes of more than 6.4 million people leaked onto the internet.

Dropbox then announced that it was hacked and user account details were leaked, followed by similar attacks at Last.fm and Gamigo, where more than 8 million passwords were leaked to the public.

The attacks show that in the age of the ‘cloud’, when information about millions of accounts is available in one server, over speedy internet links, the concept of data leaks takes on new dimensions. “To get an idea of how big a problem this is, during the InfoSecSouthwest 2012 conference, Korelogic released an archive containing about 146 million password hashes, which was put together from multiple hacking incidents,” Kaspersky said. “Of these, 122 million were already cracked.”

Similarly, the Adobe certificates theft was another noteworthy moment. In September, Adobe announced the discovery of two malicious programs that were signed using a valid Adobe code signing certificate.

“This discovery belongs to the same chain of extremely targeted attacks performed by sophisticated threat actors commonly described as APT,” said Kaspersky. “The fact that a high profile company like Adobe was compromised in this way redefines the boundaries and possibilities that are becoming available for these high-level attackers.”

All in all, the powerful actors from 2011 remained the same, Kaspersky said: “hacktivist groups, IT security companies, nation states fighting each other through cyber-espionage, major software and gaming developers such as Adobe, Microsoft, Oracle or Sony, law enforcement agencies and traditional cybercriminals, Google, via the Android operating system, and Apple, thanks to its Mac OS X platform.”

It concluded, “We believe the incidents in 2012 raised eyebrows and piqued the imagination. We came to understand the new dimensions in existing threats while new attacks are beginning to take shape.”