12345

12/01/2011

Issues on 2011 and predictions of upcoming 2012

1. Introduction

When will we be free from various security threats?
We don't want to say the word "As usual" though, this year, we were suffered by various security threats AS USUAL.
From now, we are going to organize big issues which were happened through this year and expect security threats for upcoming year.
Due to constant hacking incidents, the importance of security threats is getting bigger and bigger.
Trend of hacking is also changing from bragging hacker himself to targeting financial gain.


* Review 2011's big issues

1. Targeting SNS including Facebook and Twitter


With increasing use of social network services, security threats are also booming.
Shorten address and fake e-mails were the most prevalent technique for inducing user.

* SNS(Social Network Service) is...

an online service, platform, or site that focuses on building and reflecting of social networks or social relations among people, who, for example, share interests and/or activities.

Following figure is looked like sent from Facebook, however, clicking [View This Wall Post] led user to malicious web site.



Using SNS for spreading malicious file is the fastest, public, available to use shorten URL, and . For these reasons, we must be careful on using internet.

2. March 3, DDoS attacking signature has been reported

On march 3, some of South Korean web sites detected the signature of DDoS. For this reason, INCA Internet (Security Response Center / Emergency Response Team) worked before and after the day. Furthermore, since that malicious file interrupted update process of Korean Anti-Virus product, INCA Internet made and distributed another Anti-Virus product for separate use.
Following image is the code for changing update address of each Anti-Virus program.



Following lists are targeted web sites.
These sites are including web portal site, e-commerce site, and public institutions and so on.

 http://www.naver.com/ 
 http://www.daum.net/ 
 http://www.auction.co.kr/
 http://www.hangame.com/
 http://www.dcinside.com/
 http://www.gmarket.co.kr/
 http://www.cwd.go.kr/
 http://www.mofat.go.kr/
 http://www.nis.go.kr/
 http://www.unikorea.go.kr/
 http://www.assembly.go.kr/
 http://www.korea.go.kr/
 http://www.dapa.go.kr/
 http://www.police.go.kr/
 http://www.nts.go.kr/
 http://www.customs.go.kr/
 http://www.mnd.mil.kr/
 http://www.jcs.mil.kr/
 http://www.army.mil.kr/
 http://www.airforce.mil.kr/
 http://www.navy.mil.kr/
 http://www.usfk.mil/
 http://www.dema.mil.kr/
 http://www.kunsan.af.mil/
 http://www.kcc.go.kr/
 http://www.mopas.go.kr/
 http://www.kisa.or.kr/
 http://www.ahnlab.com/
 http://www.fsc.go.kr/
 http://www.kbstar.com/
 http://www.wooribank.com/
 http://www.hanabank.com/
 http://www.keb.co.kr/
 http://www.shinhan.com/
 http://www.jeilbank.co.kr/
 http://www.nonghyup.com/
 http://www.kiwoom.com/
 http://www.daishin.co.kr/
 http://www.korail.com/
 http://www.khnp.co.kr/

3. Spreading tampered files via file-sharing sites on weekends

Unlike past cases, malicious file creators tampered certain web sites and used to the spreading point of malicious files especially on weekends.
As a result, a lot of file-sharing web site users who particularly visited sharing site on weekend were suspected to be infected.
Besides, in case of certain malicious files, which infected system file or run malfunction on system, finally it made BSOD to victim's screen.


[Warning] Variant malicious files changing Windows system files are increasing
http://en-erteam.nprotect.com/2011/06/warning-variant-malicious-files.html

[Warning] An error occurred on booting while being infected tampering system files.
http://en-erteam.nprotect.com/2011/07/caution-error-occurred-on-booting-while.html

4. Appearance of financial targeting ZeuS botnet P2P version

Typical malicious files, ZeuS and Spyeye which are aiming at online banking web site, are constantly on progress.
Since anti-virus companies made their effort to block against ZeuS, it had widened its activity range to P2P.


Image by abuse.ch

The latest version of ZeuS contains infected IP lists and can spread new malicious file via P2P. And infected PC can update its ZeuS' version if needed.
Zeus and Spyeye are spreading via attachments of e-mail, SNS, tampered web site, therefore, users need to be careful on using internet.

5. Fake Anti-Virus SW for Mac OS

Fake Anti-Virus S/Ws have been come out since Apple's products gained popularity.
The most popular Anti-Virus product is MacDefender which is skillfully disguised as a real Anti-Virus product.

Following screen shot is the MacDefender which shows user incorrect information and induces user to pay for fixing from its infection.


[Warning] Detected Fake Anti-Virus SWs (Mac Defender, Mac Security, Mac Protector) based on MAC OS
http://en-erteam.nprotect.com/2011/05/warning-detected-fake-anti-virus-sws.html

6. Security threats of SCADA, Stuxnet and Duqu

SCADA(supervisory control and data acquisition) generally refers to industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based process.

Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary, which discovered the threat, analyzed the malware and wrote a 60-page report, naming the threat Duqu.

These kinds of networks are well separated from the accesses outside. But accessing USB from outside and using internet can cause security threats to isolated network.
One of hacker whose name is Pr0f said that we must know the severity of SCADA's security threats and ICS(Industry Control System)-CERT.


 
7. APT(Advanced Persistent Threat) issues

Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack.

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists, and by extension, also to refer to the groups behind these attacks.


8. Rapid increase of Android malicious file

From the second half of 2011, the number of Android malicious file have increased rapidly. Those files are being generated from China or Russia mostly.
But we expect these Android malicious file become new security threats with increase of Android users.

[Information] Status for Android-based mobile malicious file
http://en-erteam.nprotect.com/2011/11/information-status-for-android-based.html

[Information] Android malicious application inducing charge for targeting various countries
http://en-erteam.nprotect.com/2011/11/information-android-malicious.html

[Warning] Identified malicious application disguised as a Battery Doctor
http://en-erteam.nprotect.com/2011/10/warning-identified-malicious.html

[Warning] Android malicious application which steals E-mail account and password has been reported.
http://en-erteam.nprotect.com/2011/10/warningandroid-malicious-application.html

Malicious Spyeye application for Android
http://en-erteam.nprotect.com/2011/09/malicious-spyeye-application-for.html


9. Hangul (also known as Hangul Word Processor or HWP) exploit

Several HWP exploits have been reported.

Hangul (also known as Hangul Word Processor or HWP)
http://en-erteam.nprotect.com/2011/11/information-continuous-appearance-of.html

[Warning] HWP document file including malicious file
http://en-erteam.nprotect.com/2011/09/warning-hwp-document-file-including.html

In case of HWP document file, malicious file distributors used Zero-Day exploit to attack APT.
Furthermore, general users can hardly recognize whether victim's PC is infected by malicious file or not with its normal content.

Following diagram is the process of executing file which contains HWP exploit.



10. Malicious files tampered with BIOS and MBR

For the long life and infection, malicious files were adopted various techniques.
One of the most prevalent techniques is Rootkit which has been reported as being infected BIOS and MBR especially aiming on certain users of South Korean online games.

BIOS(Basic Input Output System)

- The basic input/output system (BIOS), also known as the System BIOS or ROM BIOS, is a de facto standard defining a firmware interface.

MBR(Master Boot Record)

- It is a type of boot sector popularized by the IBM Personal Computer. It consists of a sequence of 512 bytes located at the first sector of a data storage device such as a hard disk. MBRs are usually placed on storage devices intended for use with IBM PC-compatible systems.


[Caution]Malicious file trying to tampering BIOS and MBR found.
http://en-erteam.nprotect.com/2011/09/cautionmalicious-file-trying-to.html

Due to the nature of BIOS and MBR, complete treating by Anti-Virus is difficult.
To use PC safely from security threats of these malicious files, users must use MBR protection program for MBR including MBR Guard of INCA Internet.

nProtect MBR Guard v2.0.1.4 (For Windows XP, Vista, 7)
http://avs.nprotect.net/FreeAV/NPMBRGuardSetup.exe

11. Digital signatures of companies were used for malicious files.

A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.

Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

The biggest reason of using digital signature is disguising as a normal file.
Following figure is the preference of available digital signature.


12. Breached personal information of various public web portal, companies and online game companies

A lot of public web portals, companies and online game companies failed to keep the personal information of their users.
Besides, leaked information was used as voice phishing and spam.




  
13. Trying DDoS attack with tampering one of normal media player program

DDoS attack on July 7, 2009 adopted malicious file with tampering file-sharing site and spreading to public.
By the way, another case injecting malicious file on installation file has been reported recently.
Since various new techniques are emerging, administrators need to effort for preserving its integrity of web site.

Spreading DDoS malicious file tampered with KMPlayer
http://en-erteam.nprotect.com/2011/11/spreading-ddos-malicious-file-tampered.html


* Predictions for upcoming 2012

First of all, social engineering will be the best way to spread malicious files. APT and Zero-Day will also be big issue in next year. To be safe from these malicious factors, Chief Security Officers must examine security holes thoroughly and set manual from these possible threats. Especially, officers have to fortify security training for internal staffs from data breach.
Supply of Android based smartphone will be increased and mobile based service such as SNS will be more become effective than this year. Therefore, using SNS need to be more careful.
Malicious files and its variants along with social issues will be constantly generated. Various techniques for DDoS attack will be generated including APT attack.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

1 comment:

  1. When this movie was released there were rumors that same is going to happen very soon. It was nothing more than a sensation for drawing the attention of every person towards it.

    ReplyDelete