Increased collaboration on cybercrime syndicate crackdowns
As 2010 comes to a close, information security companies are trying to predict the problems we'll have to deal with next year. Below are five security trends Fortinet predicts for 2011.
1. Increased global collaborative takedowns
This year we've seen examples of countries working together to bring syndicates down, such as Operation Bot Roast (an FBI initiative), the Conficker Working Group and the recent Mariposa, Pushdo, Zeus and Bredolab busts.
While there were other notable takedowns, these operations focused only on the most visible violators and sometimes had only a temporary impact. For example, although authorities took down the massive Koobface botnet in November, its servers were reconfigured and back up and running at full capacity a week later.
2. Infected machine inflation
Today we're seeing criminals become territorial about their malware empires, since control over managed infections means longer uptimes and greater cash flow. Features advertised as "bot killers" are being built into new bots to generically kill other threats that may lurk on the same system. For example, we've seen one bot enumerate process memory looking for the commands used by resident IRC bots; once it finds processes that use those commands, it kills them as a territorial threat.
As attackers infect machines in 2011, the value of already-infected machines will increase. As a result, we're likely to see a price increase for crime services such as bot rentals that load malicious software on machines, and malware that includes machine maintenance to maximize an infected machine's uptime.
To keep infections discreet, malware operators may turn to quality-assurance services that would, say, refuse to load software that may crash a machine or otherwise impact their business. As part of the package, operators may also lease infection time: when the lease is up, the malware would clean up after itself, reducing the load (and the number of threats) on a single machine.
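The bot-killer check described under this trend, hunting other processes for IRC command strings, is the same search a defender can run over a memory image. The Python below is an added example written for this page, not Fortinet's code or any bot's; the verb list and the two memory images are constructed for the demonstration, and the threshold exists so that a lone word such as "PASS" in a password prompt does not count as evidence.

```python
import re

# Added example, not code from the article or from Fortinet. IRC_VERBS is a
# constructed starting list of the commands an IRC bot client must send.
IRC_VERBS = ("NICK", "USER", "JOIN", "PRIVMSG", "PONG", "PASS", "MODE")

# Printable runs of 4+ chars, as ASCII and as UTF-16LE (Windows bots keep
# many strings in the wide form, which a byte-only search would miss).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# A verb counts only in IRC line position: at the start of a string or after
# a line break, and followed by whitespace or end of string.
IRC_LINE = re.compile(r"(?:^|\n)(" + "|".join(IRC_VERBS) + r")(?=\s|$)")


def extract_strings(image: bytes) -> list[str]:
    """Equivalent of `strings` over a raw memory image, in both encodings."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(image)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(image)]
    return found


def irc_indicators(image: bytes) -> set[str]:
    """Distinct IRC protocol verbs found in line position in the image."""
    return {m.group(1) for s in extract_strings(image) for m in IRC_LINE.finditer(s)}


def looks_like_irc_bot(image: bytes, min_verbs: int = 3) -> bool:
    """Several distinct verbs (a NICK/USER/JOIN/PRIVMSG set) are the signal;
    one hit on its own is not."""
    return len(irc_indicators(image)) >= min_verbs


# Constructed memory images for a quick check: a bot's command templates
# (the last one stored as UTF-16), and a benign process with look-alike words.
BOT_IMAGE = (
    b"\x00" * 16
    + b"NICK %s\r\n\x00USER %s 0 * :%s\r\n\x00JOIN #%s\r\n\x00PRIVMSG %s :%s\r\n\x00"
    + "PONG :%s\r\n".encode("utf-16-le")
    + b"\x00" * 8
)
BENIGN_IMAGE = b"\x00Enter PASSWORD: \x00MODE_SWITCH=1\x00JOINT venture\x00" + bytes(range(256))


if __name__ == "__main__":
    for name, image in (("bot", BOT_IMAGE), ("benign", BENIGN_IMAGE)):
        print(name, sorted(irc_indicators(image)), looks_like_irc_bot(image))
```

The anchoring to line position is what keeps the check useful: matching the bare substrings would flag every process that has the word "JOIN" or "MODE" somewhere in memory, and a bot killer (or an analyst) that does that ends up killing or chasing the wrong processes.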
3. 32- to 64-bit infections
Security technologies such as address space layout randomization (ASLR), data execution prevention (DEP), virtualization, PatchGuard and kernel driver signing, and sandboxing (confining code to a restricted execution environment) are becoming more commonplace, along with the 64-bit machines running them. This evolution has certainly restricted malware's stomping grounds, and in 2011 it will drive demand to break through these chains.
In 2010 we saw JIT spraying and return-oriented programming (ROP) used to defeat ASLR and DEP in PDF and Flash exploits. We also saw 64-bit rootkits such as Alureon, which bypassed PatchGuard and driver-signing checks by infecting the master boot record, so that its code loads before the kernel and its signing checks.
Expect more 64-bit rootkits to follow in the quest to gain a foothold on newer machines, along with further innovative attacks that circumvent defences like ASLR, DEP and sandboxing.
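JIT spraying deserves a closer look, because it shows why ASLR and DEP alone do not end the exploit game: the JIT itself writes attacker-chosen bytes into executable memory, disguised as the immediates of an arithmetic expression. The Python below is an added example for this page, not code from the article, from Fortinet or from any real exploit. It models the x86 output of a JIT the way Blazakis's 2010 demonstration described it (a `mov eax, imm32` followed by one `xor eax, imm32` per constant; that layout is an assumption of the model, not something the article states) and uses a constructed NOP/INT3 stand-in rather than real shellcode.

```python
# Added example (not from the article or from Fortinet): how JIT spraying hides
# a payload inside the constants of an expression. Modeled assumption: the JIT
# compiles  y = (C0 ^ C1 ^ C2 ...)  to x86
#     B8 <C0>      mov eax, imm32
#     35 <C1>      xor eax, imm32
#     35 <C2>      ...
# with each imm32 little-endian. If every constant's top byte is 0x3C, then
# entering the code one byte in (inside C0) executes three attacker bytes, then
# lands on `3C 35` = `cmp al, 0x35`, a harmless 2-byte instruction that swallows
# the next XOR opcode, and so on down the chain.

MOV_EAX_IMM32 = 0xB8
XOR_EAX_IMM32 = 0x35
CMP_AL_IMM8 = 0x3C
NOP = 0x90

# Constructed stand-in payload (NOPs and INT3 breakpoints), not real shellcode.
SAMPLE_PAYLOAD = bytes([NOP] * 4 + [0xCC] * 3)


def encode_constants(payload: bytes) -> list[int]:
    """Pack the payload into 32-bit constants: 3 payload bytes + 0x3C on top."""
    padded = payload + bytes([NOP]) * (-len(payload) % 3)
    consts = []
    for i in range(0, len(padded), 3):
        b0, b1, b2 = padded[i:i + 3]
        consts.append(b0 | (b1 << 8) | (b2 << 16) | (CMP_AL_IMM8 << 24))
    return consts


def spray_expression(consts: list[int], var: str = "y") -> str:
    """The script statement an attacker would repeat to fill memory with the chain."""
    return f"var {var} = ({' ^ '.join(f'0x{c:08x}' for c in consts)});"


def emit_jit_code(consts: list[int]) -> bytes:
    """Bytes the modeled JIT emits for the expression (mov, then a xor per constant)."""
    out = bytearray([MOV_EAX_IMM32]) + consts[0].to_bytes(4, "little")
    for c in consts[1:]:
        out += bytes([XOR_EAX_IMM32]) + c.to_bytes(4, "little")
    return bytes(out)


def aligned_view(code: bytes) -> list[str]:
    """What a disassembler starting at offset 0 sees: only mov/xor with immediates."""
    insns, ip = [], 0
    while ip < len(code):
        op, imm = code[ip], int.from_bytes(code[ip + 1:ip + 5], "little")
        name = {MOV_EAX_IMM32: "mov", XOR_EAX_IMM32: "xor"}[op]
        insns.append(f"{name} eax, 0x{imm:08x}")
        ip += 5
    return insns


def execute_from_offset_one(code: bytes) -> bytes:
    """Trace the misaligned path: 3 payload bytes, then `cmp al, imm8` (2 bytes).
    Returns the byte stream that actually executes; raises if the chain is broken
    (for example a constant whose top byte is not 0x3C)."""
    ip, executed = 1, bytearray()
    while ip + 3 <= len(code):
        executed += code[ip:ip + 3]
        ip += 3
        if ip >= len(code):
            break
        if code[ip] != CMP_AL_IMM8:
            raise ValueError(f"chain broken at offset {ip}: {code[ip]:#04x}")
        ip += 2  # cmp al, imm8: the 0x35 xor opcode becomes the imm8 and is skipped
    return bytes(executed)


if __name__ == "__main__":
    consts = encode_constants(SAMPLE_PAYLOAD)
    code = emit_jit_code(consts)
    print(spray_expression(consts))
    print("\n".join(aligned_view(code)))
    print("misaligned path executes:", execute_from_offset_one(code).hex())
```

The defender's takeaway is in `aligned_view`: scanning the JIT output from its real instruction boundaries shows nothing but arithmetic on constants, and the payload exists only on the misaligned path that the attacker's corrupted control flow jumps into. That is why the mitigations that followed (constant blinding, randomized JIT page placement) target the constants and the pages rather than the expression.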
4. Cybercriminals hang out the “Help Wanted” sign
As money mules are taken offline in the coming year, there will be a need for immediate replacements. Other jobs we see growing in demand include developers for custom packers and platforms, hosting services for data and drop zones, CAPTCHA breakers, quality assurance (anti-detection) and distributors (affiliates) to spread malicious code. As demand for these resources grows in 2011, criminal operations will effectively expand their head count.
New affiliate programs will likely create the most head count by hiring people who sign up to distribute malicious code. Botnet operators have typically grown their botnets themselves, but we believe more operators will begin delegating this task to affiliates (commissioned middlemen) in 2011. The Alureon and Hiloti botnets are two examples that have already grasped this concept, establishing affiliate programs that pay anyone who can help infect systems on the operator's behalf. By using an army of distributors, botnets will continue to thrive.
5. Spreading source
Malware today can appear under multiple names and aliases, and inconsistent detection names across security vendors add to the confusion. This is the result of a growing development community fuelled by available source code and libraries that are "borrowed" to create and sell new malware. Often two pieces of malware we are evaluating are nearly identical except for one small component that has changed. This kind of "copy and paste" malware indicates that multiple developers have adopted the same source code.
In 2011 we predict more cyber criminals will enter the game by trying to make money with recycled source code. This trend will create more threat names and variants as they circulate in the wild, which in turn will only add confusion and dilute the meaning of those names. While public source code will continue to cause problems on the security landscape, private source code will increase in value, as will jobs for adept developers. We also expect new cases of leaked private source picked up by up-and-comers, continuing the vicious cycle.
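A quick way to put a number on the "copy and paste" observation above is byte n-gram (shingle) similarity, related in spirit to fuzzy hashes such as ssdeep: two samples built from the same source share most of their 4-byte windows, and the windows unique to the newer one point at the swapped component. The Python below is an added example for this page, not Fortinet's code and not a real malware family; the three samples are constructed (a random body standing in for shared code, plus a configuration string that differs between two of them).

```python
import random
from itertools import combinations

# Added example, not code from the article or from Fortinet. Samples are
# constructed: A and B share a body and differ in one string, C is unrelated.


def byte_ngrams(data: bytes, n: int = 4) -> set[bytes]:
    """All overlapping n-byte windows of a sample (its 'shingles')."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(x: bytes, y: bytes, n: int = 4) -> float:
    """0.0 = nothing in common, 1.0 = identical n-gram sets."""
    return jaccard(byte_ngrams(x, n), byte_ngrams(y, n))


def changed_regions(base: bytes, variant: bytes, n: int = 4) -> list[tuple[int, int]]:
    """Offsets in `variant` whose n-grams never occur in `base`, merged into
    (start, end) ranges: the 'small component' that was swapped out."""
    known = byte_ngrams(base, n)
    ranges: list[tuple[int, int]] = []
    for i in range(len(variant) - n + 1):
        if variant[i:i + n] in known:
            continue
        if ranges and i <= ranges[-1][1]:
            ranges[-1] = (ranges[-1][0], i + n)
        else:
            ranges.append((i, i + n))
    return ranges


def cluster(samples: dict[str, bytes], threshold: float = 0.7, n: int = 4) -> list[list[str]]:
    """Union-find grouping: samples whose pairwise similarity reaches the
    threshold land in the same family, whatever vendors happen to call them."""
    grams = {name: byte_ngrams(d, n) for name, d in samples.items()}
    parent = {name: name for name in samples}

    def find(a: str) -> str:
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for a, b in combinations(samples, 2):
        if jaccard(grams[a], grams[b]) >= threshold:
            parent[find(a)] = find(b)
    groups: dict[str, list[str]] = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def build_samples() -> dict[str, bytes]:
    """Constructed inputs: deterministic pseudo-random bodies stand in for code."""
    rng = random.Random(2011)
    body = bytes(rng.getrandbits(8) for _ in range(4000))
    a = body + b"\x00C2=alpha.example\x00"
    b = body + b"\x00C2=bravo.example\x00"  # same source, new C2 string
    c = bytes(rng.getrandbits(8) for _ in range(4000))  # unrelated sample
    return {"A": a, "B": b, "C": c}


if __name__ == "__main__":
    s = build_samples()
    print("A~B", round(similarity(s["A"], s["B"]), 3), "A~C", round(similarity(s["A"], s["C"]), 3))
    print("changed in B:", changed_regions(s["A"], s["B"]))
    print("families:", cluster(s))
```

On real binaries the body is not random, so common library code and runtime stubs shared by unrelated programs raise the baseline similarity; in practice one masks out known-good sections (or hashes only the code section) before comparing, and picks the threshold from a labelled corpus rather than from this constructed one.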