IT Threat Evolution in Q3 2011 according to Kaspersky Lab
From Malware in QR Codes to Targeted Attack on Corporations
Kaspersky Lab announces the publication of its IT Threat Evolution report for the third quarter of 2011. The company’s analysts noted a continued growth in cyber-attacks against some of the world’s biggest corporations throughout the period. When it comes to attacking smartphones, there were clear signs that cybercriminals have made Android their platform of choice. Increasingly sophisticated operations by malicious programs were also noted in Q3 along with some tried-and-tested methods – innocuous QR codes are now being used to conceal malware and computers are facing threats even before their operating systems start as cybercriminals revisit BIOS infection methods.
The third quarter of 2011 saw corporate networks targeted by unidentified hackers as well as attacks by the hacktivist group Anonymous. Targets included the Italian cyber police, several US police units, and FBI contractors. Hackers also targeted the defence contractors Mitsubishi Heavy Industries and Vanguard Defense. These and numerous other similar attacks resulted in malicious users gaining access to employee and customer data, internal documentation, correspondence and classified data.
In July 2011, the DigiNotar certificate authority’s servers were hacked, resulting in 531 rogue certificates being generated by cybercriminals. By using fake SSL certificates for websites, the cybercriminals could access data sent to or from those sites even if an encrypted connection was used. Among the many resources targeted in the DigiNotar case were government agencies in several countries as well as major Internet services such as Google, Yahoo!, Tor and Mozilla. DigiNotar eventually had to file for bankruptcy as a result of the hack.
“The DigiNotar attack was the second time a certificate authority had been hacked this year. Although the companies that issue root SSL certificates are required to pass a security audit, it is clear that the level of security at DigiNotar and its counterpart Comodo was far from perfect,” says Yury Namestnikov, Senior Virus Analyst at Kaspersky Lab and author of the report. “The DigiNotar case should serve as a warning for other market players to strengthen their security policies.”
Individual users should also be on their guard; the number of malicious programs for mobile devices is increasing at an alarming rate. In particular, the last quarter saw the share of all mobile malware in 2011 targeting Android OS reach 40%, firmly establishing this platform as the leading target of malicious programs.
Kaspersky Lab analysts had anticipated that cybercriminals would look for new ways to make money on Android malware, and it did not take long to happen. In July, an Android Trojan of the Zitmo family was detected that works together with its desktop counterpart Trojan-Spy.Win32.Zeus to allow cybercriminals to bypass the two-factor authentication used in many online banking systems.
Sometimes, malware can penetrate a mobile device in the most unexpected ways, such as via QR codes. A QR code is essentially a barcode but with a larger storage capacity. Cybercriminals are spreading SMS Trojans disguised as Android software by encoding malicious links in QR codes. After scanning the QR codes, mobile devices automatically download a malicious file which then sends SMS messages to premium-rate numbers.
Perhaps the most curious incident in Q3 saw hackers looking to the past for ideas when they realised that the protection afforded to today’s operating systems makes it virtually impossible to install a rootkit on a running system. Virus writers have once again turned to BIOS in an attempt to infect a system before it even boots up. It may be more than 10 years since the emergence of the infamous CIH virus (a.k.a. Chernobyl) that was capable of infecting BIOS, but the technology behind it is being employed once again.
The full version of the IT Threat Evolution report for Q3 2011 can be found at: www.securelist.com/en.