Skip to content

Five Cybercrime Trends Likely to Continue into 2013


20121212_2013_freshskimmed_crop2012 has been a challenging year for incident responders and security analysts. Ne’er-do-wells of the Internet have been flooding our inboxes with malicious spam; scattering exploit kits around the ‘net; and spreading malware to, and from, the four corners of the Earth. With the context of what’s happened in the past year in mind, we once again dusted off the crystal ball to deliver a short list of predictions of what we can expect over the coming 12 months. In no particular order, they are…

More Attacks Staged Through Compromised Websites


Attacks delivering malware rapidly earn the Web domain hosting the attack, or its IP address, a bad reputation. This kind of activity also doesn’t remain under the radar for long. Once the really big reputation services, like Google SafeBrowsing, flag a domain as a source of malicious stuff, browsers that hook into that information (such as Firefox) throw dire warnings in the face of visitors, cautioning them away from the site delivering an infection.

Ending up on one of those reputation filters is like a death sentence to a malware campaign. So one way that malware distributors try to stretch out the amount of time an attack URL will remain viable is to abuse someone else’s website — preferably, one with a good reputation, but almost any will do. Malware distributors use links to pages hosted on these legitimate websites to bounce computers destined for infection to another site delivering the infectious code.

Because the compromised, legitimate site merely redirects the traffic elsewhere and doesn’t deliver the actual infection, the domain doesn’t (reputationally, at least) self-destruct as rapidly as a freshly-minted domain with no behavioral history to speak of otherwise would. As a result, this has become the preferred first stage for broadly distributed, spam-driven attacks. With a virtually unlimited supply of potential victim-Web-sites, it’s hard to imagine this problem getting any better before it gets worse.

If you own or operate a Web site, you can take steps now to protect yourself. Credential compromise usually comes down to one of three methods: password-stealing malware swipes saved FTP credentials or sniffs them as they’re typed in by the user; unpatched or no-fix-available vulnerabilities in commercial web hosting, blog, and CMS software leaves passwords in plain text or easily crackable; or phishing.

If you regularly upload files to a website or manage it through a CMS, you’re in the crosshairs. Using a non-Windows computer as a Web site management box will prevent the most common Windows-based password-stealing malware from functioning. If you use a popular, free CMS like or Joomla, make sure that not only are you running the latest version of the CMS software itself, but also that you’ve updated any third-party plugins or add-ons, and that you’ve removed all components of ones you don’t need — silly things like photo gallery plugins can cause big headaches if someone discovers that the plugin, for example, stores its credentials in plaintext in a standard location.

Increased Use of Blended/Multi-Stage Threats


Solera Networks has observed an increased use of “self-perpetuating” email worm modules by botnet malware, and predicts that the use of this model will expand in 2013.

The malware, spread by front-line downloader Trojans such as Kuluoz or Cridex, most often appears on infected machines as a second stage payload. The spam relayer component then leverages the infected machines to perpetuates the infectious links or attachments via spam email messages; The screenshot above shows a frequency-distribution analysis of the most frequently used Subject: lines used by one such Trojan, which last week sent 685 spam email messages from a single infected testbed within a 25 minute timespan.

On an infected system, it can be next to impossible to detect that the spam relayer is operational without using specialized tools. Like many botnet Trojans, the malware hooks itself to legitimate Windows processes, such as svchost.exe, and runs from within the legitimate program’s memory space. A casual observer looking at Process Explorer or Task Manager would see a totally ordinary, predictable list of running processes.

One might be able to infer its presence if the computer becomes less responsive, but you’d have to have Rain Man skills to detect the performance hit in this age of multi-core desktops and speedy broadband network connections. Trickling out 500 messages at a time, over a prolonged period, periodically pausing, wouldn’t even register at an ISP unless and until spam filtering services began adding your computer’s IP address to their “source of spam” lists. Even then, not all ISPs notice or care.

Both businesses and ISPs can restrict the use of unauthenticated SMTP on their networks, but that tends to interfere with the users of uninfected computers; At the very least, businesses should watch for spikes in the email traffic volume of individual non-mail-server computers on their networks as an indication that malware is acting as a postman spewing letter bombs.

For now, those letter bombs are actually highly prone to being duds. Check out the broken anchor tag in the screenshot of one of these relayed spams. As a result of the hrefttp in the HTML source of the message, the malicious links a victim would have to click in order to infect his or her computer don’t actually work. D’oh! We saw the Trojan spam out thousands of these broken messages. D’oh squared! If past performance is any indication, they won’t stay that way for long. I expect they’ll discover, and fix, this temporary problem in the near future. But seriously, that’s pretty dumb.

The Resurgence of the Zero-day Vulnerability

Despite increased efforts by OS vendors to shore up their systems and increased efforts by attackers to expand to other targets, such as Adobe Flash or PDF, work to discover new vulnerabilities goes on, with greater automation thanks to a plethora of fuzzing and memory analysis tools. With a brand-new version of Windows on the market, it seems like a safe bet that one or more zero-day threats will strike in the coming year, but even without Windows 8, nothing seems safe — not even tools used by security professionals. Don’t get cocky and watch your back, Red Team.

Hacktivism: DDOS on the Rise

While some identifiable members of the hacktivist community were arrested or convicted in the past year, the movement as a whole remains viable. Next year, we will likely see an increase in hacktivist attacks. In some cases, the growing availability of tools for conducting DDoS attacks may contribute to the frequency of their use.

We may also see attacks by hacktivists involving “intentional misattribution,” in which the attackers try to make it look like attacks originate elsewhere in order to taint the reputation of the misattributed host or its owner.

Lateral Attacks: The Rediscovery of the RAT

Based on trends observed in recent months, Solera Networks predicts an increase in the use of remote access trojan (RAT) malware as a drive-by download deliverable. Unlike botnet malware, in which a single operator can send commands to huge botnets all at once, RATs (such as Andromeda) require more active, personal involvement on the part of the attacker.

But just because the attack doesn’t involve botnet-style automation, it doesn’t mean its actions are benign or any less threatening. An attacker in control of an Andromeda-infected computer can leverage that machine to gain a foothold inside a network and determine what other machines or valuable information resources can be accessed. Bespoke RATs can be harder for conventional antivirus tools to detect than broadly available botnet malware, as fewer examples exist from which antivirus software companies can build detection signatures.

Malware distributors know that botnets and RATs specialize in performing different tasks, and they use both to their advantage. Don’t underestimate the threat level of either type of malware.

Comments are closed.

%d bloggers like this: