The Norton product division at Symantec invited TopTenREVIEWS to a computer security briefing in San Francisco in the summer of 2011 that included an analysis of malware trends. Norton's view of these trends is instructive because, at any given moment, armies of attackers are trying to get past Norton's anti-malware and antivirus software with increasingly sophisticated methods. In the forums those attackers frequent, the breadth of Norton's multi-layered approach to anti-malware products is a recurring complaint.
Norton described trends toward fully undetectable malware, exploitation of social networks, rootkits that conceal zero-day exploits, Java-only attacks, and malware for mobile phones and the Macintosh. Norton also described at length a piece of "malware" called Stuxnet. At TopTenREVIEWS We Do the Research So You Don't Have To.™
Fully Undetectable Malware
The Holy Grail for malware authors is fully undetectable (FUD) malware. The method is to create a master malware file, generate millions of mutant variants with a "crypter" (a packer that re-encodes the file so that its bytes, and therefore its hash and any byte-pattern signature, differ from sample to sample), and then submit the variants to cloud-based scanner farms that run each one through the popular security products and report which ones are detected. These criminal-run, cloud-based services charge as little as one dollar for 24 hours of unlimited scanning. The variants that escape notice are then released onto the web. The lesson for defenders is that a file hash or byte signature identifies only the one sample it was written for; to catch the mutants, a scanner has to look through the crypter's wrapper or at what the file does when it runs.
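The pipeline described above, reduced to a runnable toy (added here as an illustration; this is not Norton's code and not real crypter code). The "payload" is a harmless constructed byte string, the crypter is a trivial XOR wrapper, and the "scanner farm" is a function that reports which variants a scanner misses. Two scanners are compared: a purely static one, which the mutants all slip past, and one that emulates the crypter's stub before matching, which catches every one of them:

```python
import hashlib
import random
import re
from typing import Callable, List, Optional

# Constructed, harmless stand-in for the "master malware file".
PAYLOAD = b"echo benign-demo-payload"

# Constructed signatures of the kind a static scanner keeps: the hash of the
# known sample and a byte pattern lifted from it.
KNOWN_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}
BYTE_SIGNATURES = [re.compile(rb"benign-demo")]


def signature_scan(sample: bytes) -> bool:
    """Static scanner: True (detected) if the sample matches a known hash or byte pattern."""
    if hashlib.sha256(sample).hexdigest() in KNOWN_HASHES:
        return True
    return any(sig.search(sample) for sig in BYTE_SIGNATURES)


def crypt(payload: bytes, key: bytes, junk: bytes) -> bytes:
    """Toy crypter. Layout: b"CRYPT" | key_len | junk_len | key | junk | payload XOR key.
    Every key byte is non-zero, so no plaintext byte survives unchanged."""
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return b"CRYPT" + bytes([len(key), len(junk)]) + key + junk + encoded


def decrypt(sample: bytes) -> Optional[bytes]:
    """Emulate the crypter's stub: recover the original payload, or None if not crypted."""
    if len(sample) < 7 or not sample.startswith(b"CRYPT"):
        return None
    key_len, junk_len = sample[5], sample[6]
    key = sample[7:7 + key_len]
    body = sample[7 + key_len + junk_len:]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def generate_variants(payload: bytes, count: int, seed: int = 0) -> List[bytes]:
    """Produce `count` mutants with random keys and random junk, as a crypter would."""
    rng = random.Random(seed)
    variants = []
    for _ in range(count):
        key = bytes(rng.randrange(1, 256) for _ in range(rng.randrange(1, 9)))
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 64)))
        variants.append(crypt(payload, key, junk))
    return variants


def scan_farm(variants: List[bytes], scanner: Callable[[bytes], bool]) -> List[bytes]:
    """Mimic the pay-per-day scanner farm: return the variants the scanner misses."""
    return [v for v in variants if not scanner(v)]


def unpacking_scan(sample: bytes) -> bool:
    """Scanner that runs the stub (emulates the unpacking) before matching signatures."""
    inner = decrypt(sample)
    return signature_scan(sample) or (inner is not None and signature_scan(inner))


if __name__ == "__main__":
    mutants = generate_variants(PAYLOAD, 1000, seed=1)
    print("static scanner misses   :", len(scan_farm(mutants, signature_scan)), "of", len(mutants))
    print("unpacking scanner misses:", len(scan_farm(mutants, unpacking_scan)), "of", len(mutants))
```

Every mutant has a different hash and no longer contains the signature bytes, so the static scanner passes all of them, which is exactly the result the scanner farm sells. Real crypters use far more elaborate stubs, and real products counter them with emulation and behavioral monitoring rather than the single decode step shown here.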
Exploitation of Social Networks
Social networks are an excellent platform for criminals. Spam and scams spread easily through news feeds, and attackers launch social-network attacks by impersonating "friends." Because 65 percent of the URLs posted on social networks are shortened links (a figure from Norton's analysis), victims click on links they would not have touched had they been able to see the full destination URL. The practical check is to expand a shortened link and inspect where it finally lands before clicking it.
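One way to perform that check, added here as an illustration (not code from Norton or from the original page): follow a short link's redirect chain one hop at a time with HEAD requests, never fetching the final page, and then report whether the destination is on a trusted domain or merely looks like one. The hostnames, the redirect table and the list of trusted domains below are all constructed for the example; `http_location` is the real network fetcher, while the tests use the constructed table:

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlparse

# Constructed redirect table standing in for the Location headers a link
# shortener and any intermediate hops would return. All hostnames are invented.
FAKE_REDIRECTS: Dict[str, str] = {
    "http://short.example/a1": "http://click.example/r?id=77",
    "http://click.example/r?id=77": "http://photos-login.example.net/signin",
    "http://short.example/b2": "https://photos.example/album/42",
    "https://photos.example/album/42": "/album/42/view",        # relative Location header
    "http://short.example/loop": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop",
}


def http_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetcher: send a HEAD request and return the Location header without
    following it (urllib's default opener would follow redirects silently)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise
    return None


def resolve(url: str, fetch_location: Callable[[str], Optional[str]],
            max_hops: int = 10) -> Tuple[str, List[str], str]:
    """Follow redirects hop by hop. Returns (final_url, chain, status) where status is
    "ok", "loop" or "too_many". The final page itself is never requested."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(url)
        if nxt is None:
            return url, chain, "ok"
        nxt = urljoin(url, nxt)          # Location may be relative to the current hop
        if nxt in chain:
            return nxt, chain, "loop"
        chain.append(nxt)
        url = nxt
    return url, chain, "too_many"


def registrable_domain(host: str) -> str:
    """Crude: the last two labels. Fine for the constructed names here; use a
    public-suffix list for real hostnames such as *.co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def assess(url: str, fetch_location: Callable[[str], Optional[str]], trusted: Set[str]) -> dict:
    """Expand a short link and summarise what a user should know before clicking."""
    final, chain, status = resolve(url, fetch_location)
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    is_trusted = registrable_domain(host) in trusted
    brands = {t.split(".")[0] for t in trusted}
    return {
        "final": final,
        "hops": len(chain) - 1,
        "status": status,
        "https": parsed.scheme == "https",
        "trusted": is_trusted,
        # a trusted brand name inside an untrusted hostname is the classic phishing tell
        "lookalike": (not is_trusted) and any(b in host for b in brands),
    }


if __name__ == "__main__":
    for link in ("http://short.example/a1", "http://short.example/b2"):
        print(link, "->", assess(link, FAKE_REDIRECTS.get, {"photos.example"}))
```

To run it against a live link, pass `http_location` instead of `FAKE_REDIRECTS.get`. HEAD requests still tell the shortener that the link was received, so this expands the URL but does not keep the click itself private.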
Rootkits that Conceal Zero-Day Attacks
Attackers who exploit obscure operating system vulnerabilities are finding fewer opportunities. So when they do discover something to exploit, they pair it with a rootkit that conceals the malware at the kernel level or below. A rootkit lets the attacker keep privileged access while hiding the files, processes and network connections that an administrator would otherwise use to notice the intrusion.
Java-Only Attacks
It's hard work to be a hacker: writing malware for each operating system takes time. By writing malware in Java, attackers get platform-independent code that runs on Windows, Linux and the Macintosh wherever a Java runtime is installed. Java attack kits spread particularly well on Facebook, working through friends' lists and dangling tempting but malicious links that download the malware.
Malware for Mobile
Attacks on mobile phones typically trojanize legitimate applications: a known app is repackaged with malicious code and redistributed. Some schemes sneak onto your phone through updates, adding permissions to an application update that the application did not ask for when you first installed it, and counting on you to approve the update without reading the new permission list.
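A concrete check for the update trick on Android, added here as an illustration (not code from Norton or the original page): compare the `uses-permission` entries of an app's old and new manifests and refuse to wave through an update that newly requests a sensitive permission. The two manifests below are constructed for the example (a flashlight-style app whose "update" suddenly wants SMS access), and the `SENSITIVE` set is a partial list of permissions Android classifies as dangerous:

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Partial list of Android permissions the platform classifies as "dangerous"
# (they guard private data or paid services). Anything newly requested from
# this set in an update deserves scrutiny before the update is accepted.
SENSITIVE: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifests: version 1 of a flashlight-style app and its "update".
MANIFEST_V1 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""

MANIFEST_V2 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""


def permissions(manifest_xml: str) -> Set[str]:
    """All permission names the manifest requests (android:name is namespaced)."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}


def version_code(manifest_xml: str) -> int:
    return int(ET.fromstring(manifest_xml).get(f"{{{ANDROID_NS}}}versionCode") or 0)


def diff_permissions(old_xml: str, new_xml: str) -> Dict[str, List[str]]:
    """Permissions gained and lost between two versions, with the sensitive gains called out."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "sensitive_added": sorted(added & SENSITIVE),
    }


def update_is_suspicious(old_xml: str, new_xml: str) -> bool:
    """Decision rule for the scenario on the page: an update that newly asks for
    a sensitive permission should not be installed without a closer look."""
    return bool(diff_permissions(old_xml, new_xml)["sensitive_added"])


if __name__ == "__main__":
    report = diff_permissions(MANIFEST_V1, MANIFEST_V2)
    print(f"v{version_code(MANIFEST_V1)} -> v{version_code(MANIFEST_V2)}: {report}")
    print("suspicious:", update_is_suspicious(MANIFEST_V1, MANIFEST_V2))
```

For a real APK the manifest is binary-encoded; `aapt dump permissions app.apk` (from the Android SDK build tools) prints the same list in plain text and can feed the same comparison. A flashlight that newly needs to read and send SMS is the kind of change this catches.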
Macintosh Malware
The Macintosh is more of a target for attackers than it used to be. MacDefender, a fake antivirus program for Mac OS X, is a particularly convincing-looking example.
Industrial Attacks
It's a topsy-turvy world. Most malware is the product of bad-guy ingenuity, but now we are seeing "malware" attacks by the good guys. Witness, for example, the cyber attack on Iran's uranium enrichment facility at Natanz. This good-guy malware, called Stuxnet, temporarily delayed Iran's progress toward weapons-grade uranium.
Stuxnet represents a new level of attack technology. It used five mechanisms to conceal itself and chose among different attacks depending on which security software it found on each host. Bluffing its way with two rootkit techniques (one for Windows and one for the Siemens PLC, the first PLC rootkit seen in the wild) and two code-signing certificates stolen from legitimate hardware vendors, it took up residence in the enrichment facility's control network. Stuxnet then monitored the centrifuge drive frequencies and recorded normal operation for about 13 days. Once it determined that the centrifuges were running in the enrichment range (807 Hz to 1210 Hz), it attacked by taking control of the frequency converters and driving them up to 1410 Hz and down to 2 Hz in alternating phases, all while replaying the recorded healthy readings to the operators' displays so that no one would be alerted. Stuxnet also disabled the kill switch, the safety logic the operators would have relied on to stop the drives. Clearly, this is not your father's malware.
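The record-then-replay trick is the part of this attack that matters most for anyone running a control system, and it is simple enough to simulate. The following is an added illustration, not Stuxnet code and not code from Norton: a toy centrifuge drive whose PLC feed to the operator screens (the HMI) is replaced by replayed healthy readings while the real frequency is pushed to the attack values quoted above. Three detectors are run over the result. The frequency range and attack frequencies are the ones the page gives; the 1064 Hz setpoint, the tick counts and the noise levels are constructed for the example:

```python
import random
from typing import List, Tuple

ENRICHMENT_RANGE = (807.0, 1210.0)    # Hz, the operating band Stuxnet waited for (from the page)
ATTACK_HIGH, ATTACK_LOW = 1410.0, 2.0  # Hz, the attack frequencies (from the page)
SETPOINT = 1064.0                      # Hz, constructed nominal operating point


def simulate(total_ticks: int = 150, record_ticks: int = 50,
             attacked: bool = True, seed: int = 7) -> Tuple[List[float], List[float]]:
    """One tick = one sample. Returns (hmi_feed, independent_sensor).

    hmi_feed is what the PLC reports to the operator screens. With attacked=True
    an implant spends the first `record_ticks` recording healthy readings, then
    commands the drive to ATTACK_HIGH / ATTACK_LOW in alternating phases while
    replaying the recording to the HMI. independent_sensor is a measurement
    (say a vibration or power meter) that does not pass through the PLC."""
    rng = random.Random(seed)
    actual = SETPOINT
    hmi, sensor, recording = [], [], []
    for t in range(total_ticks):
        in_attack = attacked and t >= record_ticks
        if in_attack:
            phase = (t - record_ticks) // 25
            target = ATTACK_HIGH if phase % 2 == 0 else ATTACK_LOW
        else:
            target = SETPOINT
        actual += (target - actual) * 0.3 + rng.gauss(0, 0.5)   # drive follows its setpoint
        sensor.append(actual + rng.gauss(0, 0.5))                # independent measurement
        if in_attack:
            hmi.append(recording[(t - record_ticks) % record_ticks])  # replayed "healthy" data
        else:
            hmi.append(actual)
            recording.append(actual)
    return hmi, sensor


def out_of_range(series: List[float], lo: float = ENRICHMENT_RANGE[0],
                 hi: float = ENRICHMENT_RANGE[1]) -> List[int]:
    """Ticks where a series leaves the normal band. Blind to the attack when run on
    the replayed HMI feed, which is the whole point of the replay."""
    return [t for t, v in enumerate(series) if not lo <= v <= hi]


def divergence(hmi: List[float], sensor: List[float], tolerance: float = 25.0) -> List[int]:
    """Ticks where the operator display and the independent sensor disagree."""
    return [t for t, (h, s) in enumerate(zip(hmi, sensor)) if abs(h - s) > tolerance]


def replay_windows(series: List[float], window: int = 10) -> List[Tuple[int, int]]:
    """(earlier_start, later_start) pairs where a window of samples repeats exactly.
    Real sensor noise never repeats bit-for-bit; a replayed recording does."""
    seen, hits = {}, []
    for t in range(len(series) - window + 1):
        w = tuple(series[t:t + window])
        if w in seen:
            hits.append((seen[w], t))
        else:
            seen[w] = t
    return hits


if __name__ == "__main__":
    hmi, sensor = simulate()
    print("HMI feed out of range      :", out_of_range(hmi))
    print("sensor out of range (first):", out_of_range(sensor)[:5])
    print("first HMI/sensor divergence:", divergence(hmi, sensor)[:1])
    print("first replayed window      :", replay_windows(hmi)[:1])
```

Range checking the operator feed finds nothing, because the feed is a recording of healthy operation. The attack shows up only when the HMI is compared against a measurement the compromised controller cannot touch, or when someone notices that the "live" data has started repeating itself exactly. That is the design lesson: instrumentation that is independent of the PLC, and plausibility checks on the data the PLC reports.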
It is also worth noting that this malware used seven mechanisms to spread, and that it carried four zero-day exploits for Windows, an unprecedented number for a single piece of malware. (Symantec's own analysis counts four zero-days plus an exploit for a vulnerability Microsoft had already patched in 2008.) Impressive, when you consider that only 14 zero-day vulnerabilities were reported worldwide in the previous 12 months. Consider too that Stuxnet has 15 modules and roughly 50 times more code than a typical threat. At Natanz it injected its own code, about 10,000 lines according to the briefing, into the Siemens programmable logic controllers that drive the centrifuges. Obviously, Stuxnet is not from some 15-year-old kid hacking from his mother's basement.
Stuxnet destroyed roughly 1,000 of Iran's 9,000 uranium-enrichment centrifuges and delayed Iran's rush toward nuclear arms, a result that just a few years earlier would have required traditional warfare. And it all came about because some good guys used "malware" on steroids to delay evil.
However, this malware ups the ante in a dangerous way: it is so ambitious that attackers now have a whole new level to imitate. The Stuxnet genie is out of the bottle, and the bad guys now have a template for malware against industrial control systems, with implications for the security of gas pipelines, manufacturing plants, elevator and building control systems, smart-grid power systems, hospitals and banking systems.
Summary
Hackers continue to imagine and deploy malware that is a testament to the cunning genius of evil. Now, for the first time, the forces of good are borrowing a tool formerly associated with wrongdoing to fight the good fight.