Malware was spread in unique ways in 2012, particularly through drive-by exploits. In 2013, organizations can expect more exploits targeting social networks, says Adam Kujawa of anti-malware vendor Malwarebytes.
"The method in which the links to drive-bys have been spread was pretty unique [in 2012]," says Kujawa, a malware intelligence analyst. "We can see that moving over into 2013."
Kujawa says cybercriminals are increasingly targeting social networking sites and communication tools such as LinkedIn and Skype. And the growing sophistication of social engineering is a cause for concern, as it becomes even harder to differentiate truthful and deceptive messages online.
"About a decade ago, you could see a phishing e-mail that was a poorly written attempt," he says in an interview with Information Security Media Group [transcript below]. "It was pretty apparent back then that these were fake e-mails. Today, we see almost exact duplicates [of corporate communications] that are easy to fall for."
These simple yet effective methods are what organizations need to pay attention to as the year progresses. "Methods like that ... really get to the core of the human mind and act on our kneejerk reactions with how comfortable we have become with technology," Kujawa says.
In an interview about 2013 malware trends, Kujawa discusses:
- Top malware threats to organizations;
- How malware will be delivered in 2013;
- How to counter these threats.
Kujawa is a computer scientist with more than eight years experience in reverse-engineering and malware analysis. He has worked at a number of United States federal and defense agencies, helping these organizations reverse-engineer malware and develop defense and mitigation techniques. He has also previously taught malware analysis and reverse-engineering to personnel in both the government and private sectors. He is the malware intelligence lead for Malwarebytes Corp.
TOM FIELD: To start out, why don't you tell me a little bit about yourself and your expertise in malware, please?
ADAM KUJAWA: I'm a malware researcher with over eight years of experience. I previously worked for the U.S. government, both directly and indirectly as a contractor, and currently I'm the malware intelligence lead for Malwarebytes. That pretty much includes researching new and unique malware threats, as well as informing our user base of such threats and providing education on how people can protect themselves from those threats.
Top Malware Stories of 2012
FIELD: I know you've spent a lot of time looking back on 2012 as you make your predictions for 2013. What would you say were the top malware stories of 2012?
KUJAWA: The top threats of 2012 really involved a high rise in drive-by exploits that were found being spread by malicious advertisements, phishing e-mails and cyber criminals posing as legitimate users. In addition, the widespread ransomware infections being spread by the exploits, as well as Trojan malware and remote access Trojans, or RATs, that steal principal and financial information, we found in record-breaking numbers.
The big malware stories of 2012 also included a discovery of numerous state-sponsored malware running on the networks of governments in the Middle East. The biggest threats to the users were from drive-by exploits. They had just gone up in massive amounts, and we were calling it the golden age of drive-bys because of that and the kind of malware that they're spreading.
Ransomware, Trojan malware and RATs have just been exploiting not only the users' systems but the users themselves by means of tricking people or fooling people into believing that they're being infected by government malware or that the government had indeed hijacked their system or locked it out because of some illegal activity they may or may not have performed. Then, [there's the] classic kind of malware that we see that hides on the system very well and changes almost daily, requiring a more up-to-date, quicker response time on the side of the cybersecurity community.
Golden Age of Drive-By Exploits
FIELD: One thing you said in your report - you said it again just a moment ago - is that we're living in the golden age of drive-bys. What exactly do you mean by that?
KUJAWA: Over the last few years, the cybersecurity community has seen a dramatic increase in the amounts of drive-by exploits being deployed to infect users. The cyber criminals are targeting poorly-secured websites set up by users - for example, work websites - to install drive-by exploit code that's executed on the system of any user visiting the site. In issuing the links to these exploits, sites are being spread via social networking, taking e-mails and hijacked communication accounts like Skype. We're calling it the golden age because of the sheer number of incidents reported daily of drive-by exploits. We can say that this has been happening for the last few years and is really starting to peak even more in the last year because of just the sheer amount of vulnerability out there in applications that people use every single day. They're targeting commonly-used applications like Java and Flash that run on numerous operating systems to gain the best chance of infection.
Exploits that attack outdated vulnerabilities are also the most common method of infection that we've seen because users are not updating their software with the latest security patches. A vulnerability that we might have seen a year ago that was quickly patched and taken care of can still be exploited by cyber criminals via these drive-by attacks. For a user that has failed to update something like Java or Flash or whatever is being exploited, it's a big problem and hopefully one that's going to be taken care of a little bit as users become more and more aware of the security threats out there and what they need to do to keep themselves safe.
New Malware Trends
FIELD: Let's look ahead to 2013. What are some of the new ways you're seeing malware being spread this year?
KUJAWA: In 2012 we saw a lot of malware being spread in different ways than the typical method. Drive-bys, of course, is one of them. But the method in which the links to drive-bys have been spread was pretty unique, and we can see that moving over into 2013, things like seeing links for drive-by attacks on social networking sites, communication tools like Skype, through phishing or fake e-mails. We'll continue to see that going on.
The way in which they're being spread, more than just the actual communication avenue, but also the social engineering aspect that's gone into it, cyber criminals evolved in their methods of fooling people. About a decade ago, you could see a phishing e-mail that was a poorly written attempt at telling people "I'm Prince of Nigeria" or to log into your bank account. It was pretty apparent back then that these were fake e-mails.
Today, we see almost exact duplicates that are easy to fall for if you didn't know that it was already happening, other than a security notice has gone out or something saying that we see lots of these kinds of attacks. We expect that to continue and evolve even more where it really becomes less about exploiting the system - which is obviously a huge part of it - but also fooling the user, making them believe something.
Earlier in 2012, we saw a type of malware that hijacks Skype and was sent out to all contacts, a simple one-line message that said, "Laugh out loud. Is this you?" and provided a link. The link was for malware, but it was very effective. Even me being in the security field as long as I have been, if I got a message from a friend of mine that I talk with often and it said that or had that link, I would even have a hard time deciding whether or not to click on that link.
Methods like that which seem very simple but nonetheless really get to the core of the human mind and act on our kneejerk reactions with how comfortable we have become with technology, with using the Internet and with sharing our lives, it's really the path that cyber criminals are going to take.
FIELD: That's a good transition to talk about mobile security. BYOD is the theme of your report. What are some of the bring-your-own-device risks that organizations are overlooking now?
KUJAWA: In the past, organizations had the ability to set up their own networks and have their employees use their own equipment that's been carefully examined, carefully designed by their IT department or whoever is dealing with that. It was very locked down and, despite attacks from external sources, it was very easy to kind of keep everything where it should be.
When you bring in the BYOD risks, users can bring in their own mobile devices, their tablets, their phones, and they connect into the network of the corporation or the organization. You don't know what exactly the user has been looking at, if they have malware already loaded on their system, how easy it is for the user to download something from their mobile device to the system that belongs to the organization and how easy it would be to spread malware that way.
While it's been happening throughout the years - users bring in their own CDs, DVDs and USBs and things like that - by embracing this bring-your-own-device methodology, it's really a huge security risk for any organization, especially ones that are targeted often by cyber criminals. Not being able to control what devices are being brought in on a mass scale like that is a lot of risk and organizations should really think twice before they decide to employ some of those methods. It's possible to protect your system or your network only so much from external threats; but if the threat is coming internally, then it's even harder.
Smarter Users in 2013
FIELD: One of the predictions you make is that we're going to see smarter users in 2013. How do you see this happening?
KUJAWA: With as much cyber-crime activities we've been seeing, the media is really picking up on it. We see lots of news articles every day - blogs, things on television - that talk about cyber crime and how it's rampant and it's everywhere. The average user should be seeing these things. It's kind of in their face now. They don't have a choice. And beyond that is the fact that even some people who consider themselves fairly computer-savvy have been infected with things like ransomware. I personally have known numerous people just face-to-face that have been infected by ransomware without ever doing anything that they would consider unsecure.
Having that kind of experience, seeing it on the news, hearing it from friends and family, it's really going to inspire people to become more security-conscious. And hopefully in 2013 we will see that reflected in how successful the malware threats are because if users are updating more often, if they're employing the use of security tools like ad blockers, anti-virus and anti-malware tools, and that they're being a little more safe and cautious when they're on the Internet, then the activity of cyber criminals will probably start to drop.
Malware Counter Measures
FIELD: Let's talk about what organizations can do. I'd be curious what they can do to encourage smarter users to increase awareness and get people to be downloading updates, especially to their mobile devices. But what are some of the effective counter measures that organizations can explore as well?
KUJAWA: Education is the best tool in my opinion. While there are definitely corporations that go out and have mandatory training for cybersecurity, I don't think that they drill it in hard enough. [Maybe] have users experiment or try out a sample infection to see what it's actually like, to see what would actually happen. It's one thing to read it on a piece of paper that says, "You're going to get infected if you do this." It's another to actually practice it.
Organizations might want to try to employ the use of penetration testing teams that come in and attempt to exploit the network and see how easy it is for them because that's just the best way. People would have a more effective time retaining information, retaining and deploying the security practices in their everyday routine, if they've seen what could happen.
Not just relying on the IT department, not just relying on quarterly training that's done via websites for 20 minutes, but making cybersecurity and information security a very large and very important part of every employee's day or a person's day can really go a very long way.
2013: The Year of Mobile Malware?
FIELD: Everybody sort of has an opinion on whether 2013 is or is not going to be the year of mobile malware. Where do you come down on that question?
KUJAWA: I think that we will see some very, very advanced and very dangerous malware being released in 2013 for mobile devices. People are using them more and more every single day and relying on them for their information, for paying bills, checking their bank accounts, talking to friends and family and leaving their desktops at home. Why do they need them? The natural progression for cyber criminals is to evolve their practices for the mobile platforms. It's a little different. They're designed differently than most Windows PCs.
The initial jump to mobile malware has been like it's been - a little bit rough. I haven't seen anything that's impossible to stop yet. But it's coming, and as soon as the cyber criminals figure out how to do it, then they'll be on top of that. It would be in everyone's best thought process to start securing their phones and their mobile devices. Anti-malware and anti-virus products are out there. Apps are out there right now to try and secure the system. They should secure their mobile devices before it's too late because we will most likely see the biggest and most dangerous mobile malware without ever knowing that it existed right beneath our noses.