Events , Governance & Risk Management , Incident & Breach Response

In Britain, Malware No. 1 Cyberthreat

Zeus Banking Trojan Threats Still Dominate, CERT-UK Warns
In Britain, Malware No. 1 Cyberthreat

Malware - and in particular the Zeus banking Trojan - remains the most prevalent online threat facing U.K. businesses and consumers.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

That finding comes via the first-ever annual report from the U.K.'s computer emergency response team, or CERT-UK. From April 2014 through March 2015, the organization says, it counted 2.6 million Zeus infections inside the U.K., followed by 1.8 million infections of ZeroAccess search-engine-poisoning malware, 816,000 Conficker banking malware infections, 112,000 Sality malware infections, and 99,000 Torpig rootkit infections.

CERT-UK says those figures were gathered by studying a variety of malware information feeds, as well as "sinkholing" botnets to redirect them to sites controlled by law enforcement agencies, thus neutering them. It cautions, however, that the numbers are not meant to represent "a definitive picture of U.K. cyber health," but rather to highlight the general types of malware that are currently most popular with cybercriminals. In part, that's because there are some obvious omissions in the findings. "Some malware types, such as Dridex and Shylock, were not observed from these feeds and they are known to have been prolific this last year," CERT-UK says.

The finding that so many online criminals are still using malware - compared with more targeted hack attacks - is "no big surprise," says Dublin-based information security consultant Brian Honan, who will be moderating a keynote discussion "Know Your Adversary: Who is the Cybercriminal?" at the upcoming Infosecurity Europe conference in London. "Lots of automated worms try to compromise vulnerable systems, and Zeus is one of the most virulent families of malware - with numerous variants - so it is heavily used by criminals."

Zeus Declines, For Now

CERT-UK reports that after a spike in Zeus infections in the spring of 2014, it saw a marked decrease in infections following Operation Tovar. That law enforcement effort - led by the U.K.'s National Crime Agency, with CERT-UK assisting - targeted Gameover Zeus malware and Cryptolocker ransomware, although the number of related infections later began to rebound (see Gameover Zeus Trojan Continues Resurgence).

Still, the overall quantity of malware infections declined toward the end of 2014, although officials expect them to - inevitably - resurge again soon. "We will see another type of malware come to the forefront in the coming year ... This may already be Dridex, or Dyre - two major concerns particularly to the financial sector," CERT-UK says.

Indeed, information security experts have recently been warning about an increase in spam campaigns distributing a variant of Dridex that uses macros to attempt to infect PCs. Likewise, researchers have recently warned about "The Dyre Wolf" - a Dyre variant - that is being distributing via phishing campaigns, and which is designed to target commercial bank accounts.

U.K. Malware Infections Detected

Source: CERT-UK, Codenomicon

CERT-UK: 2014 Launch

CERT-UK formally launched in March 2014, as part of the country's five-year National Cyber Security Strategy, which began in 2011. It is led by Chris Gibson, formerly a director at financial services firm Citi.

CERT-UK's responsibilities include cyber-security incident management at a national level; helping to support critical infrastructure companies as well as help them respond to security incidents; promoting "cybersecurity situational awareness" for the public, businesses and academia; and serving as a single point of contact for coordinating or collaborating with other national CERTs.

This isn't the first time that a CERT has been at work in the country. "The U.K. has had a number of CERTs in existence over the past number of years, so it is not as if the U.K. has not been served by CERTs in the past," says Honan, who established Ireland's first CERT in late 2012 and early 2013. "CERT-UK is now the national CERT for the U.K. This is a result of an EU directive that required all member states to have a competent national CERT in place."

Information-Sharing Push

CERT-UK also maintains the U.K.'s Cybersecurity Information Sharing Partnership, and says that eligible U.K. businesses and organization, which must be sponsored by a government department, existing "CiSP" member or a trade/body association.

Any CiSP member can sign up for free network monitoring reports, which provide immediate, emailed warnings whenever CERT-UK sees any evidence that malicious operators have been on the member's network - for example, if a corporate IP address shows up in botnet command-and-control servers logs or during the course of a law enforcement digital forensics investigation.

"It is a feature that is offered by various CERTs (both commercial and non-commercial) and also by security firms," Honan says. "The U.K. also had an earlier version of this in the form of WARPs - warning advice and reporting points."

CERT-UK says that when it absorbed the CiSP program last year, there were about 300 members, but notes that almost 1,000 organizations are now participating. Gibson, the organization's director, notes in an introduction to the CERT-UK report that CiSP helped disseminate immediate remediation advice in the wake of both the Heartbleed and Shellshock vulnerabilities being discovered. "My team shared information through CiSP and our website; we provided swift advice to increase people's understanding of the issues and to begin mitigation against the vulnerabilities," Gibson says. "I stress the importance of checking and acting - where appropriate - on our alerts and advisories, and joining CiSP to get early warning of such incidents."

Funding for the CiSP program has only been guaranteed through April 2015, according to CERT-UK's website. But the Cyber Security Strategy - that has been funding the program - was launched by the coalition government, of which the Conservatives represented a majority, and with the Conservatives now in sole power, following the May 7 general election, it seems likely that they will continue to invest in cybersecurity programs.

CERT-UK officials did not immediately respond to a related request for comment.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.