2016 was not a good year for information security. The inexorable rise of ransomware, major breach reports, the emergence of massive IoT-based DDoS attacks, the rise of the Kovter malware family, and the arrival of alleged international political interference all combined to make 2016 an exceptional year. Now a new state of malware analysis puts figures behind the malware element of 2016 threats.
Anti-virus firm Malwarebytes examined almost 1 billion malware instances from June to November 2016. Data was drawn from nearly 100 million Windows and Android devices in more than 200 countries, together with additional data from its own honeypots. The ensuing report (PDF) looked at six threat categories: ransomware, ad fraud malware, Android malware, botnets, banking trojans, and adware.
The two standout malware categories are ransomware and ad fraud. Malwarebytes suggests this indicates a growing trend among cybercriminals — the desire to realize monetary return as quickly and easily as possible. “Kovter [the most prevalent of the ad fraud malware],” notes Malwarebytes, “and ransomware both provide a source of direct profit for the attackers. Rather than selling password dumps, credit card information, and social media accounts to other criminals, these attacks demand payment from victims directly to retrieve their important files or use the victims to defraud the advertising industry, resulting in more profit for less effort.”
“The use of ransomware and ad fraud, specifically Kovter,” explains Adam Kujawa, Malwarebytes director of malware intelligence, “have taken off because they provide a source of direct profit for attackers. This is the future of cybercrime, and it is imperative that we continue to study how these methods evolve over time.”
In both ransomware and ad fraud, the United States is the most attacked country. Ransomware attackers, suggests the report, “target Americans not only because of the populace’s wide accessibility to technology, but also their means to pay the ransom and, possibly, their ideological views.” Russia does not figure highly in either category. While this may be unsurprising for ad fraud, Malwarebytes suggests that fewer ransomware incidents may be “an indicator that Russian ransomware developers might shy away from targeting their own.”
Noticeably, while 81% of ransomware detected in corporate environments occurred in North America, 51% of home/consumer detections occurred in Europe.
The three most prevalent ransomware families in 2016 were TeslaCrypt, Locky and Cerber. In May, the TeslaCrypt authors shut down and released their encryption master key. TeslaCrypt disappeared from radar, but the void it left was rapidly filled by Cerber and Locky; with Cerber being the dominant family by the end of the year.
Kovter dominates the ad fraud detections. Although the malware first appeared in 2015, in 2016 it started to concentrate on ad fraud. Kovter now hijacks the victim computer and uses it to add fraudulent clicks to ad campaigns run either by the criminals behind the malware or their clients. This offers huge potential. In January 2016, the Association of National Advertisers estimated that $7.2 billion would be lost globally because of non-human traffic.
Kovter is sophisticated and evolving malware. It has “the ability to infect systems without dropping a file but instead creating a special registry key, making it difficult for many antivirus products to detect. In addition, Kovter employs rootkit capabilities to further hide its presence, and will actively identify and disable security solutions.” Malwarebytes also noticed that the drive-by exploit method of distribution was augmented in 2016 by “a massive surge in malicious phishing emails”.
“One of the biggest changes in distribution in 2016 was the use of attached scripts to phishing emails,” reports Malwarebytes. Email delivered malware also saw the return of malicious macros embedded within Office documents. The documents are often contained within protected Zip files that attempt to bypass anti-malware defenses. Social engineering in the email body then seeks to persuade the target to open the attachment and allow the macro to run. The attachment password is contained within the email. “This gives an increased sense of legitimacy to the attack as well as being an effective method of defeating automatic analysis of the attack e-mail by malware research tools, including honeypots and sandboxes.”
The rise of email-borne malware coincides with the decline of the Angler exploit kit. Like TeslaCrypt, Angler shut its doors early in 2016. Since then, however, the RIG EK has grown in popularity and is likely to increase doing so in 2017. But one of the biggest threats going forwards will be the growing likelihood of massive and disruptive denial of service campaigns.
IoT-based denial of service attacks came to prominence with the Mirai botnet. In September 2016, it was used to bring down several individual websites, including KrebsOnSecurity. A month later it was used against DNS service provider, Dyn. Mirai infects susceptible internet-connected devices. It scans the internet looking for such devices, and uses an internal database of default usernames and passwords to gain access. Since many users never change these defaults, it is a rich source. The botmaster is then able to direct the entire botnet against any target of choice.
The process has since been adopted by other botnets. For example, the Kelihos botnet grew 785 percent in July and 960 percent in October, while IRCBot grew 667 percent in August and Qbot grew 261 percent in November.
“Our findings,” says Marcin Kleczynski, Malwarebytes CEO, “demonstrate that the frequency and variety of new cyberattacks has crashed into people and businesses at an alarming rate. The last year involved an onslaught of ransomware, a surge of pernicious ad fraud and new, dangerous uses for botnets. These threats have the potential to erode many of the gains that computing is providing global society. Both consumers and businesses need to better understand how these new attack methodologies may impact them.”