Hackers taking rootkit exploits to the next level: F-Secure (Updated)

By Edwin Yapp February 4, 2013

Cyber-criminals engaging in novel methods; includes renting ‘malware-as-a-service’ model
Java exploits and Android malware also on the rise; same motive – financial gains

[Updated with a link to the actual report at the end of this story]
\WHILE there has been no single major event that dominated the information security threat landscape in the last half of 2012 as in previous years, several new trends are beginning to surface that should be of concern to both general consumers and enterprises, notes a new study.

According to Finnish-based F-Secure, the three emerging trends due to dominate the threat security landscape this year are: The increasing use of botnet exploit kits by cyber-criminals; the standardization of vulnerability exploitation; and the increase in mobile malware exploiting the Android-based ecosystem.

Hackers taking rootkit exploits to the next level: F-Secure (Updated) Speaking to Digital News Asia ahead of the release of its bi-annual threat security report on February 5, Goh Su Gim (pic), security advisor for Asia at F-Secure, said while the use of botnets to exploit users is not a new phenomenon, the rise of botnet exploitation kits is fairly new.

Explaining what the differences between the two were, Goh said profiteering trojans – which cyber-criminals use by fooling users to download software from malicious websites, and thereafter stealing their money through unauthorized access to users’ account – is the new era in ‘bank robbing’ but this phenomenon is not new.

“What is new, is that cyber-criminals are offering these malware in a bundled form, kind of like a ‘Do It Yourself’ (DIY) package – off the black marketplace,” he explained.

“This would allow anyone with minimal hacking skills to configure certain parameters, such as the kind of credit card number they want to steal, and facilitate the unauthorized transfer of money.

"To top it off, not only can you get the bundled rootkit, you can even get a complete, step-by-step manual to teach you how to do it!”

What’s more, Goh revealed, is that these DIY rootkits either come in a ‘pay-per-installation’ or ‘rent-a-botnet’ scheme, which essentially allows attackers to use the combined power of the infected host to perform attacks or to engage in other nefarious activities.

On what the differences were between these schemes, Goh said the ‘pay-per-installation’ is a one-off payment – usually much more expensive than the other scheme, in which the rootkit is rented to the user, much like a ‘renting-malware-as-a-service’ model.

“Think of the first method as a person buying a house, paying a sum for the entire transaction; the second as renting a house, a pay-per-use model,” Goh said.

Asked how much they cost, Goh said the price of a rootkit ranges between US$4,000 and US$10,000, depending on what the rootkit is based on.

“A Zeus toolkit can cost up to US$10,000,” he revealed. “So hackers who are starting out prefer to rent and make money as they go along as opposed to those who could afford it, and prefer to buy the rootkits one off.”

Java undermined

Another change, noted F-Secure in its soon-to-be-released report, is the rise of vulnerability exploitation, often in tandem with established social engineering tactics. Unlike previous years, when most of the infections it saw involved trojans, 2012 was the year of the exploit as these accounted for 28% of F-Secure’s cloud lookup systems in the back half of the year.

Goh noted that in particular, Java exploits in the past six to nine months peaked, and that F-Secure has detected that vulnerabilities related to the Java development platform make up 68% of all exploit-related detection systems in the last six months of 2012.

According to Goh, vulnerability exploits are nothing new but the trend is shifting towards exploiting Java because many of today’s operating systems have been hardened over the years, and cyber-criminals are targeting a lower hanging fruit in the form of Java exploits

“Users today are more educated than before and software vendors have upped their defenses on the core operating system,” he said. “But while users often patch the operating system, they are not so vigilant when it comes to things like Java and Adobe plugins, which are where cyber-criminals target.”

Goh suggested that users turn off Java if they do not need it by default but if they do, to ensure that it’s always patched with up-to-date software.

Android to the fore

Another burgeoning trend that will be highlighted in F-Secure’s report is the rise of mobile malware, particularly that affecting Google’s Android operating system, Goh said.

F-Secure noted that in the third quarter of 2012, Android reportedly accounted for 75% of the global smartphone market, effectively making it the most common mobile operating system in the world.

In China, Android handsets accounted for 81% of that market and it’s therefore not surprising that many of the new malware families F-Secure detected last year were targeted specifically at Android users in China alone.

In November last year, Digital News Asia (DNA) reported that endpoint security provider Bit9 claimed that out of the more than 400,000 apps evaluated on the Android store, it found that 72% of all Android apps (more than 290,000) access at least one high-risk permission.

Goh said that it’s no surprise that with the rise of Android as an operating system, cyber-criminals would target it as they always go where there is profit to be made (click chart to enlarge).

As opposed to Apple’s operating system, iOS (it has been very difficult for cyber-criminals to infiltrate into Apple’s App Store due to its tight requirements), Android’s marketplace is a much easier platform for cyber-criminals to push their wares, Goh added.

F-Secure also noted that there were 238 new, unique variants found on Android’s marketplace in the last half of 2012, with the majority of malware being distributed as trojanized apps, in which legitimate programs have be engineered to include malicious components.

Asked if Google’s revamped Play Store, formerly known as Android Marketplace, has made a difference in filtering out these malicious software, Goh said there are some improvements observed by F-Secure.

These efforts include the addition of exploit mitigation features in the [Android] 4.1 update and an (optional) app verification feature in the 4.2 update, Goh noted.

F-Secure’s upcoming report also noted that though the effectiveness of Google’s security-related effort has come under criticism, they do represent concrete steps towards better protecting the data and device security of Android users.

“It used to be worse in the Play Store but it has gotten better,” Goh said. “Nonetheless, it’s still a big target for cyber criminals.”

The F-Secure bi-annual threat security report will be available on Feb 5. [Update] For a pdf copy, click here.