RSA: New Frontiers in Threat Research
RSA speakers drill into emerging attacks and trends, from unruly apps to malicious tweets.
At the 20th annual RSA Conference in San Francisco last week, speakers covered a wide range of topics, from secure cloud delivery and software development to data leak prevention and risk management. But to quench attendee thirst for sizzle, two entire tracks were devoted to hackers and threats research on cutting-edge exploits and attack trends that keep security practitioners up at night. Here are a few of the findings disclosed by security researchers charting out these new frontiers.
Mobile Security - The Ugly Truth
Patrick Traynor, an assistant professor at the Georgia Institute of Technology, used his talk on the disruptive potential of malware to share eye-opening statistics about theoretical DoS attacks against cellular networks.
"When it comes to mobile malware, everyone is looking for rogue apps, banking trojans, IMEI/IMSI theft; but what about cellular network availability?" pondered Traynor. "Malicious behavior follows utility, so [this kind of] malware is inevitable, but its potential impact is poorly understood. Even relatively small botnets in this environment could cause area-code scale outages."
To illustrate, Traynor showed how an SMS (text message) flood could block incoming calls. Googling cellular numbers in a given geographic area could yield a big hit list in minutes. "If you sent just 495 SMS [texts] per second, the probability of blocking calls is 71 percent; that's easily accomplished with cable modem bandwidth," he said. DoS could even occur by accident: for example, a university sending campus-wide SMS alerts might inadvertently block outgoing calls for help.
GSM data networks are even more vulnerable to DoS, due to the high cost of call setup. "Phones rely on temporary MAC layer IDs to receive data, but only a small number of those exist. An attacker that repeatedly pinged [mobile phones] could keep all IDs busy. Sending just 160Kbps could block 97 percent of legitimate data traffic. That's a very low bandwidth attack against a high bandwidth service," said Traynor. A hacker would need a botnet of fewer than 12,000 phones to pull off this DoS attack; that's just a small fraction of the number of iPhones sold every month.
Profiting from Mobile Malware, Russian Style
Traynor was followed by Kaspersky Lab malware analyst Dennis Maslennikov, who described the recent evolution of SMS trojan horse programs in Russia.
"Most mobile trojans now use SMS," said Maslennikov. "In 2008, we saw primitive J2ME trojans. By 2009, we saw more advanced J2ME and some Symbian and Windows mobile trojans. Last year, we started to see more complex mobile trojans."
For example, SMS.J2ME.Konov was a relatively primitive mobile trojan, spread by a Russian social network. This small trojan used no encryption to obfuscate code and no sophisticated tricks to solicit user input. It simply churned out SMS messages to a hard-coded set of premium rate numbers, thereby generating revenue for mobile network operators, content providers, and affiliate networks.
By fall 2009, SMS.SymbOS.Lopsoy was making the rounds as a digitally signed Symbian S60 third edition trojan, posted on game download sites. This trojan pulled SMS content and premium rate numbers from a remote URL, making it harder to block with filters. SMS.WinCE.Sejweek targeted Windows Mobile devices in a similar fashion.
This type of SMS malware is flourishing in Russia, said Maslennikov, because affiliate networks can easily rack up $1M per month, received anonymously via electronic payment networks. "Increasingly sophisticated techniques are now being applied to different mobile platforms by hundreds of criminalized affiliate networks," he said. Although this malware largely targets Russian users today, Maslennikov has already started to see growth against users in Latvia, Lithuania, Estonia, Germany, and the U.S.
Adobe - Evaluating the World's Number One Most Exploited Software
Kaspersky Lab senior researcher Roel Schouwenberg offered a worrisome but optimistic look at last year's exploit explosion against Adobe software. Operating system improvements like DEP (Windows XP SP2) and ASLR (Windows Vista) prompted a migration towards browser-based and application attacks. To create commodity malware for a very large market, "The bad guys just had to look for other software that was broadly present on PCs," he said. This led to a surge of Adobe Flash, Adobe Reader, and Java attacks.
Exploit kit automation and obfuscation fueled this growth, explained Schouwenberg. "This started with MPack in late 2006, which attacked PDFs, QuickTime, RealPlayer, and Internet Explorer. From 2008 on, we saw clearer kit focus on Adobe software. Kits caused growth in targeted attacks; PDF was the casualty of this. Java is increasingly the next biggest victim," he said.
Adobe Reader is targeted more often than Flash because it has a bigger code base and supports many old and proprietary features. PDFs have also become widely popular and are less likely to be scrutinized or blocked than executables. During Q1 2010, 48 percent of all exploits involved malicious PDFs, making Adobe Reader the most exploited software.
But in Q2 of last year, PDF attacks fell to 30 percent, while Java attacks grew. "This is quite telling; it shows that improvements by Adobe, such as making sure you're hooked in DEP and ASLR, really matter," explained Schouwenberg. "Most of the malicious PDFs out there today don't work on Windows 7 due to DEP and ASLR." As a result, Schouwenberg believes that Java exploits may exceed PDF exploits this year.
For mitigation, Schouwenberg recommends using an alternative PDF reader, changing settings to reduce risk, and using up-to-date anti-malware. "Try Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to force programs to use DEP and ASLR," suggested Schouwenberg. "That doesn't always work, but it is worth trying; for example, to make Java a whole lot safer with the push of one button."
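Whether a program is "hooked in DEP and ASLR" is something a defender can verify directly: a Windows executable or DLL opts into both by setting flags in the DllCharacteristics field of its PE optional header (IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR), and images that do not set them are the ones EMET has to force. The following Python is an added example, not code from the talk or from Kaspersky or Microsoft; it reads those two flags from a PE32 or PE32+ header and, so that it runs offline, builds a constructed minimal header as a fixture rather than loading a real binary.

```python
import struct

# DllCharacteristics flags from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image can be relocated at load time (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is compatible with DEP

def dll_characteristics(image):
    """Return the DllCharacteristics field of a PE32 or PE32+ image (bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # The 20-byte COFF file header follows the signature; the optional header follows that
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header
    return struct.unpack_from("<H", image, opt + 70)[0]

def mitigation_status(image):
    """Report whether the image opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT)."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def build_minimal_pe(flags, pe32plus=False):
    """Constructed fixture: just enough header to exercise the parser.

    It is not a loadable executable; it exists so the example runs offline."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    opt_size = 112 if pe32plus else 96     # optional header size without data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine: AMD64 / i386
                       0, 0, 0, 0,                     # sections, timestamp, symbol table, symbols
                       opt_size, 0x0002)               # SizeOfOptionalHeader, EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, flags)                          # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    hardened = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_minimal_pe(0, pe32plus=True)
    print("hardened:", mitigation_status(hardened))  # {'aslr': True, 'dep': True}
    print("legacy:  ", mitigation_status(legacy))    # {'aslr': False, 'dep': False}
```

To check a real binary, pass `open(path, "rb").read()` to `mitigation_status`. A module that reports `dep: False` or `aslr: False` here is exactly the kind of image that still runs with the old protections unless EMET (or, on later Windows versions, a system-wide opt-in policy) forces them on, which is why the toolkit "doesn't always work" for every program.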
There's an App for That: What Mobile Apps Mean for Security
During their session, Lookout Mobile Security CTO Kevin Mahaffey and Principal Engineer Tim Wyatt presented new findings published by the App Genome Project. This project explores iOS and Android apps, studying how they access personal data and sensitive capabilities, aiming to help users stay safe and identify threats in the wild. To accomplish this, a distributed crawler accesses the Android Market and Apple App Store, enumerating apps, retrieving metadata, and downloading free apps. By storing metadata and software for offline analysis, researchers have been able to document mobile app feature use (stated and actual) and track changes.
Android apps have more than doubled over the past six months, with paid apps spiking from 22 to 33 percent. Although the Apple App Store is still larger, it is growing far more slowly, with the percentage of paid apps dropping. Overall, more iOS than Android apps access stored contacts and current location. Specifically, 28 percent of Android Market apps and 34 percent of App Store apps can access location; 7.5 percent of Android Market apps and 11 percent of App Store apps can access contacts.
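On Android, the "stated" side of feature use comes from the permissions an app declares in its AndroidManifest.xml, which is what lets a study like this report what share of a market can reach location or contacts. The following Python is an added example, not the App Genome Project's code or a description of how Lookout's crawler works: it parses constructed manifests, maps declared permissions onto location, contacts and SMS capabilities, computes their prevalence across a small constructed corpus, and flags capabilities an app of a given kind has no plausible need for. The EXPECTED baseline and the sample corpus are hypothetical; the example covers stated permissions only, not the "actual" use that requires analysing the code.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Map each capability the study tracked to the Android permissions that grant it.
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "sms":      {"android.permission.SEND_SMS",
                 "android.permission.RECEIVE_SMS",
                 "android.permission.READ_SMS"},
}

# Hypothetical baseline: capabilities an app of a given kind plausibly needs.
EXPECTED = {
    "flashlight": set(),
    "navigation": {"location"},
    "messaging":  {"contacts", "sms"},
}

def declared_permissions(manifest_xml):
    """Return the set of permission names from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def capabilities(manifest_xml):
    """Capabilities the app's declared permissions would let it exercise."""
    perms = declared_permissions(manifest_xml)
    return {cap for cap, names in CAPABILITIES.items() if perms & names}

def superfluous(kind, manifest_xml):
    """Capabilities that an app of this kind should not need (unknown kinds need none)."""
    return capabilities(manifest_xml) - EXPECTED.get(kind, set())

def prevalence(manifests):
    """Percentage of apps in the corpus whose permissions grant each capability."""
    total = len(manifests)
    counts = {cap: 0 for cap in CAPABILITIES}
    for xml in manifests:
        for cap in capabilities(xml):
            counts[cap] += 1
    return {cap: round(100.0 * n / total, 1) for cap, n in counts.items()}

def manifest(package, *permissions):
    """Build a constructed AndroidManifest.xml declaring the given permissions."""
    uses = "".join('  <uses-permission android:name="%s"/>\n' % p for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">\n%s</manifest>\n' % (package, uses))

# Constructed sample corpus (four apps) standing in for crawled market data.
SAMPLE_CORPUS = {
    "flashlight": manifest("com.example.torch",
                           "android.permission.CAMERA",
                           "android.permission.READ_CONTACTS"),
    "navigation": manifest("com.example.maps",
                           "android.permission.ACCESS_FINE_LOCATION",
                           "android.permission.INTERNET"),
    "messaging":  manifest("com.example.chat",
                           "android.permission.READ_CONTACTS",
                           "android.permission.SEND_SMS"),
    "game":       manifest("com.example.puzzle",
                           "android.permission.ACCESS_COARSE_LOCATION"),
}

def flagged_apps(corpus):
    """Apps whose declared permissions exceed what their kind plausibly needs."""
    return {kind: superfluous(kind, xml) for kind, xml in corpus.items()
            if superfluous(kind, xml)}

if __name__ == "__main__":
    print("prevalence:", prevalence(list(SAMPLE_CORPUS.values())))
    print("flagged:   ", flagged_apps(SAMPLE_CORPUS))
```

Run against the sample corpus, the flashlight app is flagged for contacts access and the game for location, while the navigation and messaging apps pass: that is the "does it require superfluous permissions?" question from the talk turned into a repeatable check, and the same `prevalence` call over a real set of manifests yields the kind of market-wide percentages quoted above.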
It turns out that not all apps that accessed sensitive data for unusual reasons were malicious. However, some apps were far less than up-front about what they were doing. For example, one set of cryptically named iOS "system utilities" was found to be copies of Mobile Spy, a commercial app hidden on iPhones under surveillance. A Flashlight app actually contained an unadvertised SOCKS proxy to enable 3G tethering without tipping off Apple reviewers.
When the project branched out to third-party app sites (e.g. Cydia, Chinese Android markets), they discovered that most downloads were also published at app stores. At one site, 85 percent of 22K downloadable apps were pirated paid apps, repackaged to remove DRM. At two alternative Android markets, just a few repackaged apps were pirated, but many more were free apps, repackaged to inject ads. Repackaging was used by the Android Geinimi trojan to enable remote control over SMS texting, phone calls, and app install prompts. Similar techniques were reportedly used by the Android HongTouTou trojan found last week.
In conclusion, Mahaffey and Wyatt recommended that enterprise IT track mobile attack developments. "In the last two months, there have been fairly large jumps in technical sophistication in Android malware; invest ahead of threats and cut the bad guys off," they said. "Don't ban apps, but encourage users to download responsibly. Ask: Does the app come from a reputable market? A reputable developer? Does it require superfluous permissions? Use the same caution when downloading apps to your phone as you use on your PC."
The Dark Side: Measuring and Analyzing Malicious Activity on Twitter
Another fast-growing trend that has become a target for malicious activity is Twitter. In their RSA session, Chief Research Officer Paul Judge and Senior Research Scientist Daniel Peck described what Barracuda Labs learned from studying Twitter traffic and attacks.
According to Judge, Twitter illustrates the gap that exists between domain-level trust and user-level trust. For example, Twitter played the unwitting host to high-profile account hijackings, from Axl Rose to the New York Times. Flaws have been exploited to hack into Twitter servers, such as the April 2009 break-in affecting accounts belonging to Barack Obama and Britney Spears. More recently, a Turkish student found syntax that could be used to force other users to follow your Twitter account. In September 2010, a cross-site scripting exploit was found that enabled forced re-tweeting.