RSA: New Frontiers in Threat Research


At the 20th annual RSA Conference in San Francisco last week, speakers covered a wide range of topics, from secure cloud delivery and software development to data leak prevention and risk management. But to quench attendee thirst for sizzle, two entire tracks were devoted to hackers and threats – research on cutting-edge exploits and attack trends that keep security practitioners up at night. Here are a few of the findings disclosed by security researchers charting out these new frontiers.

Mobile Security - The Ugly Truth

Patrick Traynor, an assistant professor at the Georgia Institute of Technology, opened with a talk on the disruptive potential of mobile malware, sharing eye-opening estimates of what denial-of-service (DoS) attacks against cellular networks could do.

"When it comes to mobile malware, everyone is looking for rogue apps – banking trojans, IMEI/IMSI thefts – but what about cellular network availability?" pondered Traynor. "Malicious behavior follows utility, so [this kind of] malware is inevitable, but its potential impact is poorly understood. Even relatively small botnets in this environment could cause area-code scale outages."

To illustrate, Traynor showed how an SMS (text message) flood could block incoming calls. Googling cellular numbers in a given geographic area could yield a big hit list in minutes. "If you sent just 495 SMS [texts] per second, the probability of blocking calls is 71 percent – that's easily accomplished with cable modem bandwidth," he said. DoS could even occur by accident – for example, a university sending campus-wide SMS alerts might inadvertently block outgoing calls for help.

GSM data networks are even more vulnerable to DoS, due to the high cost of call setup. "Phones rely on temporary MAC layer IDs to receive data, but only a small number of those exist. An attacker that repeatedly pinged [mobile phones] could keep all IDs busy. Sending just 160Kbps could block 97 percent of legitimate data traffic. That's a very low bandwidth attack against a high bandwidth service," said Traynor. An attacker would need a botnet of fewer than 12,000 phones to pull off this DoS attack – a small fraction of the number of iPhones sold every month.

Profiting from Mobile Malware, Russian Style

Traynor was followed by Kaspersky Lab malware analyst Dennis Maslennikov, who described the recent evolution of SMS trojan horse programs in Russia.

"Most mobile trojans now use SMS," said Maslennikov. "In 2008, we saw primitive J2ME trojans. By 2009, we saw more advanced J2ME and some Symbian and Windows Mobile trojans. Last year, we started to see more complex mobile trojans."

For example, SMS.J2ME.Konov was a relatively primitive mobile trojan, spread via a Russian social network. This small trojan used no encryption to obfuscate its code and no sophisticated tricks to solicit user input. It simply churned out SMS messages to a hard-coded set of premium rate numbers, thereby generating revenue for mobile network operators, content providers, and affiliate networks.

By fall 2009, SMS.SymbOS.Lopsoy was making the rounds as a digitally signed Symbian S60 third edition trojan, posted on game download sites. This trojan pulled SMS content and premium rate numbers from a remote URL, making it harder to block with filters. SMS.WinCE.Sejweek targeted Windows Mobile devices in a similar fashion.

This type of SMS malware is flourishing in Russia, said Maslennikov, because affiliate networks can easily rack up $1M per month, received anonymously via electronic payment networks. "Increasingly sophisticated techniques are now being applied to different mobile platforms by hundreds of criminalized affiliate networks," he said. Although this malware largely targets Russian users today, Maslennikov has already started to see growth against users in Latvia, Lithuania, Estonia, Germany, and the U.S.

Adobe - Evaluating the World's Number One Most Exploited Software

Kaspersky Lab senior researcher Roul Schouwenberg offered a worrisome but ultimately optimistic look at last year's exploit explosion against Adobe software. Operating system improvements like DEP (Windows XP SP2) and ASLR (Windows Vista) prompted a migration away from OS-level attacks towards browser-based and application attacks. To create commodity malware for a very large market, "The bad guys just had to look for other software that was broadly present on PCs," he said. This led to a surge of Adobe Flash, Adobe Reader, and Java attacks.

Exploit kit automation and obfuscation fueled this growth, explained Schouwenberg. "This started with MPack in late 2006, which attacked PDFs, QuickTime, RealPlayer, and Internet Explorer. From 2008 on, we saw clearer kit focus on Adobe software. Kits caused growth in targeted attacks – PDF was the casualty of this; Java is increasingly the next biggest victim," he said.

Adobe Reader is targeted more often than Flash because it has a bigger code base and supports many old and proprietary features. PDFs have also become widely popular and are less likely to be scrutinized or blocked than executables. In Q1 2010, 48 percent of all exploits involved malicious PDFs, making Adobe Reader the most exploited software.

But in Q2 of last year, PDF attacks fell to 30 percent, while Java attacks grew. "This is quite telling – it shows that improvements by Adobe, such as making sure you're hooked in DEP and ASLR, really matter," explained Schouwenberg. "Most of the malicious PDFs out there today don't work on Windows 7 due to DEP and ASLR." As a result, Schouwenberg believes that Java exploits may exceed PDF exploits this year.

For mitigation, Schouwenberg recommends using an alternative PDF reader, changing settings to reduce risk, and using up-to-date anti-malware. "Try Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to force programs to use DEP and ASLR," suggested Schouwenberg. "That doesn’t always work, but it is worth trying – for example, to make Java a whole lot safer with the push of one button."
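Being "hooked in DEP and ASLR", as Schouwenberg puts it, comes down to two opt-in flags in a Windows binary's PE header: NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR). The Python below is an added example, not code from the talk or from Kaspersky. It reads those flags from the optional header and also checks that the image still carries relocations, because an image marked DYNAMIC_BASE with IMAGE_FILE_RELOCS_STRIPPED set cannot actually be moved by the loader. The headers it builds for itself are constructed test images, not real programs; the offsets and flag values are those documented in the PE/COFF specification.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics flag
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def check_mitigations(image: bytes) -> dict:
    """Report whether a PE image opts into DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: SizeOfOptionalHeader at +16, Characteristics at +18
    size_of_opt, file_chars = struct.unpack_from("<HH", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    if size_of_opt < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at +70 in both the PE32 and the PE32+ optional header
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise the base if the image still has relocations
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_test_image(dll_chars: int, pe32plus: bool = False,
                     relocs_stripped: bool = False) -> bytes:
    """Constructed minimal PE header (not loadable) for exercising check_mitigations offline."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x014C        # AMD64 / I386
    size_of_opt = 240 if pe32plus else 224
    file_chars = 0x0002                              # IMAGE_FILE_EXECUTABLE_IMAGE
    if relocs_stripped:
        file_chars |= IMAGE_FILE_RELOCS_STRIPPED
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_of_opt, file_chars)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE |
                                IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    for key, value in check_mitigations(data).items():
        print("%-16s %s" % (key, value))
```

Point it at a real binary (for example the Reader or Java executable installed on a PC) to see what the vendor opted into. EMET addresses the gap this check exposes from the other side: it forces DEP and ASLR on processes whose binaries never asked for them, which is why Schouwenberg suggests it for Java.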

There's an App for That: What Mobile Apps Mean for Security

During their session, Lookout Mobile Security CTO Kevin Mahaffrey and Principal Engineer Tim Wyatt presented new findings published by the App Genome Project. This project explores iOS and Android apps, studying how they access personal data and sensitive capabilities, aiming to help users stay safe and identify threats in the wild. To accomplish this, a distributed crawler accesses the Android Market and Apple App Store, enumerating apps, retrieving metadata, and downloading free apps. By storing metadata and software for offline analysis, researchers have been able to document mobile app feature use (stated and actual) and track changes.

Android apps have more than doubled over the past six months, with paid apps spiking from 22 to 33 percent. Although the Apple App Store is still larger, it is growing far more slowly, with the percentage of paid apps dropping. Overall, more iOS than Android apps access stored contacts and current location. Specifically, 28 percent of Android Market apps and 34 percent of App Store apps can access location; 7.5 percent of Android Market apps and 11 percent of App Store apps can access contacts.

It turns out that not all apps that accessed sensitive data for unusual reasons were malicious. However, some apps were far less than up-front about what they were doing. For example, one set of cryptically named iOS "system utilities" turned out to be copies of Mobile Spy, a commercial app hidden on iPhones under surveillance. A flashlight app contained an unadvertised SOCKS proxy to enable 3G tethering without tipping off Apple reviewers.

When the project branched out to third-party app sites (e.g. Cydia, Chinese Android markets), they discovered that most downloads were also published at the official app stores. At one site, 85 percent of 22K downloadable apps were pirated paid apps, repackaged to remove DRM. At two alternative Android markets, just a few repackaged apps were pirated, but many more were free apps repackaged to inject ads. Repackaging was also the distribution technique of the Android Geinimi trojan, which enabled remote control over SMS texting, phone calls, and app install prompts. Similar techniques were reportedly used by the Android Hong TouTou trojan found last week.

In conclusion, Mahaffrey and Wyatt recommended that enterprise IT track mobile attack developments. "In the last two months, there have been fairly large jumps in technical sophistication in Android malware – invest ahead of threats and cut the bad guys off," they said. "Don't ban apps, but encourage users to download responsibly. Ask: Does the app come from a reputable market? A reputable developer? Does it require superfluous permissions? Use the same caution when downloading apps to your phone as you use on your PC."
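The last of those questions, "Does it require superfluous permissions?", can be turned into a mechanical check on Android, where every permission an app wants is declared up front in its AndroidManifest.xml. The Python below is an added example, not Lookout's App Genome code. It extracts the declared permissions, flags the two data types the project measured (location and contacts), and lists anything beyond an assumed baseline for the app's category. The manifest is constructed for a hypothetical flashlight app, and the flashlight baseline (camera access for the flash LED, nothing else) is my own assumption, not something the talk defined.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that gate the two data types the App Genome Project measured
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
}

# Assumed baseline per category (reviewer's judgement, not from the talk):
# a torch app needs the camera flash and nothing else.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA"},
}

# Constructed manifest for a hypothetical flashlight app; not a real package.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Torch"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Every <uses-permission android:name=...> the manifest declares."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.findall("uses-permission") if el.get(NAME_ATTR)}


def audit_manifest(manifest_xml: str, category: str) -> dict:
    """Flag sensitive-data access and permissions beyond the category baseline."""
    root = ET.fromstring(manifest_xml)
    declared = declared_permissions(manifest_xml)
    sensitive = {}
    for perm, kind in SENSITIVE_PERMISSIONS.items():
        if perm in declared:
            sensitive.setdefault(kind, []).append(perm)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    return {
        "package": root.get("package"),
        "accesses_location": "location" in sensitive,
        "accesses_contacts": "contacts" in sensitive,
        # Anything declared that the category has no plausible use for
        "superfluous": sorted(declared - expected),
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST, "flashlight").items():
        print("%-18s %s" % (key, value))
```

Inside an APK the manifest is stored in Android's binary XML encoding, so decode it first with apktool, or get the same list straight from the package with `aapt dump permissions app.apk`. This covers only what an app states. The project's comparison of stated versus actual behaviour also requires looking at the code: the SOCKS proxy in the flashlight app above would never show up in a permission list.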

The Dark Side: Measuring and Analyzing Malicious Activity on Twitter

Another fast-growing platform that has become a target for malicious activity is Twitter. In their RSA session, Barracuda Labs Chief Research Officer Paul Judge and Senior Research Scientist Daniel Peck described what the lab learned from studying Twitter traffic and attacks.

According to Judge, Twitter illustrates the gap that exists between domain-level trust and user-level trust. For example, Twitter has played unwitting host to high-profile account hijackings, from Axl Rose to the New York Times. Flaws have been exploited to break into Twitter's own systems, such as the April 2009 break-in affecting accounts belonging to Barack Obama and Britney Spears. More recently, a Turkish student found a request syntax that could be used to force other users to follow your Twitter account. In September 2010, a cross-site scripting exploit was found that enabled forced re-tweeting.


Many malicious Twitter incidents were facilitated by shortened links, including the "Funniest Video" banking trojan, the Bifrost backdoor trojan, and NeoSploit download attacks. To mitigate this, Twitter established its own link-shortening service so that links can be checked against known malware and phishing sites. Twitter also replaced basic authentication with OAuth, so that authorized apps can act on a user's behalf without the user ever disclosing a password to them.

Daniel Peck described Barracuda's study, which used Twitter's API to send 20K queries per hour and gather a large volume of tweets for analysis. By modeling normal user behavior, Barracuda tried to identify characteristics correlated with malicious Twitter accounts. During the first phase, Barracuda analyzed the number of tweets sent, their frequency, and the number and ratio of Followers and Friends.

Among "true Twitter users," most have 1-9 Followers; just 17 percent had more than 100, and only 1 percent had over 1,000. Similar percentages existed for Friends (the accounts a user follows), leading Barracuda to conclude that few users have significantly more Followers than Friends or vice versa. By focusing on exceptionally popular Twitter accounts, Barracuda identified a "Red Carpet Era" (November 2008-2009) during which 54 percent of the most popular accounts were created. This correlates with the Twitter "Crime Rate" (the percentage of Twitter-suspended accounts), which spiked to 12 percent in 2009.

Additionally, Barracuda found that accounts with large negative Follower/Friend deltas (following many more accounts than follow them back) were more strongly correlated with apparent scams and links to illegal downloads, trojans, and rogue anti-virus installers. Finally, Barracuda showed that attackers have learned to use Twitter SEO to spread malware: 8 percent of malware on a blacklist could be found by searching popular Twitter hash tags (compared to 38 percent on Google). Twitter users: this study's message is clear. Be careful what you click on!

Wireless Vulnerabilities in the Wild: View from the Trenches

Finally, K N Gopinath ("Gopi"), Director of Engineering at AirTight Networks, drilled into 802.11 wireless network and client vulnerabilities. Using Wi-Fi observations collected from over 4,500 wireless IPS sensors, deployed by 156 businesses at 2,155 locations, Gopi shed light on the incidence, duration, and frequency of real-world Wi-Fi vulnerabilities. The data set included over 250K unique access points (APs), roughly 70 percent of them external or unmanaged, that is, not part of the authorized WLAN. Of the 118K Wi-Fi clients studied, 87 percent were external or unmanaged.

"Most IT professionals think Rogue APs are the most common Wi-Fi vulnerability," said Gopi. "But we found that's not so." Misconfigured APs came in second: 60 percent of the studied networks had them, while just 50 percent had confirmed Rogue APs (unauthorized APs actually connected to an organization's network). Judging by MAC address, most Rogue APs were consumer products, and just 29 percent were secured with WPA or WPA2. "The rest present a large potential risk for backdoor attacks," warned Gopi.

However, client extrusions (authorized clients willing to connect to unauthorized APs) were by far the largest vulnerability in this study. Most laptops are at some point connected to an external home or hotspot Wi-Fi network. When workers carry those clients back to the office, the clients keep trying to reestablish those connections, explained Gopi. This is why so many clients were overheard probing for unauthorized network names, including known-vulnerable SSIDs such as "Free Public WiFi".
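A WIPS sensor sees a client extrusion as a stream of 802.11 probe requests: a managed laptop calling out, in the clear, the names of networks it has joined before. The Python below is an added example, not AirTight's code. It runs over a constructed probe log and reports, for each managed client, the SSIDs outside the authorized WLAN it probed for, how many times, and over what time span, flagging any that appear on a known-risky list. "Free Public WiFi" comes from the talk; the other risky SSIDs, the MAC addresses, the sensor names and the log format are assumptions made for the example.

```python
# Constructed probe-request log (not AirTight data): timestamp, sensor, client MAC, probed SSID.
# SSIDs may contain spaces, so each line is split at most three times.
SAMPLE_PROBE_LOG = """\
2011-02-15T09:01:12 sensor-3f 00:1e:8c:aa:bb:01 CorpWLAN
2011-02-15T09:01:13 sensor-3f 00:1e:8c:aa:bb:01 Free Public WiFi
2011-02-15T09:01:13 sensor-3f 00:1e:8c:aa:bb:01 linksys
2011-02-15T09:02:40 sensor-3f 00:26:08:cc:dd:02 CorpWLAN
2011-02-15T09:03:05 sensor-11 00:23:12:ee:ff:03 attwifi
2011-02-15T09:03:06 sensor-11 00:23:12:ee:ff:03 Free Public WiFi
2011-02-15T09:04:00 sensor-11 00:16:cb:11:22:04 CorpWLAN-Guest
2011-02-15T09:04:02 sensor-11 00:16:cb:11:22:04 HomeNet-5G
"""

# Assumed inventory: which clients the organisation owns and which SSIDs it operates
MANAGED_CLIENTS = {"00:1e:8c:aa:bb:01", "00:26:08:cc:dd:02", "00:16:cb:11:22:04"}
AUTHORIZED_SSIDS = {"CorpWLAN", "CorpWLAN-Guest"}
# "Free Public WiFi" is named in the talk; the rest are assumed default/open hotspot names
RISKY_SSIDS = {"Free Public WiFi", "linksys", "default", "attwifi"}


def parse_probes(log_text):
    """Yield (timestamp, sensor, client_mac, ssid) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sensor, mac, ssid = line.split(" ", 3)
        yield ts, sensor, mac.lower(), ssid


def find_client_extrusions(log_text, managed=MANAGED_CLIENTS,
                           authorized=AUTHORIZED_SSIDS, risky=RISKY_SSIDS):
    """Managed clients probing for SSIDs outside the authorized WLAN.

    Unmanaged clients are ignored (they are someone else's problem), as are
    probes for the organisation's own SSIDs. ISO-8601 timestamps compare as strings.
    """
    stats = {}
    for ts, _sensor, mac, ssid in parse_probes(log_text):
        if mac not in managed or ssid in authorized:
            continue
        rec = stats.setdefault(mac, {"ssids": set(), "probes": 0,
                                     "first_seen": ts, "last_seen": ts})
        rec["ssids"].add(ssid)
        rec["probes"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
    return {
        mac: {
            "unauthorized": sorted(rec["ssids"]),
            "known_risky": sorted(rec["ssids"] & risky),
            "probes": rec["probes"],
            "first_seen": rec["first_seen"],
            "last_seen": rec["last_seen"],
        }
        for mac, rec in stats.items()
    }


if __name__ == "__main__":
    for mac, rec in sorted(find_client_extrusions(SAMPLE_PROBE_LOG).items()):
        print(mac, rec)
```

Real sensors deliver this in their own export format, or as pcap, where the SSID is the tagged parameter inside each probe request frame; only the parser changes. A client that shows up here is exactly what the mobile honeypot in the next paragraph preys on: it will associate with any AP that answers to one of those names.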

To illustrate this, Gopi turned his Nokia N900 smartphone into a "mobile honeypot" – a malicious AP trying to lure nearby clients. By running SSLStrip on his phone, Gopi intercepted a connected demo client's Yahoo! session. "Bottom line: Using a smartphone and off-the-shelf tools, we were able to capture this user’s credentials. Technology advances have made this so easy. Hacking is no longer confined to geeks," he said.

This study showed that wireless vulnerabilities present in real-world networks are often associated with external or unmanaged devices. "The enterprise wireless environment has been influenced by consumerization," said Gopi. "Mitigation [steps] should be taken to stop not just AP-based intrusions, but also client-based extrusions."

These are just a handful of the many research presentations delivered at this year's RSA Conference. To hear others, check out the RSA Conference session recordings and slide downloads.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 29-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
