TLP WHITE

An introduction to malware
 TLP WHITE

Contents
Introduction ............................................................................................................................................................ 3
Viruses and worms ................................................................................................................................................. 4
The SQL Slammer worm ..................................................................................................................................... 4
CiSP Analysts recommend .................................................................................................................................. 4
Trojans .................................................................................................................................................................... 5
GameoverZeus .................................................................................................................................................... 5
CiSP Analysts recommend .................................................................................................................................. 6
Phishing .................................................................................................................................................................. 7
Spear phishing in the defence and telecommunications industries ................................................................... 7
CiSP Analysts recommend .................................................................................................................................. 8
Example O2 phishing email................................................................................................................................. 8
Ransomware ........................................................................................................................................................... 9
CryptoLocker....................................................................................................................................................... 9
CiSP Analysts recommend .................................................................................................................................. 9
Keyloggers ............................................................................................................................................................ 10
Haxdoor and Heartbleed .................................................................................................................................. 10
CiSP Analysts recommend ................................................................................................................................ 11
Rootkits ................................................................................................................................................................. 12
Mebroot and Necurs......................................................................................................................................... 12
CiSP Analysts recommend ................................................................................................................................ 12
Cutwail and Asprox ........................................................................................................................................... 15
CiSP Analysts recommend ................................................................................................................................ 15
Watering Holes ..................................................................................................................................................... 16
The VOHO campaign ......................................................................................................................................... 16
CiSP Analysts recommend ................................................................................................................................ 16
Future Focus ......................................................................................................................................................... 17
The expansion of ransomware ............................................................................................................................. 17
The diversification of watering holes ............................................................................................................... 17
The rise of mobile malware .............................................................................................................................. 17
New exploits for old software .......................................................................................................................... 18
Increasing attacks in the cloud ......................................................................................................................... 18
Conclusion ............................................................................................................................................................ 18
Annex A: 10 Steps to Cyber Security .................................................................................................................... 19
Bibliography .......................................................................................................................................................... 20

1
 TLP WHITE

“We worried for decades about

weapons of mass destruction.
Now it is time to worry about a
new kind of WMD – weapons of
mass disruption.”
John Mariotti, Technology Journalist and CEO of
‘The Enterprise Group’

2
 TLP WHITE
Introduction
Malicious software, or malware, is used by cybercriminals, hacktivists and nation states to disrupt computer
operations, steal personal or professional data, bypass access controls and otherwise cause harm to the host
system (1). Appearing in the form of executable code, scripts, active content or other software variants, there are
many different classes of malware which possess varying means of infecting machines and propagating
themselves.

Malware remains a dangerous and consistent threat and its success has spawned a host of improved detection
and prevention technologies. The resulting arms race means that the technologies of attackers continue to evolve
in order to remain ahead of security vendors (Figure 1). This has resulted in the constant invention of new fraud
mechanics to evade existing security solutions, and commoditization in which cutting-edge limited circulation
techniques are turned into mainstream capabilities.

Given the importance of the user in facilitating malware propagation, raising awareness remains one of the key
components in tackling cybercrime. This report will therefore review some of the most common malware variants,
including: viruses/worms, Trojans, phishing, ransomware and bots. Each description is accompanied by a case
study to provide real-world context, followed by a brief discussion of steps which can be taken to reduce user
vulnerability and a review of future trends. Where relevant, references are also made to the work of CERT-UK and
members of CiSP, the UK’s Cyber Security Information Sharing Partnership, which sits within CERT-UK and draws
together experts from across government, academia and industry, to securely share information on recent cyber
developments and techniques, to enable the effective identification and amelioration of threats (2).

Further information on all topics covered can be found on the CiSP environment: https://share.cisp.org.uk
Known Number of Malware Threats

Year

Figure 1: The increase in the known number of malware threats from 1991 to 2011. Adapted from Microsoft (3).

3
 TLP WHITE
Viruses and worms
Probably the most well-known form of malware, viruses consist of harmful programs
which can self-replicate and are designed to infect legitimate software programs.
The majority of viruses are attached to an executable file, which means that the
malware can remain inactive on the host system and will not be spread until a user
runs or opens the malicious content. Once the infected programme has been run or
installed the virus is activated and begins to spread itself to other programs on the
current system (4). This is often followed by damage to additional areas, for example
the deletion of critical files within the operating system, and the use of email
programmes to facilitate dissemination to other machines (5). Worms are a variation on a similar theme, the
primary difference being that the latter is able to operate as a stand-alone program and transmit itself across a
network directly.

The SQL Slammer worm

In late January 2003 the internet was hit with a new web-server worm which brought down several important
systems, including the ATM service for Bank of America. The worm in question is referred to as SQL Slammer, and
operated by causing a denial of service (DoS) on several internet hosts to significantly inhibit web traffic. Despite
its title, the malware did not use the SQL language itself, but operated by exploiting a buffer overflow bug in
Microsoft’s SQL Server and Desktop Engine database products. The malicious piece of code functioned by
generating random IP addresses which it would then use to distribute itself in the hope that the selected host
would be running an unpatched copy of Microsoft SQL Server. In such cases, the host immediately became
infected and began to spread the malware to other potential victims (6). The progress of SQL Slammer is well
documented; within minutes of the first internet server infection the number of victims doubled every 15 seconds.
After a mere fifteen minutes SQL Slammer had infected approximately half of the servers that act as the pillars of
the internet (7). Interestingly, CiSP members have recently seen the re-emergence of this old threat, which
emphasises the importance of constant vigilance and knowledge sharing in efforts to avoid malware attacks (8).

CiSP Analysts recommend

Install suitable anti-virus software and activate a firewall; when selecting software, choose a program that offers
tools for detecting, quarantining, and removing multiple types of malware. Anti-malware software should protect
against viruses, spyware, adware, Trojans, and worms (1). In combination with a firewall, this will ensure all
incoming and existing data gets scanned for malware and that the majority of existing malware can be removed
following detection.

4
 TLP WHITE
Trojans
Similar to its historical namesake, a Trojan horse is a malicious program disguised to
trick an unsuspecting user into downloading and installing it. Once this takes place the
malware purposefully performs an action or actions that the user doesn’t expect (9).
This often involves providing remote access to the infected machine, allowing attackers
to steal data, install additional malware or monitor user activity. Trojans don’t replicate
(as a worm would), nor do they infect other files (like a virus), but they can be equally
destructive.

Many of the earlier Trojans were used to launch distributed denial-of-service (DDoS) attacks, an attempt to make
a server or a network resource unavailable to users, with notable victims including both Yahoo and eBay during
1999 (10). Today, Trojans are often focussed on gaining backdoor entry to a system, before contacting a controller
who can then benefit from unauthorised access to the infected machine.

GameoverZeus

GameoverZeus (GoZ) is a highly sophisticated banking Trojan, which has been described as the most damaging
botnet ever encountered by US Deputy Attorney General James Cole (11). Used to capture information necessary
to access online accounts, GoZ is believed to be responsible for the theft of millions of pounds from consumers
across the globe. It is also an important example of how cybercriminals can combine different malware variants
to increase the effectiveness and scope of their activities, a technique termed a ‘blended threat’. In this case, GoZ
is often delivered as a zip archive in spear-phishing emails distributed by the Cutwail botnet (details of which can
be found below). Following GoZ infection, hackers can hijack computer sessions and steal confidential and
personal financial information. What’s more, if no such information is available, the malicious package can install
ransomware, such as CryptoLocker, which prevents users accessing their files until a ransom is paid. As such, a
single attack can provide cybercriminals with multiple potential revenue streams (12).

CERT-UK recently supported a US government and NCA-led multi-national operation to disrupt the GoZ botnet,
termed Operation Tovar. This involved the use of sinkholing (13), a technique that redirects the traffic from each
client away from the malicious command-and-control (C&C) server governing the botnet and towards research
servers for analysis.

5
 TLP WHITE
CiSP Analysts recommend

A key component of a Trojan infection is its dependence on tricking the user into performing a desired action in
order to run the malicious .exe file and install the server side of the application. As such, users should be made
aware of common techniques to reduce risk, and platforms such as CiSP are an ideal means of improving
understanding of current malware trends. As well as raising awareness, consider limiting user privileges wherever
possible to reduce the probability of malicious software being downloaded and executed (14). This is particularly
important as many malware threats need full system access to run properly and will allow administrators to
receive notification if any software or application tries to make changes to the primary system.

6
 TLP WHITE
Phishing
Phishing is a form of activity which uses social engineering techniques to
fraudulently acquire personal information, such as passwords, usernames and
credit card details, by masquerading as a trustworthy person or business in an
apparently official electronic communication (9). Emails or instant messages
claiming to originate from banks, online payment processors or IT
administrators are common, and the risk has grown exponentially following the
advent of social media. Communications typically direct users to enter details,
including financial information, at a fake website which almost identically mirrors the appearance and operation
of the legitimate domain (15). Given the importance of the user in this form of malware attack, attempts to deal
with the growing number of reported phishing incidents are focussed on improving user training and public
awareness.

Spear phishing represents a more sophisticated form of traditional phishing attacks, in which select groups or
individuals are targeted, often with the intent of harvesting very specific information or infecting certain entities
with malware. In these situations, actors craft emails that appear to be from a legitimate source, often addressing
targets by name, rank, or title, in an attempt to offer sufficient reassurance for users to trust and interact with
the malicious content. According to a 2012 Trend Micro report, 94% of spear phishing emails use attachments
while the remaining 6% use alternative methods, such as links to websites used to drop malware on a victim’s
computer (16).

Spear phishing in the defence and telecommunications industries

In mid-2014, a defence company shared indicators with fellow CiSP members with regards to a spear phishing
campaign using an exploit in a common internet browser. The emails were sent from only three senders and all
originated from a specific IP address. The links were unique to each user in that an alphanumeric code was present
at the end of varying links. The site contained Java script with checks of browser versions and hex strings. A flash
file was loaded and when decompiled contained an object named "tope" and similar code to recent browser
exploits. Following this, CiSP members belonging to multiple other defence companies reported that they had
also seen the same email campaign against their organisation, indicating this was a specific and targeted attack.

In May 2014 another spear phishing campaign saw emails, purportedly sent from O2, informing customers that
they had an unusually high balance and providing a link to view their bill (17). Interestingly, the email contained a
mixture of malicious and legitimate links, strengthening the apparent authenticity of the source and highlighting
the constant improvements in malware attacks.

7
 TLP WHITE
CiSP Analysts recommend

Once again, raising user awareness is key in limiting the scope of phishing attacks. Remain suspicious of any
unexpected email asking for personal information, confirming its validity with a phone call to the supposed
sender, if necessary. Take heed of the advice distributed by your organisation and commercial partners. In the
case of the O2 scam, the absence of the recipient’s name and the email’s arrival outside of the normal billing date
all suggest that the source is not genuine (Figure 2). If you believe that you have opened a phishing email, you
should notify your IT team immediately and CiSP members should provide the platform with details of the
associated content for further advice and analysis.

Example O2 phishing email

Dear Customer,

Your O2 bill for 28/05/14 is now ready. You can look at your bill here.
In total, your bill for this month comes to £372,85. We’ll request this amount from your chosen account on, or
just after, the date in your bill.
To see your bill, you’ll need the username and password you were given when you joined O2. If you’ve
forgotten them, we can give you a reminder.
Is your bill more than you were expecting?
If so, here’s a few reasons why this might be:
 You could have gone over the minutes, texts or data that’s in your allowance.
 You could have called or sent texts to numbers that can’t be taken from your allowance such as
International, 0800, 0845 numbers or directory enquiries.
 You could have used your phone for calls, text or data whilst abroad.
To view any charges outside your allowance click here
If you have any questions, just ask Lucy. She’s our online virtual agent. You can also find out more about what’s
included in your bill with an online demonstration.
Best regards,
O2

Figure 2: An example of the emails used in the recent O2 spear-phishing campaign (17). Indicators which suggest
the email is fake are highlighted using blue ovals. From top to bottom these are: i) the use of a zero rather than
the letter ‘O’ in the subject heading, ii) the absence of the recipient’s name, iii) the bill arriving outside of the
normal billing date, iv) the use of a comma rather than a decimal point in the billing amount, and v) a large number
of links with unclear destinations. These errors are not common to all phishing attacks, but are typical of the kind
of indicators which may suggest that an email is not legitimate.

8
 TLP WHITE
Ransomware
Ransomware is a particularly sinister form of malware that restricts access
to the computer system it infects. Once the restriction is in place, the
programme demands a ransom be paid to the creator, either in the form of
normal currency or virtual bitcoin, before the restriction will be lifted (18).
Some forms of ransomware encrypt files on the system's hard drive
(cryptoviral extortion), while others will simply lock the system and display
messages intended to coax the user into paying the fee.

Ransomware typically enters a system through a downloaded file or a vulnerability in a network service and
propagates itself in a manner comparable to a conventional computer worm (19). Once a machine is infected, the
program will then run a payload that begins to encrypt personal files on the hard drive, with the malware author
being the only individual with access to the necessary decryption key.

CryptoLocker

CryptoLocker is a ransomware Trojan, first observed by Dell SecureWorks in September 2013, which targets any
machine running a Windows operating system. An attack may stem from various sources, but once activated
CryptoLocker encrypts certain types of files stored on local and mounted network drives. As opposed to many
other malware families, which use custom cryptographic implementation, CryptoLocker uses strong third-party
certified cryptography offered using commercial-grade 2048-bit RSA encryption, meaning the private encryption
and decryption keys are stored solely on the malware's control servers (20). Following infection and activation,
the malware then displays a message which offers to decrypt the data if a payment is made by a stated deadline,
and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to
decrypt data via an online service provided by the malware's operators for a significantly higher price. Figures
suggest that approximately 545,000 machines have been infected with CryptoLocker between September 2013
and May 2014 (21). Fortunately, during the recent Operation Tovar (details above), law enforcement agencies
were able to obtain a copy of the victim database, which should allow a significant proportion of victims to retrieve
their files for free (22).

CiSP Analysts recommend

Unfortunately, whilst ransomware itself is usually easily removed, without the decryption key the files remain
encrypted in a way that researchers often consider infeasible to break (23). Nevertheless, there’s no guarantee
that payments will be honoured and many security firms advise against agreeing to any transactions. Instead,
regular back-ups of data are encouraged, allowing users to revert to a previous clean version of their files, if
required.

9
 TLP WHITE
Keyloggers

Unlike other forms of malware, keyloggers present no threat to the

system itself. However, they can be used to intercept passwords and
other confidential information entered via the keyboard, and as such
pose a serious threat to users. The principle behind a key logger is to get
between the chain of events that link a key press to the subsequent
information displayed on the monitor. This intervention can be
achieved either using physical devices, such as video surveillance and
hardware bugs, or malicious software packages, which can substitute
the keyboard driver, intercept kernel functions, and request
information from the keyboard (24). The data collected includes keystrokes and screen-shots, thereby allowing
attackers to gain access to a host of valuable information, such as PIN codes, account numbers and proprietary
commercial content, all of which can be used to facilitate online fraud.

Haxdoor and Heartbleed

In August 2006 the Scandinavian bank Nordea was the victim of one of the world’s most publicised keylogging
incidents, resulting in the theft of over $1 million from client accounts. During the initial phases of the attack,
Nordea clients began to receive email correspondence, allegedly from the bank, suggesting that they install an
anti-spam product attached to the message. However, once the file was opened and downloaded it would initiate
infection of the well-known Haxdoor Trojan. This piece of malware would subsequently be activated the next time
the victim registered at Nordea’s online service, resulting in an error message in which the user was asked to re-
enter the registration information (25). The keylogger incorporated in the Trojan would then record the data
entered by the bank’s clients before sending the information on to a specific server. As a result, the attackers
were able to access client accounts and withdraw funds, and there are allegations that the same method of attack
has been used successfully against banks in other nations.

In 2014 a new threat capitalised on the fear generated by the Heartbleed bug to scare users into installing a
keylogger onto their machines. Recipients received an email informing them that their computer was infected
and encouraged them to open a docx file. Interestingly, this differs from an executable file attachment, which is
often associated with malicious content, and suggests that attackers are becoming aware of the common
indicators used by consumers to identify malware (26). On opening the docx file the user was presented with an
encrypted zip file which, once extracted, runs the malicious heartbleedbugremovaltool.exe file. As a consequence,
a keylogger was downloaded onto the compromised host, which recorded keystrokes and took screenshots,
before returning the information to a free hosted email provider.

10
 TLP WHITE
CiSP Analysts recommend

Keyloggers can be especially cunning, often bypassing antivirus software by hiding alongside downloads that
appear to be safe and legitimate. As such, the use of one-time passwords, two-step authentication and virtual
keyboards can all help to reduce the risk of exposure, as well as limiting the impact if any passwords are
intercepted. These steps could be combined with the installation of specific anti-keylogger software (27), which
can detect keyloggers that often make it past standard security software, including those that steal data from
clipboards or keystrokes on a virtual keyboard. Many such software packages exist, including SpyShelter,
KeyScrambler and Keylogger Detector.

11
 TLP WHITE
Rootkits

A rootkit is a form of software which enables other malicious processes or programs

to continue to benefit from privileged access to a computer by masking their
existence from normal detection methods (28). Rootkits can either be installed
automatically or manually once an attacker has gained root or administrator access.
After the infection has taken place, a rootkit provides the remote user with access
to all of the folders on a system, including private data and system files, without the
knowledge of the primary user(s). Rootkits may also go deeper to infect the basic
input/output system (BIOS), a chip located on all motherboards that contains
instructions for how the system should boot-up and operate (29).

Mebroot and Necurs

Mebroot is a Trojan which modifies the computer BIOS, before opening a back-door and allowing a remote user
to take control of the compromised system. A key component of the Trojan is its sophisticated rootkit techniques
which hide its presence and prolong the threat exposure. Mebroot modifies the BIOS so that it is able to execute
before Windows is initialised, thereby bypassing security processes and pervading deeper into the core of the
operating system (30). Additional features include the ability to hook low-level network drivers in order to bypass
firewalls and intercept read/write operations.

The use of another notorious rootkit, Necurs, has been observed throughout 2014, with a surge beginning in
February and peaking in March (31). Infection often occurs through downloads by other malware, such
as UPATRE, or as a consequence of opening malicious email attachments. Necurs is particularly dangerous, being
able to hide itself at root level, avoiding detection and even preventing security applications from functioning
(32). In addition, Necurs contains backdoor functionality, allowing remote access and control of the infected
computer as well as monitoring and filtering of network activity. Necurs has recently been seen coupled with
Gameover Zeus (33), to protect malware files on the disk and in memory thereby making it harder to find and
remove the Trojan once it is active.

CiSP Analysts recommend

Due to their invasive nature, rootkits are difficult to remove using normal security products, whilst administrative
access allows the remote user to modify the existing system to make detection more difficult. As a result, manual
methods are often required in rootkit detection, including monitoring computer behaviour to identify irregular
activity, storage dump analysis and signature scanning (1).

12
 TLP WHITE
Risk of rootkit infection can be reduced by regularly patching vulnerabilities in software applications and operating
systems, updating virus definitions, performing static analysis scans and avoiding suspicious downloads. However,
due to the depths that most rootkits penetrate, if an infection is encountered then removal may require hardware
replacement or reinstallation of the operating system (34). As such, regular data back-ups and cloud storage are
advised.

Understanding how current malware operates is vital to improve network security. It is advisable to become
familiar with malware analysis systems and sandboxes, isolated computing environments with specific system
restrictions, which can be used to safely test programming code (35). Commercial malware analysis systems
automate the process, running multiple virtual machines to test malware affects, signatures and methods of
infection. Once this information has been collated the virtual machines can be shut down, eliminating the malware
with no effect on the underlying system.

13
 TLP WHITE
Bots
A bot is a form of malware generated to automatically perform specific operations, with infected machines often
being referred to as 'zombies'. Multiple bots communicating together are termed a ‘botnet’ and can be used to
help execute DoS (denial-of-service) attacks against websites, host phishing attacks or send out thousands of
spam email messages (36). Luring users into making a drive-by download, exploiting web browser vulnerabilities,
or tricking the user into running a Trojan, are all means of executing the malicious software needed to recruit a
computer into a botnet. The malware will then usually install modules that allow the computer to be commanded
and controlled by the botnet's operator.

The software controlling the botnet is hidden in a similar fashion to a rootkit, but a distinction lies in the bot’s
ability to communicate with a command and control (C2) infrastructure, allowing a remote user to provide the
bot with new instructions and malicious capabilities, as required. The C2 topology of botnets continues to evolve
with more advanced configurations displaying greater resilience to shutdown, enumeration or discovery (37).
Typical configurations include: Star (a), Multi-server (b), Hierarchical (c), and Random (d, Figure 3). Recently a
number of botnets have been scaling back to avoid detection.

a) b)

c) d)

Figure 3: Typical C2 botnet configurations: Star (a), Multi-server (b), Hierarchical (c), and Random (d). Adapted
from Ollman, G 2009 (37).

14
 TLP WHITE
Cutwail and Asprox

Cutwail is a well-known spam botnet which has been involved in launching campaigns to distribute the Gameover
Zeus Trojan along with other malware variants (38). Often installed via a separate Trojan, termed Pushdo, Cutwail
utilises an automated template-based system to dynamically generate unique emails and an encrypted
communication protocol to evade spam filters. The Cutwail topology is relatively simple, with bots connected
directly to a C2 server which provides instructions regarding the emails to be sent. Once a task is complete, bots
provide the controller with statistics on the number of emails delivered and errors reported (39). Security
provider MessageLabs has estimated that, at its peak, the total size of the botnet was around 1.5 to 2 million
individual computers, capable of sending 74 billion spam messages a day, which is equivalent to 46.5% of
worldwide spam volume (40).

Asprox is another significant and ongoing botnet threat due to its evolution and strategic deployment. Indeed,
threat actors have continuously tweaked the botnet’s malware payloads, changing hardcoded strings, remote
access commands, and encryption keys (41), whilst the botnet itself has purposely shrunk in size to avoid the
focus of the cybersecurity community. The botnet has been used in a number of recent email spamming
campaigns targeting users across the globe, with the current iteration shifting from sending links to malicious sites
and malware downloads, to embedding malicious code in attachments pretending to be a Microsoft Office
document (42). Asprox then issues commands that instruct compromised computers to download additional
payloads provided by a pay-per-install (PPI) affiliate, from which botnet operators earn revenue (43).

CiSP Analysts recommend

Within CiSP, we routinely publish an aggregated list of the (C2) servers we have identified as being used by
malware. CERT-UK are able to take in a large volume of ‘abuse’ information that has been traced to the UK, which
could be anything from a botnet infected client to an IP address in the UK launching automated scans across the
internet. In addition to utilising this information to produce a list of C2 servers that businesses can use to identify
malicious activity on their networks, CiSP also provides a free automated alerting system to members. As the
abuse reports are automatically processed, they are checked against the network information that members have
provided, either in the form of IP addresses, autonomous system numbers (ASN) or domain names. Should the
system correlate a piece of abuse with a member’s network information an automatic email alert is sent to the
listed point of contact. The email alert contains as much information as we are able to provide, but as a minimum
will offer sufficient information to initiate an internal investigation to locate the abuse.

15
 TLP WHITE
Watering Holes
Although not a form of malware in their own right, watering holes,
or ‘strategic web compromises’ are an increasingly common means
of introducing malware onto a victim’s system (44). Their goal is not
to disseminate malware to as many systems possible, but rather to
run exploits on trusted sites that are likely to be visited by the
attacker’s target victims. Common exploits include SQL injection,
malicious iFrames or cross-site scripting code; all of which
automatically infect users once they visit the compromised site. After a user’s machine is infected, an attacker is
able to gain access to the victim’s system and obtain passwords, usernames and other privileged data.

Watering hole attacks are known to preferentially target unpatched vulnerabilities by incorporating zero-day
exploits, i.e. a vulnerability in a computer application that was previously unknown or developers have not had
time to patch (45). Relying on websites that are known and trusted makes watering holes an extremely efficient
attack vector, even for groups that have become resistant to spear phishing, and has resulted in their exponential
increase during recent years. This can be attributed to overall website security; in 2013 Symantec reported that
77% of legitimate websites possess an exploitable vulnerability (46), providing attackers with a plethora of
opportunities to host malware and entrap victims.

The VOHO campaign

In mid-2012, RSA identified a campaign known as VOHO aimed primarily at North American financial and
technology services in which malicious JavaScript was inserted into carefully selected sites by the attackers (47).
When visitors arrived at the site the exploit prompted the installation of “gh0st RAT”, a commonly observed
Remote Access Trojan that has historically been used to perform surveillance and intelligence collection by
advanced persistent threat (APT) groups (48) and is capable of surreptitiously operating webcams and
microphones on compromised PCs. Analysis of server logs suggest that the attack affected approximately 32,000
individual hosts across 4000 organisations.

CiSP Analysts recommend

Given the importance of zero-day exploits in facilitating watering hole attacks, the primary defence is to ensure
all systems are updated with the latest software patches offered by vendors. Check regularly for available fixes
and take advantage of organisations, like Microsoft, Linux and Apple, who offer automatic update services
whenever you are online (14). In the event that a suitable patch or fix isn’t available, consider vulnerability
shielding or virtual patching. This operates on the premise that exploits take a definable network path in order to
use a vulnerability (49), thereby helping administrators to scan suspicious traffic and identify any deviations from
typical protocols to prevent exploits.

16
 TLP WHITE
Future Focus

Unfortunately, cybercriminals continue to adapt the malware they use in

the face of increased security measures and target awareness.
Throughout 2014 we anticipate an increase in several key areas,
including:

The expansion of ransomware

With many victims continuing to make payments, ransomware remains a lucrative business for cybercriminals. In
mid-2013 data released by McAfee, the security software vendor, indicated that the 250,000 unique ransomware
samples collected in the first quarter of that year had more than doubled from the comparable period in 2012
(50). New variants of file-encrypting malware have been popping up since April 2014, including Cryptowall and
Cryptodefence. Interestingly, SophosLabs have noted that there has been an evolution in the delivery mechanism
used to propagate Cryptowall; whereas most ransomware attacks use spam emails to trick users into executing a
file download, Cryptowall can infect any machine visiting a site hosting either the RIGs or Angler exploit kits (51).

The diversification of watering holes

Watering holes have increased in number dramatically over the previous few years, with many hackers who were
using spear phishing turning to this new attack method. As user awareness increases expect to see greater
subtlety and variation in the attack set-up. Analysts have recently reported seeing refined watering hole variants
that only target a specific range of IP addresses (52), reducing the chance that perpetrators will be identified by
the cyber community.

The rise of mobile malware

Worms first attacked Symbian Series 60 mobile phones as far back as 2004.
However, whilst the principal of mobile malware is nothing new, there has
recently been a rapid expansion in number, variety and sophistication. One
of the most common mobile malware variants are SMS-senders, such as
Andr/AdSMS (53). Once installed, a malicious application disguised as a
pirated app is often displayed in conjunction with a hidden module which
will start sending SMS messages to premium rate numbers at the user’s
expense (54). Since individuals often fail to closely interrogate their mobile
bills, it may take some time for any changes to be noticed.

17
 TLP WHITE
New exploits for old software

2014 saw the end of corporate support for Microsoft XP and Office 2003 meaning no further security patches or
fixes will be released without the arrangement of custom support agreements. This has extremely significant
implications given that 31% of all PCs were still running XP as of September 2013 (55). Although products will
continue to function, new threats won’t be addressed and experts have suggested that hackers will attempt to
reverse engineer future patches for more modern systems to identify and subsequently exploit any shared
vulnerabilities (56). Unfortunately, the situation is likely to become even more complicated once Microsoft ends
support for Windows Server 2003 in July 2015.

Increasing attacks in the cloud

With businesses increasingly relying on cloud services to manage financial assets, customer data and commercial
plans, expect a surge in attacks targeting endpoints and credentials to gain access to cloud accounts. The specific
form of attack may vary, but industry experts are suggesting ransomware may be adapted to take hostage of
documents beyond the physical machine (55). As a result, stringent cloud data access policies and strong account
passwords are more important than ever. In addition, check the security policies of your cloud provider and make
sure you are comfortable with how they are storing your data.

Conclusion
The evolution of malware represents an ongoing arms race between cybercriminals, hacktivists, nation states and
network defenders, with the continual emergence of new threats and techniques to evade existing security
measures. Whether you are an IT professional, entrepreneur, or individual user, defending against these new
attacks requires everyone to become more aware and increase their understanding of malware operations (55).
You can reduce the potential avenues for attack by applying a range of mitigations, such as limiting user privileges,
removing unused platforms, installing patches/updates, enabling suitable antivirus software and ensuring your
staff know what to look out for.

The battle for IT security will never end, but the application of best practice and the effective sharing of available
knowledge, through platforms such as CiSP, will give every organisation the best chance of staying safe in the
digital age.

18
 TLP WHITE
Annex A: 10 Steps to Cyber Security
As discussed under each individual heading, basic information risk management can stop up to 80% of the cyber-
attacks seen today, allowing companies to concentrate on managing the impact of the other 20%. We recommend
that as a business you take steps to review, and invest where necessary, to improve security in the following key
areas:

19
 TLP WHITE
Bibliography
1. Nate, L. Common Malware Types: Cybersecurity 101. [Online] http://blog.veracode.com/2012/10/common-
malware-types-cybersecurity-101/.
2. CISP. Cyber Information Sharing Partnership. [Online] https://www.cisp.org.uk/.
3. Microsoft. Microsoft Security Intelligence Report: Evolution of Malware. [Online] 2011.
http://www.microsoft.com/security/sir/story/default.aspx#!10year_malware.
4. CISCO. What is the Difference: Viruses, Worms, Trojans and Bots? [Online]
http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html.
5. Barraco, L. What are the Most Common Types of Malware. [Online] December 2013.
http://www.alienvault.com/blogs/security-essentials/what-are-the-most-common-types-of-malware.
6. Ducklin, P. Memories of the Slammer Worm: Ten Years Later. [Online] January 2013.
http://nakedsecurity.sophos.com/2013/01/27/memories-of-the-slammer-worm/.
7. Boutin, P. Slammed: An Inside View of the Worm that Crashed the Internet in 15 Minutes. [Online]
http://archive.wired.com/wired/archive/11.07/slammer.html.
8. CERT-UK. C-SAWR Extract 22. [Online] June 2014. https://www.cert.gov.uk/wp-content/uploads/2014/06/C-
SAWR-Extract-22.pdf.
9. McAfee. Virus Information. [Online] http://home.mcafee.com/virusinfo.
10. Landesman, M. Trojan. [Online] http://antivirus.about.com/od/whatisavirus/g/trojan.htm.
11. Silver, J. Governments disrupt botnet “Gameover ZeuS” and ransomware “Cryptolocker”. [Online] June
2014. http://arstechnica.com/tech-policy/2014/06/governments-disrupt-botnet-gameover-zeus-and-
ransomware-cryptolocker/.
12. The Week. Gameover Zeus and Cryptolocker: how to protect yourself. [Online] June 2014.
http://www.theweek.co.uk/technology/58794/gameover-zeus-and-cryptolocker-how-to-protect-yourself.
13. Sancho, D and Link, R. Sinkholing Botnets. [Online] http://www.trendmicro.co.uk/media/misc/sinkholing-
botnets-technical-paper-en.pdf.
14. Microsoft. Help Prevent Malware Infection on your PC. [Online]
http://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx.
15. TechTerms. Phishing. [Online] http://www.techterms.com/definition/phishing.
16. TrendMicro. Spear-Phishing Email: ATP Most Favoured Attack Bait. [Online] 2012.
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-
email-most-favored-apt-attack-bait.pdf.
17. O2. Phishing Alert: Mid-2014. [Online] May 2014. http://news.o2.co.uk/2014/05/29/phishing-alert-may-
2014/.
18. Microsoft. Ransomware. [Online]
http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx.
19. WhatIs.com. Ransomware. [Online] http://whatis.techtarget.com/definition/ransomware-cryptovirus-
cryptotrojan-or-cryptoworm.
20. Jarvis, K. Cryptolocker Ransomware. [Online] December 2013. http://www.secureworks.com/cyber-threat-
intelligence/threats/cryptolocker-ransomware/.
21. Leyden, J. CryptoLocker victims offered free key to unlock ransomed files. [Online] August 2014.
CryptoLocker victims offered free key to unlock ransomed files.

20
 TLP WHITE
22. Wilhoit, K and Dawda, U. Your Locker of Information for Cryptolocker Decryption. [Online] August 2014.
http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html.
23. Wolter, J. Cryptolocker', A "Hackers" Dream. [Online] May 2014. http://www.nesteggg.com/news/item/520-
cryptolocker-a-hackers-dream.
24. Grebennikov, N. Keyloggers: How they work and how to detect them. [Online] March 2007.
https://www.securelist.com/en/analysis/204791931/Keyloggers_How_they_work_and_how_to_detect_them_
Part_1.
25. Espiner, T. [Online] January 2007. http://www.zdnet.com/swedish-bank-hit-by-biggest-ever-online-heist-
3039285547/.
26. Truta, F. HeartBleed Virus Removal Tool Actually Carries a Trojan. [Online] May 2014.
http://news.softpedia.com/news/HeartBleed-Virus-Removal-Tool-Actually-Carries-a-Trojan-444179.shtml.
27. Snoke, C. Anti-Keylogger Software Review. [Online] http://anti-keylogger-software-
review.toptenreviews.com/.
28. McAfee. Rootkits Part 1 of 3: The Growing Threat. [Online] April 2006.
http://web.archive.org/web/20060823090948/http:/www.mcafee.com/us/local_content/white_papers/threat_
center/wp_akapoor_rootkits1_en.pdf.
29. Computer Hope. BIOS. [Online] http://www.computerhope.com/jargon/b/bios.htm.
30. Symantec. Trojan.Mebroot. [Online] August 2012.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99.
31. Certeza, R. A. Necurs: The Malware That Breaks Your Security. [Online] http://about-
threats.trendmicro.com/us/webattack/3133/NECURS+The+Malware+That+Breaks+Your+Security.
32. Wilson, T. Necurs Rootkit Spreading Quickly, Microsoft Warns. [Online] November 2012.
http://www.darkreading.com/attacks-breaches/necurs-rootkit-spreading-quickly-microsoft-warns/d/d-
id/1138822.
33. Wyke, J. Notorious "Gameover" malware gets itself a kernel-mode rootkit. [Online] February 2014.
http://nakedsecurity.sophos.com/2014/02/27/notorious-gameover-malware-gets-itself-a-kernel-mode-rootkit/.
34. Romano, C. How to Remove a Rootkit from a Windows System. [Online] http://www.technibble.com/how-
to-remove-a-rootkit-from-a-windows-system/.
35. Rouse, M. Sandbox. [Online] September 2005. http://searchsecurity.techtarget.com/definition/sandbox.
36. Bradley, T. What Is A Bot? [Online]
http://netsecurity.about.com/od/frequentlyaskedquestions/qt/pr_bot.htm.
37. Ollmann, G. Botnet Communication Topologies: Understanding the intricacies of botnet command-and-
control. [Online] 2009.
https://www.damballa.com/downloads/r_pubs/WP_Botnet_Communications_Primer.pdf.
38. Dell SecureWorks. Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit. [Online] October 2013.
Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit - See more at:
http://www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-
exploit-kit/#sthash.TuRzgOpO.dpuf.
39. Stone-Gross, B, Holz, T, and Stringhini G. The Underground Economy of Spam: A Botmaster’s Perspective.
[Online] http://cs.ucsb.edu/~gianluca/papers/cutwail-leet11.pdf.
40. MessageLabs. MessageLabs Intelligence: 2009 Annual Security Report. [Online] 2009.
https://www.inteco.es/file/27gHxrzWsYwImu8Dl6FREw.
41. Stewart, A and Timcang, G. A Not-So Civic Duty: Asprox Botnet Campaign Spreads Court Dates and Malware.
[Online] June 2014. http://www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-
asprox-botnet-campaign-spreads-court-dates-and-malware.html.

21
 TLP WHITE
42. Mimoso, M. Asprox Malware Borrowing Stealth From APT Campaigns. [Online] June 2014.
https://threatpost.com/asprox-malware-borrowing-stealth-from-apt-campaigns/106691.
43. Villeneuve, N, Torre, J and Sancho, D. Asprox Reborn. [Online] 2013. http://www.trendmicro.com/cloud-
content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf.
44. Abendan, O. C. A. Watering Hole 101. [Online] http://about-
threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101.
45. Hoffman, S. Security 101: Watering Hole Attacks. [Online] October 2013. http://blog.fortinet.com/Security-
101--Watering-Hole-Attacks/.
46. Symantec. Internet Security Threat Report 2014. [Online] April 2014.
http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-
us.pdf.
47. Cox, A, Eilsan, C, Gragido, W, Harrington, C and McNeill, J. The VOHO Campaign: An In-depth Analysis.
[Online] 2012. http://blogs.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-
09242012_AC.pdf.
48. Gragido, W. Lions at the Watering Hole – The “VOHO” Affair. [Online] July 2012. https://blogs.rsa.com/lions-
at-the-watering-hole-the-voho-affair/.
49. TrendMicro. Vulnerability Shielding. [Online] 2011. http://la.trendmicro.com/media/misc/virtual-patching-
solution-brief-en.pdf.
50. Samson, T. Cyber criminals using Android malware and ransomware the most. [Online] June 2013.
http://www.infoworld.com/t/security/mcafee-cyber-criminals-using-android-malware-and-ransomware-the-
most-219916.
51. Zorabedian, J. What's next for ransomware? Cryptowall picks up where CryptoLocker left off. [Online] June
2014. http://nakedsecurity.sophos.com/2014/06/18/whats-next-for-ransomware-cryptowall-picks-up-where-
cryptolocker-left-off/.
52. Greenberg, J. Watering hole attacks are becoming increasingly popular, says study. [Online] September
2013. http://www.scmagazine.com/watering-hole-attacks-are-becoming-increasingly-popular-says-
study/article/313800/.
53. Klein, A. The Most Dangerous Malware Trends for 2014. [Online] November 2013.
http://www.trusteer.com/blog/the-most-dangerous-malware-trends-for-2014.
54. Sophos. When Malware Goes Mobile. [Online] 2014. http://www.sophos.com/en-us/security-news-
trends/security-trends/malware-goes-mobile/business-of-cybercrime.aspx.
55. —. Security Threat Report 2014. [Online] 2014. http://www.sophos.com/en-
us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf.
56. Wolpe, T. Windows XP: What To Expect Once Microsoft Shuts Down Support. [Online] February 2014.
http://www.zdnet.com/windows-xp-what-to-expect-once-microsoft-shuts-down-support-7000025348/.
57. Microsoft. Unexpected reboot: Necurs. [Online] December 2012.
http://blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx.
58. Paulson, L. D. Hackers Strengthen Malicious Botnets By Shrinking Them. [Online] April 2006.
http://www.computer.org/csdl/mags/co/2006/04/r4017.pdf.
59. Sophos. Not Just for PCs Anymore: The Rise of Mobile Malware. [Online] 2014. https://www.sophos.com/en-
us/security-news-trends/whitepapers/gated-wp/not-just-for-pcs-rise-of-mobile-malware/thank-
you.aspx?a=%7b0551810C-E3AB-43BC-A036-
BAEE2D1AE88C%7d&d=MDMvMDcvMjAxNCAwOTo0NzoxMA&k=S5xMk4fACZt76xsPU5h9QQ&rw=%7b0D2692
BA-1EED-4296-89B5-.

22
 TLP WHITE

www.cert.gov.uk
@CERT_UK

A CERT-UK PUBLICATION
COPYRIGHT 2014 ©

23