Channel: McAfee Labs | McAfee Blogs

In Memory of Peter Szor


Nov. 20: Update with details of memorial service at the end of this post.

Earlier this week the security industry lost one of the pioneers of antimalware research, with the untimely death of Peter Szor. He was a Senior Director of Malware Research at McAfee but, more than that, he was a colleague and very good friend to all of us at McAfee Labs. In the past few days the words that have most frequently come to mind to describe him are very smart, very humble, and very caring.

 

Peter Szor

I first met Peter in 1999 on a very cold winter night in Helsinki, Finland. He enthralled me with his vision for the industry, his depth of technical understanding, and his humility as he explained some very complex hooking and intercept techniques in a way that made it seem very simple. It was easy to understand why Peter had such a good feel for this field, as by then he had developed and supported one of the industry’s first antivirus products–Pasteur AntiVirus in Hungary from 1990-1995–and later was a lead virus researcher and engine developer at F-Secure.

Peter and I worked together for almost 13 years, first at Symantec and now at McAfee Labs, with only a short break in the middle. On a technical and professional level, he was a prolific researcher, author, surfer, and educator and holds more than 39 patents on computer security and antivirus research. He also wrote the best-selling book The Art of Computer Virus Research and Defense. He had a deep passion for his family, especially his son, Daniel, and loved to surf in the waters off Malibu and Newport Beach, California.

A few of Peter’s colleagues at McAfee Labs offered their thoughts:

“It is so very sad and I truly cannot take it in that we will not see Peter anymore–neither his friendly smile nor his insights into countless malware families which he analysed. He was a brilliant researcher and I am glad that his book will stay behind as his legacy and be a reminder for all of us of that brilliance. It will help to keep memory about Peter.”–Igor Muttik, from his blog on virusbtn.com

“The cyberworld has been a much safer place in the past 23 years thanks to Peter Szor. Not only because of Peter’s personal accomplishments, but because his book has helped inspire the malware security interests and careers of a new generation of cybersecurity professionals such as myself.”–Hiep Dang

“I am so very sad as I write this. I ‘met’ Peter Szor initially through his writings. If you were in any way involved in the world of antivirus, it was virtually impossible not to know who he was. Peter was a brilliant researcher but also possessed something else. Something, in fact, very few people have: the ability to communicate highly technical subjects in an understandable manner. Peter was also one of the kindest people I have known and worked with. He didn’t talk down to people ‘less’ brilliant than himself and he always seemed to be ready to help others with their ideas.

“I benefited from his wisdom and knowledge on more than a few occasions, and he always made time to chat or answer my questions. I remember how it felt to have him ask for my opinion. Me. Peter Szor asked for my opinion. It meant a lot. It still does. He knew so many things about malware research and he was always glad to discuss them, openly and with his characteristic humility. We discussed many things, but I will always remember his kindness and smile. I’ll miss those the most.”–David Marcus

We offer our sincere condolences to Peter’s family and friends. He will be buried at a private funeral in his native Hungary. Details for his memorial event in the United States are below.

We will remember Peter with great fondness and respect.

 

Memorial for Peter Szor

Monday, November 25, 11:30 am.

TeWinkle Park, Shelter #2, 970 Arlington Drive, Costa Mesa, CA 92626

Feel free to bring a blanket or chair. This park holds many good memories for Peter and his family. The family would like for those who wish to speak to be prepared to do so. Refreshments and snacks will be provided.

If you would like to send flowers: 314/A 20th Street, Huntington Beach, CA 92648

 A memorial page has been set up. If you would like to donate money in lieu of flowers: http://peterszormemorial.tumblr.com/


Digitally Signed Malware: What Can You Trust Now?


One of the most startling revelations in the McAfee Labs Threats Report, Third Quarter 2013 is that the observed instance of digitally signed malware increased nearly 50%, to more than 1.5 million new signed binaries. The implications of this trend are profound both for security practitioners and the global trust infrastructure.

Figure: New Signed Malware (chart)

However, before we look at these implications, let’s first take a look at why the cybercriminal community even bothers to sign their malicious payloads.

Many enterprise defense systems have had a rule in place for many years that basically says, “If a binary attachment is signed, it’s probably good. Let it pass.” For a long time it was a valid rule. Unfortunately, a few years ago the cybercriminal community figured this out and started signing their own binaries.

This trend poses three key questions:

  • How would a cybercriminal gang get a supposedly legitimate certificate for their own use?
  • Isn’t it the job of the Certificate Authorities (CAs) to issue certificates only to legitimate business concerns and monitor their usage?
  • How does an enterprise protect itself from this change in the threat landscape?

The answer to the second question is “Yes,” but it’s a hard problem for a few reasons. First, the 50+ big Root Certificate Authorities distribute their certificates through hundreds of “retail” CAs globally, and it’s nearly impossible to monitor the behavior of all of them. Second, there are rogue CAs operating primarily beyond the reach of global law enforcement that will issue legitimate-looking certificates to anyone with a credit card (or Bitcoin). Third, legitimate certificates do get stolen periodically and subverted for use by cybercriminals.

So, from a cybercriminal’s perspective, getting access to a legitimate-looking digital certificate isn’t very hard, isn’t very expensive, and might increase the “reach” of their malware quite significantly. One of the interesting aspects of this trend is that although there are likely thousands of digital certificates being used to sign malware, cybercriminals definitely have their favorites. McAfee Labs announced at the Focus 2013 conference that we found a handful of certificates that had each been used to sign more than 1,000 distinct pieces of malware. We found another dozen certificates that had been used to sign more than 500 pieces of malware. This would be a logical point to explain how and why the certificate validation schemes fail to identify these rogue certificates, but that’s beyond the scope of this particular piece.

So, to our final question, what should we do to protect ourselves from this latest tactic by “the adversary”? The first thing is to recognize that in the current threat landscape a signed binary is inherently no safer than an unsigned one. This means we all need to have other defenses in place to mitigate this threat. The two most commonly used are application reputation (whitelisting) solutions such as McAfee Application Control and advanced threat detection products that include sandboxing technology such as McAfee Advanced Threat Defense. When skillfully deployed together, these two are capable of identifying most malicious binaries–signed or not. In certain environments it may also be necessary to deploy network intrusion prevention functionality as found in the McAfee Network Security Platform.

If you’re operating in a particularly sensitive environment, you may also want to require that all devices comply with a “common operating environment” policy, in which a single disk image is used by all systems and contains only known good applications and utilities. It’s a brute-force approach and flies into the teeth of the Bring Your Own Device trend, but it is a viable option in certain environments.

Over time, Certificate Reputation services will appear that will very substantially mitigate this new threat. Until then, however, vigilance and a multilayered security approach in the cloud, at the perimeter, and on the endpoint are required.

Japanese Chat App for Android Steals Phone Numbers


There have been many reports today of Android malware that steals users’ sensitive information and threatens the privacy of smartphone users. McAfee has recently found suspicious chat applications for Japanese users on Google Play. These apps are capable of retrieving a user’s phone number and secretly sending it to the developer’s web server. This information-leaking code is implemented using JavaScript.

Figure 1: Two suspicious chat applications found on Google Play Japan.

Figure 2: The app’s description page emphasizes “Registration Not Required.”

 

Despite the developer’s claim that registration is “not required” on Google Play’s description page, the phone number of the device is sent to a remote web server managed by the developer once the user tries to connect to the chat service, and with no notice. The retrieved phone number is actually encrypted before sending, but it is apparent that the developer can decrypt the data later on the server.

We do not know whether the developer will use these phone numbers for malicious purposes, but gathering such sensitive information without a user’s knowledge is a big problem. We can also assume the developer is deceiving or at least misleading users. Finally, the chat service does not appear to work, at least in our research. Fortunately, we count fewer than several hundred downloads of these two applications.

Figure 3: When users tap the button on this chat screen, their phone numbers are secretly sent to the developer.

Unlike most Android malware, this suspicious code is implemented in HTML/JavaScript hosted on the server, and it calls Android APIs through a custom JavaScript interface exposed via WebView. In the Java code, the application defines a custom JavaScript method getNo(), which calls the TelephonyManager.getLine1Number() method of the Android API and returns the encrypted phone number. The app then exports this method in the “android” object so that it can be used from JavaScript. The HTML hosted on the server calls android.getNo() to obtain the data and sends it to the same server via XMLHttpRequest (or an HTTP POST from a form, as used in another variant) when the user takes a certain action on the page, such as tapping a button.

 

Figure 4: Java code for the custom JavaScript object to access the device’s phone number.

Figure 5: This JavaScript code accesses the phone number using the custom object and sends it to the server.

The JavaScript code is implemented so that it also works outside the Android application, for example, when the chat site is visited with a web browser. In that case an unimportant string generated from the current date is used instead of the phone number, which means the service can work without phone numbers at all. From this we can also see the developer’s malicious intent: private information is stolen whenever the site is accessed from the Android app.

There are some well-known HTML/JavaScript-based development frameworks, such as Apache Cordova (a.k.a. PhoneGap), which allow developers to write application logic in HTML/JavaScript and also access Android APIs internally using the same mechanism described above. In most of these cases, the HTML/JavaScript code is packaged in the application package file (APK), together with the development framework library, where it is easy to analyze potentially risky or malicious code.

On the other hand, this suspicious application’s code is hosted on the server, not in the APK, making static analysis more difficult than usual, especially due to the dynamic nature of its server HTML/JavaScript code. What is worse, the custom JavaScript object can be abused by other malicious sites as well to steal sensitive information once the users navigate using WebView from the original application to such sites.

With HTML/JavaScript gaining popularity as an application development language, especially for mobile devices, and expected to be the main application vehicle in new web-oriented mobile platforms such as Tizen and Firefox, we predict an increase in this type of mobile threat in the near future.

McAfee Mobile Security detects these suspicious applications as Android/ChatLeaker.A.

JavaScript Apps on Google Play Steal Korean Phone Numbers


In a recent blog, McAfee Labs reported on suspicious JavaScript-based Android chat applications for Japanese users, found on Google Play, that steal users’ phone numbers. We have now found about 120 applications that use similar, but not identical, JavaScript techniques to steal a device’s phone number. These apps seem to mainly target Korean users, and they use a JavaScript-based hybrid mobile application development framework, Appspresso.

Figure 1: Examples of suspicious apps on Google Play that target Korean users.

 

These apps appear to have been uploaded to Google Play since early November. The total number of downloads ranges from 170,000 to 640,000 so far, according to Google Play statistics. Because the user interface of these apps supports only Korean, we guess the main target of these applications is Korean users. However, we can also find these apps on Google Play Japan by searching for words related to pornography. Most of them, though not all, are related to adult content.

Figure 2: One of the suspicious apps offers (non-adult) wallpaper.

 

When launched, these apps automatically retrieve the device’s phone number and send it to a server managed by the developer, without any prior notice to the user. Because the use of the phone number does not seem related to the app’s functionality, we can safely say they are designed to secretly collect users’ phone numbers.

Figure 3: Several screens from one of the phone number-stealing Korean-language apps.

 

Appspresso, a JavaScript-based, cross-platform hybrid mobile application development framework, is used in all of these applications. This framework enables developers to write application logic in HTML and JavaScript while using functionalities of the underlying platform, Android in this case, via JavaScript APIs. That is, the framework bridges between Java and JavaScript. This framework also allows developers to add custom plug-ins implementing additional JavaScript APIs.

These apps implement the custom plug-in for retrieving a device’s phone number, using the TelephonyManager.getLine1Number() API, and enabling their JavaScript code to use the “phone” interface to get the phone number. Then the JavaScript code sends the information to the developer’s server, specifying it as a query parameter in the URL loaded into the custom WebView at application launch.

Figure 4: Java code for defining the plug-in’s phone() method used from JavaScript.

 

The Java code preprocesses the retrieved phone number only if the number starts with “+82,” the country code of South Korea.

Figure 5: JavaScript code to get a phone number and send it to another server.

 

McAfee Mobile Security detects these applications as Android/AxLeaker.A.

More Japanese Chat Apps on Google Play Steal Phone Numbers


In two recent blogs, McAfee Labs described Japanese and Korean Android apps on Google Play that steal a mobile device’s phone number. We have now found two more Japanese chat apps that show similar behavior. These two apps have been downloaded between 10,000 and 50,000 times each. The developers of these apps have manipulated the ratings of their apps on Google Play in a prohibited, unfair way and also operate several suspicious sites offering adult-dating services.

Figure 1: Two Japanese chat apps steal a device’s phone number.

 

The apps, Chatline and Connect Line, give users the impression that the apps are related to Line, a popular messaging app in Japan, though they actually have no relationship at all.

The apps retrieve a device’s phone number, International Mobile Equipment Identity (IMEI), and Subscriber Identity Module (SIM) serial number, and send them to a remote web server. This occurs when users launch the apps and before they create user profiles for the chat service. Moreover, if a user creates a profile for the service, information such as nickname, gender, city of residence, birthday, and self-introduction entered on the application screen is sent along with the other numbers. A user is not required to enter real information, but if a user adds more detailed personal or attribute data–such as hobbies and preferences while chatting–this information might be stored on the developer’s site, associated with the phone number. This can be a big privacy risk.

Figure 2: The application screens of the two suspicious chat apps.

Figure 3: An example of sensitive data sent from the apps to the developer’s web server.

 

The apps request READ_PHONE_STATE and other permissions at installation, but do not tell users that they will retrieve the device’s phone number and other information and send that to the developer’s server. There’s no hint in the description of the apps, their screens, the terms and conditions, or the privacy policies. These apps know how to keep a secret.

On Google Play these apps are getting very high scores in user reviews, but these unnaturally high scores seem to come from cheating. In these apps, users need to pay a service fee to chat. Users receive a small amount of free credit to start using the service, and this credit is soon exhausted. Then users are prompted to buy new credits via Google Wallet to continue chatting. At this point, the service makes an attractive offer of more free credits if users will give a high review score (4 or 5) to the app on Google Play. App-ratings manipulation by offering incentives to users is strictly prohibited by the Google Play Developer Program Policies. It is clear that the apps violate this policy, which tells us the developers are already breaking the rules.

Figure 4: Chatline offers incentives to users for manipulating its ratings on Google Play.

 

The implementation code of these two apps is almost the same, which implies they were built and published by the same developer or by related parties. Our investigation into the developers–based on the company information found on the apps–reveals they operate several suspicious adult-dating sites. We have not confirmed that the collected phone numbers and other information are being used for fraudulent or other malicious purposes. But users of these apps should be aware that their private information is being sent to such companies in the adult-dating business.

Figure 5: Adult-dating services operated by the developers of these apps.

 

Users of Android devices should always be careful about potential information leaks caused by apps. They should check permission requests by an app at its installation, the application’s description page on Google Play, the privacy policy, and terms and conditions. If such an information leak is possible, users should always check if the developer of an app is really trustworthy. We strongly recommend against installing very new chat/communication/SNS-related apps published by unknown developers.

McAfee Mobile Security detects these apps as Android/ChatLeaker.B.

Social Media Manipulation Is for Real; Some Call It Crowd-Turfing!


The Indian investigative portal Cobrapost recently released a report on alleged online reputation smearing/management campaigns designed to gain or destroy political capital for whoever was the highest bidder or “customer.” The online world (social media) was abuzz with political motivations, and some were perplexed as to whether it was even possible (amazed, surprised, dismissive, etc.).

Some bloggers and Twitterati offered their own explanations, instantly building near-myths and false narratives in the process. My attempt is to disabuse readers of such false narratives and myths. I will skip the political aspects of this conversation and focus on the technological aspects.

Myth 1 – It is not possible to have fake followers on either Facebook or Twitter.

Fortunately, this myth has been widely debunked. Sites like Twitter Audit or Social Bakers can easily be used to discover whether a Twitter user has fake followers. Such fake followers are largely bots or proxy accounts run on behalf of real or fake individuals.

In fact, acquiring fake followers is not difficult and is actually a full-fledged online business. Take the case of twitterwind.com, a site that offers different packages depending on the number of followers a customer would like to acquire.

Twitterwind Packages

There is an excellent story by the New York Times that describes the buying and selling of fake Twitter followers as the worst-kept secret in the industry. Here is an NBC News post that questioned Mitt Romney’s sudden jump in Twitter followers by 100,000 last year. In May last year, NPR published a news article on how, for as little as $75, one could purchase 1,000 Likes.

Myth 2 – Real people run every social media campaign; there is NO concept of fake (automated bot) followers.

This is largely a defensive reaction of individuals who find themselves on the other side of the first myth. However, even this myth/narrative is false.

Automated bots or botnets have existed since the early days of attacks on computers and networks by hackers and malware/computer virus authors. Bots are compromised systems or user accounts that can be used to launch a malicious digital campaign or attack on an unsuspecting user, corporation, or the public at large.

In the case of social media, there are three ways to create such bots.

The first is to use an automated bot (compromised system) to key-log individuals and find the username and password of an existing user.

The second is to create fake accounts programmatically. Italian security researchers Andrea Stroppa and Carlo De Micheli reported on how such fake accounts could be created using software for sale. The Washington Post carried this story. The New Yorker also has an excellent article on such Twitter bots.

The third is to launch a phishing attack on real users and harvest their Twitter/Facebook accounts. Social media phishing is a new phenomenon. Some users will recall how AP tweeted about a bombing at the White House once its account had been phished and hacked. Even the satire magazine The Onion suffered a similar phishing attack.

Twitter and Facebook have both taken many steps to weed out such followers. Facebook cracked down last year on both fake followers and likes.

Impact on some users’ friends and followers after Facebook decided to crack down on fake followers

Myth 3 – There are no companies that can actually run such reputation-enhancing/smearing campaigns.

There is actually a proper word for this activity – Crowd-Turfing!

“Crowd-turfing” is a term for a malicious crowdsourcing system that exists on social media and the internet and displays the following behaviors: crowdsourcing and astroturfing. The University of California – Santa Barbara coined the term in their paper “Serf and Turf: Crowdturfing for Fun and Profit.”

In other words, not only is it possible to manipulate social media through automated and manual means, it is very prevalent in many countries such as the US and China. Crowd-turfing is neither novel nor earth-shattering, but it might be a complete novelty for some Indians. It is largely illegal, but establishing a trail of evidence to legally nail the culprit requires an extensive skill set.

This story is pretty old now from the rest of the world’s perspective. The UC Santa Barbara report on crowd-turfing mentioned such bots existing on Tencent’s very popular QQ services and at internet companies like Zubhajie, again in China. The report documents the purported activities of these companies, including account creation, forum posts, QQ blog posts, etc.

UC Santa Barbara report documents the kind of activities done by two of the crowd-turfing companies

There is an additional story here: an entire business category, online reputation management, exists for improving the online brands of individuals and companies. Forbes has a good article on online reputation management companies. They also posted a follow-up article on how some of these companies seemed to be doing dirty things under the hood – blackmail, for example.

Although many more myths and narratives could be challenged here, if an informed spirit of enquiry results from this, I will have met my objective.

Android/Balloonpopper Sums Up Mobile Threat Landscape in 2013


WhatsApp has received more than its fair share of hits from Trojans attempting to target its large user base and worldwide popularity, but only a handful of those possess the threat level of this new discovery, which appears to be aimed primarily at Latin America.

Recently revoked from Google Play, Android/Balloonpopper is a game that carries a Trojan which secretly uploads WhatsApp conversations and pictures. This Trojan takes advantage of the fact that encryption on WhatsApp is easy to break. Plus its (recent) position on Google Play helped to lower the guard of its victims.

The stolen conversations and pictures are stored by the app developer and can be retrieved by anyone who knows the phone number of the victim. For complete information, a buyer must pay the developer an unspecified amount.

The game itself is both simple and real. It distracts the victim while stealing the data. Other apps–from this developer or others–could easily copy this technique. As long as the developer remains in business, there is no telling what tactic or app might appear next on Google Play.

Android/Balloonpopper is a perfect example of the threats we see affecting the mobile landscape in 2013. Protecting privacy is at the forefront of mobile security, but an effective attack can turn personal information into a commodity for cybercriminals.

Analyzing the Recent Windows Zero-Day Escalation of Privilege Exploit


Recently we caught a malicious sample that exploits a PDF vulnerability–CVE-2013-3346, we believe–and executes after a use-after-free condition occurs. During our analysis we noticed that this PDF sample also exploits a zero-day local Windows vulnerability–CVE-2013-5065–to escalate privilege. This zero-day occurs in NDProxy.sys under Windows XP and 2003. The exploitation of this flaw is similar to CVE-2010-2743, known as the Win32k keyboard layout vulnerability. Let’s take a closer look.

After the PDF exploit succeeds and its shellcode executes, it fills the first page in memory, starting from address 0, with hundreds of NOP instructions followed by the kernel shellcode. Next it gets a handle to \\.\NDProxy via the API CreateFileA, and then uses this handle by calling the API DeviceIoControl with the IOCTL code 0x8fff23c8. Execution then flows into the NDProxy!PxIoDispatch function in Ring 0. (PxIoDispatch is the function that handles input-output control requests coming from user mode.)

In the branch that handles IOCTL code 0x8fff23c8, PxIoDispatch processes the input buffer supplied by the attacker. The esi register points to the input buffer coming from user mode, and the attacker sets the buffer’s content as shown in the disassembly figures.

After the calculation, the eax value is (0x7030125-0x7030101)*3*4=0x1b0, which will later be used as an index into a function table.

Now for the vulnerability: let’s see how long the function table residing at off_18008 is. The end offset, 0x181b0, minus the beginning offset, 0x18008, gives us 0x1a8. In our case the index is 0x1b0, which is already beyond the table and references the second dword of the next table, with the value 0x38. So execution now flows to address 0x38 via the call instruction, and everything is under the attacker’s control.
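To make the missing bounds check concrete, here is an added example in C (not NDProxy’s code and not part of the original post): a small model of the dispatch pattern described above. The table geometry (first entry at off_18008, last at 0x181b0) and the (value - 0x7030101) * 3 * 4 arithmetic come from the post; the struct layout, the px_* names, the constructed handler addresses, and the assumption that 0x181b0 is the address of the table’s last entry (so that an offset of 0x1b0 lands on the second dword of whatever follows the table) are mine. The checked variant shows the validation a driver needs before indexing a handler table with a value derived from a user-mode buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Table geometry taken from the post: first entry at off_18008, last entry
   at 0x181b0, so 0x1a8 bytes between first and last entry (107 entries).
   The 0x7030101 base and the "* 3 * 4" scaling are the post's arithmetic. */
#define TABLE_FIRST_OFF 0x18008u
#define TABLE_LAST_OFF  0x181b0u
#define TABLE_SPAN      (TABLE_LAST_OFF - TABLE_FIRST_OFF)        /* 0x1a8 */
#define TABLE_SLOTS     (TABLE_SPAN / sizeof(uint32_t) + 1)       /* 107   */
#define OID_FIRST       0x7030101u

/* Model of the kernel image around the table (constructed, not the real
   driver). Keeping the handler table and the table that follows it in one
   struct guarantees the adjacency that the unchecked lookup walks into. */
struct image_slice {
    uint32_t handlers[TABLE_SLOTS];   /* constructed handler addresses */
    uint32_t next_table[4];           /* second dword is 0x38, the value the post reads */
};

static struct image_slice g_image;
static int g_image_ready;

static void ensure_image(void)
{
    if (g_image_ready) return;
    for (size_t i = 0; i < TABLE_SLOTS; i++)
        g_image.handlers[i] = 0x10000u + (uint32_t)(i * 0x40u);
    g_image.next_table[0] = 0x00000000u;
    g_image.next_table[1] = 0x00000038u;
    g_image.next_table[2] = 0x00000000u;
    g_image.next_table[3] = 0x00000000u;
    g_image_ready = 1;
}

/* Byte offset into the table exactly as the post computes it. */
uint32_t px_table_offset(uint32_t oid)
{
    return (oid - OID_FIRST) * 3u * 4u;
}

/* Vulnerable shape: the offset derived from the user-mode buffer is used
   as-is, so an offset past the last entry reads whatever follows the table.
   Returns the value that would become the call target. */
uint32_t px_target_unchecked(uint32_t oid)
{
    uint32_t off = px_table_offset(oid);
    uint32_t target;
    ensure_image();
    memcpy(&target, (const uint8_t *)&g_image + off, sizeof target);
    return target;
}

/* Hardened shape: accept only a whole entry that lies inside the table.
   Returns 0 and sets *target on success, -1 on an out-of-range request. */
int px_target_checked(uint32_t oid, uint32_t *target)
{
    uint64_t off;
    ensure_image();
    if (oid < OID_FIRST) return -1;
    off = (uint64_t)(oid - OID_FIRST) * 12u;   /* widened so a large oid cannot wrap */
    if (off % sizeof(uint32_t) != 0 || off > TABLE_SPAN) return -1;
    *target = g_image.handlers[off / sizeof(uint32_t)];
    return 0;
}

int main(void)
{
    uint32_t t;
    uint32_t bad = 0x7030125u;   /* the value from the captured input buffer */
    printf("offset for 0x%x = 0x%x (table spans 0x0..0x%x)\n",
           bad, px_table_offset(bad), TABLE_SPAN);
    printf("unchecked lookup would call 0x%x\n", px_target_unchecked(bad));
    printf("checked lookup: %s\n",
           px_target_checked(bad, &t) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The unchecked lookup reproduces the post’s result (offset 0x1b0, target 0x38); the checked one rejects the same request because the offset exceeds the last table entry, and it also rejects values below the base and offsets that do not fall on an entry boundary.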

In the kernel shellcode, the exploit replaces the current process’ token with the SYSTEM process’ token, which should escalate its privilege as SYSTEM, and return to the caller. Now the following user mode shellcode will run at privileged level. The exploit then drops a temp file with a random name such as xxx.tmp, a Trojan, in the temporary directory, and launches it by calling the API WinExec.

Thanks to my colleagues Vinay Karecha, Bing Sun, and Lijun Cheng for their support and help with this analysis.


Product Coverage and Mitigation for CVE-2013-5065


On November 27, 2013, Microsoft published Security Advisory 2914486, which covers an elevation of privilege vulnerability in certain versions of Windows XP and Windows Server 2003.

The flaw lies in the NDProxy component of the Windows kernel. Note that exploitation requires that an attacker holds local login credentials.

This threat is currently being exploited in limited and targeted attacks.  Functional exploitation and malware artifacts have been identified in the wild.

 

Remediation / Mitigation

Microsoft
Microsoft has provided a workaround to address this issue. Details are available at:

http://technet.microsoft.com/en-us/security/advisory/2914486

 

McAfee Labs
The following McAfee products / content provide coverage:

  • McAfee Vulnerability Manager: MVM / FSL Content Release of 11/28/2013
  • McAfee Antivirus: coverage is provided in the 7276 DATs, released on 12/1/2013, under the name Exploit-CVE2013-5065

 

Further reading:

Analyzing the Recent Windows Zero-Day Escalation of Privilege Exploit

 

Suspicious Apps on Google Play Leak Google Account IDs


The Google account ID (or account name), which in most cases is a Gmail address, is one of the key identifiers of Android device users. McAfee has confirmed that a substantial number of suspicious apps on Google Play secretly collect Google account IDs. In these cases the corresponding Google account password is not collected, but leaking only the IDs still poses a certain level of security and privacy risk.

Two particular apps, one a dating service app and the other a fortune app, retrieve Google account IDs and send them to their web server just after they launch and without prior notice to users. The total number of downloads of each app is between 10,000 and 50,000. McAfee Mobile Security detects these apps as Android/ChatLeaker.D.

These two suspicious apps leak Google account IDs.

 

Another set of suspicious apps, from various categories, shown in the figure below secretly send a device’s Google account ID, IMEI, and IMSI to a single, shared remote web server just after launch and without any prior notice. The aggregate download count of this set of apps amounts to at least several million, probably because they are localized for many languages. It appears the main targets are Japanese users. We detect these apps as Android/GaLeaker.A and its variants.

 

[Image: galeaker-2]
More than 30 suspicious apps leak Google account IDs, IMEI, and IMSI.

 

We have not confirmed why the app developers secretly collect Google account IDs, how they use them, or how securely they store the data. Nor have we so far observed any malicious activity based on the collected data. But at the very least these apps should notify users of the collection and of the intended use of their data, and give them the opportunity to decline the transfer.

Android apps can retrieve Google account IDs with the GET_ACCOUNTS permission, granted at installation, by calling one of the methods of the AccountManager class. This permission is often requested when an app uses Google Cloud Messaging (GCM), the standard mechanism Google provides for server-to-device push notification. As a result, users cannot judge from the permission alone whether granting it is safe: some apps request it for GCM, others to collect account information for potentially malicious purposes.

 

[Image: galeaker-3e]
A GET_ACCOUNTS permission request.
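As an added example, not code from the McAfee post, the following Python script triages a decoded AndroidManifest.xml for the pattern described above: GET_ACCOUNTS plus INTERNET with no sign of the Google Cloud Messaging registration that an honest use of the permission would usually come with. The heuristic, the two sample manifests and their package names are constructed for this example; the GCM manifest entries it looks for (the com.google.android.c2dm.permission.RECEIVE permission and a receiver for com.google.android.c2dm.intent.RECEIVE) are assumed from GCM's manifest requirements of the period.

```python
"""Triage an AndroidManifest.xml for the GET_ACCOUNTS pattern described above.

Added example, not code from the McAfee post.  Heuristic (an assumption made
here): an app that requests GET_ACCOUNTS and INTERNET but shows none of the
manifest entries Google Cloud Messaging needed at the time (the
com.google.android.c2dm.permission.RECEIVE permission or a receiver for
com.google.android.c2dm.intent.RECEIVE) has no obvious legitimate reason to
read account names and deserves a closer look.  The two manifests below are
constructed for this example; the package names are fictitious.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

GET_ACCOUNTS = "android.permission.GET_ACCOUNTS"
INTERNET = "android.permission.INTERNET"
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_ACTION = "com.google.android.c2dm.intent.RECEIVE"


def triage_manifest(manifest_xml):
    """Return a dict summarizing how the manifest uses GET_ACCOUNTS."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    actions = {el.get(NAME_ATTR) for el in root.iter("action")}
    uses_gcm = GCM_PERMISSION in permissions or GCM_ACTION in actions
    reads_accounts = GET_ACCOUNTS in permissions
    has_network = INTERNET in permissions
    return {
        "package": root.get("package"),
        "reads_accounts": reads_accounts,
        "has_network": has_network,
        "uses_gcm": uses_gcm,
        # Account access plus a network path plus no push-notification use.
        "suspicious": reads_accounts and has_network and not uses_gcm,
        "permissions": sorted(p for p in permissions if p),
    }


# Constructed manifest 1: a chat app that registers for GCM push messages,
# the usual legitimate reason to hold GET_ACCOUNTS.
GCM_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".GcmBroadcastReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        <category android:name="com.example.chat"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest 2: a "fortune" app that reads accounts and phone
# identifiers (IMEI/IMSI come with READ_PHONE_STATE) and talks to the network,
# with no GCM registration at all.
LEAKER_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fortune">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (GCM_APP, LEAKER_APP):
        report = triage_manifest(manifest)
        verdict = "REVIEW" if report["suspicious"] else "ok"
        print("%-8s %s  %s" % (verdict, report["package"],
                               ", ".join(report["permissions"])))
```

The manifest inside an APK is binary XML, so run this on the text form produced by a decoder such as apktool. A "REVIEW" verdict is a prompt to look at where the app sends the account name, not a detection on its own; an app can also read accounts for legitimate reasons unrelated to GCM.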

 

Although the account passwords cannot be retrieved in this case, leaking only account IDs still creates several types of risks.

  • Attackers can share account IDs with other malicious parties including email address collectors.
  • Attackers can directly send spam/scam emails to the address.
  • Attackers can break passwords and illegally access accounts if users employ easy-to-guess passwords.
  • Attackers can identify a user’s personal information on social networking services related to Google account IDs, for example, Google+.

Users should be especially careful about registering for social networking or communication services with a Gmail address, particularly services that encourage users to be searchable by email address. If that feature is enabled and the profile is public, which is the default on many services, an attacker can easily identify personal information using the email address as a search key.

 

[Image: galeaker-4]
A user's real name is suggested using the Gmail address as a search key.

 

With the GET_ACCOUNTS permission granted, Android apps can also retrieve account names for services other than Google that have been registered in the device, including Facebook, Twitter, LinkedIn, Tumblr, WhatsApp, and so on. Users will face these same issues once these other account names are stolen.

 

[Image: galeaker-5e]
Account names for various services can be easily retrieved.

 

We strongly recommend that users review the privacy settings on all the services they employ and disable the “allow search by email address” option unless they really want it. Users should also not expose their account names in public unless it is necessary.

Another Bad Idea: Handing Your Unlocked Phone to Strangers


You wouldn’t hand your unlocked mobile phone to strangers, would you? Especially not if they keep it for some minutes, unmonitored, to make configuration changes, right?

I’m currently traveling in parts of the world where my German network provider charges outrageous roaming prices. For the price of a one-minute call I can buy a prepaid SIM card from a local provider, usually with plenty of minutes to anywhere and 1GB or more of data. The data alone is literally worth thousands(!) of Euros in roaming charges. So everybody buys those cards, and in many airports there are numerous providers to choose from.

Of course, being helpful and service-minded, they don’t give you a SIM with instructions; instead you give them your unlocked phone so they can set up and activate the card for you, happily typing away, until they hand it back to you, with a smile, stating that now everything works. What could possibly go wrong?

Well, handing out a phone in this way pretty much bypasses all defenses and safeguards that may be in place. It takes only seconds of unattended phone access to plant malware on a device, disabling security solutions beforehand, and it is also a safe bet that agencies in some countries are well aware of this kind of user behavior, possibly exploiting it to “backdoor” the smartphones and tablets of selected travelers.

A funny thing happened in Bangkok: The guy in front of me in line (with a UK accent) simply told the provider his password (excusing himself with “sorry for that, we have a company policy that enforces passwords on our corporate mobile devices”). His password was “qwer.” :(

No one questioned this ridiculous practice of unlocking and handing over. With one exception, the service people were surprised when I told them to forget it and to just give me the SIM and instructions. One provider in Sydney refused to sell me just the SIM without installation service, telling me they don’t have instructions to hand out and no one had ever asked them before. The exception? When I asked the guys in Kuala Lumpur today about why they didn’t seem surprised by my request, they told me two months ago they had a number of people saying “just the SIM, please.” Must have been attendees of HITB, a hacker conference running at that time.

It’s important to think about the possible consequences. Companies might do well to prepare a quick guide for non-tech personnel, so they can change a SIM themselves.

On my next trip I plan to bring an old device as a honeypot–to see if someone actually tries to tamper with it.

Reveton Ransomware Hides Behind Encryption


Reveton belongs to a family of ransomware that locks the screen and prevents users from using their machines until they pay a certain amount. Reveton may be downloaded to a victim’s machine from a malicious site, by an exploit, or by other malware. Reveton variants (DLLs) usually carry extensions such as dss, pss, psv, dat, bfg, or any three random characters. These samples are executed by a batch or link file using rundll32.exe, as shown in Figure 1.


Figure 1. Batch file to launch Reveton.

Reveton comes with various flavors of encryption to evade antimalware detection. In this blog we give a brief overview of one of the cryptors used by recent Reveton variants.

Some previous versions of Reveton had random alphanumeric export names, similar to dsde34fefew, which looked suspicious and were easy to identify. Recent versions use new cryptors and export names that look legitimate.

Some of the new export names can be seen in Figure 2 and in the following list:

  • AndroidDesktoCompression
  • AndroidTerminal
  • DeviceFor
  • OfficeAppKeyBoard


Figure 2. Export table.

The cryptor fakes the version information to look like a legitimate file. In this case it uses the version info of a Microsoft file, as shown in Figure 3.


Figure 3. Fake version information.

Multiple sections of the cryptor can be seen in Figure 4. The decryption key sits in the .data section, and the encrypted executable can be found in one of the other data sections.


Figure 4. Data sections.

A call to GetProcessHeap followed by RtlAllocateHeap reserves a chunk of heap memory to hold the decrypted data, as shown in Figure 5.


Figure 5. Heap memory allocation.

The first layer of encryption is quite simple. The cryptor stores a key that may be one, six, twelve, or sixteen bytes in size. The key usually lies within the first 500 bytes of the section and is followed by zeros, as shown in Figure 6.


Figure 6. The encryption key.

The data (in this case from the fourth section, named .xdata) is decrypted into the heap buffer allocated by RtlAllocateHeap by subtracting the key from the encrypted bytes. If the key is n bytes long, it is subtracted byte by byte from the first n bytes of the .xdata section, then from the next n bytes, and so on until the section is consumed.

The decrypted data looks like an executable file, but not a completely decrypted one. We can see in Figure 7 that the section headers are not fully decompressed and that the UPX and .rsrc section names are jumbled.


Figure 7. A partially decrypted UPX file.

The cryptor calls the RtlDecompressBuffer API to deflate this partially compressed data, as shown in Figure 8.


Figure 8. A call to RtlDecompressBuffer.

This function supports Huffman and LZ compression formats. The parameters supplied to it include the compressed buffer, the output buffer, and the sizes of the compressed and uncompressed data.


Figure 9. A completely decompressed UPX file.


Figure 10. A completely decompressed section header.

The section names of the UPX packer are fully visible at this point, as shown in Figures 9 and 10. Unpacking the UPX file gives us the decrypted Reveton code. Code around the original entry point of Reveton can be seen in Figure 11.


Figure 11. The malware’s original entry point.
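The following Python script, added here as an example rather than code from the post or from the malware, re-implements the two unwrapping layers just described: pulling the key out of the head of the .data section, subtracting it cyclically from the encrypted section, and then decompressing the result the way RtlDecompressBuffer does. The post does not name the compression format; this example assumes COMPRESSION_FORMAT_LZNT1, the LZ format the API supported on every Windows release at the time. The key, the section contents and the LZNT1 stream are constructed here, not taken from a sample.

```python
"""Two unwrapping layers of the Reveton cryptor described above (added example).

Not code from the post or from the malware.  Assumptions made here: the key
contains no 0x00 byte (the post says it is followed by zeros), byte arithmetic
wraps modulo 256, and RtlDecompressBuffer is called with LZNT1.  All sample
bytes are constructed for this example.
"""


def find_key(data_section, max_scan=500):
    """Layer 1, step a: the key at the head of .data, terminated by zeros."""
    end = data_section[:max_scan].find(b"\x00")
    if end <= 0:
        raise ValueError("no key in the first %d bytes" % max_scan)
    key = data_section[:end]
    if len(key) not in (1, 6, 12, 16):          # sizes the post reports
        raise ValueError("unexpected key length %d" % len(key))
    return key


def sub_decrypt(encrypted, key):
    """Layer 1, step b: subtract the key cyclically, one byte at a time."""
    n = len(key)
    return bytes((c - key[i % n]) & 0xFF for i, c in enumerate(encrypted))


def sub_encrypt(plain, key):
    """Inverse of sub_decrypt; only used to build the constructed sample."""
    n = len(key)
    return bytes((c + key[i % n]) & 0xFF for i, c in enumerate(plain))


def lznt1_decompress(data):
    """Layer 2: LZNT1, the format RtlDecompressBuffer handles as 'LZ'.

    Stream = chunks.  2-byte chunk header: low 12 bits = size - 1, bit 15 =
    compressed.  A compressed chunk is flag bytes each followed by 8 tokens:
    flag bit clear = literal byte, set = 2-byte back-reference whose
    displacement/length bit split narrows as the chunk output grows.
    """
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        hdr = int.from_bytes(data[i:i + 2], "little")
        i += 2
        if hdr == 0:                                # end-of-stream marker
            break
        chunk_end = i + (hdr & 0x0FFF) + 1
        if not hdr & 0x8000:                        # stored (raw) chunk
            out += data[i:chunk_end]
            i = chunk_end
            continue
        chunk_base = len(out)
        while i < chunk_end:
            flags = data[i]
            i += 1
            for bit in range(8):
                if i >= chunk_end:
                    break
                if not flags >> bit & 1:
                    out.append(data[i])
                    i += 1
                    continue
                token = int.from_bytes(data[i:i + 2], "little")
                i += 2
                pos = len(out) - chunk_base - 1
                len_mask, disp_shift = 0x0FFF, 12
                while pos >= 0x10:                   # shrink length field
                    len_mask >>= 1
                    disp_shift -= 1
                    pos >>= 1
                length = (token & len_mask) + 3
                start = len(out) - ((token >> disp_shift) + 1)
                for k in range(length):              # copy may overlap itself
                    out.append(out[start + k])
        i = chunk_end
    return bytes(out)


def unwrap(data_section, xdata_section):
    """Both layers: key from .data, subtract from .xdata, then decompress."""
    return lznt1_decompress(sub_decrypt(xdata_section, find_key(data_section)))


# Constructed stand-ins for the two sections (not real Reveton bytes).
KEY = b"\x13\x37\x42\x99\x07\x51"                   # 6 bytes, one listed size
DATA_SECTION = KEY + b"\x00" * 58                    # key then zeros (Figure 6)
# Hand-assembled LZNT1 stream for b"Hello Hello Hello!": one compressed chunk
# (six literals, a displacement-6/length-11 back-reference, one literal),
# then the 0x0000 end marker.
LZNT1_SAMPLE = b"\x09\xb0\x40" + b"Hello " + b"\x08\x50!" + b"\x00\x00"
XDATA_SECTION = sub_encrypt(LZNT1_SAMPLE, KEY)

if __name__ == "__main__":
    print(unwrap(DATA_SECTION, XDATA_SECTION))   # b'Hello Hello Hello!'
```

On a real sample you would read the two sections with a PE parser (pefile, for instance) instead of the constructed byte strings, and the output of the second layer is still a UPX-packed file that needs unpacking before the entry point in Figure 11 is visible. Checking that the first layer worked is easy: the decompressed buffer should begin with the MZ header and its section table should carry the UPX section names.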

McAfee detects this variant of Reveton with following names:

  • Ransom-FFK!
  • Ransom-FFM!
  • Ransom-FFN!
  • Ransom-FFO!
  • Ransom-FFQ!

Ransomware has become one of the most prevalent threats, and malware writers keep finding new ways to evade detection. As we have seen here, this threat stacks several layers of encryption, compression, and packing to hinder analysis and detection. It’s vital to keep antimalware products updated, and it’s always a good idea to keep a backup of important data.

Thanks to my colleagues Arvind Gowda and Avelino Rico for their valuable support.

 

 

 

 

 

 

 

McAfee Labs 2014 Threats Predictions


As we wind down the year, it’s a time to reflect, but also to look forward. Some of us may be thinking about resolutions and what we need to do in the upcoming year—exercise more, eat better, have better work/life balance, etc. Others of us will be thinking about how we’re going to ring in the New Year.

This time of year the McAfee Labs™ team is busy looking at what new threats and trends they expect to see. Today they released their 2014 Threats Predictions, and here’s what they believe will be in store for us:

Mobile Malware

While this is not new, this category of malware is growing like wildfire and McAfee Labs sees no slowdown in 2014. Besides continued growth in this category (mostly on the Android platform), they believe that some types of mobile attacks will become prevalent.

One of these growing attacks is ransomware targeting mobile devices. Once the cybercriminal has control of your device, they will hold your data “hostage” until you pay money (whether that’s conventional or virtual, like Bitcoin) to the perpetrator. But as with traditional ransomware, there’s no guarantee that you really will get your data back.

Other mobile tactics that will increase include exploiting the use of the Near Field Communications (NFC) feature (this lets consumers simply “tap and pay,” or make purchases using close-range wireless communications), now on many Android devices, to corrupt valid apps and steal data without being detected.

Virtual Currencies

While the growth of Bitcoin and other virtual currencies is helping promote economic activity, it also provides cybercriminals using ransomware attacks with a perfect system to collect money from their victims. Historically, payments made from ransomware have been subject to law enforcement actions via the payment processors, but since virtual currency is not regulated and anonymous, this makes it much easier for the hackers to get away with their attacks.

Attacks via Social Networking Sites

We’ve already seen the use of social networks to spread malware and phishing attacks. With the large number of users on Facebook, Twitter, Instagram and the likes, the use of these sites to deliver attacks will continue to grow.

In 2014, McAfee Labs also expects to see attacks that leverage specific features of these social networking sites, like Facebook’s open graph. These features will be exploited to find out more information about your friends, location or personal info and then be used for phishing or real-world crimes.

The other form of social attacks in 2014 will be what McAfee Labs calls “false flag” attacks. These attacks trick consumers by using an “urgent” request to reset one’s password. If you fall for this, your username and password will be stolen, paving the way for collection of your personal information and friend information by the hacker.

2014ThreatPredictions

 

Here are some security resolutions to help you stay safe online in 2014:

  • Strengthen your passwords: If you’re still using easy-to-remember passwords that include your home address and pet’s name, it’s time to get serious about creating strong passwords that are at least eight characters long and a combination of numbers, letters and symbols. Don’t include any personal information that can be guessed by hackers.
  • Don’t open or click on suspicious emails, texts or links: By simply opening an email with a piece of ransomware within it you could be leaving your devices vulnerable to hijacking.
  • Be aware when downloading apps: Since apps are the main way mobile malware is spread today, make sure to do your research before downloading any app and only download from reputable app stores.
  • Limit your use of NFC, Wi-Fi and Bluetooth: If your phone has NFC capabilities, you may be unaware of the default settings. Turning this feature off, as well as turning off Bluetooth and Wi-Fi connections, will not only help you save battery life on your devices but also prevent attacks from hackers looking to exploit your wireless connections.
  • Check your bank statements and mobile charges regularly: This way, you can discover and report any suspicious charges.
  • Install comprehensive security on all your devices: With the growing number of threats that we’re seeing, you want to make sure that all your devices (not just your PC) are protected. Consider installing security software such as McAfee LiveSafe™ service that protects your data, identity and all your devices (PCs, Macs, smartphones and tablets).

 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

2014 Threats Predictions: Everyone Wants a Piece of Big Data


This post is the first in a series of articles that will expand on the recently released McAfee Labs 2014 Threats Predictions. In this and upcoming posts, McAfee Labs researchers will offer their views of new and evolving threats we expect to see in the coming year. This article was written by Dr. Igor Muttik and Ramnath Venugopalan.

Big Data is a popular term. The concept feels important, and menacing, because we know that the amount of knowledge available on the Internet is enormous and it grows at a staggering rate. But data accessible via the Internet is only the tip of an iceberg: The Internet as we know it is only the public part of massive amounts of online data. Knowledge is power; that hasn’t changed. And extensive knowledge (which Big Data provides) leads to a lot of power.

Those of us who often shop online notice that commercial websites are getting better at focused personal advertising; sometimes they identify our interests even before we realize them ourselves. Commercial sites gather and share (often indirectly, via ad providers) information about web pages we visit. In 2014 we expect commercial companies will become more effective and more aggressive in tracking consumers by analyzing their growing pieces of Big Data. Driven by further adoption of “do not track” functionality in browsers, we foresee an accelerated shift from tracking based on cookies toward fingerprinting based on browsers and behavior. As a result, there will be deeper and wider online tracking and an increasing number of privacy concerns. Unprotected users will continue to lose control over who analyses and records their online actions and when it happens. Staying anonymous when browsing will be harder next year.

Security companies are also creating Big Data stores, but the data we gather is very different from the information that commercial interests and cybercriminals seek. Security products do not need personally identifiable information to discover malware, spam, and other intrusions—only the data to uncover new attacks.

Tracking consumers using Big Data is easy. However, discovering new and unknown intrusions is much harder as we deal with professionally organized malware-writing gangs. Despite their efforts, we predict that machine learning and data analytics based on Big Data will improve the discovery of targeted attacks and persistent threats in 2014.

Many large-scale organizations are deploying Big Data analytics, at the cost of millions of dollars, to identify threats within their environments. In 2014 and beyond, however, we expect to see the first signs of evasion maneuvers targeting Big Data analytics as malware and spam gangs, for example, will attempt to poison security telemetry to make their activities less noticeable.

2014 Threats Predictions: Social Media Changes Keep Users Off Balance


This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Aditya Kapoor.

In order to maximize profits, cyberattackers quickly adapt to popular forms of communication; they go where their victims go. Sometimes they even seem to get there first. Every time a new medium gains popularity, fast-moving attackers find the new medium’s flaws and take advantage of its new users. This tactic works because many new services haven’t fully worked out security measures even as their popularity skyrockets.

Email and traditional Internet messaging (Yahoo, Google Talk, MSN, and others) have seen plenty of malware attacks. When we use these “old” systems, most of us know to not open attachments or click on links from strangers. But new systems often seem fresh and different when we first use them.

A survey by McKinsey’s iConsumer report (published by Forbes) confirms the obvious: email usage has been declining for years (36% of users in 2012, down from 42% in 2008), while social media usage rose to 26% in 2012 from a meager 15% in 2008. Overall, people are still communicating primarily by email, but its use continues to drop. More and more people now connect and interact via services such as Facebook, Twitter, Snapchat, Instagram, LinkedIn, WhatsApp, and others. These services are available on any device.

As we flocked to Facebook, it was new and seemed safe. But starting in 2008 and peaking in late 2009, Koobface malware was one of the primary threats against Facebook users. Until it lost steam in 2011, Koobface employed a lot of advanced features in its botnet: using URL-shortening services to send malicious links, hijacking users’ accounts, autoresolving CAPTCHAs, and other methods. Many of these features are still present in similar but much smaller threats.

Three categories of attacks on social media are the most prevalent: data theft, money theft, and profile and network-identity theft. This triumvirate isn’t likely to diminish because its appeal is fundamental to the goals of cybercriminals.

Data theft: malware installation

Social media features change rapidly; many users have a hard time determining what is legitimate versus what is not. Attackers take advantage of the confusion of ever-changing applications and policies. Recently we have seen numerous social-engineering tactics that trick users into installing an application for a service that does not exist. These campaigns use a similar tactic: Users receive an email purportedly from a social media company with a link to a “new” app. After clicking the link, they are asked to download a plug-in, which installs malware and steals information. For example, one recent attack sent an email with a “voice message notification” apparently from WhatsApp. Listening to the message, however, added the user’s machine to a botnet. These methods are not new, but mixing the malware message with social media often confuses users who don’t know what the norm is.

Money theft: spam and scam

Scammers also use fake notification systems that masquerade as updates from social media sites. A notification email apparently from a social media site claims there are unread messages. Clicking the message redirects users to fake pharmaceutical items, for example. Some users buy these items, sending money to crooks.

Scammers are quick to use new communication mechanisms and abuse them to generate money or steal personal information. Recently criminals used Snapchat in a pay-per-install affiliate model: Users received nude pictures and in order to see more snaps, they had to download an application, which in turn paid the spammer money for the installation.

Snapchat has become very popular for the wrong reasons—such as sending explicit images—because the service promises to delete the images after a set time. Recently scammers used Snapchat to show “leaked” pictures; users had to enter their Facebook login credentials to access the information. You can guess where the login information went—to the scammer’s server.

Profile and network-identity theft: Spearphishing on social media

Social media sites like Facebook have done a lot of work to keep their users safe. It is difficult for scammers to post a malicious link to a user who is not in their friend network. But a social network is only as strong as its weakest link, which can compromise the entire friend network because we tend to trust our friends and what they post. (Security blogger Dancho Danchev writes about one example in “Continuing Facebook ‘Who’s Viewed Your Profile’ Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem.”)

LinkedIn has become fertile ground for attackers. By watching for the updated status of executives or sales people and their new connections, online spies might gain a competitive edge or knowledge of unannounced products.

What’s coming

The social media landscape is changing rapidly, with new services being introduced faster than they can be secured. Scammers and malware authors abuse these services and make the most of them while people are still learning about the new security risks. When the security bar is raised high enough, these scammers move on to newer mass communication methods. Their methodologies and motives remain largely the same.

In the coming year we are likely to see an increase in corporate espionage via social networks such as LinkedIn. It’s a good idea to verify a message even when a known person tries to contact you on social networking sites. A simple IM or email to verify identity is enough to keep scammers at bay.

Scammers will use apps like Poke and Snapchat to prompt victims to “win a free iPad,” for example, by visiting a website within 10 seconds. Some unsuspecting users will give out their information as fast as possible, succumbing to rush tactics.

A continuing worry about social media services is the false sense of privacy they encourage. We will continue to see children and adults become complacent and share private pictures and other information. Parents need to talk to their kids who use social media about safe sharing practices.

In the coming year social media attacks will continue and mature, as attackers find new ways to craft their attacks. We expect spam and phishing attacks will gain momentum. In the corporate world, stealing data related to business social networks and contacts will become a greater target than passwords or credit card information.


2014 Threats Predictions: Cloud Attacks Could Lead to Data Loss


This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Ramnath Venugopalan.

We foresee three broad threat areas that will affect cloud computing in 2014: data breaches and data loss, denials of service, and malicious uses.

Data breaches and data loss

In 2014, we expect to see an increase in attacks aimed at shared resources in any IaaS, PaaS, or SaaS (Infrastructure, Platform, or Software as a Service) cloud environment. Attackers will try to reach all client data on a multitenant cloud service by exploiting a flaw in one tenant. Attempting to avoid data loss by replicating to alternate sites also opens up additional avenues for data breaches. Trying to avoid data breaches with encryption runs the risk of losing the data along with the key. This approach also makes the cloud less useful as a storage mechanism, because searching content by keyword is much harder without searchable encryption, which is not yet a mature technology.

Customers risk a loss of control over their data as various free cloud providers effectively own the data that customers place with them. A failure at a cloud provider could result in the complete loss of all data stored there. Many consumers do not back up data at multiple providers or locally; they could lose everything if their cloud service fails.

We expect to see an increase in attempts to compromise vulnerabilities in the APIs exposed by cloud service providers. Cloud customers build upon these APIs, in effect adding attack surfaces that may lie outside cloud provider policies and defenses.

Every year, we add more and more personal data to cloud services such as Facebook, Google, Picasa, LinkedIn, and others. Compromising the authentication data of any one of those clouds could provide attackers with a wealth of information. They might be able to guess or gather other authentication data leading to work-related systems, identity theft, family budget figures, physical theft from a residence, threats to personal security, and so on. The online reputation and connections of a compromised account could also be used to launch further attacks using social engineering or malware to infiltrate workplace computers or those of the victim’s connections. These threats will increase in 2014 because the value to be gained grows every year: more data is available and more people are connected.

Denials of service

With the increase in adoption of IaaS and PaaS solutions, denial-of-service attacks will also increase, causing service outages as well as direct financial losses—due to cloud providers billing the costs of the network and computing cycles incurred during an attack to the target of the attack. Victims will lose twice. Thus DoS attacks will have an impact on both the customers of a cloud service as well as on the providers of applications running on a cloud service.

Malicious uses

In a related vein, we anticipate next year a rise in attackers using the computing power, flexibility, and ease of deployment of cloud computing to launch large-scale, targeted attacks on businesses and governments. We’ll see more “Dark Cloud” providers that either encourage such attacks or do little to prevent them.

2014 Threats Predictions: Mobile Attackers to Benefit From New Payment Methods


This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Jimmy Shah.

We wrote last year about the future dangers of mobile worms exploiting near-field communications. This year many high-end phones came with NFC hardware. Next year we should see NFC-capable phones that let consumers pay with their phones everywhere they can pay with a credit card. Unfortunately, we’ll also see thieves find ways to turn your grande latte order into a more expensive event.

There are now more ways to pay for things via mobile phone, using services such as Square, PayPal, or Coin. Attackers will find ways to skim cards using mobile credit card readers, or swipe information from apps on the phone. More ways to pay will lead to more ways for attackers to hijack your money.

Malware developers are hard at work creating ransomware for mobile phones. Currently we see malware that pretends to lock your phone, offering to release it upon payment of a ransom. It’s a short step for malware writers to encrypt your phone’s disk and make the threat real.

As more apps are converted from proprietary platforms to HTML5 in the name of cross-platform compatibility, attackers will put more resources into exploiting such apps. Attackers will develop exploits that target HTML5 apps or native drivers (audio, video, file system, etc.).

How about a bit of good news? Android 4.2 includes a security feature that makes it harder for SMS-sending malware to steal money without an owner’s knowledge. The feature informs users whenever a message is about to be sent to a premium-rate number. This simple step will cut into the easy money attackers made because users will no longer be unaware that the new app they installed costs money.

Variant of Pony Botnet Pickpockets Bitcoin Users


Last month the Pony Botnet became a household name when it was revealed that it had stolen more than two million social networking account passwords. This rather eye-catching headline is a side effect of the data that the botnet actually steals, which includes stored passwords, cache, and cookies from the following applications:

 

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera
  • Windows Live Mail
  • BatMail
  • BlazeFtp
  • Bromium
  • BulletProof FTP
  • Chromium
  • ClassicFTP
  • Comodo
  • Cryer
  • CuteFTP 6, 7, 8
  • CuteFTP Lite
  • CuteFTP Pro
  • Cyberduck
  • Epic
  • ExpanDrive
  • FFFTP
  • FileZilla
  • FlashFXP
  • Fling
  • FTP Explorer
  • FTPClient
  • FTPHost
  • FTPRush
  • FTPVoyager
  • Ghisler
  • Global Downloader
  • K-Meleon
  • LeapFTP
  • LeechFTP
  • LinasFTP
  • Martin Prikryl
  • NCH Software
  • NetSarang
  • Nichrome
  • NovaFTP
  • Pocomail
  • PuTTY
  • Robo-FTP 3.7
  • RockMelt
  • SFTP
  • Thunderbird
  • VanDyke
  • Visicom Media

McAfee offers detection for the Pony botnet as Backdoor-FJW. This malware did not change much between May and November 2013, apart from the usual trick of wrapping the code in custom packers to hinder analysis. During a recent analysis of this threat, however, we discovered a variant of the botnet that has added a small trick to its repertoire.

[Image: pony_bitcoin_upx]

Once we removed the malware from its obfuscated shell we were able to see two small but important additions to the strings we would normally see in a Pony botnet sample.

[Image: pony_bitcoin_strings]

The preceding image shows that the strings “wallet.dat” and “\Bitcoin” have been appended to the list of strings we commonly see associated with this threat. Bitcoin has been in the news during the past year for its rising popularity and value, and for the attention it has attracted from the cybercrime community. However, this is the first malware we have analyzed that seeks out wallet.dat for exfiltration from a system. A close look at the functions used to accomplish this reveals that they work in much the same way the malware has always stolen FTP credentials and server information: using hardcoded strings and file names, the malware locates specific installed software from the list above in the registry and then extracts data from the data files known to belong to that software.

[Image: pony_bitcoin_wallet]

The existing FTP-credential routine operates in the same fashion:

[Image: pony_bitcoin_ftp]

There are two important takeaways from this analysis. The first is that encrypting your important information (Bitcoin wallet, confidential data, login information, etc.) cannot be overlooked. Simply having an encrypted Bitcoin wallet would render this new module useless for the malware authors. The second is that storing passwords or credentials in browsers or other software that you use to connect to any remote host is a bad idea. The threat landscape is constantly evolving: Even threats that have seemingly run their course pop up again with new tricks to meet their monetary goals.

2014 Threats Predictions: Software Defined Networking Promises Greater Control While Increasing Security Risks


This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Ramnath Venugopalan.

Software Defined Networking was developed in an attempt to simplify networking and make it more secure. By separating the control plane (the controller)—which decides where packets are sent—from the data plane (the physical network)—which forwards traffic to its destination—the creators of SDN hoped to achieve scalability and agility in network management. The application layer (virtual services) is also separate. SDN increasingly uses elastic cloud architectures and dynamic resource allocation to achieve its infrastructure goals.

Network security today primarily aims to increase control over tightly segmented networks. This increases the complexity of the overall network and makes it harder to manage. This trend will continue as the quest to prevent the lateral movement of malware competes with the need to manage all of these networks. SDN can help provide greater security without increasing management headaches for complex virtual networks in data centers.

SDN can boost security by routing traffic, as appropriate, through a central next-generation firewall and intrusion prevention system as well as by dynamically reprogramming and restructuring a network that is suffering a distributed denial-of-service attack. SDN can also provide capabilities such as automatically quarantining an endpoint or network that has been infected with malware.

In spite of these benefits, SDN also opens potential security holes, especially in the connections between controllers and network elements, through which the SDN stack itself might become the target of a distributed denial-of-service attack. Security is not built into the SDN concept; it needs to be designed in from the start of development. SDN configuration errors can have more complex consequences than in traditional settings, so SDN requires meticulous adherence to the basic principles of information security and proper policy management. This need will become more important as SDN implementations vary from provider to provider and begin to cover very large virtual networks with several subnetworks, each with its own policy. Furthermore, SDN has a centralized architecture: compromising the central controller could give an attacker command of the entire network.

Security zones are not typically built into SDN solutions, so users must manually coordinate network access policies, port locations of security devices, and any exceptions. Because flexibility is a reason for SDN migration, it is likely that a change in the network will not be adequately reflected in the security infrastructure, or vice versa. Further, open APIs exposing security functions to SDN have not yet appeared, let alone been standardized, so API incompatibilities may also open security holes.

In 2014 and beyond, we will begin to see increased adoption of SDN in data centers, not just in the university networks where it began. We also expect to see targeted attacks that leverage policy configuration errors for infiltration and lateral movement, and DoS attacks that attempt to overwhelm the links between the controller and the data and application layers.

Exploiting human errors will be the first avenue of attack. As SDN management gets stronger and enterprise adoption of these networks grows, targeted attacks will focus on exploiting the SDN central controller to take over the network and completely bypass network protections.
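The two mechanisms this section describes, the controller quarantining an infected endpoint by reprogramming the network and a policy configuration error silently enabling lateral movement, can be shown on a small model of a priority-ordered flow table. The code below is an added example, not part of the McAfee post and not the API of any real SDN controller: it models OpenFlow-style rules (highest priority wins) with a shadowing check that reports rules which can never fire, and a quarantine helper that installs drop rules above everything else. The addresses and rule names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class FlowRule:
    name: str
    priority: int   # higher wins, as in an OpenFlow table
    src: str        # source CIDR
    dst: str        # destination CIDR
    action: str     # "forward" or "drop"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def lookup(table: List[FlowRule], src_ip: str, dst_ip: str) -> Optional[FlowRule]:
    """Data-plane behaviour: the highest-priority matching rule decides, None on table miss."""
    candidates = [r for r in table if r.matches(src_ip, dst_ip)]
    return max(candidates, key=lambda r: r.priority) if candidates else None


def shadowed_rules(table: List[FlowRule]) -> List[str]:
    """Names of rules that can never fire: a higher-priority rule covers their whole
    source and destination space. This is the policy check a controller should run
    before accepting a configuration; a shadowed block rule is a segmentation hole."""
    out = []
    for rule in table:
        for other in table:
            if other is rule or other.priority <= rule.priority:
                continue
            if (ip_network(rule.src).subnet_of(ip_network(other.src))
                    and ip_network(rule.dst).subnet_of(ip_network(other.dst))):
                out.append(rule.name)
                break
    return out


def quarantine(table: List[FlowRule], host_ip: str) -> List[FlowRule]:
    """Controller reaction to an infected endpoint: drop all traffic to and from the
    host by installing two rules above every existing priority, so no forward rule
    (however broad) can shadow them."""
    prio = max(r.priority for r in table) + 1
    host = f"{host_ip}/32"
    return table + [
        FlowRule(f"quarantine-{host_ip}-out", prio, host, "0.0.0.0/0", "drop"),
        FlowRule(f"quarantine-{host_ip}-in", prio, "0.0.0.0/0", host, "drop"),
    ]


# Constructed misconfiguration: the operator intends to block the HR segment from
# reaching finance, but a broad internal-to-internal forward rule was installed at a
# higher priority, so the block never matches and lateral movement is possible.
BASE_TABLE = [
    FlowRule("allow-internal", 100, "10.0.0.0/8", "10.0.0.0/8", "forward"),
    FlowRule("block-hr-to-finance", 50, "10.0.5.0/24", "10.0.9.0/24", "drop"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(BASE_TABLE))
    print("HR -> finance:", lookup(BASE_TABLE, "10.0.5.23", "10.0.9.7").action)
    quarantined = quarantine(BASE_TABLE, "10.0.5.23")
    print("after quarantine:", lookup(quarantined, "10.0.5.23", "10.0.9.7").action)
```

The shadowing test is a sufficient condition only (full coverage of both match fields); partially overlapping rules need a finer check, but the full-coverage case is the one that turns an intended segmentation rule into dead configuration. Note that the model says nothing about how the quarantine rule reaches the switch: if the controller-to-switch channel is saturated, as the DoS scenario above describes, the rule is never installed.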

 

2014 Threats Predictions: Cybercrime and Hacktivism Will Continue to Grow


This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by François Paget.

The Bitcoin saga will continue

In May, after the Liberty Reserve shutdown, cybercriminals looked for new sources of virtual currency to finance their businesses. They turned to Perfect Money, WebMoney (for a second time), and Bitcoin. But linking these virtual currencies to electronic or conventional (state-guaranteed) money remained difficult. Cybercriminals had to spend their virtual currencies primarily on the underground market, among themselves, to purchase drugs, services, or equipment. This money was directly reinvested in the black market and was difficult to launder; converting it into “good money” such as dollars or euros was also difficult.

But cybercriminals, and lawful users, have found a bit of relief. Some nation-states have decided to recognize Bitcoin: in August, Germany became one of the first countries in the world to recognize Bitcoin as a “private money”; in October, we saw the opening of the world’s first Bitcoin ATM in Vancouver, Canada. At the same time, French boutiques began selling branded perfume and nights at luxury hotels for Bitcoin, Los Angeles restaurants accepted it for payment, and an online newspaper claimed a Norwegian citizen bought an Oslo apartment with it.

Given this increasing acceptance, and barring a virtual stock market crash, we predict Bitcoin will remain popular and become a target for cybercriminals in 2014. As it becomes more accessible to the public, Bitcoin will certainly be used for money laundering. Attacks and fraud on exchange platforms, which have already occurred, will increase. Up to now, virtual money has been a platform on which cybercriminals worked in a closed world. In 2014, they will be able to hunt for newcomers.

This interest in virtual and decentralized money will attract more attention from law enforcement and justice officials. Following the money (and the criminals) will become more difficult. The battle against the Dark Web will not be easy to win.

Opportunities for cybercrime

In the coming year, the frontier between cybercrime and state-sponsored attacks will grow more porous. We expect to see advanced spying as a service, “waterholing” as a service, and cracking as a service. As with past aggressive marketing proposals, the distinction between legitimate and illegal activities will be more difficult to determine. Some illicit services will hide among legitimate ones.

As a complement to ATM or point-of-sale skimming, cybercriminals will improve ways to directly infect ATMs. 3D printers are sometimes used to create skimming devices, and these printers will become more popular in cybercrime circles. We anticipate ready-to-use firearms will be the next hot 3D-printed objects sold online.

Snowden boosts hacktivism movement

In November the “Million Mask March” organized by Anonymous attracted people in 450 locations around the world. This success can partially be attributed to the Edward Snowden affair, which will cause new supporters to join the movement. Fearing big brother surveillance systems, many citizens distrust their local administrations, forcing governments to delay the introduction of some legal procedures to fight cybercrime.

However, the varied motivations of Anonymous members will prevent most of their Internet operations from gaining much success. They will be numerous, as in 2013, but rarely highly damaging for their victims.

The Anonymous movement is only one face of hacktivism. Next year its signature will continue to be misappropriated by individuals or groups that range far from Anonymous’ ideals of freedom. Hacktivism in and from the Middle East will continue to grow.

Cyberwarfare a reality

Whether the result of a deliberate attack or of uncontrolled spreading, malware can not only destroy computer data but also disrupt people’s lives.

In September, malware in Israel caused the closure of a major roadway. One expert, speaking on the condition of anonymity, explained the attack was the work of unknown, sophisticated hackers, similar to the Anonymous group that led attacks on Israeli websites in April.

Politically motivated attacks will continue to increase. We’ll see more from patriots hiding behind the Anonymous brand or labeling themselves cyberarmies. Others will arrive from online spies of governments developing cyberoffensive capabilities. If cyberattacks against critical infrastructure succeed, we will have truly reached the age of cyberterrorism.

The 2014 Sochi Winter Olympics (in February) and the FIFA World Cup in Brazil (June-July) will be massive opportunities for criminals to exploit people’s curiosity to infect their systems with crimeware (for example, via booby trapped email or compromised sites). Hacktivists will also take advantage of these events to promote their ideas. In recent years, we’ve seen destructive malware associated with some politically motivated attacks. These attacks will continue in 2014.

Rioting and racism

Criminals have understood for years that it is easier and less dangerous to steal money online rather than in the physical world. This may be the year that rioting demonstrators will learn the same lesson. Data destruction just for pleasure may become a new threat if politicians cannot mollify certain violent elements of the population.

Racism is not dead and may become a new motivation for defacement. It’s growing on social networks (Facebook, Twitter, etc.). More of the Internet may be poisoned if we are not careful. Information manipulation is another threat we expect to see next year. Massive deliberately propagated digital misinformation could lead to confusion or worse.

Malware in humans a future nightmare

At some point in the future, physical attacks through the cyberworld will move from science fiction to reality. We expect to see real attacks or nasty proofs of concept against human implants in the coming years. We might also see psychological attacks via virtual reality games that lead to physical consequences.

Patient medical data, political party databases, and personal data from online VIP services will be increasingly targeted. Hackers will enjoy more successes searching for sensitive information on politicians, sports figures, and celebrities. Depending on the attackers’ motivation (money or ill intent), they will carry out blackmail or damage to reputations.
