After something of a holiday hiatus at the end of last year, malware is back – according to security firm McAfee’s threat reports for the first quarter of this year.
“Although we observed declines in the numbers of many areas of malware and threats at the end of 2011, this quarter is almost its polar opposite. PC malware had its busiest quarter in recent history, and mobile malware also increased at a huge rate,” the report said.
McAfee reported the total number of malware samples at about 83 million, with new samples at nearly 7 million. The U.S. continues to be the prime target of malicious web content.
While fake antivirus programs declined, the company reported finding 200,000 new examples of password-stealing Trojan horses, plus increases in rootkits and malware with forged security signatures of trusted providers.
The biggest percentage spike, however, came in mobile malware, which went from fewer than 2,000 in the final quarter of 2011 to more than 8,000 in the first three months of 2012. The vast majority of that – almost 7,000 – were aimed at the Android platform. The company said some of that spike was due to better detection.
Pierluigi Paganini, a malware expert and program, delivery and maintenance director at Bit4Id, said it was “an expected and unavoidable event.”
There are multiple reasons for the explosion of interest in mobile platforms, the most obvious being the explosive growth of mobile devices, he said. “There is a large diffusion on mobile platform of social networking activities – millions of users always connected who share every kind of media without prevention. That’s a paradise for malware creators,” he said.
Blake Turrentine, a mobile security expert and trainer for Black Hat, added that mobile security has not kept up with the threats. “Anti-malware apps on mobile phones are in their infancy,” he said.
Couple that with a continuing lack of awareness of threats and almost casual risky behaviors, such as jailbreaking mobile phones or downloading apps from third-party stores, which are the main vehicles for spreading malware. Paganini said it is no surprise that there is “growing interest from cyber criminals and governments in mobile platforms. Setting up a botnet, for example, is not so hard, while the consequences [for victims] are devastating.”
Not only is it relatively easy to set up bots and botnets – they are not that expensive either, given the potential payoffs. McAfee reported that on underground forums they range in price from $450 to $8,000. They found that spam levels dropped by more than 1 trillion messages per month, but botnets grew to nearly 5 million infected computers.
Apple users remain less of a target than those with PCs, but attacks on Macs are increasing. It is not just the Flashback Trojan – McAfee reported about 250 new malware samples for the Mac, plus 150 fake antivirus malware samples.
How should enterprises confront the threat? David Marcus, research director at McAfee and one of the authors of the report, said it comes down to training and tools. “[Companies should] make sure their teams are staying current with the overall trends of the threat landscape and have training, tools and processes that allow them to react with agility,” Marcus said.
Paganini said mobile devices in particular “represent a projection of the company to the outside world and therefore require the application of all security measures necessary to protect the enterprise and the information it manages.”
Kevin McAleavey, cofounder and chief architect at the KNOS Project, said that should be obvious to CSOs. “Given that the viruses that they’re naming have been around for ages, I’d be wondering why those viruses are still out there,” he said.
McAleavey said most criminals are outsmarting current antivirus software. “Antiviruses have ‘heuristics’ these days, which spot an ‘unknown file.’ If it isn’t on their whitelist, then it must be ‘suspicious.’ What happens then is that they waste the user’s bandwidth uploading every ‘suspicious’ – that’s how they get those astronomical counts,” he said.
“Until a file is identified one way or another in their lab, then multiple ‘suspicious’ keep getting dumped into that bitbucket until it’s identified and either whitelisted or detected,” he said.
“But what happens in the real world is that virus writers keep obfuscating the same old file until it’s no longer detected. They can do this with encrypting, repacking – dozens of other ways to make it no longer match the AV signatures. Once they submit the file to a testing site and it comes back not detected, then they pass it along to victims,” McAleavey said.
Turrentine said mobile protection is weak because “they can only effectively run with the same permissions as any other app. Though they can detect a degree of suspicious activity, this is still a big disadvantage.”
Malware designed to jailbreak or root a smartphone OS “always has a leg up on the mobile McAfees of the world,” he said. “The malware is being packaged with these capabilities. It can neuter/bypass the limited ‘security’ apps easier based on the fact that if it is successful in gaining root level access to the system, it can override capabilities the lower privileged, sandboxed apps have.”
Turrentine said it is better than nothing to have security apps running on mobile platforms. “But they need to be fully integrated into the kernel of the smartphones’ operating systems to provide better and more effective protection. Better yet, perhaps, baked into chipsets of smartphones themselves,” he said.
Meanwhile, CSOs should “incorporate an anti-malware solution app provisioned by their mobile device management. They should also disable allowing end users to install third party app stores,” he said.