China has a whole lot of Internet users

Posted by Maxim Weinstein Fri, 25 Jul 2008 14:34:38 GMT

According to a story at Wired.com, Internet use in China is soaring:

China’s booming Internet population has surpassed the United States to become the world’s biggest, with 253 million people online despite government controls on Web use, according to government data reported Friday.

The latest figure on Web use at the end of June is a 56 percent increase from a year ago, the China Internet Network Information Center said. It said the share of the Chinese public using the Internet is still just 19.1 percent, leaving more room for rapid growth.

Last month, we reported that China hosts over half of the infected websites reported to us by Google. Combine a whole lot of Chinese Internet users with a whole lot of infected Chinese websites, and you have the potential for one heckuva lot of bots and trojans on Chinese computers. I hope that groups in China will work together to educate the population (and software vendors, hosting companies, etc.) about the risks and how to stay safe.


The ZlobFather

Posted by Maxim Weinstein Wed, 16 Jul 2008 17:02:43 GMT

Ars Technica reports on a recent report by security vendor Finjan, describing how criminal malware groups are getting more organized, much like the Mafia in The Godfather or the drug gangs in The Wire:

Finjan describes the employee structure that these cybercrime companies employ as being similar to the Mafia. In both cases, there is a “boss” who operates as a business entrepreneur and doesn’t commit the (cyber)crimes himself, with an “underboss” who manages the operation, sometimes providing the tools needed for attacks. In the Mafia, several “capos” operate beneath the underboss as lieutenants leading their own section of the operation with their own soldiers, and in cybercrime, “campaign managers” lead their own attacks to steal data with their “affiliation networks.” The stolen data are sold by “resellers,” similar to the Mafia’s “associates.” Since these individuals did not partake in the actual cybercrime, they know nothing about the original attacks. They do, however, know about “replacement rules” (for example, stolen credit cards that have been reported) and other company-specific policies, just like the sales representatives you talk to in your average store.

The more organized the criminals, the more industry players need to work together, share data, and organize ourselves against the badware threat. This is especially true if we want to thwart badware while still maintaining integrity and openness, as I described in my recent guest blog post at ZDNet.


Guest Blog Post: The Future of Malware?

Posted by Laureli Mallek Mon, 16 Jun 2008 20:09:43 GMT

StopBadware.org is glad to welcome Jon Kibler, the Chief Technical Officer of Advanced Systems Engineering Technology, Inc., to author a blog post on the future of malware. Jon draws on his years as a security professional to provide insight into malware developments that could have widespread implications for machinery from personal computers to medical devices. (Please note that guest blog posts are independently written, and do not represent official positions of StopBadware.org.)

The Future of Malware, by Jon Kibler

Traditional viruses and worms have almost disappeared from the malware landscape. Most malware today are Trojans, with rootkits (1, 2) and botnets (1, 2) becoming more dominant and difficult to detect.

In late 2007, the industry started seeing reports of hardware (e.g., digital picture frames and USB memory) that apparently came from the factory as infected devices. Speculation is that most of the items were contaminated during product testing with some possibility of deliberate contamination. These contaminated devices infect the host system when activated and should be detected by AV software as infected.

The next generation of malware may avoid detection by circumnavigating the computer’s CPU, or running on non-traditional computers. A typical computer has computational power other than the CPU: video cards have a GPU and their own RAM; sound cards, modems, NICs, and HDDs all have their own processors and memory. All of these could run malware.

The end of May gave us a proof-of-concept IOS rootkit, showing that Cisco devices are subject to compromise. The FBI has bragged about the number of counterfeit Cisco devices recently seized. There are also many reports of other counterfeit computer components and equipment being seized and counterfeiters being sued. So, it is clearly possible to find ‘unclean’ devices in the marketplace — devices that may include malware.

Another potential attack vector for which there is currently little to no protection is BIOS (firmware) malware. It is a trivial matter to detect a BIOS’s version. Thus, it is surprising that malware-infected, system-specific BIOS updates (auto-installed by another malware payload) are not already widespread. Or could it be that they are, and we just don’t know about them?

Network infrastructure malware may overshadow PC malware. From the perspective of bad guys, inspecting network traffic has great potential to collect useful information (e.g., credentials from ftp, telnet, pop, imap, and http) and conduct man-in-the-middle attacks against encrypted connections (e.g., collect clear text identity and financial information).

While it is true that the current generation of network malware (such as the IOS rootkit) requires privileged access to compromise a device, administrative mistakes make such access possible. In my experience, at least some Cisco routers still have the privileged default login of ‘cisco cisco’ enabled, usually because administrators forgot to delete that account. There are potentially tens of thousands of Cisco routers that could be susceptible to an IOS rootkit attack. Fortunately, there are tools available that can detect the type of rootkit recently demonstrated, but they are neither widely known nor deployed.

More insidious than an IOS rootkit would be a compromise of the IOS bootloader, which, for all practical purposes, is never updated. Thus, if the bootloader was compromised, it would be possible for rootkits to persist across IOS upgrades. This would be the ultimate goal of any Cisco malware developer.

Consumer grade network devices are much more susceptible to attack than commercial equipment. How many users even change the device’s default passwords or take other security measures? Worse, not only are most of these devices susceptible to malware, an attacker can easily replace the operating system on many of these devices.

This raises a critical question: If a consumer or a company purchased a router, firewall, video card, HDD, sound card, or other PC CPU-independent device, how would the average consumer or I.T. department be able to detect that the device was infected? This is an issue the anti-malware industry is essentially ignoring. The problem is not simple, but fixing it after these types of attacks are already in the wild is far too late.

One potential solution would be to digitally sign all embedded software or firmware. With this digital signature that was checked at boot time, any compromise of the image would be readily detected. Clearly, this would not be a perfect solution (if the device was compromised, the malware could simply patch around the checks), but it should be the next layer in the defenses we deploy. What I do not understand is why the industry is not already doing this today.
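To make the proposal concrete, here is an added example (not code from the post or from any vendor) of the loader-side check: a constructed signed-image container whose Ed25519 signature over the length and body is verified before the image is accepted, so patched, truncated, unsigned and wrongly-keyed images are all rejected. It assumes the container layout given in the comments and, per the caveat above, that the verifying loader and its embedded public key live somewhere the image itself cannot rewrite.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Constructed container layout for this example (not any vendor's real format):
//   4-byte magic | 8-byte big-endian image length | 64-byte Ed25519 signature | image
// The signature covers length || image, so truncation is caught as well as patching.
var magic = []byte("SFW1")

const hdrLen = 4 + 8 + ed25519.SignatureSize

// signedBytes builds length || image in a fresh buffer (never appending into blob,
// which would silently overwrite the signature that follows the length field).
func signedBytes(lenField, image []byte) []byte {
	return append(append(make([]byte, 0, 8+len(image)), lenField...), image...)
}

// SignImage is the vendor-side step: sign the built image with the private key.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	lenField := make([]byte, 8)
	binary.BigEndian.PutUint64(lenField, uint64(len(image)))
	sig := ed25519.Sign(priv, signedBytes(lenField, image))
	blob := append([]byte{}, magic...)
	blob = append(blob, lenField...)
	blob = append(blob, sig...)
	return append(blob, image...)
}

// VerifyImage plays the boot-time check: the loader holds only the public key and
// returns the image solely when the container parses and the signature validates.
func VerifyImage(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen || !bytes.Equal(blob[:4], magic) {
		return nil, errors.New("not a signed image")
	}
	lenField, sig, image := blob[4:12], blob[12:hdrLen], blob[hdrLen:]
	if binary.BigEndian.Uint64(lenField) != uint64(len(image)) {
		return nil, errors.New("length field does not match image size")
	}
	if !ed25519.Verify(pub, signedBytes(lenField, image), sig) {
		return nil, errors.New("signature invalid: image rejected")
	}
	return image, nil
}
```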

The preceding concerns me, but what really scares me is malware on non-traditional computers — computers which for architecture, performance, and/or regulatory safety reasons, usually cannot even run anti-malware software.

The ‘C’ in ‘CAT scan’ is for ‘computer.’ What happens when those computers become infected by malware? Software bugs have already killed people (1, 2). What happens when malware accidentally (or intentionally) causes computerized medical or laboratory equipment to malfunction, resulting in death? Industrial controls (e.g., SCADA, PLC, DCS, etc.) run much of our critical infrastructure. There have already been well-documented attacks against and failures of control systems (1, 2). A recent DoE experiment demonstrated how a cyber-terrorist could destroy a generator. The potential for malware damaging critical infrastructure is great. Many experts believe that a ‘Digital Pearl Harbor’ is not a question of ‘if’, rather it is a question of ‘when.’

The problem is that computers are everywhere. A few other examples of non-traditional computers include: specialized control systems (avionics, automotive and physical security, military weapon systems), consumer devices (appliances, DVRs, PDAs, video games, digital cameras), communications systems (cell phones (1, 2), PBXes, VoIP telephones, telco central office switching), and business equipment (cash registers, credit card systems, point-of-sale systems, copiers, printers). The list is nearly endless — and every one is potentially susceptible to malware.

The malware problem is not going away. In fact, it is going to get worse. Far worse. The question is: Can we adequately anticipate the future of malware and preempt its attacks against our most critical systems?


A Flash in the Pan

Posted by Maxim Weinstein Wed, 28 May 2008 12:45:29 GMT

It appears that someone took advantage of an unpatched hole in Adobe Flash player, along with a SQL injection attack, to initiate a drive-by download to visitors of some 20,000 websites. The target? “It turns out that the whole attack just steals World of Warcraft passwords…”

Even if you’re not a World of Warcraft player, you may still want to protect yourself from the download. Since the Flash vulnerability is not yet patched, this will require some combination of heeding warnings about dangerous sites and keeping your security software up to date. Or, if you want full protection with a corresponding loss of functionality, you can always uninstall Flash Player or use a browser plug-in that blocks Flash objects.


Day Trading For Hackers

Posted by Maxim Weinstein Thu, 08 May 2008 17:44:17 GMT

Brian Krebs at the Washington Post has this nifty piece about a website that appears to be set up to allow malicious hackers to buy and sell traffic to/from particular websites. As the post explains:

Set up a free account at Robotraff and you’re ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer.

Or maybe you’re just getting started and you can’t be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need.

This is why the “good guys” need to work together to innovate and share information to protect users. Because the bad guys are already taking advantage of everything the ’net has to offer.


Whose side is your hardware on?

Posted by Laureli Mallek Thu, 01 May 2008 20:21:06 GMT

In a paper titled Designing and implementing malicious hardware, a team from University of Illinois Urbana (Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou) delved into the possibility of malicious circuits being used to circumvent current anti-virus protocols:

Hidden malicious circuits provide an attacker with a stealthy attack vector. As they occupy a layer below the entire software stack, malicious circuits can bypass traditional defensive techniques.

King and his team designed and implemented malicious circuitry using a processor called a field programmable gate array (FPGA). Connecting the FPGA to an external computer enabled the team to steal data from machines without software vulnerabilities. At the Large-Scale Exploits and Emergent Threats conference in San Francisco last month, King said this is not a threat that can be executed on the weekends, as it requires contact with hardware during the manufacturing phase, yet the reward is immense.

Symantec raised concerns over the manufacturing process in a report issued earlier this year. “The longer the manufacturing supply chain during this process, the greater the opportunity for malicious code to be embedded in the devices directly.” Similar exploits have occurred already: virus-infected digital picture frames, thumb drives, and counterfeit hardware.

New Scientist quotes Simha Sethumadhavan who believes the increasing complexity of both chips and their design processes increase opportunities for hackers to infiltrate undetected.


Microsoft: Web attacks on the rise

Posted by Maxim Weinstein Thu, 24 Apr 2008 18:12:05 GMT

Robert McMillan over at ComputerWorld reports that Microsoft has found a significant increase in web-based attacks in the past year:

Criminals changed tactics in the last six months of 2007, dropping malicious e-mail in favor of Web-based attacks, according to data reported to Microsoft Corp. by Windows users.

The company saw the number of Trojan horse downloader programs it removed from Windows machines jump by 300%, according to Jimmy Kuo, principal architect with Microsoft’s Malware Protection Center. These programs masquerade as legitimate pieces of software, but once installed they then download malicious software such as spyware or adware onto the victim’s computer. They are typically installed via the Web.

See the ComputerWorld story or the original report for more interesting stats.


iPowerWeb Update

Posted by Maxim Weinstein Tue, 08 Apr 2008 15:16:47 GMT

Nearly a year ago we identified hosting providers with the greatest number of infected sites (found by Google) on their networks. At the time, the dubious honor of “leader” was held by iPowerWeb, with over 10,000 infected sites. At the time, we worked with iPowerWeb as they cleaned up their infected sites and secured their servers. We did so again when they had a smaller breakout of infected sites in December.

Notably, in our latest top networks stats, you won’t see iPowerWeb. In fact, iPowerWeb is near the bottom of our list now, with only 66 infected sites on their network.

Kudos to iPowerWeb for taking steps over the past year to secure their hosting servers against attack and thereby protecting Internet users.


Fun With Security

Posted by Maxim Weinstein Tue, 08 Apr 2008 14:14:10 GMT

(Cartoon image not reproduced here.) Reproduced with permission [1].

Two security researchers with artistic tendencies, Srikwan & Jakobsson, have created a set of cartoons to educate users on a wide variety of computer security topics. I think they tend to be a bit too focused on scaring people into awareness, but they do have some really good content, delivered in a comic style.

[1] This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. Please visit www.SecurityCartoon.com for more material.


Mac hacked via web

Posted by Maxim Weinstein Fri, 28 Mar 2008 14:14:46 GMT

According to the Mac Observer, a MacBook Air was compromised via what sounds like a drive-by download style attack in a hacking competition:

On the first day of the event, contestants unsuccessfully attempted to remotely hack into the Mac, a Windows PC, and a Linux PC. On the second day, however, Mr. Miller was able to gain control over the MacBook Air in only two minutes by directing a contest organizer to visit a specially crafted Web site with the laptop.

Although the exploit code is not “in the wild” as the security industry likes to say, this still sends the message that the Mac is not immune to such attacks, even if Windows is the more commonly-exploited platform.
