Over the past couple of years there have been news reports on the origin of targeted attacks that use sophisticated malware. Stuxnet is one such example. If these reports are accurate and governments are developing malware as part of their military and economic espionage programs, it's a safe bet that there have been unintended consequences that we will continue to see in 2013 and beyond. For example, one of the vulnerabilities that Stuxnet uses is CVE-2010-2568, the Windows Shell shortcut (.LNK) icon-handling vulnerability, for which an update was released back in 2010 (MS10-046). Since then many malware authors have adapted their malware to use this vulnerability in an attempt to compromise as many systems as possible. Data published in the Microsoft Security Intelligence Report volume 13 indicates that exploits targeting CVE-2010-2568 accounted for more than 85 percent of operating system exploit detections worldwide in the first half of 2012; over three quarters of a million systems reported detections of this exploit in the second quarter of 2012 alone, almost two years after the associated security updates were released.
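The practical question this raises for a defender is whether a given host actually has the MS10-046 update applied. The PowerShell snippet below is an added example, not part of the original post or Microsoft's own tooling, that checks for it. It assumes KB2286198 is the knowledge base article number for MS10-046 (that is the number the bulletin carries; verify it before relying on it) and that the update was installed as a standalone hotfix, which is how it appears on the Windows versions the bulletin covered.

```powershell
# Added example (not from the original post): report whether the MS10-046
# update is present on a host. Assumes KB2286198 is the KB number for
# MS10-046; confirm against the bulletin before using this operationally.
$Ms10046Kb = 'KB2286198'

function Test-Ms10046Installed {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Get-HotFix reads the QFE records written when a standalone update is
    # installed; it does not see fixes folded into later cumulative updates,
    # so 'Missing' is only meaningful on the OS versions MS10-046 applied to.
    $hotfix = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $Ms10046Kb }

    [pscustomobject]@{
        Computer    = $ComputerName
        Update      = $Ms10046Kb
        Status      = if ($hotfix) { 'Installed' } else { 'Missing' }
        InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

# Check the local machine; pass -ComputerName to query a remote host over WMI.
Test-Ms10046Installed
```

Run it across a fleet (for example, piping computer names into `ForEach-Object { Test-Ms10046Installed -ComputerName $_ }`) and the 'Missing' rows are the systems still exposed to the exploit the report describes.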
As attackers shift their tactics, the relative prevalence of the categories of malware that Microsoft antimalware products and tools block and clean from systems all over the world changes. For example, worms have come in and gone out of vogue with attackers over time, as seen in the figure below. Over the past few years Trojans (and the social engineering used to deliver them) have become the most prevalent category of threats. This is also true for mobile app marketplaces, as evidenced in Figure 1 by the Unix/Lotoor threat that targets Android users. I expect this trend to continue in 2013.
The long-term trends are very clear: attackers have been leveraging drive-by download attacks and cross-site scripting attacks more and more each year. Drive-by download attacks are being made easier to perpetrate by the broad availability of exploit kits, such as the Blacole (Blackhole) exploit kit. Such kits let attackers focus on vulnerabilities in ubiquitous software that is infrequently updated or hard to keep up to date. I don't think I'm making a risky prediction that attackers will continue to use drive-by attacks and cross-site scripting as much, or even more, in 2013 than they did in 2012.
- What You Should Know About Drive-By Download Attacks - Part 1
- What You Should Know About Drive-By Download Attacks – Part 2
As the drive-by download data above indicates, many attackers rely on outdated software to compromise systems. This has been a successful tactic for many years, and attackers will continue to use it for the foreseeable future. As I predicted above, we will see large numbers of detections and blocks of drive-by download attacks and exploit attempts in 2013. But these attacks will become less effective than they have been in the past. We have already started to see signs of this. For example, following a surge in detections that peaked in the third quarter of 2011, detections of exploits that target vulnerabilities in Adobe Flash Player have decreased significantly in every subsequent quarter, likely because Flash Player has become easier to keep updated.
Two new technologies, the Unified Extensible Firmware Interface (UEFI) and Secure Boot, provide more protection against rootkits and other boot loader attacks. Secure Boot is a UEFI feature under which the firmware verifies the digital signature of each boot component before executing it, so an unsigned or tampered boot loader (the foothold a bootkit depends on) is refused before the operating system ever loads. As systems that leverage these technologies become more pervasive, I expect purveyors of rootkits to attempt to innovate and evolve their malware in response.
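The protection only applies when Secure Boot is actually switched on, so the first check a practitioner wants is whether a host is enforcing it. The snippet below is an added example (not from the original post) for Windows 8 and later, which ship the `Confirm-SecureBootUEFI` cmdlet. It assumes the firmware type is exposed in `$env:firmware_type` and that the kernel mirrors the Secure Boot state in the registry value `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled`, which is readable without elevation.

```powershell
# Added example (not from the original post): report how this Windows host
# booted and whether Secure Boot is enforced. Assumes Windows 8 or later,
# where $env:firmware_type is set and Confirm-SecureBootUEFI exists.
function Get-SecureBootState {
    $state = [ordered]@{
        Computer     = $env:COMPUTERNAME
        FirmwareType = $env:firmware_type   # 'UEFI' or 'Legacy'
        SecureBoot   = 'Unknown'
        Source       = $null
    }

    # Preferred source: the cmdlet queries firmware directly but needs an
    # elevated session and throws on BIOS/CSM boots or unsupported firmware.
    try {
        $state.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
        $state.Source = 'Confirm-SecureBootUEFI'
        return [pscustomobject]$state
    } catch {
        $detail = $_.Exception.Message
    }

    # Fallback: the kernel records the Secure Boot state at boot in the
    # registry; this does not require administrator rights.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $reg = Get-ItemProperty -Path $regPath -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
    if ($reg) {
        $state.SecureBoot = if ($reg.UEFISecureBootEnabled -eq 1) { 'Enabled' } else { 'Disabled' }
        $state.Source = 'Registry'
    } else {
        # No registry state and the cmdlet failed: almost always a legacy
        # BIOS boot, where Secure Boot cannot be enforced at all.
        $state.SecureBoot = "Not available ($detail)"
        $state.Source = 'None'
    }
    [pscustomobject]$state
}

Get-SecureBootState
```

A result of `FirmwareType = Legacy` or `SecureBoot = Disabled` means the boot path is exactly as exposed to bootkits as it was before UEFI; the cmdlet path is authoritative when it runs elevated, and the registry fallback lets the check run from unprivileged inventory scripts.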