So let’s take a look at a few predictions which are more likely to hit the mark:

1. Social Networks

Social networks are malware creators’ field of opportunity. Why? Think about it, social media users share information (sometimes too personal) with their ‘friends’ and click on their friend’s posts and links without the slightest suspicion that that link might be malicious. They don’t see the link; they see who posted it and associate it with him/her – a friend they trust. This is just what hackers want – victims delivered on a silver platter. There are various methods of stealing social networking logins, gain access and then use these trusted profiles to send spam email and share other malicious content. We’ve already seen this happen in 2011 with the Ramnit virus which was used to steal 45,000 passwords, and it will surely be used more often. Social network details will be sold in the online blackmarket, and will become a much sought after resource leading to more and more attacks.

On the same lines, celebrity Twitter accounts will also become lucrative targets. With millions of followers, a compromised account could result in millions of victims in a few hours. Lady Gaga was the notorious target in 2011. Who will it be in 2012?

2. Social Engineering

Highly targeted social engineering will remain hackers’ top method of attack. Malware creators will design new and highly targeted techniques which will win them their victims’ trust and guide them into giving the information they’re after. We can expect variants of existing techniques to flourish as well.

3. Mobile Malware

What about your mobile device? With so many smart phones around (especially in the business sphere – where people are using these phones to check their work mail even when outside the office), this is a brilliant opportunity for malicious individuals to get information from their victims. And to add insult to injury, few mobile users are aware of the threats. They tend to install any app without reviewing permissions or the small print (or lack of it), making it so easy for rogue apps to make it onto their device. There’s definitely going to be more news of adware, spyware and other malware targeting mobile devices this year!

4. Topical News

And once we’re at it, the end of the world predictions (and with it, the Mayan calendar), the London Olympics, the elections in the US, and any other major events will definitely be used to spread more malicious attacks.

How can you prevent these threats from turning 2012 into a year that will mark the end of the world for your business?

The first and most important step is to educate your employees. You can invest in the best security software and control most of what goes on in your infrastructure, but what about what happens outside work? Who is going to stop an employee from giving out confidential information to malicious sites whilst working from home? Your employees need to understand the danger and they need to know how to distinguish phishing and malicious mail from genuine email, malicious URLs and downloads from the real thing and so on.

One way to educate employees is for the IT department and Human Resources to work together to create an acceptable usage policy which employees can refer to. Not only will this document clearly state what is acceptable or not, but it will help employees to understand what threats exist and how their actions can cause problems for the company and for themselves.

The next step: do not believe that every employee is going to follow policy to the letter or do everything right. You need to complement education with an investment in the right security tools. Even the most cautious of employees can be misled by websites that appear to be genuine. Protect your corporate network by investing in good web monitoring, web filtering and web security solutions; suggest to your employees to invest in a good anti-virus solution for their phones; and if those phones are sanctioned by the company, make sure you have the tools in place to implement security and protect the network. Also invest in a comprehensive email security solution.

Are you seeing any other forms of cybercrime making the headlines this year? Leave us a comment and let us know!

February 7th will be a fun day indeed if you love the smell of Malware in the morning.

GFI SandBox 4.0 will make advanced malware analysis quicker and easier, and comes with a new Malware Determination Engine which will provide users with risk levels of “Low”, “Medium”, “High” or “Known” for each potential malware sample.

More over at Dark Reading.

Christopher Boyd

Of course, one doesn’t need to go hunting for a YouTube page for the URL. Here it is: http://www(dot)mediafire(dot)com/?i1o0fsa9t5gvpld.

Users visiting the page can readily download and extract the compressed file Pro Evolution Soccer 2012 Keygen. In it are three files: an HTML file, a text file, and another compressed file, which contains the key generator application. The text file doesn’t actually contain the password it claims to have. Instead, it contains a shortened URL users must visit to get the password from.

http://tinyurl(dot)com/64ad4m is actually http://lnkgt(dot)com/7RM, a survey page that users must answer before their password is given to them.

Unfortunately, after users fill in the survey, gets the password to be used to run the keygen, they inevitably end up installing malware on their systems. Not just any malware; it’s a rootkit: ZeroAccess, a sophisticated rootkit known for overwriting critical OS files. Luckily, almost all AV vendors detect this one. Take a look.

Do note that the MediaFire URL is also mentioned on other website platforms that allow the embedding of video clips (such as the one below).

The more the URL is out there, the more likely someone can and will install the rootkit onto their systems. Stay safe, everyone!

Jovi Umawing (Thanks, Matthew)

Hackers are changing their habits and using new methods which are web-based, dynamic in their nature and hidden in otherwise legitimate sites. The end-user remains the weakest link in web security as malware authors exploit this weakness to launch their attacks, preying on human interest, curiosity and behavior. Social networks are “trusted” and users rely on their IT administrator to provide protection, thereby lulling everybody into a false sense of security.

1. Exploiting news events – hackers use headline stories to trick users

Barely 24 hours had passed following the announcement of Gaddafi’s death that we started to see targeted malware being released to exploit the public’s curiosity of this big news story. Cyber-criminals will take advantage of human interest – and big world news stories as these generate a huge amount of coverage and internet activity. The same occurred when Bin Laden died and when the Royal Wedding was held – and the trend will continue. This same trick is used for Halloween and other seasonal stories; we’ve seen many of these emerge on social networking sites and others. Social engineered attacks convince users to download content supposedly related to the event that is infected with new strains of malware. Any event which is highly newsworthy and generates interest will be used to propagate malware, scams and other fraud.

2. Insecure browsers and plug-ins – using only Windows Update is not enough

Although your favorite web browser and operating system may be secured and patched, the reality is that most people do not update browser plugins. Java, Adobe Flash and Adobe Reader browser plugins are often outdated and there are many web exploits which use this weakness to infect networks. Web exploits which target these vulnerabilities specifically (such as the Blackhole exploit kit) are becoming increasingly popular in the cyber-criminal community.

3. Compromised high-profile websites and “drive-by downloads”

So how do these exploits spread? The first method is “fast-flux” sites; websites which are created solely for the purpose of distributing malware for a short time. The second way is by compromising a high profile website and injecting a “drive-by download” – a piece of code which infects a user as soon as they visit a website (there’s no need to click anything – simply visiting the website will infect the user’s machine – hence drive-by). The usps.gov website and the mysql.org website were both subjected to these kinds of attacks.

There is a third method of spreading these infections. Rather than exploiting a specific website, malware authors submit infected content to web advertising companies. This content is then passed onto thousands of websites affiliated with these advertising companies, and any website hosting these adverts will distribute malware until this code is detected. The London Stock Exchange was one website that exposed this kind of attack this year, though it was by no means the only one.

4. Search engine poisoning

End-users have grown accustomed to trust search engines. They (wrongly) believe that a renowned search engine, such as Google or Bing, would never direct them to a website which is infected with malware. But search engines do not really make a distinction between websites; they display search results according to their ranking algorithms. As a result, malware authors inundate search results with links to baited pages that take users to malicious websites which will download malware onto their computer. Since users were becoming suspicious of clicking certain types of links, this kind of search has now shifted towards image searches which are much harder to prevent.

As web threats continue to evolve, it becomes harder and harder to ignore the threat exposed by user web browsing, and as attacks continue to evolve, you need to make sure that your web browsing activity is not giving you more than you bargained for.

Have a look at what GFI WebMonitor can do for you to improve web security, or just download a free trial and give it a spin!

And, oh: Facebook users should watch their backs, too.

Our malware researchers at the AV Labs, Robert and Matthew, has seen something in the wild that might spoil the holiday spirits a bit. It began as an email message supposedly from Amazon with the subject “Your Amazon.com order of Omron WXH-108F Fat Loss… has shipped”.

Clicking any of the links on the email body directs users to jongerencentrumdebus(dot)nl/wp-content/uploads/fgallery/news.html, a likely compromised site, and then directs to ageoloft(dot)info/main(dot)php?page=525447c096f8efbf, a known Black Hole Exploit Kit host.

The said ageoloft(dot)info automatically downloads a .PDF file (an exploit) onto systems. This then exploits Adobe Reader to run malicious executable files on these systems. Furthermore, a worm, which GFI Software detects as Win32.Malware!Drop, is downloaded onto systems.

We detect the exploit page as Trojan.JS.Obfuscator.w (v); the PDF file that is part of the kit, Exploit.PDF-JS.Gen (v).

With the number of Internet users shopping online using services such as Amazon and eBay, it pays to be cautious fourfold, especially at this time of the year. Criminals know when and how users—you—spend their time there.

Jovi Umawing (Thanks to Robert and Matthew)

Most techies understand the web security risks posed by web browsing and we all take simple steps to mitigate these risks on a personal level. We can smell a phishing email from miles away, we ignore IM-based threats, and we suspect a Facebook worm as soon as we see a link getting posted over and over again. There are other ‘activities’ which we learn to screen out, but most users don’t. Malware authors exploit this lack of awareness to propagate their schemes – posing a security risk to the network.

‘But why is this dangerous?’ you may ask.

Although you may already have antivirus software installed on every endpoint, the extremely fast nature and growth of the internet makes it very difficult for a single antivirus to stop all threats.

‘So how do I limit the risk that casual user browsing poses?’

This can be done using multiple layers of web browsing protection – all working in tandem.

Proactive Protection – Automatic blocking of known malicious websites – powered by ThreatTrack

GFI WebMonitor™ 2011 R3 already scans every download with three antivirus engines. ‘But isn’t it better to stop a threat before a user can download an infected file?’ GFI WebMonitor now automatically blocks hundreds of thousands of known malicious websites – all of which are obtained through extensive monitoring of the latest threats through all of our sensors. This list includes websites which have been hacked temporarily and are currently distributing malware or malicious content such as spyware, adware, rogue software utilities, phishing scams etc. With the list being updated every hour you can be sure that the most recent threats are blocked.

Preventive Protection – Blocking Suspicious sites using Web Reputation

With ThreatTrack blocking we are automatically blocking those “known bad websites”. But that leaves us with a host of websites which could be malicious. How do we block websites which have not yet been detected? How do we prevent users from browsing websites which might turn out to be malicious? How do we know whether we should visit a website which we have never seen before? This is where Web Reputation comes in to address the ‘unknown’.

Web Reputation gives a score to websites to determine if these sites are safe to visit or not. It is like your safety consultant, who knows the unknown areas you’re thinking of visiting and is recommending whether you should visit or not. With Web Reputation we can advise you whether visiting a certain website may pose a risk. This is based on the experience we’ve gained from “monitoring” millions of websites and looking at their behavior. The advice is independent of categories and content. For example, any website not in our continuously growing 280 million website database is considered suspicious. There are many other factors we take into consideration, but based on experience we can safely say that you now have a security expert next to you and every user browsing the web.

With the above two features, and many others in GFI WebMonitor, including:

• Blocking of WebGrade Security related categories
• Scanning of downloads with multiple antivirus engines and including HTTPS scanning
• An antiphishing engine
• File download control

it has never been easier for SMEs to implement complete web security.

Have a look at what GFI WebMonitor can do for you to improve web security, or just download a free trial and give it a spin!

The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare.

Please keep in mind that securing your information, including your social network credentials, is a must. Never unknowingly click links on messages sent over by online contacts. Make sure that they did send messages to you first before doing something; else, it is best if you simply delete them from your message inbox.

Jovi Umawing

Very few! And those guarantees disappear if the organization does not have adequate security solutions in place. We’re not talking just email security here but web security as well.

A recent survey commissioned by GFI Software among small and medium businesses in the US found that 40% know with certainty that they suffered some sort of security breach as a result of employees navigating to websites that host malware, infected downloads or have been corrupted by malicious code.

The Internet is a hornets’ nest of malware and other nasties and the bad guys are primed to pounce on suspecting users. What is worrying is that despite the high risk of infection, there are still organizations that are not paying attention to the problem or they are doing so for a good but not necessarily the most important reason.

The results show that even in the face of such infections, a majority of web monitoring software users do not cite defense of their network as the main driver for deploying such a solution. 55% of SMBs indicate that defense against infected websites is not their main priority.

A total of 24% of all respondents use it mainly to ensure employee productivity; 13.5% to conserve network bandwidth and speed; and 11.5% to prevent employees from visiting inappropriate sites.

These are all valid reasons to use web monitoring software but what about security?

These results indicate a lack of awareness about the full capabilities of web monitoring software and how these solutions are evolving into critical components of effective SMB network security practices. Protecting the network from malicious websites and downloads should be a top priority for IT managers in addition to concerns over employee productivity and bandwidth management.

The survey found that 70% of those not using web monitoring or filtering software claim that web use is not a problem in their organization. With all the threats that are reported in the media on daily basis, these organizations are really taking a big risk.

Web monitoring solutions that equip IT administrators with an additional layer of network defense against online threats and provide employees with the tools they need to make better, safer decisions while online go a long way in helping SMBs balance the benefits of Internet access with the risks it creates.

The survey of 200 U.S.-based IT decision makers at organizations with between five and 249 employees was fielded by noted polling expert Opinion Matters, between Sept. 29 and Oct. 4, 2011.

Our friends at ESET have in depth analyses of this TDSS rootkit, and from what they have observed as of late, this nasty malware have evolved again; however, it’s not the kind of evolution anyone might have expected:

“Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions. These changes might suggest one of the following: either the team developing the botnet has been changed, or TDL4 developers have started selling a bootkit builder to other cybercrime groups.”

You can read more about it here on their official blog. By the looks of this, this TDSS is becoming more and more sophisticated the longer its developers continue to improve on it.

Jovi Umawing

Malware

1. Viruses
Most infected files these days are downloaded from the Internet. Whether the user is trying to get an application for their job or a new screensaver, downloads which have not been scanned become bad news.
2. Trojans
Many Internet downloads contain remote access Trojans or spam mailers, designed to give bad guys access to your data and resources.
3. Cross-site scripting
Even with up-to-date antivirus software, visits to infected websites can steal information by tricking users into filling out forms they think are safe, or presenting them with malicious content.
4. Tracking
Complete privacy on the Internet is not practical, but providing your complete web history to advertisers is not a good idea either.
5. Botnets
Infected computers often become zombies, reaching out to contact the command and control servers for orders.
6. Spyware and adware
Keyloggers, browsing history, and pop-up ads, are all part of the fun of surfing to the wrong places on the web today.

Phishing sites

7. Identity Theft
Many phishing sites ask for personal information in order to assume the identity of the victim.
8. Financial loss
Other phishing sites may be after credit card or bank account details for immediate financial gain.
9. Social engineering
There are sites out there trying to gain usernames and passwords to webmail, online banking, and remote access systems, with which they can access for further nefarious deeds.

Inappropriate content

10. Pornography
What users do at home is their own business; what they do at work could get the company sued.
11. Racial hatred
It’s a shame that in 2011 racism is still rife and this can lead to a hostile work environment suit.
12. Religious intolerance
Much like racial hatred, religious intolerance of any faith has no place at work, and could also lead to a hostile work environment.
13. Alcohol, tobacco and drug related sites
Unless you work in the industry, there is little chance these topics are work related, but if the arise within the workplace, they could cause tension among employees.

Data loss prevention

14. WikiLeaks type sites
The company’s confidential information won’t stay confidential for long if it is posted to a public site and makes the evening news.
15. Forums
Disgruntled employees may think they are harmlessly venting when the rant on a forum, but the company’s reputation may suffer as a result.
16. Blogs
Company approved blogs are good; technical blogs are too. But a user blogging at work (unless that’s their job) is wasting time, and might be posting confidential information not yet ready for public release.
17. Instant messaging
An approved corporate IM solution is a valuable communications tool; unrestricted access to public services can present many risks, including IM spam, malicious links and data leakage.
18. P2P
Peer to peer software can be useful, but too often a user shares their entire hard drive, making all the company documents on it available to others.
19. Online storage
If a user needs to store data with an online storage company, that data is now outside the company’s control. You’re not backing it up, searching and indexing it, and you cannot retrieve it if the employee leaves. Unless approved by the company, users should never be allowed to use cloud storage services.
20. Webmail
Companies that use DLP solutions on their email system do so to make sure nothing is being emailed that presents a risk, like IP, NPI, or other sensitive data. Letting users access webmail provides them a way around this, and also risks them using personal email for corporate business.

Lost productivity

21. Social Networking
Checking their Facebook wall post may sound like a one-minute thing, but this might turn into hours per week as users tend to do other things once there such as commenting on/following their friend’s status updates, images, videos, andso on.
22. Auctions
Submitting a bid might take only seconds at the start of an auction, but users can burn hours checking on a long term auction, or staying onto the close to make sure they aren’t outbid.
23. Gaming
No need for explanations here, an innocent five minute break to play an online game, might turn into long wasted hours.
24. Gambling
Just as in online gaming, but with the added concerns that this could lead to legal issues.
25. Dating
Dating sites can become attention traps, leading a user to spend the entire day checking out their possibilities rather than focusing on their job.
26. Software downloads
Any software a user needs should come from IT, to ensure it is licensed, appropriate for the task, supportable, and doesn’t crash their PC or LOB application.
27. Daytrading and investment sites
Another site that seems harmless at first, until the user spends all morning waiting for the exact moment to buy or sell.
28. Employment sites
If they want to hunt for another job, they really need to do that on their own time.
29. Online shopping
Here’s one you may want to allow a limited amount of access to, especially during the holidays, but you don’t want users to spend all day shopping when they should be working.

Copyright violations

30. Torrent sites
Bittorrent is a very useful protocol for distributing ISOs of open source operating systems, but too often it is used to distribute movies and music. This could go under bandwidth crushers, but the bigger risk is that your company gets sued by the MPAA or RIAA.
31. Warez
Unlicensed software can cost a company millions of dollars in fines. If a user needs an application to do their job, make sure that IT is buying it legitimately and licensing it appropriately. The BSA does take legal action.

Bandwidth crushers

32. Internet radio
A single user streaming music may not use much bandwidth, but when the entire office is doing it, the total can quickly saturate a pipe.
33. Sporting events
I once worked for a company that only blocked one thing – the NCAA Final Four Basketball Tournament. Every year we had to scramble to block every possible way it could be viewed online because it not only killed productivity, it took out the campus DS3.
34. TV and movie sites
Some folks might be able to work with the TV on in the background; most can’t really work well though, and the amount of aggregate bandwidth several simultaneous streaming movies can consume can quickly use up the entire circuit.

Policy violations

35. Anonymizers
You can argue that anonymizers are only there to protect users’ privacy, but you cannot argue that there is a real reason why they need that while surfing at work. Whatever they are doing online, if they need to use an anonymizer service, it probably isn’t work related.
36. Open proxies
Here’s another case where the likelihood that whatever they are doing is work-related approaches zero. Open proxies really just help you hide your actions or access content that is not licensed for your actual country of origin. In either case, it’s not work related activity.
37. IM portals
If you are blocking instant messaging, the easiest way to get around that is for a user to hit the service’s web portal or one of the many IM aggregation portals that exist. Blocking these helps ensure you are restricting IM access.

You don’t need to block 100% of all sites within all of these categories. A certain amount of recreational Internet access can go a long way towards improving employee morale, and if it doesn’t cause a productivity issue, and all users obey the rules, there’s no harm for most organizations. Look for web filtering software that can permit a certain amount of recreational use, either by total time or bandwidth used. “Nothing in excess” is a good rule of thumb for those categories that don’t present a risk of data loss or malware infection. While uncontrolled Internet access presents many risks, a good web filtering solution and appropriate policies can mitigate those while still letting users surf the web.