Mobile Malware and Cyber Warfare


Security analysts have been predicting the emergence of mobile malware for many years.

In 2011, criminals finally came through by attacking Google's popular Android OS. Meanwhile, the sophistication of Stuxnet, a nasty piece of code discovered in an Iranian uranium enrichment facility, has alarmed researchers who believe governments are stockpiling tools for cyberwar. Looking ahead, observers say a cataclysmic Cloud failure is only a matter of time.

MOBILE MALWARE, WINDOWS AND STUXNET Speculation is mounting that the recent discovery of a batch of trojanised Android apps carrying root exploits, dubbed DroidDream, signals a new major target for attackers beyond Windows.

Mobile phones have largely escaped the attention of attackers for the past decade, says Mikko Hypponen, chief security researcher at Finnish antivirus company F-Secure. But he expects that to change.

“We will see more attacks on Android,” he says, adding that unlocked iPhones are a worthy target too. “There will be copycats of the attacks we've seen, and possibly even exploit-based conceptions.” But unlike Windows environments, which can be compromised just by visiting a rigged website, most mobile victims still need to install the threat themselves.

That the “low hanging fruit” — Windows XP — still runs on about half of the world's desktops is another reason there won't be a tidal shift to other platforms just yet, says Hypponen. “They have plenty of time to attack iOS, Android and other platforms when XP has gone. So long as Windows XP is there, it makes sense to target that and only that.”

Russian antivirus czar Eugene Kaspersky also expects more attention to be paid to Android. He even predicts an all-out war between those with Windows skills and the younger, up-and-coming hackers with Android knowledge.

“Cyber criminals will be forced to move onto Android, because most home users don't need Microsoft Office. They need the Web — for social networks, for news, pictures. Smart phones and tablets. That's what they need,” says Kaspersky.

Exactly when that occurs is still up for debate. Hypponen expects the shift to happen once Windows 7 becomes the most widely used operating system, around 2013.

“Windows 7 is much harder to target and maybe then some of the current attackers realise there are other operating systems out there, including the mobile ones,” he says. When the shift does occur, Kaspersky envisions an actual “physical conflict” between the “old school Windows criminals” and younger Android developers. Windows cyber criminals will initially attempt to employ Android developers.

“The new generation — the Android criminals — will recognise they don't need management because they can do everything themselves.”

Meanwhile Stuxnet, the malware discovered in one of Iran's uranium enrichment plants, is so sophisticated and complex that security observers have grudgingly praised its designers and suggested it was likely created by a government cyberwarfare team.

“The exploit parts were definitely written by somebody or somebodies who knew what they were doing, for, you know, one of the top researchers out there, and there's not that big a fish bowl to choose from,” says HD Moore, CSO for vulnerability management and penetration testing firm Rapid7.

Kaspersky believes Stuxnet was the result of a “multi-million dollar project” and expects to see similar malware capabilities developed in future. “To develop such a complicated piece of malware, which had access to a lot of data, and help from outside. Criminal malware is much cheaper to develop than a Stuxnet attack.”

Hypponen predicts it's a sign of things to come. “I'm confident we're starting to see the beginnings of a cyber arms race and developed nations are starting to develop a stockpile of these cyber arms.”

Whether Australian critical infrastructure providers can ever be prepared for an attack of this nature is another matter. “It's a tough ask to say that Australian infrastructure organisations should be geared up to fend off an attack that sophisticated and determined. But it's certainly worth doing some war-gaming on a similar scenario,” says James Turner, IBRS security industry analyst.

THE NETWORK Having already found a gaping hole in the underlying infrastructure that supports much of the world's networks, Moore fears it may be the cause of a major disruption, and that fear could be well placed.

“If you look at what network infrastructure looks like these days, it's awful and it's not going to get better any time soon,” Moore says.

Moore's research into the VxWorks WDB debug agent, a remote debugging service he found left enabled on shipping devices and which he unveiled in 2010, revealed a serious flaw in the embedded operating system (OS) developed by Wind River, a subsidiary of Intel.

VxWorks is inside everything from space exploration equipment to defence aircraft. Dozens of telecoms equipment makers were vulnerable, including Alcatel-Lucent, Ericsson and Motorola, as were hardware and router makers such as HP, EMC, Brocade, Dell and Cisco.

A major risk stems from a persistent avoidance of patching these embedded devices.

“The number of machines that exposed their build date in the firmware is about 250,000 of that 3.1 billion,” says Moore, referring to his scan of “almost” every IP address on the internet. “250,000 is a small sample, but if you just look at Cisco routers, more than 55 to 58 per cent of those hadn't been updated since 2007.

“You have four years' worth of unpatched routers hanging out there that make up the majority of routers, since it's Cisco.”

HOME GROWN THREATS For local security industry analysts, however, it is people, processes and trust that are the major risks in the coming year.

“In Australia everybody thinks that the economic good times are back and here to stay and I'm not seeing sufficient planning,” says IBRS' Turner.

“My concern is that as these projects are rolled out, the pressure will be on for fast delivery and technical rollouts will be lobbed over to the IT security people who are told, ‘we're going live tomorrow, you need to certify this now’.

“We'll suddenly be back to the same old situation of security being an afterthought and a bolt-on,” he says. The byproduct of haste will be insecure websites, poorly designed mobility solutions, and overlooked information asset risks.

Jason Edelstein, chief technology officer for security firm Sense of Security, believes insider threats are still not treated seriously enough.

“While there is a lot of evidence to support this risk, most organisations ‘trust’ their staff and believe it will not happen to them,” says Edelstein. “We are too often called in to conduct the forensic postmortem following the theft of intellectual property or the actions of a disgruntled employee.”

Gartner's Andrew Walls takes a slightly longer view, believing that the origins of the insider threats businesses face today lie in placing too much faith in technological solutions and failing to invest in people.

“Many years ago we bought into this idea that through IT we could reduce our reliance on individuals,” he says, pointing to the so-called knowledge management systems that sought to capture tacit employee knowledge.

CLOUD Google, Microsoft and Amazon have yet to suffer a major data breach, but observers say it's only a matter of time.

“We're seeing mostly large retail establishments being compromised, but I wouldn't be surprised if we see something like Amazon EC2's back-end databases get leaked,” speculates Moore, who also created the Metasploit Framework, an open source penetration testing toolkit.

When it does happen, Gartner's security and risk research director, Andrew Walls, believes the fallout will demonstrate just how little knowledge end-users have of the services they've entrusted their data to. “Our expectation is that we're going to see some major corporate hits through cascading failures in the Cloud,” says Walls.

While these vendors may offer superior security to many end-users, they still lack transparency, he warns. “In the security world, if we have an unknown risk, we have to assume it is a high risk. If we can't get our hands around it, we have to assume it is really dangerous.”

“When we get that transparency, you can really start to do risk management. You can quantify the risk to some extent.”
