Fast Forward: Dasient's Security Predictions for 2011

As we wrap up 2010 and reflect on some of the major security headlines of the year - Aurora, Zeus, WikiLeaks, Stuxnet - it's hard to look at 2011 without wondering how much worse it will get before it gets better. The reality is that cybercriminals are innovative, creative, and fast. We need to do better as a community to counter the threat they pose to our organizations and to the Internet as a whole. Following are Dasient's Top 5 Security Predictions for 2011:

1) There will be a large botnet cyber war that Zeus will end up winning. Zeus will hold its ground against other botnets that try and attack it. Botnets have been around for over a decade, but have evolved significantly since Tribe Flood Network (TFN), Trin00 and similar tools that were used to attack Amazon, Yahoo, and E*Trade in 2000. While only thousands of clients were used to cripple large web sites 10 years ago, the size of botnets have expanded to hundreds of thousands or millions of clients, have become multi-application (e.g., are used to send email spam, and do keystroke logging in addition to DDoS), and the growth of botnets has utilized more and more automated technology. Compromised machines that make up botnets have become a commodity, and while there are still lots of vulnerable, uncompromised machines that are available for the taking, attackers will eventually start to “butt-heads.” While there has been some early indications that attackers have patched machines that they have infected to prevent other attackers from stealing their infected machines, 2011 will likely be the year that large botnets will start more aggressively competing to sustain their growth, and users will get caught in the middle. Zeus has proven its ability to grow to sizes more significant than other botnets, and is also one of the more profitable botnets that targets financial institutions. We expect to see a botnet cyberwar in 2011, and predict that Zeus will come out on top.

2) Human mules will be replaced by malware that do the equivalent job of transferring balances between bank accounts using keystroke-logged credentials. Today, once user credentials such as bank account usernames and passwords are logged on compromised client machines, those credentials are shipped off to botmaster servers, aggregated, and provided to human mules. The human mules most often don’t know they are mules, but think they are doing “work-at-home” types of jobs in which part of their job responsibility is to make monetary transfers between bank accounts. In 2010, we saw some significant arrests of hundreds of such human mules. Just as system architects work to eliminate points of failure when building resilient systems, the cybercriminals will do the same for their operations. If human mules can be arrested and can get in the way of transferring money from the stolen accounts to the cybercriminal’s accounts, they’ll replace the humans with additional malware for that purpose. Writing software to automatically make transfers betweeen bank accounts does require good coding, management of session data, and other such technical details, but can be done rather simply with today's attack and automation tools. As such, like many areas of businesses today, humans will be taken “out-of-the-loop” to scale cybercriminal operations.

3) We’ll see the first significant HTML 5 abuses. The HTML5 standard has been in development for some time, and every major browser now includes some support for it. Some of the features include local browser storage in which web sites will be able to store more than just cookies on your machine, and support for inline videos without requiring third-party plug-ins such as Flash. With any new functionality comes increased attack surface, and the same will be true for HTML5. We expect to see things like malware authors stuffing malicious code into the local browser storage provided by HTML 5 and then executed via a browser vulnerability. In addition, as HTML 5 has native video tags, we expect to see zero-size video tags used to inject web-based malware, just as we see zero-size IFRAMES used today to do the same. As HTML5 implementations will be at their newest, cybercriminals will leverage bugs in the early implementations tospread malware.

4) Advanced IM threats will increase and be directed at the use of webcams and audio. Attackers have been using malware to do keystroke logging for years, but as the number of standard input devices on machines increase, so will the attackers' interest in them. Most PCs have built-in microphones, and while there has been some malware that automatically turns on and captures audio and video from these devices, we expect that webcam-logging and audio-logging will become just as popular as keystroke-logging. Malware authors will use the additional logging to build more “ransom-ware” in which they record sensitive conversations and pictures, and will then demand a ransom from individuals and companies by threatening to release the sensitive media onto the Internet or disclose to interested parties if the ransom is not paid.

5) As the use of social media web sites continues to grow, drive-by-downloads and rogue anti-virus will be used more aggressively on platforms such as Facebook and Twitter. This is evidenced by threats such as the Koobface botnet that continually targets Facebook, as well as the September XSS attack that targeted Twitter and
redirected users to porn and malware sites.