A Verisign report looking at security dangers for 2012 pointed to MaaS and an open-source Zeus kit as issues, but also noted that sandbox technology helps against exploits.
Verisign researchers, looking at what happened in the world
of security in 2011 to get a better feel for what to expect this year, are
warning against cyber-attackers beginning to offer customers more services and
leveraging the Zeus Trojan as an open-source kit.
But its not all bad. The Verisign researchers, in a report
released this week, also said that using sandboxes can make it significantly
more difficult and costly for hackers to exploit vulnerabilities.
Currently, only two public demonstrations of bypassing
sandboxes exist in environments that use and support defense-in-depth
strategies such as address layout randomization (ASLR) and data execution
prevention (DEP), according to the report. None of the public demonstrations
included any public exploit code. Until corporate enterprises widely adopt
newer client-side applications that have implemented sandboxes, however,
attackers will have an easier time developing exploits.
The report, from Verisigns iDefense Security Intelligence
Service, outlines what researchers see as the most important security trends as
businesses and governments head into 2012. A key one began in April 2011, when
the source code for Zeus version 188.8.131.52 became available to anyone online.
The release of the Zeus source code effectively converted
the Zeus banking Trojan from a proprietary, pay-per-use crime kit into an
open-source crime kit, the report states. The source code quickly spread
across the Internet via underground Websites and file-sharing sites, giving
malware authors across the globe access to the powerful and well-written
The result has been the rise a host of Zeus-based variants
which is a trend that will continue into this year. However, the researchers
pointed out that the Zeus code is incomplete, and that anyone compiling it
needs to have the programming skills to modify and add to it. This keeps less
experienced hackers from using the source code. However, it also means the more
skilled and more malicious attackers need to modify it, leading to the source
code branching out into variants. Those variants include Spyeye, Ramnit, Ice IX
As Ramnit and Spyeye demonstrate, there will be more minor
Trojans that include the functionality of Zeus into their arsenals. This trend
will be even more pronounced when new malware families emerge that not only
augment themselves with components of Zeus but also augment Zeus with new
functionality specific to each new variant family, the report states. The
release of the Zeus source code is going to have a dramatic impact on the
production of new, dangerous banking Trojans in 2012. Fortunately, antivirus
programs may actually detect as Zeus the malware variants that malware authors
have based on Zeus source codea detection that will decrease the effects of
Another key trend is that cyber-criminals are beginning to
adopt a new business model, which Verisign researchers called malware as a service.
In this MaaS model, authors of exploit kits not only offer the kits to
customers, but also extra services.
This trend will probably continue as other developers adopt
the same business model, they said.
Software vendors would be well-served in fending off
vulnerability exploits by using sandboxes, according to Verisign.
The use of sandbox technologies has significantly hindered
the ability of malicious actors to exploit vulnerabilities, the report says.
Consequently, software vendors will continue to use sandbox technologies to
help protect their products and customers. Sandbox technology is a mitigating
security mechanism that limits the environment in which a program can execute.
Companies typically use sandboxes to process untrusted content while keeping a
host system protected from persistent changes.
While sandboxes dont get rid of vulnerabilities, they make
it much more difficult for cyber-criminals to exploit them; many times, hackers
will need to exploit multiple vulnerabilities at the same time to exploit a
software vulnerability that uses sandbox technology. The sandbox concept isnt
newit was introduced by Microsoft in 2007but the use of it by many software
vendors is. Microsoft first introduced it with Internet Explorer 7 with
Protected Mode; Google in 2008 rolled out a sandboxed browser, Chrome. Adobe,
with the help of Microsoft and Google, in 2010 came out with Protected Mode for
Adobe Reader X, and has since added sandbox technology to such products as
Office and Acrobat.