Mid-2012 malware: new flavours, same ice cream

We take a look at some of the malware that's appeared this year. Are we seeing new attacks, or just evolutions of the old ones?

While 2011 was dubbed "the year of the hacktivist" in some media circles, 2012 was billed as "the year of cyberwar", to be accompanied by an explosion of Android malware. But what's actually happened?

In this week's Patch Monday podcast, we check the half-time scores and discover that, by and large, it's business as usual for everyday criminal activities online.

"It's not to say that state-sponsored stuff is not going on — and it clearly is if you look at Flame — and I'm sure there's other things going on in the background ... But the reality of what we've observed in the field is that state-sponsored cyberwar sort of level stuff is, maybe, 0.1 per cent of the overall threat landscape," said Alex Kirk, senior research analyst with the Sourcefire Vulnerability Research Team (VRT).

As always, criminals target what's popular and vulnerable, and right now that includes the WordPress content-management system.

"WordPress is a massive target for automated scanning programs. These things are just hitting every website on the whole stinking internet, looking for a vulnerable WordPress install," Kirk said.

"If you're not paying attention to security updates with WordPress, you're in for a nasty surprise."

The Blackhole malware construction kit, which we discussed in February and May, is still the criminal tool of choice.

"It's got good professional support, it's fairly straightforward to deploy and they do a pretty reasonable job of staying on top of 'Uh oh, the IDS [intrusion detection system] or the antivirus company has detected us. We'd better put some fresh update out to make sure that doesn't happen anymore'," Kirk said.

Android malware has been on the rise, adopting techniques seen previously in malware written for Windows — such as polymorphism, the automated generation of many distinct variants of the same malware so that each one evades signature-based detection.

"Last year in July, we saw for every one family [of Android malware], there was about eight variants. But now, in May this year, there's over 159 variants per family, so that sort of explodes out to 13,000 malicious .apk files that we've identified," said David Hall, Symantec's consumer spokesperson for Asia Pacific.

But really, that's nothing compared with the total of 256 million virus signatures that Symantec created in 2011.

According to Bob Hansmann, senior product marketing manager at Websense, there's nothing really new in the kinds of attacks we're seeing online. It's just an evolution.

"People are talking about targeted attacks. Well, we've had targeted attacks now for almost a decade. It's not new," he said.

"Think of it as ice cream; ice cream isn't new. All you can really have is new flavours of ice cream. And the malware, the attacks, whether it's, you know, government-sanctioned or just somebody trying to make a political statement, those have been around for a long time — it's just the flavour of the message."

To leave an audio comment on the program, Skype to stilgherrian or phone Sydney +61 2 8011 3733.

Running time: 35 minutes, 44 seconds