Cyber crims smash through Windows into the great beyond
How malware became a multi-platform game
Windows has been a beleaguered piece of software over the years. That is because malicious hackers, like everyone else, want to walk the simplest path to the greatest glory.
Microsoft’s operating system has been the most popular one for the past 20 years, so it has attracted the most malware. One IT professional told The Register he thought 100 per cent of working malware was aimed at Windows.
He was, of course, being a tad disingenuous. Now that all and sundry are heralding the post-PC era, it is becoming apparent that malicious software authors have turned their attention to other operating systems.
“The time when Windows was the only platform associated with malware is long gone,” says Marta Janus, security researcher at Kaspersky Lab.
“Nowadays, cyber criminals target every system that is potentially exploitable and attack any that may result in a profit.”
Looking solely at desktops, Windows is undoubtedly still massively popular among digital criminals. The most sophisticated malware types seen to date, from Stuxnet to Flame, were Windows based.
But a host of examples hint that both data-stealing malware and financial Trojans have started showing a fondness for Apple Macs. Although it is supposed to be more secure than Windows PCs, Mac OS X has been hit by some significant outbreaks recently.
The Flashback Trojan infected at least 650,000 Macs back in 2012, exploiting a Java security vulnerability that Apple patched six weeks after the Windows code fix was released.
It was a pernicious data stealer that sought to nab passwords for email, Skype and other accounts. It also proved that epic botnets could be created on the Mac OS X platform.
A wide range of malware used for espionage is Mac compatible too. In February, Kaspersky Lab researchers uncovered “one of the most advanced global cyber espionage operations” ever seen, called the Mask.
The attackers targeted government organisations and energy companies using a complex set of attack tools, including rootkits, bootkits and other malware for PC, Linux and, yes, Mac OS X.
The world’s most advanced cyber spies were targeting Macs
These were seriously talented hackers, looking for SSH keys and access to remote desktop clients while scooping up communications and files from victims’ machines. The world’s most advanced cyber spies were targeting Macs.
Though the iPhone maker’s locked down approach to security does bring benefits, attacks on Apple’s mobile offering, iOS, as well as its desktop software can no longer be ignored, according to Bob Tarzey, security analyst at Quocirca.
“iOS and Mac OS are not immune but the walled garden of Apple does help, as does its smaller market share [compared with Android]," he says.
“Also, apps downloaded for use on company devices may not be insecure per se, but that does not mean they are not a security risk for business data.”
The days of wholly trusting in Apple products to fend off malicious hackers are long gone.
“The presumption that Apple platforms are attack-proof came from the fact that devices running Apple software used to be far less popular than Windows PCs, so they didn't draw so much cyber-criminal attention,” says Janus.
“Now with its huge growth in market share, Apple faces the same security problems Microsoft has been experiencing since the early 90s.
“Both Mac OS and iOS have become lucrative targets, and even though Apple-oriented malware is still far smaller than its Windows counterpart, no operating system can be called 100 per cent secure.”
While exploding the myth of Apple security is a noble pursuit, it is clear the pretender to the crown of most malware-ridden operating system is a Google creation.
“The biggest growth of malware is in Android, which like Windows is widely used and open – both good things but they make it a worthwhile target,” says Tarzey.
Other mobile operating systems too are targeted by cyber criminals, and many attacks, such as those over public Wi-Fi networks, work regardless of operating system.
But Android attracts almost all mobile malware. F-Secure research from April revealed there were 277 new malware families in the first quarter of 2014, 275 of which targeted Google’s operating system.
The majority are SMS Trojans, sending text messages to premium-rate telephone numbers owned by the malware creators or one of their crooked cohorts.
Ransomware - locking users out of their phones by encrypting files and asking for payment for decryption, is becoming more of a menace - as hinted at by the Koler Trojan, which targeted those drawn to prurient content.
Fake anti-virus is also starting to proliferate. In May, Kaspersky uncovered a range of fake anti-virus products across Google Play (one was even found on the Windows Phone market).
They may not have caused any apparent data loss but they still convinced a large number of shoppers to part with cash for apps that did nothing whatsoever despite promising security. It followed the apparently accidental release of Virus Shield, for which Android users who bought the app were compensated.
OS, who cares?
As with Mac and iPhone, espionage malware has also been seen hitting Android devices. This points to a reality that everyone, from employees to IT chiefs, needs to be aware of: targeted attacks do not care about the operating system.
“The statement that niche systems are less prone to infections is no longer true. Even the least popular platforms are at risk as long as there is any potential reason for attacking them,” says Janus.
State-sponsored attackers are less concerned about the nature of a target’s operating system than they are about the applications sitting on those operating systems.
That is why there is such panic when a zero-day vulnerability for popular software, often Internet Explorer and Adobe products, emerges.
A good example reared its ugly head in April, when it was reported that Syrians were being targeted by attackers using an Adobe Flash zero-day. It was part of a drive-by download attack, as exploits taking advantage of the zero-day were served to visitors to a Syrian government website for the Justice Ministry.
The attack code would check the operating system version, according to Kaspersky Lab, informing the hackers about how they might want to proceed. Adobe issued an out-of-band patch for the critical bug, covering not just Windows but Mac OS X and Linux too. All were open to compromise.
Save our servers
Clients are not the only targets either. Any piece of infrastructure connected to the internet is attractive to hackers for various reasons.
Servers, given the valuable data passing through them, have become increasingly tempting for digital crooks, as evidenced by Operation Windigo, uncovered by ESET researchers this year.
The Windigo malware infected more than 25,000 Unix servers, including those running nginx, Lighttpd, and Apache web servers. The aim appeared to be rather banal: to send out reams of spam from infected machines.
But it was more complex than that, as visitors to those servers were targeted by further malware which would steal information from the clients. Crooks are upping their cross-platform attacks.
Routers are also receiving a lot of attention. Malware known as the Moon was spotted earlier this year hitting various LinkSys routers and access points.
The Moon worm bypassed authentication on the router by logging in without knowing the admin credentials. It wasn’t clear what the attackers were doing, other than causing latency issues.
Once infected, the router would start flooding the network with traffic over ports 80 and 8080. The Moon may have just been a trial, however, with hackers testing whether self-replicating malware could work across routers.
Attacks on network devices have become more severe in recent months. In March, non-profit security organisation Team Cymru disclosed an epic attack campaign on 300,000 machines from D-Link, Micronet, Tenda and TP-Link, among others.
The hackers were seen altering domain name system configurations, opening up the potential for sending victims to malicious websites.
The myriad platforms entering the workplace and the vulnerabilities residing in all of them have brought about a hugely complex environment, one fraught with risk. Innovation among black hats, as seen with the server and router attacks, isn’t helping either.
“The greater the diversity of a company's IT infrastructure, the harder it becomes to keep everything updated and secure. Multiple devices running different versions of software mean not only more problems for IT administrators but also more opportunities for cyber criminals to get in,” says Janus.
"A data breach may occur because of a single outdated smartphone"
“For example, even if all Windows workstations in a company are adequately protected, always up-to-date, used with secure policies and running security software, a data breach may occur because of a single outdated smartphone or a misconfigured router.”
There is some sort of good news here: threats that are not cross-platform obviously won’t affect the entire client environment.
“On the other hand, platform diversity means that a security failure on one platform will not necessarily repeat for other platforms,” says Charles Brett, analyst at Freeform Dynamics.
“This is a difficult balancing act, just like it is in a global supply chain – one low-cost specialist supplier or three higher cost ones with possibly lower quality overall.
“In a modern multi-platform environment it is essential for IT managers to pay close attention to the security of every single device, not only the ones that are considered to be most at risk of being targeted.”
In-depth risk assessments have to focus not just on the operating systems in use but on the applications and content passing through them.
“Take a long look at all the platforms in use in the organisation, not just those officially supported,” says Tony Lock, analyst at Freeform Dynamics.
“Then consider who is using them and which systems and information they can reach. Effective security solutions can be built only with this knowledge and with the acceptance of the need for security among the users. Training users could be the most effective way forward.”
Indeed, training in different operating systems, even if it seems unnecessarily in-depth, should help boost organisational security.
“There is a dilemma here: security is dull, complex, ever-changing or evolving and by its nature restrictive, which does not make it very attractive for teaching,” says Brett.
Mind the hole
“The alternative to not making people aware of the security implications is to lock down tight, but this is often unpleasantly restrictive. It encourages workarounds that in turn create security holes because people do not understand the implications of what they are doing.
“CIOs seem to have nailed their colours to the fence, not wishing to offend with perceived excess security and rarely possessing a budget for coherent, enterprise-wide security awareness. The key, which may be unobtainable, is friendly lock-down.”
Despite all of the attacks across different machines and the rise of Android malware, Windows still has to be a major worry for IT.
“Windows remains one of the most vulnerable as so many still run it in admin mode. Android does not run like this and has better base security, so we still need to be focussed on Windows security,” says Tarzey.
And with Microsoft having finally pulled the plug on XP support in April, Windows will be getting even more attention from malicious hackers in the coming months. ®