December is "prediction season" in the cybersecurity industry. Every
major anti-virus software maker and digital-security provider issues its
own forecasts of what computer users face in the coming year.
So far this month, the predictions for 2013 look a lot like those for 2012: more Android malware, increased cyberattacks by nation-states and greater activity by "hacktivist" groups such as Anonymous.
However, a few companies go back and check their own predictions at the end of the year to see what they got right — and wrong. One company that does so is Moscow-based Kaspersky Lab, one of the top five anti-virus companies in the world.
"In 2011, we really saw a number of things rising up: hacktivism; big database breaches;
attacks against Androids; attacks against Macs; data espionage became
daily business in 2011," said Roel Schouwenberg, senior researcher at
Kaspersky's Boston-area office. "When we look at 2012, we saw a further
evolution of all these new trends."
Kaspersky made the following predictions for 2012:
Let's examine five of the top security incidents that shaped 2012 and
check the accuracy of the Kaspersky researchers in light of those
Security experts had anticipated an outbreak of malware targeting Mac OS X for years; 2012 was when it finally happened. The bug that did it, called the Flashback or Flashfake Trojan, first appeared near the end of 2011, but didn't reach its peak rate of infection until March of 2012. Flashback infected more than 700,000 Macs around the world, the largest known Mac OS X infection to date.
"In 2011, we predicted that we would see more Mac malware attacks," said Kaspersky Lab's Costin Raiu and David Emm in a blog posting. "We just never expected it would be this dramatic."
Why did Flashback wreak such havoc? One reason was a well-documented Java vulnerability, which Apple took a
long time to patch even after it had been publicly disclosed. The
Flashback authors took advantage of Apple's delay to incorporate the
Java exploit into their otherwise unremarkable creation.
The second reason was the general lack of awareness among Mac users about security. Proper anti-virus software would have stopped Flashback's attack, yet most Mac users felt they didn't need it.
Flashback wasn't the only successful attack on Mac OS X systems in
2012. There were multiple espionage-related attacks on Macs used by
Tibetan dissidents and exiles. Some of the attacks used corrupted files
purporting to come straight from the Dalai Lama, Tibet's exiled leader.
"The espionage angle may be a bigger factor for Mac right now than
regular consumer malware," Schouwenberg said. "For general cybercrime,
most criminals go after Windows because that's what they know. That's
what's easiest for them."
"But when it comes to these targeted attacks, the attackers go after
whichever machines the targets are using. So if the targets are using
Macs, they'll go after Macs."
Schouwenberg said in terms of the proportion of available systems
infected, Flashback was the most successful malware outbreak of the
"When you look at relative market share, the Flashback malware in terms
of prevalence was the size of [the infamous Windows worm] Conficker,"
he said. "This was an absolutely huge event in the Apple world. When
you extrapolate [the number of Macs infected] to Windows numbers, that's
about 10 million."
Cyberwarfare is a term that often gets hyped up, especially when a politician or general is speaking.
In fact, the Stuxnet worm, which crippled an Iranian uranium-enrichment facility in the summer of 2010, was for nearly two years the only known cyberweapon that had destroyed anything.
That changed this past spring, when a series of cyberattacks destroyed computer systems at oil facilities in Iran, as well as in the offices of the Iranian oil ministry.
Wiper, the malware thought to be responsible for the attacks, was never found, although certain tell-tale signs indicated it was similar to Stuxnet and its cousin Duqu.
During the investigation in May, however, researchers from Kaspersky, the Iranian computer emergency response team MAHER and the CrySyS Lab at Budapest University in Hungary discovered something else — possibly the most sophisticated piece of malware ever seen. Kaspersky's team called
The size, age and sophistication of Flame were startling. It was 20 megabytes in size, as large as a complex smartphone game, while most malware is only a few dozen kilobytes in size.
Flame contained a dozen different modules that could be added and subtracted according to the task at hand, which made it extremely versatile as spyware.
It could map out networks, index files, record audio and video, log
keystrokes, take screenshots and archive emails and instant messages.
When its job was done, it would destroy all signs of itself on any
32-bit Windows PC, and sometimes the host system as well.
Yet despite its size, Flame was at least five years old at the time of
its discovery — an enormous amount of time for a piece of malware to be
"in the wild."
Flame was "an example of a complex malicious program that could exist
undetected for an extended amount of time while collecting massive
amounts of data and sensitive information from its victims."
A couple of weeks after its discovery, Dutch researchers found that
Flame's creators had pulled off a mathematical breakthrough.
Using unknown techniques, Flame's creators had created a nearly-impossible cryptologic collision that
allowed Flame to present itself as a signed, genuine Windows update
package direct from Microsoft. No anti-virus software could have stopped
In August, Kaspersky researchers found a highly sophisticated Trojan in the Middle East, this time spying on Lebanese banks.
Like ordinary criminal banking Trojans, this new malware, which Kaspersky researchers dubbed "Gauss," stole online-banking credentials to break into accounts. Yet Gauss didn't steal any money — just information.
In their year-end review, Raiu and Emm said Gauss added a "new
dimension to nation-state cyber-campaigns," even if it was nowhere as
sophisticated as Flame.
"It appears there is a strong cyber component to the existing
geopolitical tensions — perhaps bigger than anyone expected," they added.
That would prove to be an understatement. Later in August, Shamoon, a
piece of especially destructive, yet simple, malware, made its world debut.
Named after a piece of text embedded deep in its code, Shamoon launched
an attack against the state-owned Saudi Arabian oil company Saudi
Aramco and destroyed data on more than 30,000 computers.
Shamoon was crude but effective. It searched an infected system for
certain files, sent a list of those files to a remote server, and then
methodically deleted key parts of the installed Windows system,
rendering the infected machine useless.
"You have the hacktivist movement claiming credit for that attack, which may or may not be the case," Schouwenberg said.
"Shamoon wasn't really that sophisticated, but when you look at the
relevance of the incidence, it's extremely, extremely important,"
Schouwenberg added, "especially when you consider the fact that Saudi
Aramco announced just recently that they strongly believe that Shamoon's
real target was to mess with the oil production rather than just
sabotaging the machines in the corporate network."
Kaspersky researchers said many details about Shamoon were still
unknown, such as how the malware infected Saudi Aramco's systems in the
first place, or who was behind the malware.
Some observers suspect Iran created and used Shamoon as an attempt to
cripple Saudi Arabia's oil production, which would cause oil prices to
rise, benefiting cash-strapped Iran.
During 2011, there was an explosion in the number of malicious threats against the Android platform. It was obvious that the trend would go on.
Kaspersky, as well as most of its competitors, accurately predicted
that the number of threats for Android would continue to grow at an
alarming rate in 2012.
"We predicted we would see an explosion in Android malware and that's
what we saw," Schouwenberg said. "There is a huge amount of Android
malware these days, although not anywhere near the amount of Windows
malware that we see. But it's grown very dramatically."
"The number of samples we received continued to grow and peaked in June
2012, when we identified almost 7,000 malicious Android programs," Raiu
and Emm wrote. "Overall, in 2012, we identified more than 35,000
malicious Android programs, which is about six times more than in 2011."
So why is there so much Android malware, and so little malware targeting its competition, Apple's iOS?
It's because iOS is locked down tight.
Apple oversees every part of the hardware and software development, and
strictly controls which apps can be installed on iOS devices.
Android, however, is a free-for-all. Dozens of manufacturers make
hundreds of Android devices, and the operating system is a little
different on each one. Manufacturers and cellular carriers refuse to update Android in a timely manner, resulting in security holes that are left unpatched for months or years.
"Off-road" app markets flourish, especially in China where access to
the official Google Play store is restricted. Google has belatedly
tightened security in both Android itself and in the Google Play store,
yet its efforts have a long way to go before they can match Apple's.
Still, the tighter security in the latest versions of Android may be
having an effect. Kaspersky's own figures show that while the number of
new Android threats continued to grow in the second half of 2012, the
rate of growth began to slow.
Advanced persistent threat hackers, i.e. cyberspies, were certainly
active in 2012, yet didn't have the spectacular successes they'd had in
previous years.
Perhaps the most visible attack on Western targets was the discovery in September 2012 that two pieces of malware had been signed using a valid Adobe code-signing certificate. Apparently, someone, somehow, had broken into an Adobe server and stolen authentication certificates.
"This discovery belongs to the same chain of extremely targeted attacks
performed by sophisticated threat actors commonly described as APT,"
wrote Raiu and Emm. "The fact that a high profile company like Adobe
was compromised in this way redefines the boundaries and possibilities
that are becoming available for these high-level attackers."
One thing that Kaspersky failed to anticipate in 2012 was the seemingly unending parade of huge data breaches involving companies and organizations with inadequate security.
In early June, the business-networking website LinkedIn had 6.4 million passwords stolen. The passwords were encrypted, but in a very simple way that meant most could easily be deciphered.
A day later, online-dating service eHarmony suffered a similar breach, losing 1.5 million passwords, also poorly encrypted.
In July, struggling Web giant Yahoo was embarrassed by a data breach that revealed 450,000 passwords had
been stored without any encryption at all. It wasn't entirely Yahoo's
fault, since the database was acquired with the 2010 purchase of another
company, but it was also evident that no one had bothered to check.
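The LinkedIn, eHarmony and Yahoo incidents above all turn on how the passwords were stored. The Python below is an added example, not code from the original article or from any of the companies named: it contrasts an unsalted fast hash (the leaked LinkedIn hashes were widely reported to be unsalted SHA-1) and plaintext storage with a salted, iterated PBKDF2-HMAC-SHA256 scheme, and runs a small audit over a constructed credential store. The user names, passwords, store contents and the `pbkdf2_sha256$...` record format are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# --- Weak scheme: unsalted fast hash (what the LinkedIn dump looked like) ---
def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 of the password. The same password produces the same
    digest on every system, so a leaked table can be matched directly against
    a precomputed list of common passwords, and equal digests reveal shared passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# --- Hardened scheme: per-user random salt + slow, iterated KDF ---
PBKDF2_ITERATIONS = 600_000  # iteration count is a tunable cost; raise it as hardware gets faster

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.
    A fresh 16-byte salt per user means identical passwords get different records."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time. Malformed records verify as False, never as True."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    try:
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False

# --- Audit helpers for an existing credential store ---
def classify(stored: str) -> str:
    """Heuristic classification of one stored credential by its shape."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if len(stored) == 40 and all(c in "0123456789abcdef" for c in stored):
        return "unsalted_sha1"
    return "plaintext"  # anything else is assumed to be the password itself (Yahoo-style)

def audit_store(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by storage scheme; only the pbkdf2_sha256 group is acceptable."""
    findings: Dict[str, List[str]] = {"plaintext": [], "unsalted_sha1": [], "pbkdf2_sha256": []}
    for user, stored in store.items():
        findings[classify(stored)].append(user)
    return findings

def shared_unsalted_hashes(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Unsalted digests that occur more than once. Each group shares one password,
    so one successful guess compromises every account in the group at once.
    Salted records never collide this way, which is the point of the salt."""
    seen: Dict[str, List[str]] = {}
    for user, stored in store.items():
        if classify(stored) == "unsalted_sha1":
            seen.setdefault(stored, []).append(user)
    return {digest: users for digest, users in seen.items() if len(users) > 1}

# Constructed sample store (illustrative only, not data from any real breach).
SAMPLE_STORE = {
    "alice": legacy_sha1("password123"),                 # unsalted fast hash
    "bob": legacy_sha1("password123"),                   # same password -> same digest
    "carol": "letmein",                                  # stored in the clear
    "dave": hash_password("password123", iterations=1000),  # salted, iterated
}

if __name__ == "__main__":
    print(audit_store(SAMPLE_STORE))
    print(shared_unsalted_hashes(SAMPLE_STORE))
    print(verify_password("password123", SAMPLE_STORE["dave"]))
```

The audit deliberately works from the shape of the stored value rather than from schema metadata, because in a breached database the record itself is all a responder has. Two users with the same PBKDF2 record would indicate a salt-reuse bug, which is the other check worth adding to such an audit.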
Worst of all was the revelation in late October that vital personally identifiable information on 3.8 million adult residents of South Carolina, plus 1.9 million dependents and 700,000 businesses, had been stolen from the state tax agency.
Entire tax records, containing names, addresses, dates of birth and,
worst of all, Social Security numbers, were all stored unencrypted.
Virtually the entire state population of 4.7 million people was put at
grave risk of identity theft.
Weeks after the breach was revealed, the state government was blaming
the federal IRS for not providing strong security guidelines, and was
itself being criticized by security experts for not revealing enough
about what had happened.
"There isn't too much that was shocking news over 2012, just these
up-and-coming things 2011 that really established themselves in
2012," Schouwenberg said. "But we also saw some examples of new
nation-state like Flame and Gauss. But from my personal
point of view, the most significant event of the year was Shamoon."
As for 2013, "we expect the next year to be packed with high-profile
attacks on consumers, businesses and governments alike, and to see the
first signs of notable attacks against the critical industrial
infrastructure," Raiu said in a company press release. "The most notable
trends of 2013 will be new examples of cyberwarfare operations,
increasing targeted attacks on businesses and new, sophisticated mobile
Copyright 2012 TechNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.