Sandbox Protection From Malware-As-A-Service And Zeus Variants Will Trend In 2012

A Verisign report on 2012 security threats picks MaaS and open-source Zeus kit issues as sandbox candidates

Verisign researchers, looking at what happened in the world of security in 2011 to get a better feel for what to expect this year, are warning against cyber-attackers beginning to offer customers more services and employing the Zeus Trojan as an open-source kit.

It is not all bad. The Verisign researchers, in a report released this week, also said that using sandboxes can make it significantly more difficult and costly for hackers to exploit vulnerabilities.

Sandbox bypass

“Currently, only two public demonstrations of bypassing sandboxes exist in environments that use and support defence-in-depth strategies such as address space layout randomisation (ASLR) and data execution prevention (DEP),” according to the report. “None of the public demonstrations included any public exploit code. Until corporate enterprises widely adopt newer client-side applications that have implemented sandboxes, however, attackers will have an easier time developing exploits.”

The report, from Verisign’s iDefense Security Intelligence Service, outlines what researchers see as the most important security trends as businesses and governments head into 2012. A key one began in April 2011, when the source code for Zeus version 2.0.8.9 became available to anyone online.

“The release of the Zeus source code effectively converted the Zeus banking Trojan from a proprietary, pay-per-use crime kit into an open-source crime kit,” the report states. “The source code quickly spread across the Internet via underground Websites and file-sharing sites, giving malware authors across the globe access to the powerful and well-written malware platform.”

The result has been the rise of a host of Zeus-based variants, a trend that will continue into this year. The researchers pointed out, however, that the Zeus code is incomplete, and that anyone compiling it needs the programming skills to modify and extend it. This keeps less experienced hackers from using the source code, but it also means that the more skilled and more malicious attackers have to modify it, leading to the source code branching out into variants. Those variants include SpyEye, Ramnit, Ice IX and Aeacus.

“As Ramnit and SpyEye demonstrate, there will be more minor Trojans that include the functionality of Zeus into their arsenals. This trend will be even more pronounced when new malware families emerge that not only augment themselves with components of Zeus but also augment Zeus with new functionality specific to each new variant family,” the report states.

“The release of the Zeus source code is going to have a dramatic impact on the production of new, dangerous banking Trojans in 2012,” the report continues. “Fortunately, antivirus programs may actually detect as Zeus the malware variants that malware authors have based on Zeus’ source code – a detection that will decrease the effects of these variants.”

MaaS adoption

Another key trend is that cyber-criminals are beginning to adopt a new business model, which Verisign researchers called malware as a service (MaaS). In this model, authors of exploit kits not only offer the kits to customers, but also extra services.

“This trend will probably continue as other developers adopt the same business model,” Verisign said, adding that software vendors would be well-served in fending off vulnerability exploits by using sandboxes.

“The use of sandbox technologies has significantly hindered the ability of malicious actors to exploit vulnerabilities,” the report says. “Consequently, software vendors will continue to use sandbox technologies to help protect their products and customers. Sandbox technology is a mitigating security mechanism that limits the environment in which a program can execute. Companies typically use sandboxes to process untrusted content while keeping a host system protected from persistent changes.”

While sandboxes do not get rid of vulnerabilities, they make it much more difficult for cyber-criminals to exploit them; in many cases, hackers will need to exploit multiple vulnerabilities at the same time to exploit a vulnerability in software that uses sandbox technology.

The sandbox concept is not new – it was introduced by Microsoft in 2007 – but its use by many software vendors is. Microsoft first introduced it in Internet Explorer 7 with Protected Mode; Google in 2008 rolled out a sandboxed browser, Chrome. Adobe, with the help of Microsoft and Google, in 2010 came out with Protected Mode for Adobe Reader X, and sandbox technology has since been added to such products as Office and Acrobat.
