Malware Drop, Ransomware Rise Forecast for 2014

A malware decline and ransomware rise are in the security crystal ball for 2014.

There will be less malware spreading through networks next year as hackers focus on obtaining credentials that allow them to access systems under the guise of authentic users.

“Malware will still be important in establishing a foothold in the network, but we don’t see malware moving laterally in networks and infecting every computer as we saw a couple of years ago,” Alex Watson, director of Websense, told TechNewsWorld.

“Malware will be used as a tool to grab credentials and walk in the front door,” he said.

That can make things very difficult for system defenders.

“The existing methods for identifying attacks are largely based on the characteristics of their malware,” Watson explained. “What happens when there isn’t any malware to detect in the attack?”

Victim Hotline

Even if broad use of malware declines, one form of bad app that appears likely to rise is ransomware. That’s largely due to the success this year of Cryptolocker.

“Since it has been successful, there’ll be more attacks of that nature in the months to come — especially if no one gets arrested,” Fred Touchette, a security analyst with AppRiver, told TechNewsWorld.

“The spread, the effectiveness of the encryption, and the fact it even looks for mapped drives to encrypt are all indicators that some criminal gangs are substantially investing in this area,” said Rik Ferguson, global vice president of security research at Trend Micro.

“In fact, just recently they have even gone so far as to set up a help line for victims to call if they need help in recovering their files,” he told TechNewsWorld.

Making matters worse, data abductors will be refining how ransomware is distributed next year, Ferguson continued.

“Right now, it appears that Cryptolocker has a unique distributor, but expect Cryptolocker and several new variants to appear next year and to take advantage of the partnerka, or affiliate network system, that served so well for Fake AV, the bogus security software that was everywhere a couple of years ago,” he warned.

“This will really increase the rate of ransomware infections,” said Ferguson, “as large numbers of criminal affiliates motivated by their share of the profits will be actively using SEO techniques to poison your search results.”

Chokepoint Attacks

Malware won’t be the only malicious activity declining in 2014. The size of Distributed Denial of Service attacks could fall, too.

Attackers are beginning to identify the chokepoints at websites they target for a DDoS foray.

“That allows them to magnify the effectiveness of their attacks without making the amount of traffic to a site go up,” Catherine Pearce, a security consultant with Neohapsis, told TechNewsWorld.

“Webmasters will find that a tiny proportion of their traffic is taking up a ridiculously significant level of their site’s resources,” she added.

A dire prediction was made for another trend. For some time now, there’s been a growing contingent in the security community advocating a more proactive approach to dealing with system attackers. That’s largely driven by frustration.

“We haven’t improved the defenses of business organizations in any way,” Andrew Kellett, a principal analyst with Ovum, told TechNewsWorld.

“We continue to find it difficult to detect security breaches,” he added. “Reports show that we’re no better in 2013 in detecting when a security breach is taking place than we were in 2009, so we’re not doing the proactive stuff very well.”

Gray Hats

Just how badly the proactive stuff can get will be seen in 2014, said Websense’s Watson, who predicted an innocent organization will be harmed by White Hats aiming to hurt Net raiders.

“There’s a much greater likelihood of organizations being caught in the crossfire here than there would be of offensive security measures being successful,” Websense’s Watson observed.

Moreover, when offensive operations are conducted, they can discolor a security organization’s millinery.

“It’s hard to have the moral high ground when you’re doing the same thing to someone that you’re condemning them for doing,” Watson said.

Breach Diary

  • Dec. 2. U.S. District Judge Jon Tigar rejects lawsuit by Kathleen Haskins claiming Symantec hid a vulnerability in its software that left its customers open to cyberattacks.
  • Dec. 3. TrustWave SpiderLabs discovers credentials for 2 million accounts belonging to users of Google, Facebook, Twitter and Yahoo compromised by the Pony botnet.
  • Dec. 3. D-Link releases patches to close backdoor in firmware for several of its routers that allowed access to them without using an administrative password.
  • Dec. 3. Governing board of a Maricopa County Community College District in Arizona approved US$7 million for expenses related to a data breach affecting 2.5 million students, former students, employees and vendors of the district. Expenses include notifications, a call center and a free year of credit-monitoring and identity theft protection services.
  • Dec. 3. University of Washington Medical School notifies some 90,000 patients of possible unauthorized access to their healthcare records due to a data breach resulting from a malware infection.
  • Dec. 3. Vodafone Iceland announced it is working with law enforcement authorities in probe of data breach that resulted in the release of text messages from 5,000 customers, including government officials, and passwords of 70,000 accounts.
  • Dec. 3. World Law Group launches online guide to data breach notifications that includes summaries of laws and regulations relating to data breaches in 43 jurisdictions around the world.
  • Dec. 4. J.P. Morgan issues notifications to nearly 500,000 of its UCard users due to a data breach that occurred in July. New cards would not be issued to the users because there’s no evidence any funds were stolen, company said. UCards are used by states to process payroll, child support payments, welfare payments, education assistance payments, unemployment payments and tax refunds.
  • Dec. 5. Microsoft, FBI and Europol announce disruption of ZeroAccess botnet attributed with defrauding online advertisers of $2.7 million a month. Totally eradicating the network will be difficult because of its complexity, Microsoft said.

Upcoming Security Events

  • Dec. 9-12. Black Hat Training Sessions. Washington State Convention Center, Seattle, Wash. “The Art of Exploiting Injection Flaws,” $1,800 by Oct. 24; $2,000 by Dec. 6; $2,300 thereafter. “The Black Art of Malware Analysis,” $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter. “CNSS-4016-I Risk Analysis Course,” $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter.
  • Dec. 9-12. World Congress on Internet Security. Thistle Hotel London Heathrow, London. Registration: IEEE, BCS, IET or IAP members, Pounds 500; Non-IEEE, BCS, IET or IAP Members, Pounds 600; IEEE, BCS, IET or IAP student members: Pounds 350;other students, Pounds 380.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
  • Dec. 10. Risk Does Not Equal Threat. 2 p.m.-5 p.m. ET. SRI International, 1100 Wilson Blvd., Arlington, Va. Registration free, but space limited.
  • Dec. 11. M&A Opportunities in Cybersecurity Investments. 4:30 p.m-8:45 p.m. Time/Life Building, 1271 Sixth Avenue. New York City. Registration: Association for Corporate Growth New York members: $175; Non-NY ACG members, $200; non-members, $250.
  • Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; after Dec. 1, $725.
  • Jan. 27-29. CyberTech 2014. The Israel Trade Fairs & Convention Center, Tel Aviv. Registration: Until Jan. 1, $350; Jan. 2-26, $450; on-site, $550.
  • Feb. 9-13. Kaspersky Security Analyst Summit. Hard Rock Hotel and Casino Punta Cana, Domincan Republic.
  • Feb. 17-20, 2014. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
  • March 25-28, 2014. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
  • April 11-12, 2014. Women in Cybersecurity Conference. Nashville, Tenn.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels