This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Benjamin Cruz and Adam Wosotowsky.
Botnets come and botnets go, but we can be certain they will continue to plague us in the coming year. Botnets that send spam are again on the rise; spam volume in 2013 increased to levels we had not seen since 2010.
Support for Windows XP ends in April, so it would be natural for attackers to target this OS even more because Windows XP’s market share is likely to remain high for a while. We are also likely to see more zero-day attacks targeting vulnerabilities in XP to establish bot clients for sending spam or other uses.
Botnets will take part in more targeted attacks. We have already seen espionage supported by Travnet, which targeted governments of various countries. Next year we’ll see botnets used as a platform to launch attacks on industry-specific infrastructure such as medical devices, SCADA manufacturing systems, military organizations, smart chips, ATMs, banking, etc.
The biggest attraction of botnets—making money—will likely lead to increased interest in mining digital/virtual currencies such as Bitcoin. “Botnets as a service” will extend to areas beyond their current use in spamming, denials of service, and so on.
This year we observed a lot of botnet and Trojan (for example, Carberp and KINS/PowerZeus) source code leaked in public forums. We expect to see more and more variants of current botnets as attackers modify today’s source code to create and sell their own bot kits.
There will also be an increase in the sophistication of botnets. We are likely to see several developments:
- Advanced cryptography and custom encryption in communications with control servers
- Code obfuscations to prevent detection and reverse engineering
- Hardware-locked malware that runs only on a specific system after infection
- Sandbox/environment awareness that prevents the creation of automated antimalware signatures
We have recorded large growth in affiliate-marketing spam during the past few years. With this type, spammers send unsolicited advertising from legitimate companies to purchased email lists of customers who have not opted in to receiving the advertising yet are not capable of opting out. According to the CAN-SPAM Act, this sort of behavior leaves both the marketer and the client company liable for these spam activities, and the unrelenting nature of these campaigns often leads to the publicizing of companies using these sorts of marketers to force them to stop. We still need more international cooperation to get countries to agree on a basic definition of spam and adopt best practices for handling entities that send unsolicited email to purchased lists.
“Snowshoe” spamming, which uses many IP addresses to send as much spam as possible before the addresses are blacklisted, in 2013 for the most part targeted common two-letter top-level domains such as .us, .in, and .uk. This year we may see other two-letter TLDs such as .la (Laos) and .me (Montenegro, for foreign-language mails) become prime targets. Some, such as .la, are already being used to promote casino spam. Overall we could see more two-letter TLDs used in spam mails.
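The defining feature of a snowshoe campaign is that one mailing is spread thinly across many source addresses, so no single IP exceeds a per-host rate limit. The script below, an added example that is not part of the original post, groups inbound-mail log records by sender domain and subject and flags campaigns that arrive from many distinct IPs with only a few messages each; it also tallies the sender-domain TLDs so a mail admin can watch for the two-letter TLD shift described above. The log lines and their `client=… from=… subject="…"` layout are constructed for the example and are not a real MTA's format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real mail-server output). Assumed layout:
#   <timestamp> client=<source ip> from=<sender address> subject="<subject>"
SAMPLE_LOG = """\
2013-12-01T10:00:01 client=198.51.100.10 from=promo@casino-deals.la subject="Win big tonight"
2013-12-01T10:00:02 client=198.51.100.11 from=promo@casino-deals.la subject="Win big tonight"
2013-12-01T10:00:03 client=198.51.100.12 from=promo@casino-deals.la subject="Win big tonight"
2013-12-01T10:00:04 client=198.51.100.13 from=promo@casino-deals.la subject="Win big tonight"
2013-12-01T10:00:05 client=203.0.113.7 from=newsletter@example.com subject="Weekly update"
2013-12-01T10:00:06 client=203.0.113.7 from=newsletter@example.com subject="Weekly update"
2013-12-01T10:00:07 client=203.0.113.7 from=newsletter@example.com subject="Weekly update"
2013-12-01T10:00:08 client=203.0.113.7 from=newsletter@example.com subject="Weekly update"
2013-12-01T10:00:09 client=203.0.113.7 from=newsletter@example.com subject="Weekly update"
2013-12-01T10:00:10 client=198.51.100.20 from=offer@cheap-loans.me subject="Loan approved"
2013-12-01T10:00:11 client=198.51.100.21 from=offer@cheap-loans.me subject="Loan approved"
"""

LINE_RE = re.compile(
    r'client=(?P<ip>\S+) from=\S+@(?P<domain>\S+) subject="(?P<subject>[^"]*)"'
)


def parse_log(text):
    """Turn each log line into a dict with ip, domain and subject; skip lines that don't match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def campaign_stats(records):
    """Group messages into campaigns keyed by (sender domain, subject), counting messages per source IP."""
    stats = defaultdict(lambda: defaultdict(int))
    for r in records:
        stats[(r["domain"], r["subject"])][r["ip"]] += 1
    return stats


def snowshoe_campaigns(records, min_ips=3, max_per_ip=2):
    """Flag campaigns spread thinly over many sources.

    A campaign is flagged when it arrives from at least min_ips distinct IPs
    and no single IP sent more than max_per_ip messages. A bulk sender using
    one host for many messages (a normal newsletter) is deliberately not flagged.
    Returns a sorted list of (domain, subject, distinct_ip_count).
    """
    flagged = []
    for (domain, subject), per_ip in campaign_stats(records).items():
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            flagged.append((domain, subject, len(per_ip)))
    return sorted(flagged)


def tld_counts(records):
    """Count messages by the top-level domain of the sender address."""
    counts = defaultdict(int)
    for r in records:
        counts[r["domain"].rsplit(".", 1)[-1]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for domain, subject, n in snowshoe_campaigns(recs):
        print(f"snowshoe candidate: {domain} / {subject!r} from {n} IPs")
    print("messages by sender TLD:", tld_counts(recs))
```

The thresholds are deliberately low so the constructed sample triggers; on a production log you would raise `min_ips` well above three and run the grouping over a window of minutes rather than the whole file, since snowshoe senders rotate addresses quickly.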
Penny stocks, loan offers, and “pump ’n’ dump” spam enjoyed a resurgence in 2013 after disappearing for a few years. As the stock market euphoria continues, small investors will be vulnerable to this type of scam. In past years these sorts of email campaigns stayed around until the perpetrators were arrested, which is likely to be the case again.
With the means for monetizing botnets growing more diverse, we expect to see an increase in spam coming from web servers compromised through PHP/MySQL remote exploits. Today we find mostly pill spam (pharmacy offers) generated through these attacks. Each year the number of web pages that haven’t been maintained with up-to-date libraries increases, which offers a growing number of sources for delivering spam, phishing, and malware to victims.
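On a web server that has been turned into a spam source, the first question for the administrator is which script is calling the mail function. The script below, an added example that is not part of the original post, parses the per-call log that PHP can write when its `mail.log` setting is enabled, summarises messages and distinct recipients per script, and flags scripts that either send unusually many messages or live in a web-writable upload directory. The log lines are constructed for the example; the exact `[date] mail() on [script:line]: To: … -- Headers: …` layout they follow is an assumption about that log's format, and the upload directory path is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real server output). Assumed layout of PHP's mail.log:
#   [<date>] mail() on [<script path>:<line>]: To: <recipient> -- Headers: <headers>
SAMPLE_MAIL_LOG = """\
[01-Dec-2013 09:00:01 UTC] mail() on [/var/www/html/contact.php:42]: To: owner@example.com -- Headers: From: web@example.com
[01-Dec-2013 09:05:13 UTC] mail() on [/var/www/html/contact.php:42]: To: owner@example.com -- Headers: From: web@example.com
[01-Dec-2013 09:10:00 UTC] mail() on [/var/www/html/uploads/.cache.php:3]: To: a1@example.net -- Headers: From: pharmacy@example.org
[01-Dec-2013 09:10:00 UTC] mail() on [/var/www/html/uploads/.cache.php:3]: To: a2@example.net -- Headers: From: pharmacy@example.org
[01-Dec-2013 09:10:01 UTC] mail() on [/var/www/html/uploads/.cache.php:3]: To: a3@example.net -- Headers: From: pharmacy@example.org
[01-Dec-2013 09:10:01 UTC] mail() on [/var/www/html/uploads/.cache.php:3]: To: a4@example.net -- Headers: From: pharmacy@example.org
[01-Dec-2013 09:10:02 UTC] mail() on [/var/www/html/uploads/.cache.php:3]: To: a5@example.net -- Headers: From: pharmacy@example.org
this line is not a mail() record and is skipped
"""

MAIL_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: To: (?P<rcpt>\S+)"
)

# Placeholder: directories the web server user can write to (uploads, caches).
# Any script sending mail from here deserves a look.
WRITABLE_DIRS = ("/var/www/html/uploads/",)


def parse_php_mail_log(text):
    """Return one dict per mail() record: when, script, line, rcpt."""
    records = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def per_script_summary(records):
    """Map each script path to its message count and number of distinct recipients."""
    messages = defaultdict(int)
    recipients = defaultdict(set)
    for r in records:
        messages[r["script"]] += 1
        recipients[r["script"]].add(r["rcpt"].lower())
    return {
        script: {"messages": messages[script], "recipients": len(recipients[script])}
        for script in messages
    }


def suspicious_scripts(records, max_messages=3, writable_dirs=WRITABLE_DIRS):
    """Flag scripts that exceed max_messages or run from a web-writable directory."""
    flagged = set()
    for script, summary in per_script_summary(records).items():
        if summary["messages"] > max_messages:
            flagged.add(script)
        if script.startswith(writable_dirs):
            flagged.add(script)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_php_mail_log(SAMPLE_MAIL_LOG)
    for script, summary in sorted(per_script_summary(recs).items()):
        print(f"{script}: {summary['messages']} messages to {summary['recipients']} recipients")
    print("suspicious:", suspicious_scripts(recs))
```

The per-script view is what makes this log useful after a PHP/MySQL compromise: the legitimate contact form keeps its normal low rate while the dropped script in the upload directory stands out both by volume and by location, and the path and line number point straight at the file to remove and the hole to patch.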