Home / Blogs

2012 Security Predictions: APT’s, Mobile Malware and Botnet Takedowns

As the weeks remaining in 2011 dwindle and 2012 peaks out from behind the last page of the calendar, it must once again be that time of year for purposeful reflection and prediction. Or is that navel gazing and star gazing?

The year still has a couple of weeks to rock on before we can comprehensively summarize the events and trends of 2011. I’m sure there will be a bunch of annual threat reports preempting the end of year—extrapolating trends etc. in order to get the jump on reports that use real data. At the highest level of navel gazing you could probably sum up 2011 with one word—“More”. The bad guys got richer, more successful, invented a few new attack vectors, and generally grew in numbers; meanwhile the good guys got more efficient at causing the bad guys pain, but continued to be outspent by the bad guys.

But let’s put that aside for now. What does 2012 hold in stall for us?

It’s easy enough to predict the future when you’re merely commenting upon the trends of past years and projecting “more” of the same. While I can offer no shortage of meaningful predictions for 2012 across a broad range of threat and security categories, I thought it would be fun to pick three topics that stole much of the limelight of 2011—Advanced Persistent Threats (APT’s), mobile malware and botnet takedowns.

So, without further ado, here are a handful of predictions for 2012.

APT Bonanza

The volume of persistent attacks directed at large corporations will continue to increase and the victims will continue to feel as though they have been specifically targeted. There will thus be a presumption of sophistication to successful penetrations, which will lead to more organizations concluding that they have been the victim of an APT—which, after more detailed analysis and external input, will increasingly be revealed as false claims.

  • More attacks will be labeled as APT’s due to misunderstanding by the victims, or because of an implied “get out of jail” tactic when public disclosure of the breach is mandated by law.
  • External analysts and security firms will dedicate more time and resources to analyzing breaches that are disclosed as “APT’s”, and will be more vocal in correcting false claims.
  • A growing unease will be attributed to the “cry wolf” mentality of labeling breaches as APT’s throughout the year.
  • Real APT attacks will increasingly be lost in the noise of falsely-claimed APT’s, and the sophisticated attackers will be able to further obfuscate the intent of their attacks.

Mobile Malware threats will continue to be misunderstood

Mobile malware will divide into two streams—Smartphone malware and tablet crimeware. Both mobile malware streams will be similarly unimpressive from a threat sophistication perspective, however their criminal intent will direct their evolutionary changes. Tablet crimeware will develop at a faster pace than Smartphone malware in 2012 as the opportunities to defraud potential victims on tablet systems grow quicker.

  • The hype around mobile malware will continue to exceed the threat and the cybercriminals capabilities in 2012—but the cybercriminals and security researchers will strive to meet that hype.
  • As mobile systems become more usable for day-to-day financial transactions and online stores tune their shopping portals for larger-screened mobile devices, cybercriminals will increasingly target these platforms. This crimeware (and injection vectors) will be more “traditional” and a closer facsimile of current generation PC-based crimeware capabilities than many have projected in the past.
  • Smartphones, long seen as “the” mobile threat vector and with the longest history of malware abuse (e.g. Symbian-based malware and premium-rate fraud), will technically be susceptible to the same malware as that affecting tablet systems—but will not be the primary target of attack.
  • Cybercriminals that develop malware specifically for Smartphones will increasingly target the devices for propagation purposes—seeking to infect other (traditional) corporate systems and to breach corporate VPN’s.
  • In the corporate realm, the Bring-Your-Own-Device (BYOD) consumerization of IT will entice cybercriminals that target enterprise networks to innovate new attack and propagation vectors. Throughout 2012 new vectors will be theorized and may be developed as proof-of-concept tools, but the hype will be bigger than reality because there are technical hurdles within the operating systems of the mobile devices that have yet to be overcome.
  • Security conferences of a Black Hat ilk throughout 2012 will uncover and illustrate new vectors that subvert the underlying mobile device operating systems that will be leveraged in the 2013 timeframe for the targeted propagation of crimeware via BYOD
  • The traditional invasive and “scary” mobile malware capabilities (e.g. eavesdropping on the victims calls, tracking the device owner, etc.) will not advance in 2012 and will continue to be potential capabilities rather than primary objectives for attackers.
  • The first generation of commercial “DIY” mobile crimeware construction and attack tools will be developed and sold by enterprising cybercriminals
  • Large scale botnets will not exist on the mobile platforms in 2012. There will be several “proof-of-concept” botnet implementations and theoretical attacks but, from an overall global threat perspective, they will be insignificant.

Botnet takedowns will be ineffective

Despite a number of public and media-hyped botnet takedowns in 2011, and the prospect of increased takedowns in 2012, the overall impact on cyber-criminal operations will decrease. In response to the 2011 takedowns, cybercriminals will change some of their management tactics, further distribute their command-and-control (C&C) infrastructure, and invest in improved and more diverse infection vector operations.

  • Professional criminals who build and monetize botnets will invest in more robust crimeware distribution technologies and services. The capability to infect 10,000+ computers per day will be more important than the marginal loss of 3-year old botnets with only a few hundred thousand infected devices.
  • Botnet C&C infrastructure will continue to become more agile—flitting between domain names, IP addresses and physical locations at an increasing pace. In 2011 this agility was measured in weeks; by the end of 2012 it will be measured in hours.
  • Botnet operators will add more layers between themselves and their victims. In 2011 cybercriminals increasingly adopted the use of commercial anonymous VPN services to connect to their C&C servers, and deployed C&C proxies between the botnet victims and the real C&C servers. In 2012 we can expect this trend to continue and there is a high probability that multiple layers of C&C proxies will be adopted to further protect the cybercriminals C&C investment.
  • Noisy botnets (i.e. Spam botnets and DDoS) will continue to be the focus of legal botnet takedowns. In response, cybercriminals will in most cases reduce the noise of their botnets and will also further segment their botnets to ensure that the entire botnet is not lost in a single takedown operation.
  • Botnet takedown attempts will become more “risky” as the takedown entities become more comfortable with the process. Risk will be introduced as the entities pursue remote clean-up and remediation of victim devices.
  • “Good guy” botnet remediation services will become a commercial reality in 2012. As multiple security vendors and academic institutions focus upon the botnet menace they will uncover more vulnerabilities lying within the heart of both the botnet malware and the C&C portal software. There will be growing pressure to exploit these vulnerabilities for the purpose of usurping control of the botnet from the cybercriminals hands and to issue appropriate shutdown and uninstall commands directly from the compromised C&C servers.

I wonder how many of these predictions will come to fruition? I guess we’ll find out in 380 days.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API