Security Threats: The Landscape Has Changed
By Shane Coursen
You can’t pick up a newspaper or turn on the television today without hearing a story about ID theft and the tremendous information loss involving major credit card and financial institutions. Unlike the worms and Internet attacks of yesteryear, most of today’s incidents have a new flavor. Security professionals face a rapidly changing landscape of surgical attacks motivated by pure profit rather than by the ego-driven pranks of the past, managed and executed by professional criminals instead of code jockeys out to impress the world with their skills. This article describes this move from pranksters to pros, showcasing the network elements that must be addressed to protect today’s extensive, distributed network environment.
Malware, Malware Everywhere
The malware we see today, in both its construction and its execution, is capable of carrying out almost any malicious intent. Today’s malware writer favors the mass-mailer e-mail virus, the trojan horse and the network-aware worm. Blending characteristics across each type of attack is not uncommon. For example, a trojan horse dropper may launch an e-mail virus just as easily as an e-mail virus may leave behind a trojan horse dropper.
When the first mass-mailer virus, Melissa, hit in March 1999 it set off a spike of uncontrolled activity. E-mail servers everywhere were flooded with requests that would ultimately overload the limited resources in place. Controls to manage this type of outbreak are now in place, and an uncontrolled worldwide mass-mailer virus epidemic is no longer possible. And given how e-mail viruses have evolved, those attacks are no longer in vogue. Malware writers know such attacks are attention grabbers, and too much attention doesn’t help to accomplish their objective. A localized epidemic, however, is much easier to maintain, with an undetected network of zombies ready to do an attacker’s bidding, or to sell to the highest bidder.
A trojan horse often arrives as an executable e-mail attachment or as an HTTP link in the body of the e-mail, and is never what it appears to be. Highly variable, trojans are one of the most dangerous types of malware. Even with detailed forensic analysis, it might be impossible to restore a compromised system's integrity. A complete rebuild or restoration from a clean backup might be the only way to resuscitate the infected computer. Trojan horse programs today account for about one-third of all reported malware.
Because one infected host generally acts as the server for the next potential host, and as a place to store contact information, any significant network worm propagation can consume significant bandwidth. Compromised hosts can be organized into a botnet, with each infected system at the mercy of the worm writer. Botnets such as those built by Bagle and Sobig are used today as SMTP relays for spammers. Botnets have become so common that they are commodities on the underground market; botnets of nearly any size are reportedly available for $0.06 per machine.
Increase the Network, Increase the Risk
Today’s distributed network environments have become appealing targets for organized crime. Simply put, why risk traditional crime when there is a treasure-trove of data on networks that can be swiped and sold for profit? As Internet criminals organize and improve their skills, more attacks are discovered that utilize three or more pieces of combined malware. Malware writers are developing additional components, each building on the success of the previous attack. Each attack component may infect another 1,000 machines, creating a localized, limited epidemic. Limited epidemics provide just enough zombies to launch an effective DDoS, to quietly leech a small number of banking passwords, or to set the stage for a future spam run.
The Internet’s ubiquitous nature plays into the hands of these criminals. With literally worldwide access, be it from Brazil, China, Russia, the UK or the United States, these types of focused attacks can be generated from anywhere in the world. And with local enforcement varying from significant to zero, more times than not these criminals go unchecked.
Attacks - Not Just For Windows Anymore
Malware writers are moving beyond Windows and are starting to target Instant Messaging (IM) environments, mobile smart phones and Personal Digital Assistants (PDAs).
IM and wireless malware already exist, but are nascent. Existing platforms do not offer a solid foundation for widespread propagation. However, early research indicates that with the correct environment, IM malware could eclipse mass-mailer viruses in replication speed.
The malware discussed so far is admittedly Windows-heavy, but looking at other popular operating systems one still finds vulnerabilities. Linux, for example, has had about 500 pieces of malware developed for it. Given its popularity as the alternative to Windows, so far around 5 Linux worms have had a fair amount of success spreading in the wild. When considering the percentage of installations vs. attacks, Linux is about as popular a target as Windows. It is not a huge leap to predict that as Linux gains popularity it will become an even larger target for attacks.
The Possible Threat Horizon
New computer technologies that positively impact the way we conduct business appear almost daily. From checking stock portfolios on a PDA to paying for groceries through a cell phone, innovations abound for the ever-growing computer user population. Unfortunately, cyber criminals remain intent on hijacking nearly every good new technology for misuse. As new technology appears, no one can predict with confidence which will become the most popular. But rest assured that the most ubiquitous technology will bear the brunt of exploitative attacks, as Microsoft’s products clearly demonstrate.
In the long term, we are expecting malware that monitors and modifies the functionality of smart appliances – commercial ovens operated via a wireless device, refrigerators that restock themselves via RFID, pre-programmed computer-controlled thermostats that report monthly electricity usage, and more. Most of these services will tie into customer financial data through bank accounts or credit cards, and must be monitored during implementation to ensure sufficient security standards.
In the short term we should urgently address the security requirements of our current favorite wireless gadgets, the cell phone and PDA. Smart phone viruses can survive in the wild with a sufficient user population, which is predicted for 2007. A smart phone operating system – Symbian OS – went from having no malware to over 100 known pieces in just slightly over one year. The very first Symbian virus, Cabir, has so far been found in the wild in over 30 countries but has achieved limited results due to a fairly small user population.
The majority of cell phone users in the U.S. haven’t been exposed to this type of threat, but European users are already experiencing attacks in the wild. While the Symbian operating system—more commonly used in European cell phones—has been an early target, it isn’t the only target. Indeed, any common operating platform is a natural target for criminals.
Similarly, the smarter the device, the more attractive it is to cyber criminals for the value of the data it holds. The smart phone is basically a miniature PC with a built-in phone; an extremely useful device by anybody’s standard. With the ability to track several e-mail accounts, an organizer for planning important business meetings, a voice recorder for taking dictation, a camera for snapping pictures and a global positioning system (GPS) to direct you to your next destination, these devices carry increasingly personal and critical information. One day they may even act as your credit card!
A decade ago, we considered it advanced to have an address book of 10 names, but it is now possible to carry that plus our bank statement and a smart card enabling financial transactions in one device. Given the wireless nature of mobile devices and how we openly allow them to perform important tasks, criminals will likely attempt to intercept our transactions, possibly funneling personal contact data and virtual money from our accounts.
What are the Next Steps?
Assuming that most malware will continue to be Windows-based and use the Internet for distribution, it will be an ongoing battle for Microsoft and other software manufacturers to address all security issues. Each vulnerability corrected means a secure network only until the next issue is discovered. Eliminating the current set of vulnerabilities within our computing environment often changes the network in a way that opens doors to different types of malware.
Naturally, the general public still demands security. People want operating systems and online services they can trust to be – and remain – secure from intruders. Can such an environment exist? Without being completely closed off from outside development and access, security cannot be 100% guaranteed. And without access, any system, as we use them today, is pretty much worthless. It is the epitome of taking the good with the bad.
The best news is that a greater amount of security can be achieved right now. With proper application of the security embedded within evolving network systems, an ever-evolving defense-in-depth approach, and careful attention to best practices, much of today’s and tomorrow’s malware can be avoided.
About the Author
Shane Coursen is the Senior Technology Consultant for Kaspersky Lab. He can be reached at shane.coursen@us.kaspersky.com.