The evolution of threats

People in the security industry seem to say this relatively frequently, but the times really are changing in one very important aspect of the threat lexicon. It is apparent that the headline hunters of previous years, the virus writers that simply wanted to get into the news or to receive kudos from their peers, are no longer the driving force behind malware.

Today's threats are almost 1980s Wall Street in the purity of their aim - it's all about the money. Organised crime is using the Internet more and more as a route to making dirty cash out of individuals and businesses. What follows explains, quite briefly, the kinds of methods criminals are using and what to be aware of in the effort to help your business avoid attack.

What are the threats?

The logical start point in an effort to understand the threat environment is to look at the actual threats. What types are around at the moment, what threats are growing in popularity and, most importantly for the purposes of this article, what are the most dangerous to businesses from the profit perspective? There are five major categories of threat:

1. Viruses
2. Spam
3. Phishing
4. Trojans
5. Legitimate applications, or PUPs (potentially unwanted programs), also known as spyware

Each of these has a number of sub-types. Viruses, for instance, include macro viruses, script viruses, mass mailers, worms and file viruses. Trojans can be remote access "backdoors", downloaders, data destroyers, password stealers or simply an annoyance. One way of assessing the relative dangers of these threats is to look at the most common ways network security is compromised.

In the top spot is self-propagation (attacks that spread themselves with no user intervention needed). This accounts for over a quarter of all compromises (source - Foundstone 2005). Then come mass mailers (requiring user intervention to help them spread) and browser-based threats. Taken together, these three total over 60% of recorded compromises.

In many ways the growth in the use of Trojans is of most interest, as it supports the contention that organised crime is increasingly involved in the production and spread of malware for monetary gain. In 1994 there were 74 recorded Trojans (programmes that disguise themselves as something legitimate in order to get onto a network and are then used to, say, send password information outside), in 2000 there were around 2 000 and in 2005 to date over 13 000. Trojans, because of their nature, are typically used in attacks on specific targets in order to obtain specific information. In times past, virus writers and hackers were in it for the fame; today the aim is not to be noticed. The last thing those in organised crime want is a newspaper headline - if the idea is to get money out of an organisation by stealing data or passwords, the watchword is stealth, and that's why the growth in the use of targeted Trojans is indicative.

The rise of the bots

Another popular technique for extorting money from businesses, and one that also supports the argument that organised crime is increasingly involved in the world of IT, is the use of bot armies to blackmail organisations. Bot armies are available for hire: a bot is a PC that has been compromised and can therefore be controlled by someone other than its user.

Network security administrators should also note the growth in the use of packers: viruses that are zipped up and encrypted in archive files in order to get past AV defences and which, when unpacked and decrypted, write themselves to memory rather than to disk.

Here's why: once installed, these tools can go out (depending on what they are designed to do) and fetch other pieces of code, such as key-loggers, and further compromise a network. They only need to remain undetected for a very short time on a system in order to do what they are supposed to. A further complication is that packers can be tweaked to evade detection extremely easily, making it vital to have a virus scanner that not only looks in memory, but can also recognise the various packer "families" with generic detection.
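As an added illustration, not code from the original article, here is the kind of generic, family-level check a scanner can run against the on-disk file before the stub unpacks into memory: it walks the PE section table and flags known packer section names, high-entropy (compressed or encrypted) sections, and sections that are both writable and executable. The packer section-name list, the minimal PE builder and both sample images are constructed for this example.

```python
import math
import struct
from collections import Counter
# Section names well-known packers leave behind (illustrative assumption, not a complete catalogue).
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack", b".petite": "Petite"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: plain code sits around 5 to 6.5, compressed or encrypted data near 8."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values()) if buf else 0.0

def pe_sections(data: bytes):
    """Walk the PE section table; yields (name, raw_bytes, characteristics) per section."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew: offset of the PE signature
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # COFF NumberOfSections, SizeOfOptionalHeader
    table = pe + 24 + opt_size  # section headers follow the optional header
    for i in range(nsec):
        name, _, _, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        yield name.rstrip(b"\0"), data[rawptr:rawptr + rawsize], chars

def packer_indicators(data: bytes, entropy_threshold: float = 7.0) -> list:
    """Family-agnostic checks applied to the file on disk, before the stub writes the real code to memory."""
    findings = []
    for name, raw, chars in pe_sections(data):
        label = name.decode(errors="replace")
        if name in PACKER_SECTIONS:
            findings.append(f"{label}: section name used by {PACKER_SECTIONS[name]}")
        if raw and shannon_entropy(raw) >= entropy_threshold:
            findings.append(f"{label}: entropy {shannon_entropy(raw):.2f}, compressed or encrypted payload")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{label}: writable and executable, the unpack-then-run pattern")
    return findings

def build_pe(sections) -> bytes:
    """Constructed minimal PE image for the demo, not a real binary; sections = [(name, raw, characteristics)]."""
    pe_off, opt = 0x40, bytes(224)  # a zeroed PE32 optional header is enough for the section walk
    raw_off = pe_off + 24 + len(opt) + 40 * len(sections)  # first byte after the section table
    image = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102) + opt
    headers, payload = b"", b""
    for name, raw, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), raw_off + len(payload), 0, 0, 0, 0, chars)
        payload += raw
    return image + headers + payload

CLEAN = build_pe([(b".text", b"\x55\x8b\xec\x33\xc0\xc9\xc3" * 200, IMAGE_SCN_MEM_EXECUTE),  # constructed sample
                  (b".data", b"Hello, world\0" * 100, IMAGE_SCN_MEM_WRITE)])
PACKED = build_pe([(b"UPX0", b"", IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),  # constructed UPX-style sample
                   (b"UPX1", bytes(range(256)) * 8, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])
```

`packer_indicators(CLEAN)` returns nothing, while the packed sample trips all three heuristics; these are triage signals for a scanner that then emulates or scans memory, not proof of malice, since legitimate software is packed too.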

Big Brother is watching

Adware currently represents 45% of all end-user submissions to McAfee's Anti-Virus And Vulnerability Emergency Response Team (AVERT). Whatever the actual intention of the adware, end-users often grant the adware vendor access, for example, to their surfing patterns by ticking the "I Accept" box at the end of a 20-page end-user licence agreement. It is enough to say that some of what ends up on users' PCs is well intentioned, or at least not malicious, and some most definitely is not. Many of the techniques used in spreading adware are common to the propagation of malware.

Gone phishing

Almost every reader will have heard the terms "phishing" and "pharming" in the past 18 months or so. It has been the case throughout the history of malware/hacking that the weakest link is often a person rather than a security technology. There are numerous examples of successful hacks that have involved fooling people into giving up a vital piece of information to open a door to getting into a critical database or system.

Phishing and pharming are forms of fraud that take advantage of our trusting natures. The former has been well publicised and involves sending out an e-mail to one or many people that looks like it is from a reputable source. This communication asks users to input, for example, their online banking passwords or log-on details and send back the mail to someone who gratefully empties the account.

Banks and other potentially affected institutions have been proactive in warning customers about this practice and this has reduced the effectiveness of phishing attempts. It has also led to more sophisticated methods being developed to take our money. Trojans have a crossover in this area too. They are far more difficult to detect, but are thankfully not as widespread.

Are you vulnerable?

The final form of attack that is growing in popularity given the profit potential involved is the exploitation of application or network vulnerabilities. Vulnerabilities are far from new, having been around since the first application and network came into being. However, the "time to exploit" or "vulnerability to worm" cycle is getting smaller and smaller.

Once it may have taken months for a specific exploit to be created for a particular vulnerability. Today this has, in certain cases, been reduced to a matter of days, unveiling the spectre of the "zero day attack". Here an exploit is launched at a critical, widely used system vulnerability before a patch has time to be implemented. The average time to exploit is now around 10 days, whereas in 1999 it was 280.

There are three factors which can make malware authors excited once they find out about a vulnerability:

1. Is the vulnerability on an application that is widely used?
2. Is the application source code public?
3. Can an exploit be executed remotely?

If the answer to all three of these is a resounding "yes", then it's propagation on a plate, a virus writer's dream: a way to gather huge amounts of money-making information without too much work. Preventing vulnerability exploits is a nightmare. How do you decide which patches are most crucial to your business? http://www.sans.org/top20/ provides a list of the top 20 vulnerabilities.

What are your most critical assets? How do you find the time for the constant AV updates to be implemented across your organisation? How do you find the resource to even contemplate any of the above?

Conclusion/future threats

The growth in the use of mobile devices is worth keeping an eye on for the next couple of years. It will provide malware authors and crime gangs with another opportunity for financial scamming and also may be a greenfield site for old-time virus writers, with their disparate motives.

If mobile devices do become user-friendly enough to replicate Internet Banking, for instance, then they are a logical target for those wishing to appropriate sensitive data for their own ends. This is a problem for both operators, who will bear the brunt of the burden of protection, and end-users, who will have to secure their WiFi and Bluetooth devices.

Already we are seeing proof-of-concept threats - people are examining the mobile world for flaws ahead of time. They are, however, hampered (as is the sector's growth) by the multitude of architectures and operating systems. Finally, another possibility is that the wheel may turn full circle for traditional, notoriety-motivated virus writers. The mobile network world, with its varied standards, is comparable in a way to the traditional PC/server arena and malware authors are certain to seek the kudos earned from launching the first really big attack on a new environment. In either case, when the connected home becomes a reality, the security headache for us all will be severe.

Editorial contacts

Nicola Knight
PR Connections
(083) 269 2227
mcafee@pr.co.za