Security Advisor

The New Face of Internet Threats

It's a brave new world in anti-malware protection. Joern analyzes the latest security trends.

• By Joern Wettern
• 05/01/2008

The Commercialization of Malware
The most striking trend in Internet-based attacks is the increase in commercialization of such attacks. Today's threats are no longer dominated by teenage hackers trying to break into computer systems for bragging rights. The most obvious sign of this development is the rapid increase of phishing e-mail that attempts to trick people into giving up their online banking log-in names and passwords. Less obvious but even more worrisome is the increasing number of companies becoming victims of criminals stealing large quantities of credit card numbers, even among those companies with elaborate security measures.

This type of theft is a sign of a development that has been going on for some time and with little public coverage. Large-scale crime syndicates are now in the business of cyber attacks. They are quite willing to invest large sums, often millions of dollars, into ventures that have the potential of even larger financial rewards. According to John Eddy, a senior vice president at anti-malware vendor Kaspersky Lab, it's not uncommon to see schemes that are yielding profits of tens of billions of dollars. Given the size of the initial investment and potential payoff, these groups can afford to finance development efforts that rival those of large legitimate software vendors. The investors are removed from the actual dirty work and simply hire someone to run their business. That person, in turn, finds developers who are paid to come up with new and increasingly effective attacks.

Large organized crime organizations don't make up all of today's cyber crime business. The latest Web Security Trends Report by Finjan, a Web security company, describes an underground economy that isn't all that different from other sectors of the economy. One aspect of this economy is a mature pricing model that's based on supply and demand. Credit card numbers are commonly advertised on underground channels and prices for numbers from a particular geographic region fluctuate based on how many of them are available and how many buyers there are. There's even a trend toward service-based cyber crime.

In the past a criminal would buy the attack code, rent a Web server to host it, and find a separate source for leasing botnets to send vast quantities of phishing e-mail. Today you can buy the entire package and let someone else do the work for you. In this service-oriented model customers are paying for specific results, such as a negotiated number of phishing responses. There are even contracts with service level agreements that are similar to those you might see in the legitimate economy. Symantec's latest Internet Security Threat Report contains detailed information about how specialization of goods and services, outsourcing of production and sophisticated pricing and business models have become mainstays of this underground economy.

What Does This Mean for You?
The main lesson to be learned from the developments described is that it's more important than ever to be vigilant. You also need to consider new methods for protecting your data. It's no longer enough to keep OSes patched and instruct users to not reply to phishing e-mails. Instead, you need to develop a multilayer approach that responds to today's threats in multiple ways.

In the past most attacks exploited vulnerabilities in operating systems and browsers. According to the Symantec study, most vendors of these products have shortened the time for releasing patches for vulnerabilities. During the last year Microsoft led the field with an average patch development time of only six days. Sun had the worst record with an average patch development time of 157 days. Also, most organizations tend to deploy these patches shortly after they have been released. As a result of these developments, attacks against operating systems and browsers are less effective and have decreased. Instead attackers have directed their efforts against other vulnerable software.

The Symantec and Finjan studies both indicate that vulnerabilities in browser plug-ins are the most serious problem and the most likely target for an attack. This shouldn't be surprising because many companies don't have an effective process for patching this type of software and often are not even aware what plug-ins are in use in their networks. The obvious lesson from this is to be vigilant about letting users install plug-ins, and expanding the scope of software patching to include browser plug-ins and other software used in your company.

Anti-malware protection at the desktop remains crucial and is still effective against many types of attacks. However, due to scanning limitations and delays in updating signatures, you shouldn't depend on it as your primary malware defense. However, attacks originating from the Internet can be blocked more effectively at a gateway. For e-mail-based attacks it's crucial to scan all messages as they arrive, preferably using multiple scanning engines. You should also continue to scan e-mail each time a user accesses a message or perform regular scans of your mail stores. Whether you scan incoming e-mail using a software solution, an appliance or a hosted security service, the most important thing to look for is that the solution you pick can quickly adapt to new threats and is flexible enough to respond to entirely new attack patterns.

The most difficult task in defending against today's attacks is securing Web communications. Normally, there's a long delay between the emergence of a new file-based threat and the first time it appears on a floppy disk an employee brings in from home. There are frequently several hours between the time a new virus or worm is discovered and the first infected mail message that arrives at your server. In all likelihood, the malware signatures on clients and mail servers are current enough to protect you.

But the reality is that Web-based attacks happen in real time. To protect against these attacks you need a Web-filtering solution that goes beyond just blocking specific sites or content. Effective Web-filtering solutions examine Web traffic and detect malicious activity in Web requests and responses based on an analysis of how they would impact the client and server. Even more than with e-mail security, it's crucial that the solution you choose is flexible to adapt to new threats and that the vendor has a record of quickly delivering updates when the threat landscape changes.

Have you noticed a change in the attacks your own company is experiencing, or can you think of additional ways to respond to changes in the security landscape? I'd like to hear about it. You can contact me by e-mail at the address below.