The summer of 2003 marked a turning point in malicious code, a particularly prolific period that saw the debut of the likes of Blaster, Welchia, Dumaru and Sobig.F. That summer also signaled the end of a threat landscape dominated by traditional threats. Unlike previous evolutions, the change was not one of vector or type of threat, but rather an evolution of intent.
Today's malware authors have gone pro, selling their creations -- or the systems compromised by their creations -- via underworld auctions held in the darkest corners of cyberspace. On the auction block are spam zombies, adware victims, login credentials, credit card numbers and sensitive financial or competitive details.
The tools used by the attackers include everything from old school social engineering tricks to vulnerability exploits to sophisticated rootkits that mask the activity. Viruses, worms and Trojans now form multi-pronged assaults all working towards a common goal: infect and then capitalize off of their victims.
Money as the Motive
With online banking and eCommerce now a standard means of doing business, this shift in attacker intent may eventually spell a shift in focus for enterprise admins as well. Much of the focus for IT security to date has been, justifiably, protecting enterprise assets from malicious code attacks. But the security of the home/SOHO user accessing the enterprise's online commercial offerings may increasingly play a role in the future.
To that end, many are closely watching the legal proceedings involving a small business operator and Bank of America. In February 2005, Joe Lopez, a Miami small businessman and victim of the Coreflood Trojan, filed a suit against Bank of America for failing to notify him of the risks posed by the Trojan. Lopez discovered the Trojan after $90,000 had been illicitly wired from his account to the attacker's account in Latvia.
Coupled with possible concerns about customer security, enterprise administrators are besieged with multi-vector attacks that leverage every available online entry point. In a recent article in The Washington Post, reporter Brian Krebs interviewed a criminal coder who used a modified variant of the Zotob worm to exploit vulnerabilities in Windows Plug and Play (MS05-039). After successfully infecting victims' machines, the worm installed a downloader Trojan that then foisted an abundance of adware and spyware onto the systems. His motive? Easy money from un-policed affiliate programs that paid the attacker for each unwanted adware and spyware install.
When the victims attempted to remove the adware and spyware, the attacker simply re-infected the systems using the same unpatched security flaw. Periodically, he even removed the adware and spyware himself and then installed newer versions in order to double his payout through the affiliate program.
Nowhere to Hide
Though email and Internet worms remain significant attack vectors, many criminal profiteers also employ P2P and, increasingly, Instant Messaging to gain new victims. Provocatively named files are the draw on file-sharing networks, masquerading as everything from game cheats to nude celebrity photos to expensive software cracks.
Instant Messaging worms rely on the trust placed in those on a user’s buddy list. Similar to email worm spoofing, IM worms send themselves from an infected system to other contacts found in the Instant Messaging program. Most include a short compelling message coupled with a link to a miscreant website. The websites exploit a wide range of browser vulnerabilities to automatically infect those who have the misfortune to click-through.
Email scams also continue in abundance. Phishing, Nigerian 419 and lottery scams continue to evade spam and content filters, in many cases putting the security of the enterprise into the hands of the end user. Links contained in these messages often point to booby-trapped websites, visits that often result in keyloggers and backdoor Trojans being implanted on the vulnerable systems.
Mobile device threats are also on the increase, though currently far from a significant threat vector. Likewise, Mac OS X Tiger has been found vulnerable to security flaws that facilitate automatic compromise in a similar fashion to exploits common in the PC arena. The popularity of blogging also hasn’t escaped those bent on infection-for-profit. Blog comment spam that contains links to booby-trapped websites poses a substantial headache for bloggers and for users who happen to click-through.
In short, users have an abundance of ways in which to get infected, from old-fashioned social engineering to high-tech crime; their online experience is punctuated by constant attempts at intrusion.
A Careful Watch
As intent has shifted to profiteering, the malware used rarely calls attention to itself. And even when profits are made via malware installations, the adware and spyware itself serves as something of a red herring, drawing attention to itself and away from the underlying vulnerabilities or malicious code that led to the installations. Indeed, when adware, spyware and other forms of non-business software turn up, their presence is often attributed to the user's own actions, deliberate or unintentional. Thus remediation focuses on removing the obvious and often overlooks the cause.
Rootkits can also mask the presence of the underlying malware responsible for the intrusion, even preventing it from being ferreted out by some antivirus scanners. This not only increases the user's likelihood of pervasive and continued re-infection, it also increases the time administrators need to properly discover and remediate the threat.
One thing that hasn’t changed – prevention remains the single best course of action. But preventive strategies must be holistic and must include all online vectors to which the user has access.
The Castle Moat
Perimeter-based protection, including firewalls, routers, content filters and antivirus software, is a viable first line of defense. But by no means should it be considered the last or only line of defense. Indeed, enterprises that focus solely on perimeter-based protection are often described as "hard on the outside, soft and chewy on the inside" because once past the perimeter, they are easy targets.
Each system in the enterprise should be guarded as if perimeter security had already been breached, because chances are it will be. Security vulnerabilities must be patched in a timely manner, strong passwords must be enforced, lax security settings must be ferreted out and corrected, and sensitive data should be routinely encrypted. Indeed, encryption of sensitive data maintained on laptops would ward off many of the concerns that arise when these laptops are lost or stolen.
Ironically, these same laptops may provide the very means by which perimeter-based security is breached. A laptop infected outside the protective barrier of the enterprise carries the infection in-house through the front door when the employee returns to work.
In addition to treating each machine as a possible battleground, users must be called upon to act as sentry. Policy decisions must be made regarding the use of high-risk applications such as P2P file-sharing programs, and specific steps taken to ensure compliance with those policies.
Such policy enforcement need not, and probably should not, be punitive. Rather, policy enforcement is best done as part of a cooperative effort not only to protect enterprise assets from harm, but also to educate and protect the user from harm. After all, the login credentials compromised by that Trojan might just be the login credentials to the user's personal bank account. Helping the user understand his own stake in security will carry over to better protection for the enterprise as well.
About the Author:
Mark Shavlik is the president and CEO of Shavlik Technologies, a provider of enterprise security software solutions.