Forget Conficker--focus on the real threats

perspective Despite all the headlines, it is not the Conficker worm people should be worrying about, says industry watcher.
Written by Mary Landesman, Contributor

After all the hysteria generated by Conficker, I was tempted to try and get to the bottom of the many reports and research about the worm. But when I started to distil that information, I found it amounted to very little--especially compared with the threats that really deserve our attention.

So what are the threats that keep me awake at night? Top of the list are data-theft Trojans. These are forms of malware that shun the spotlight, preferring to escape attention altogether in an attempt to survive as long as possible.

Data-theft Trojans figured prominently in two key reports released recently: the first, a joint advisory from the FBI and U.S. Secret Service, and the second, a result of investigative research into GhostNet performed by the Munk Centre for International Studies and The SecDev Group, both of Canada.

In the U.S. Secret Service-FBI advisory, investigators noted "a considerable spike in cyberattacks against the financial services and the online retail industry". Two of the behaviors reported included the installation of network-traffic analyzers, aka sniffers, and the installation of backdoors that provide remote, surreptitious access to the compromised computers and networks.

Compromises and attacks
The GhostNet research focused on a series of compromises and attacks recorded during "a 10-month investigation of alleged Chinese cyberspying against Tibetan institutions".

The GhostNet researchers reported that "the threshold for engaging in cyberespionage is falling. Cybercrime kits are now available online, and their use is clearly on the rise, in some cases by organized crime and other private actors".

While the two reports focused on different target areas--financial services and pro-Tibetan arenas, respectively--the methods and outcomes described closely match the methods and outcomes observed by ScanSafe in 21 industry sectors throughout 2008 and into 2009.

Not only has cyberespionage become turnkey--a virtual franchise opportunity for criminals, if you will--but the impact of these continued attacks will also have global repercussions.

In essence, attackers are using data-theft Trojans to siphon off our most precious intellectual-property assets. In the financial arena, those assets might be credit-card and bank-account numbers.

For Tibet, the intellectual-property assets may consist of: "Files and [e-mail messages] with contact information, lists of meetings and attendees, draft position papers, internal PowerPoint presentations, organizational budgets and lists of visitors [that] can represent items of strategic value to rivals and enemies", according to the Canadian researchers.

The most targeted sectors identified by ScanSafe research include energy and oil, pharmaceutical and chemical companies, engineering and construction, and transport and shipping. Intellectual property from these industries could be used for a variety of illicit purposes, ranging from stock manipulation and patent tampering, to critical infrastructure insecurity and physical breaches.

Data-theft Trojans in general are not very sexy. Because this type of malware hides from view, victims are largely oblivious of its presence. Data-theft Trojans also prosper from the assumption that they are someone else's problem.

Yet these Trojans have an impact on all of us. Whether it is in the form of higher fees and prices that result from credit-card fraud, or stock losses due to manipulation, or the loss of physical security, data-theft Trojans have greater potential to harm than any other form of malware--perhaps even greater than many more overt forms of military conflict.

The increase in this type of malware is nothing short of alarming. In 2008, the number of data-theft Trojans delivered via the web increased 1,559 percent. To put that growth into terms that may be easier to digest, in 2008 a representative 15,000-seat ScanSafe customer encountered over 30,000 Web-delivered malware attempts; and over 11,000 of these, or more than 30 percent, were attempts to deliver data-theft Trojans.

So while Conficker may be headline news, the threats we need to be most concerned with--surreptitious data-theft Trojans--are going unnoticed.

Mary Landesman is the senior security researcher for ScanSafe. This article was published in ZDNet UK at the end of April.
