Security industry losing malware battle: IronPort VP

The IT security industry is failing to keep up with the smarts of criminals developing malware, according to IronPort Systems vice president of technology, Pat Peterson.

Peterson, speaking at the AusCERT 2007 conference in Queensland last week, showed several examples of scams that completely bypass the usual defences of firewalls, intrusion prevention systems, URL filters and antivirus solutions. He said that criminals are using techniques that "we as an industry are not very well equipped to deal with."

"They have been very successful," he continued. "That success has given them tremendous amounts of money, and tremendous amounts of leverage to continue their advantage."

The most common way user machines are being compromised is social engineering -- where users are induced to download malware by deceptive means.

Attackers, he said, are creating "a very elaborate social construct to increase the chance that people very willingly will take this software, which often times includes a trojan, and put it on their PC."

There are many applications posted on the Internet, for example, that pose as solutions for cleaning malware and spyware from a machine but are merely "shams" aimed at further compromising a computer.

Such malware is often advertised on search engines (appearing as paid listings on Google, for example), attracting users concerned about pop-up ads.

For cautious users who attempt to research the program's legitimacy, more traps await. Attackers have set up fake review sites, with the look and feel of genuine publishers, which recommend installing the malware.

Even real message boards discussing the malware can be compromised.

"There will be some guy that keeps on posting every three days," Peterson said. "He will say things like -- 'I don't know what you're talking about. I downloaded that program. It took care of all my problems. It's like the best software ever.'"

"The antivirus software will say something when the user tries to download the malware program, and the user just overrides it, thinking that they need the software."

Other baits to induce the user into downloading malware include e-mails purporting to be from security vendors which contain attachments or links to compromised sites.

And more commonly users are induced to click links promising "hot pictures of Britney Spears," he said.

Mutating threats
The sites serving up these attacks use constantly changing URLs.

"The best URL filtering company in the world can't keep up," Peterson said.

Attackers are also morphing their tools to avoid detection by real security tools.

There are public Web sites, he said, "designed by criminals for criminals", which offer tools for mutating a virus.

"If you take a virus, run it through the 'next generation virus kit' on these sites -- it will spawn dozens, hundreds or thousands of variants," Peterson said. "The new virus will do the exact same thing and will function the same way, but [the attacker can] disguise the virus and make it look like something different."

"They simply run it through all the known antivirus scanners until a mutation gets through, and then put it up on their Web sites or send it out in an e-mail."

A lucrative practice
The success of these scams has fuelled innovation among online fraudsters, Peterson said.

He showed attendees a Web page hosted on a command and control node that controls a network of bot computers.

The page showed up to 50,000 infected PCs on one botnet. A directory on the same server contained a 211MB file of keylogger output, recording what users of these PCs had typed over a period of just a few weeks.

The gains to be made through these scams are considerable, he said. He used the example of one 19-year-old making AU$6,000-$7,000 every week for compromising computers with adware.

"Rather than infecting computers and selling them as bots, he would infect computers and forcibly install adware," he said. "The adware companies were paying him 40 cents per install."

Another attacker made over AU$4 million by loading exploits that would open the user's CD-ROM drive. "He'd then tell the user that if their CD-ROM is open, [they] are infected, and that his tools can help clean it up for free."

"You download his software, it pretends to be scanning, pretends to find more exploits, and then offers to clean it up if you pay AU$30. Some of these guys are making AU$100,000 a day," he said.

Infection rates not acceptable
Peterson says the infection level of malware on the Web "is not acceptable."

"The criminals are using the social engineering, the exploits, and the mutating viruses, to get around the firewalls and Intrusion Prevention Systems which were not [designed] to address what the criminals are doing today."

A good defence requires an integrated approach, he said -- many solutions combined together in a single client.

"The most important thing I urge everyone to do is to X-ray your network," he said. "Find some method of knowing whether the computers inside your network are trying to communicate with a command and control node, and you'll know they are infected."
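One way to do the kind of network "X-ray" Peterson describes, as an added example that is not from the article or from IronPort: a short Python script that scans outbound-connection log lines for internal hosts that either contact a known command and control indicator or poll one destination at a fixed interval, the way bots typically check in with their controller. The log format, the hostnames, the indicator list and the thresholds are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed sample firewall/proxy log lines (not from the article).
# Assumed format: "<epoch_seconds> <src_ip> -> <dst_host>:<port>"
SAMPLE_LOG = """\
1000 10.0.0.5 -> update.example-vendor.test:443
1060 10.0.0.5 -> c2-node.example.test:8080
1120 10.0.0.5 -> c2-node.example.test:8080
1180 10.0.0.5 -> c2-node.example.test:8080
1240 10.0.0.5 -> c2-node.example.test:8080
1005 10.0.0.9 -> news.example.test:443
1400 10.0.0.9 -> mail.example.test:993
2100 10.0.0.9 -> news.example.test:443
1010 10.0.0.7 -> known-bad.example.test:80
"""

# Constructed C2 indicator list (placeholder name, not a real IoC).
KNOWN_C2 = {"known-bad.example.test"}

LINE_RE = re.compile(r"^(\d+) (\S+) -> ([^:\s]+):(\d+)$")

def parse(log):
    """Yield (timestamp, src_ip, dst_host), skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def find_suspect_hosts(log, min_hits=4, max_jitter=5.0):
    """Return {src_ip: reason}. A host is flagged if it talks to a known
    C2 indicator, or if it contacts one destination at least min_hits
    times with near-constant spacing (beacon-like polling)."""
    per_pair = defaultdict(list)
    for ts, src, dst in parse(log):
        per_pair[(src, dst)].append(ts)
    suspects = {}
    for (src, dst), times in per_pair.items():
        if dst in KNOWN_C2:
            suspects[src] = f"contacted known C2 indicator {dst}"
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Short-circuit keeps pstdev from seeing an empty gap list.
        if len(times) >= min_hits and pstdev(gaps) <= max_jitter:
            suspects.setdefault(src, f"beacon-like traffic to {dst} every ~{gaps[0]}s")
    return suspects
```

Running `find_suspect_hosts(SAMPLE_LOG)` flags 10.0.0.5 for its 60-second beacon and 10.0.0.7 for the indicator match, while the irregular browsing from 10.0.0.9 is left alone.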