Security lessons not learned will haunt us in 2009

Too many people in IT are choosing to ignore last year's troubling developments in malware, argues internet security expert Mary Landesman

2008 will probably be remembered for a very long time for all the wrong reasons — and amid the grim litany of the year's events are ominous developments in malware, which we ignore at our peril, says internet security expert Mary Landesman.

In terms of malware, 2008 was a very bad year. But 2009 will be far worse. The most depressing thing is so many IT people still haven't grasped the significance of certain malware developments that occurred in 2008. That failing will mean they will be ill-prepared for the challenges 2009 will surely bring.

Let's look back. The power of distributed computing has brought malware to the masses via botnets. While systems administrators cling to desktop-security solutions, the attackers have clearly moved to the cloud.

Botnets such as Asprox incorporated the operational ease of exploit frameworks such as Neosploit with backdoors and downloaders such as Zbot. The end result: millions of compromised web pages delivering Trojans that silently syphon sensitive data from infected systems.

Less is more
Where technology fails, users pick up the slack. Social engineering escalated to new levels in 2008, proving once and for all that less really is more. To bypass spam filters, the messages contain little more than a few terse words and a link.

Some of the messages appeal to the recipient's vanity: "You look awesome in this video". Others exploit people's fear and curiosity: "Pope killed by assassin in Vatican City". In some cases, the links point to a malicious website rigged with exploits designed to install malware automatically. In most cases, however, the attackers can afford to be lazy and let the victims infect their own computers by simply pretending the malware is a video codec or Flash update.

Sneakernet-spread infections made a comeback this past year, thanks to autorun worms that target removable and mapped drives, dropping an autorun.inf to the root, which loads the worm executable each time the drive is accessed.

The continuing popularity of USB thumb drives provides an open door for the malware. Once these worms have taken root, mitigating the threat can be costly. And auto-run worms seldom work alone. Underlining the theme that malware is no longer about pranks, today's auto-run worms double as Trojan downloaders, installing an explosive cocktail of backdoors and data-theft Trojans.
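The autorun.inf mechanism described above, as an added example that is not from the article or from ScanSafe: a small Python parser that reads the [autorun] section of such a file and reports the launch directives (open, shellexecute, shell\<verb>\command) a worm relies on, so a drive can be checked before anyone opens it. The sample file is constructed for illustration; the key names are standard autorun.inf directives.

```python
import re
from dataclasses import dataclass, field
from typing import List

# [autorun] keys that launch a program when the drive is opened or AutoPlay
# fires; shell\<verb>\command entries do the same through the context menu.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Cosmetic keys a worm typically sets so the drive looks like a plain folder.
DISGUISE_KEYS = {"icon", "label", "action"}

@dataclass
class AutorunReport:
    launches: List[str] = field(default_factory=list)   # commands that would run
    disguises: List[str] = field(default_factory=list)  # cosmetic entries found
    suspicious: bool = False

def parse_autorun(text: str) -> AutorunReport:
    """Parse INI-style autorun.inf text and report any launch directives."""
    report = AutorunReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # only the [autorun] section matters
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            report.launches.append(f"{key}={value}")
        elif key.lower() in DISGUISE_KEYS:
            report.disguises.append(f"{key}={value}")
    report.suspicious = bool(report.launches)
    return report

# Constructed sample resembling what an autorun worm drops on a drive root:
# every launch key points at the same executable and the icon/action entries
# make the drive look like a normal folder.
SAMPLE = r"""[AutoRun]
open=setup\driver.exe
shellexecute=setup\driver.exe
shell\open\command=setup\driver.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""
```

Run it over the root of each mounted removable or mapped drive; disabling AutoRun by policy removes the trigger, while this check finds drives that are already carrying the worm.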

The troops have been overwhelmed. In 2008, traditional antivirus detected 80 percent of new threats. Put another way, traditional antivirus on average missed 20 percent of new malware released during the year.

Signature-based methods rely on four critical components: discovery, analysis, pattern creation and updates. Attackers have overwhelmed the system by releasing tens of thousands of new variants of malware each month, in effect launching a denial-of-service attack against signature-based vendors.

Where response times to new malware used to be measured in hours, now it can be days, weeks and even months before antivirus software is updated. Still, 80 percent is vastly superior to zero percent and thus signature-based antivirus continues to play a critical role. It cannot, however, continue to be perceived as a standalone defence in today's malware wars.

In A Case-Study of Keyloggers and Dropzones, authors Thorsten Holz, Markus Engelberth and Felix Freiling of the University of Mannheim studied two families of keyloggers between April and October 2008. Through their honeynet, the authors discovered 300 dropzones and were able to fully penetrate 70 of those.

They uncovered 5,682 stolen credit-card numbers resulting from the attacks, and an estimated loss of funds of almost $1.7m (£1.2m). Also discovered were "10,775 unique bank-account credentials", 149,458 email credentials, and 78,359 stolen social-networking credentials. The black market in stolen data provides millions in revenue for criminals and exacts a high financial toll on the economy.

Growing trend
Threats like these have been increasing exponentially month on month. There was more web-distributed malware in July 2008 than in the whole of 2007. October 2008 was 21 percent worse. November was as bad as October and December hasn't shown much improvement.

If that trend continues — and there's no reason to believe it won't — 2009 may prove a pivotal year for the future health and viability of the web. Before you write that off as doomsday marketing, consider the $21.2bn internet advertising economy that depends on the acceptance of third-party scripts. Add in the potential economic impact of intellectual property theft, credit-card fraud, and identity theft and the magnitude of the problem becomes clearer.

My hope for 2009 is that we stop viewing these issues as simply a malware problem. The web is under attack, as are corporations and consumers.

Today's malware is not about digital graffiti or prankish control of computers. It's about stealing property — yours, mine, and ours. The criminals have advanced their technologies, using the power of the cloud to their own advantage.

Collectively, we need to advance our own protection mechanisms, combined with user education and criminal sanctions, to combat this threat and retake the web.

Happy new year.

Mary Landesman is the senior security researcher for ScanSafe.