In the world of malicious code, last year is ancient
history. A quick summary of the major trends of malicious code that
hit us during 2006 shows where e-crime and cyber threats are
heading in 2007.
Q1: ancient history
In early 2006 web attacks using "prehistoric" methods, resembling
those long used in e-mail attacks, were still prevalent. These were
file-based attacks: the victim was served a file carrying a hazardous
payload that ran on the machine when the file was opened or rendered -
for example, the infamous WMF exploit, which fired when Windows
rendered a crafted image file.
Social engineering attacks targeting the human factor also
thrived. Hackers created fake "security" packages - applications
that were actually spyware installers - and tricked unsuspecting
victims into downloading these malicious programs. These
applications still appear today, disguised as audio/video codecs,
PC utilities, etc.
Q2: business models are defined
Attackers' primary motivation shifted from fame to fortune. A
new business model emerged, linking suppliers (exploit and malware
writers), buyers (who package the exploits into kits for resale) and
distributors (who buy the kits, seed them on websites and are paid
per hit for each malicious payload delivered) into a malicious code
food chain.
Attack code was provided to website owners on a shared revenue
basis, where each infection counted towards the weekly or monthly
revenue payout.
Q3: innovations soar
New types of stealthy attacks using emerging Web 2.0
technologies began to appear. Ajax-based attacks used the browser's
asynchronous communication "behind the users' backs": while the
victim browsed a legitimate-looking page, script on that page fetched
malicious content in the background, with no visible navigation or
download, and infected the machine without their knowledge.
For the first time, security researchers revealed malicious code
sitting in the caches of major internet companies (Yahoo, Google,
MSN and others). Served from those trusted domains, the cached copies
lent legitimacy to the dirtiest code available.
Q4: hackers play hide and seek
The key security trend towards the end of 2006 was dynamic code
obfuscation: malicious script is rewritten into an unreadable form
that decodes itself at run time, and the encoding is varied on the
server so that each visitor to the malicious site receives a different
instance of the code. This became increasingly common as a means of
bypassing signature-based protection, which matches fixed byte
patterns: when no two served copies of the script share those
patterns, there is nothing for a signature to match.
Modern species (2007)
Driven by commercial interests, modern malicious code is almost
always obfuscated (more than 80%) and is fully internationalised.
Malicious sites are taken down as soon as the intended number of
infections is reached, to avoid detection. Attackers host malicious
code in the UK, US and Canada to reach the highest infection rates in
the shortest possible timeframe.
Trends in early 2007 continue to point to the fact that the web
has become the main vector for malicious code propagation, as
attackers continue to target the "weak spot" of traditional
security solutions, such as antivirus and URL filtering.
Commercially driven hackers understand that signature-based
solutions are not designed to counter code obfuscation, Web 2.0
platforms and technologies, and other dynamic attack vectors in
today's web scenario. The only effective solution is real-time
inspection technology to analyse each piece of code on the fly,
regardless of its source.
● Yuval Ben-Itzhak is chief technology officer at security
supplier Finjan. Examples of hacker techniques can be viewed at
Finjan's Malicious Code Museum at Infosecurity Europe stand
G252.
Comment on this article:
computer.weekly@rbi.co.uk