
Malware Archives

November 9, 2007

Malware - continuing threat (Pt. 1)

I asked the other day if "we no longer perceive malware as being such a high priority?"

According to the 2007 CSI Computer Crime & Security Survey, virus attacks impacted 52% of survey respondents during the last 12 months and accounted for over US$8.3 million in losses. That was still only about a third of the amount lost to financial fraud, but more than the losses attributed to theft of confidential data.

So malware is definitely still an issue. Yet 98% of the respondents in the survey use anti-virus software, 97% firewalls, and 80% anti-spyware software. So why are 52% still suffering the consequences of malware on their systems?

Unfortunately the survey doesn't tell us what type of systems the malware affected.

There are numerous reasons why systems that are supposedly hardened and defended still become infected: for instance, change control processes not being adhered to, or patches not being applied promptly. There is also the fact that many of our defences rely upon signatures to detect malware, which offers no protection against zero-day attacks for which no signature yet exists.

Malware is also evolving. The latest Symantec Internet Threat Report describes threats affecting virtual worlds, automated evasion processes, and other advanced threats. For instance, Symantec "believes that attackers will use (persistent virtual worlds) and (massively multiplayer online games) to trick victims into installing malicious software under the pretense that the software improves functionality in the virtual world. For example, virtual worlds have embraced the concept of scripted bots that serve, entertain, and protect avatars within the virtual environment. This could provide attackers with an opportunity to compromise the environment itself."

The report goes on to describe new techniques being used to distribute malware over the internet:

Some of the new techniques center on the distribution point, the point where the malicious code is hosted, such as a Web server. With the significant decline of network-based worms over the past several years, current malicious code frequently relies on the exploitation of client-side vulnerabilities. These exploits often use the staged downloader model in which an initial Trojan is installed on the machine and then downloads the most up-to-date version of the malicious code from a distribution point.

There are also emerging malware threats relevant to mobile devices. With smartphone-to-PC synchronisation now a standard part of device ownership, malware writers can create code that transfers itself from the PC to the smartphone (or vice versa). By placing a virus on the smartphone, an attacker has the ability to compromise a PC, and vice versa (see "The future of mobile malware" by Shane Coursen).

Lastly, for now, it's worth mentioning that malware is a growing commercial concern for some of those writing the code. There is a whole underground economy in which time on botnets, zero-day exploits, and other code can be bought and sold.

How does all this translate into action items for the business? We have to remain vigilant and deploy defence-in-depth controls. Symantec put it thus: "Employ defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems." This, however, is only a small part of the total threat we face and of the countermeasures that can be deployed. Over the next couple of blogs I'll go into more detail...

November 10, 2007

Malware - continuing threat (Pt. 2)

In research performed during 2005, Alexander Moshchuk, Tanya Bragin, Steven D. Gribble and Henry M. Levy of the Department of Computer Science & Engineering at the University of Washington crawled 18 million URLs. They found spyware in 13.4% of the 21,100 executables discovered, and scripted "drive-by downloads" in 5.9% of the web pages processed. You can read the research paper, entitled "A Crawler-based Study of Spyware on the Web", here: http://www.cs.washington.edu/homes/tbragin/spycrawler.pdf.

Interestingly, their research noted a reduction in drive-by downloads when they ran the same tests again six months later; however, they still found that "14% of the spyware contained potentially malicious functions, such as Trojan downloaders and dialers." I'd be interested to see the results of performing a similar web crawl now. I suspect they would find a higher percentage of both malicious spyware and drive-bys. Research performed by Provos, McNamee et al. in their 2007 paper "The Ghost In The Browser: Analysis of Web-based Malware" would seem to support this: out of 4.5 million sampled URLs they identified 450,000 "that were successfully launching drive-by downloads of malware binaries and another 700,000 URLs that seemed malicious but had lower confidence."

More worrying is the conclusion that malware binaries frequently change to "thwart detection by anti-virus engines." Simply stated: if you rely solely on signature-based anti-virus software for protection, you are not protected.
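To make the point about changing binaries concrete, here is an added example written for this archive page (it is not code from the original post or from either research paper). Every "binary" in it is a constructed byte string standing in for a staged-downloader payload, not real malware; the file hash plays the part of a traditional anti-virus signature, the wildcard byte pattern is a hypothetical rule in the spirit of a YARA signature, and `repack_variant` and `obfuscate_strings` are assumed stand-ins for what a distribution point and a packer do to each copy they serve.

```python
"""
Added example: why an exact-hash anti-virus signature stops matching once a
malware binary is repacked, why a looser byte pattern survives that, and where
the pattern in turn fails.  Every "binary" below is a constructed byte string
standing in for a staged-downloader payload; none of it is real malware.
"""
import hashlib
import re

# Constructed stand-in for a captured downloader: a fake DOS/PE header, an
# HTTP request for the next stage, and two tell-tale process-injection APIs.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"GET /update/payload.exe HTTP/1.1\r\nHost: example.invalid\r\n"
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
)


def exact_hash_signature(sample: bytes) -> str:
    """The classic AV signature: a hash of the whole file."""
    return hashlib.sha256(sample).hexdigest()


def repack_variant(sample: bytes, seed: int) -> bytes:
    """Assumed model of what a distribution point does per download: same
    capabilities, different bytes (new host string, junk appended)."""
    junk = bytes((seed * 31 + i) % 256 for i in range(16))
    host = f"cdn{seed}.invalid".encode()
    return sample.replace(b"example.invalid", host) + junk


def obfuscate_strings(sample: bytes, key: int = 0x5A) -> bytes:
    """Assumed model of a packer that XOR-encodes the API names so they only
    exist in plaintext after the loader has run."""
    idx = sample.index(b"CreateRemoteThread")
    return sample[:idx] + bytes(b ^ key for b in sample[idx:])


# Hypothetical wildcard rule in the spirit of a YARA signature: an MZ header,
# then an HTTP GET for an .exe, then the injection API pair, with anything in
# between.  Repacking that only changes hosts or padding does not defeat it.
PATTERN = re.compile(
    rb"^MZ.*?GET /\S+\.exe HTTP/1\.[01].*?CreateRemoteThread\x00WriteProcessMemory",
    re.DOTALL,
)


def pattern_signature_matches(sample: bytes) -> bool:
    """True if the wildcard byte pattern is found anywhere in the sample."""
    return PATTERN.search(sample) is not None


def detect(sample: bytes, known_hashes: set) -> dict:
    """Layered verdict: each detector's result plus the combined one."""
    hash_hit = exact_hash_signature(sample) in known_hashes
    pattern_hit = pattern_signature_matches(sample)
    return {"hash_match": hash_hit, "pattern_match": pattern_hit,
            "detected": hash_hit or pattern_hit}


def demo() -> dict:
    """Run all three cases against a signature database seeded only with
    the hash of ORIGINAL, the way an AV engine would be after one sample."""
    known = {exact_hash_signature(ORIGINAL)}
    return {
        "original": detect(ORIGINAL, known),
        "repacked": [detect(repack_variant(ORIGINAL, s), known) for s in (1, 2, 3)],
        "obfuscated": detect(obfuscate_strings(ORIGINAL), known),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running it shows the three outcomes the post is worried about: the original sample is caught by both detectors; each repacked copy has a new hash that the database has never seen, and is caught only by the pattern rule; and once the tell-tale strings are encoded, neither signature fires. The pattern rule is better than the hash, but it is still a signature, and the third case is why the post argues for overlapping controls rather than any single detection method.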


February 10, 2008

Anti-Malware Testing Standards Organization

More than 40 security software technologists and anti-malware testers from around the world recently met in Bilbao, Spain to formalize the charter of the Anti-Malware Testing Standards Organization, or AMTSO. The formation of AMTSO has been driven by industry-wide concern about the increasing mismatch between what anti-malware technologies actually do, and the testing methodologies used to evaluate them.

Read more about this new organisation here: http://www.amtso.org/

June 22, 2008

AV industry sucks

So says the CEO of Trend Micro, Eva Chen, in a new interview in which she describes a cloud-client architecture as the solution to stopping malware.

It's good to finally see one of the large anti-malware vendors sticking its neck out and trying to address the problem at source. Chen says "For me for the last three years I've been feeling that the anti-virus industry sucks. If you have 5.5 million new viruses out there how can you claim this industry is doing the right job?"

Read the full story here.

About Malware

This page contains an archive of all entries posted to Stuart King's Security and Risk Management Blog in the Malware category. They are listed from oldest to newest.
