I asked the other day if “we no longer perceive malware as being such a high priority?”
According to the 2007 CSI Computer Crime & Security Survey, virus attacks impacted 52% of survey respondents during the last 12 months and accounted for over US$8.3 million worth of losses. That was still only a third of the amount lost to financial fraud, but more than the losses credited to theft of confidential data.
So, malware is definitely still an issue. Conversely, 98% of the respondents in the survey use anti-virus software, 97% firewalls, and 80% use anti-spyware software. So why are 52% suffering the consequences of malware on their systems?
Unfortunately the survey doesn’t tell us what type of systems the malware affected.
There are numerous reasons why systems that are supposedly hardened and defended still become infected. For instance, change control processes not being adhered to or patches not being applied in a timely enough manner. There is also the fact that many of our defences rely upon signatures to detect malware, which is no protection at all against zero-day attacks.
Malware is also evolving. The latest Symantec Internet Threat Report describes threats affecting virtual worlds, automated evasion processes, and other advanced threats. For instance, Symantec “believes that attackers will use (persistent virtual worlds) and (massively multiplayer online games) to trick victims into installing malicious software under the pretense that the software improves functionality in the virtual world. For example, virtual worlds have embraced the concept of scripted bots that serve, entertain, and protect avatars within the virtual environment. This could provide attackers with an opportunity to compromise the environment itself.”
The report goes on to describe new techniques being used to distribute malware over the internet:
“Some of the new techniques center on the distribution point, the point where the malicious code is hosted, such as a Web server. With the significant decline of network-based worms over the past several years, current malicious code frequently relies on the exploitation of client-side vulnerabilities. These exploits often use the staged downloader model in which an initial Trojan is installed on the machine and then downloads the most up-to-date version of the malicious code from a distribution point.”
There are more emerging malware threats relevant to mobile devices. With smartphones able to synchronise with PCs as a standard part of device ownership, malware writers can now create code that transfers itself from the PC to the smartphone (or vice versa). By placing a virus on the smartphone, an attacker has the ability to compromise a PC, and vice versa (see “The future of mobile malware” by Shane Coursen).
Lastly, for now, it’s worth mentioning that malware is a growing commercial concern for some of those writing the code. There is a whole underground economy where time on botnets, zero-day exploits, and other code can be bought and sold.
How does all this translate into action items for the business? We have to remain vigilant and deploy defence-in-depth controls. Symantec put it thus: “Employ defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems.” This, however, is only a small part of the total threat we face and the countermeasures that can be deployed. Over the next couple of blogs I’ll go into more detail…