In the world of malicious code, last year is ancient history. A quick summary of the major trends of malicious code that hit us during 2006 shows where e-crime and cyber threats are heading in 2007.
Q1: ancient history
In early 2006, web attacks still relied on "prehistoric" methods resembling those used in e-mail attacks: file-based attacks carrying a hazardous payload that runs on the victim's machine - the infamous WMF exploit, for example.
Social engineering attacks targeting the human factor also thrived. Hackers created fake "security" packages - applications that were actually spyware installers - and tricked unsuspecting victims into downloading these malicious programs. These applications still appear today, disguised as audio/video codecs, PC utilities, etc.
Q2: business models are defined
Attackers' primary motivation shifted from fame to fortune. A new business model emerged, bringing together suppliers (code writers), buyers (packaging exploits for resale), and distributors (buying and redistributing exploit packages with a pay-per-hit for malicious payloads) to form a malicious code food chain.
Attack code was provided to website owners on a shared revenue basis, where each infection counted towards the weekly or monthly revenue payout.
Q3: innovations soar
New types of stealthy attacks using emerging Web 2.0 technologies began to appear. Ajax-based attacks performed asynchronous communications "behind the users' backs". In other words, while browsing a legitimate website, the underlying code fetched malicious content and infected the victim's machine without their knowledge.
For the first time, security researchers revealed the presence of malicious code on caching servers of major internet companies (Yahoo, Google, MSN and others), which were used to grant legitimacy to the dirtiest code available.
Q4: hackers play hide and seek
The key security trend towards the end of 2006 was dynamic code obfuscation, a technique that scrambles malicious code into incomprehensible gibberish. This became increasingly common as a means of bypassing signature-based security protections, because each visitor to the malicious site receives a different instance of the code.
Modern species (2007)
Driven by commercial interests, modern malicious code is almost always obfuscated (more than 80%) and is fully internationalised. Malicious sites are taken down as soon as the intended infection rate is achieved, to avoid detection. Attackers host malicious code in the UK, US and Canada to heighten infection rates in the shortest possible timeframes.
Trends in early 2007 continue to point to the fact that the web has become the main vector for malicious code propagation, as attackers continue to target the "weak spot" of traditional security solutions, such as antivirus and URL filtering.
Commercially driven hackers understand that signature-based solutions are not designed to counter code obfuscation, Web 2.0 platforms and technologies, and other dynamic attack vectors in today's web scenario. The only effective solution is real-time inspection technology to analyse each piece of code on the fly, regardless of its source.
● Yuval Ben-Itzhak is chief technology officer at security supplier Finjan. Examples of hacker techniques can be viewed at Finjan's Malicious Code Museum at Infosecurity Europe stand G252.