Tights and skinny jeans may be back in style, but so are security threats of yesteryear.
A decade ago, a Master Boot Record (MBR) virus could take down your computer. Now, hackers are applying the latest in malware – such as rootkits – to these oldies-but-goodies hacker techniques.
Managed security services provider MX Logic has seen a resurfacing of older attack methods, or legacy threats, over the last couple of months, but where the hacker has used a new approach.
Last summer, we started to see an increase in PDF spam, where spam was being embedded in PDF documents.
When that went off the radar, we started to see a resurgence of “old school” spam tactics, moving away from PDFs and images and back to text-based spam – but with different permutations to try to fool spam filters.
Now we’re also starting to see a move into a next phase of malware, where the level of stealth is increasing.
And that’s when MX Logic started to see MBR rootkits and drive-by pharming, said Sam Masiello, director of threat management at MX Logic, which delivers managed security solutions “in the cloud” to small, medium and large businesses.
MBR viruses used to be fairly popular 10 years ago, when viruses were intended to be more destructive in nature. Over time, he said, we’ve moved past that destructive model, because if a hacker takes down your computer, he can’t use that computer to make money.
Over the past couple of years we’ve seen a movement toward rootkits.
A rootkit latches itself onto the operating system in such a way that even if you remove the malware, you still have that rootkit, so hackers can still use it for other purposes (like installing new malware).
“They still have those hooks in your computer,” said Masiello. “They’re starting to take these rootkits to the next level and install them into the MBR. That moves the rootkits outside of the operating system to make them a lot more difficult to detect and more difficult to clean.”
Drive-by pharming is another twist on an older hacker technique. In the past, hackers would poison your DNS, so if you tried to go to your bank Web site, for example, it would redirect you toward a malicious bank Web site.
But today there are a lot of effective tools that exist for Windows to help monitor the modification of certain files.
What drive-by pharming does instead is affect a user’s router. “It’s a compromise of these cable DSL routers,” said Masiello. If the user never changes the default password on the cable DSL router, the hacker is able to access the router remotely, using the default password, and change the DNS setting.
That means the router is using a malicious DNS server to route you to potentially malicious Web sites – and you don’t even have to do anything to get infected. In this scenario, it’s critical that small or home-based businesses change the default password on their routers, he said.
These two incidents exemplify a trend where hackers use established techniques, but combine them with unknown infiltration tactics that are more stealthy than any malware previously recorded.
“I think these are more proof-of-concept attacks,” said Masiello. “But from the standpoint of attackers moving their tactics into more stealthy avenues, this is definitely the next evolution of that process.”
A layered in-depth solution is typically recommended, he said, which could include managed security, but also additional protections such as desktop anti-virus, corporate firewalls that monitor inbound and outbound traffic and intrusion detection on the network.
“What’s old is new again,” said Dave Senf, director of research for Canadian security and infrastructure software with IDC Canada. There’s a given set of assets that an attacker wants to go after – customer data, intellectual property and money. And that doesn’t change.
We’re seeing all sorts of new attacks, but they’re based on old methods of exploiting vulnerabilities. Now, however, those old methods are combined with new methods, such as a boot sector virus combined with a rootkit.
“Social engineering is as old as time itself,” said Senf. “Someone tries to dupe someone into doing something. It’s morphed so now we have phishing attacks in addition to calling someone up and trying to get their username and password out of them.”
Hackers might not be more inventive, but they’re more innovative.
Nothing entirely goes out of style, said Eric Skinner, chief technology officer at Entrust, a security vendor that provides authentication, encryption and layered security solutions.
“You’re just combining old techniques with new techniques,” he said. “You’re protecting against the virus signature or you’re protecting against the particular way that somebody was able to get at your valuable assets the first time around.”
We now have operating systems that patch against front-door attacks, but somebody might find a way to get around that. Instant messaging viruses, for example, popped up after the other methods of getting viruses into an organization were better understood.
So there’s no single layer of defense. “Make sure that not only do you have redundancy and backups, but you also try to protect the data that might get targeted,” said Skinner.
While the types of breaches may be recurring – and we could see more legacy threats – the targets are changing because information is more valuable than it used to be.
“We see a lot more keyloggers than we used to because people do more things online now,” he said. “So getting somebody’s password is more interesting today than it was five or 10 years ago when you got their AOL password. The targets become juicier over time.”
