More than ever before, the threat of malware continued to hang over the heads of enterprise executives in 2007. Further proliferation is also a frightening possibility for 2008, according to some industry participants.
Malware is software designed to damage or infiltrate an operating system without the owner’s authorization, and includes computer viruses, Trojan horses, certain types of adware, spyware and other malicious software. Unlike problem-causing software bugs that are flaws in a computer program, malware is designed with the specific intent of causing detriment to the intended victims.
In Canada, the recent arrests of Quebec-based hackers running more than one million botnets, is a grim reminder that businesses should never keep their guard down.
According to Fortinet, a global provider of unified threat management security systems, mass mailers accounted for many of the top 10 malware threats last December, with ‘Netsky!similar’ topping the list at 11.05 per cent of all reported incidences during the month. ‘Iframe_CID!exploit’ came in second at 8.47 per cent, while the ‘Istbar.PK!tr.dldr’ Trojan made it to the list at 1.93 per cent.
As anti-malware tools became more effective, malware authors responded with more sophisticated attacks. ‘Selfdefending malware’ first appeared last year in the form of Storm Botnet. IronPort Systems, a Cisco business unit, said that when researchers or security vendors try to investigate a Storm-infected web server, the malware will fight back with a distributed denial-of-service attack and relocate the web server.
Global data security company F-Secure, conducted a worldwide survey in the second half of last year to assess 2007’s data security situation.
The survey results were chilling. Some 250,000 different types of malware, including new ones and variants, were found in 2007, the same total from the previous 20 years.
“The numbers were staggering because the bad guys were making money trading viruses,” said Patrik Runald, F-Secure’s senior security specialist. “Just like any other business, they want to improve and constantly evolve.”
Multiple malwares dailyImproved detection abilities of anti-malware software also account for the higher statistics, Runald said. “Malware authors are not necessarily releasing anything groundbreaking. It might simply be a new variant to avoid detection from signature-based anti-virus products. They can even release multiple malwares a day, depending on who they think they’re fighting.”
Runald said Storm Botnet was the top malware threat last year. “A conventional botnet has a central server in the network and all infected computers connect to this server to receive commands on what to do. By identifying the central server, IT security staff may shut down the botnet.”
However, Storm Botnet is different because it uses peer-to-peer technology without a central server. “Anything within the network can be the controlling mechanism and it can change at any point in time. Hence, efforts to shut Storm down have not been completely successful,” he added.
Runald recommended that enterprises use latest technology security products to minimize the risk of Storm infections. “Our integrated solution still checks for known virus signatures. But if it detects an unknown signature, we run it through what we call behavioral-based technology.”
Behavioral-based technology proactively looks out for bad file behaviors such as unauthorized system modifications or website downloads. Based on that, the technology blocks the file without knowing exactly what it is, he explained.
“Phishing that targets online banking services is another major threat, especially in Asia,” Runald warned. For example, the victim receives an e-mail claiming suspicious activity is detected on his account. He is then prompted to click on a link to an authentic-looking but fake website and log-in to verify personal details. Consequently, his password is stolen.
With users becoming more aware of this threat and hence prudent in clicking on links, malware authors have engineered ‘Banking Trojans’, Runald warned. Instead of prompting for user names and passwords, the malware attaches to the victim’s web browser and waits for him to log into the authentic online banking system. Once that happens, the victim’s password may be stolen even if he takes basic precautionary measures.
While social engineering is “very tricky” and “extremely difficult” to protect against, all is not lost, according to Runald. “As banking Trojans attempt to plug into the browser and steal information, behavioral-based technology can recognize the bad behavior and block it.”
He advised administrators not to add new features to their websites until existing ones are safe for use, which would minimize the risk of compromise. Additionally, websites should be analyzed for potential vulnerabilities to ensure users’ security.
Hacking for money
While acknowledging internal data breach as “an area of concern”, he said that malicious hackers might pose a greater threat to enterprises. “Five years ago, people were hacking into systems for fun. Today they’re doing it for money.”
Runald warned that after making money, the perpetrators have more resources to “get better at their craft”, or even set up a company that hires other malware authors.
Old school security threats are also back in style according to another report.
He highlighted the importance of continuous IT security education for all employees to minimize the risk of data breaches arising from staff negligence. “It’s not enough to have a one-off IT security session when people join the company because they may forget. Continuous education is crucial because threats are always evolving or changing.”
But as the saying goes, it takes two hands to clap. “Enterprises should enable employees to help by ensuring they are aware of the threats and feel as part of the solution, not just part of the problem,” Runald said.
He noted that there is some risk in using Web 2.0 services. “I know a company that uses Facebook to create a better social experience among employees. This gives away part of the responsibility of securing company information to the service provider because things are happening on a server somewhere.”
Runald does not foresee any significant change to the type of security threats in 2008, but expects a continued jump in incidences. Websense researchers share a similar view, predicting the possibility of large scale denial-of-service attacks on Beijing 2008 Olympic-related websites as political statements, and phishing attempts to exploit the event.
Customized security training
Runald recommended that IT security training should be customized according to the company’s identity, workflow, collaborative arrangements with the IT department and targeted trainees.
The IT department should also play a supportive role in the training. “I think the IT team knows the internal system better, but it shouldn’t be technical training. It should focus on IT policies, guarding against social engineering tricks and making everyone feel involved in security,” he said. “Case studies would be great.”