The pimply-faced hacker kid living in his parents’ basement, and spending his nights alternating between reruns of Star Trek and virus coding, has grown up. He’s now an accomplished programmer with expertise to sell. With that change have come new types of attacks. Worms and viruses, disruptive demonstrations of digital malice, have begun to fade as the big threat on the network, Stamp says, to be replaced by exploits that strike deep in the heart of the enterprise.
“We actually haven’t seen a lot of viruses for a few years,” Stamp says. “It seems that virus writers are turning their activities to much more nefarious ends.”
Stamp points to the strange and frankly chilling case of Michael and Ruth Haephrati, two Israeli programmers who allegedly maintained a thriving corporate espionage business. For US$4,000, their clients would get sophisticated targeted scanning software designed to fly under their competitors’ defences. The shockwaves from the Haephratis’ arrest last spring still reverberate. It showed that the game has changed.
“Now we’re seeing the use of designer malware, often targeting a specific company,” says Neel Mehta, team leader of Internet Security Systems’ X-Force research group in Atlanta. “It sounded like ghost stories a few years ago, but it’s real now.”
And it’s a real problem for network security. While most of the major operating system vendors have done a good job of securing the core – though that doesn’t mean there aren’t still vulnerabilities – attackers have begun to diversify into applications. “Browsers, instant messaging software, even anti-virus software,” Mehta says. “Anything that is widely-installed, and is likely to be installed on a machine is fair game.”
But the breadth of potential targets has been met with a new kind of focus. Attackers see ubiquitous software as a whole lot of open doors. As Yuval Ben-Itzak, chief technology officer of Finjan, a San Jose, Calif.-based security hardware vendor, wryly puts it, ubiquity equals temptation. “The e-crime industry says, if there’s a technology that is easy, free and everyone’s using it, then that’s the way threats will come in,” he says. “We saw it with e-mail, and we’re seeing it with the Web and other technologies.”
At the same time, attackers have answered that breadth of potential attack vectors by refining their attacks. Malware designed specifically for your particular open door is suddenly far more dangerous than the generic kind. Driven by the profit motive, the attacker who creates designer malware wields a weapon that is virtually invisible to conventional security technologies.
No defence available
“The problem is that conventional anti-virus and security technologies often have no defense against these threats,” Mehta says. “A system looking for signatures will have a lot of trouble identifying malware that has been tailored to a specific purpose.”
The targeted attacks usually come in through spear-phishing, a new twist on the old phishing scam in which the lure is aimed at a specific organization or person. As with regular phishing attacks, these have proliferated along with spam. Though it might seem like spam is on the wane, that’s only because filters have become better, according to Andy Kline, Threat Center manager at security system vendor SonicWall. In fact, it’s still coming, and the messages that do get through are getting nastier.
“I continue to be amazed by how fast attacks occur,” Kline says. “They change very quickly in terms of phishing and spam. It can be hard to keep up.”
And the content is getting harder for systems to recognize. There are all kinds of strategies to get spam past text recognition filters. Text can be entered vertically in the message source but laid out so that it displays horizontally, so the reader sees “Viagra” while the filter, scanning the source, sees only scattered letters. Or the text is embedded in an image that is changed frequently. “There are all sorts of tricks,” Kline says. “Someone has to sit down and think about that.”
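The vertical-text trick described above, as an added example that is not part of the original article: a small layout-aware normalizer, written in Python with only the standard library, that reads every table in an HTML message both row by row and column by column and checks each reading order against a blocked-term list. The sample message, the term list and all function names here are constructed for this example; the point it shows is that a scan of the raw source finds nothing while a scan of the rendered reading orders does.

```python
"""Layout-aware text normalization for HTML e-mail, as a defender's check.

Spam filters that only scan the raw source miss words whose letters are
spread across table cells so that they read correctly only once rendered.
This example (added here, not from the original article) rebuilds the
text in both reading orders of every table and flags blocked terms.
"""
from html.parser import HTMLParser
import re

# Constructed sample: the word from the article is never contiguous in
# the source; each letter sits in its own cell, one row per letter, so
# it reads correctly only down the first column.
VERTICAL_SAMPLE = """
<html><body>
<p>Special offer inside</p>
<table>
<tr><td>V</td><td>c</td></tr>
<tr><td>i</td><td>h</td></tr>
<tr><td>a</td><td>e</td></tr>
<tr><td>g</td><td>a</td></tr>
<tr><td>r</td><td>p</td></tr>
<tr><td>a</td><td>!</td></tr>
</table>
</body></html>
"""

BLOCKED_TERMS = ("viagra",)   # constructed, illustrative term list


class TableTextExtractor(HTMLParser):
    """Collects the plain text plus the cell grid of every <table>."""

    def __init__(self):
        super().__init__()
        self.text_chunks = []
        self.tables = []          # list of tables; each is a list of rows
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.tables.append([])
        elif tag == "tr" and self.tables:
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.tables[-1].append(self._row)
            self._row = None

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._cell is not None:
            self._cell.append(data)


def reading_orders(table):
    """Yield the table's text joined row by row, then column by column."""
    yield " ".join("".join(row) for row in table)
    width = max((len(r) for r in table), default=0)
    cols = []
    for c in range(width):
        cols.append("".join(row[c] for row in table if c < len(row)))
    yield " ".join(cols)


def normalize_views(html):
    """Return the flattened text view plus every table reading order."""
    p = TableTextExtractor()
    p.feed(html)
    views = [re.sub(r"\s+", " ", "".join(p.text_chunks)).strip()]
    for t in p.tables:
        views.extend(reading_orders(t))
    return views


def find_blocked(html, terms=BLOCKED_TERMS):
    """Return blocked terms found in any reading order (case-insensitive)."""
    hits = set()
    for view in normalize_views(html):
        low = view.lower()
        for term in terms:
            if term in low:
                hits.add(term)
    return sorted(hits)


def raw_source_hits(html, terms=BLOCKED_TERMS):
    """The naive check: look only at the unrendered source text."""
    low = html.lower()
    return sorted(t for t in terms if t in low)


if __name__ == "__main__":
    print("naive source scan:", raw_source_hits(VERTICAL_SAMPLE))  # []
    print("layout-aware scan:", find_blocked(VERTICAL_SAMPLE))     # ['viagra']
```

Reading both orientations costs almost nothing and covers the mirror-image trick as well (letters entered horizontally but rendered as a column); the image-based variant the article mentions needs OCR and is out of scope for a text normalizer like this one.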
Web-based malware scripts are often buried deep, blended in page code. “Nothing pops up and nothing alerts you, but something affects you,” Ben-Itzak says. “You just don’t know it.”
There’s an axiom in the security business that holds that the defences against network threats are always a step behind. It’s not so much that cyber criminals are so crafty as that you never really know what the next big threat will be until you see it.
Security technologies have continued to advance in promising directions. For example, Finjan’s Vital Security appliances are designed to look for malicious code that could be hidden deep in the text of a Web page. “Our appliance screens all Web traffic,” Ben-Itzak says. “The important thing is that it’s not just blocking malicious code . . . It can also recognize and strip out malicious content.”