[IP] Dave - a recent note on "silent epidemic"
Begin forwarded message:
From: Ken Kousky <kkousky@xxxxxxxxxx>
Date: September 21, 2006 7:10:35 PM GMT+02:00
To: dave@xxxxxxxxxx, ip@xxxxxxxxxxxxxx
Subject: Dave - a recent note on "silent epidemic"
Dave - our work on malicious code shows what PandaLabs calls "A Silent Epidemic". Thought this might be of interest to your list.
----------------------------------------
It's a Crime!
Over the past weeks, we've been exploring many of the most profound changes in information assurance and IT security. We try to blend our own survey work, an ongoing review of industry writings, the daily news, and input from all of you in government, industry, law enforcement and academia.

And the biggest issue is... Criminal Exploits.
This is far more profound than it sounds. It means the exploits will increasingly be more powerful and sophisticated while simultaneously being far less visible.
Vandals want to be noticed. They want the world to see their initials on the subway car or the side of the building. Worms and viruses of old were driven by "spray paint vandals".
That's no longer the case. Today's exploits are driven by a desire to make money or to do specific, purposeful damage. The goal is not simply to show that a worm can travel across the net and compromise 90% of the vulnerable machines in less than 10 minutes. That was already shown with the Sasser/Slammer/Blaster exploits three years ago. No, today's exploits target sites like the million-dollar homepage, which has repeatedly been attacked by extortionists who flood the site and shut it down if they don't get paid off. That's what the new exploits are all about.
PandaLabs' second quarter report documents the transition to more malicious exploits, but the fact that these exploits don't self-replicate and propagate as aggressively makes them less obvious. So, there is a tendency to assume things are getting better. They're not.
Financial Motive for Malware Shows No Signs of Slowing -
The trend of malware targeted for financial gain continues to grow, according to a recently released report by Panda Software. More than 54% of the new specimens detected by PandaLabs during the second quarter of 2006 were trojans, compared to 47% in Q1. Bots also became more prevalent, accounting for 16% of the total, which is an increase of 4% over the previous quarter. In all, nearly nine out of ten (88%) new malware in Q2 had cyber-crime potential. The full report can be downloaded for free at http://www.pandasoftware.com/pandalabsQ22006/.
Despite possible perceptions to the contrary, the quantity also continues to increase - Panda mentions that in the past year its labs have received more new malware versions than in all the previous years combined. "It is effectively a silent epidemic in that much of the code is designed to install and operate without showing any of the traditional symptoms of infection," states Ken Reynolds, Business Unit Manager for New Technologies at Panda Software. "This new dynamic makes signatures a less-effective form of protection in a real-time environment. Our software uses a combination of autonomous behavioral analysis and genetic scanning heuristics to achieve one of the highest rates in the industry for detecting previously unknown malware."
Another fallacy is that the bad guys aren't that smart. So, even though they're trying to make money, the good guys have them stopped. That's just not the case. In many Eastern bloc countries, university-educated developers have better income opportunities writing code for the bad guys rather than working for the good guys. A development firm we're working with in Romania explained that there is an entire underground market in exploit code. Indeed, last December's disclosure of the Microsoft WMF vulnerability was found only after a legitimate firm bought exploited code and reverse engineered it to learn how it compromised its victims. Crime pays. And if it pays more than we're spending on defenses, we're in trouble.
So, how do people take exploited code and put it to malicious work to generate income?
Here are the BIG BAD FIVE -
1) Botnets used for spam relays - classical use but still a viable business
2) Botnets used for DDOS extortion attacks - this is much bigger than anybody realizes since it's not in our neighborhood; most targeted sites are pornography and online gaming. Most of these target sites are working at the fringes of the law or at least of social acceptability. This has led to a situation where law enforcement ignores the problem. There are bigger, more legitimate crimes needing attention, but by ignoring these extortion gangs, the gangs get more powerful tools. It's really just like the street gangs that emerge in any community lacking adequate police protection and surveillance. Extortion and protection are profitable businesses in some areas of the net. The exploits and tools sometimes get out of hand. Michael Bloomberg, Mayor of New York, was actually the victim of an attempted DDoS extortion attack on Bloomberg's online financial services. Things can get out of hand quickly.
3) Botnets used for click fraud - this is a sleeper that is easily overlooked. But Google, Microsoft, Yahoo and others have little interest in cleaning up fraudulent clicks. So, if I can set up a site that hosts high-paying ads, cycle the ads through and use my zombie machines to click the ads, I can have thousands of unique IP addresses hit each successive ad and get paid by the likes of Google (who's already settled one suit for over $100m with advertisers based on this issue). Some industry experts suggest as much as 20% of all ad clicks on words priced over $2/click are fraudulent!
4) Theft of intellectual property - most likely the bulk of these exploits are commercial industrial espionage and will never be detected or reported - you'll just start seeing a smarter, more aggressive competitor. Losing deals is rarely associated with computer security, but last year's escapades in Israel demonstrated the extent to which well-established public companies are aggressively playing this game. More likely, the major way inside information is being monetized is through stock trading based on compromised information. The SEC has looked at the "leakage" problem for years. Large computer databases can tell who bought or sold the stock in large volume prior to critical news releases, but the SEC lacks the ability to tie these trades to ill-gained information.
5) Consumer exploits - identity theft, phishing and auction fraud are the final cluster. I lump these together since they are a unique class of exploits that are driven by the mechanisms used to convert the information systematically to cash.
Remember, the bad guys are increasingly organized and well-educated. They are working the fringes, where law enforcement isn't present. They're honing their skills.
The universal challenge we face is this - while there's a great deal of contradictory evidence on the magnitude of current exploits, they are there, and they are getting worse. Sounds like the meteorologists who tell us the conditions for serious hurricanes are worse than they have been for years, and these grave conditions will remain with us for several years to come. Do we have to have another Katrina to understand the risk conditions have changed? I've heard several experts say that without a major hurricane hitting land this year, we'll be back to fully developing coastland that is certain to be devastated again.
IP3 believes the growth in criminal activity is profoundly changing the risk conditions. Unlike the vandals who created worms with the goal of demonstrating their technical prowess, criminals usually have an economic goal. To attain this goal, they do not want to be discovered. Often, being discovered will likely prevent them from attaining their goals. The best crimes are going undetected.
Years ago, I heard Paul Judge of CipherTrust present an argument that the net would soon have so much spam and illicit mail that it made more sense to find the good mail than to filter the bad.
We may soon be looking at the same kind of traffic perspective. That's what NAC (Network Access Control) is really about.
There are numerous means of making money maliciously on the net. Unfortunately, most of these (means) go either undetected or at least draw minimal attention from law enforcement.
Spam relays are an obvious example. They are not the only opportunity for commercial exploits. Botnets are frequently used as attack agents in the distributed denial of service attacks (DDOS).
Certainly a botnet can be leveraged and sold simply as a mechanism for distributing junk mail. But there are many other clever uses of a network of compromised machines. We usually hear these networks referred to as botnets.
Botnets are frequently used as attack agents in the distributed denial of service attacks as well. Crime pays. Botnets are as hot as the market for handguns, and soon we might even have a National Botnet Association protecting the rights of bot herders.
Stay safe - more on botnets next week.
Ken Kousky, CEO
IP3 Inc
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/