Threat Evolution

They’re stronger, trickier, and more dangerous than ever. Beware of the next threat.


Take a trip back in time, just over a decade, and ask about “computer security”. The first word likely to have come from most people (well, most techies) would have been “firewall”. The image would have been that of the young Matthew Broderick hacking into a military computer and accidentally nearly setting off World War III. Sure, by the mid-1990s there had been a number of viruses, Trojans and even a few worms, but the image of the rogue hacker personified the threat landscape of the 1990s.

In 1999 the concept of the threat landscape changed, in part due to a young man’s obsession with an exotic dancer named Melissa. The mass-mailing macro virus David L. Smith wrote in her name shut down email systems around the world and briefly affected millions of people. Melissa was the first in a series of high-profile malware events that seemed on the verge of jeopardizing the future of the Internet itself. Coming at the height of the dot-com bubble, viruses and worms appeared to threaten our bright new cyber future. And the idea of the lone hacker? Well, it seemed quaint; in the parlance of the dot-com era, he didn’t scale. Worms clearly scaled.

Today, when asked about computer security, most people still think of mass email worms. In truth, fast-spreading worms continue to be a threat, and the advice most often repeated (don’t open a file attached to an email unless you know why it was sent to you) is still sound. But the emerging threats today aren’t viruses or even fast-spreading worms. Today’s largest threats are infected websites spreading a cocktail of attacks aimed either at fooling the user into clicking on something they shouldn’t, or at exploiting vulnerabilities that have not yet been patched (“zero-day” exploits). There is truth in the phrase, every click matters.

There has been no end of talk of Software-as-a-Service (SaaS), or even Security-as-a-Service, but the real growth has been in the delivery of Cybercrime-as-a-Service (CaaS). The point is that attackers are targeting websites instead of email. In 2008 alone, 12,885 site-specific vulnerabilities were identified, and 63 percent of the vulnerabilities documented by Symantec affected Web applications. Why attack websites? Simply put, a compromised website can be managed, monitored, updated and controlled at any time from any place, unlike your laptop. Better still, users go to websites all on their own: the cyber crook doesn’t have to be an expert in marketing, nor does he have to spend energy defeating email virus scanners, spam filters, and end users’ increasing skepticism of things delivered by email.

So the trend is towards web-based attacks. But how are users’ machines getting infected? Infections typically arrive in one of two ways: social engineering and “zero-day” exploits. By “social engineering” we mean that users are fooled into installing the software that infects them. The KoobFace worm, for example, tells users that they need to install a Flash update to view a video. Social networks such as Facebook and Twitter have become major conduits for KoobFace and similar attacks. Other common social engineering attacks are pop-up windows that falsely tell the user a security threat has been detected and offer software to “cure” the problem. Sometimes these fake security products are for sale; other times they steal identity information, or even encrypt the user’s data and extort the user into sending money.

Zero-day exploits are attacks on vulnerabilities for which the software vendor has not yet shipped a fix, or of which, in some cases, the vendor is not even aware. Though zero-day exploits can be aimed at flaws in operating systems, they are most commonly found in applications such as web browsers, file viewers and media players. The gap between when a vulnerability is found and when exploits start taking advantage of it has shrunk alarmingly. This reflects the increased sophistication and professionalism of cybercrime groups. Malicious hacking is no longer an amateur sport.

However, the big story behind today’s threat isn’t the specifics of how infections occur. The big story is the extraordinary growth in the amount of malware. Back in 2005 we knew of approximately 113,000 pieces of malware (viruses, Trojans and worms combined). In 2007 that number had grown to over 624,000. By the close of 2008 Symantec was tracking over 1.6 million distinct malware samples. At this rate, we will see over 15 million unique malware samples by the end of 2010.

Let me say that again: 15 million viruses! That is an incredible number, an unsustainable number. There simply is no way that the standard, signature-scanning model of virus detection can work in a world with tens of millions of viruses.

Symantec started working on this problem back in 2007, when the trend in new viruses became clear. The result was Norton™ Insight, a radical new approach to the malware threat. Rather than scanning tens of thousands of files for any of millions of viruses, Norton Insight looks at the likelihood that a particular file is malicious. This “likelihood”, or “reputation”, is determined both by an analysis of a file’s behavior and by examining how widely, and for how long, the file has been used and distributed across millions of computers.
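To make the reputation idea concrete, here is a small added example of how prevalence, age, publisher signature and observed behavior can be folded into one score that decides which files need a full signature scan. It is written for this page and is not Norton Insight’s actual scoring; the weights, thresholds, publisher allow-list and the four files of telemetry are all constructed for illustration.

```python
"""Toy file-reputation triage (added illustration, not a vendor algorithm).

Combines four signals into one score: how many machines report a file,
how long it has been in the wild, whether a known publisher signed it,
and what it has been seen doing at runtime.  Low-reputation files get the
expensive signature scan first; high-reputation files skip it.
"""
import math
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Hypothetical publisher allow-list (assumption for the example).
TRUSTED_SIGNERS = {"Example OS Vendor", "Example Corp"}

# Penalty per observed runtime behaviour (hypothetical weights).
RISKY_BEHAVIORS = {
    "autorun_persistence": 30,      # adds itself to a Run key or startup folder
    "process_injection": 40,        # writes into another process's memory
    "disables_security_tools": 50,  # stops or tampers with AV/firewall
}


@dataclass
class FileTelemetry:
    name: str                     # label for the example; real systems key on hash
    sha256: str
    machines_seen: int            # distinct endpoints that reported this hash
    first_seen: date              # earliest report across the install base
    signer: Optional[str] = None  # Authenticode publisher, if validly signed
    behaviors: set = field(default_factory=set)


def reputation_score(t: FileTelemetry, today: date) -> int:
    """Higher is more trustworthy; clamped to [-100, 100]."""
    score = 0
    # Prevalence on a log scale: 1 machine -> 0, 10 -> 10, 10k+ -> capped at 40.
    score += min(40, int(10 * math.log10(max(t.machines_seen, 1))))
    # Age: one point per week in the wild, capped at 30 (about seven months).
    score += min(30, max(0, (today - t.first_seen).days) // 7)
    # A valid signature from a known publisher is strong positive evidence.
    if t.signer in TRUSTED_SIGNERS:
        score += 30
    # Observed malicious-looking behaviour outweighs everything else.
    score -= sum(RISKY_BEHAVIORS.get(b, 0) for b in t.behaviors)
    return max(-100, min(100, score))


def triage(t: FileTelemetry, today: date) -> str:
    s = reputation_score(t, today)
    if s >= 70:
        return "trusted"      # widely used, old, signed: skip the signature scan
    if s <= 0:
        return "suspicious"   # rare, new, misbehaving: block pending analysis
    return "unknown"          # full signature and heuristic scan


def scan_order(files: List[FileTelemetry], today: date) -> List[str]:
    """Least-reputable files first, so a bounded scan budget hits the riskiest."""
    return [t.name for t in sorted(files, key=lambda t: reputation_score(t, today))]


# Fixed reference date and constructed telemetry so the results are reproducible.
TODAY = date(2009, 4, 1)
SAMPLE = [
    FileTelemetry("os_component.dll", "a1" * 32, 5_000_000, date(2008, 2, 1), "Example OS Vendor"),
    FileTelemetry("popular_tool.exe", "b2" * 32, 20_000, date(2009, 1, 1)),
    FileTelemetry("fresh_dropper.exe", "c3" * 32, 3, date(2009, 3, 31), None,
                  {"autorun_persistence", "process_injection"}),
    FileTelemetry("rare_updater.exe", "d4" * 32, 1, date(2009, 3, 30), "Example Corp"),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(f"{t.name:18} score={reputation_score(t, TODAY):5d} -> {triage(t, TODAY)}")
    print("scan order:", scan_order(SAMPLE, TODAY))
```

Note what the scoring does with the two hard cases: a brand-new file seen on a single machine is not condemned for rarity alone (the signed updater lands in "unknown" and gets scanned), while a rare, day-old file that installs persistence and injects into processes is pushed negative regardless of anything else. Prevalence and age only ever add trust, so an attacker cannot buy a good reputation by shipping a benign version first and swapping in a malicious one: the new binary has a new hash and starts from zero.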

While it is impossible to predict exactly how the Internet threat landscape will evolve, there are a few things we can predict. We know that criminals will continue to exploit vulnerabilities in applications; we simply don’t have the tools to produce invulnerable code. We know that attackers will continue to develop new tricks to get users to click on things they shouldn’t. We know that more non-Windows® threats will be found, especially Macintosh®-targeted attacks; the market is simply too rich for criminals to ignore. Most of all, we know that the future of cybercrime involves more: more scams, more infected websites, more viruses, more Trojans, more worms. This battle isn’t remotely close to being over.

Evolving Threat Landscape

Symantec Global Internet Security Threat Report: Trends for 2008, Volume XIV, April 2009