Web Users in Malware Crosshairs

April 9, 2008 – 6:50 PM

Online malware attacks are becoming more pervasive, targeted, and refined as the underground threat economy continues to evolve and take on the characteristics of an organized industry.

The latest iteration of Symantec’s Internet Security Threat Report — covering its research over the final six months of calendar 2007 and released on Tuesday at the ongoing RSA Conference 2008 in San Francisco — finds that malware authors and the ecosystem of constituencies supporting cyber-crime are advancing the sophistication of their efforts at a staggeringly expeditious pace.

From the groups of exploit developers marketing malware toolkits to aspiring attackers to the people buying and selling stolen credentials, the entire landscape of electronic crime is taking off and increasingly resembles the security software community that is working to thwart it, Symantec researchers said.

In his keynote address at the RSA show, Symantec Chief Executive John Thompson reported that there is now more malicious code being created worldwide than there is legitimate software.

The trend is changing both the way that people view IT security in general — and the manner in which companies like Symantec will need to rethink their anti-malware strategies, the executive said.

“If the growth of malicious software continues to outpace the growth of legitimate software, techniques like white-listing will become much more critical,” Thompson said. “Identity management will only grow in importance and will need to expand beyond the enterprise environment — into consumers. And this is not an easy problem for law enforcement — the criminals themselves could be anywhere on the planet.”

That reality and the widespread availability of exploitable software and Web sites are making it such that industrious criminals are making a great deal of money and rapidly expanding the scope and professionalism of their operations, said Alfred Huger, vice president of Symantec’s Security Response research group.

“Virus writers’ professionalism has been advancing for years, but the sheer volume of attacks that we’re seeing right now is amazing; of all the Web-based attacks that we’ve ever seen, a full two-thirds of those threats were created in 2007,” Huger said.

“Without question there are far more people working on the criminal side, and automation plays a big role, but the different attack iterations that we’re finding aren’t just altering minor pieces of the malware code anymore,” he said. “They’re adding whole new features, using customer feedback to improve their functionality, and it’s very clear that they are being created in a far more organized fashion.”

Huger said that while malware development has traditionally flourished in areas of the world where levels of technical skill are high and legitimate job opportunities are scarce — including China, Russia, and areas of Eastern Europe and Latin America — larger numbers of people are likely choosing to get involved in cyber-crime today because it pays so handsomely.

Symantec itself hires workers in all of those areas of the globe, and there are often well-salaried positions available for developers with the level of coding skill that the security company is observing in the attacks coming out of the regions, Huger said.

However, the biggest catalyst to the advancement of the underground economy remains the ubiquitous nature of software vulnerabilities, allowing hackers to take over legitimate Web sites and online applications to deliver their attacks to unsuspecting users, Huger said.

Symantec is increasingly seeing those types of threats — most notably cross-site scripting attacks — outpace the creation of more traditional e-mail based exploits. During the last six months of 2007, Symantec tracked a total of 11,253 site-specific cross-site scripting vulnerabilities, far more than the than the 2,134 traditional vulnerabilities documented by the company during the same timeframe.

And of those cross-site scripting vulnerabilities, only 473 had been patched by administrators of the affected Web sites before the end of the year. Of the 6,961 site-specific vulnerabilities reported by Symantec for the first six months of 2007, only 330 have been fixed thus far.

Even in the cases where site administrators are able to fix the vulnerabilities, Huger said, they are typically slow to do so. However, during the second half of 2007, the average patch development time was 52 days, down from an average of 57 days in the first half of 2007.

Among the most commonly-exploited Web-oriented technologies were browser plug-ins, particularly those using ActiveX. Over the second half of 2007, Symantec documented 239 browser plug-in vulnerabilities, compared to 237 during the first six months of the year. During the second half of 2007, 79 percent of those vulnerabilities affected ActiveX components, compared to 89 percent in the first half.

As long as such vulnerabilities continue to make it possible for legitimate sites to get hacked, the only solution for the problem will be technological means by which sites themselves and their users can somehow authenticate each other, Huger said.

“At the end of the day, we’ll never be able to drive out all vulnerabilities, so we need software that tells us that the site we’re visiting is the site we really want, or that the e-mail we receive is from a trusted source,” said the expert. “The criminals have elevated their work to the level where it’s nearly impossible to discern something like a targeted phishing attack merely using the human eye, and they are only going to become even more creative is using social engineering to trick people into falling for their attacks.”

Source: PC World