By Jack M. Germain TechNewsWorld Part of the ECT News Network
06/04/04 8:50 AM PT
Security experts are warning that malware attacks will pose a greater threat over the next three years than direct hacker attacks. The British mi2g Intelligence Unit claimed this week that the malware risk has risen from 1 in 40 last year to about 3 in 10 for 2004. This reflects a jump from 2.5 percent to 30 percent risk.
May was the fifth worst month on record in terms of malware proliferation and is estimated to have caused between US$16.2 billion and $19.8 billion of economic damage worldwide. Much of that damage increase was caused by the Sasser outbreak and other associated variants, according to the mi2g Intelligence Unit.
Malware is a category of rogue computer code that infects computers and networks. It includes attacks by viruses, worms and Trojans. The Intelligence Unit said the heightened threat level portends catastrophic damage, defining "catastrophic" as causing global damages in excess of $100 billion from a chain of combined events.
Meanwhile, a separate class of malware, known as spyware, is raising the risk of privacy attacks to alarming levels. Spyware is rogue program code that installs itself -- without the knowledge or consent of the computer user -- and then reports personal information and Internet activity to the attacker.
"It's definitely true that spyware and adware programs are causing increasing trouble. In the wrong hands, it can become deadly," Peter Jaffee, counsel to the Senate Judiciary Committee focusing on technology, biotechnology and constitutional issues, told TechNewsWorld. Spyware distributed by two of the leading vendors has infected 70 million computers, he said.
Malware Gaining the Upper Hand
The number of manual and semiautomatic hacking attacks in May totaled 18,847. These attacks were against online servers worldwide, according to the mi2g Intelligence Unit. Compared with each of the three previous months, the figures show signs of stabilizing.
Using present rates, mi2g said the projected number of overt digital attacks carried out by hackers against online servers this year will be just 2 percent more than last year and will stand at around 220,000. If this trend continues, it will mark the slowest growth rate for manual and semiautomatic hacking attacks against online servers, according to records that date back to 1995. This confirms that the dominant threat to the global digital ecosystem is malware as opposed to direct hacking attacks, said mi2g.
By comparison, the worst months on record for malware proliferation and associated economic damage were February ($63 billion), March ($47 billion) and January ($33 billion) of this year, followed by August ($30 billion) of last year. Each month highlights the outbreak of one or two major malware families and suggests that, by 2007, the global digital ecosystem will suffer a catastrophic automated digital malware attack with attendant damages in excess of $100 billion, according to the British security unit.
"It is clear that manual and semiautomatic hacking is no longer the biggest threat, as it was two years ago. The escalation in digital risk fallout is coming from automated malware agents distributed through e-mail spam, viruses and worms that transmit swiftly over the digital ecosystem and convert millions of computers to zombies for nefarious purposes," said DK Matai, executive chairman of mi2g. "The frequency of the patching upgrades cannot thwart this threat completely, because this regime is too complex for the average user to carry out and the software vendors know it."
Matai said the future lies in offering computer solutions that are simple, with limited functionality that does not allow malware to execute.
Spyware Becoming Malware King
Edward English, CEO of InterMute, which makes SpySubtract, Spam Subtract and AdSubtract, agrees with projections that show hacker-based attacks waning in the shadow of malware. "Certainly, we don't hear as much about hack attacks," he said. "What does a hacker do? He tries to gain control of your computer or get personal or confidential information off of your computer. With spyware, the hack is essentially not needed. The aliens have already landed."
English said the real threat of spyware is its unpredictability. "Once spyware is running on a machine, it can pretty much gather and transmit whatever data it wants. And if spyware was designed to launch a coordinated denial-of-service attack, it would be trivial to do so. Software spyware can do anything once it is on your machine and running. Hackers really don't need to work so hard anymore," he said.
According to English, it is only logical that we will see devious behaviors traditionally associated with "hackers" being performed by less onerous, newer methods like spyware.
"It is so easy for companies, tricksters and deviants to get spyware planted on a PC. Just post it on a download site and call it 'freeware.' People will download and install it. There are millions of naive users out there installing 'free' spyware daily," English said, calling spyware a national security concern.
"The ability to create a massive army of spyware drones or sleeper cells is very real, not science fiction. The creator of a popular spyware application could remotely signal millions of computers to do its bidding, whatever that may be, such as launching DoS attacks. This isn't rocket science," he said.
He added that he expects to see a new wave of attacks on the Internet and attacks on certain marquee companies implemented via spyware.
Malware Victimizes Unaware Users
What worries Louis Cheng, spokesperson for Finjan Software security products, is how easily uninformed computer users become victims of spyware and other malware products. With the increase in threat levels, more damage will occur.
"There is certainly an upward trend in the frequency of malware traveling on the Internet today compared to that of a year or two ago, and we believe the trend will only continue," said Cheng. "Unlike hacking to gain access to a network, introducing malware into the Internet introduces threats that often target the lowest common denominator -- the individual computer user who may not be very security conscious."
Cheng said the increased malware attacks are an indirect way for hackers to gain access to a network as opposed to direct hacking. Just one computer on the network infected by a virus, worm, Trojan horse or other malicious code can open the backdoor for a hacker to gain access to confidential information on the rest of the network.
Spyware is not a new technology, but just the latest tactic hackers use to gain access to confidential information. Malicious spyware can introduce key-logging programs onto a computer to record a user's keystrokes and enable a hacker to steal usernames and passwords. With this data in hand, a remote hacker can gain full rights and access to a network as if the hacker were a legitimate member of the organization, said Cheng.
Blind and Off-Target Malware
Michael Hrabik, CTO of network and systems security solutions firm Solutionary, agrees that smaller users are more susceptible to attack because they lack the resources available to large corporations. He said many malware attacks are done blindly and are off-target. Like a shotgun blast, the attack is launched to see what gets through.
There is no doubt that malware attacks are surging, he said. "We are seeing a lot more of the sweeping attacks. We are also seeing more and more noise on the Internet eating up more bandwidth."
Attorney Peter Jaffee of Gibson Dunn & Crutcher LLP's Washington, D.C., office said "drive-by downloads" are a major source of spyware infections. These occur when computer users visit Web sites and programs are automatically downloaded and installed without the users' consent.
Jaffee said his firm recently conducted a survey of computer users and companies found to have spyware infections. The survey showed that 63.7 percent of the respondents said they didn't consent to have the software program installed.
"Spyware is the perfect way to steal data the computer user thinks is protected and encrypted," said Jaffee. "Nothing is really secure anymore."