ECommerceTimes.com

Malware Purveyors Had Banner Year in '07


According to ESET's figures -- drawn out of a sample of 4,251.9 million e-mail messages monitored from Jan. 1 to Dec. 10 -- 33.8 million "carried malicious content such as a malware attachment or a link to a Web site containing malicious code." Data for ESET's annual review of e-mail-borne threats was gathered from consenting customers' systems using the information security provider's Virus Radar.



2007 turned out to be "one of the most remarkable years in the history of malware," according to the recently released "ESET Global Threat Report 2007."

The movement of new digital devices, social networking channels, operating systems and platforms into the mainstream is providing malware creators with a broader canvas on which to work. Yet relatively simple, time-tested and proven methods, such as e-mail spam, that rely on gulling users into downloading malware continue to produce returns for propagators. "It's worth remembering that many malware threats exploit the user, rather than a particular platform. Phishing, for instance, is not unique to a single operating system environment," ESET's research team notes in the report.

While malware has become more sophisticated, its nature has also changed. No longer the realm of the lone hacker out to make a name or strike out for a cause, malware has grown into an industry. Botnets can be rented out to conduct commercial spam mailings as well as illicit activities, including denial of service attacks and data and ID theft. Rather than looking to attract attention, malware creators and botnet operators are devoting more time and effort to disguising and defending their creations.

Global Threats 2007

Compiling a list of "the exact names of the most prominent threats is really an exercise in curiosity, not in practicality," ESET's director of technical education Randy Abrams told TechNewsWorld. "Bots and downloaders in general are the most nasty of the threats we face. These programs enable remote attackers to own all of the data on a computer and to use the computer as they choose. In a corporate environment a bot or a downloader Trojan on one PC can result in the loss of valuable data and other forms of corporate espionage."

The report also contains a month-by-month rundown of malware threats automatically detected by ESET's ThreatSense technology, particularly newly discovered threats identified using heuristic methods.

Six of ESET's top 10 e-mail-borne threats were detected using a heuristic technique. ESET has been at the forefront of security providers' efforts to develop and apply behavioral analysis and heuristic methods, which use statistical techniques to judge the likelihood that a given piece of software code contains malware.

Continuously refined, they are at the cutting edge of proactive threat detection, something that has become a necessity in today's networked world and an integral part of a layered defense against malware threats.

As traditional means of malware protection -- such as anti-virus solutions and personal firewalls -- are becoming increasingly ineffective and costly, vendors such as RSA are trying to take a new and different approach "by shifting the focus from the desktop to the communication paths of the malware and by protecting the data itself through encryption and leak detection. Instead of protecting the infrastructure (the PC, operating system, files, etc.) we are focused on protecting the information itself," added Uriel Maimon, senior researcher in the Office of the CTO at RSA, the security division of EMC (NYSE: EMC).

The Profit Motive

Eighty percent of all malware in 2007 were Trojans, according to Tom Bowers, senior security evangelist at Kaspersky Lab. "With the exception of the Storm Worm, few new groundbreaking Trojans appeared but thousands of variants were used. Even today the Viruslist released the latest Top 20 e-mail threats and we're still seeing multiple versions of Netsky which is a decade old."

The profit motive is inherent in ESET's Top 10 list of e-mail-borne threats, Abrams noted. "Stration, which appeared in one form or another in half of the top 10 entries of the top 10 e-mail-borne threats, is all about sending spam. This is entirely profit-driven. Netsky can be used for distributed denial of service attacks. Networks of computers capable of performing such attacks are often rented out for such purposes -- again, financial motivation. Nuwar, a.k.a. Storm Worm -- spam, stock manipulation, denial of service. Nuwar is the convenience store of malware for hire. Nothing about the Storm worm is free from financial motivation."

It's not the sophistication and quality of new malware that concerns Kaspersky Lab's Bowers most, but rather "the organization behind the malware." "The bottom line today is that malware authors are far more organized, and they are in it for the money. Both the motivation and the capabilities of these organized units are far greater today. This means that anywhere where there is the potential for access to personal information -- login credentials, account information, credit card information -- ... that's where these groups are going to head.

"Yesterday it was e-mail and IM, today it's social networking and gaming sites. Given the tens of millions of users in social networking and gaming sites, these areas make for very tempting targets for malware authors to exploit."

Given the enticement of large financial rewards, security specialists are seeing malware creators investing much more time and effort in disguising and defending their creations from removal, Abrams added. "Talk of boot sector rootkits and peer-to-peer encrypted communications channels is talk of the abuse of technologies used to defend malware from removal, not to make it more nasty. As a security industry, we have to anticipate that any and every useful technology will be abused in the effort to spread malware and maintain control of infected resources."

Prevention and Cure

As with health care or auto maintenance, an ounce of prevention is worth a pound of cure. It may well turn out to be a case of too little too late -- and will almost certainly cost more -- if you detect a serious malware threat after it has invaded your network and done its work. "Solutions are generally cheap, if you consider the cost of an anti-virus product compared to the cost of a compromised credit card or online bank account," maintained RSA's Maimon.

"Any IT organization has a cost calculation for what it takes to remediate a compromised system. This is a direct labor cost. On top of this is the lost productivity of the user while a device is offline. Potentially, there is also the cost of a serious breach resulting in theft of confidential data, which can create litigation costs, direct financial losses, or if serious enough, devaluation of the company," explained Lockdown Network's Dan Clark.

"The cost of prevention is typically measured by the cost/device of effective antivirus software, as well as a network access control (NAC) solution capable of identifying vulnerabilities on the network and forcing endpoints to comply with policy. Many NAC solutions don't cost much more per device than antivirus software."

"Prevention is the true measure of security. Identity theft, loss of reputation, loss of intellectual property and the other consequences the malicious nature of today's threats pose can no longer be cured. Putting a dollar figure on 'cure' is a useful exercise for budgets, but is not real. In many cases [remediation] is the best one can hope for," Abrams opined.

Anybody Got a Crystal Ball?

"Having worked in a large global enterprise, I know the differences to be substantial," Bowers added. "Imagine the deferred earnings cost of cutting off Internet access to your largest retail client for three days -- tens of millions -- versus the deployment of a security technology that would have prevented it completely for (US)$250,000."

"The Internet is littered with major corporations who've suffered 15 percent drops in market capitalization for several weeks or months due to a breach in security. What is 15 percent of the value of companies like DuPont, TJX and Ameritrade, as examples? Even more expensive, deployments such as encryption, digital rights management may cost $1 to $3 million for the largest enterprises, including solution purchase and deployment."

The conundrum for security specialists and organizations, however, is that it is virtually impossible to foresee exactly what to prevent until a new threat has been revealed. "To say that it is simply cheaper to prevent versus react to a security event is short-sighted, however," Bowers continued. "Security is a business risk function and as with any initiative within an enterprise the risk/rewards cycle is reviewed when deciding on which projects to approve.

"We do not have crystal balls with which to determine when our infrastructure will be compromised so we must use the best risk analysis we have and make the best decision we can with that information. Sometimes actual risk and perceived risk don't match up and enterprises are hacked. So while it is easy to say that prevention is far cheaper than reaction it is not always the best analysis."

"Advances in antivirus and spyware protection, IDS (intrusion detection systems), IPS (intrusion prevention systems) ... and network access control all provide new approaches to preventing, identifying and responding to different types of attacks," Clark added. "The best solution is to have a multi-tier defensive strategy that allows integration of data from different systems into a SIM (security information management) or NAC solution to coordinate an effective and timely response. No solution by itself solves all problems, so interoperability is a big deal."


More by Andrew K. Burger