A New Era of Internet Threats Looms

Internet security firms are gearing up for an onslaught of new attacks that hackers will hurl at inboxes and Web sites.

As the computer industry awaits the release of Service Pack 2 of Microsoft’s Windows XP — which will feature improved security capabilities — hackers are waiting too. They have spent the last 12 months mastering mobile attack techniques and an arsenal of devastating weapons that might make Windows XP SP2 even more vulnerable than the old Windows 98.

“The last few months have seen a series of new-age attacks,” according to Itzy Sabo, vice president of product management at the security firm Finjan Software. Finjan and other companies such as Symantec and Trend Micro are rising to meet the challenge with a new generation of security software.

A New Era of Attacks

In the earlier age of virus attacks, computer users had to interact with the vehicle of infection to activate the virus. Those old techniques relied on the ignorance of end-users, who would often open a malicious attachments or accept an malformed ActiveX control or an invalid Secure Sockets Layer (SSL) certificate and thereby infect their machines or those on their networks.

In today’s world, the end user doesn’t have to do anything wrong, Finjan Software’s Sabo said during a recent seminar called “New-Era Internet Threats.”

The Scob worm attacks of this past June could give a hint of what’s to come, Sabo said in the seminar. The Scob worm allows an attacker to install a key-logging program to record the user’s private information, including user names, passwords and credit card numbers.

The Scob worm is the first attack in which hackers use a mix of mobile application techniques — including VBScript, JavaScript and ActiveX — to create a blended Web-based attack that can manifest across standard Web protocols like HTTP.

The attack is based on the execution of a series of mobile code scripts that infect Web servers and spread by way of users who visit those servers. Visitors to the Web site unknowingly download the Scob virus and thus participate in the propagation.

This is a very complex attack that none of the traditional security products were easily able to detect and combat. The virus operated as a VBScript utility, which targeted Microsoft IIS servers and appends a malicious JavaScript to Web pages in the compromised Web server.

Blocking the New Attacks

Most antivirus software uses what is known as “signature-based” technology, which searches for files or packets that contain the distinctive traces of known viruses.

By contrast, some of the cutting-edge security technology emerging today uses “behavior-based” tactics that search out files or packets that show signs of suspicious activities. Suspicious activity could entail a small, rogue application opening an e-mail address book and sending mail to every address in it.

“The real problem is being able to block viruses,” Sabo said. “Patch propagation takes time, so antivirus programs are the only defense for most people.” Given the new generation of viruses, however, the older methods can no longer protect corporate networks or individual computers.

“Traditional antivirus programs can’t defend against malicious scripts that are not referenced in the signature database,” Sabo said, pointing out that firewalls fall short as a complete defense for similar reasons. “Firewalls deal with packets of data. They cannot see what a Web page is doing.”

Hacker-Antivirus Race

“When a new vulnerability is released, there is a race between hackers and the antivirus companies,” Sabo told the Finjan seminar audience. The computer user is very much at risk of infection during the first critical hours or days after a virus is released. Blended attacks pose more than one level of threat, so just disabling ActiveX controls using Internet Explorer’s settings is futile. Disabling ActiveX controls can cause additional trouble anyway because so many applications rely on ActiveX controls to work properly.

Antivirus programs that are good at catching known attacks should constitute the first line of defense. “We then analyze what gets through because it isn’t yet referenced in the signature database of the antivirus program,” Sabo said.

Finjan’s new defense system, known as Vital Security, is an integrated suite that includes URL filtering, spam control, content filtering and SSL scanning. It examines mobile code, scripts, processes and various applications by analyzing and monitoring the behavior of active content using a technology called “sand-boxing.”

A Better Mousetrap

Finjan officials stressed that the Internet threat is very real. Because e-mailfiltering is stopping almost all traditional attacks, hackers are now looking for new delivery methods.

Hackers seem to have found the answer, and it is the Internet. These new viruses are so dangerous because they do not require users to do anything to get the virus.

Only behavior-blocking software can repel these new kinds of attacks. Currently, consumers are at a distinct disadvantage because of the way the most popular operating systems are built. As the war escalates, however, it’s certain that more antivirus companies, like Finjan, will incorporate behavior-blocking technology into their software.