Printer Friendly

2006 annual threat round-up and 2007 forecast: a special report by Trend Micro- December 2006 David Sancho, threat specialist Jamz Yaneza, senior threat researcher.

All data provided in this report was gathered from TrendLabs--Trend Micro's global threat research and support organization that provides customers with 24x7 response to the latest threats--as well as from Trend Micro's Network Security Services. With more than 800 security experts around the globe, TrendLabs operates in 15 locations including Germany, Japan, the Philippines, and the United States and collects approximately 1.5 billion spam emails daily from over 3000 business customers. They also collects IP addresses and stores 50 million spam emails per day for forensic activities.

Upon review of the malware threats that occurred in 2006, two trends are very clear:

* The nature of threats is changing from widespread to targeted and regional and in addition to email and messaging threats, the web is emerging as powerful threat vector. Trend Micro also sees the blending of email and web threats to create both harmful and viral threats, as well as the use of blended threats, multiple pieces of malware working together.

* Malware creators have an ever increasing and technologically sophisticated tool set at their disposal, comprised of bots and botnets, rootkits, social engineering, spyware and adware. They are motivated more than ever by financial gain and are creating underground economies specifically for creating malware, crimeware and spyware/adware. Many come from Eastern Europe and Asia. Rather than create malware that deletes files and decimates PCs, they are creating malware that surreptitiously resides on PCs waiting to be called into action by a botmaster or the right moment to steal personal information, They continue to create malware that is more likely to evade detection, like image spam--spam emails containing images rather than text. This threat roundup and forecast analyzes the threat activity that has occurred in 2006, and offers recommendations to businesses and consumers alike for being prepared in 2007.

Malware Trends in 2006

Digital threats to information never cease. Since Trend Micro's 2005 Annual Roundup and 2006 Forecast was issued in December 2005, an average of 1.4 million threats have been recorded each month, (Figure 1).

The Return of Malware-Related Threats

2006 has shown a dramatic return to malware-related threats. Additionally, crimeware related Trojans have gained notable prominence. Of the top 20 threats in 2006 (Figure 2), 80% specifically involved viruses and worms. The specifics of each are discussed below.

WORM_NYXEM

The major virus concern of 2006 occurred in January, with the rampant propagation of WORM_NYXEM variants (initially detected as WORM_GREW). This worm had a programmatic timer that activated every third of the month and deleted common Microsoft Office documents and archives. It was also very effective in dropping copies of itself on shared directories and drives, as well as deleting the auto-start entries of antivirus and security products from the Microsoft Windows registry. The successful and continued propagation of NYXEM variants is attributed to its sex-oriented social engineering, using provocative e-mail subject and message lines promising video clip and images. While this technique is somewhat dated (since W97M_MELISSA in 1999), it has successfully been reused for many of the large outbreaks over the past six years.
Figure 2. Top 20 Threats of 2006. Numbers culled from 3.2 million
unique reports.

 Top-20 Threats Reports

 WORM_NYXEM.E 571,291

 TROJ_Generic 569,845

 HTML_NETSKY.P 386,943

WORM_NETSKY.DAM 242,609

 PE_PARITE.A 235,476

SPYW_DASHBAR.300 234,565

 SPYW_GATOR.F 216,291

 WORM_MOFEI.B 191,205

 WORM_NETSKY.P 175,084

 JAVA_BYTEVER.A 167,738

 EXPL_WMF.GEN 143,848

ADW_WEBSEARCH.K 142,994

 WORM_ANIG.A 137,490

PE_FUNLOVE.4099 122,096

 WORM_NETSKY.D 118,168

WORM_RONTKBR.GEN 115,849

WORM_RONTOKBRO.B 111,016

 TROJ_ROOTKIT.E 107,915

 BKDR_Generic 95,668

 ADW_SLAGENT.A 95,067


Trend Micro uses heuristic techniques to immediately identify many of the newer threats, particularly crimeware-related spyware and keyloggers, such as those targeting bank and online gaming accounts. Users with gateway implementations of content filtering now have better protection as a result.

WORM_NETSTKY

While the WORM_NYXEM variants outnumber the WORM_NETSTKY variants, the collective infections of the NETSKY family trumps that of NYXEM by more than 50%. Damaged versions of NETSKY attachments are also reported as representing one-third of all family-related infections, and are usually either a result of improper cleaning at the gateway or of corruptions as the attachment is relayed from various email servers.

WORM_MOFEI.B

WORM_MOFEI.B is a traditional network worm without email propagation capability. Variants of this worm use brute-force techniques to log into systems and install themselves as backdoors. MOFEI's functional features include full control over affected systems, such as the ability to run applications and modify data. It is also interesting to note that MOFEI falsely creates administrator-level accounts related to the Windows Terminal Services, but uses common ports 135 and 139, which are usually associated with Remote Commander.

PE_FUNLOVE.4099

First detected in November 1999, PE_FUNLOVE.4099 is the oldest file infector to appear in the top 20 threats of 2006. This threat also acted as a network worm and thus could propagate more easily, since network shares have historically proven to be the most effective threat vector. The PE_FUNLOVE.4099 infector also dropped viral code and patched the files NTLdr and NTOSKml.exe--enabling it to bypass both the Microsoft Windows file-integrity checking for the NT Boot Loader Kernel, and the integrity checking of infected Windows files. Thus, via a pseudo- kernel- mode rookit function, this malware was able to defeat the existing security implementation available to protect Windows users from viruses, and has continued to be active for more than five years. Due to its complex infection routine, FUNLOVE has been used as a payload by both WORM_BRAID and WORM_WINEVAR; and, in a recent discovery of double infections, by piggy-backing on the WORM_BAGLE.H variant, which resulted in a new family called WORM_FUNBAG, initially detected in March 2004.

PE_PARITE.A

PE_PARITE.A, the second oldest threat on the list, was first discovered in January 2001 but has proven to be surprisingly tenacious, despite many contemporary security solutions. It injects its code as part of the Windows Explorer.exe file, thereby making itself part of every normal operation. This is a prime example of a pseudo-user-mode rootkit. By affecting how Explorer.exe works, PARITE gains pre-control over processes and quickly infects other executables (*.EXE) as well as screen-savers (*.SCR).

It is also notable that WORM_BRONTOK and WORM_RONTOKBR variants specifically target Indonesian-speaking individuals. This is evident in its spammed e-mail subject lines and content. This parasitic threat actively monitors the Windows registry and prevents removal attempts or installation of antivirus and security products by automatically forcing a reboot.

Exploits account for 10% of threats propagating in the wild. It is their unhindered execution value, combined with various malware and grayware, that make exploits popular tools in the information thief's arsenal. Holes in the Microsoft Java Virtual Machine and its use of ActiveX relate to MS00-0075 and MS03-011; improper MIMEtype header handling is related to MS01-020. Although more related in effect to web pages, the ability of many email applications to send and receive HTML-formatted messages allows the opportunity to embed exploit code and thus auto-run attachments without user intervention. Many of the items listed in the threat list also use the autoattachment execution exploit to propagate themselves including PE_CHIR, VBS_REDLOF, WORM_NETSKY, and WORM_TRAXG.

Money Still The Main Driver For Malware Authors

In 2006, the overwhelming majority of malware attacks was driven by financial theft, and employed such tactics as password stealing, keylogging, and other related activities.

Trend Micro and other industry analysts refer to this type of threat as crimeware--the fastest-growing threat in the malware category. All crimeware--from TSPY_BANCOS, which steals passwords, to TROJ_YABE, which attacks eBay users--follows three typical paths to their payloads: identity theft, extortion, and/or espionage.

Once these efforts are successful, crimeware employs a variety of methods for actually stealing money--such as hijacking banking passwords, holding files captive under threat, or raiding proprietary corporate information.

Additionally, two other malware effects not directly related to crimeware--but popular among malicious attackers as a means of financial theft--include community-forming and the download of more malicious components. Community-forming malware is usually called a bot worm or, simply, a bot. A bot's primary objective is to achieve as broad a threat distribution as possible, while enabling its creator to maintain centralized control. Combining individual bots into a network--or botnet--increases the bots' power and enables creators to exploit this power over hundreds and thousands of PCs for financial gain. During 2006, botnets experienced significant growth--the most notable being the WORM_SDBOT family.

The financial motivation inherent in today's malware demonstrates that malicious attackers are no longer mere individuals, as in the past. Now, attacks are commonly executed as joint ventures among professional malware programmers with access to greater pooled resources--and such consortiums are dedicated to the creation and distribution of malicious software intended to steal money from individual and corporate victims. Crimeware includes spyware and other keylogging Trojans, hacking tools, and phishingrelated email spam. New hybrid combinations also have emerged, including spyphishing--a targeted spyware attack in which a downloaded Trojan, programmed to steal specific information from a specific legitimate URL, activates and sends information to a malicious third party); and vishing--a targeted phishing attack using voice over IP (VoIP). Since the stakes for information theft are rising, applying the term crimeware to the above activities provides an appropriate level of understanding for computer users regarding the threats they face.

Hacking tools account for most crimeware-related threats. However, users should not feel reassured by the success of such old-fashioned infiltration techniques; the majority of systems remain ineffectively patched and firewalled against current threats, mostly due to new machines coming online, as well as users being unfamiliar with security concerns. Phishing, spyware, and spy-phishing are very real threats. Spy-phishing, especially, is a particular concern, as its two-pronged approach (see above) means that users are vulnerable the moment they visit an implicated URL. Even if users suspect a site and navigate away from it, the malware remaining on their machines completes the theft.

Web Threats Emerge From the Shadows of Email Threats

Most malware threats propagate via email. In 2006, attackers combined phishing emails with malicious attachments to create a strong attack vector, identified by Trend Micro as spy-phishing. Spy-phishing initially uses email spamming techniques to distribute messages which, in turn, rely on social engineering ploys to trick users into running malicious file attachments. Identity theft remains the highest objective for spy-phishing.

In addition to email, the second most prevalent means of malware distribution is via the Web. Most often, attackers prey upon users' beliefs that a malicious program is needed or expected--and therefore legitimate. For example, in developed countries, increased Internet bandwidth has spawned explosive growth in video sharing and downloading. In order to view the variety of file formats available, users need codecs--small programs that encode and decode digital data streams--which are often available as downloads from video-sharing sites. Malware authors exploit this by regularly setting up bogus codecs in public networks; sometimes, they go so far as to create entire malware websites around the fake codec. The TROJ_ZLOB family consistently uses this strategy, masking files as "mandatory downloads" necessary to watch online videos. Malware authors effectively use another Web-based distribution method: publishing malicious links in search engines, discussion forums, and other public places. These links point to download pages with heavily obfuscated script code in order to prevent detection. For example, the FEEBS worm attacked when a user visited a page containing one of these scripts--which enabled the worm to download and infect the user's computer.

New vulnerabilities surface every month, and malware creators respond by adding fresh network-spreading capabilities to their arsenal. This helps them acquire new, unprotected victims each time an exploitable vulnerability is made public. Ever since the Blaster worm first occurred in 2003, malware authors have very successfully exploited network vulnerabilities--immediately updating their libraries when a new vulnerability is released. Bot worms have traditionally been the fastest to incorporate support for newly published exploits.

New in 2006, Trend Micro has observed malware that exploits client-side vulnerabilities.

Such threats operate via exploit files which, when run, drop a piece of malware in the user's system. The WMF exploit marked this new trend in early January. Consisting of specially-created WMF image files, this attack exploited a vulnerability in the Widows image rendering engine, which allowed rogue code to execute once a user viewed the bogus image. Eventually, this code enabled crimeware. Similar waves of exploits followed, many of which took advantage of client-side vulnerabilities within the popular Microsoft Office suite, as well as applications such as the music player Winamp.

Because users typically don't recognize these exploit files as threats--and therefore open them without consideration--the social engineering component in these cases is significant.

Regional and Targeted Attacks Replace Global Outbreaks

In 2006, Trend Micro has observed that--with the exception of bot worms--most modern malware lacks the means to easily propagate. This fact implies that unlike older generations of malware, creators of modern threats intend their malware to remain localized. This greatly impacts the types of infections experienced by businesses and consumers alike.

For example, in 2004, a malware outbreak would have wreaked havoc on all seven continents--causing security companies to pursue an immediate solution for cleaning and preventing infections. In 2006, malware outbreaks instead have targeted email address lists, or visitors to a malicious Web page--and may only infect those specific computers. Once an attack is successful, today's malware only remains active until it can steal a user's personal information and, eventually, money. "Targeted attacks" follow the same principle. Deployed in order to steal confidential information from specific companies, such threats mimic internal emails and target certain individuals within a given organization. As soon as even one user is tricked to run the attached malware file, the company becomes vulnerable to widespread theft of often vital data.

Similar to a regional attack, a targeted attack is even narrower in scope with a more specialized objective.

Both regional and targeted attacks affect fewer users than in the past, and often involve blended threats. This presents a new challenge for security companies, for cleaning narrowly focused, self-updating malware is much more difficult than cleaning a widespread, static worm. Therefore, the threat landscape has become more dangerous than ever.

Blended Threats Are Better Than One

Although the term blended threats was coined a while ago, it has become increasingly relevant to today's Internet landscape. In fact, most malware attacks today involve multiple pieces of malware.

Typically, a malware infection launches when a user--either wittingly or unwittingly--downloads an executable file that, in turn, downloads other malicious components and/or spyware. The unfortunate result is infection of the targeted computer by as many as four different types of malware, spyware, and adware--and sometimes, more. For example, in the Gromozon case of Q406, Italian users were tricked into visiting a malicious Web page. This page redirected users, via a script, to a chain of other pages that eventually caused users to download a file. This file then unleashed a malware download process that dropped adware and other components onto affected systems, installing and protecting it with a rootkit.

Similarly, also in Q406, the NUWAR worm attacked several different regions. NUWAR mass-emailed messages with "nuclear war" subject lines and an attached executable file.

This file, when run, dropped a downloader component onto the affected machine and planted copies of the mass-emailer module; then, it downloaded four other components, including a new downloader (which enabled the import of new modules without detection) and a rootkit that hid the entire malware army. The unfortunate result was a collection of computers transformed into spam- and infectious-worm email generators.

The main component of the NUWAR threat was a module that sent spam emails advertising stock sales.

Sadly, these are not isolated cases. Blended threats are a growing concern for all Internet users, and a challenge for antivirus companies. Trend Micro anticipates this type of attack to continue at least into the near future.

Spam and Phishing

Spam is nothing new. Unsolicited advertising, bandwidth hogging, and productivity drops have been irritating users for at least several years--and in 2006, spam has continued to rise. One factor behind this spike involves the ways in which bot owners leverage their botnets to propagate spam. In this scenario, the email origination point constantly shifts among members of the botnet--which makes blacklisting as a defensive tactic nearly impossible. Similar instances of using malware as a spamming platform have also been observed. The best example involves the STRAT worm distribution, which occurred in the third and fourth quarters of 2006. This worm behaved very much like a typical, fastspreading mass-mailing worm, with a special twist: it spammed advertisements for an online pharmacy from each infected host. The NUWAR worm, mentioned previously, also used infected machines as spam-sending platforms. Trend Micro predicts this is notthe last time such a plot will exhibit itself, which bodes poorly for all email users and their inboxes.

Incidentally, these spammer worms leverage the latest mass-mailing technique: image spam. In 2006, in order to bypass spam filters, spammers revived an old trick that has now become quite common: placing email advertising text within an image, and scattering random elements such as dots or lines throughout the text. The resulting complexity of such emails makes it difficult for heuristic engines and other antispam vehicles to detect image spam.

Although samples are processed continuously on a daily basis, almost 60% of phishing siteshave either been discovered and taken down, or have morphed to avoid detection, during the time in which an actual sample is received for processing. This underlines the need for products that either have a permanent online connection or are equipped with heuristic technologies to effectively detect and block phishing sites.

Many of the affected companies, such as eBay and PayPal, have established dedicated departments and security groups for mitigating the effects of phishing-related crimeware--often through joining broadly based, cross-industry initiatives. They also actively educate users about these types of activities. Traditionally, phishers have used at least ten different techniques to lure users into their schemes. However, due to various browser improvements--as well as government- and private sector-sponsored awareness campaigns--only one of these techniques remains effective: address-bar spoofing. Address-bar spoofing abuses Java or ActiveX scripting to overlay a legitimate address bar with a fake image. Otherwise, more than 96% of all phishing attempts occur via explicit display of a spoofed URL, using a combination of character encoding to impart a false sense of security to users.

On average, Trend Micro has identified more than two million different pieces of spam flooding the Internet each month. English is the predominant language used, likely due to its global application in the business world; English-language spam constitutes 61% of all samples processed, representing an enormous 20% increase over last year.

Regionally targeted spam for the Japanese market is also on the rise. Chinese spam is the third largest, at more than a half-million pieces recorded.

Commercial spam--spam involving trading or Web-offers--represents 13% of all spam. This is an almost 5% drop from last year's value, likely due to spammers testing the effectiveness of new topics. Financial spam, such as offers for debt consolidation or mortgage programs, is a close second at 8% of the pie. Health-related spam comes in third at 6%. The most successful spam leverages topics that are likely to be of concern to a majority of people--thus ensuring propagation via social engineering. Users who fall victim to such scams, however, are left with nothing--while scam artists make off with their money.

Spyware

The past several years have witnessed the rise of spyware and other non-malicious threats. These threats have been a concern for home and corporate users for two main reasons: the annoyance their unsolicited advertising displays cause; and the data leakage their presence introduces. In 2006, spyware and adware have continued to increase, thanks to their creators' discovering innovate new ways of distributing them. As previously mentioned, many malware attacks are, in reality, blended threats that install spyware and/or adware on the infected computer--which vastly increases their dissemination. The fight against spyware is at its peak, and the market for anti-spyware software is growing.

On their own, aggressive marketing tactics may not appear to be much of a threat--but, especially recently, the results of such activities have included technological abuse. For example, spyware--which profiles users' activities and browsing preferences--feeds into a database that loads these preferences into adware campaigns designed to either promote more visits to a particular site, or to leverage the data to compete with a different brand.

TrendLabs has noticed--via almost four million spyware and adware reports--that several pieces of malware are being used to generate click-through revenues. This means that the prevalence of spyware and adware is a concern; as companies adopt more stringent content filtering solutions, unregulated markets may utilize malware in order to force marketing content onto users. Commercial spam already employs this approach, as with WORM_STRAT distributing pharmaceutical spam as part of its payload.

The New Technologies and Threats on the Block

2006 witnessed the resurfacing of file infectors. File infectors insert malicious code into other executables, making them stickier and more difficult to remove than more common worms and Trojans. Older file infectors--which fell out of fashion several years ago--have been replaced by a newer generation that behaves differently than its ancestors.

Current incarnations have more a modern, somewhat predictable

MACRO VIRUSES

Since 2004, Trend Micro has been reporting that macro virus threats are virtually gone.

This is because the technologies that cause such concerns have not changed much over the years--which makes them easier to protect against.

However, the effects of document and data modifications remain relevant within the current threat landscape.

Evident from this distribution is the fact that, despite the lack of new macro variants, the Microsoft Office Suite remains affected by malicious activity.

Macro threat reports in 2006 year show increasing numbers, initially peaking in April and then again in September.

MICROSOFT WINDOWS INTERNET EXPLORER 7 THREATS

Microsoft Windows Internet Explorer (IE) 7 will soon be the most popular web browser worldwide, due largely to the fact that Microsoft has chosen to deliver IE 7 to existing Windows users via Windows Update. With IE 7 comes three important new features which Trend believes will provide opportunities for spyware--specifically, adware--exploits. These opportunities include:

* Tab-jacking. IE 7 introduces a feature, called tabbed browsing, that has been present in Firefox for a long time. With this feature, users can associate multiple tabs with particular Web pages--which provides quick access to a user's favorite sites. However, due to the ease with which a user can add a new tab to the browser, Trend Micro expects that adware--rather than producing its typical pop-up ads--will soon introduce adware tabs into IE7. This tab jacking will allow adware companies to create persistent, ad-based tabs that will reappear when IE 7 is restarted, even if a user closes the ad tabs.

* RSS injection. IE 7 has quickly become the world's most popular RSS reader by its inclusion of Microsoft's RSS reader. Microsoft is quick to point out that adding desired RSS feeds is as easy as adding bookmarks to the browser. Trend Micro anticipates that adware companies will soon inject their own RSS feeds, providing a stream of ad content into the RSS data.

* Search box stealing. IE 7 includes its own embedded search box--meaning that users no longer need to visit a separate search engine page such as google.com. Because IE7's search box is configurable, Trend Micro believes the configurable search box will be hot property and adware companies will hijack the search box to operate searches on their own desired search engines, thus generating search engine Pay Per Click revenue for adware companies.

LINUX MALWARE

Typically, alternative operating systems have not been targeted by malware--with the exception of discrete threats such as OSX_LEAP.A, a worm detected in February 2006 that affects users of the Mac OSX platform.

This has led to a false sense of security among Linux and Unix users, who are often unprepared for attacks such ELF_LION in 2001--the first publicized, internet-propagated worm to affect their systems. In 2006, the most commonly reported Linux threats include ELF_BLITZ, a denial- of-service attack Trojan; and variants of ELF_BO121B and ELF_DIESEL, both file-infecting viruses. Interestingly, remedies to these threats appeared almost instantly, yet users continue to be plagued by the effects.

UNIX_RAMEN.G, first discovered in 2002, is the most prevalent Linux worm and appears to be spreading chiefly in North America and parts of Europe.

Many Linux users will often install the full package, including Unix compatibility, to increase the number of free applications they can run on their system.

BOTS AND BOTNETS

Since December 2005, there has been anaverage bot increase of 15% per month, with more than 140,000 being flagged every month.

ROOTKITS

Rootkits are another growing concern. Although not malicious in isolation, they are employed by malware and spyware to hide in infected systems. This is important for the following reason: in an environment where malware is attempting to steal financial information, time is essential. The longer malware remains active, the higher the chances of its obtaining personal and confidential information. Rootkits buy malware more time by hiding processes, registry entries, and related files from antivirus scanners and other security checks. It is vital for PC users to be protected against these new concealing agents, and keep their security software up to date. The release of Microsoft's new operating system, Windows Vista, will likely decrease the number of kernel-level rootkits. Vista requires every driver to be signed by its vendor. This policy limits the impact that rootkit drivers may have on users. Although kernel-level rootkits are the most effective in hiding malware, they are also the least popular. User-level rootkits will continue to be a threat and, while easier to remove, are still a formidable enemy. As an example, variants of the TROJ_ROOTKIT family of rootkits have climbed to top positions in the malware prevalence charts during 2006. Detecting the existence of one or more rootkits in a system is not easy, and analysis of the hidden malware can be difficult. Consequently, parasitic lifetime can increase exponentially. Add to this the fact that most rootkits are open-source developments and readily available to anybody. Trend Micro continuously discovers more of these threats as usage gathers a following among malware authors.

Rootkits follow the general growth patterns for all malware, and their widespread presence depends heavily on the propagation and proliferation successes of other multithreat code droppers--as well as the apparent integration of their use by spyware and adware in order to avoid detection and prolong financial gain. These types of threats are complimentary packages to botnets as well.

MOBILE MALWARE

Mobile threats have been on researchers' radar screens for the last two years. Trend Micro has observed an increase in mobile phone malware during 2006. The main factor behind this trend is the increasing number of smart phones on the market. Since these phones are specifically targeted--and they can also act as propagating platforms--increased sales means users should beware.

Most has been distributed as Trojans, meaning they generally lack spreading capabilities, and don't have special motivations beyond demonstrating and testing the mobile malware concept. Typically, mobile malware is launched when a user downloads a fake program from the Internet and installs it on the phone. Instead of the expected program, however, mobile malware has a malicious effect, such as sending SMS messages to expensive numbers and other noxious actions. Unlike most other malware, mobile malware appears to be the work of smaller groups, not criminal organizations. As the market expands, and more potential victims join the mobile network, however, this situation may change for the worse.

In 2006, mobile malware prevalence reached an all-time high, and was even predicted to be one of the year's top concerns--if not for the fact that current technological barriers prevent these types of threats from becoming aggressive. However, growth patterns indicate waning interest in new threats based on the old Symbian EPOC platform; lack of interest in versions of the Windows for Mobile platform; and the pronounced continued proliferation of the Nokia-branded SymbianOS.

This makes sense, given the greater adoption of SymbianOS--and in particular the Series 60 version--by various mobile operators and manufacturers. An industry report by Canalys during Q1 2005 supported this trend, showing various SymbianOS versions as accounting for 61.4% of the worldwide market share. Further, Canalys projected that increased adoption of the new Windows Mobile 2005 platform--as well as increased sales in Linux-based mobile phones such as the Motorola RAZR and the occasional Nokia 7710--might soon change that landscape. However, during Q4 2005, Nokia released its innovative N-series phones--which cater to multi-media enthusiasts--and and a new set of E-series phones--which cater to business users. Both of these developments have cemented Nokia as the market leader. In September 2005, SYMBOS_CARDTRP.A attempted to become the first crossplatform mobile worm, by dropping worms--such as WORM_WUKILL.B--in the infected device's memory card. When the card was subsequently attached to a Windows computer, the worm could open a backdoor to the system and distribute two more worms. Though this attack was not particularly successful, the most recent SYMBOS_CARDTRP.R--discovered found March 2006--was 17th variant found, with early reports from North America and China. Since removable flash memory cards in MMC or SD formats are easy-to-carry commodities, and are available with up to two gigabytes of storage, it makes sense for many consumers to plug such devices into regular desktop terminals (to back up data, for example, or store multimedia files). This consumer behavior has likewise changed the standard input devices of pre-assembled desktops for sale--which these days support any of the nine common card formats, including compact flash, XD, and Duo, as well as those previously mentioned.

Further, during November 2005, Trend Micro received samples of a particular form of mobile phone malware that attempted to gather a user's contact details, and send those details to any other mobile device in range. Trend Micro named this malware SYMBOS_PBSTEAL.A. This malware was, in effect, the first information-stealing threat for mobile phones. North America is again listed as a site in which the most recent variant SYMBOS_PBSTEAL.D was found in late January.

It appears that almost all of the newly reported mobile threats, as well as several variants of SYMBOS_FONTAL and SYMBOS_SKULLS, are actually Trojans that require premeditated user intervention to be installed. One exception is SYMBOS_BOOTTON, which can spread via Bluetooth. Malicious authors float their creations online and on P2P networks as bootleg copies of commercial software, or even as common fileviewing tools. Thus, the mantra of avoiding malware-riddled "warez" (pirated software) is as true for mobile applications as it is for desktop software.

There is some indication that the desktop spyware phenomenon is going mobile.

SYMBOS_FLEXSPY.A was reported in March 2005, with functionality to log calls, SMS and MMS messages, GPRS and data usage, as well as email content. Once the data is collected, it is sent to a remote server. This doesn't bode well for the future of mobility.

Users are soon likely to be carrying viruses and spam in their pockets the way they currently carry them on their networks and desktops.

While malware that targets mobile devices is expected to increase in 2007, the major threat continues to be from lost or stolen devices. Leaving a device in a taxi is a much more common occurrence today than having such a device hacked while surfing at the local Starbucks. Trend Micro continues to be measured in its observations about the mobile security threat; today, it is in proof-of-concept stage, but has the indicators to become virulent in the near future.

The Emergence of Web Threats in 2007

In 2007, users can expect Web threats to emerge as the prevailing security threat. Web threats include a broad array of threats originating on the Internet, and are typically blended threats that use a combination of files and threats. They spawn large numbers of variants and generally target a relatively small audience, such as regional internet users or users of a specific site or related group of sites. These threats, much like their 2006 predecessors, are profit-driven, their goal being to surreptitiously infect and hide on PCs or the Web, and steal information for as long as possible. Web threats will impact consumers and corporations alike through confidential information leakage, identity theft, bot infection, adware/spyware installation, and the like.

2007 will continue the "high focus/low spread" tendency of 2006. Due to the nature of their distribution methods, infections will usually be very limited in scope. This is completely changing the concept of outbreak in the industry. Whereas in the past, we experienced widespread mass-infections, now we see smaller-scope regional outbreaks.

These targeted attacks have more specific objectives and they are more difficult to eradicate. In some cases, they are so specific as to target single companies in order to steal certain internal information. Most of the time, they are just blended threats whose initial detonator component is spammed to an email address database.

In 2007, we can also expect to see the bot threat grow, as creators find newer methods for installing them in users' machines. More ingenious social engineering and software vulnerabilities will be the likeliest candidates for this.

Since crimeware creators have away to fund their activities, crimeware attacks will not go away. PC users must be prepared for, and be familiar with, these novel ways of being attacked in order to prevent being robbed or scammed.

Spyware and other aggressive marketing campaigns will continue to be a threat. Developers of these adware campaigns usually pay per each copy of the software installed. Their distributors, therefore, resort to questionable methods of installing as many copies as possible, even against the user's will or knowledge. If this situation continues, distributors will seek even sneakier ways to drop their adware--even joining forces with malware writers, as they have during 2006.

Best Practices and Recommendations

For enterprises, mid-size corporations and small businesses, Trend Micro recommends a multi-layered approach to protection, including the following:

* Deploy HTTP-scanning methods.

Due to the prevalence of Web threats, it is highly recommended to implement Web-scanning systems in mid- to large-size networks. Not only is it advisable to deploy these, but also to make sure users cannot bypass them. The most secure way to implement such a system is to force users to forward all Web requests to the scanning device, and deny them otherwise. Closing this gap is key in the fight against malware and spyware, since the Web has become the number one point of entry in the corporate network.

* Do not allow unnecessary protocols to enter the corporate network.

The most dangerous of these are P2P communication protocols and IRC (chat). These two protocols are part of the bot arsenal of weapons used to propagate and communicate with their botmaster, and should be disallowed in the corporate firewall.

* Deploy vulnerability scanning software in the network.

Maintaining a consistently up-to-date operating system can minimize the impact of any new network vulnerabilities, and diminish the risk of being infected by these kinds of worms. It is highly recommended to keep all other applications patched as well. This especially includes office productivity applications.

* Restrict user privileges of all network users.

Kernel-level rootkits are implemented as device drivers; therefore, denying users the right to "load and unload device drivers" will largely block them. Windows Vista already provides a default protection feature to prevent this. Other types of malware leverage administrator-level capabilities to perform malicious acts. It is wise to limit what a rogue program can do by limiting its user privileges. This is accomplished by depriving normal users of administrator rights.

* Deploy corporate anti-spyware scanning.

As spyware threats are becoming more prevalent for businesses, administrators need to deploy specific software to detect and stop them.

* Support user awareness campaigns.

Since many employees with corporate laptops take them outside the corporate environment--on airplanes, in cafes, and at home--and also use them for personal purposes, user awareness is especially important. Most of today's malware-related attacks attempt to fool the user in what is called social engineering. Most of the malware detected in 2006 would not have created any harm had users not clicked on it. We can minimize the effect of malware in our networks by demonstrating how attackers try to fool users. We must teach users basic security measures and how to react to typical attack scenarios. This goes a long way towards preventing internal outbreaks. It is also important to keep users up-to-date on new attack strategies, as well as on company security policies and recommendations.

In 2006, the Trend Micro Internet Security and Confidence Survey yielded a very interesting finding. While most respondents perceived the Internet to be somewhat safe today, and believe it will be less safe in six months, they still admitted to participating in risky online behaviour--such as using freeware/shareware programs and unsecured public wi-fi hotspots. Today's security tools go a long way toward helping secure the online experience of computer users; however, end-user awareness and online behaviour needs to complement security tools if true security is to

be achieved.

For home users, Trend Micro recommends the following:

* Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.

* Scan, with an updated antivirus and anti-spyware software tool, any program downloaded via the Internet. This includes any downloads from P2P networks, through the Web, and by FTP server--regardless of the source.

* Beware of unexpected or strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.

* Enable the "Automatic Update" feature in your Windows operating system and apply new updates as soon as they are available.

* Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running.

Trend Micro Inc. provides centrally controlled server-based virus protection and content filtering products and services. By protecting information that flows through Internet gateways, email servers, and file servers, Trend Micro allows companies worldwide to stop viruses and other malicious codes at a central access point before they reach the desktop.

www.trendmicro.com
COPYRIGHT 2007 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:SECURITY SUPPLEMENT
Publication:Software World
Article Type:Company overview
Date:Jan 1, 2007
Words:6448
Previous Article:Security news and products; Sunbelt Software announces top ten spyware threats for October.
Next Article:Infosecurity Europe 2007.
Topics:


Related Articles
2006 year for going back to basics, say researchers.
By 2009 the Worldwide Market for Network Security Appliance & Software is Expected to Reach $6billion.
Security news and products; avanquest UK launches PC-Cillin from Trend-Micro.
Research & Markets: Gain an Insight into the Financial Performance of Ixia.
Research and Markets: New Report Analyzes Business Structure, Finances and Operations at Packeteer Inc.
Security news and products; 2006: the year spam raised its game and threats got personal.
China Fuels the Sharp Rise in Demand for Cable Set Top Boxes.
Security and products; new beta version of ScanMail.
Research and Markets: New Report Analyzes Performance and Competitors at Amdocs Limited.
Research and Markets: Gain an Insight into the Financial Performance of Secure Computing Corporation.

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters