Emerging cyberthreats for 2009

December 15, 2008 by admin  
Filed under Gateways

The Georgia Tech Information Security Center (GTISC) is one of the leading academic research centers in the US focusing on information security. In mid-October, GTISC held its annual summit on emerging security threats, bringing together information security experts from the public sector, private enterprise and academia. These experts released a report called “Emerging Cyber Threats Report for 2009”, which discusses five specific trends that will drive threats and countermeasures in 2009. The five trends are: malware, botnets, cyberwarfare, threats to VoIP and mobile devices, and the evolving cybercrime economy.
According to experts at Kaspersky Lab, there will be a 10-fold increase in malware objects detected in 2008. In August 2008, a total of 28,940 different malicious and potentially unwanted programmes were detected on users’ computers – a 38 per cent increase over the previous month’s findings. The growth rate for malware is a sky-rocketing J curve.

There are two primary reasons behind the distribution of so much malware. The first is to steal data from individually infected machines, and the second is to take control of a broad range of machines to form a botnet that in turn distributes more malware as well as spam.

Increasingly, the purveyors of malware are turning to social engineering to get unsuspecting users to click on the links necessary to download the malicious payload. Shotgun blasts of phishing attacks are giving way to targeted messages that appear to come from a trusted source such as a friend or colleague. If you’ve ever needed a reason to block access to Facebook or YouTube at work, this may be it. The GTISC report cites a realistic example of how easy it is to spread malware via social networks:

“A Facebook message sent from one friend to another includes a link to a YouTube video of interest to the recipient. The recipient clicks on the link supposedly sent by his/her friend, and then sees a prompt to install the latest version of Flash Player in order to watch the video clip. The user clicks to install the update, but actually installs a piece of malware on the machine, effectively involving the computer in a botnet.”

Speaking of botnets, 2008 has been a year of growth, and the trend is expected to continue, according to the GTISC report. GTISC estimates that as many as 15 per cent of online computers are unknowingly controlled by a malicious master – up from 10 per cent just a year ago. Research from Kaspersky indicates that some of the largest botnets are made up of corporate machines, often because it takes the average corporation two to three months to apply a security patch across all devices. During the window of time when a machine goes unpatched, it is exposed to known vulnerabilities.

Wenke Lee, an associate professor at GTISC and a leading researcher on botnets, cites three unavoidable factors in the growth of botnets:

* Infection can occur even through legitimate Web sites.

* Bot exploits/malware delivery mechanisms are gaining sophistication and better obfuscation techniques.

* Users don’t have to do anything for their machines to become infected; simply rendering a Web page can launch a botnet exploit.

What makes it so challenging to prevent bot infection is that bot communications are designed to look like normal web traffic using accepted ports. Says Lee, “It’s very difficult to filter bot traffic at the network edge since it uses http and every enterprise allows http traffic.”

To me, botnets conjure the image of the thousands of clone robots coming to life in the movie Star Wars: Episode II – Attack of the Clones. According to GTISC, the devices in a botnet are prompted to act in unison to engage in a variety of activities, such as data theft, denial of service attacks, spam delivery, and DNS server spoofing. The report also cautions that a bot army could be used to conduct cyberwarfare in the future.

The encouraging word is that new technologies have been and are being developed to pinpoint the communications between bots and bot masters. Algorithms analyse the traffic patterns from internal computers to outside machines, and software can shut down those links, effectively stopping the infected machine from being controlled without permission.
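As an added illustration of the traffic-pattern analysis described above (this is example code, not the GTISC report's or any vendor's detector), the script below scans constructed proxy log lines for internal hosts that contact one outside host with many small, evenly spaced HTTP requests, the check-in rhythm that distinguishes a bot polling its master from a person browsing. The log format and all hosts and addresses are assumptions invented for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): "<epoch> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 checks in with one host every ~300 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
1229350000 10.0.0.5 update-check.example.net 512
1229350301 10.0.0.5 update-check.example.net 514
1229350600 10.0.0.5 update-check.example.net 511
1229350902 10.0.0.5 update-check.example.net 513
1229351200 10.0.0.5 update-check.example.net 512
1229351499 10.0.0.5 update-check.example.net 515
1229350010 10.0.0.9 news.example.com 48210
1229350075 10.0.0.9 news.example.com 31002
1229350480 10.0.0.9 video.example.org 920311
1229351260 10.0.0.9 news.example.com 22871
1229351266 10.0.0.9 cdn.example.org 118934
1229351300 10.0.0.9 news.example.com 19044
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Group (timestamp, bytes) of each request by (internal src, external dst)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, src, dst, size = m.groups()
        flows[(src, dst)].append((int(ts), int(size)))
    return flows

def beacon_score(events):
    """Return (mean gap in s, gap jitter as coefficient of variation, mean bytes)."""
    times = sorted(t for t, _ in events)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:  # too few requests to judge regularity
        return 0.0, float("inf"), mean(s for _, s in events)
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu else float("inf")
    return mu, cv, mean(s for _, s in events)

def find_beacons(text, min_events=5, max_cv=0.05):
    """Flag (src, dst) pairs whose requests are frequent and almost perfectly periodic."""
    flagged = {}
    for pair, events in parse_log(text).items():
        if len(events) < min_events:
            continue
        mu, cv, avg_size = beacon_score(events)
        if cv <= max_cv:
            flagged[pair] = {"interval_s": round(mu), "jitter": round(cv, 3), "avg_bytes": round(avg_size)}
    return flagged

if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_LOG).items():
        print(pair, stats)
```

Real proxies produce far more legitimate periodic traffic (software updaters, mail clients), so a flagged pair is a lead for the analyst, not a verdict.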

Source: Financial Express
