Published: 06 Dec 2010
When investigators at Trustwave's SpiderLabs forensics team responded to a breach at an international VoIP provider earlier this year, the conditions they found at the provider's data center were appalling to say the least. Servers containing data on 80,000 customers were located in a rundown barn. To make matters worse, the investigators had to endure the odor from about 20 farm cats living among the equipment.
The third-party hosting service looked professional; its website boasted of hundreds of customers and even included pictures of a hardened data center. The VoIP provider was the target of customized malware -- a rootkit -- which took advantage of the hosting service's weaknesses. The VoIP provider realized it had a problem only after customer complaints came pouring in -- months after the malware did what it was designed to do. The cybercriminals were long gone, says Jibran Ilyas, a senior security consultant for Spiderlabs.
Customized malware is a growing problem, he says. Poor network configurations, shoddily deployed security software, and an over-reliance on traditional, signature-based antivirus are resulting in some very costly data breaches, he says.
"We always tend to overestimate the big environments; we think they're going to be really secure," Ilyas says. "It's only until we get there that we realize there's a major gap between the skill level of IT administrators and security folks who do the job."
Ilyas says companies such as the VoIP provider have no chance against cybercriminals wielding customized malware. For example, ports are typically left open so that outsourced IT operations can gain remote access to the network. "If those ports are open for integrators, they're also open for the hackers," he says.
Companies that fail to properly evaluate their outsourced operations are also likely relying on poor or even misconfigured security software to protect their networks. Antivirus software is almost no match for keystroke loggers, network sniffers and, in particular, malware with memory-parsing capabilities, says Greg Hoglund, a malware expert and founder of HBGary.
He has been railing against the effectiveness of antivirus, warning that many companies rely too much on the traditional signature-based approach to detecting and eradicating malware.
"Most organizations in the commercial space rely entirely on their AV vendor to do all of the end node security for the network," Hoglund says. "This model doesn't work very well because the AV vendor has no idea about the threats targeting an individual site."
Hoglund says organizations need to improve their incident response procedures. Many organizations simply eliminate the malware and reimage the infected machine. Hoglund says incident responders need to conduct a basic level of forensics, examining the company's logs and DNS records. Looking at the malware's characteristics could reveal information that can be used to detect other infections on the network. Malware fingerprinting and attribution techniques are going to be needed because traditional signature-based methods can't keep up, he says.
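The pivot Hoglund describes, from one infected machine's characteristics to other infections via DNS records, as an added example that is not from the article or any of the vendors it quotes: it parses BIND-style query log lines (the log lines, host addresses and domain names are constructed for this example), takes the domains the known-infected host resolved that are not on an allowlist, and finds other hosts resolving the same names, with a median-interval check for the regular beaconing typical of custom malware.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed BIND-style query log lines; hosts and domains are not real.
SAMPLE_LOG = """\
06-Dec-2010 09:00:01.123 client 10.1.4.22#51234: query: update.vendor-good.example IN A +
06-Dec-2010 09:00:05.010 client 10.1.4.22#51240: query: cdn-static.ctrl-host.example IN A +
06-Dec-2010 09:00:07.440 client 10.1.4.22#51241: query: mail.corp.example IN MX +
06-Dec-2010 09:01:05.022 client 10.1.4.22#51250: query: cdn-static.ctrl-host.example IN A +
06-Dec-2010 09:02:05.031 client 10.1.4.22#51260: query: cdn-static.ctrl-host.example IN A +
06-Dec-2010 09:00:30.900 client 10.1.7.9#40001: query: www.corp.example IN A +
06-Dec-2010 09:03:12.005 client 10.1.7.9#40010: query: cdn-static.ctrl-host.example IN A +
06-Dec-2010 09:04:12.100 client 10.1.7.9#40011: query: cdn-static.ctrl-host.example IN A +
06-Dec-2010 09:05:00.000 client 10.1.9.40#39000: query: update.vendor-good.example IN A +
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<host>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(text):
    """Return a list of (timestamp, client_ip, qname) from BIND-style query log lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, m.group("host"), m.group("qname").lower().rstrip(".")))
    return records

def suspicious_domains(records, infected_host, allowlist):
    """Domains the known-infected host resolved that are not on the allowlist."""
    return {q for _, h, q in records if h == infected_host and q not in allowlist}

def pivot_to_other_hosts(records, domains, infected_host):
    """Map each suspicious domain to the other hosts that resolved it (likely infections)."""
    hits = defaultdict(set)
    for _, h, q in records:
        if q in domains and h != infected_host:
            hits[q].add(h)
    return dict(hits)

def beacon_interval_seconds(records, host, qname):
    """Median gap between a host's consecutive lookups of qname; steady gaps suggest beaconing."""
    times = sorted(t for t, h, q in records if h == host and q == qname)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None
```

In practice the allowlist would come from the organisation's own known-good resolver data, and hits would be confirmed on the host before reimaging it.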
Paul Laudanski, who headed more than a hundred volunteers who investigated spam and phishing attacks and malware for his website CastleCops.com, couldn't agree more. For several years, Laudanski and his wife Robin made headway capturing IP addresses and foiling cybercriminal operations. Fed up with unrelenting denial-of-service attacks against his site and strapped financially, they shuttered the operation at the end of 2008.
"Malware is always going to be a big component," says Laudanski, who now works for antivirus vendor ESET. "The fundamental attacks continue because hackers are always going to look for vulnerabilities they can exploit, but we're also seeing more targeted attacks cause problems."
Some experts are also identifying a shift in the way cybercriminals are conducting their operations. James Lyne, a senior technologist at UK-based security vendor Sophos, says cybercriminals are moving from randomly stealing credit card numbers and personal information to far more structured, organized criminal activity. Sophos engineers were detecting 5,000 pieces of malicious code a day at the end of 2009, Lyne says. Today, on average, the same engineers are looking at more than 60,000 malware samples a day.
"The bad guys are creating forums, they're providing support services and even have development teams to create targeted malware designed to penetrate networks and remain undetectable," Lyne says. "You've got to be secure on all fronts, not just with your security technology if you expect to keep your systems safe."
Robert Westervelt is news director of the Security Media Group at TechTarget. Send comments on this article to firstname.lastname@example.org.