Published: 28 Apr 2005
"Ten minutes to midnight" is how Patrick Heim described the readout on his "virus doomsday clock" during last year's so-called "Worm Wars." Dozens of MyDoom, Sasser, Bagle and Netsky variants were hammering enterprises, costing millions of dollars in defense and remediation. Yet none was the crippling worm predicted to bring the Internet to its knees. It felt as though the worst was yet to come.
A major malware outbreak hasn't occurred in the year or so since, and the clock is still ticking. Heim, VP of security at health care products giant McKesson, says the vulnerability remains, despite the waning threat. "Unless you fix the underlying vulnerabilities and make the users aware of the risks, nothing is fundamentally going to change," he says.
There's good reason to remain vigilant. The malware threat is shifting away from the massive global worm outbreaks like Code Red and Blaster to something more surreptitious: targeted malware infections.
Everyone knows that organized crime groups are targeting major corporations and banks with extortion schemes. They demand huge payouts--protection money--in exchange for not launching devastating DDoS attacks or leaking stolen proprietary information. Malware writers have figured out that their creations are useful for more than just destroying data and denying connectivity. They're using bots, Trojans and worms to steal data--especially identities--in moneymaking schemes.
The problem they face is doing it without getting caught. Their solution: localized worm outbreaks.
Eugene Kaspersky, president and founder of Russia-based AV vendor Kaspersky Lab, says he's already seeing this phenomenon in Europe and Asia. Malware writers know that if they send out 100,000 spam e-mails, about 5 percent--5,000 users--will fall for the ploy. Of those respondents, malware writers figure that at least 10 percent--500 users--will be susceptible to some easily exploitable vulnerability. The malware writers will target that set of 500 to steal information and identities.
This new technique has many advantages for the malware writer. First, he maintains control over the outbreak, knowing who and what he's going to get before he ever launches the worm or virus. Second, he controls the volume of information collected, making it easier to parse and exploit. Third, it's far more discreet than a global malware outbreak and decreases the likelihood of getting caught.
"Sometimes an attacker will create malicious code to run on systems associated with a particular domain or range of IP addresses," says malware expert and Information Security contributor Ed Skoudis. "We're also seeing attackers sending malicious code--often e-mails with attachments--at a target organization, with the hope that one of the users will run the attachment and give the bad guy access to the organization."
Malware writers are achieving what enterprise security practitioners are still striving for in their operations: manageability and risk reduction. Malware experts have long said that innovation in the malware underground is dead, and that the code they're using isn't getting any better. Perhaps not, but this trend shows that malware writers don't have to evolve their code. Spam, spyware, phishing and social engineering, combined with a little knowledge and out-of-the-box thinking, are evolving malware into an even more potent weapon against naïve users.