For those who were unable to attend the March 1 podcast on 2011 Malware Trends, here are a few of the key points, with additional depth on each.

By way of background, the market for stolen Internet information is saturated, and things like credit card data and bank account credentials have become a cheap commodity on the black market. Not long ago, a valid set of credit card credentials was worth $12 to $15. Today, the value has plummeted to just 20 cents per record. Malicious hackers are moving to other types of harvestable data to improve their margins, and literally any and all intellectual property is at risk.

Over the years we have also seen attacks traverse the OSI model from Layer 4 up to the Application Layer, and still today Layer 7 is the vector of choice. Why? It's not rocket science – the bad guys are simply attacking where our defenses are weakest.

Citing the 2011 State of Endpoint Risk study done by the Ponemon Institute, “organizations do not feel more secure than they did one year ago.” From my perspective this is due in part to the faltering economy causing security budgets to be tightened, which in turn results in greater exposure. It is also due to the lack of innovation in network security product offerings, which continues to allow the bad guys to stay well ahead of our defensive efforts.

2011 Trends

1. Social Media is Top Delivery Vehicle
The popularity of Facebook has made it one of today’s leading vehicles for malware delivery. Historically, the bad guys relied on personal information harvested from Facebook to craft more effective phishing emails against targeted victims. Today the attacks are much broader in scope, with clickjacking attacks regularly going viral on Facebook.

Just yesterday, yet another clickjacking attack was circulating via Facebook messages proclaiming “I lost all respect for Emma Watson when I seen this video! Outrageous!” Users who clicked the link in the message were brought to a fake video webpage. When they pressed the visible play button, they actually clicked a transparent “real” share button layered on top of it, which then shared the same message with all of their friends on Facebook.


The current objective of this latest clickjacking scam on Facebook is to use a survey form to trick users into revealing their cell phone number. Once you have revealed your cell phone number you are signed up for a premium rate SMS service and the charges are immediately billed to your cell phone account – better pay close attention to your cell phone bill…
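The transparent-button trick described above only works if the target site lets itself be loaded inside another site's frame. The server-side control against that is a response header forbidding framing (Content-Security-Policy frame-ancestors, or the older X-Frame-Options). The following is an added example, not code from the original post: a PowerShell function that takes a set of response headers and reports whether they block framing. The header values are constructed samples; a real check would feed in the headers returned by your own site.

```powershell
# Added example, not from the original post: decide whether a set of HTTP
# response headers stops the page from being framed by another site, which is
# the server-side control that defeats the transparent-button clickjacking
# trick. The header values further down are constructed samples.

function Test-FramingProtection {
    param(
        # Response headers as name -> value. Keys are matched case-insensitively.
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Headers
    )
    # Copy into a lowercase-keyed table so lookups do not depend on header casing.
    $h = @{}
    foreach ($name in $Headers.Keys) { $h[([string]$name).ToLower()] = [string]$Headers[$name] }

    $verdict = [ordered]@{ Protected = $false; Reason = 'no framing restriction found' }

    # 1. Content-Security-Policy frame-ancestors is the authoritative control.
    #    Content-Security-Policy-Report-Only only reports, so it is ignored here.
    if ($h.ContainsKey('content-security-policy')) {
        foreach ($directive in ($h['content-security-policy'] -split ';')) {
            $parts = @($directive.Trim() -split '\s+' | Where-Object { $_ })
            if ($parts.Count -gt 0 -and $parts[0] -eq 'frame-ancestors') {
                $sources = @($parts | Select-Object -Skip 1)
                if ($sources -contains '*') {
                    $verdict.Reason = "frame-ancestors allows any origin ('*')"
                } else {
                    $verdict.Protected = $true
                    $verdict.Reason = "frame-ancestors restricts framing to: $($sources -join ' ')"
                }
                return [pscustomobject]$verdict
            }
        }
    }

    # 2. Legacy fallback: X-Frame-Options.
    if ($h.ContainsKey('x-frame-options')) {
        $xfo = $h['x-frame-options'].Trim().ToUpper()
        switch -Regex ($xfo) {
            '^DENY$'       { $verdict.Protected = $true; $verdict.Reason = 'X-Frame-Options: DENY' }
            '^SAMEORIGIN$' { $verdict.Protected = $true; $verdict.Reason = 'X-Frame-Options: SAMEORIGIN' }
            '^ALLOW-FROM'  { $verdict.Reason = 'ALLOW-FROM is not supported by all browsers; use frame-ancestors' }
            default        { $verdict.Reason = "unrecognised X-Frame-Options value '$xfo'" }
        }
    }
    return [pscustomobject]$verdict
}

# Constructed sample responses: one that can be framed, one that cannot.
$unprotected = @{ 'Content-Type' = 'text/html'; 'Set-Cookie' = 'sid=constructed' }
$protected   = @{ 'Content-Type' = 'text/html'; 'Content-Security-Policy' = "default-src 'self'; frame-ancestors 'self'" }

Test-FramingProtection -Headers $unprotected
Test-FramingProtection -Headers $protected
```

To run it against a site you operate, pass `(Invoke-WebRequest -Uri $url -UseBasicParsing).Headers` as the `-Headers` argument. The function deliberately treats a Report-Only policy and an `ALLOW-FROM` value as unprotected, because neither reliably stops a browser from rendering the page inside an attacker's frame.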

2. Improved hacking tools available in the wild
Yesterday’s defensive tools are no match for today’s exploit kits. Gone are the days when hacking toolkits sold on the Internet relied primarily on exploits that were a year old or more. More sophisticated toolkits feature obfuscated and zero-day exploits that are completely missed by traditional defenses. Installing the latest AV signatures is of little help when no signature yet exists for the exploit.

3. Traditional defenses are not keeping up
When was the last time you heard of something really innovative from a security vendor? At RSA this year, a lot of the talk was about complementing AV with things like heuristics and reputation databases. Heuristics have been around for a decade and have largely been written off as ineffective because of their inherently high false positive rates and intensive CPU usage. Reputation databases were rendered effectively obsolete as soon as the bad guys realized all they had to do was change the IP addresses of their compromised PCs via DHCP faster than vendors updated their databases – change the IP address and you now have a clean reputation.

One of the more interesting technologies of late is the application of trust models to Whitelisting, in an effort to reduce the administrative burden associated with maintaining a whitelisted environment. I personally am a big proponent of Whitelisting because it allows you to focus on the hackers’ end game, meaning the running of a malicious executable on the compromised machine. Instead of trying to outthink the bad guys’ unlimited methods of delivering a malicious payload, you simply stop it in its tracks by not allowing the payload to execute.

4. DDoS and fake AV on the rise
DDoS attacks
In the last year, we have seen a 7-fold increase in botnets on the Internet. These botnets are the cash cows for the bad guys. Today’s botnets have proven their ability to deliver a sustained 100 GB flood of traffic against a target. DDoS mitigation is already a compliance requirement for many and needs to quickly become a component of all risk mitigation and business continuity planning for any Internet-connected entity.

Why has DDoS become so popular? Part of it, of course, is the rise of hacktivism due to the ongoing instability in our world. That being said, another part is that those launching these attacks only do so because they know we are woefully unprepared to defend ourselves from them. Long gone are the days of blocking a DDoS attack with a few ACLs on your border router.

Fake AV
It was noted at RSA this year that the revenue generated by fake AV cyber criminals now exceeds the revenue generated by legitimate AV product vendors. It was also noted there are an estimated 500,000 unique fake AV binaries on the Internet today. I think it is ironic how you are left defenseless against fake AV by the real AV that you have adopted for use in your environment. We will not get ahead of the bad guys until we stop depending solely on the failed methodologies we have been using for the last decade or longer. The time to use Whitelisting to complement traditional AV is long overdue.

5. Stuxnet – A game changer
Stuxnet combined good social engineering with zero-day exploits as well as privilege escalation attacks to successfully meet its objectives. While many believe that the use of Stuxnet averted or at least temporarily negated the need for immediate military action against its target, few have considered the bigger picture ramifications. We have officially entered the realm of the militarization of the Internet. At a time when we are still not able to defend ourselves from the obfuscated JavaScript embedded within a PDF file, we have let the genie out of the bottle on Cyber War. Anyone taking bets on how long it will take before global powers begin to rationalize that a DDoS attack response includes the use of ballistic missiles?

Where to go from here? Practical defense considerations

1. Focus on the endgame not the delivery mechanism
For many years now we have focused the bulk of our efforts on trying to outwit the delivery mechanism for malware. It is an arms race we simply cannot win. Instead, we need to step back and look at the bigger picture. In the vast majority of cases, the endgame for the bad guy is to get us to download and execute some form of malicious code. It simply makes better sense to focus on preventing the malware from executing and to stop spinning our wheels on its delivery.

2. Rethink your patch strategies
The data from the Secunia half year report for 2010 tells an undeniable truth: a PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 third-party programs installed than in the 26 Microsoft programs installed. Vulnerabilities are not a Microsoft-exclusive issue, and turning on WSUS and calling it a day will leave you woefully exposed. If you cannot keep software current with the vendors’ latest patches, you should not be running it.
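You cannot rethink a patch strategy until you know how much of the installed software base WSUS is not patching for you. The following is an added example, not code from the original post or from Secunia: a PowerShell inventory that reads the standard Uninstall registry keys, tags everything not published by Microsoft as third-party, and summarizes the split. It is read-only and needs no elevation; the Microsoft-versus-third-party test by publisher name is an approximation chosen for this example.

```powershell
# Added example, not from the original post: inventory installed software and
# separate Microsoft products (patched through WSUS) from third-party products
# (not patched through WSUS), so the uncovered attack surface becomes visible.

function Get-InstalledSoftwareInventory {
    # Both 64-bit and 32-bit (WOW6432Node) Uninstall hives on a 64-bit Windows.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        # Skip nameless entries and hidden system components (SystemComponent = 1).
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Publisher  = $_.Publisher
                # Approximation used by this example: anything whose publisher
                # string does not start with "Microsoft" is treated as third-party.
                ThirdParty = -not ($_.Publisher -like 'Microsoft*')
            }
        } |
        Sort-Object ThirdParty, Publisher, Name -Unique
}

function Get-PatchCoverageSummary {
    $inventory = @(Get-InstalledSoftwareInventory)
    $third     = @($inventory | Where-Object ThirdParty)
    [pscustomobject]@{
        TotalPrograms        = $inventory.Count
        MicrosoftPrograms    = $inventory.Count - $third.Count
        ThirdPartyPrograms   = $third.Count
        # Each distinct publisher here is an update mechanism you must run
        # in addition to WSUS, or a product you should not be running.
        ThirdPartyPublishers = (($third.Publisher | Where-Object { $_ } | Sort-Object -Unique) -join ', ')
    }
}

Get-PatchCoverageSummary | Format-List
Get-InstalledSoftwareInventory | Where-Object ThirdParty | Format-Table Name, Version, Publisher -AutoSize
```

Run it on a representative workstation image and compare the third-party list against what your patch tooling actually updates; anything on the list with no update path is exactly the exposure the Secunia numbers describe.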

3. Ensure defense in depth with application whitelisting
Standalone AV is no longer an acceptable defense – it needs to be complemented with Whitelisting sooner rather than later. The evolving manageability of Whitelisting will allow it to finally take its role as a primary defense, and traditional AV will assume the role of cleaning up wayward malware that has been rendered ineffective by Whitelisting.
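The trust-model approach to whitelisting mentioned under trend 3, and the call here to make whitelisting a primary defense, both come down to the same mechanics: allow executables by who signed them rather than by individual hash, so the list survives vendor patches, and audit before you enforce. The following is an added example, not code from the original post or from any vendor, showing that workflow with Windows AppLocker. It assumes the AppLocker PowerShell module (Windows Enterprise or Server editions) and an elevated shell; the scan directory and output file path are assumptions for the example.

```powershell
# Added example, not from the original post: build an AppLocker allow-list for
# executables using publisher (code-signer) rules, falling back to hash rules
# only for unsigned files, then run it in AuditOnly mode before enforcing.
# Assumptions: AppLocker module available, elevated shell, paths below.

$trustedDir = 'C:\Program Files'                                # software on the approved build (assumption)
$policyXml  = Join-Path $env:TEMP 'AppLocker-Exe-Policy.xml'   # where the generated policy is written (assumption)

# 1. Gather publisher certificate, hash and path information for each executable.
$fileInfo = Get-AppLockerFileInformation -Directory $trustedDir -Recurse -FileType Exe

# 2. Generate the rules. -RuleType is an ordered preference: a Publisher rule
#    when the file is signed, a Hash rule otherwise. Publisher rules keep
#    working after the vendor patches the binary (the signer does not change),
#    which is what makes the trust model cheaper to administer than pure hashes.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone `
                    -RuleNamePrefix 'ApprovedBuild' -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Put the Exe rule collection in AuditOnly mode so violations are logged,
#    not blocked, while the list is tuned.
$xml = Get-Content -Path $policyXml -Raw
$xml = $xml -replace '(<RuleCollection Type="Exe" EnforcementMode=")[^"]*(")', '${1}AuditOnly${2}'
Set-Content -Path $policyXml -Value $xml -Encoding UTF8

# 4. Dry run against binaries that are not part of the approved build:
#    which of them would the policy deny?
function Test-WouldBeDenied {
    param([Parameter(Mandatory)] [string[]] $Paths)
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $Paths -User Everyone -Filter Denied, DeniedByDefault
}
$candidates = Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -Filter *.exe -File -ErrorAction SilentlyContinue
if ($candidates) { Test-WouldBeDenied -Paths $candidates.FullName }

# 5. Merge into the local policy and make sure the Application Identity service
#    (the component that evaluates AppLocker rules) starts automatically.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. Review audit events. Event ID 8003 in the AppLocker EXE and DLL log means
#    "would have been blocked" while the collection is in AuditOnly mode.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message -First 20
```

Two caveats a practitioner will hit: the rules generated here cover only the scanned directory, so before switching the collection to `Enabled` you must also have the AppLocker default rules (Windows and Program Files for everyone, everything for administrators) or the operating system itself will be denied; and the 8003 events are the tuning loop, since each one is either a legitimate program missing from the list or exactly the wayward payload the author wants stopped.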

4. Manage removable devices within the environment
How many more malware attacks have to use USB sticks as an infection vector before we address the associated risks? They have played a role in countless headline-grabbing attacks, yet they are often dismissed as a secondary and perhaps acceptable risk. The bottom line is you cannot get control of your risk until you have control of your removable media. Many would argue that they already have a policy in place to address USB devices. Unfortunately, the reality is that policies without technical enforcement are useless.
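Turning a written USB policy into technical enforcement on Windows does not require a third-party agent. The following is an added example, not code from the original post: a PowerShell script that sets the registry values written by the Removable Storage Access Group Policy for the "Removable Disks" device class (deny execute and deny write, read left allowed), and a companion function that reads the values back so the control can be audited rather than assumed. It assumes an elevated shell on a standalone machine; in a domain you would set the equivalent settings under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access instead of editing the registry directly.

```powershell
# Added example, not from the original post: enforce "no executables from USB"
# on a standalone Windows machine by writing the same registry policy values
# that the Removable Storage Access Group Policy writes, then verify them.
# Assumption: run from an elevated shell.

# Policy key for the "Removable Disks" device class (USB flash drives and similar).
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskPolicy {
    param(
        [bool] $DenyExecute = $true,   # block running programs from the device
        [bool] $DenyWrite   = $true,   # block copying data out to the device
        [bool] $DenyRead    = $false   # keep read access for approved inbound transfers
    )
    if (-not (Test-Path -Path $removableDisks)) {
        New-Item -Path $removableDisks -Force | Out-Null
    }
    $values = [ordered]@{
        Deny_Execute = $DenyExecute
        Deny_Write   = $DenyWrite
        Deny_Read    = $DenyRead
    }
    foreach ($pair in $values.GetEnumerator()) {
        # DWORD 1 = deny, 0 = allow; -Force creates or overwrites the value.
        New-ItemProperty -Path $removableDisks -Name $pair.Key -Value ([int]$pair.Value) -PropertyType DWord -Force | Out-Null
    }
}

function Get-RemovableDiskPolicy {
    # Returns the configured values (missing value = not denied) so the control
    # can be checked during an audit instead of being taken on faith.
    if (-not (Test-Path -Path $removableDisks)) { return $null }
    $p = Get-ItemProperty -Path $removableDisks
    [pscustomobject]@{
        DenyExecute = [bool]$p.Deny_Execute
        DenyWrite   = [bool]$p.Deny_Write
        DenyRead    = [bool]$p.Deny_Read
    }
}

Set-RemovableDiskPolicy
Get-RemovableDiskPolicy
```

Reboot before relying on the change, then confirm it the way an auditor would: plug in a flash drive and attempt to run an executable from it. If every class of removable storage should be blocked rather than just removable disks, the same Group Policy tree has an "All Removable Storage classes: Deny all access" setting that writes a `Deny_All` value under the parent `RemovableStorageDevices` key.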

5. Consolidation of endpoint security
Many organizations today have to deal with 3 to 6 different management consoles within their environments, and this is clearly information overload. Combine that with the overhead of running multiple agents (up to 10 in some cases), each inspecting the same packets or binaries over and over to apply their touch of “security” to them. The days of running best-of-breed point solutions are dwindling as they become too complex and burdensome to manage. I encourage clients to seek out solutions that can consolidate the management of their security infrastructure rather than continue their reliance on individual point solutions.