2009 top underreported technology stories: 3. Malware's new frontier: Organized gangs tricking users to act stupidly
If you're in IT, you spend countless hours defending the network from threats. But no matter how hard you work, the biggest threat doesn't come from outside the firewall, and it isn't from unpatched software or buffer overflows. The user is your biggest, albeit unwitting, enemy.
"If all software had zero exploits, it wouldn't drastically change the amount of successful hacking," says Roger A. Grimes, a security pro and InfoWorld's Security Adviser blogger. It's because the bad guys have elevated social engineering, the hack that takes advantage of a user's greed, lust, or simply naivete, to open the gates to malware.
Tricking users into visiting a phony, malware-laden Web page or clicking on a virus-laden attachment are hardly new tactics. But now hackers "have brought the industrial revolution to malware," and that makes their attacks deadlier and more pervasive than ever, says David Perry, global director of education for Trend Micro, whose global array of sensors now detects some 60,000 malware samples a day.
Mimicking traditional businesses, the hackers are working in large, highly structured organizations, like the Russian "partnerka," automating production and distribution and even outsourcing production to freelancers and smaller gangs in other countries.
Not long ago, most malware, including the infamous Jerusalem and Monkey, was self-contained, encompassing the replicator and the payload. But now, the encryption engine remains on a hacker's (or a zombie's) server, generating a new variant every few minutes, says Perry. The downloadables are scrambled just enough so that their patterns aren't recognized by conventional defenses. Sadly, an unintended consequence of Microsoft's decision to weaken the unpopular UAC (user access control) in Windows 7 is an operating system that may be more at risk of malware infection.
To be fair to users, some of the traditional advice they get from IT or popular publications is no longer adequate. IT, says Grimes, tells people to go to only trusted sites. Unfortunately, by the beginning of 2009, the majority of infectious sites were mainstream. In a typical attack, users of FoxNews.com were told they needed to install a new codec to watch clips on the site. Once installed, the "codec" turned out to be a malicious piece of code undetected by most defenses, Grimes recounts.
Even security sites aren't always safe. Last year, a blog belonging to Microsoft security expert Jesper M. Johansson was seeded with a link to a malware site embedded in a comment. Johansson noticed it, then backtracked, finally landing on a site hosted in Ukraine that ran a fake program called XP Anti-virus, which scanned nothing, of course, but did load malware.
Finally, it's clear that hacking has long since moved into the money-making mode through the use of keyloggers, scrapers, and other malware designed to steal personal and corporate data. A major source of malware is now an organization of hundreds of affiliated partnerka networks in Russia, says Dmitry Samosseiko of SophosLabs Canada. Indeed, the partnerkas are the main source of the "scareware" (malware that masquerades as anti-virus software), he says.