Dave - a recent note on "silent epidemic"

[David Farber <dave () farber net>]

Begin forwarded message:

From: Ken Kousky <kkousky () ip3inc com>
Date: September 21, 2006 7:10:35 PM GMT+02:00
To: dave () farber net, ip () v2 listbox com
Subject: Dave - a recent note on "silent epidemic"


Dave - our work on malicious code shows what PandaLabs calls "A Silent
Epidemic"

Thought this might be of interest to your list.

----------------------------------------
It's a Crime!


Over the past weeks, we've been exploring many of the most profound  
changes
in information assurance and IT security.  We try to blend our own  
survey
work, an ongoing review of industry writings, the daily news, and  
input from
all of you in government, industry, law enforcement and academia.
And the biggest issue is .. Criminal Exploits.
This is far more profound than it sounds. It means the exploits will
increasingly be more powerful and sophisticated while simultaneously  
being
far less visible.
Vandals want to be noticed. They want the world to see their initials  
on the
subway car or the side of the building.  Worms and viruses of old were
driven by "spray paint vandals".
That's no longer the case. Today's exploits are driven by a desire to  
make
money or to do specific, purposeful damage. The goal is not simply to  
show
that a worm can travel across the net and compromise 90% of the  
vulnerable
machines in less than 10 minutes.  That was already shown with the
Sasser/Slammer/Blaster exploits three years ago.  No, today's exploits
target sites like the million-dollar homepage which has repeatedly been
attacked by extortionists who flood the site and shut it down if they  
don't
get paid off. That's what the new exploits are all about.
PandaLabs' second quarter report documents the transition to more  
malicious
exploits, but the fact that these exploits don't self-replicate and
propagate as aggressively makes them less obvious.  So, there is a  
tendency
to assume things are getting better.  They're not.

Financial Motive for Malware Shows No Signs of Slowing -
The trend of Malware targeted for financial gain continues to grow  
according
to a recently released report by Panda Software.  More than 54% of  
the new
specimens detected by PandaLabs during the second quarter of 2006 were
trojans, compared to 47% in Q1.  Bots      also became more prevalent,
accounting for 16% of the total, which is an increase of 4% over  the
previous quarter.  In all, nearly nine out of ten (88%) new Malware  
in Q2
had cyber-crime potential.  The full report can be downloaded for  
free at
http://www.pandasoftware.com/pandalabsQ22006/.

Despite possible perceptions to the contrary, the quantity also  
continues to
increase - Panda mentions that in the past year its labs have  
received more
new Malware versions than in all the previous years combined. "It is
effectively a silent epidemic in that much of the code is designed to
install and operate without showing any of the traditional symptoms of
infection" states Ken Reynolds, Business Unit Manager for New  
Technologies
at Panda Software.  "This new dynamic makes signatures a less- 
effective form
of protection in a real-time environment.  Our software uses a  
combination
of autonomous behavioral analysis and genetic scanning heuristics to  
achieve
one of the highest rates in the industry for detecting previously  
unknown
Malware."
Another fallacy is that the bad guys aren't that smart.  So, even though
they're trying to make money, the good guys have them stopped.   
That's just
not the case.  In many eastern block countries, university educated
developers have better income opportunities writing code for the bad  
guys
rather than working for the good guys.  A development firm we're working
with in Romania explained that there is an entire underground market in
exploit code.  Indeed, last December's disclosure of the Microsoft WMF
vulnerability was found only after a legitimate firm bought exploited  
code
and reverse engineered it to learn how it compromised its victims.   
Crime
pays.  And if it pays more than we're spending on defenses, we're in
trouble.
So, how do people take exploited code and put it to malicious work to
generate income?
Here are the BIG BAD FIVE -
1)       Botnets used for spam relays - classical use but still a viable
business
2)       Botnets used for DDOS extortion attacks - this is much  
bigger than
anybody realizes since it's not in our neighborhood; most targeted  
sites are
pornography and online gaming. Most of these target sites are working  
at the
fringes of the law or at least of social acceptability. This has led  
to a
situation where law enforcement ignores the problem. There are  
bigger, more
legitimate crimes needing attention, but by ignoring these extortion  
gangs,
the gangs get more powerful tools.  It's really just like the street  
gangs
that emerge in any community lacking adequate police protection and
surveillance. Extortion and protection are profitable businesses on some
areas of the net. The exploits and tools sometimes get out of hand.  
Michael
Bloomberg, Mayor of New York was actually the victim of an attempted  
DDoS
extortion attack on Bloomberg's online financial services. Things can  
get
out of hand quickly.
3)       Botnets used for click fraud - this is a sleeper that is easily
overlooked.  But, Google, Microsoft, Yahoo and others have little  
interest
in cleaning up fraudulent clicks.  So, if I can set up a site that hosts
high paying ads, cycle the ads through and use my zombie machines to  
click
the ads, I can have thousands of unique IP addresses hit each  
successive ad
and get paid by the likes of Google (who's already settled one suit  
for over
$100m with advertisers based on this issue).  Some Industry experts  
suggest
as much as 20% of all ad clicks on words priced over $2/click are
fraudulent!
4)       Theft of intellectual property - most likely the bulk of these
exploits are commercial industrial espionage and will never be  
detected or
reported - you'll just start seeing a smarter more aggressive  
competitor.
Losing deals is rarely associated with computer security, but last  
year's
escapades in Israel demonstrated the extent to which well establish  
public
companies are aggressively playing this game.  More likely, the major  
way
inside information is being monetized is through stock trading based on
compromised information.  The SEC has looked at the "leakage" problem  
for
years.  Large computer databases can tell who bought or sold the  
stock in
large volume prior to critical news releases, but the SEC lacks the  
ability
to tie these trades to ill-gained information.
5)       Consumer exploits - identity theft, phishing and auction  
fraud are
the final cluster.  I   lump these together since they are a unique  
class of
exploits that are driven by the mechanisms used to convert the  
information
systematically to cash.
Remember, the bad guys are increasingly organized and well-educated.   
They
are working the fringes; where law enforcement isn't present.  They're
honing their skills.

The universal challenge we face is this - while there's a great deal of
contradictory evidence on the magnitude of current exploits- they are  
there;
and they are getting worse.  Sounds like the meteorologists who tell  
us the
conditions for serious hurricanes are worse than they have been for  
years,
and these grave conditions will remain with us for several years to  
come.
Do we have to have another Katrina to understand the risk conditions  
have
changed?  I've heard several experts say that without a major hurricane
hitting land this year, we'll be back to fully developing coast land  
that is
certain to be devastated again.
IP3 believes the growth in criminal activity is profoundly changing  
the risk
conditions.  Unlike the vandals who created worms with the goal of
demonstrating their technical prowess, criminals usually have an  
economic
goal.  To attain this goal, they do not want to be discovered.   
Often, being
discovered will likely prevent them from attaining their goals. The best
crimes are going undetected.
Year's ago, I heard Paul Judge of CipherTrust present an argument  
that the
net would soon have so much spam and illicit mail that it made more  
sense to
find the good mail than to filter the bad.

We may soon be looking at the same kind of traffic perspective.  
That's what
NAC (Network Access Control) is really about.
There are numerous means of making money maliciously on the net.
Unfortunately, most of these (means) go either undetected or at least  
draw
minimal attention from law enforcement.
Spam relays are an obvious example.  They are not the only  
opportunity for
commercial exploits.  Botnets are frequently used as attack agents in  
the
distributed denial of service attacks (DDOS).
Certainly a botnet can be leveraged and sold simply as a mechanism for
distributing junk mail.  But there are many other clever uses of a  
network
of compromised machines.  We usually hear these networks referred to as
botnets.
Botnets are frequently used as attack agents in the distributed  
denial of
service attacks as well.  Crime pays.  Botnets are as hot as the  
market for
handguns, and soon we might even have a National Botnet Association
protecting the rights of bot herders.

Stay safe - more on botnets next week.
Ken Kousky, CEO
IP3 Inc
        




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/