Final countdown

Botnets, spam, malware, phishing - the list of security threats continues to get longer and more alarming. ARN spoke to a range of security experts and came up with the 10 biggest security threats looming in 2008. We also asked vendors and analysts for advice on how the channel can help their customers deal with these issues.


Sophos channel manager, Zoe Nicholson, said mail security is considered to be well in hand because defeating corporate mail security is getting harder. However, Cisco security lead, Colin Bradley, said spam volumes were still surging, going up massively even as recently as January, according to research from the vendor's IronPort subsidiary.

Meanwhile, Australian law may soon follow the US and force organisations to declare information leaks, regardless of whether they are exploited.

"There is a real need for companies to take, and to be seen to take, precautions," Nicholson said. "Web infections advertise that a customer's brand isn't properly secured."


Spam victims should evaluate new products and services. Image, PDF spam and MP3 spam are all conquerable. Email is a leading route to data leakage, yet few companies filter outbound email with the zeal they show guarding their inbox. "That should be 2008's security 'to-do'," Nicholson said.

Bradley said IronPort Internet and network gateway appliances combated spam via the context adaptive scanning engine (CASE) and reputation filtering. He claimed this stops up to 80 per cent of spam at the connection level. IronPort appliances also offer rate limiting capability - meaning that potential spam from suspect addresses can be slowed down rather than accepted at full speed. A 24/7 threat response centre is also a boon to users and managed security service providers aiming to respond quickly to attacks.
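The connection-level controls described above (refusing sessions from senders with a bad reputation, and rate limiting rather than rejecting merely suspect ones) can be illustrated with a small policy engine. This is an added example, not IronPort's CASE or reputation code; the reputation scores, thresholds, IP addresses and connection log are constructed for illustration and a real gateway would query a reputation service instead of a local table.

```python
"""Connection-level spam controls: reputation check first, then per-IP rate limiting.

Added example; not vendor code. All scores, limits and addresses are constructed.
"""
from collections import defaultdict, deque

# Constructed reputation table: score in [-10, +10], lower is worse.
REPUTATION = {
    "203.0.113.7": -8.5,    # known spam source
    "198.51.100.20": -2.0,  # suspect sender
    "192.0.2.10": 6.0,      # well-behaved sender
}

REJECT_BELOW = -5.0      # refuse the SMTP session before any mail is accepted
THROTTLE_BELOW = 0.0     # accept, but cap connections per window
WINDOW_SECONDS = 60
SUSPECT_LIMIT = 2        # connections per window for suspect senders
TRUSTED_LIMIT = 50       # connections per window for everyone else


class ConnectionPolicy:
    """Decides accept / throttle / reject per inbound connection, keeping a sliding window per IP."""

    def __init__(self):
        # ip -> timestamps of connections accepted inside the current window
        self._history = defaultdict(deque)

    def decide(self, ip: str, ts: float) -> str:
        # Unknown senders are treated as mildly suspect rather than trusted.
        score = REPUTATION.get(ip, -1.0)
        if score < REJECT_BELOW:
            return "reject"
        limit = SUSPECT_LIMIT if score < THROTTLE_BELOW else TRUSTED_LIMIT
        hist = self._history[ip]
        # Drop timestamps that have aged out of the window.
        while hist and ts - hist[0] >= WINDOW_SECONDS:
            hist.popleft()
        if len(hist) >= limit:
            return "throttle"   # slow the sender down instead of accepting more mail
        hist.append(ts)
        return "accept"


# Constructed connection log: (seconds since start, source IP)
CONNECTIONS = [
    (0, "203.0.113.7"),
    (1, "198.51.100.20"),
    (2, "198.51.100.20"),
    (3, "198.51.100.20"),
    (4, "192.0.2.10"),
    (70, "198.51.100.20"),   # window has rolled over, so this one is accepted again
]


def run(log):
    """Apply the policy to a connection log and return (ip, decision) pairs."""
    policy = ConnectionPolicy()
    return [(ip, policy.decide(ip, ts)) for ts, ip in log]


def stopped_at_connection_level(log):
    """Fraction of connections that never reached content scanning (rejected or throttled)."""
    decisions = run(log)
    blocked = sum(1 for _, d in decisions if d != "accept")
    return blocked / len(decisions) if decisions else 0.0


if __name__ == "__main__":
    for ip, decision in run(CONNECTIONS):
        print(f"{ip:15} {decision}")
```

The point of the ordering is cost: a reputation lookup and a counter are far cheaper than content scanning, so everything the policy can settle here never has to be opened by the scanning engine.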

Software solutions include McAfee's Host Intrusion Protection for Desktops.


The widespread belief that Linux and Apple platforms are more secure and low-risk than their Microsoft counterpart is already being called into question. Sophos Asia-Pacific head of technology, Paul Ducklin, claimed Linux servers could act like an army of 'Typhoid Marys'. While remaining unaffected themselves, they host about half the 6000 newly-infected Web pages Sophos discovers each day.

"Today's Web security problems are greatly magnified by Linux servers," Ducklin said. "It's a great opportunity for selling security software to people who have for years assumed they didn't need it."

According to Sophos' 2008 security threat report, organised criminal gangs seeking pecuniary reward began targeting Macs for the first time last year. Mac malware has been seen before but November 2007 saw various malicious OSX/RSPlug trojans planted on websites to infect passing Apple machines for the purposes of phishing and identity theft.

Websense chief technology officer, Dr Richard Cullen, said cross-platform attacks are tipped to target "the Macs and iPhones of the world" and pollution of Web 2.0 applications, blogs and blog comment is already happening.


Linux and Mac users need to be aware that their machines do represent a business security hole - especially when, as with Linux servers, they are part of a company network - and need to patch those holes, beginning with basic Internet security fixes such as antivirus. Resellers can also play a role in the customer education process.


The very mobility of modern IT makes it easy for the less ethical to steal business information. Portable mobile devices fill a business need because they offer anytime access to corporate information almost anywhere - and therein lies the problem. According to Gartner, handhelds are becoming popular as online banking and enterprise remote access devices. Enterprise users inside the firewall are increasingly adopting smartcards and USB tokens for authentication on the go but user mobile devices are more convenient.


Check Point country manager, Scott McKinnel, said its Pointsec Mobile solution offers USB or external drive encryption and secures data stored on mobile devices such as PDAs or phones. WatchGuard regional director, Scott Robertson, said the vendor is introducing SSL into its Edge 10.0 range, which will be available as a subscription. "Certainly as we see remote workers increasing on the network, having secure remote access is an important part of looking after that network," he said.

Trend Micro premium services manager, Adam Biviano, and enterprise sales director, Michael May, said it also offered a Mobile Security Suite for spam and data encryption on the handset.



Last year saw crimeware writers turn old school and utilise parasitic viruses with a pecuniary mission such as Grum, Virut, and Almanahe, McAfee technical sales director, Michael Santonas, said. Variants of an older parasitic threat, Philis, multiplied 400 per cent, while 400 variants of newcomer, Fujacks, were catalogued. McAfee expects a continued interest in parasite activity, with overall parasitic malware expected to grow 20 per cent in 2008, he said.


Part of the answer is policy, practice, patch and patch again. As Sophos' Nicholson noted, four Iframe or JavaScript nasties, which probe for weak spots on the network, are found by Sophos every minute. "One PC with one incorrectly patched DLL might be enough of a wedge to get in. And, chances are, if a few PCs are missing, say, an XML patch from 12 months ago, and you haven't noticed yet, you aren't ever going to know. If you can't measure it, you can't fix it," she said.


A report on the Reuters wire service in December alleged that a Russian company had created an online flirting bot called CyberLover, which trawled online dating websites to 'flirt' with unsuspecting women and potentially steal their personal details. Security vendor, PC Tools, told Reuters the Russian pillow-talking bot could be hitting an online chat or dating website near you. According to PC Tools, CyberLover's artificial intelligence is convincing enough that users have trouble distinguishing the bot from the genuinely amorous. Even though the slick chat it employs means it can establish 20 'relationships' an hour, the romance could turn serious, the vendor warned.

"As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering," PC Tools senior analyst, Sergei Shevchenko, said. CyberLover compiles name, contact information and photos on every person it 'meets', and can encourage the smitten or curious to visit its own 'personal' website - offering the potential for more serious malware attacks to be launched.

Shevchenko said the program can monitor Internet browser activity, automatically recognise and fill in the fields in the Web pages, generate keystrokes and mouse clicks, and post messages, URLs, files and photos.

Allegedly, though, the Russian company that invented CyberLover said it was not created to commit fraud but as a legitimate tool for online interaction.

Various news reports at the time claimed CyberLover would launch worldwide in February. Sadly, ARN didn't get to meet CyberLover: the website,, was offline.


Nicholson said rootkits had grown into an issue of their own, largely due to a paucity of quality rootkit solutions. This was especially true within Internet security packages. "Keyloggers and things like that link into identity theft," she said. "So you're still getting traditional malware but the actual payload is more fraudulent."

Gartner security analyst, Andrew Walls, said today's malware creators aren't as interested in simply taking a machine offline. Instead, smart cyber criminals want their malware to work undetected in the background and are trying to lift specific information, such as personal data. In some ways, he suggested, such attacks could be getting easier as increasing automation of systems meant fewer human eyeballs were monitoring any given network or machine for aberrant behaviour.


Sophos Endpoint Security and Control 7.0 includes a rootkit detection module. Resellers should check their solution of choice has something of the sort, Nicholson said. Resellers should also assess service response time to unpredictable attacks and whether a vendor had strong local support and their own technology, she said.


Gartner's Walls said 2008 would see more emphasis on threats targeting the application, rather than the operating system. Although Microsoft's latest operating system, Vista, is likely - like previous iterations of the Windows platform - to act as a honeypot for myriad attacks as adoption rises, more hackers and crackers are going to seek a way into the PC via specific applications - like instant messaging or VoIP. McAfee's Santonas said Vista remains a focus for risk regardless of Microsoft's efforts to boost the operating system's security. "There were more vulnerabilities discovered in the first few months of release than in the first nine months of XP," he said. "Some of those vulnerabilities might not be as critical but it gives you an indication of vulnerability."

Trend Micro's May said the move to virtualisation also raised questions around protecting virtual applications and machines. He said products around this issue would soon be announced.


Cisco's Bradley said most people focusing on data leakage had looked at endpoint security. Products such as Network Access Control (NAC), and Trend Micro's Endpoint Security and OfficeScan help. However, resellers needed to look at more network-centric solutions for the best possible response to application-based threats, Bradley said.

"You need to look at protecting the applications themselves," he said.

Resellers need to skill up to tackle the multiplicity of threats and threat vectors - with an eye to the actual targeting of applications. Gone are the days when a reseller could get by bundling in an Internet security package in a deployment, he said. "Resellers have tended to have a data-center team, a security team, a networking team - all these silos of information. You've got to get them to share knowledge [to tackle the modern security challenges]," Bradley said.



Sophos' Nicholson said phishing wasn't going away anytime soon - if anything, attacks are going to get more serious as phish smarten up. Website spoofing is expected to get more convincing, while phish emails are already ditching some of the amateur spellings and poor-quality emulations that made early versions easy to pick for the reasonably savvy punter.

Websense's Cullen said another serious development to watch out for is dodgy code infiltrating websites. Instead of merely spoofing users via an emailed link, JavaScript could be hosted on Google to take you to an attacker's endpoint, he said. "And we'll see polymorphic JavaScript increase over the next year."

Cyber criminals may soon plant phishing hooks on real banking websites, for example, that mimic a link on that page but take users to a spoofed version where they can be relieved of their credit card numbers and personal details.
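One check a mail gateway or security-awareness tool can run for the trick described above (a link whose visible text is a bank's address while its real destination is somewhere else) is to compare the domain a link displays with the domain its href actually points to. The following is an added example, not code from any vendor quoted on this page; the HTML email below is constructed, uses reserved example domains, and the `registrable()` helper is a deliberate simplification that a production tool would replace with a Public Suffix List lookup.

```python
"""Flag anchors whose visible text names one domain while the href goes to another.

Added example; the sample email is constructed and the domains are reserved examples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable(host: str) -> str:
    """Crude registrable-domain reduction (last two labels).

    Simplification for the example: real code should use the Public Suffix List,
    otherwise co.uk-style suffixes are mishandled.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text: str) -> bool:
    """True if the anchor text itself reads as a web address."""
    t = text.lower()
    return t.startswith(("http://", "https://", "www.")) or ("." in t and " " not in t)


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain string."""
    t = text if "://" in text else "http://" + text
    return urlparse(t).hostname or ""


def find_mismatched_links(html: str):
    """Return (shown_text, real_href) for links whose shown domain != destination domain."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue   # 'Click here' style text carries no domain claim to check
        shown = registrable(host_of(text))
        actual = registrable(host_of(href))
        if shown and actual and shown != actual:
            flagged.append((text, href))
    return flagged


# Constructed HTML email body: one deceptive link, one honest link, one neutral link.
SAMPLE_EMAIL = """
<p>Your account needs verification. Please log in at
<a href="http://secure-login.example.net/bank">www.examplebank.example</a></p>
<p>Help centre: <a href="https://www.examplebank.example/help">www.examplebank.example/help</a></p>
<p>Unsubscribe: <a href="https://tracker.example.org/c/123">Click here</a></p>
"""

if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_EMAIL):
        print(f"shown as {shown!r} but points to {real!r}")
```

The check only fires when the anchor text itself makes a domain claim; plain "Click here" links are left to other controls such as URL reputation, since there is no displayed domain to contradict.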

According to Trend Micro's Biviano and May, Java applets can sit behind the website and do harm without users noticing a difference. Web-based threats are now the tool of choice for malware writers.

"You'll see emails that come with a URL you click on, that will use the same sort of social engineering we've seen in the past," Biviano said.

"The industry is evolving to target attacks more precisely - at executives in the organisation, for example," May added. Biviano said 88 per cent of recent malware incidents were Web-based and many of these bot-related.


Email protection such as Trend Micro's WebMarshal Gateway can help screen phish. Meanwhile, vendors and resellers are offering services that help tackle the problem.

"We're now seeing a lot of banks doing two- and three-factor identification to get onto their websites and so forth. And we have phish alerts letting them know when they've been compromised," Nicholson said.

Other than that, the best defence against phish remains customer education - coupled with constant vigilance for small changes in website details or a company's practices online. And that will get increasingly difficult as the phishers' tactics get more sophisticated.


The annual McAfee Virtual Criminology Report is based on input from NATO, the FBI, the Serious Organised Crime Agency, and various groups and universities. The report for 2008 found:
• Governments and allied groups are using the Internet for cyber spying and cyber attacks.
• Targets include critical national infrastructure network systems such as electricity, air traffic control, financial markets and government computer networks.
• 120 countries are now using the Internet for Web espionage operations.
• Many cyber attacks originate from China, and the Chinese government has publicly stated that it is pursuing activities in cyber espionage.
• Cyber assaults have become more sophisticated in their nature and are designed to specifically slip under the radar of government cyber defences.
• Attacks have progressed from initial curiosity probes to well-funded and well-organised operations for political, military, economic and technical espionage.
Threats to personal data and online services include:
• Genetically modified 'super' threats: A new level of complexity in malware. These super-strength threats may be more resilient, modified repeatedly like recombinant DNA, and contain sophisticated functionality such as encryption draw. The Nuwar or Storm Worm was the first example, and McAfee predicts more in 2008.
• New technology, new threats - vishing and phreaking: There have been several high-profile 'vishing' (phishing via VoIP) and 'phreaking' (hacking into telephone networks to make long distance phone calls) attacks. In Japan, 50 per cent of all data breaches have been via peer-to-peer software. Cybercriminals will look for ways to exploit the popularity of applications on social networking sites such as MySpace and Facebook.
• A run on banks: Cyber attacks could destroy public trust in online banking and slow e-commerce. Critics believe online banking security will not be effective or fast enough.
• The underground economy already includes specialised auction sites, product advertising and support services, and competition is so fierce that 'customer service' has become a specific selling point.
• The cost of renting a spamming platform has fallen. Criminals can now buy custom-written trojans aimed at stealing credit card data.
• The 'white market' to buy and sell software flaws - back-door vulnerabilities with no available patch - is fuelling a virtual arms trade. Software flaws can fetch up to $US75,000.



Marshal technical consultant, Oscar Marquez, said the multi-million-computer Storm botnet that generated media hysteria in 2007 had already been overtaken by the Mega-D or Mega-Dik 'sexual enhancement' spam botnet in January. Mega-D accounted for 32 per cent of the world's spam in February. The Pushdo or Celebrity botnet, responsible for six per cent of spam, was the most active at sending emails that turned user PCs into zombies, according to Marshal research. For Marquez, the technical sophistication of such botnets is just the beginning.

Gartner's Walls spelled out a more frightening scenario and pointed out giant botnets like Storm had been extremely aggressive and effective, despite vendors' and customers' best efforts. "Are we actually ready to deal with the level of impact these botnets would have if they were working to launch actual attacks?" he asked.


Marquez claimed Marshal's MailMarshal email security and Web gateway product is developed to address the botnet risk. Vendors are also collaborating on botnet defences on a wider scale. Marshal has been approached by vendors, including Symantec, Trend Micro and Arbor Networks, with a view to partnering to address the botnet problem. Trend Micro and Arbor Networks have also begun monitoring and blogging about Mega-D.

WatchGuard's Robertson said proxy based firewalls - such as its Core Range of 550e, 750e and 1250e appliances bundled with unified threat management (UTM) - can limit botnet attacks. Third-generation, proxy-based firewalls protect all layers and maintain data streams in both directions. They also terminate the time-to-live field in the IP header.


Much of the more sophisticated malware out there today - whether phish, rootkit or trojan - falls into the category of blended threats. 2007 was big for blended threats; expect 2008 to be even bigger.

Trend Micro predicts the number of trojans will grow exponentially this year. In 2007, users saw a renaissance of the attack style - although the more traditional attacks are now better hidden and pack a comparatively powerful payload. "Basically it's about bots - because the Trojans give rise to bots," Biviano said.


WatchGuard's Robertson said blended threats are certainly on the rise as malware increases in complexity and sophistication. The vendor's product is built around a proprietary architecture that investigates packets as they arrive on the network, at seven layers. "We believe you have to look deeper into each packet [to see what might be there]," he said. Awareness had definitely risen but educating users was still top priority when it came to all kinds of security threats. "Education, locally and at an international level, and compliance and more emphasis on information leakage [are what is needed]," Robertson said.



"If 2007 was the year of encrypting laptops, 2008 will be the year of encrypting USB flash drives," according to Jay Cline at Minnesota Privacy Consultants. "These easily concealed devices are the preferred method for purloining data from corporate machines to non-corporate environments, and with their increases in speed and capacity, they will supplant laptops as the leading cause of security breaches."

With USB keys in almost every employee's pocket and reports of laptops going missing, and data being downloaded from company PCs via USB or iPod already abounding, Check Point's McKinnel tipped information leakage as the biggest security threat to businesses during 2008.


Resellers must weigh up their customers' security versus usability needs. "A lot of government departments haven't moved towards laptops, and their machines don't have USB drives," McKinnel said. "This could be inconvenient in some businesses. So 50 per cent of the solution is the physical thing itself; the other part of it is port control."

McKinnel suggested the channel also look to solutions that encrypt all traffic. This means that even if data is downloaded via USB and launched elsewhere, it cannot be read without re-entering a username and password. Check Point has three relevant Pointsec solutions - a laptop encryption device or software, port control software, and USB encryption software.


While there's plenty of technology coming through to tackle security from a technical perspective, Gartner's Walls pointed out organisations needed to keep an eye on their people first and foremost. He claimed insiders are the most common source of security breaches. "It's easier to take advantage of people than technology," Walls said. "And it costs a lot of money to do [law] enforcement activities."


In 2006 and 2007, Trend Micro saw malware spread by malicious websites where each victim got a unique version of a trojan. Some websites hosting ZLOB fake codecs, for instance, install a trojan with a different identifier for each victim. Cyber criminals can keep the mutation algorithm of the trojans wholly on the server hosting the malicious files. In contrast to polymorphic viruses, the mutation algorithms do not need to be distributed along with the malware. This allows the mutation algorithm to remain confidential and makes it tricky to write pattern files that cover all malware spread by the malicious website. Trend Micro threat researchers expect polymorphism of malware on the server side will develop further in 2008.
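The defensive consequence of the server-side polymorphism described above is that exact file hashes stop being useful: every download is a new hash, while the functional core is unchanged. The following added example (not Trend Micro's research code) shows this on constructed byte samples standing in for per-victim downloads of one trojan plus one unrelated file: their SHA-256 digests are all distinct, yet a byte 4-gram Jaccard similarity still groups the variants into one family. The sample contents, threshold and clustering rule are all assumptions for illustration; production tooling would use richer features (imports, section structure, behaviour) rather than raw n-grams.

```python
"""Why per-victim variants defeat hash matching, and how similarity-based grouping still works.

Added example; samples are constructed byte strings, not real malware.
"""
import hashlib

# Constructed samples: same functional core, different per-victim id and padding.
# The hostname is a reserved .invalid name, so it resolves nowhere.
CORE = b"core:beacon(c2.example.invalid:443);harvest(browser-data);"
SAMPLES = {
    "victim_a.bin": b"MZ\x90\x00" + CORE + b"id=0001;" + b"\x00" * 17,
    "victim_b.bin": b"MZ\x90\x00" + b"pad:" + b"\xab" * 9 + CORE + b"id=0002;",
    "victim_c.bin": b"MZ\x90\x00" + CORE + b"id=0003;" + b"\xff" * 5,
    "benign.bin":   b"MZ\x90\x00" + b"hello world application; prints a greeting and exits;" + b"\x00" * 20,
}


def sha256_hex(data: bytes) -> str:
    """Exact-match signature: changes whenever a single byte changes."""
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = 4):
    """Set of all length-n byte substrings; order-insensitive, tolerant of insertions."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard index of the two n-gram sets: |A & B| / |A | B|."""
    sa, sb = ngrams(a, n), ngrams(b, n)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def cluster_by_similarity(samples: dict, threshold: float = 0.5):
    """Greedy grouping: a sample joins the first cluster whose first member it resembles.

    Simple single-representative rule chosen for clarity; real pipelines use
    proper clustering over many features.
    """
    clusters = []
    for name, data in samples.items():
        for members in clusters:
            if jaccard(data, samples[members[0]]) >= threshold:
                members.append(name)
                break
        else:
            clusters.append([name])
    return clusters


def distinct_hash_count(samples: dict) -> int:
    """How many distinct exact hashes the sample set produces."""
    return len({sha256_hex(d) for d in samples.values()})


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13} {sha256_hex(data)[:16]}...")
    print("clusters:", cluster_by_similarity(SAMPLES))
```

Every variant would need its own entry in a hash-based pattern file, which is exactly the maintenance burden the paragraph describes; a similarity measure over the invariant core catches the whole family with one rule, at the cost of having to pick a threshold that does not also sweep in unrelated files.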