GhostNet highlights evolving threat environment
- 30 March, 2009 19:56
The high-profile disclosure over the weekend of the GhostNet cyberespionage ring that targeted 1,295 computers in more than 100 countries underscores how highly targeted and sophisticated attacks, often run by criminals, are changing the security landscape, according to a security researcher at Symantec.
"How much is the landscape changing? It's changing drastically," said Joe Pasqua, vice president of research at Symantec Research Labs.
GhostNet, documented in a report released on Sunday by the SecDev Group's Information Warfare Monitor and the Munk Center for International Studies at the University of Toronto, used malware and social engineering to give attackers full access to compromised computers. It also let attackers control the video cameras and microphones of these computers, letting them remotely monitor activity in the room where the computer was located.
"It's another example of the sophistication of the types of attacks that are being put together," Pasqua said.
The highly targeted nature of GhostNet and similar attacks makes it difficult for antivirus vendors to respond quickly.
"In the old days, you had a threat that targeted hundreds of thousands of people. It was extremely likely that Symantec was going to have a copy of it very early on and the vast majority of those hundreds of thousands of people were going to be protected," Pasqua said. "Now you have these targeted attacks that may only target a handful of people."
"By the time we get a sample, it can be too late. They've already gone and morphed into another variant," he said. "There's no end in sight."
While there has been a lot of speculation that GhostNet was developed and controlled by the Chinese government, criminal groups are just as likely to be responsible for these types of attacks.
"The profile of the attackers has completely changed over the last few years and has gone from vandals, kids looking to have some fun and make a reputation for themselves, into a very economically motivated body of attackers," Pasqua said. "They are getting more sophisticated in what they're doing and, furthermore, they are acquiring larger resources."
To help counter the changing security threat, Symantec Research Labs is developing security technologies that are based on virtualization or use reputation to separate trusted Web sites and servers from machines that could pose a threat.
"My team is also doing advanced research in behavioral analysis as well as automatic signature generation," Pasqua said.
Symantec's aim is to match the automated generation of new malware variants by attackers. "Instead of fingerprinting specific pieces of malware, in essence we fingerprint these behaviors," he said.
Technical measures alone can't stop determined attackers. In the case of GhostNet, social engineering was a key component of the attack, used to trick users into downloading malware without their knowledge. This is an area where companies and individuals need to take steps to protect themselves.
"Education is an important thing, getting the word out on good hygiene and good behavior for users on the Internet is important for everyone," Pasqua said.