Ten emerging malware trends for 2007
The bad guys have cranked up their malware-generating machine in the past couple of years, honing their methods to create powerful malicious code. And, the small trickles of advanced malware that we have seen in recent months are indicative of a tumultuous future. Here are 10 trends to keep an eye on from the malware front: 9) Totally smashing trust with evil certs 8) Editing network configurations and disabling antimalware tools in multiple ways 7) Self-updating malware and metamorphic code 6) Peer-to-peer botnets 5). Script-based worms for Web 2.0 site 4) Client-side exploits 3) Privilege escalation attacks 2) Really big botnets (RBBs) 1) Move to non-computer platforms About the author:
10) Spyware protected by rootkits
Spyware authors primarily make money when their software injects advertisements into a user's surfing experience, sends spam from a user's machine or performs keystroke logging to snag account numbers from a victim. The longer spyware is installed on a system, the more money an attacker can make. Enter rootkits, which alter operating system software so an attacker can hide code while maintaining control of the system. Today's sophisticated rootkits can hide attackers' files, processes and network usage from unsuspecting users and system administrators. This powerful combination, which sticks spyware to the victim machine using rootkit techniques, makes detecting and eradicating malware very difficult indeed. To fend off such attacks, keep antivirus and antispyware tools up-to-date, and utilize free rootkit-detection tools, like Microsoft's Rootkit Revealer, F-Secure Corp's Blacklight, Sophos' Anti-Rootkit, McAfee Inc.'s Rootkit Detective and Trend Micro Inc.'s RootKitBuster.
When a browser is installed, it contains certain digital certificates of certificate authority companies that your browser vendor believes are trustworthy. These companies can generate certificates for other organizations, such as banks, ecommerce companies and software vendors. Unfortunately, some savvy hackers have started to install alternative, evil certificates into the browsers of infected machines, meaning even after a victim discovers and removes an attacker's spyware, a phony certificate would tell the previously infected machine's browser to trust malicious Web sites, making reinfection easier. To mitigate this threat, I recommend periodically checking the trusted certificate authorities that are configured in your browser, and verify that those companies can be trusted. Internet Explorer users can check these certs by going to Tools then Internet Options then Content then Certificates. Once in the Certificate tab look under Intermediate Certificate Authorities then Trusted Root Certification Authorities then Trusted Publishers.
For years, some malware samples have attempted to foil antivirus and antispyware updates by altering a local hosts file to point the domain names of the various antimalware vendors to 127.0.0.1. That way, when the antimalware tool tries to receive its update, it resolves the vendor's domain name to localhost, where, unfortunately, there isn't a server waiting to deliver signature updates. Look for hackers to bring this technique to new levels this year. While altering a host file is pretty blatant, attackers have started using more subtle tactics, like attempting to change personal firewall settings to block access to antimalware sites or running scripts that turn off various antivirus and antispyware tools. Hackers are deploying malware that renders the antimalware tool blind, a tactic that's harder for users to spot. To defend against such attacks, pay attention to the update status of your antivirus tool; verify that it can download new signatures. It is also wise to periodically check your antivirus tool. I recommend using the EIcertificate authorityR's free antivirus test file. If an antimalware tool cannot detect EIcertificate authorityR, in all likelihood, it has been disabled.
In an effort to stay ahead of antimalware signature updates and to deploy new functionality to extend the capabilities of their botnets, attackers are increasingly deploying self-updating malware. Such tools poll attacker-controlled Web sites for the latest updates, which bad guys can effortlessly install on hundreds of thousands of machines in just minutes. In effect, the attackers are implementing distributed software distribution, not unlike their own private Windows Server Update Services (WSUS). To stay ahead of this trend, update antivirus and antispyware tools once a day, and use tools like Microsoft Sysinternals' TCPView to look for unusual connection activity going to or from the system.
Historically, botnets have been controlled using Internet Relay Chat (IRC). Each bot logs into the same IRC channel as its creator. The attacker issues commands, which all of the bots read and then perform. But, there's a problem with this for the bad guys – there is a single point of failure. If investigators shut down the IRC server or remove the channel, the botnet cannot accept commands, preventing the attacker from communicating with his minions of infected machines. To avoid this, attackers are starting to use peer-to-peer (P2P) protocols to direct botnets without a central point of control. Some cutting-edge criminals are also looking for ways to control botnets using the Waste and Skype protocols used for Internet-based phone calls. These two techniques indicate the attackers are, in effect, creating highly distributed systems and are devising clever mechanisms for managing their distributed empires. To prevent this information security threat, use a tool like TCPView or the netstat command to look for unusual communications streams going to or from the system.
Recently, we've seen attackers exploiting Web services, which often allow one user to post information that thousands of other users can read. These so-called "Web 2.0" services include MySpace, Facebook, Gmail and countless others. Some are vulnerable to cross-site scripting attacks, in which malicious hackers post a script to their page in the service, and trick users into viewing the page via a browser. Once the victim reads the page, his or her browser runs the attacker's script. This script then uses the victim's account to add the script to the victim's own profile. If anyone else were to read this victim's profile, their account will become infected. The contagion then spreads, account to account, using victim's browser as the vehicle to run scripts from other users' profiles. To help defend against Web 2.0 attacks log out of any accounts and browsers when not in use.
As Microsoft has worked to eliminate server-side exploits, attackers are increasingly hunting for exploitable vulnerabilities in client-side software, including browsers, file viewers and music applications. In 2006, we saw several zero-day attacks in software like Internet Explorer, Microsoft Word, Microsoft PowerPoint and others. After creating an evil file that exploits the given client software, attackers then spew it out in spam or load it onto Web sites around the world, exploiting users who read the email attachment or simply surf to the wrong site. Look for many, many more of these in the future. To defend against them, diligently patch computers and ensure that antimalware software is current; if an enterprise system is vulnerable, detecting and removing malicious code is easier. Finally, consider using host-based intrusion prevention systems (HIPS), such as McAfee's Entercept and Cisco Systems Inc.'s Security Agent. HIPSes can defend against many attacks that haven't been seen by preventing the actions exploitable applications may take.
With the release of Windows Vista, Microsoft has worked hard to create an operating system that more carefully divides user privileges. With Vista, it should be easier to deploy users in roles that let them get work done, without granting them local administrator privileges. This is certainly a good advance if the Microsoft promises are accurate. Too many organizations today let users surf the Web and read email from admin-based accounts. But if Windows Vista succeeds and eases the deployment of users without admin rights, attackers will most certainly need to develop new techniques. They'll still be able to break in with a client-side exploit, but, because clients have limited privileges, they won't have complete control of victims' machines. Therefore, look for attackers to focus heavily on finding local privilege-escalation attacks that will jack up their non-admin accounts to local system privileges, the most powerful local rights on a Windows machine you can have. To defend against what may be an avalanche of these exploits in 2007, keep Windows patched and deploy antivirus and antispyware tools.
It almost seems quaint to think of the botnets of a decade ago, with one to three hundred systems under control of one malicious hacker. Today, such numbers represent a baby botnet. Hackers have extended their empires so that botnets of 60,000 infected machines are run of the mill. Look for bigger botnets in the future, with several examples tipping the scale over a million systems. With economies of scope at that magnitude, the attackers wield immense computing power. They can direct a flood and knock systems off of the network, crack crypto keys and passwords at rates that used to only be available to highly funded government agencies. To deal with this trend, those responsible for the security of an organization's network should have the emergency number for their ISPs, so if there is a massive attack against an organization, key personnel are notified.
The vast majority of malware to date has affected PCs. But as more and more processing power is added to non-computer platforms, more generalized operating systems will be able to store sensitive data. In 2007, watch for attacks against cell phones, PDAs and (dare I say it?) even the iPod. As such devices proliferate and are connected to the Internet wirelessly, a whole new malicious code vector will surface. While there aren't a lot of defenses available now, antivirus vendors will realize the need for such tools in this new environment and release products specialized for this realm.
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions relating to information security threats.
