
SECURITY 2007: A quick look at the year that was

CIOL Bureau

BANGALORE, INDIA: Symantec reported in July that e-card spam had become particularly virulent, and the trend continued in subsequent months. These messages evolved to use a range of hooks intended to lure users into following malicious URLs that led to malware. Infected machines become part of the Storm Worm botnet, which in turn sends more of the spam and propagates the malware.

Vishal Dhupar, MD, Symantec India

MPack is a current example of a sophisticated attacker toolkit that appears to be professionally written and developed. It is available for sale online. Used to install malicious code on thousands of computers, MPack even includes a management console from which its operators can control and monitor the state of their “business”.


Another indication of the commercialization of malicious activity is the emergence of phishing toolkits: sets of scripts that allow an attacker to automatically set up phishing Web sites that spoof the legitimate sites of different brands, complete with those sites’ own images and logos.


In September, Symantec observed 18,424 unique phishing URLs. Banks continue to be the most phished sector, with 52% of these URLs spoofing financial institutions.

Phishing presented only a marginal risk during the 2004 Presidential Election; at the time, phishing itself was still in its infancy. Revisiting the potential risk of phishing to the 2008 federal election, we find ourselves in a much different position.


Since typical Internet users are not well acquainted with the domains associated with political candidates, there is a risk that phishers will use a similarly designed Web site to collect credentials from unsuspecting victims.


Phishers can easily mimic legitimate fundraising e-mails in order to make people submit their credentials or download crimeware.


Phishers use current events to make their “bait” more convincing. It is no longer enough to look for obvious typos to determine whether something is real. A recently observed phishing scheme used the Southern California fires to tug on heartstrings and open wallets: the message, purporting to come from the IRS, included statistics and a heart-rending call to action.


Exploitation of Trusted Brands – By exploiting a trusted Web environment, attackers now prefer to lie in wait for victims to come to them.

Attackers no longer actively seek out their intended victims; instead, they wait for their targets to come to them. Attackers do this by compromising trusted sites and/or applications so that when a user visits that site or uses that application, the attacker is able to compromise the victim’s computer.

Social networking sites have proven fruitful for attackers because they give access to large numbers of people, many of whom implicitly trust that the site and its content are secure. These sites can easily be compromised because of the prevalence of Web application vulnerabilities on them.

This has serious implications for end users, who may no longer be able to place their trust in well-known sites. The previously popular advice to avoid “bad neighborhoods” on the Internet is no longer enough.

Early in 2007, attackers successfully hacked the Web site for the Miami Dolphins Stadium, host of the Super Bowl.  Malicious code on the site attempted to infect visitors.

In October, attackers targeted the online ticket vendor for the Colorado Rockies in advance of the World Series, knocking the system offline.

This accounts for the wide variety of estimates seen on the size of this particular botnet.

Symantec believes that using a snapshot approach to measure the botnet’s size yields the most reliable results. Our research suggests that the network is smaller than some think, leading us to believe that, at least currently, the Peacomm (Storm) network size is closer to the more conservative estimates that are being published.

On April 27, 2007, various Internet resources of the Republic of Estonia came under a series of distributed denial of service (DDoS) attacks.

In the first half of 2007, 237 vulnerabilities affecting browser plug-ins were documented, compared to 108 in all of 2006.

89% of these browser plug-in vulnerabilities affected ActiveX components for Internet Explorer, an increase over the 58% in the previous period.

The rise in browser plug-in vulnerabilities is indicative of an increasing focus on client-side vulnerabilities by both security researchers and attackers.

The MPack malware kit automatically exploits various ActiveX vulnerabilities.

Recently, RealPlayer was subjected to a zero-day attack using an unpatched vulnerability affecting the latest versions of RealPlayer and RealPlayer 11 BETA. The issue affected an ActiveX object in the RealPlayer component ierpplug.dll.

Users should ensure that their browser’s security settings do not allow scripting of ActiveX controls that are not marked safe for scripting. The browser should prompt before running ActiveX controls and should refuse to download unsigned ActiveX controls. As a general precaution, users should avoid following links to unknown or untrusted sites and should run client applications such as Web browsers with the minimum privileges required for functionality. In addition, active scripting should be disabled to prevent the execution of script code and active content in the browser.
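The settings described above map to Internet Explorer's per-zone URL-action values in the registry. The following PowerShell script, an added example that is not part of the original article or of any Symantec tool, audits the Internet zone (zone 3) of the current user against those recommendations, applies them on request, and shows how to set a "kill bit" so that a given control can never be instantiated by the browser. The URL-action IDs, value meanings (0 = Enable, 1 = Prompt, 3 = Disable) and the 0x400 kill-bit flag are Microsoft's documented values; the CLSID passed in the usage line at the bottom is a placeholder, not the CLSID of the RealPlayer control mentioned above.

```powershell
# Added example: audit/harden IE Internet-zone ActiveX and scripting settings.
# Zone 3 = Internet zone; HKCU covers the current user only. To enforce for all
# users, apply the same values under HKLM (or via Group Policy).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL-action ID -> desired value (0 = Enable, 1 = Prompt, 3 = Disable)
$Desired = [ordered]@{
    '1001' = 1   # Download signed ActiveX controls                        -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                      -> Disable
    '1200' = 1   # Run ActiveX controls and plug-ins                       -> Prompt
    '1201' = 3   # Initialize and script ActiveX controls not marked safe  -> Disable
    '1400' = 3   # Active scripting                                        -> Disable
}

$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    # Returns the current DWORD for one URL action, or $null if it is unset
    # (an unset value falls back to IE's built-in default for the zone).
    param([string]$Id)
    $item = Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Test-ActiveXHardening {
    # Emits one object per URL action; Compliant is $false when the current
    # value differs from the recommendation (or is unset).
    foreach ($id in $Desired.Keys) {
        $current = Get-ZoneSetting -Id $id
        [pscustomobject]@{
            Action    = $id
            Current   = if ($null -eq $current) { 'unset' } else { $Meaning[$current] }
            Desired   = $Meaning[$Desired[$id]]
            Compliant = ($current -eq $Desired[$id])
        }
    }
}

function Set-ActiveXHardening {
    # Writes the recommended values. Supports -WhatIf so the change can be
    # previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($id in $Desired.Keys) {
        $value = $Desired[$id]
        if ($PSCmdlet.ShouldProcess("$ZonePath\$id", "set to $($Meaning[$value])")) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $value -Type DWord
        }
    }
}

function Set-ActiveXKillBit {
    # Sets Compatibility Flags = 0x400 for the CLSID, which stops Internet
    # Explorer from loading that control regardless of zone settings.
    # Requires an elevated prompt (HKLM). On 64-bit Windows the 32-bit browser
    # reads the Wow6432Node copy, so both paths are written.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{00000000-0000-0000-0000-000000000000}'
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        if ($PSCmdlet.ShouldProcess($p, 'set kill bit')) {
            New-Item -Path $p -Force | Out-Null
            Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        }
    }
}

# Usage: audit first, then apply, then kill-bit a specific control.
Test-ActiveXHardening | Format-Table -AutoSize
Set-ActiveXHardening -WhatIf
# Placeholder CLSID; substitute the CLSID from the vendor's or Microsoft's advisory.
Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

The kill bit is the stronger of the two controls: zone settings still let a user click through a prompt, whereas a kill-bitted CLSID is refused outright, which is why vendors and Microsoft ship kill bits for controls with known unpatched flaws. Note that disabling active scripting (1400) breaks most modern sites; the common compromise is to keep it disabled in the Internet zone and add sites that genuinely need it to the Trusted Sites zone.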

Vulnerabilities for Sale – Wabi Sabi Labi debuted and offered an auction-style system for selling vulnerability information to the highest bidder, sparking controversy and discussion about competing schools of thought in how to handle vulnerability information.

Symantec believes that paying for software vulnerabilities, or auctioning such information to the highest bidder, places the vendor and its customers at possible risk. Regardless of good intentions, when third parties have a monetary interest in such sensitive information, it introduces an opportunity to abuse the system.

There are reputable companies with good intentions that pay researchers for their vulnerability data. Companies such as TippingPoint have made a business of managing the responsible disclosure process with the affected vendor.

However, any payment for vulnerability research edges the industry onto a slippery slope. Not all researchers will make smart choices, and financial motivations may lead more researchers to work with less responsible companies.

If money becomes the driving factor in vulnerability research, vendors could be placed in a position where they have no choice but to pay whatever the researcher wishes; otherwise their customers will be placed at risk.

Businesses have increasingly adopted virtualization technology to maximize hardware usage, increase scalability, provide segregation and lower total cost. The security implications of virtualization, however, have not been considered by many enterprises.

The speed and ease of provisioning and deploying virtual machines may lull people into complacency about the proper security of the virtual machine and the environment into which it is deployed. Most data center managers put a lot of thought into architecting the security of their systems and deployments, and the same care should be taken with virtual machine configuration and deployment.

In assessing virtualization from a security standpoint, Symantec has found some key limitations that illustrate what could be possible as attackers focus their energy on virtualization technology.

Escape from virtualized environments – In a worst case scenario, a threat that compromises the guest operating system may utilize a vulnerability to break out of the guest and compromise the host operating system.

Use of virtualization by malicious code – This is considered one of the most advanced rootkit methods; research projects such as SubVirt, Blue Pill and Vitriol demonstrate how it might be achieved.

Detection of virtualized environments – Software virtual machines are relatively trivial to detect. Malicious code may use this knowledge either to exploit a known vulnerability in the virtual environment or to modify its behaviour when running in a virtual environment, as a defence against analysis in sandboxes.

Denial of service - Attackers can crash the VMM (Virtual Machine Monitor) or a component of it, leading to a complete or partial denial of service. 
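To illustrate how little effort the "detection of virtualized environments" point above requires, the following PowerShell function is an added example (not from the article or from Symantec) of the checks malware routinely performs on a Windows guest: hardware strings reported through WMI, the vendor-assigned MAC address prefixes of virtual NICs, and the presence of guest-tools services. The OUI and service-name lists are well-known values for VMware, VirtualBox and Hyper-V; the function returns the indicators it found, so an analyst can run it inside a sandbox to see exactly what gives the environment away.

```powershell
# Added example: low-effort VM fingerprinting from inside a Windows guest.
function Get-VmIndicators {
    $found = New-Object System.Collections.Generic.List[string]

    # 1. SMBIOS/WMI hardware strings. Hypervisors report themselves here unless
    #    the sandbox operator has deliberately overridden them.
    $pattern = 'VMware|VirtualBox|Virtual Machine|Hyper-V|KVM|QEMU|Xen|Parallels'
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    if ("$($cs.Manufacturer) $($cs.Model)" -match $pattern) {
        $found.Add("Win32_ComputerSystem: '$($cs.Manufacturer)' / '$($cs.Model)'")
    }
    if ("$($bios.Manufacturer) $($bios.SMBIOSBIOSVersion) $($bios.SerialNumber)" -match $pattern) {
        $found.Add("Win32_BIOS: '$($bios.Manufacturer)' / '$($bios.SMBIOSBIOSVersion)'")
    }

    # 2. MAC address OUIs registered to virtualization vendors.
    $ouis = @{
        '00-05-69' = 'VMware'; '00-0C-29' = 'VMware'; '00-50-56' = 'VMware'
        '08-00-27' = 'VirtualBox'
        '00-15-5D' = 'Hyper-V'
        '00-16-3E' = 'Xen'
    }
    Get-CimInstance -ClassName Win32_NetworkAdapter |
        Where-Object { $_.MACAddress } |
        ForEach-Object {
            $prefix = ($_.MACAddress -replace ':', '-').Substring(0, 8).ToUpper()
            if ($ouis.ContainsKey($prefix)) {
                $found.Add("NIC $($_.MACAddress): OUI $prefix belongs to $($ouis[$prefix])")
            }
        }

    # 3. Guest-tools services that only exist inside a VM.
    $services = @{
        'VMTools'        = 'VMware Tools'
        'VBoxService'    = 'VirtualBox Guest Additions'
        'vmicheartbeat'  = 'Hyper-V Integration Services'
    }
    foreach ($name in $services.Keys) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            $found.Add("Service '$name' present ($($services[$name]))")
        }
    }

    return $found
}

# Usage: an empty result means none of these cheap checks fired.
$indicators = Get-VmIndicators
if ($indicators.Count -eq 0) { 'No VM indicators found' } else { $indicators }
```

Each of these signals can be disguised by a sandbox operator (custom SMBIOS strings, a non-vendor MAC, renamed or removed tools services), but doing so is the operator's burden, and malware authors bet that most environments leave at least one in place. The converse also holds for defenders: an artifact that behaves differently when these indicators are present is itself a detection signal.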

While virtualization presents security concerns, Symantec also sees an opportunity to explore entirely new security models that leverage it. Our collaboration with Intel is an example.

In April 2006, Symantec announced a partnership with Intel to build security solutions for the new Intel vPro technology.  The technology allows IT managers to manage security threats outside the main PC operating system in an isolated virtual environment. 

Symantec’s Virtual Security Solution moves security to the hardware layer, providing new layers of system protection.  It utilizes Intel’s virtualization technology to create a virtual security solution on the PC. 

Many attacks today are people-based, requiring some action from the end-user victim. These attacks will succeed whether the victim is running in a virtual environment or natively on the machine. This means that endpoint protection is just as important inside the virtual machine as outside it.

Most virtual machines are hosted on thin clients or PCs. These endpoints also require protection (at least at the network layer), which is why an embedded security solution ships on every HP thin client.