Friday, 22 October 2010 15:39

Windows threat trends: the view from McAfee

What are the threats currently facing Windows users? McAfee has some answers to this question, and its advice includes being especially watchful for phishing attempts at the end of each quarter.


Paula Greve, director of web security research at McAfee, told attendees at the company's Focus 2010 security conference that McAfee is currently seeing very targeted attacks being delivered to specific individuals within organisations via personally addressed emails that appear to have relevance to the victims, for example by including references to their organisational roles. Another method is to send messages via social networks or media that provide an appropriate context. One example might be that if someone posted a set of photos of a particular location, an attacker might send a message (possibly masquerading as a friend) reading 'here's an angle you missed' followed by a malicious link.

Such attacks may be associated with advanced persistent threats (APTs) similar to Aurora. Greve noted that the publicity surrounding Aurora did sensitise people to such threats, leading to a threefold increase in the number of suspect URLs submitted to McAfee.

The basic lifecycle of an APT goes like this:
research the intended victim (online and offline);
deliver an attack using multiple vectors;
evade detection after installation, eg by transmitting data when the network is busiest;
gain intelligence and access to related systems;
leave no evidence behind so the victim can't tell what data was copied or modified; and
use the collected information to launch further attacks.

Another active area is fake AV software, also known as scareware because it is designed to scare people into buying a product to 'clean up' malware that isn't actually present on their systems. Worse, the fake product may itself install malware while charging victims for the privilege. The incidence of password-stealing malware is also growing.

Some patterns can be seen around particular threat categories. "Fridays are kind of a hot time [for malware delivery]," said Greve. Malware distributors are responding to security companies' success in blocking sites by activating the servers for only short periods at a time. The idea is to fool researchers into thinking the sites have already been taken down.

A different temporal pattern can be seen in phishing attacks, where the number of new phishing sites peaks at the end of each quarter. Presumably the idea is that people are so busy at such times (eg, salespeople racing to make quota) that they might not be quite as careful as usual, increasing the success rate of phishing campaigns.

SQL injection attacks still "happen all the time," she said. The top originating countries for such attacks are the US and China, but Australia also makes the top ten.

And good old-fashioned spam still accounts for around 90% of all emails. (You're probably not seeing nine spams for every good message as it is being filtered at various points along the route.) Greve noted that spam traffic has a significant carbon footprint.

Talking of scale, botnets make up the largest 'clouds' on the planet. According to Greve, Amazon's cloud has 160,000 systems with 320,000 CPUs, and 500Gbps of bandwidth. Google has 500,000 systems, one million CPUs, and 1500Gbps of bandwidth. Both sound impressive, but pale in comparison with Conficker, which comprises 6.4 million systems with 18 million CPUs and 28Tbps of bandwidth, she said.

Ultimately, malware is all about money. "As long as it is profitable, people will keep doing it," said Greve.

What's ahead? She predicts we will face more blended threats using multiple attack vectors, and that advanced persistent threats will target individuals in their own right, not just in their corporate roles.

Greve sketched out a scenario where people sign up for a newsletter dealing with a particular health issue. The mailing list is then sold to someone that uses a botnet to spam the list with malware (either attached to the email, or delivered via a URL contained in the message). That malware scrapes the person's name and other details from social networking and other sites, and the collected information is then used to compromise the individuals concerned.

What more can security companies do to help protect their customers? Greve noted that the more generically McAfee can detect a particular type of malware, the harder it is for the bad guys to evade detection. A trivial example is that if anti-malware merely tried to recognise a file as it arrived or was opened, changing the way the malware was packed would be enough to bypass the defences. But security software is able to unpack files, so more substantial changes are needed to avoid recognition. The further up the hierarchy that detection occurs, the more work malware writers must put in to create new versions that can slip through.

Greve also noted that the increased use of anomaly detection could reduce the amount of malware that's successfully delivered. For example, an email filtering system might consider which IP addresses are usually associated with emails from the purported originating domain and sender, and whether the sender typically emails the recipient. You probably wouldn't want to block a message just because it was the first one between the sender and recipient (it could be from a potential new customer, or from an old customer with a new email address following a merger), but it shouldn't hurt to take a closer look at a message that is out of the ordinary.
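The anomaly heuristic Greve describes, as an added illustration that is not McAfee's code and not part of the original article: a profile of which source IPs normally deliver mail for each sender domain and whom each sender normally writes to is learned from past traffic, and an out-of-the-ordinary message is routed for closer inspection rather than blocked. The mail history, addresses and IPs below are constructed sample data.

```python
from collections import defaultdict

# Constructed history of previously delivered mail: (sender, source IP, recipient).
# Addresses use example domains and RFC 5737 documentation IPs, not real data.
HISTORY = [
    ("alice@example.com", "203.0.113.10", "bob@example.org"),
    ("alice@example.com", "203.0.113.10", "bob@example.org"),
    ("alice@example.com", "203.0.113.11", "carol@example.org"),
    ("dave@example.com", "203.0.113.10", "bob@example.org"),
]


def sender_domain(address):
    """Return the domain part of an email address (lower-cased)."""
    return address.rsplit("@", 1)[1].lower()


def build_profile(history):
    """Learn which IPs usually send for each domain and whom each sender usually emails."""
    domain_ips = defaultdict(set)
    sender_recipients = defaultdict(set)
    for sender, ip, recipient in history:
        domain_ips[sender_domain(sender)].add(ip)
        sender_recipients[sender].add(recipient)
    return domain_ips, sender_recipients


def assess(message, profile):
    """Return (verdict, reasons) for a message dict with 'from', 'ip' and 'to' keys.

    verdict is 'deliver' when nothing is unusual, otherwise 'review' (extra scanning
    or quarantine for a human look). Nothing is blocked outright: a first contact
    on its own is ordinary business, but it still warrants a closer look.
    """
    domain_ips, sender_recipients = profile
    sender, ip, recipient = message["from"], message["ip"], message["to"]
    domain = sender_domain(sender)
    reasons = []
    if domain not in domain_ips:
        reasons.append(f"domain {domain} has never sent mail here before")
    elif ip not in domain_ips[domain]:
        # Known domain, but delivered from an IP never seen for it: possible spoofing.
        reasons.append(f"ip {ip} has never delivered mail for {domain}")
    if recipient not in sender_recipients.get(sender, set()):
        reasons.append(f"{sender} has never emailed {recipient} before")
    return ("review" if reasons else "deliver"), reasons
```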

Disclosure: The writer travelled to Las Vegas as the guest of McAfee.

Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.