Security in 2007: Botnets, Threat Convergence and Other Risks

A new year brings an opportunity to analyze previous risks for new trends—and new threats. Among the predictions for 2007: Botnets will become increasingly dangerous, and their use will be traded by attackers for credit card details and other personal information. Also, large-scale virus outbreaks are a thing of the past for PCs, but will be replaced by malicious code attacks targeted to steal information from businesses, and ransomware will use more sophisticated encryption, possibly becoming invulnerable to brute-force attacks. 

Malware Targets BusinessesBased on analysis over the last 12 to 18 months, says Paul Wood, a senior analyst at MessageLabs, large virus outbreaks are a thing of the past. “The trend is already shifting towards lower-level attacks that are targeted and intended to remain below the radar of the general security community,” he says. “Malware attacks against businesses will be more intent on gaining access to confidential information and intellectual property theft.”

Also in that vein is the ever-increasing threat of ransomware, malicious software used to encrypt files and documents using a secret key known only to an extortionist. “These attacks have previously been defeated by security companies using distributed computing resources, such as brute force, to crack the secret keys,” says Wood. “However, by increasing the key lengths and adjusting the encryption algorithms to use something stronger, such as AES, such an attack could be rendered unbreakable.”

Botnets EvolveBotnets are expected to become an increasingly dangerous threat. Capitalizing on advances used by SpamThru, which MessageLabs says is the first real example of a more aggressive form of spambot, botnets will be difficult to detect, become more resilient to disruption and use several forms of communication to infect their targets. “SpamThru was not sent out in a mass mail attack; it was more likely installed via a drive-by attack from a compromised website, perhaps seeded from an e-mail containing a link to the infected sites,” says Wood. “Antivirus software provides little defense against such attacks for two reasons: The antivirus software cannot be expected to know whether a link in an e-mail is to a malicious site or not, and the author will go to great lengths to continuously update the botnet code, ensuring that detection by the major vendors is avoided.” 

SpamThru, according to Wood, can be updated by sending instructions to any bot in the network if its command center is shut down. This also means that no new virus outbreak is required to regain access to the bots. It uses a mail-merge technique called a “spam cannon” to send greater volumes of spam from each compromised computer and randomizes text and images within the e-mail to confuse spam filters. Wood says SpamThru also installs a hacked version of Kaspersky antivirus software to remove rival viruses, trojans and botnet code. “SpamThru represents a milestone in botnet evolution,” says Wood. “We have already seen a decline in the number of viruses over the past 12 months, and this trend is expected to continue as the criminals find better ways to maintain control over their robot networks. No one is safe from these types of attacks.” 

MessageLabs saw a trend in 2006 in which attackers rented 1,000 or 2,000 bots for $50 to $60 a week, with the option of trading payment for stolen credit card numbers. Wood believes this trend will become increasingly popular this year as more credit card fraud turns to “cardholder-not-present” types of schemes. 

“Some of the more sophisticated networks of criminals have automated tools to determine additional information and target attacks towards more affluent individuals based on credit card details,” says Wood. “The use of personal information harvested from botnets will also provide a valuable resource for those interested in conducting identity fraud scams.”spam is expected to represent more than 95 percent of all of e-mails sent in 2006—more than 60 billion messages each day—which may “ultimately represent the death of e-mail as we know it.” 

Spam, SpIM, SpIT

So-called free technology services and applications are likely to face competition in the coming year from pay services that offer more convenience. For example, analysts at Deloitte say that 

Free e-mail is estimated to have cost consumers approximately $7.8 billion over the last two years to repair or replace PCs infected by malicious code and spyware. By contrast, Deloitte analysts say, “paid-for SMS [offerings], on which consumers spent over $185 billion in 2006 alone, were relatively junk-free, most likely because the economics of spam simply do not work in such a highly commercial setting.”

Says Wood, “IM threats will perhaps play more of a role in adding another attack vector to a trojan or virus so that it may find another vehicle by which it can spread.” 

Instant messaging and voice over IP (VoIP) are expected to suffer similarly as SpIM and SpIT (spam targeting those respective avenues) vastly increase. More than 80 million users of free IM clients received 1.2 billion SpIM messages in 2006, about five a day for the average user, MessageLabs says. That threat is likely to grow to 27 per day by 2008 and result in reduced productivity and increased risk of infection from malicious code transmitted by IM. In the case of SpIT, spammers use VoIP systems to send thousands of unsolicited voice messages promoting products and services.

“There’s an increased level of acceptance to pay for services, such as satellite radio, to avoid hearing a million and one ads, or buying an iPod to have what I want when and where I want it. And there’s plenty of evidence that people are willing to pay,” says Eric Openshaw, lead partner for technology at Deloitte. “The cost of ’free’ is the loss of security and control, and a lack of choices.”

Threats Converge

“2007 will be the year of true convergence between spam, viruses and spyware across multiple business communication protocols,” says MessageLabs’ Wood. He describes “convergence” as an attack that can manifest across multiple protocols or applications, such as the Internet, IM and e-mail. An example of such an attack could be an e-mail or IM containing a link to a malicious website.

Mac Threats on the Rise

Malicious code targeting Mac OS X will rise in the beginning of 2007, says Wood.

He points to the uptake in use, which presents a more viable target for attackers. Though many believe that it’s a more secure OS than Windows XP, this is due in no small part to its lower install base.

This “tends not to attract the attention of the criminals who are looking to make as much money as possible for as little effort as possible,” says Wood. “Once Mac OS X achieves a greater install base, as is expected in 2007, this equilibrium is likely to shift.”

Focus on Outsourcing

When it comes to outsourcing, security will become a focal point. “All forms of security will be on the shortlist for successful outsourcing engagements, including data, systems, physical, staff and disaster recovery,” says Dmitry Loschinin, president and CEO of Luxoft, a Russian IT outsourcing provider.

Emphasis on Unified Security

Andy Kellett, a senior security research analyst at European IT research firm Butler Group, says the consolidation that has taken place in the security market over the past 12 months will place more emphasis on the requirement for unified protection and network infrastructure security systems.

Says Kellett, “One example is Unified Access Control—products that enable organizations to understand all devices that operate across their networks, and then extend their reach to controlling how such devices should be evaluated and managed as they attempt log-on, including the evaluation of device acceptability and end-user authentication.”

An Eye on Biometrics palm veins, voice and hand geometry, will see a major uptake in adoption for a wide range of applications, says Deloitte. Analysts say the increase will be driven by falling prices, rising performance of key technologies such as processors and digital storage, and a growing public willingness to pay more for biometric security.

Biometric security, based on physical characteristics such as a person’s iris, fingerprint,

The value of physical and digital property will make the case for biometrics increasingly strong, but initial deployments are likely to be small scale to secure buildings or homes. A government mandate to use biometrics in all identity cards is also likely in 2007, according to Deloitte analysts.

Are these predictions on the money? Drop me a line at smcalearney@cxo.com and let me know your views on these predictions as we move into 2007.

-Shawna McAlearney