Symantec: A mid-year status check on security predictions

As predictive analytics emerge as a sought-after business tool, Symantec continues to gather data that it uses to both analyze and predict trends in Internet security. Just like predictive analytics provides valuable information allowing businesses to make smart decisions, Symantec’s predictions are based on analysis and give businesses and individuals important information on the changing threat landscape that helps them make smart decisions. In order to offer the best information possible, Symantec reevaluates its yearly predictions halfway through the year. Here’s a look at each prediction for 2010 and an evaluation of where it stands at the midyear mark.

What We Said: Antivirus Won’t Cut It

The multiplication of both malicious code and of polymorphic threats was so great in 2009 that the amount of malicious software actually surpassed the amount of good software. While users should still maintain antivirus protection, they are going to need something more to be secure. Other approaches, such as Reputation-Based Security, will emerge as key alternatives to the footrace of writing signature codes for malware.

Where it Stands

The increase of malicious code has not let up since making that prediction. While Symantec created 2,895,802 new malicious code signatures in 2009 (71 percent more than 2008), it has already created 1.8 million new malicious code signatures in the first half of 2010. It has also identified 124 million distinct new malicious programs.

The number of sources for new malicious code is huge and keeps growing. The security industry is simply not going to be able to keep up with the speedy spawning of malware. That doesn’t, however, mean cybercriminals have won. Reputation-Based security is catching on as a smart, innovative solution that promises security to those who are interested. Heuristic, behavioral and intrusion prevention technologies are also means of future protection as malware continues to spread.

What We Said: Rogue Security Software Vendors Step it UpSellers of rogue security software have not yet reached their peak. They will become more active and more innovative. They have already begun to sell rebranded copies of free third-party AV software and will likely begin to use tactics such as rendering computers useless and holding them for ransom until they are paid. Where it Stands

While cases of vendors holding computers for ransom have not yet been observed, Symantec has certainly seen more activity and more innovation from rogue security software sellers. One example of this is the practice of cold calling where sellers insist a person’s computer is infected and offer “solutions” either by having them download something or by convincing the user to let them access the computer remotely. In such cases sellers may be from actual companies who make a business out of such scams, as was one company Symantec investigated called Online PC Doctors.

What We Said: Social Networking Third-Party Applications Will Be Fraud Targets

Social networking sites have been awakened (rudely, in some instances) to the reality that their popularity makes them a target for fraud and other cybercrimes. Symantec predicted that many of them would react well and continue to take steps to secure their sites. Sadly, cybercriminals are not so easily deterred. They will turn to vulnerabilities in third-party applications to weasel their way in and wreak havoc.

Where it Stands

This trend is still developing, but it is developing in the predicted direction. Fortunately, social networking sites have reacted well and decreased the amount of malware breaking through their sites. Unfortunately, malicious efforts are increasing in the world of third-party applications. One app, for example, turned out to be part of an IQ testing scam that covertly signed up users for premium mobile service that cost $10 per month.

Also see ‘The 7 deadly sins of social networking security’ on CSOonline.com

Social networking sites may already have begun working against this trend. Facebook recently updated their application authorization system in an effort to reduce the number of scams and misleading applications making their way into the site. Users are now informed when an application seeks to access their information or post on their wall.

What We Said: More Fast Flux Botnetsbotnets hide phishing and other malicious Web sites behind a changing network of compromised hosts acting as proxies. It hinders others in tracking them down. As the security gets better at fighting traditional botnets, more of them will resort to this.

Fast flux

Where it Stands

Halfway through the year, we thankfully haven’t seen significant new usage of the fast flux technique. We have, however, seen the resurgence of the Storm botnet, which uses fast flux, as well as the use of other techniques that use back doors and camouflage to mask geo-location and make pinpointing sources of cybercrime difficult. As long as cybercriminals are playing hide-and-seek with these techniques, stopping the attack flow will be difficult. It’s hard to fight an enemy you can’t see.

What We Said: Phishers Will Use Shortened URLs as Bait More Often

Shortened URLs are no brainers for people who want to post links and save space. They are also no brainers for phishers who want to catch unsuspecting users in malicious snares. What better tool could they ask for than URLs that are widely adopted and completely disguised? Look for phishers to use shortened URLs more.

Where it Stands

In July 2009, 9.3 percent of spam used shortened URLs. In April 2010, 18 percent of spam used them. So yes, phishers are using shortened URLs more. Interestingly, however, the URLs are not only being adopted by phishers on a larger scale, they are prompting the resurrection of past threats. The previously mentioned Storm botnet, for example, used shortened URLs in the majority of its spam.

What We Said: More Malware for Mac and Mobile

One of the central standards of malware is that its creators follow market share. Mac computers are growing in market share and the spread of smartphones is like a brush fire. Consequently, cybercriminals will start going after them more.

Where it Stands

There have been a few attacks on Mac computers and iOS devices such as the iPad, iPhone and iPod Touch, but Macs continue to be mostly secure from a client perspective. Some argue that Macs operate on inherently safer systems. That may be true, but it may also be true that Hackers are just waiting for the Mac market to become a bigger target.

The mobile side has also seen relatively few security threats, although they do exist. Those may still increase as market share rises and hackers switch their objectives. Another avenue for attack in smartphones and other mobile devices, besides the operating system, is the continued growth of applications. The open access feel of the Android and of Apple apps will still likely develop into more security threats. In one safety breach, the App store actually sold a number of applications that showed malicious behavior. The damage seemed to be minimal however, with Apple saying only 400 users were affected.

What We Said: Spammers Breaking the Rules

With the economy suffering, and more people seeking to leverage the loose restrictions on the CAN-SPAM Act, more people and organizations will engage in selling unauthorized email address lists and more illegitimate marketers will spam those lists.

Where it Stands

An explosion in straight spam has been substituted by an increase in “gray” mail. Gray mail is usually unsolicited, but complies with standards of the CAN-SPAM Act, such as offering an option to unsubscribe (although honoring requests to unsubscribe might be a different matter). Also, chances are the recipient never subscribed in the first place. That fact should clue the user in to the likelihood that the email is not from a legitimate source.

What We Said: Spam Levels Will Keep Fluctuating

As the saying goes, where there’s a will there’s a way. In the case of spammers, they have a will to make money through spam and aren’t about to let up because of laws or security software, although those things do serve as speed bumps. Because of these speed bumps, spammers will have to adjust to find a way and spam levels in 2010 will fluctuate.

Where it StandsAnti-spammers shut down the Mariposa botnet, thus decreasing spam, and spammers have responded with an increase in tactics such as disposable and hijacked URLs. Spam levels will likely continue to teeter totter through the rest of the year.

Fluctuation really is the best term for it. In the first six months of 2010, both sides of the battle have seen victory.

What We Said: CAPTCHA Technology Will Get Better

As anti-spammers work to keep spam out, spammers will continue to work to get it in. CAPTCHA is a perfect example. It has become better to the point where it effectively keeps out automated systems. Spammers, however, will just adjust and hire humans to bypass the technology. We at Symantec estimated that those hired to do that work will be paid 10 percent of the cost to spammers, with the account farmers charging $30-40 per 1,000 accounts.

Where it Stands

This trend is progressing as predicted, with a slight modification in price. The New York Times reported spammers are paying workers in developing countries to physically bypass CAPTCHA codes and generate new accounts for spamming. But, instead of the $30-40 per 1,000 accounts, spammers are only paying $.80-1.20 per 1,000 deciphered CAPTCHAs.

What We Said: I’m Getting More IM Spam

As the CAPTCHA technology is bypassed, cybercriminals will exploit instant messaging more. Symantec predicts that by the end of 2010, one in 300 IM messages will contain a URL. That is an open door to shortened links and social engineering leading to scams and security problems. Symantec also predicts that one in 12 hyperlinks appearing in IM messages will contain a malicious or suspicious domain. At this time last year, that level was one in 79.

Where it Stands

In June 2010, Symantec tallied one in 387 IMs containing some sort of hyperlink and one in eight linking to malicious Web sites. Translation: the prediction was right on the money.

What We Said: More Non-English Spam

On a global scale, spam has previously been mostly English. That will change. Developing countries are becoming more connected to the Internet and as that progresses, more spam will be in languages other than English. In some parts of Europe, localized spam will exceed 50 percent of all spam.

Where it Stands

Our analysis shows that some domains already get more than 50 percent of spam rates in their local language. The numbers are a little murky, but some domains and countries may actually be seeing the amount of localized spam go down. For example, Brazil has consistently had the highest percentage of spam in its local language, but instead of increasing that average amount of spam in Portuguese went down from about 41 to 29 percent.

Conclusion

As businesses and individuals approach decisions concerning crucial precautions, knowledge truly is power. To have an idea of what the landscape has looked like, what it looks like now and what it will look like in the future is valuable information that people should, quite frankly, not go without. Symantec’s intelligence and analysis provides the information needed. In terms of security, it is the predictive analytics that offer the business intelligence that, if given proper attention, will save headaches, money and time.

Vincent Weafer is Vice President, Symantec Security Technology and Response.