Tag Archives: malweb

Information Security Intelligence Report for 2010 and Predictions for 2011

Looking back at 2010 shows a widening gap between cybercrime and law-enforcement capabilities, alongside nations that have entered a cyber arms race to develop defensive and offensive capabilities. Most of the attacks analyzed in 2010 show organizations falling behind in their defensive strategies as attackers take advantage of a hybrid approach that merges technical exploits with human weaknesses to cash out on their attacks.

Cybercrime widens the gap between attack capability and defense mechanisms. Analyzing several of the major attacks of 2010, Security Art notes that organizations were attacked in two key ways. Firstly, through technical means such as the Aurora attacks, the Mariposa botnet, and the ZeuS and SpyEye crimeware kits. Secondly, by attacks that bypassed traditional protection methods and gained access to targets through human-weakness areas such as social media. While businesses focused on defending themselves with security mechanisms such as anti-virus software and perimeter defenses, attackers jumped over these defenses and flooded the market with a high volume of malware that now poses a serious threat to security providers in terms of detection rates and response time. Meanwhile, law enforcement agencies have focused mainly on low-level cybercriminals, and have not successfully reduced the impact of online criminal activities. On a national level, nations have embarked upon the race to develop defensive and offensive cyber capabilities.

Cyberwar arms race sends nations on a shopping frenzy. As cyberwar gained merit (and criticism) during 2010, with the movie-material Stuxnet incident being the poster child for news outlets that published every spin-off, speculation, and plain old gossip, the international scene had its own race for the latest and greatest defense mechanisms. The implications of Aurora and Stuxnet made most countries aware of their lack of critical-infrastructure defenses and of the capability to deliver a similar cyber-blow, and many went shopping for weapons. Security Art witnessed the strategic build-up of capabilities in some countries, and a more hurried shopping spree (one that usually led to the accumulation of cybercrime-provided tools) in others. This, together with the delayed response of organizations such as the UN, the EU, and NATO, left the scene looking more like the Wild West than Silicon Valley.

Expanding digital domain and improved understanding of security will reign in 2011. Our prediction for 2011, drawn from the criminal, political and diplomatic sides of cybercrime that dominated 2010, is that more focus is going to be given to approaching security from a strategic standpoint. Rather than buying “best of breed” products and ticking off compliance sheets, we predict that organizations and countries will apply a more sensible executive-level understanding of what information security means to them. With the expanding personal digital domain (smartphones, tablets, and the like) and the continued digitization of all organizational information (from scanned materials to VoIP telephony), security must be applied to more layers than ever before. Countries and organizations will have to adopt additional skill-sets and look for solutions in areas they have not dealt with before.

Please go to http://www.security-art.com/download-report to download the full report, or email [email protected] for additional information.

The Botnet Wars – industry Q&A

I was approached recently by Bart P from Panda Security in order to participate in an industry expert Q&A about the botnet wars (apparently he did his homework, as he got quite the lineup to participate in this; guess he can count me as a close miss :-)…).

He managed to compile a great Q&A where you can read some of the views and opinions on the current state of business in the botnet marketplace (including exploit kits and crimeware kits).

The full article is available at: http://bartblaze.blogspot.com/2010/10/botnet-wars-q.html


Mapping and Security Research

From the “We should have trademarked this” department: McAfee came out with their “Mapping the Mal Web” [PDF] report, proving that innovation is best left for the smaller players to meddle with, only to be picked up later by the big guys.

Not that there is anything revolutionary about the report – it’s the same basic “look at what we could figure out from our logs” type, loaded with graphs and tables (as opposed to forward-looking research, or research that dares to predict or create a disruptive technological/behavioral change). But the mere use of “MalWeb” is funny, since I clearly remember starting to use it in an internal meeting some years ago, back when we used to issue reports ourselves…

In any case – use this “with caution” (just as you would use last year’s financial news to base your investments on), or better yet – just use the graphs and maps to scare potential customers 🙂 Hope that the next report will have somewhat beefed-up sections discussing “what to look for” (a mere single paragraph here), and more discussion of how domain names are picked by eCrime operators to reach their target audience.

Keep safe!

DefCon 17 talk video available!

For your viewing pleasure – if you happened to miss out on DefCon 17 earlier this year, the full video and slides of my talk “Down the Rabbit Hole – uncovering a criminal server” have been uploaded to the DefCon archive page.

The slides and audio are also available in my section on the DefCon17 archives: http://defcon.org/html/links/dc-archives/dc-17-archive.html#Amit

Have fun!

Malicious ads circa 2007

Sometimes the only thing you can say about something boils down to the sound of your palm hitting your forehead. We have been seeing many ways in which criminals try to attack unsuspecting users and take over their PCs. One of these, for quite some time now, has been the use of advertisements as a vehicle to run malicious code in the victim’s browser, exploiting the fact that these ads show up on the most legitimate sites.

Recently, I ran across an article that “exposes” such a scheme as if it were completely new (see Register article here). My initial response was to tweet about it, as it reminded me of how we covered the same issue some years ago. It was late and I was trying to recall how far back this coverage was, and surprisingly I got it right! 2007…

Since this blog keeps all of my “historical” posts, there is even one dating back to September 2007 here, which references a report I issued for the 2nd quarter of 2007 (meaning it was written in May) and tracks the story published in the Q1 report (which would mean that I almost missed it, and that some of these were tracked back to the end of 2006). Funny how a 3-year-old story is re-emerging now… For your convenience, here are a couple of excerpts from the original research (find the differences…):

Numerous parties are often involved in getting an ad from an advertiser to a consumer. These include advertisers, ad agencies, advertising affiliate networks, adware makers, software makers, distribution affiliates, distribution affiliate networks, and websites. This complicated network of relationships can make it difficult for advertisers to know exactly where their ads are being delivered.

As websites depend more on advertising revenues, they often display ads from third party advertising networks, over which they have little or no control. While legitimate website owners trust advertisers to display non-malicious content, advertisers sometimes “sublet” their space to others. This hierarchy can often comprise several layers, seriously compromising the level of control the website owner has over advertising content.

Bottom line – same as always. If it works, there is no point in changing anything. Back then we were watching sites such as MLB.com, CNN.com and other high-profile ones serve malicious ads, and today the situation is no different. And I thought that I had to stay on the cutting edge of research to keep up in this line of business 🙂

Keep safe!