

11/29/2006
05:10 AM

McAfee Predicts '07 Trends

McAfee announced its top ten predictions for security threats in 2007 from McAfee Avert Labs

SANTA CLARA, Calif. -- McAfee, Inc. (NYSE: MFE) today announced its top ten predictions for security threats in 2007 from McAfee Avert Labs. According to McAfee Avert Labs data, with more than 217,000 known threats of various types and thousands more as yet unidentified, it is clear that malware is increasingly being released by professional and organized criminals.

In no particular order, McAfee Avert Labs' top 10 security threats for 2007 are:

  1. The number of password-stealing Web sites will increase using fake sign-in pages for popular online services such as eBay
  2. The volume of spam, particularly bandwidth-eating image spam, will continue to increase
  3. The popularity of video sharing on the Web makes it inevitable that hackers will target MPEG files as a means to distribute malicious code
  4. Mobile phone attacks will become more prevalent as mobile devices become "smarter" and more connected
  5. Adware will go mainstream following the increase in commercial Potentially Unwanted Programs (PUPs)
  6. Identity theft and data loss will continue to be a public issue - at the root of these crimes is often computer theft, loss of back-ups and compromised information systems
  7. The use of bots, computer programs that perform automated tasks, will increase as a tool favored by hackers
  8. Parasitic malware, or viruses that modify existing files on a disk, will make a comeback
  9. The number of rootkits on 32-bit platforms will increase, but protection and remediation capabilities will increase as well
  10. Vulnerabilities will continue to cause concern fueled by the underground market for vulnerabilities

"Within a short period of time, computers have become an intrinsic and essential part of everyday life, and as a result there is a huge potential for monetary gains by malware writers," said Jeff Green, senior vice president of McAfee Avert Labs and product development. "As we see sophisticated techniques on the rise, it's becoming increasingly hard for the general user base to identify or avoid malware infections."

Today, McAfee researchers are seeing evidence of the rise of professional and organized crime in malware creation, whereby development teams are creating malicious software, testing it and automating its production and release. Sophisticated techniques such as polymorphism, the recurrence of parasitic infectors, rootkits, and automated systems with cycling encryption releasing new builds are becoming more prevalent. Furthermore, threats are being packed or encrypted to disguise their malicious purpose on a more rapid and complex scale.

In July 2006, McAfee announced that it officially released protection for the 200,000th threat in its database. Since January 1, 2006, McAfee has added approximately 50,000 new threats to its database and is on track to exceed 225,000 new threats by the end of the year. Given current trends, McAfee expects the 300,000th threat to be identified by the end of 2007, demonstrating its growth potential.

McAfee Avert Labs' 2007 Threat Forecast:
Password-stealing Web sites are on the rise
More attacks that attempt to capture a user's ID and password by displaying a fake sign-in page, and increased targeting of popular online services such as eBay, will become more evident in 2007. As evidenced by the phishing attacks that followed Hurricane Katrina, McAfee Avert Labs also expects more attacks that take advantage of people's willingness to help others in need.

In contrast, the number of attacks on ISPs is expected to decline, while those aimed at the financial sector will remain steady.

Spam, particularly image spam, is on the rise
In November 2006, image spam accounted for up to 40 percent of the total spam received, compared to less than ten percent a year ago. Image spam has been significantly increasing for the last few months, and various kinds of spam, typically pump-and-dump stocks, pharmacy and degree spam, are now sent as images rather than text. Image spam is typically three times the size of text-based spam, so this represents a significant increase in the bandwidth used by spam messages.

The popularity of video on the Web will make it a target for hackers
The increasing use of video formats on social networking sites such as MySpace, YouTube and VideoCodeZone will attract malware writers seeking to easily permeate a wide network. Unlike situations involving email attachments, most users will open media files without hesitation.

Furthermore, as video is an easy-to-use format, functionality such as padding, pop-up ads and URL redirects become ideal tools of destruction for malware writers. In combination, these issues make malicious coders likely to achieve a high degree of effectiveness with media malware.

The W32/Realor worm, discovered in early November 2006 by McAfee Avert Labs, is a recent incident of media malware. The worm could launch malicious Web sites without user prompting, potentially exposing users to bots or password-stealers loaded onto these sites. Other media malware such as Exploit-WinAmpPLS could silently install spyware with very little user interaction. As video-sharing networks on the Web proliferate, the potential capture of a large audience will incite malware writers to exploit these channels for monetary gain.

More mobile attacks
Mobile threats will continue to grow as platform convergence continues. The use of smartphone technology has played a pivotal role in the threat's transition from multifunction, semi-stationary PCs to palm-sized "wearable" devices. With increased connectivity through Bluetooth, SMS, instant messaging, email, WiFi, USB, audio, video and Web, there are more possibilities for cross-device contamination.

2006 saw efforts by mobile malware authors to achieve PC-to-phone and phone-to-PC infection vectors. The PC-to-phone vector was achieved with the creation of MSIL/Xrove.A, a .NET malware that can infect a smartphone via ActiveSync. Existing phone-to-PC vectors remain primitive in nature at this time, such as infecting via removable memory cards. However, McAfee expects that this next stage

SMiShing, which involves taking the techniques of phishing by email and porting them to SMS (SMiShing instead of phishing), is also expected to increase in prevalence. In August 2006, McAfee Avert Labs received its first sample of a SMiShing attack with VBS/Eliles, a mass mailing worm that also sends short message service (SMS) messages to mobile phones. By the end of September 2006, four variants of the worm had been discovered.

In addition, for-profit mobile malware is expected to increase in 2007. While most of the mobile malware Avert Labs has run across consists of relatively simple Trojan horses, the outlook has changed with the J2ME/Redbrowser Trojan. J2ME/Redbrowser is a Trojan horse program that pretends to access Wireless Access Protocol (WAP) web pages via SMS messages. In reality, instead of retrieving WAP pages, it sends SMS messages to premium-rate numbers, thus costing the user more than intended. A second J2ME Trojan, Wesber, appearing in late 2006, also sends out messages to a premium SMS number.

Late 2006 saw a flurry of spyware offerings in the mobile world. Most are designed to monitor phone numbers and SMS call logs, or to steal SMS messages by forwarding copies to another phone. One spyware program in particular, SymbOS/Flexispy.B, is able to remotely activate the microphone of the victim's device, allowing someone to eavesdrop on that person. Other spyware can activate the camera. McAfee expects the offerings of commercial spyware targeting mobile devices to grow in 2007.

Adware will go mainstream
In 2006, McAfee Avert Labs saw an increase in commercial Potentially Unwanted Programs (PUPs), and an even larger increase in related types of malicious Trojans, particularly keyloggers, password-stealers, bots and backdoors. In addition, misuse of commercial software by malware with remotely controlled deployment of adware, keyloggers and remote control software is on the rise. However, despite the social, legal and technical challenges, there is so much commercial interest in advertising revenue models that McAfee expects to see more legitimate companies using or attempting to use advertising software in ways (hopefully) less objectionable to consumers than most current adware.

Identity theft and data loss will continue to be a public issue
According to the U.S. Federal Trade Commission, approximately 10 million Americans are victims of identity fraud each year. At the root of these crimes is often computer theft, loss of backups or compromised information systems. While McAfee expects the number of victims to remain relatively stable, company disclosures of lost or stolen data, increasing incidents of cyberthefts and hacking into retailer, processor and ATM systems, and reports of stolen laptops that contain confidential data will continue to keep this topic of public concern.

McAfee Avert Labs also predicts that the unauthorized transmission of information will become more of a risk for enterprises in the area of data loss and noncompliance. This includes loss of customer data, employee personal information and intellectual property through possible data leakage channels: applications, networks, and even physical channels such as USB devices, printers, fax and removable storage. McAfee also expects to see an increase in archival and encryption as the data loss prevention (DLP) market matures.

Bots will increase
Bots, computer programs that perform automated tasks, are on the rise, but will move away from Internet Relay Chat (IRC)-based communication mechanisms and towards less obtrusive ones. In the last few years, there has been increasing interest within the virus-writing community in IRC threats. This was due to the power afforded by the IRC scripting language and the ease of coordinating infected machines from a chat-room type of structure.

"Mules" will also continue to be an important aspect in bot-related money making schemes. These are work-at-home type jobs which are offered through very professional-looking websites, through classified ads, and even through instant messaging (IM). These are a crucial part of the reason so many bots are able to be run from places around the globe. In order to get merchandise (often to resell) or cash with stolen credit card credentials, the thieves have to go through more strict regulations if the goods are going to another country. To get around these regulations, they use mules within those originating countries.

Parasitic malware is making a comeback
Even though parasitic malware accounts for less than 10 percent of all malware (90 percent of malware is static), it seems to be making a comeback. Parasitic infectors are viruses that modify existing files on a disk, injecting code into the file where it resides. When the user runs the infected file, the virus runs too. W32/Bacalid, W32/Polip and W32/Detnat are three popular polymorphic parasitic file infectors identified in 2006 that have stealth capabilities and attempt to download Trojans from compromised Web sites.

Also important to note is that 80 percent of all malware is packed, encrypted, or obfuscated, in some attempt to disguise its malicious purpose.

Examples of parasitic infectors that are obfuscated include W32/Bacalid and W32/Polip.
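As an added illustration (not McAfee's or Dark Reading's code), the following Python combines the two defender-side checks implied by the preceding paragraphs: a baseline hash comparison that catches a file altered on disk by a parasitic infector, and a per-window Shannon entropy scan that flags the packed or encrypted regions such infectors carry. The sample "clean" and "infected" files, the 1 KiB window and the 7.0 bits/byte threshold are constructed assumptions, not values from the release.

```python
import hashlib
import math
from collections import Counter

CHUNK = 1024        # bytes per entropy window (assumed)
THRESHOLD = 7.0     # bits/byte; packed or encrypted data sits near 8 (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packed_regions(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD):
    """(offset, entropy) of every window at or above the threshold.
    Plain code and text usually stay well below 7 bits/byte; compressed or
    encrypted payloads approach 8, which is the packing/obfuscation signal."""
    hits = []
    for off in range(0, len(data), chunk):
        e = shannon_entropy(data[off:off + chunk])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_file(data: bytes, baseline_hash: str) -> dict:
    """A hash mismatch against the known-good baseline means the file was
    modified on disk (what a parasitic infector does); high-entropy windows
    show where an injected payload is packed or encrypted."""
    return {
        "modified": sha256_hex(data) != baseline_hash,
        "suspect_regions": packed_regions(data),
    }


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for a
    packed payload, so the example runs offline and reproducibly."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample files: a low-entropy "clean" executable and the same
# file with a high-entropy 1 KiB block appended, as a file infector might do.
CLEAN = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40)[:CHUNK]
BASELINE = sha256_hex(CLEAN)
INFECTED = CLEAN + pseudo_random(CHUNK)

if __name__ == "__main__":
    print("clean   :", check_file(CLEAN, BASELINE))
    print("infected:", check_file(INFECTED, BASELINE))
```

Run against real binaries, a baseline built from a known-good install is what turns the hash check into an integrity monitor; the entropy scan alone only says "looks packed", which legitimate compressed installers also do.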

Earlier this month, McAfee Avert Labs also tracked and monitored the payload deployed by W32/Kibik.a, a parasitic infector installed through a zero-day exploit. Against the rootkit heuristics, behavioral detection and IP blacklists that have been the talk of the (security) town in recent years, W32/Kibik.a makes an interesting attempt to survive in today's competitive environment. From silent installation via a zero-day exploit, to silent residence and operation, to a virtually silent and innocent-looking Google search, W32/Kibik.a could well be the start of a new trend for 2007 in scalable, remotely controlled malware (a.k.a. botnets). It is no wonder that, with its stealthy elements, few security vendors to date have detected or repaired W32/Kibik.a.

Rootkits will increase on 32-bit platforms, but protection and remediation capabilities will increase as well
On 64-bit platforms, particularly Vista, malware trends are difficult to predict pending uptake rates for the 64-bit platform, but in general McAfee Avert Labs expects:

A reduction in kernel-mode rootkits, at least in the short-term, while malware authors invent new techniques designed to subvert PatchGuard

An increase in user-mode rootkits, and user-mode malware in general, or at least a higher impact of 64-bit malware, as the more advanced heuristic and behavioral techniques provided by the most advanced security software are themselves hindered by PatchGuard. This state will persist at least until Vista Service Pack 1, when new APIs are introduced by Microsoft, and likely longer, depending on the amount of re-engineering required by security vendors and the uptake rate of SP1.

Vulnerabilities continue to cause concern
The number of disclosed vulnerabilities is expected to rise in 2007. Thus far in 2006, Microsoft has announced 140 vulnerabilities through its monthly patch program. McAfee Avert Labs expects this number to grow due to the increased use of fuzzers, which allow for large-scale testing of applications, and due to the bounty programs that reward researchers for finding vulnerabilities. This year to date, Microsoft has already patched more critical vulnerabilities than in 2004 and 2005 combined. By September 2006, the combined 2004 and 2005 total of 62 critical vulnerabilities had already been surpassed.

McAfee Avert Labs has also noted a trend in zero-day attacks following Microsoft's monthly patch cycle. Since the patches are issued only once per month, this encourages exploit writers to release zero-day Microsoft exploits soon after a month's Patch Tuesday to maximize the vulnerability's window of exposure.

McAfee Avert Labs' Recommendation
To protect against the above threats and malicious programs, McAfee Avert Labs recommends that both enterprises and consumers constantly stay updated with the latest Data Definition Files (DATs), install the latest patches and implement a multi-layered approach to detecting and blocking attacks. For more information on particular threats, or to learn more about cutting-edge security research and opinions, please visit the McAfee Avert Labs Security Blog at http://www.avertlabs.com/research/blog/. McAfee Avert Labs maintains one of the top-ranked security threat and research organizations in the world, employing researchers in seventeen cities and twelve countries. McAfee Avert Labs combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise.

McAfee Inc. (NYSE: MFE)
