Such attacks may be associated with advanced persistent threats (APTs) similar to Aurora. Greve noted that the publicity surrounding Aurora did sensitise people to such threats, leading to a threefold increase in the number of suspect URLs submitted to McAfee.
The basic lifecycle of an APT goes like this:
research the intended victim (online and offline);
deliver an attack using multiple vectors;
evade detection after installation, e.g. by transmitting data when the network is busiest;
gain intelligence and access to related systems;
leave no evidence behind so the victim can't tell what data was copied or modified; and
use the collected information to launch further attacks.
Another active area is fake AV software, also known as scareware: it is designed to scare people into buying a product to 'clean up' malware that isn't present on their systems, and the 'product' may itself install malware while charging victims for the privilege. The incidence of password-stealing malware is also growing.
Some patterns can be seen around particular threat categories. "Fridays are kind of a hot time [for malware delivery]," said Greve. Malware distributors are responding to security companies' success in blocking sites by activating the servers for short periods at a time. The idea is to fool researchers into thinking the sites have already been taken down.
A different pattern applies to phishing - see page 2.
SQL injection attacks still "happen all the time," she said. The top originating countries for such attacks are the US and China, but Australia also makes the top ten.
And good old-fashioned spam still accounts for around 90% of all emails. (You're probably not seeing nine spams for every good message because it is filtered at various points along the route.) Greve noted that spam traffic has a significant carbon footprint.
Talking of scale, botnets make up the largest 'clouds' on the planet. According to Greve, Amazon's cloud has 160,000 systems with 320,000 CPUs, and 500Gbps of bandwidth. Google has 500,000 systems, one million CPUs, and 1500Gbps of bandwidth. Both sound impressive, but pale in comparison with Conficker, which comprises 6.4 million systems with 18 million CPUs and 28Tbps of bandwidth, she said.
Ultimately, malware is all about money. "As long as it is profitable, people will keep doing it," said Greve.
What's ahead? She predicts we will face more blended threats using multiple attack vectors, and that advanced persistent threats will target individuals in their own right, not just in their corporate roles.
Please read on for a scenario.
What more can security companies do to help protect their customers? Greve noted that the more generically McAfee can detect a particular type of malware, the harder it is for the bad guys to evade detection. A trivial example is that if anti-malware merely tried to recognise a file as it arrived or was opened, changing the way the malware was packed would be enough to bypass the defences. But security software is able to unpack files, so more substantial changes are needed to avoid recognition. The further up the hierarchy that detection occurs, the more work malware writers must put in to create new versions that can slip through.
Greve also noted that the increased use of anomaly detection could reduce the amount of malware that's successfully delivered. For example, an email filtering system might consider which IP addresses are usually associated with emails from the purported originating domain and sender, and whether the sender typically emails the recipient. You probably wouldn't want to block a message just because it was the first one between the sender and recipient (it could be from a potential new customer, or from an old customer with a new email address following a merger), but it shouldn't hurt to take a closer look at a message that is out of the ordinary.
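As an added illustration of the kind of sender-anomaly check described above (example code written for this article, not McAfee's product or any code Greve presented), the script below builds a baseline from a constructed mail history of which networks each domain and sender have previously used and which sender/recipient pairs have been seen, then scores new messages. A known domain arriving from a network it has never used scores highest; a first contact between two addresses scores, but on its own stays below the assumed threshold, so it is delivered rather than blocked. The history records, the IP addresses (documentation ranges), the scoring weights and the threshold are all assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed history of past legitimate mail (sender, recipient, sending network).
# Invented for this example; a real filter would build this from its own logs.
HISTORY = [
    ("billing@supplier.example", "ap@ourcorp.example", "203.0.113.0/24"),
    ("billing@supplier.example", "ceo@ourcorp.example", "203.0.113.0/24"),
    ("sales@supplier.example", "ap@ourcorp.example", "203.0.113.0/24"),
    ("alice@partner.example", "bob@ourcorp.example", "198.51.100.7/32"),
    ("carol@partner.example", "bob@ourcorp.example", "198.51.100.9/32"),
]

# Score at or above which a message is diverted for deeper inspection (assumed threshold).
CLOSER_LOOK_THRESHOLD = 2


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


class SenderBaseline:
    """Who usually mails whom, and from which networks, built from past traffic."""

    def __init__(self, records):
        self.domain_nets = defaultdict(list)   # domain -> networks it has sent from
        self.sender_nets = defaultdict(list)   # sender -> networks that sender has used
        self.pairs = set()                      # (sender, recipient) pairs seen before
        for sender, recipient, net in records:
            sender, recipient = sender.lower(), recipient.lower()
            network = ip_network(net, strict=False)
            self.domain_nets[domain_of(sender)].append(network)
            self.sender_nets[sender].append(network)
            self.pairs.add((sender, recipient))

    @staticmethod
    def _seen_from(networks, ip):
        return any(ip in net for net in networks)

    def assess(self, sender, recipient, source_ip):
        """Return a dict with an anomaly score, the reasons, and the resulting action.

        The action is never 'block': anomalies only decide whether the message
        gets a closer look (e.g. full attachment/URL scanning) before delivery.
        """
        sender, recipient = sender.lower(), recipient.lower()
        ip = ip_address(source_ip)
        domain = domain_of(sender)
        score, reasons = 0, []

        if domain in self.domain_nets:
            if not self._seen_from(self.domain_nets[domain], ip):
                # Known domain arriving from a network it has never used: the
                # classic shape of a spoofed or hijacked sender.
                score += 2
                reasons.append(f"{source_ip} has never sent mail for {domain}")
            elif sender in self.sender_nets and not self._seen_from(self.sender_nets[sender], ip):
                # One of the domain's networks, but not one this sender has used before.
                score += 1
                reasons.append(f"{source_ip} is new for {sender}")
        else:
            reasons.append(f"no history for {domain}; sending IP cannot be judged")

        if (sender, recipient) not in self.pairs:
            # First contact is worth noting but, on its own, stays below the threshold.
            score += 1
            reasons.append(f"first message from {sender} to {recipient}")

        action = "closer look" if score >= CLOSER_LOOK_THRESHOLD else "deliver"
        return {"score": score, "action": action, "reasons": reasons}


if __name__ == "__main__":
    baseline = SenderBaseline(HISTORY)
    samples = [  # constructed messages: (sender, recipient, source IP)
        ("billing@supplier.example", "ap@ourcorp.example", "203.0.113.25"),
        ("billing@supplier.example", "ap@ourcorp.example", "192.0.2.9"),
        ("newcustomer@startup.example", "sales@ourcorp.example", "192.0.2.50"),
        ("alice@partner.example", "bob@ourcorp.example", "198.51.100.9"),
    ]
    for msg in samples:
        verdict = baseline.assess(*msg)
        print(msg[0], "->", msg[1], "from", msg[2], "=>", verdict["action"], verdict["reasons"])
```

Run as-is, the second sample (a known supplier domain mailing from an IP it has never used) is the only one that earns a closer look; the new customer from an unknown domain and the first-time pair are delivered, with the reasons recorded so a later stage can weigh them alongside attachment and URL scanning.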
Disclosure: The writer travelled to Las Vegas as the guest of McAfee.