Friday, 22 October 2010 15:39

Windows threat trends: the view from McAfee


What are the threats currently facing Windows users? McAfee has some answers to this question, and its advice includes being especially watchful for phishing attempts at the end of each quarter.

Paula Greve, director of web security research at McAfee, told attendees at the company's Focus 2010 security conference that McAfee is currently seeing very targeted attacks being delivered to specific individuals within organisations via personally addressed emails that appear to have relevance to the victims, for example by including references to their organisational roles. Another method is to send messages via social networks or media that provide an appropriate context. One example might be that if someone posted a set of photos of a particular location, an attacker might send a message (possibly masquerading as a friend) reading 'here's an angle you missed' followed by a malicious link.

Such attacks may be associated with advanced persistent threats (APTs) similar to Aurora. Greve noted that the publicity surrounding Aurora did sensitise people to such threats, leading to a threefold increase in the number of suspect URLs submitted to McAfee.

The basic lifecycle of an APT goes like this:
research the intended victim (online and offline);
deliver an attack using multiple vectors;
evade detection after installation, eg by transmitting data when the network is busiest;
gain intelligence and access to related systems;
leave no evidence behind so the victim can't tell what data was copied or modified; and
use the collected information to launch further attacks.

Another active area is fake AV software, also known as scareware because it is designed to scare people into buying a product to 'clean up' malware that isn't present on their systems. The fake product might itself install malware while charging victims for the privilege. The incidence of password-stealing malware is also growing.

Some patterns can be seen around particular threat categories. "Fridays are kind of a hot time [for malware delivery]," said Greve. Malware distributors are responding to security companies' success in blocking sites by activating the servers for short periods at a time. The idea is to try to fool researchers into thinking the sites have already been taken down.


A different temporal pattern can be seen in phishing attacks, where the number of new phishing sites peaks at the end of each quarter. Presumably the idea is that people are so busy at such times (eg, salespeople racing to make quota) that they might not be quite as careful as usual, increasing the success rate of phishing campaigns.

SQL injection attacks still "happen all the time," she said. The top originating countries for such attacks are the US and China, but Australia also makes the top ten.

And good old-fashioned spam still accounts for around 90% of all emails. (You're probably not seeing nine spams for every good message as it is being filtered at various points along the route.) Greve noted that spam traffic has a significant carbon footprint.

Talking of scale, botnets make up the largest 'clouds' on the planet. According to Greve, Amazon's cloud has 160,000 systems with 320,000 CPUs, and 500Gbps of bandwidth. Google has 500,000 systems, one million CPUs, and 1500Gbps of bandwidth. Both sound impressive, but pale in comparison with Conficker, which comprises 6.4 million systems with 18 million CPUs and 28Tbps of bandwidth, she said.

Ultimately, malware is all about money. "As long as it is profitable, people will keep doing it," said Greve.

What's ahead? She predicts we will face more blended threats using multiple attack vectors, and that advanced persistent threats will target individuals in their own right, not just in their corporate roles.


Greve sketched out a scenario where people sign up for a newsletter dealing with a particular health issue. The mailing list is then sold to someone that uses a botnet to spam the list with malware (either attached to the email, or delivered via a URL contained in the message). That malware scrapes the person's name and other details from social networking and other sites, and the collected information is then used to compromise the individuals concerned.

What more can security companies do to help protect their customers? Greve noted that the more generically McAfee can detect a particular type of malware, the harder it is for the bad guys to evade detection. A trivial example is that if anti-malware merely tried to recognise a file as it arrived or was opened, changing the way the malware was packed would be enough to bypass the defences. But security software is able to unpack files, so more substantial changes are needed to avoid recognition. The further up the hierarchy that detection occurs, the more work malware writers must put in to create new versions that can slip through.
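To make the layering argument concrete, here is an added example (not from the article and not McAfee's code) that runs three detection layers of increasing generality over a constructed sample: a hash of the file as it arrives, a hash of the file after unpacking, and a generic content pattern. The sample bytes, the toy "packer" (plain zlib compression) and the pattern are all constructed for the demonstration.

```python
"""Added example, not from the article or any McAfee product: three detection
layers of increasing generality, showing why a repacked sample slips past a
file-hash signature but not an unpacking or generic-pattern layer.
Sample bytes, the toy packer (zlib) and the pattern are constructed."""
import hashlib
import zlib

# Constructed stand-in for a known malicious file body (not a real sample).
KNOWN_SAMPLE = b"MZ...fake-malware-body...beacon=http://EXAMPLE-C2.invalid/cmd"

# Layer 1: exact-file signatures, i.e. the hash of the bytes as they arrive.
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Layer 3: a generic content pattern shared by a whole family (constructed).
GENERIC_PATTERNS = [b"beacon=http://"]


def pack(data: bytes) -> bytes:
    """Toy packer: compressing changes the on-disk bytes and so the hash."""
    return zlib.compress(data)


def try_unpack(blob: bytes):
    """Attempt to unpack a blob; None if it is not (toy-)packed."""
    try:
        return zlib.decompress(blob)
    except zlib.error:
        return None


def detect(blob: bytes) -> str:
    """Return the most specific layer that recognises the blob, or 'clean'.

    Layer 1 (file hash) is defeated by repacking alone.
    Layer 2 (hash after unpacking) forces the author to change the payload.
    Layer 3 (generic pattern) forces a change to what the family does."""
    if hashlib.sha256(blob).hexdigest() in KNOWN_HASHES:
        return "hash"
    inner = try_unpack(blob)
    if inner is not None and hashlib.sha256(inner).hexdigest() in KNOWN_HASHES:
        return "unpacked-hash"
    for candidate in (blob, inner or b""):
        if any(p in candidate for p in GENERIC_PATTERNS):
            return "generic-pattern"
    return "clean"


def demo() -> dict:
    """Run the layers over the original, a repacked copy, a modified
    same-family variant and a benign file; return which layer caught each."""
    repacked = pack(KNOWN_SAMPLE)
    # Same family, new payload bytes: both hash layers miss, the pattern hits.
    variant = pack(KNOWN_SAMPLE.replace(b"/cmd", b"/cmd2"))
    benign = pack(b"hello world, nothing to see here")
    return {
        "original": detect(KNOWN_SAMPLE),
        "repacked": detect(repacked),
        "variant": detect(variant),
        "benign": detect(benign),
    }


if __name__ == "__main__":
    for name, layer in demo().items():
        print(f"{name:9s} -> {layer}")
```

Each step up the hierarchy costs the malware author more: a repack defeats only the first layer, a changed payload defeats the second, and only a change to the family's shared behaviour defeats the third.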

Greve also noted that the increased use of anomaly detection could reduce the amount of malware that's successfully delivered. For example, an email filtering system might consider which IP addresses are usually associated with emails from the purported originating domain and sender, and whether the sender typically emails the recipient. You probably wouldn't want to block a message just because it was the first one between the sender and recipient (it could be from a potential new customer, or from an old customer with a new email address following a merger), but it shouldn't hurt to take a closer look at a message that is out of the ordinary.
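The following is an added example of the kind of baseline-and-anomaly check just described; it is not from the article or any McAfee product. It learns which sending IPs are usual for a domain and which sender/recipient pairs have corresponded before, then scores a new message. The message history, addresses, IPs and the score thresholds are all constructed assumptions; a first-ever contact on its own only earns logging, in line with the caveat above.

```python
"""Added example, not from the article or any McAfee product: a small
baseline-and-anomaly check for inbound mail. History, addresses, IPs and
the weights/thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str      # header From address as presented to the recipient
    recipient: str
    source_ip: str   # address of the connecting MTA


@dataclass
class Baseline:
    ips_for_domain: dict = field(default_factory=lambda: defaultdict(set))
    pair_count: dict = field(default_factory=lambda: defaultdict(int))

    def learn(self, msg: Message) -> None:
        """Record a legitimate, delivered message in the baseline."""
        self.ips_for_domain[domain_of(msg.sender)].add(msg.source_ip)
        self.pair_count[(msg.sender, msg.recipient)] += 1


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


# Assumed weights: an IP never seen for the purported domain is a stronger
# signal than a first contact, which legitimately happens all the time.
WEIGHTS = {"unknown-ip": 2, "first-contact": 1}


def assess(baseline: Baseline, msg: Message) -> dict:
    """Return anomaly reasons, a score and a recommended action.

    Score 0: deliver.  Score 1 (first contact only): deliver but log it.
    Score 2 or more: hold for a closer look rather than silently block."""
    reasons = []
    known_ips = baseline.ips_for_domain.get(domain_of(msg.sender))
    # Only meaningful once the domain has history; a new domain has no IP baseline.
    if known_ips and msg.source_ip not in known_ips:
        reasons.append("unknown-ip")
    if baseline.pair_count.get((msg.sender, msg.recipient), 0) == 0:
        reasons.append("first-contact")
    score = sum(WEIGHTS[r] for r in reasons)
    if score == 0:
        action = "deliver"
    elif score == 1:
        action = "deliver-and-log"
    else:
        action = "hold-for-review"
    return {"score": score, "reasons": reasons, "action": action}


def build_baseline() -> Baseline:
    """Constructed history: partner.example mails corp.example from one MTA."""
    b = Baseline()
    for _ in range(3):
        b.learn(Message("alice@partner.example", "bob@corp.example", "198.51.100.10"))
    b.learn(Message("carol@partner.example", "bob@corp.example", "198.51.100.10"))
    return b


def demo() -> dict:
    """Score four constructed incoming messages against the baseline."""
    b = build_baseline()
    cases = {
        # Usual sender, usual IP, usual recipient.
        "routine": Message("alice@partner.example", "bob@corp.example", "198.51.100.10"),
        # Known partner domain and IP, but a pair that has never corresponded.
        "new-pair": Message("carol@partner.example", "dave@corp.example", "198.51.100.10"),
        # Familiar pair, but the mail arrives from an IP never seen for that domain.
        "odd-origin": Message("alice@partner.example", "bob@corp.example", "203.0.113.7"),
        # Entirely new domain: no IP baseline exists, so only first contact fires.
        "new-customer": Message("eve@newcustomer.example", "bob@corp.example", "192.0.2.5"),
    }
    return {name: assess(b, m)["action"] for name, m in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:13s} -> {action}")
```

The "odd-origin" case is the one the article's example is aimed at: a familiar sender address arriving from an unfamiliar source for that domain is worth a closer look even though the pair has a long history, whereas a genuinely new correspondent is merely logged.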

Disclosure: The writer travelled to Las Vegas as the guest of McAfee.





Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
