By any measure, 2009 was a challenging year for Internet security.
Take spam. Usually thought of as merely annoying email, spam in 2009 proved that it could be dangerous as well. According to Symantec researchers, between September and October 2009 there was a ninefold increase in the number of spam emails that had malware attached.
Also, attacks on social networking sites increased significantly. 2009 was the year that attacks against both social networking sites and the users of those sites became standard practice for criminals.
There was also the rise of so-called “rogue” security software. Symantec identified 250 distinct misleading applications that pretended to be legitimate security software but which actually provided little or no protection and even infected computers with the very malware it purported to protect against.
Recently, a panel of Symantec researchers was convened to review the top Internet security trends in 2009 and to make predictions about 2010. This article summarizes their findings.
In terms of numbers alone, 2009 was unprecedented. There were 403 data breaches in the year, resulting in 220 million exposed records. In one two-month period, Symantec observed 17.4 million drive-by download infection attempts. In May, 95% of all email was spam. In the course of the year, Symantec received reports of 43 million rogue security software installation attempts.
There were some anachronisms, too. The Conficker worm brought back memories of the old-school, large-scale threats from years past. It served as a reminder that while mass-distributed threats of this nature are rare these days, they’re by no means extinct.
Among the other standout trends of 2009:
- Ready-made malware. 2009 saw malware become easier than ever to create. This was largely due to the availability of user-friendly toolkits that enable even novice hackers to create malware and botnets. Many ready-made threats are in reality a conglomeration of components from other, more established malware.
- Bot networks surge. Bot networks are quickly becoming the foundation of all cyber crime. Symantec has observed that the majority of today’s malware contains a bot command and control channel. In 2009, botnet designers expanded their horizons by using social networking sites as communication channels.
- The rise of polymorphic threats. Polymorphic threats are those in which every instance of the malware is slightly different from the one before it. The automated changes made to each instance’s code do not alter the malware’s functionality, but they render traditional antivirus detection technologies all but useless against it.
- Current events leveraged more than ever. NCAA March Madness, the H1N1 flu, the crash of Air France Flight 447, the death of Michael Jackson, and Tiger Woods’ car accident: these events, along with countless others, were used by malware authors and spammers in 2009 to try to lure unsuspecting Internet users into downloading malware, buying products, and falling for scams.
- Data breaches continue. Well-meaning insiders continue to represent the bulk of data loss incidents, with 88% of all such incidents caused by insiders such as employees and partners, according to The Ponemon Institute. There are rising concerns, however, about malicious data loss: 59% of ex-employees admitted that they took company data when they left their jobs, according to another Ponemon study.
The researchers agreed that while the threat landscape in 2009 was “ugly,” it would likely pale in comparison to what transpires in 2010. Here’s what they want everyone to be on the lookout for as the new decade gets under way:
- Antivirus is not enough. With the rise of polymorphic threats and the explosion of unique malware variants in 2009, it’s becoming clear that traditional approaches to antivirus (both file signatures and heuristic/behavioral capabilities) are not enough to protect us. Nor does it make sense to focus solely on analyzing malware. Instead, new approaches to security, such as reputation-based security, will be key in 2010.
- Social engineering as the primary attack vector. More attackers are now going directly after end users and attempting to trick them into downloading malware or divulging sensitive information under the guise that they are doing something perfectly innocent. Social engineering’s popularity is at least in part spurred by the fact that it is the user who is being targeted, not necessarily vulnerabilities on his or her computer. The number of attempted attacks using social engineering techniques is sure to increase in 2010.
- Rogue security software vendors will escalate their efforts. In 2010, expect to see the propagators of rogue security software scams take their efforts to the next level, even by hijacking users’ computers, rendering them useless and holding them for ransom.
- Third-party social networking applications will be the target of fraud. With popular social networking sites set for another year of unprecedented growth, expect fraud against site users to grow as well. Also, as these sites more readily provide third-party developers with access to their APIs, attackers will likely turn to vulnerabilities in third-party applications to get at users’ social networking accounts.
- Windows 7 will come under attack. Microsoft has already released the first security patches for the new operating system. As Windows 7 hits the pavement and gains traction in 2010, attackers will undoubtedly find ways to exploit its users.
- Fast flux botnets will increase. “Fast flux” is a technique used by some botnets to hide phishing and malicious Web sites behind an ever-changing network of compromised hosts acting as proxies. Using a combination of peer-to-peer networking, distributed command and control, Web-based load balancing, and proxy redirection, it makes the botnet’s geographic origin difficult to trace. As industry countermeasures continue to reduce the effectiveness of traditional botnets, expect to see this technique used to carry out attacks.
- Mac and mobile malware will proliferate. The number of attacks designed to exploit a certain operating system or platform is directly related to that platform’s market share, as malware authors are out to make money and always want the biggest bang for their buck. As Macintosh and smartphones continue to increase in popularity in 2010, more attackers will create malware to exploit these devices.
- Instant messaging spam. Symantec expects that IM threats will increasingly comprise unsolicited spam messages containing malicious links, especially attacks aimed at compromising legitimate IM accounts. By the end of 2010, Symantec predicts that one in 300 IM messages will contain a URL.
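The fast flux description above gives a defender a concrete signal to look for: a hostname whose successive DNS answers keep changing. As an added example (not code from the original article or from Symantec), the following Python heuristic scores two consecutive lookups of a host on short TTLs, address diversity across networks, and churn between answers. The sample snapshots, the thresholds, and the use of the /16 prefix as a crude stand-in for network ownership are all assumptions made for illustration.

```python
# Added example: heuristic fast-flux scoring over constructed DNS snapshots.
# Thresholds and the /16-prefix proxy for "different network" are assumptions.

# Constructed sample: two A-record answers for the same host, minutes apart.
# Addresses are from documentation ranges and are made up for illustration.
FLUX_SNAPSHOTS = [
    {"ttl": 180, "ips": ["198.51.100.7", "203.0.113.22", "192.0.2.91",
                         "198.51.100.150", "203.0.113.200"]},
    {"ttl": 180, "ips": ["192.0.2.14", "203.0.113.77", "198.51.100.9",
                         "192.0.2.233", "203.0.113.22"]},
]
# Constructed sample: an ordinary site with a stable, long-lived answer.
STABLE_SNAPSHOTS = [
    {"ttl": 86400, "ips": ["192.0.2.10", "192.0.2.11"]},
    {"ttl": 86400, "ips": ["192.0.2.10", "192.0.2.11"]},
]


def prefix16(ip):
    """Crude network key: first two octets (a real tool would use ASN data)."""
    return ".".join(ip.split(".")[:2])


def flux_score(snapshots, max_ttl=600, min_ips=4, min_prefixes=3, min_churn=0.5):
    """Return (score 0..4, reasons) describing how fast-flux-like the answers are."""
    reasons = []
    unique_ips = {ip for snap in snapshots for ip in snap["ips"]}
    if max(snap["ttl"] for snap in snapshots) <= max_ttl:
        reasons.append("short TTL")
    if len(unique_ips) >= min_ips:
        reasons.append("many distinct addresses")
    if len({prefix16(ip) for ip in unique_ips}) >= min_prefixes:
        reasons.append("addresses spread across networks")
    # Churn: fraction of each answer's addresses not seen in the previous answer.
    churn = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        new = set(cur["ips"]) - set(prev["ips"])
        churn.append(len(new) / len(cur["ips"]))
    if churn and sum(churn) / len(churn) >= min_churn:
        reasons.append("high churn between lookups")
    return len(reasons), reasons


def is_fast_flux(snapshots, min_score=3):
    """Flag a host when most of the fast-flux indicators are present."""
    return flux_score(snapshots)[0] >= min_score
```

Feeding real resolver logs into `flux_score` would let a SOC surface candidate domains for review rather than block on this heuristic alone.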
While the security challenges of 2009 were daunting, and 2010 promises no letup of criminal activity, there are reasons for hope, the researchers agreed. For example, the global cooperation needed to catch criminals who move “virtually” across borders is starting to happen. The FBI’s Operation Phish Phry, a multinational investigative effort, is an example of the security industry working together to thwart cybercrime.
Plus, new approaches to security are emerging. In particular, Symantec expects reputation-based security to be a significant factor in blocking malware in 2010. This technology, called Quorum, leverages the anonymous software usage patterns of millions of Symantec users to automatically identify new threats. By providing users and enterprises with more insight and enabling better decision-making, reputation-based technology brings a whole new approach to securing endpoints.