
Future Watch: ISTR XII 

Sep 21, 2007 03:00 AM

The Future Watch section of the latest Symantec Internet Security Threat Report discusses the changing threat landscape, and presents some issues that Symantec believes will emerge in the next six to eighteen months. Four key points were made this time: malicious activity in virtual worlds, evasion processes used by malicious code, hiding the origin of attacks, and new uses for bots.

Massively multiplayer online games (MMOGs) are becoming increasingly popular. Originally, these types of games were mainly populated by more experienced computer users, but as they grow in popularity, more and more casual users are beginning to participate. These types of users are more likely to be exploited by scammers due to their lack of experience. As more of these kinds of players participate in MMOGs, scammers may increasingly target them.

Moreover, some online games allow "real money transactions," where in-game items and currency can be exchanged for real money. Since these transactions are typically very small, they often aren't tracked. As such, criminals can use this type of transaction to hide money transfers from monitoring agents. This can be used to launder money that has been obtained through other avenues.

Attackers have recently started implementing several strategies to help evade detection. Traditionally, attackers used strategies such as polymorphism, metamorphism, and packing to hide their code, but antivirus engines are increasingly able to detect these. As a result, attackers have moved on to new methods. For example, some threats are delivered via Web servers that will only serve a single copy of the script to a given IP address, which typically means that it can only be downloaded once in a given location. This makes it difficult for security researchers to analyze the code. Additionally, these types of Web servers can specifically block security and antivirus research companies, which makes it difficult to even obtain a copy to analyze.

A special type of polymorphism and metamorphism, occasionally called x-morphism, is a strategy where the morphing engine isn't present in the code, but resides instead on a Web server. By hiding the code used for morphing the threat, detecting morphed threats is more difficult than it would otherwise be. Additionally, the Web server may have access to the source code of the threat, so the higher-level language can be morphed instead of the outputted machine code. This type of code, coupled with servers that will only serve the code to each address once, can make the analysis of malicious code very difficult.

Attackers are increasingly finding ways to launch attacks while hiding their attack origin. One place where this can be done is through Web-based proxies, where one Web site displays content copied from another site. For example, various translation pages, ad-serving sites, and various so-called "mash-ups" pull content together from multiple sources. As such, the different sources are potentially able to modify each other or modify the site that they're displayed on, which can allow for some unintended consequences.

A tool known as Jikto recently emerged, which is able to run penetration tests against Web sites from JavaScript code in the user's browser. Because the penetration attempts originate from a user's browser, not the server itself, it is extremely difficult for the victim being attacked to trace it back to the originating Web site.

In the past, bots have frequently been among the first types of malicious code to implement new "features." This is likely because most bots can be automatically updated and tested with new code, so systems don't have to be re-infected. One such feature is the ability to hijack browsers for the purposes of committing click-fraud. Instead of an automated script making connections that artificially inflate a page's ranking, bots can make it appear that a user is doing it, making detection and prevention much more difficult. Additionally, bots are increasingly committing client-side phishing attacks by redirecting users to malicious Web sites when attempting to go to the Web sites of banks or other financial institutions.

For more information on future trends or other security-related information, please see Volume XII of Symantec's Internet Security Threat Report.
