Security Response

ISTR – Future Watch

Created: 29 Sep 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:56:23 GMT
Dave Cole

Now that everyone else has done the hard work of compiling the stats and the 100+ page report, it’s time for a glance at the tea leaves. (Typical product manager.) ;-) This post is a very abbreviated recap of the Future Watch section of the latest ISTR, which looks at the short-term horizon and what we think some of the main issues will be. This isn’t the “toaster is infected with a worm which jumped there from a flawed RFID chip” type of stuff; rather, it’s the patterns that we see forming that are either right around the corner or are already showing signs of being a clear trend. Your toaster is safe for now. :-)

While the ISTR report itself discusses both Windows Vista and Web 2.0 issues in the Future Watch section, I’m going to pass on those topics here, as we’ve already provided in-depth coverage of both in previous blogs. (You can find these blogs in the "Emerging" section of the Security Response Weblog, under Oliver Friedrich’s posts and my own.)

Malware evasion games

Alright, this might not be new information for a lot of you, but malware of all sorts is headed in the direction of extreme stealth. Nor should it be a shocking revelation that a large portion of new malware is packed (at least once, if not twice) so that the bytes on disk no longer match signatures written for the unpacked code. As a result of malware authors’ desire to remain hidden, a few trends are becoming clear (other than rootkits, which have already been covered ad nauseam). Two of the big ones that spring to mind are a resurgence in polymorphic threats and the increasing use of encryption.

For the “uptick” in polymorphism, look no further than Detnat in March and Polip in April. Or how about Bacalid, which made the rounds this month. Polymorphic threats can be very tricky to defend against because they “shed their skin” with each instance: every copy carries a differently encoded body and a mutated decoder, so a fixed byte signature written for one copy misses the next, forcing AV vendors to break out their finest skills and technology in order to block, detect, and remove them. In the past, one of the things that restricted the pace at which polymorphic threats emerged was that they are not easy for malware authors to write. Nonetheless, given the amount of recent activity, it looks like creating polymorphic threats isn’t as daunting a task as it used to be. Also, given malware authors’ desire to evade detection for as long as possible, we expect to see this as a weapon in their arsenal for some time to come.

The amount of malware using some form of cryptography is also on the rise. Sometimes it’s used to protect communications, as some bots do to avoid being snooped on when they would otherwise talk in plaintext over IRC. Other times it’s used to hide the threat itself and stubbornly resist removal, as in the case of Trojan.LinkOptimizer, which uses the Windows Encrypting File System (EFS) to defend its position on an infected system. It’s also common to see the infecting exploit code (especially JavaScript) use some form of obfuscation or encryption. All told, encryption routines are not as challenging for attackers to implement as polymorphism, and they can be used in many ways to make our lives more difficult, both when we’re trying to keep threats off of systems and when we’re scrubbing them off once they’ve burrowed into an infected host.
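To make the evasion point concrete, here is an added worked example. It is not code from the ISTR or from this post, and it does not reproduce any of the threats named above: a toy packer (SHA-256 in counter mode as a throwaway keystream) stands in for a real polymorphic engine, the payload bytes, the signature string and the keys are all constructed for the demo, and the entropy window and threshold are tuning assumptions. It shows the two sides of the problem: the same body re-encoded under a fresh key per copy no longer matches a literal byte signature, yet the encoded region still gives itself away as a run of high-entropy bytes, which is one of the cheap triage signals analysts use against packed or encrypted samples (and, for the same reason, against obfuscated exploit script).

```python
"""Added illustration (not code from the ISTR or from any threat named in this
post): a toy packer that re-encodes the same body under a fresh key for each
copy, the byte signature that consequently stops matching, and the entropy
check that still flags the encoded region. Payload, signature and keys are
constructed for the demo."""
import hashlib
import math
import os
from collections import Counter
from typing import List, Optional, Tuple

KEY_LEN = 16

# Constructed stand-in for a malware body: a DOS-stub string repeated, then a
# run of zero padding. Low entropy, like most unpacked code and data.
SAMPLE_PAYLOAD = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 8
                  + b"\x00" * 64)
# A literal byte pattern a naive signature might key on (chosen for the demo).
SIGNATURE = b"cannot be run"


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks, concatenated. This
    stands in for whatever a real packer uses; it is not a recommended design."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(body: bytes, stream: bytes) -> bytes:
    """XOR body with an equal-length stream; XOR is its own inverse."""
    return bytes(b ^ s for b, s in zip(body, stream))


def generate_instance(body: bytes, key: Optional[bytes] = None) -> bytes:
    """Emit one 'skin': a fresh key followed by the body encoded under it.
    A real polymorphic engine also rewrites its decoder stub; here the stub
    is just the stored key, which is enough to show why static bytes miss."""
    key = os.urandom(KEY_LEN) if key is None else key
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return key + xor_bytes(body, keystream(key, len(body)))


def unpack_instance(instance: bytes) -> bytes:
    """What the decoder stub does at run time: recover the original body."""
    key, encoded = instance[:KEY_LEN], instance[KEY_LEN:]
    return xor_bytes(encoded, keystream(key, len(encoded)))


def signature_hits(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive static detection: does the literal pattern occur in the bytes?"""
    return signature in sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 256) -> List[Tuple[int, float]]:
    """Per-window (offset, bits). Packed or encrypted regions show up as
    sustained high values; treat this as a triage signal, not a verdict."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def looks_packed(data: bytes, window: int = 256, threshold: float = 6.5) -> bool:
    """Heuristic: any window at or above the threshold. The numbers are tuning
    assumptions; compressed media and legitimate crypto also score high."""
    return any(bits >= threshold for _, bits in entropy_profile(data, window))


if __name__ == "__main__":
    first = generate_instance(SAMPLE_PAYLOAD)
    second = generate_instance(SAMPLE_PAYLOAD)
    print("two instances of the same body differ:", first != second)
    print("signature hits plaintext:", signature_hits(SAMPLE_PAYLOAD))
    print("signature hits packed copies:", signature_hits(first), signature_hits(second))
    print("unpacking restores the body:", unpack_instance(first) == SAMPLE_PAYLOAD)
    print("entropy plaintext %.2f vs packed %.2f"
          % (shannon_entropy(SAMPLE_PAYLOAD), shannon_entropy(first)))
    print("looks packed? plaintext:", looks_packed(SAMPLE_PAYLOAD),
          "packed copy:", looks_packed(first))
```

The caveat in the last function is the one that matters in practice: high entropy says “something is hiding here,” not “this is malware.” Installers, media files and anything that legitimately ships compressed or encrypted score just as high, so the signal earns its keep as a triage filter feeding emulation or unpacking, not as a verdict on its own.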

Zero-days are here to stay

In this ISTR, the team pointed out the continuing increase in the number of vulnerabilities. Every six months we document a new record high in the number of new software flaws, most of them (69% this time around) in Web applications. For this period, we also called out the role of fuzzers with regard to vulnerabilities and how they can speed up the research process. With that said, let’s take a quick look at the most serious type of software flaw: the zero-day vulnerability, a flaw that is already being exploited before a patch is available.

This year kicked off with the devastating WMF zero-day, a flaw in Windows’ graphics rendering that was most widely exploited through Internet Explorer (IE). Over the past two weeks, we’ve been dealing with yet another reason for spyware and malware purveyors to celebrate: the IE VML vulnerability. Ugh. While these certainly affect a large number of people because of IE’s market share dominance (over 80% by most reports), there have also been a large number of MS Office-related zero-days. A quick count puts the number of MS Office flaws used in targeted attacks (that is, not widespread, but aimed at a small number of victims) at around 10 for this year so far. And to be fair, the MS Office family has not been the only source of zero-day vulnerabilities used in focused attacks. We’ve seen two instances of previously unknown flaws in Justsystems’ Ichitaro word processor coupled with malware. Social engineering, unknown vulnerabilities, and custom malware, all in one nasty bundle.

Going forward, what’s next for the zero-day parade? Ask yourself what file type a victim would find most convincing to open. Perhaps a PDF document? A movie file? A CAD drawing? A Visio flowchart? Time will tell.

Download a copy of the latest Internet Security Threat Report here.