New Attacks Use Old Tricks

Attackers are unearthing old exploits -- in the case of the infamous CodeRed worm, extremely old exploits -- to wreak havoc on businesses and consumers.

If there's one thing that last month's noisome attacks against public sector sites in both the United States and South Korea demonstrated, it's that while we might be through with the past, the exploits of the past aren't through with us.

Last month's July 4th attacks, for example, used code that had been recycled from the notorious MyDoom worm. Security experts warn that many shops aren't adequately protected against the exploits of old (see http://esj.com/articles/2009/08/04/ddos-contained.aspx).

Not surprisingly, the recurrence of exploit throwbacks -- in some cases extremely old ones, such as the reappearance of the infamous Code Red worm -- is one of the more intriguing conclusions of the new mid-year security trends report from Symantec Corp.

"In the first half of 2009, some of the more recent and highly publicized threats incorporated attack methods used in previous years. The large-scale distribution of a small number of threats that were characteristic of the CodeRed and Nimda attacks were components of the attack techniques employed by the Koobface worm, which continues to propagate via social networks, and the Conficker worm, one of the most complex and widely spread threats to hit the Internet in several years," write security researchers in Symantec's Security Trends -- 2009 Mid-Year Update report.

In 2008's end-of-year security forecast, Symantec had predicted that economic concerns would spur a good chunk of exploit activity this year. Although that has, in fact, been the case, Symantec researchers concede, it can't account for all exploit activity. July's DDoS attacks, for example, appear to have had no financial motives.

"Similar to attacks seen in previous years, the purpose behind the recent Trojan.Dozer distributed denial of service … attacks appears to be notoriety and/or mischief," the report indicates.

Not surprisingly, Symantec researchers have a somewhat self-serving take on the phenomenon of such reemerging exploit activity: companies should consider investing in multi-tiered security defenses.

"As older attack techniques continue to resurface in current threats, we believe that a multi-layered defense combining traditional detection methods with complementary detection such as reputation-based security models will be essential."

The July DDoS attacks were comparatively unsophisticated in both their construction (they used recycled code from the earlier MyDoom worm) and their intensity (victims were targeted by a relatively modest packet storm). This doesn't mean that security exploits are becoming less sophisticated, however. Savvy attackers continue to hone their craft, Symantec researchers stress, citing a particular uptick in attack methods that imitate legitimate business practices. This is especially true in the burgeoning "scareware" segment.

"Today's attackers are increasingly sophisticated and organized, and continue to employ deceptive methods that imitate traditional business practices. Malicious ads or 'malvertisements,' usually in the form of 'flash' ads, redirect the user to fake scan Web pages. Mainstream Web sites, as well as less reputable sites, are susceptible to these threats," the report says, citing the rising popularity of "scareware" exploits (e.g., fake malware or antivirus "scanners") that identify bogus infections and then offer to "clean" a user's computer.

"The goal is to try to lure the user into buying the fake product, which promises to clean up all of those made-up threats. Those who fall for the bait are usually redirected to an order page, where they are lured for payment."