In-Depth

Enterprises Battle Cyber-Criminals, Targeted Attacks

Automated worms and malware-borne invaders are still wreaking havoc in the enterprise, and financial losses from cyber-criminals are increasing.

Remember SQL Slammer? It’s still circulating.

According to Symantec, for the period between May 24 and June 23, 2005, the SQL Slammer worm was the top attack seen in the United States, as well as worldwide. Because the attack exploits vulnerabilities in both Microsoft SQL Server and the Microsoft Desktop Engine, which are often distributed with third-party products, it’s been difficult to patch.

Hence, today the worm is still circulating in Slammer, Gaobot, Spybot, and other malware. Thanks to such automated worms, antivirus vendor Sophos says the average time it takes 50 percent of unpatched and unprotected (by a firewall) Internet-connected PCs to get automatically infected by malware is now just 12 minutes.

Since mobile users may not update their virus signatures or allow scans to run on a regular basis, they’re particularly vulnerable to malware infections. “If they become infected outside the traditional perimeter, they could transfer the malicious code inside the perimeter through a VPN connection or by plugging directly into the network,” says Symantec.

In virus years, however, SQL Slammer is old news, and if enterprises can’t patch against it, prospects get bleaker against malware-borne targeted attacks. Such attacks are on the increase, as virus writers apply their knowledge not just to automated worms, but worms with a more financially oriented purpose.

How bad is the problem? In June alone, the UK’s National Infrastructure Security Coordination Center (NISCC) found almost 300 UK government departments and businesses had been attacked with Trojan software. “We are seeing a large amount of new Trojan horses on a daily basis, representing what may be the most significant development in malware writing,” says Gregg Mastoras, a senior security analyst with Sophos. Yet when it comes to monthly lists of the top viruses, “Trojans typically don’t make the charts because they do not spread on their own and are used for targeted attacks, which are designed to make money or steal information.”

At least some Trojan software gets onto PCs through such worms as Sober-N, which accounted for 10 percent of all reported infections in June 2005, according to Sophos. “The Sober family of worms is an example of how damaging the collaborative efforts between virus writers and spammers can be, hijacking the computers of legitimate organizations to create zombies,” notes Mastoras. These zombies can “phone home,” allowing an attacker to push Trojan software onto the PC to use it for spam distribution or to monitor a user’s keystrokes.

The increase in Trojan software attacks mirrors an increase in the number of computer crimes. According to McAfee’s recent report, “North American Study into Organized Crime and the Internet,” criminals are increasingly drawn online by the relative anonymity of pseudonyms. “We have entered a new phase of malicious activity,” notes Lee Fisher, a security strategist with McAfee. “Cyber-crime is now driven by those out to make money, which has led to growing involvement by organized criminals.”

The FBI says cyber-criminals in the United States netted about $400 billion in 2004. Expect those damages to increase, given the ongoing potential for harvesting such valuable information as Social Security numbers, credit card numbers, and bank account information.

Unfortunately, catching cyber-criminals is difficult. Blame the virtual nature of online attacks, the difficulty of tracing them back to a real person, criminals’ expertise in disguising their activities by moving money between different bank accounts, and the overwhelming amount of information investigators must assess.

Even so, there have been some law enforcement successes. In late 2004, after a more than year-long investigation dubbed Operation Firewall, authorities in the United States and Canada managed to virtually infiltrate and then track a cyber-crime gang. All told, investigators amassed and analyzed 2 terabytes of information, and ultimately 28 people from eight states and six foreign countries were arrested. The group had bought and sold about 1.7 million stolen credit card numbers, costing financial institutions an estimated $4.3 million—not to mention headaches for card owners.

Yet according to the McAfee report, “sources estimate that perhaps only five percent of cyber-criminals are ever caught or convicted.”

Related Articles:

Targeted Trojan Attacks Increase
http://www.esj.com/news/article.aspx?EditorialsID=1435

Worm Goes Right-Wing
http://www.esj.com/Security/article.aspx?EditorialsID=1411

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
