In-Depth

Q&A: The 2006 Threat Landscape

Symantec anticipates kernel-level rootkits, and more covert channels for siphoning intellectual property

• By Mathew Schwartz
• 01/10/2006

What’s the biggest security threat this year? Money. In 2006, security managers should increasingly anticipate guarding against attacks motivated by money.

According to Vincent Weafer, a senior director of Symantec Security Response, today’s attackers traffic less in stolen usernames and passwords and more in wholesale intellectual property theft—information they can sell online to the highest bidder.

Here at the start of 2006, what’s the threat landscape for enterprises?

Probably the biggest single thing we’re seeing is the rapid acceleration away from the large, multipurpose, pandemic type of global attack, to attacks increasingly focused on being for-profit—be it commercialized or like aggro-spyware … or simply just about the ecosystem that’s built up where people are willing to buy sell and use a variety of exploits like bot networks. …

Meanwhile we’ve seen a huge increase in malicious code attacks. Phishing has doubled in a year … and we’re increasingly seeing attacks … translate into loss of intellectual property, confidentiality, and privacy.

What’s this threat ecosystem?

More and more, there’s a market, like an eBay for criminals … where the main focus is stealing information that can be sold or reused. … We’re seeing for sale lists of wire transfer accounts, VoIP numbers, eBay accounts, e-mail address lists. … So the ability for attackers to go data mining, and for the value to be beyond just using passwords and bank accounts, this is already occurring.

Crime has found the Internet; there are more and more people out there who are motivated by money and responsible for everything from denial-of-service attacks … to spyware. Increasingly you’re seeing the sophistication, and the data mining to target attacks, get better.

Do companies understand the threat from phishing, spyware, and bot attacks?

When we talk to law enforcement, when we look at incidence response, the first question is, what’s the impact? Ninety percent of people say, we don’t know. So they’re having to start looking at technology and solutions for handling back channels … and just understanding what their defenses are. You need something we’ve talked about a lot and for a long time: defense in depth … so if people get in, they don’t get the crown jewels.

Where should companies start: with desktops?

There’s no doubt that the desktop is the battleground. … Seventy percent of vulnerabilities are in Web technologies—principally browsers. …

While the late ‘90s was all about perimeter defenses and attacks ranging from viruses to worms … [now attackers more often] aim for browsers and common applications, because it’s getting harder and harder to find heap/buffer overflows.

What about instant messaging (IM) as an attack vector?

We’ve seen an increase, and predict that over half of the top attacks will exploit IM or IRC in some capacity, perhaps through solicitation [phishing], or a command-and-control [scenario]—potentially it’s a covert channel. Remember, some of these newer technologies are not going to be exploited in quite the same way as e-mail.

What about compromised PCs—bots?

Well, bots are almost like the engine that drives a lot of this [Web-attack] arena. They’re used by a lot of attackers for storing information, launching attacks. You’ll also see a significant focus in the coming year on how do you eliminate botnets, and how do you stop bots from getting into the enterprise in the first place. …

What about rootkits?

Of course, that’s something we’ve recently seen a lot of discussion on, largely due to the Sony DRM [digital rights management] issue. I think you’ll see a lot of [attacks utilizing rootkits].

When your focus is about stealing personal information or assets, you want to stay on scene and hidden, and so rootkits or stealth technology are [a tool of choice]—and that includes both system-level and kernel-level rootkits. …

We’re looking at the state of technology and the state of motivation, and both say to us that rootkits are going to get more modified and have more attackers [using] them. Currently we don’t have very many kernel-level rootkits, but we [expect] that to change [in 2006] in response to better protection getting rolled out on the user level. You’ll see more attacks aimed at the kernel level. … [Even so,] rootkits aren’t going to be measured in the thousands or tens of thousands, like bots.

What does it take to build a kernel-level rootkit?

You just need a kernel-level driver. Just look at what spyware can do—it’s parasitic, comes as part of a companion download. With rootkits, you could honestly do it as something coming off a Web site. … Then once it’s on the system, it’s extremely difficult for any scanner to be able to deal with it. So the trick is stopping it from getting on there in the first place; or you need to do a clean boot with no drivers. Now, guarding against something like this is a big part of Vista’s “boot with least access” [i.e., user-level default boots in Microsoft’s forthcoming Vista operating system].

While new operating systems (such as Vista) promise security improvements, doesn’t it take quite a while for companies to wholesale transition to new operating systems?

We today are supporting people on as far back as Windows 95, perhaps even Windows 3.1. These systems have been around for over 10 years. Particularly in large enterprises, if it’s doing its role, it’s functional, why are they going to pay to upgrade it? Truthfully, the older platforms are going to be the dominant platforms for some time to come.

Attackers don’t care about technology or platforms, except for [trophy wins], like the first virus on 64-bit Windows XP. As an attacker … whatever is the easiest path out there, you’ll use it.

Related Articles:

Beyond Malware, Sox, And Data Breaches: The 2006 Security Forecast

Attackers Shift Exploits to Applications