By Baselinemag  |  Posted 2005-12-13

Bot worms have emerged as one of the most dangerous security threats. Companies are finding new ways to keep them at bay.

Bots Go Bad (or Worse)

But bots weren't the only network security problem companies had to worry about this year. In fact, the nature of Internet threats shifted even further toward the dark side, as hackers seeking notoriety were supplanted by attackers looking to perpetrate fraud and pocket a quick buck. "There's been a change in the threat landscape," notes Dean Turner, senior manager of Symantec's security response team. "Threats are increasingly motivated by profit. At the same time, attackers are moving away from large, multipurpose attacks on network perimeters and toward smaller, more focused attacks on desktop applications."

According to the most recent Symantec Internet Security Threat Report, which covers the first six months of 2005, this new landscape is being dominated by a variety of emerging viruses, bots and bot networks, customizable malicious code, and targeted attacks on Web applications and browsers.

Some of the key findings:

• Symantec documented almost 11,000 new virus and worm variants designed to attack 32-bit Windows operating systems (Win32), an increase of 48% over the previous period in 2004. This big jump is the result of Win32 variants that implement bot features such as remote control through Internet Relay Chat channels and denial-of-service capabilities, Turner says.

• Threats from phishing—sending fraudulent e-mails in an effort to elicit information from users that can be used in identity fraud—are on the rise. The volume of phishing messages grew from an average of 2.99 million for the first half of 2004 to 5.7 million within the same time span in 2005. One of every 125 e-mails scanned by Symantec was a phishing attempt, the company says.

• During the first half of 2005, Symantec documented 1,862 vulnerabilities, nearly 60% of them in Web application technologies. The total for the six-month period represented the highest number ever recorded in the Internet Security Threat Report. Additionally, 97% of these vulnerabilities were classified as moderate or high in severity.

• There was also an increase in malicious code for profit. Much of this code was deployed to relay bulk, unsolicited e-mail.

Fortunately, vendors have become more proactive in trying to safeguard enterprise clients. According to Turner, Internet service providers, for example, are doing more to block the network ports and services that bot infections commonly target, and to filter out potentially damaging e-mail attachments. Techniques include monitoring customers' bandwidth usage to detect abuse, and scanning e-mail for viruses.
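To make the bandwidth-abuse monitoring Turner describes concrete, here is an added example (written for this page; it is not code from Symantec, BigFix, or any service provider). It reads one-line-per-flow records and flags two behaviours an ISP would want to catch on a customer link: a host reaching many distinct destinations on one port inside a short window (the fan-out of a scanning worm), and a host pushing an unusual volume of outbound bytes in that window (a compromised PC relaying spam). The record format, the thresholds, and every address and port in the sample are constructed assumptions for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds when the flow started
    src: str        # source host (the customer machine being monitored)
    dst: str        # destination host
    dport: int      # destination port
    nbytes: int     # bytes sent by src in this flow


def parse_flows(text):
    """Parse records of the form '<ts> <src> <dst> <dport> <bytes>'.

    The format is an assumption for this example, not a vendor's export format.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def fanout_offenders(flows, window=60, min_targets=20):
    """Map src -> dport for hosts that reach at least min_targets distinct
    destinations on a single port within any sliding window of `window` seconds.

    A worm probing for its next victim produces exactly this fan-out; a normal
    client rarely opens the same service on dozens of fresh hosts per minute.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append((f.ts, f.dst))
    offenders = {}
    for (src, dport), events in by_key.items():
        events.sort()
        in_window = Counter()   # dst -> number of flows currently inside the window
        lo = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Advance the left edge until every counted event is within `window` seconds.
            while ts - events[lo][0] > window:
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            if len(in_window) >= min_targets:
                offenders[src] = dport
                break
    return offenders


def bandwidth_offenders(flows, window=60, max_bytes=10_000_000):
    """Map src -> bytes for hosts that send more than max_bytes within any
    sliding window of `window` seconds, regardless of how many peers they talk to.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append((f.ts, f.nbytes))
    offenders = {}
    for src, events in by_src.items():
        events.sort()
        lo, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[lo][0] > window:
                total -= events[lo][1]
                lo += 1
            if total > max_bytes:
                offenders[src] = total
                break
    return offenders


def analyze(text):
    """Run both detectors over a batch of records and return their findings."""
    flows = parse_flows(text)
    return {"fanout": fanout_offenders(flows), "bandwidth": bandwidth_offenders(flows)}


# Constructed sample traffic: all addresses, ports and sizes are made up for this example.
SAMPLE_FLOWS = "\n".join(
    # 10.0.0.5 touches 30 different hosts on one port within 30 seconds: worm-like fan-out.
    [f"{1200 + i} 10.0.0.5 192.168.1.{i} 445 120" for i in range(1, 31)]
    # 10.0.0.7 makes a handful of ordinary web requests.
    + [f"{1200 + i} 10.0.0.7 203.0.113.{i} 80 3500" for i in range(1, 6)]
    # 10.0.0.9 talks to a single mail server but pushes 2 MB per flow, 30 flows a minute.
    + [f"{1200 + i} 10.0.0.9 198.51.100.2 25 {2_000_000}" for i in range(1, 31)]
)


if __name__ == "__main__":
    for kind, hosts in analyze(SAMPLE_FLOWS).items():
        for host, detail in hosts.items():
            print(f"{kind}: {host} ({detail})")
```

The two detectors are deliberately independent: the fan-out check catches a worm that sends tiny packets to many hosts, which never trips a byte threshold, while the byte check catches a spam relay that talks to one mail server all day, which never trips the fan-out threshold. Both use a sliding window rather than fixed one-minute buckets so a burst straddling a minute boundary is not split and missed.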

Microsoft, under pressure from some of its big corporate clients like General Motors, has become quicker off the dime in responding to threats. For instance, it rushed out an off-cycle update of a malicious-software removal tool almost as soon as Zotob hit. Microsoft's Internet investigations team worked closely with law-enforcement officials in apprehending those thought to be responsible for Zotob.

Still, Microsoft isn't doing enough on the security front, says Gary McGraw, CTO of Cigital, a software quality management firm in Dulles, Va. Until the vendors, largely Microsoft, produce truly secure software, McGraw says, enterprise users will remain vulnerable. "Business guys need to wield their market power to make Microsoft do a better job," he notes. "Microsoft has made a lot of progress, but it still has a lot more to do."

But no matter what you do to combat viruses and other intruders, there's no such thing as a silver bullet, particularly given the ever-changing malware landscape. A strong defense, however, may help you sleep a little more soundly.

Stanford's Big Fix

Organizations looking to harden their security against viruses and the like can take a lesson from Stanford University's experience.

Two years ago, the Blaster worm infected some 8,000 of the school's computers, making them unusable. After spending nearly $1.6 million to extricate Blaster from its machines, Stanford installed client software from BigFix of Emeryville, Calif., on its computer systems. The software enables administrators to distribute patches quickly to computers on a network.

By the time Zotob and a related worm called Esbot hit the Stanford campus in August, more than 12,000 university PCs were using BigFix client solutions. Compared to the Blaster experience, Zotob proved to be a piece of cake. Damage was minimal; only 2% of the school's 12,000 PCs were infected. These were quickly and inexpensively repaired using BigFix patches and Symantec standalone removal tools. The roughly 1,230 computers not using the client security software, however, didn't fare nearly as well. Some 15% of those machines were infected, requiring on average four hours to repair at an estimated total cost of $300,000.

Incidents such as Stanford's underscore the need for overlapping and mutually supportive defensive systems, as well as intrusion detection and prevention systems on client machines. "It's important to provide multi-layer security and have the same level of security on the desktop as you do elsewhere," Turner says.

Additionally, he advises, monitor for breaches 24/7; always keep passwords updated and patches current; train employees not to download files they're not expecting; and only use applications that have been approved by the organization. —L.M.

