War beyond worms

The real losers in this lopsided contest though are enterprises trying to keep software up to date to protect corporate data. Statistics revealed in AusCert's 2006 Computer Crime Survey tell the sorry tale.

The survey, to which of 389 Australian organizations responded, reports antivirus (AV) software missed 60 percent of mal-intentioned hits, the sole purpose of which was to steal personal information. This means that client computers with the most "up to date" antivirus software are likely to be vulnerable 60 percent of the time.

It explains the high level of trojan infections reported in the survey.

The report found that: "Attackers work to increase the effectiveness of their attacks by modifying trojan malware to create variants that are unlikely to be detected by most up-to-date software upon release."

A caveat in the AusCert findings noted a split between "virus and worm infections" and "trojan and rootkit" infections.

In 2006, 45 percent of respondents experienced a virus or worm infection and 21 percent experienced "non self-propogating trojan or rootkit infections".

But if the ill-intentioned coders seem to be winning, it is not solely because security products lack any ability to cope.

It is not a battle of heuristics or signature-based security or "advanced network anomaly" detection or poor integration.

It's partly because 'innocent' end users keep clicking on pop-ups and inviting trouble.

Nick Ellsmore, director of information security services firm SIFT, said that in today's environment even the concept of a homogenous antivirus environment starts to lose its effectiveness.

"You need both signature and behavioural tools. Signatures are fundamentally efficient and effective for 99 percent of viruses," Ellsmore said.

"The issue is the type of attack - that 1 percent is likely being put together by a much more sinister attacker for a much more potentially significant event.

"Most AV already run both behavioural and heuristics; you cannot suggest one is better than another.

"However, rootkits hide at a level lower than AV can scan, and often subvert it; as seen with recent worms, they can be disabled prior to infection."

Ellsmore said an interesting side to the AusCert findings is the degree to which users are responsible for the amount of "non-propogating malware - such as, trojan or rootkit infection. Users, according to Ellsmore, might be responsible for their installation in the first place.

"Because the rootkits in this survey were defined as 'non self-propagating', they are limited by the number of ways they can get on a network, so users surely have a role to play," he said.

"When users are involved as part of the infection mechanism, it is easy to get around some software."

Ellsmore said if one in five companies identified a rootkit or trojan on their network, it's likely an AV product picked it up.

Michael Sentonas, McAfee's Asia Pacific director of professional services, said the goal of malicious code - like trojans or rootkits - is to circumvent, or hide from such software so that it around for longer.

"We have seen a significant growth in the area of rootkits and while a lot of reports say high-risk viruses are not an issue today, we need to understand why that is and look at what has changed," Sentonas said.

"The amount of malware has not gone away; we are seeing 160,000-plus variants and strands, but the trend now is to write rootkits designed to hide themselves from security software, to enable a longer shelf life.

"To say enterprises need to move to a zero-day preventative security stance is not really the right thing, and behavioural-type security will not stop all types of attacks. You need signature-based technology to build accuracy and speed."

Kim Duffy, managing director of Internet Security Systems Australia, said rootkits are the end result of a staged exercise involving due systems reconnaissance. More often than not they are the result of more than one attack vector.

"And in this respect if you don't have a good intrusion prevention toolkit or something alerting you to bad code you will never know; and if someone has scanned your perimeter and found soft defences, then they will come in," Duffy said.

"The evidence of this is the number of trojan or rootkit variants we see. It is the worst nightmare for vendors that rely solely on signature-based protection because, for every new variant, a new signature has to be released even if only one byte in a stream has been changed."

Vincent Weafer, Symantec security response director, said security technologies today need a combination of behavioural, policy-based heuristic, signature and network-based protection.

"Most antivirus scanners today include a combination of technologies to balance the proactive nature of behavioural engines versus the performance, stability and low false-positive rates of signature-based engines," Weafer said.

"We recommend that with today's blended threat environment, a user deploys a multi-tier, multi-protection strategy that includes antivirus, intrusion protection, firewall, content filtering and uses security best practices, such as keeping up to date with security patches."

Join the newsletter!

Error: Please check your email address.

More about AusCertInternet Security SystemsMcAfee AustraliaPLUSSecurity SystemsSpeedSymantec

Show Comments

Market Place