Week of (everyone else's) Security Predictions 2009 - Day 2
Posted by Gunter Ollmann on January 06, 2009 at 1:20 PM EST.
It’s Day 2 of the WoSP, and let’s pick up the pace on 2009 security predictions.
Yesterday’s rather conservative predictions by Cisco were clearly aimed at their standard networking customer base, so they were a bit elementary to those actually operating full-time in the security space. Incidentally, some helpful chap passed along a link to Cisco’s Security Intelligence Service - but I’ll still stick to my guns that Cisco aren’t known for this kind of security analysis. I do hope that they’ll continue to invest in this area and contribute to the community though.
So, as for Day 2, we’ll take a gander at those 2009 security predictions from MessageLabs (recently bought by Symantec). They actually compiled their 2009 predictions in late November last year – perhaps trying to get the media drop on everyone else, or maybe they had a little time on their hands and wanted to show Symantec some additional value during the acquisition process?
Anyway, on with the real analysis!
MessageLabs 2009 Security Predictions
Given MessageLabs’ focus on mail security, you can expect a heavy emphasis on spam, malware attachments and all that bothersome badness coming to an inbox near you (well, technically, it’s hopefully being stopped by your corporate anti-spam filter, right?).
(1) Malware Makes Its “Mash-up”
"… Web 2.0 will provide an environment for contextual malware, which can consolidate multiple dynamic data streams to create a malicious environment from a number of diverse, unrelated sources… Malware-as-a-Service will emerge allowing the bad guys to request the type of malware they are seeking from an automated system and have it delivered instantaneously… malware will become more disposable as bad guys find newer and faster ways to change their malware so as to make it undetectable by newly adopted anti-virus systems."
If you take a look at what’s happened over recent years, you’ll see that malware has made some pretty large advances in the way it is used to support professional cyber-crime teams, and that an entire ecosystem has evolved to sustain that industry. I covered some aspects of this dynamic building of malware services and the cottage industry of suppliers for the attack platforms back in 2007 (see the paper on X-morphic Exploitation), and in 2008 we observed the price-point continually fall as the crimeware authors consolidated their offerings and competed head-to-head with each other on a per-feature basis – and the malware itself did become quite “disposable”.
Like the MessageLabs team, I also see greater advances in the malware-as-a-service business models in 2009, but I’m not expecting any substantial shifts into Web 2.0 contextual models. Sure, there’ll be more tinkering (like we’ve seen throughout 2008), but the other popular drive-by-download vectors are simpler and consequently more cost effective for criminals. If that profitability drops (maybe because of some new Web browser security advances or fierce internal competition) then perhaps we’ll see some changes towards the tail of 2009 – but I have a lot of confidence in the major Web 2.0 providers being able to respond quickly to any outbreaks on their platforms (i.e. more confidence than I have in those millions of nameless Web 1.x sites with absent administration teams).
The nuts and bolts of this prediction, though, are that the speed at which new (per-instance) “personalized” malware is created AND made to leverage the latest vulnerability exploits will continue to increase throughout 2009.
(2) Social Networking Gets Personal
"Social networking sites … phished … with a goal of collecting as much personal information and information surrounding a person’s social network as possible to enable highly targeted and personalized spam. In 2009, spam will include proper names and will be segmented according to demographic or market…"
As I mentioned in yesterday’s response to Cisco’s predictions, we’re seeing a lot of coordinated cyber-criminal activities revolving around the incorporation of personalized information (that has been purchased or stolen in bulk) to strengthen the social engineering aspects of their attacks. I think 2009 will see the second generation of automated tools that help facilitate these “personalized” attacks, and several of these tools will become publicly available (for a price). As a consequence, we’ll see an exponential rise in the use of personal data in the spam we receive. That said, I think that the real effects of any exponential rise won’t appear until 2010 (at least I hope not).
I think a limitation on the successful adoption of these tools (and the escalation of personalized spam activities) will be how well the social networking sites cope with the automated crawling and data harvesting of their portals. They certainly have a role to play in helping to reduce much of this particular harvesting threat – whether that be rate-limiting access or helping their users protect their own data.
(3) Reputation Hijacking Flourishes
"… weakness in the fundamental design of the DNS (Domain Name Service) protocol … afforded the opportunity to corrupt the cache of a DNS server, … predicts that phishing attacks will focus on exploiting vulnerable DNS domains and websites, and less on the traditional approach of hosting the easier-to-spot typo-like domains, where a cursory glance may not spot the fallible web address."
Sure, there have been several very notable DNS vulnerability disclosures of late with a possibility of more in 2009, and there’s also been the recent public slaps to the domain certificate providers for sticking with MD5 hashes despite the warnings, but I’m not so sure about this prediction.
The cyber-criminals pretty much have their own DNS system now – providing high degrees of flexibility and resiliency (for a price) – through the various botnets under their control. So I’m not expecting any substantial increase in the hacking and manipulation of legitimate DNS systems for the purpose of phishing attacks (we already see this on a daily basis). This stuff has been going on for over a decade now and, while the balance is delicate, the reactive processes for dealing with these kinds of DNS registrations have proved adequate for now (still substantial room for improvement though).
Again, the criminals appear to be having enough successes with their current tactics that they may not need to “invest” in these newer exploitation techniques.
(4) CAPTCHA the Bad Guys
"… broken CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) became the keys to the spamming kingdom… predicts that while providers will respond to CAPTCHA breaking techniques in 2009 by enhancing the CAPTCHA process and deploying alternative CAPTCHA approaches, any web site that requires a personal account to be created online will continue to be targeted and the CAPTCHA failure rate will continue to increase accordingly."
Well, like I said several times in 2008, CAPTCHAs are not a relevant protection technology against organized criminal teams. If you’re relying upon CAPTCHAs as a security (or integrity) measure for a popular service, you’re wasting your time.
Yes, the cyber-criminals will continue to break CAPTCHAs in 2009, but it’s pointless increasing their sophistication in return unless the companies relying upon them really want to alienate their users/customers. Face it, today’s criminal computer algorithms are better at CAPTCHAs than humans. And, even then, the criminals are employing cheap labor in India and China.
(5) 419 Scams Lose Their Elaborate Prose
"… Nigerian style 419, or advance fee fraud scams will become harder to recognize at first glance as the messages will contain only one or two sentences, rather than the rambling prose that has typically identified such scams… scammers will also make greater use of email attachments to convey their messages with more detail, enabling the scam to bypass traditional anti-spam filters."
I think MessageLabs is spot on here. The criminals behind these attacks have taken a good look at the way current generation anti-spam tools operate and several of the criminal teams behind these scams have gone as far as employing their own trained psychologists in their efforts to keep ahead.
Does this mean that we’ll see a deluge of 419 spam in our inboxes in 2009? Probably not. I think that the good guys will manage to keep up with the evolving attack vectors, but the same relative percentage of scams will make it down to our desktops (for my IBM email account, it’s about two or three per day). However, I’d expect the number of people falling victim to these scams to increase as the social engineering content is refined further. So, the net result will probably be more overall victims of 419 (and related) scams this year.
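The MessageLabs prediction above describes scam prose shrinking to a sentence or two in the body and migrating into an attachment. The point for anyone running a filter is that a scorer which only reads the message body goes blind to that move. Below is an added example, not code from the original post or from MessageLabs, that scores a message on its body and on any text-bearing attachment separately, so the two filtering strategies can be compared side by side. The phrase list, the hit threshold and both sample messages are constructed assumptions for illustration only.

```python
"""Added example, not from the original post: a toy 419 filter that scores
the scam prose wherever it sits, in the body or inside a text attachment.
The phrase list, threshold and both sample messages are assumptions
constructed for illustration."""
import email
from email import policy

# Assumed phrase list; a real filter would use trained features, not this.
SCAM_PHRASES = (
    "next of kin", "transfer of funds", "confidential", "million",
    "bank account", "urgent", "beneficiary", "processing fee",
)
HIT_THRESHOLD = 3  # assumed: three or more phrase hits flags the message


def _text_of(part):
    """Return the text of a text/* part or a text-like attachment, else None."""
    if part.get_content_maintype() == "text":
        return part.get_content()
    name = (part.get_filename() or "").lower()
    if name.endswith((".txt", ".htm", ".html")):
        return part.get_payload(decode=True).decode("utf-8", "replace")
    return None


def score_message(raw: bytes) -> dict:
    """Count scam phrases separately in the body and in attachments, and
    report what a body-only filter decides versus a combined one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_hits = attachment_hits = 0
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        text = _text_of(part)
        if text is None:
            continue
        hits = sum(text.lower().count(p) for p in SCAM_PHRASES)
        if part.is_attachment():
            attachment_hits += hits
        else:
            body_hits += hits
    return {
        "body_hits": body_hits,
        "attachment_hits": attachment_hits,
        "body_only_flagged": body_hits >= HIT_THRESHOLD,
        "combined_flagged": body_hits + attachment_hits >= HIT_THRESHOLD,
    }


# Constructed sample prose (written for this example, not a real message).
SCAM_PROSE = """\
Dear Friend,

I am writing in strict confidence as the next of kin of a late oil
contractor. A sum of 12.5 million US dollars is held in his bank account
and I need a trustworthy foreign partner for the transfer of funds. This
matter is urgent and strictly confidential. Reply with your details so
that I can name you as beneficiary.
"""

# Classic form: the whole pitch is in the body.
CLASSIC_419 = (
    "From: sender@example.invalid\nTo: victim@example.invalid\n"
    "Subject: URGENT BUSINESS PROPOSAL\n"
    'Content-Type: text/plain; charset="utf-8"\n\n' + SCAM_PROSE
).encode()

# Predicted form: one-line body, pitch moved into a .txt attachment.
SHORT_419 = (
    "From: sender@example.invalid\nTo: victim@example.invalid\n"
    "Subject: proposal\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain; charset="utf-8"\n\n'
    "Kindly see the attached proposal and revert.\n"
    '--b1\nContent-Type: text/plain; name="proposal.txt"\n'
    'Content-Disposition: attachment; filename="proposal.txt"\n\n'
    + SCAM_PROSE + "--b1--\n"
).encode()

if __name__ == "__main__":
    for name, raw in (("classic", CLASSIC_419), ("short+attachment", SHORT_419)):
        print(name, score_message(raw))
```

Run as-is, the classic message is flagged either way, while the short-body variant scores zero on the body and is only caught once the attachment text is scored too. The same split shows why attachment text extraction (and not just attachment type blocking) belongs in a mail filter.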
(6) Globalization of Spam
"… predict that in 2009 the emerging markets will be more heavily targeted with spam delivered in the local language. Growth in foreign language spam, especially Asian character spam, will increase by 100 percent from current levels at 5 percent to around 10 percent."
I think we’ve all been observing just how global spam has become over recent years and, if your mailbox is anything like mine, you’ll probably be very (intimately?) familiar with spamvertizing in the Russian, Korean, Thai, Spanish and even Cambodian languages.
While there is an expectation that major infrastructure advances in the various BRIC countries will result in many millions more Internet users (and a resultant shortage of IPv4 addresses), it is inevitable that localized spam will appear. Although the volume of spam will go up, so will the number of legitimate communications – as a result I think that we’ll continue to see the same percentage levels of spam overall. I’d also point out that these BRIC countries are investing substantial amounts into the security of their new Internet infrastructure services – so they may actually be in a better anti-spam position than several western-bloc countries.
(7) Mobile Mayhem
"2009 will see mobile attacks become more malicious ... MessageLabs experts expect mobile attacks to parallel PC threats… criminals will target mobile users … autodialing SMS texts to such numbers with the intent of bilking credit from the mobile user’s account."
Sure, we’re going to see a growth in attacks focusing on smartphone technologies in 2009. Given the major advances in smartphone technologies and the birth of cheap netbooks in 2008, it’s beginning to make economic sense for criminals to start targeting these mobile platforms.
Predicting an increase in mobile malware is a no-brainer. Given how insignificant the mobile malware efforts have been over the last few years, the emergence of popular mobile application development platforms in the last 12 months will make it much easier to construct the right kind of crimeware – so expect to hear a lot about this throughout the year.
That said, I think there are several significant factors at play that will help to mitigate much of the threat from becoming any kind of pandemic:
A) Smartphone operating systems are advancing at a fast pace. Most of the recent advances that have led to the increase in smartphone popularity have incorporated many of the hard-learnt lessons from the PC world – with trust domains, code integrity and memory separation built in.
B) Unlike with older smartphone systems, users are beginning to expect to have to update firmware and OS components. This makes it much easier to apply the latest security fixes, and to respond to newer threats.
C) The OS providers, with their application library services, are taking a more active role in checking and assuring (signing) the content available through their platform. This makes it much more difficult to craft a purely malicious application – but intentional “dual use” applications will be a threat.
D) The mobile operators play a much bigger role in keeping the “pipes” clean. It’s in the operator’s best interest not to push unwanted content to their customers. Whether they’re billing on a per-KB basis or not, they’re in a better position to scrub malicious content going to, or coming from, a customer’s handset.
E) At the end of the day, the vast majority of smartphone customers rely upon a subscription service for both their phone and their data. Unlike PC users, if it all goes to hell they can just say that it’s the mobile operator’s problem and not pay their $25,000 bill for a single month of SMS text messages – since the operator supplied the phone, the connection and the service, and has the capability to inspect traffic and spot anomalous calling patterns.
So, in a nutshell, while we can expect to see a fair amount of media coverage on the topic (and a “sky is falling” response to each new malware advance), I’m not expecting a significant threat to the individual user (and subsequent bill payer).
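Points D and E above lean on the operator being able to inspect traffic and spot “anomalous calling patterns” before a handset runs up a five-figure SMS bill. The added example below, which is not code from the original post or from any operator, shows what the simplest version of that check looks like: a sliding window over SMS call-detail records that flags a handset sending to premium-rate numbers either in a burst or at a rate no human keeps up. The CDR layout, the premium-rate prefixes, the thresholds and all sample records are constructed assumptions.

```python
"""Added example, not from the original post: an operator-side check over
SMS call-detail records that flags a handset auto-dialling premium-rate
numbers, the "anomalous calling pattern" an operator is positioned to see.
The CDR layout, premium-rate prefixes, thresholds and sample records are
all constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PREMIUM_PREFIXES = ("1900", "5555")        # assumed premium-rate numbering
WINDOW = timedelta(minutes=10)
MAX_PREMIUM_PER_WINDOW = 5                 # assumed: more than this is a burst
MIN_HUMAN_INTERVAL = timedelta(seconds=5)  # assumed: faster than a person sends


def is_premium(destination: str) -> bool:
    """True if the destination falls in an assumed premium-rate range."""
    return destination.lstrip("+").startswith(PREMIUM_PREFIXES)


def parse_cdr(line: str):
    """CDR line: ISO timestamp,origin,destination,type (assumed layout)."""
    ts, origin, dest, kind = line.strip().split(",")
    return datetime.fromisoformat(ts), origin, dest, kind


def detect_premium_abuse(cdr_text: str) -> dict:
    """Return {origin: sorted reasons} for handsets whose premium-rate SMS
    traffic exceeds the window threshold or arrives at machine speed."""
    recent = defaultdict(deque)   # origin -> premium send times inside WINDOW
    last_seen = {}                # origin -> time of the previous premium send
    reasons = defaultdict(set)
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        ts, origin, dest, kind = parse_cdr(line)
        if kind != "SMS" or not is_premium(dest):
            continue
        window = recent[origin]
        window.append(ts)
        while ts - window[0] > WINDOW:      # slide the window forward
            window.popleft()
        if len(window) > MAX_PREMIUM_PER_WINDOW:
            reasons[origin].add("burst")
        prev = last_seen.get(origin)
        if prev is not None and ts - prev < MIN_HUMAN_INTERVAL:
            reasons[origin].add("machine-rate")
        last_seen[origin] = ts
    return {origin: sorted(r) for origin, r in reasons.items()}


# Constructed records: one ordinary subscriber who sends a single premium
# SMS, and one handset firing premium messages every two seconds.
SAMPLE_CDRS = """\
2009-01-06T10:00:01,+15550001111,+15550002222,SMS
2009-01-06T10:03:15,+15550001111,19001234567,SMS
2009-01-06T10:05:40,+15550001111,+15550002222,SMS
2009-01-06T10:20:00,+15550009999,19009876543,SMS
2009-01-06T10:20:02,+15550009999,19009876543,SMS
2009-01-06T10:20:04,+15550009999,55551234,SMS
2009-01-06T10:20:06,+15550009999,19009876543,SMS
2009-01-06T10:20:08,+15550009999,19009876543,SMS
2009-01-06T10:20:10,+15550009999,55551234,SMS
2009-01-06T10:20:12,+15550009999,19009876543,SMS
2009-01-06T10:20:14,+15550009999,19009876543,SMS
2009-01-06T10:21:00,+15550001111,+15550003333,VOICE
"""

if __name__ == "__main__":
    print(detect_premium_abuse(SAMPLE_CDRS))
```

The ordinary subscriber’s single premium message never trips either rule, while the auto-dialling handset is flagged on both, and the “machine-rate” reason fires on the second message, well before the burst threshold, which is the point at which an operator could throttle the line rather than argue about the bill afterwards.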
(8) Botnet Renaissance
"… major botnets disrupted by the takedown of Intercage and McColo… it is expected that they will find replacement hosting services in countries such as Russia, Brazil or China, and the botnets will be able to continue as before… this will precipitate an improvement in the technology behind many of these botnets, creating a new vanguard. The most sophisticated will take the form of hypervisor technology, where the malware will exist as a virtualization layer running directly on the hardware and intercepting some key operating system calls…"
Umm, an interesting prediction this one. Sure, we’ve already observed part of this, as the spammers are pretty much already back up to production speed following the shutdown of Intercage and McColo in late 2008, and it’s reasonable to expect their cyber-criminal masterminds to adopt more resilient technologies throughout 2009. It’s a business after all.
I’m still not convinced by this virtualized-hypervisor-scary-pants stuff though. Sure, it sounds cool from a security research perspective, and no doubt some decent proof of concept code will come out at a Blackhat conference near you sometime this year, but there’s actually little need to go down this route. The malware authors already have the technologies to defeat practically all desktop anti-virus protection systems out there today – so they don’t need to do this at the moment.
Maybe if there’s a mind-blowingly significant advance in anti-virus technologies in 2009 capable of defeating their current stuff, then we’ll see a partial adoption of oh-ah-hypervisor-injection tactics, but I suspect that (given all the media and research going into this area) we’ll probably find that security vendors will be quicker to market with anti-oh-ah-hypervisor-injection protection.
All in all, I think MessageLabs have done a good job with their exciting 2009 predictions, but only time will tell. And, for many of us, it's all a matter of perspective...