Internet Security Systems - AlertCon(TM)

Week of (everyone else's) Security Predictions 2009 - Day 3

Posted by Gunter Ollmann on January 07, 2009 at 12:58 PM EST.

Here we go, launching into Day Three of the 2009 security predictions.

Yesterday I discussed the predictions from MessageLabs and felt that they had a good handle on many of the trends we could expect to see throughout this year as related to messaging security.

Today we’re going to take a closer look at the 2009 security predictions of PandaLabs.  PandaLabs is the security research and analysis component of Panda Security. They recently published their 2008 Annual Threat Report – and it’s well worth a read if you have the time – but their 2009 predictions aren’t really in there. Instead, I could only find their public press release via one of the newswires (here).

PandaLabs 2009 Security Predictions

First of all, since Panda Security is largely an anti-virus company, most of the research and subsequent predictions are slanted that way. In fact, their 2009 security predictions begin with the statement that “Malware will increase in 2009” – actually, I think they threw in the words “significant increase” as well in the preamble to their list of seven 2009 predictions.

(1) Banker Trojans and fake antivirus solutions will be the most prevalent forms of malware in 2009.

I don’t know if these will technically be the most prevalent from a total-volume-of-new-malware perspective, but, as we’ve observed over the last three years, Banker Trojans (banking proxy Trojans, man-in-the-browser agents, etc.) have really come to the fore as one of the most sophisticated groupings of malware. Meanwhile, the latter half of 2008 saw the massive reemergence of fake anti-virus solutions.

I’d expect the trend towards Banking Trojans to continue throughout 2009 since there’s a lot of money to be had using this fraud vehicle (but technically this is more of a feature-set of increasingly sophisticated bot-agents).

Similarly, I’d expect the fake anti-virus route to continue to be popular for criminals but I wouldn’t be surprised if it cools down a bit in the middle of the year and pops its head up again in the last quarter of the year with fake 2010 anti-virus solutions. Perhaps during the lull, we’ll see the criminal teams come up with a new flavor of faked protection – maybe social network data loss prevention?

(2) Social Networks will be a focal attack point by cybercriminals.

“…continue to see worms in social networks spread malware … designed to steal confidential data from unsuspecting users will also become more prevalent."

Like I’ve said over the past couple of days, I’m not really expecting much from social network attacks. Sure, there’ll be a lot of media hype about anything that does crop up, but I think the overall criminal significance of the event will be minimal. I do think that cyber-criminals will spend more time scraping social networks for “personalizing” other attacks such as spam and phishing.

(3) SQL injection attacks will continue to rise.

Agree. SQL injection is a convenient attack vector – there are many very good tools that enable even a newbie to get started in their criminal hacking career, and way too many Web applications are still vulnerable to attack.

Tool integration with popular search engine platforms doesn’t help reduce the threat either, and new zero-day SQL injection vulnerabilities in popular modules can result in mass attacks with trivial ease. So, expect more damaging SQL injection attacks throughout the year.
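The root cause behind this prediction is the same one it was in 2005: user input concatenated into query text. The following is an added example (not from the original post or from PandaLabs) that puts the vulnerable pattern beside the parameterized fix and runs both against a small constructed SQLite table, so the difference in behaviour can be observed directly. The table, usernames and the `compare` helper are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The classic mistake: the caller's input is pasted into the SQL text,
    so anything it contains becomes part of the query grammar."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the SQL text is constant and the value is bound separately.
    The driver treats it purely as data, never as query structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run the same input through both lookups and report row counts.
    For a benign username both return one row; for input carrying a
    tautology the vulnerable query leaks every row while the
    parameterized query correctly matches nothing."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign input:   ", compare("alice"))
    print("tautology input:", compare("x' OR '1'='1"))
```

The point worth taking from the output is that the parameterized version needs no input filtering or escaping to be safe: the query shape is fixed before any user data arrives. Input validation still has its place (length limits, character sets), but it is defence in depth, not the primary control.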

(4) Customized packers and obfuscators will grow in popularity.

Agreed. This is something the industry as a whole has been watching (and expecting) for several years now. As the malware-creator landscape grows more competitive, we’re seeing greater specialization and sophistication in the tools these malware-as-a-service operators produce. As the price point continues to drop and the number of “features” increase, the popularity of these customized packers and obfuscators will grow.

If I were to look a little further down the trail of this prediction, I’d probably say that there will be greater emphasis on open-platform malware creation kits. That way sophisticated components can become more boutique and subsequently more valuable to their authors. We’ve already seen a fair bit of this with the X-morphic Attack Engines out there today.

(5) Expect a resurgence of classic malicious codes.

“The use of increasingly sophisticated detection technologies will drive cyber-crooks to turn to old codes, adapted to new needs… aimed at hiding Trojans used for theft of banking information that garner big profits for the criminals involved."

I’m not sure I could class this as a prediction. I don’t think we’ve ever really seen any old attacks and malware types disappear. To a large extent the continued innovation in these older areas by malware authors goes unnoticed as commercial research teams watch their malware zoos swell with thousands of every other type of new malware tactic.

Sure, the vehicle for the malware may cease to exist (e.g. 5.25” floppy disks), but the propagation methods and tactics still work. Case in point: look at the continued success of autorun malware. It has jumped from floppy disks, to CDs, to ZIP disks, to USB thumb-drives and on to iPods over the last couple of decades.

The purpose of the malware payloads (e.g. banking Trojan, keyloggers) changes constantly as the criminal teams behind their propagation shift targets and follow the money. I don’t think it really has much to do with the increasingly sophisticated detection technologies – but more about how potential victims use their computers.

(6) Attacks on new operating systems and computing platforms will be on the rise.

I think this prediction is self-evident. As a system or platform becomes popular it tends to become more economical for criminals to begin targeting it. Sure, there’s a balance to be struck between popularity and propensity for leveraging it for crime, but if the new platform will reap higher financial rewards, that’s where the criminals will go.

So, if Mac OS X or Google’s Android platforms gain substantial market share in 2009, and it subsequently becomes more profitable for cyber-criminals to target the users of those platforms, you can bet without a shadow of doubt that the attacks will follow.

(7) Increased targeted attacks around issues stemming from the financial crisis will continue into 2009.

Ignoring my thoughts as to what constitutes a “targeted” attack, I do believe that we’ll see an increase in cyber-crime attacks in 2009 as a consequence of the financial crisis.

As confusion and fear grow amongst Internet users, and more people become disgruntled or angry with what’s happening to them, or find their backs against the wall and look for a quick influx of dollars, we’ll see a greater volume of both (cyber) petty-crime and socially engineered attacks (that leverage current news stories). By “petty-crime” I mean fairly simple and uncoordinated cyber attacks, more likely one-off attacks, instigated by non-professional cyber-criminals.

So, with that summary and analysis, I pretty much agree with PandaLabs on most of their 2009 predictions.

More predictions tomorrow...

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.