TechNewsWorld.com

White Hat Warns of 'Less Than Zero' Threat

The Less Than Zero threat doesn't attract a lot of media attention, noted Alan Shimel, chief strategy officer for network security company StillSecure, but the danger is real, and "true security-conscious organizations will take steps to protect themselves from it."


In the go-go eighties, Bret Easton Ellis's novel Less Than Zero was a cult classic, but today another "Less Than Zero" is attracting another kind of cult -- one bent on computer mischief or worse.

"The security industry and trade press have directed a lot of attention toward the 'Zero Day' attack, promoting it as the threat to guard against," Alan Shimel, chief strategy officer for network security company StillSecure, wrote in his blog last week.

"According to the marketing hype," he wrote, "the Zero Day attack is the only one that you should most fear, so you must put in place measures (i.e., buy stuff) to defend your organization from it.

"The Zero Day threat is born the moment a vulnerability is publicly announced or acknowledged," he explained. "But what about the period of time that the threat existed before being announced? At StillSecure we call this class [the] 'Less Than Zero' threat."

The Less Than Zero threat doesn't attract a lot of media attention, Shimel noted, but the danger is real, and "true security-conscious organizations will take steps to protect themselves from it."

Scary to Prominent Targets

Less Than Zero attacks are very scary to high-profile targets like large corporations and governments, contended Sam Curry, vice president for security management at CA, formerly Computer Associates.

"Less Than Zero attacks are the hardest things to get samples for and require more advanced defenses and techniques," he told TechNewsWorld. "This is real Black Hat hacking."

What's more, the threat seems to be growing.

"There's a lot of money in organized crime around trying to find vulnerabilities that can be exploited," Randy Abrams, director of technical education for antivirus software maker ESET, told TechNewsWorld.

"What we're seeing," he continued, "is that they're tending to save up the vulnerabilities, and the day after Microsoft (Nasdaq: MSFT) releases its patches on Patch Tuesday, then they'll start using these vulnerabilities."

A Method That Fits the Times

One reason Less Than Zero attacks are gaining popularity among the black hats is that the assaults are well suited to their needs, according to Vincent Hwang, group product manager for Symantec (Nasdaq: SYMC).

"Previous malware was all about notoriety, making a name for myself, big bang types of attacks," he told TechNewsWorld. "Now it's sneak into an organization, [do] reconnaissance, steal information, defraud. That's the new trend. The new trend is, how can I make money off some sneak attack against people and organizations out there?"

Moreover, there are tools available to hackers with even rudimentary skills to discover new vulnerabilities, he added.

Stealthware Proliferation

However, malware writing is becoming less and less the domain of the mischievous amateur and more and more the territory of the malignant professional.

"Most malware writers look at their malware as products," David Marcus, security research and communications manager for McAfee Avert Labs, told TechNewsWorld. "They're professional in the way that they develop their code. They develop it using professional techniques."

McAfee has seen a big increase in the last year in malware using stealth technology, or rootkits, he noted. "The benefit there to the malware writer is that the code has the ability to live a little bit longer on the system without being discovered," he explained.

From 2005 to 2006, he said, the amount of malware with rootkits increased 400 percent.

Hacking for Profit

Organizations need not be shaking in their sneakers, however, over the prospect of a Less Than Zero attack. "There are strategies for minimizing risk," Ron O'Brien, a senior security analyst with Sophos, told TechNewsWorld. "They include employing good security practices and using software with advanced recognition technology."

While Shimel agreed that good security practices can lower the risk of loss due to Less Than Zero attacks, he did so with a heavy dose of caution.

"There's a community of Black Hats, or whatever you want to call them," he told TechNewsWorld, "people hacking for profit who are finding it very, very easy to get confidential information that can be used for financial gain.

"That's coming from somewhere," he continued, "and my guess is that they're using loopholes, backdoors and Less Than Zero kinds of attacks that we don't know about and are not defending against."


By John P. Mello Jr.

