As technology and business align closer to an open, Internet-driven world, the current security mechanisms that protect business information are not matching the increasing demands for protection of business transactions and data. A new generation of criminals is exploiting the very connectivity that is so critically important to the productivity of business Internet users.
These professional criminals have long superseded amateur vandals — “script kiddies” — as the major threat to Web users by fielding an array of destructive tools, including spyware, phishing, viruses, trojans and other forms of malicious code that compromise users’ identity and privacy, the security of their transactions, and the integrity of their financial assets.
The malicious content that threatens today’s Web users is diverse. Danger continually lurks in the myriad of “free” downloads of software utilities, toolbars and screen savers. Especially insidious are applications that co-opt search results, keyloggers that intercept credit card numbers and send them to remote machines and trojans that expose corporate desktops to remote hacking.
The new wave of Web threats provides an opportunity for huge financial gain. Surreptitiously installed adware alone generates revenues in the hundreds of millions of dollars every year. Indicative of the lucrative opportunity that “malware” presents are software development kits (SDKs) for spyware and trojans that come with warranties — if the exploited vulnerability is patched by the vendor, the hacker will provide the buyer with a new, unknown one.
The market for malware is vast and continually expanding. Motivated by greed, hackers are becoming ever more creative in finding new ways to exploit vulnerabilities. Not long ago, hacking was primarily recreational; in an odd spirit of sportsmanship, hackers responsibly reported their successful hacks to the affected vendors at the time the hacks were “released into the wild.” No more. Today, hackers prefer to sell their Web exploits for profit to criminals who are willing to pay handsomely.
Finjan’s Web Security Trends Report from the second quarter of 2006 presents clear evidence of this growing market for malicious code. Taking advantage of the openness and anonymity offered by the Internet, hackers utilize the Web to auction off newly discovered vulnerabilities to the highest bidder. Selling unpublished vulnerabilities on the black market represents a new source of revenue for hackers. One such auction can be found on the “Full Disclosure” Web site which is well known in the security community.
Flavors of Malware
Available for sale are exploits packaged into easy-to-use toolkits. One highly successful product is the Web Attacker Toolkit, which is being offered on a Web site originating from Russia for US$300. Employing a “drive-by” spyware installation technique, this toolkit makes it easy to create a Web site that installs malicious code on computers used to visit the site.
Malicious code embedded in spam messages is also popular. Until recently, spam was generally deemed more of a nuisance than a threat. Lately, however, spam increasingly contains malicious content or links to malicious Web sites. As a result, spam messages provide an ideal vehicle for carrying out “blended attacks” that use Active Content, encoding and other sophisticated techniques to bypass traditional antivirus and e-mail security solutions. Financial institutions are particularly susceptible to such attacks; e.g., some customers of National Australia Bank (NAB) were recently exposed to a spam message containing a link directing them to a malicious Web site that automatically installs a trojan on the user’s machine.
These examples clearly show that a new “battlefield” has been established, driven by new interests and monetary gain. New security methods are needed to protect businesses and individuals from threats that may expose them to identity theft, violation of privacy, compromised intellectual property and other damage.
New Threats Require Proactive Solutions
How can companies address these new security threats? Reliance on traditional security measures will not suffice. Companies must make it a top priority to incorporate the latest generation of intelligent, proactive security solutions into their IT infrastructure. According to Gartner: “Traditional signature-based antivirus products can no longer protect companies from malicious code attacks. Vendors must execute product and business strategies to meet the new market requirements for broader malicious code protection.”
There is no question that reactive, signature-based security solutions no longer suffice. Because they require time to create and deliver a signature update to their databases, they cannot be effective against the continual onslaught of “unknown” attacks. Users may be left vulnerable for hours and sometimes even days to new attacks until patches or signature updates are installed.
Coming to the rescue is a new genre of proactive, behavior-based security solutions that scan Web content for known and new potential threats before they reach the end user’s desktop. These new security solutions effectively close the window of vulnerability and safeguard networks from new and unknown types of malicious code. The technology inspects Web content on the fly for suspicious or malicious computer operations, function calls and commands.
Using these findings together with smart algorithms, behavior-based security builds the expected execution model of the content and looks for dangerous execution paths that might compromise the end-user machine. Then, in accordance with an organization’s specific security policy, the security engine decides whether to allow, block or neutralize the content.
A critically important capability of the new behavior-based security technology is that it analyzes each and every piece of content, regardless of its original source. Web pages from every site — from heavily-trafficked mainstream sites to the most obscure newly created sites — are analyzed in exactly the same way. As a result, it is not possible for malicious content to enter the network even if its origin is a highly trusted site. This capability of behavior-based security cannot be matched by conventional URL filtering, which carries the risk of marking well-known Web sites — especially popular social-networking sites such as MySpace or YouTube — as trusted even though hackers may upload malicious code to personal pages or ads on those domains.
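The three preceding paragraphs describe the pipeline in general terms: inspect the content for suspicious operations, build a model of what it would do when executed, and then apply the organization’s policy to allow, block or neutralize it, without regard to which site the content came from. The following is an added illustration of that pipeline written for this article; it is not Finjan’s engine or any product’s code. It is a small Python scanner that pulls inline scripts out of an HTML page, scores behaviour indicators (the indicator names, regular expressions, weights and policy thresholds are all constructed for the example), treats a decode-then-execute chain as a dangerous execution path in its own right, and then chooses an action from the policy. The three sample pages and the `example.invalid` host are constructed, and note that `inspect()` never sees a URL or hostname, so a trusted origin cannot bypass the check.

```python
import re
from dataclasses import dataclass, field

# Behaviour indicators the scanner looks for in script bodies and markup.
# Each entry is (name, pattern, weight); names, patterns and weights are
# constructed for this example, not taken from any product.
INDICATORS = [
    ("dynamic_code_execution", re.compile(r"\beval\s*\(|new\s+Function\s*\("), 3),
    ("string_decoding", re.compile(r"\bunescape\s*\(|String\.fromCharCode\s*\("), 2),
    ("activex_instantiation", re.compile(r"new\s+ActiveXObject\s*\("), 4),
    ("script_writes_iframe", re.compile(r"document\.write\s*\([^)]*<iframe", re.I), 3),
    ("hidden_iframe", re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0\b", re.I), 2),
]

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe>|<iframe\b[^>]*/?>", re.I | re.S)

# The organisation's policy: thresholds on the behaviour score (constructed values).
DEFAULT_POLICY = {"block_at": 6, "neutralize_at": 3}


@dataclass
class Verdict:
    action: str                  # "allow", "neutralize" or "block"
    score: int
    findings: list = field(default_factory=list)
    content: str = ""            # what is actually delivered to the user


def extract_scripts(html):
    """Return the bodies of all inline <script> blocks in the page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def build_execution_model(html):
    """Collect behaviour indicators and score them.

    Returns (score, findings). The model is source-agnostic by design: the
    page's origin is not an input, so content from a well-known site is
    judged exactly like content from an unknown one.
    """
    script_text = "\n".join(extract_scripts(html))
    findings, score = [], 0
    for name, pattern, weight in INDICATORS:
        # Markup-level indicators are matched against the whole page,
        # script-level indicators only against the script bodies.
        haystack = html if name == "hidden_iframe" else script_text
        if pattern.search(haystack):
            findings.append(name)
            score += weight
    # Decoding a string at run time and then executing it is a dangerous
    # execution path in itself: the real code is only visible after it
    # unpacks itself, which is why a signature would miss it.
    if "string_decoding" in findings and "dynamic_code_execution" in findings:
        findings.append("decode_then_execute_path")
        score += 3
    return score, findings


def neutralize(html):
    """Strip active content so the remaining static markup can be delivered."""
    return IFRAME_RE.sub("", SCRIPT_RE.sub("", html))


def inspect(html, policy=DEFAULT_POLICY):
    """Apply the policy to the behaviour model and return a Verdict."""
    score, findings = build_execution_model(html)
    if score >= policy["block_at"]:
        return Verdict("block", score, findings, "")
    if score >= policy["neutralize_at"]:
        return Verdict("neutralize", score, findings, neutralize(html))
    return Verdict("allow", score, findings, html)


# Constructed sample pages; example.invalid is a reserved, non-resolving name.
BENIGN_PAGE = """<html><body>
<h1>Quarterly report</h1>
<script>
  var total = 0;
  document.getElementById('sum').textContent = total.toFixed(2);
</script>
</body></html>"""

INJECTED_AD_PAGE = """<html><body>
<h1>Welcome to my page</h1>
<script>
  document.write('<iframe src="http://example.invalid/ad" width=0 height=0></iframe>');
</script>
</body></html>"""

OBFUSCATED_PAGE = """<html><body>
<p>Loading...</p>
<script>
  var p = unescape('%64%6f%63%75%6d%65%6e%74');
  eval(p + '.write("<iframe src=\\'http://example.invalid/x\\' width=0 height=0></iframe>")');
</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in [("benign", BENIGN_PAGE), ("injected ad", INJECTED_AD_PAGE),
                        ("obfuscated", OBFUSCATED_PAGE)]:
        v = inspect(page)
        print(f"{label}: {v.action} (score {v.score}, findings {v.findings})")
```

The benign page scores zero and is allowed unchanged; the page whose personal-page script writes a hidden frame scores 5 and is neutralized, so the visitor still gets the heading but not the script or the frame; the page that decodes its own code before executing it scores 10 and is blocked outright, even though the literal string `document.write` never appears in it. Tuning the thresholds is the policy decision the article leaves to each organization.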
Since it does not require signatures or pre-defined patterns to identify malicious content, behavior-based security technology is the ideal solution for securing corporate networks from new and emerging threats. By making it possible to analyze code behavior and understand the context of its execution environment, this approach is highly effective in protecting against unknown and dynamic Web content.
Yuval Ben-Itzhak is Chief Technology Officer of Finjan.