Ghosts in the Machine: Today’s Invisible Threats
Focus Report Series
A Trend Micro White Paper | September 2009
I. Executive Summary
Viruses are invisible without a microscope, yet remain one of the most deadly organisms that exist in nature. The term
“computer virus” is aptly named to describe one of the greatest challenges of our online world. Yesterday’s computer
viruses were not invisible and were instead created by “showoff” hackers out to demonstrate skill and daring. Today’s
viruses, or malware, are more like their biological namesake and are today created to be invisible to users to evade
detection.
Current malware are usually part of an infection chain whose sole purpose is making money for cybercriminals. In addition to being invisible, today’s malware are also pervasive. Current research on approximately 100 million compromised IPs indicates that computers are also infected (or frequently and quickly reinfected) for longer time periods—often with malware that keep the machine captive as a sleeper bot, ready to be activated for eventual criminal purposes.
In addition to external threats, many of today’s organizations are similarly worried about internal threats—either malware placed inside maliciously or malware introduced accidentally through employee error. The Conficker worm is probably the best current example of invisible malware in action, with estimates ranging from 1.25 to five million infected computers.
Most security software solutions are woefully ineffective at fighting the invisible malware
enemy because of the sheer number that exist and because today’s viruses are so difficult to detect. Trend Micro
advocates a new approach toward chasing down invisible infections—an approach that involves several tiers of
protection, rather than simply trying to protect the desktop. Additionally, all Trend Micro solutions are based upon a
revolutionary, cloud-content security infrastructure that stops invisible threats in the Internet cloud before they can
reach a user’s desktop or server platform. The following white paper explores the evolution of threats—from highly
visible to unseen—and offers several unique technology solutions to expose and eradicate the “ghosts in the machine.”
II. Challenges of Today’s Invisible Threats
Which is scarier—a tiger or a microbe? Most people would agree that the large teeth and extreme hunting instinct of
tigers pose a more formidable enemy. Yet tigers do not wipe out entire villages like an aggressive virus. More than 25
million people have died of AIDS infections related to the HIV virus since 1981 [1] while tigers claim less than 100
victims per year. Viruses are not visibly dangerous—one cannot see a virus without a microscope–yet experience tells
us that viruses can indeed be deadly.
Viruses that threaten computers are for the most part invisible. Of course an IT guru or security expert can identify
errant code but most of today’s dangerous web threats are largely invisible to users. Computer viruses that are written
to gain attention are largely passé. Actually, viruses that command attention comprise less than one percent of the
total malware population. Some PC users may remember the “cascade virus,” which dropped all the letters on the
screen to the bottom of the page or “Yankee Doodle,” which played the famous song every day at 5pm on infected
computers. These show-off viruses were largely written by college students and amateur hackers and have always
totaled less than one tenth of a percent of viruses in circulation—and even less of infected systems.
2 Focus Report | Ghosts in the Machine: Today’s Invisible Threats
As part of their invisible nature, today’s threats do not typically damage the computer systems they infect. Rather—like parasites—these threats exploit their hosts to stay alive. According to David Perry, Global Director of Education for Trend Micro, in his more than 20 years spent researching viruses, he has yet to find a computer that has been damaged by malware. Almost all reported cases of malware damaging hardware—disk drives, monitors, RAM chips, motherboards, processors, and so on—are bogus. Today’s threats live on their host evading detection, not to cause damage or disruption but to steal information from the host and to use it to compromise and steal information from others.
Most data-destroying malware were built and distributed in the mid to late 1990s and today are virtually extinct.
Data-stealing Malware
Malware fly under the radar not by mistake but by clever design. Rather than damaging systems or data for the purpose of bravado, today’s malware are stealthy and created to evade detection. Although phishing attacks, spam, online scams, and web-based threats all possess visible components, the malware lurking behind them is invisible on purpose. Keyloggers, botnet code, and password stealers are built to stay unnoticed because their primary goal is infecting a system to quietly steal valuable data.
Figure: Data Stealing Malware 1H09 (source: TrendLabs). Stacked percentage chart (0 to 100%) of data-stealing malware by type (Trojan Spyware, Trojan, Hacktool, Exploit, Dialer, Backdoor, Adware) for Global, N America, S America, Europe, Africa, Asia, and AUNZ.
Although invisible, data-stealing malware poses a serious threat to today’s organizations. As one of the most
dangerous categories of web threats today, data-stealing malware showed tremendous growth in 2008 and is therefore
an area of concern for consumer and business audiences alike. In 2009, virtually all malware tracked by Trend Micro
experts has been observed to have information stealing as one of their primary goals. According to Anti-Phishing
Working Group (APWG) statistics, the number of sites infecting PCs with password-stealing crimeware reached an all
time high of 31,173 in December 2008—an 827 percent increase from January of the same year.[2]
Cybercriminals are responsible for creating most of the malware that exists today with the sole intention of making
money. Most malware are used to gather and steal data such as banking logins and credit card numbers, intellectual
property, confidential data, administrative passwords, and address books—for example.
Malware authors are usually professional criminals and credit card details are the most common item bought and sold
in the underground. Criminals either use the numbers on their own to exploit victims or sell the numbers on the online
Black Market for two to five percent of their remaining balances. For example, if the average card on the list had
remaining credit of $1,000, each set of details would be worth approximately $25. [3]
Some invisible malware are specifically designed to assimilate PCs into botnets. For example, botnet services cost
about $10 for a million emails.[4] Botnets can also be rented and used for spamming, hacking, and denial of service
attacks. An hour of usage on a network of 8,000 to 10,000 computers costs approximately $200. [5]
Underground Economy 2009 (source: TrendLabs)
ASSET | GOING RATE
Payout for each unique adware installation | 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version | $1,000 - $2,000
Malware package with add-on services | Varying prices starting at $20
Exploit kit rental – 1 hour | $0.99 to $1
Exploit kit rental – 2.5 hours | $1.60 to $2
Exploit kit rental – 5 hours | $4, may vary
Undetected copy of an information stealing Trojan | $80, may vary
Distributed Denial of Service attack | $100 per day
10,000 compromised PCs | $1,000
Stolen bank account credentials | Varying prices starting at $50
1 million freshly-harvested emails (unverified) | $8 up, depending on quality
One Hundred Million Compromised IP Addresses
In addition to being invisible, today’s threats are more pervasive than security experts ever imagined. Trend Micro
recently analyzed 100 million compromised IP addresses. The number 100 million is staggering enough until one
considers that NAT (network address translation) devices allow multiple computers to be connected to one IP address.
For this reason, experts theorize that the number of compromised machines is probably much higher. Many of these
machines are unknowingly infected and often being kept as bots—a term used to describe PCs that have been
assimilated into part of a botnet. Botnets are an organized collection of zombie computers that enable cybercriminals
to commit large-scale fraud and distribute pornography, spam, and other malicious content.
Cybercriminals also upload hidden keylogging software to the bots, enabling access to personal data on affected
machines, including usernames, passwords, bank account information, and social security numbers.
The software then passes this data to the criminal organization running the botnet, which sells it on the Black Market.
From a cyber scammer’s perspective, botnets are extremely efficient because as bots increase in size, the central
command console grows ever more powerful. Today’s botnets range from small networks of a thousand drones to
enormous networks with hundreds of thousands of infected PCs, placing computing power and high network
bandwidth in criminals’ hands.
Machines Infected Longer
In addition to threats being more prevalent than ever imagined, today’s threats are also infecting systems for longer durations. Unlike the generally accepted belief in the security industry that machines are infected for approximately a six-week period before being discovered and disinfected, new Trend Micro data suggests that the peak number of infected machines has been infected (or repeatedly infected) for more than two years, with a pronounced spike at three years and with 23 million addresses “active” at any one time. Of these, 80 percent are infected for longer than one month, indicating that malware infection is a long-term problem and machines are either being continuously infected—becoming reinfected as soon as they are cleaned—or that machines are not being cleaned at all.
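The duration argument above (the share infected longer than a month, and the distinction between hosts that are continuously reinfected and hosts that are never cleaned) can be reproduced from sensor sightings. The following Python is an added example, not Trend Micro code or the data behind the paper; the sighting records, the 30-day silence threshold used to separate reinfection from persistence, and the function names are all assumptions.

```python
"""Infection-duration analysis over constructed bot-sighting records.

Each sighting is (address, date on which the address was observed acting
as a bot). Per address we compute the total span between first and last
sighting, bucket it on the same day edges as the paper's "Country
Infections over Time" chart, and split the sightings into infection
episodes at silences longer than GAP_DAYS. More than one episode means
the host was cleaned (or went quiet) and later reinfected; a single
episode means no cleaning was ever observed.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Bucket edges in days, matching the chart's x-axis (1 day ... 5 years).
BUCKET_EDGES = [1, 3, 5, 7, 21, 60, 120, 180, 240, 300, 365, 3 * 365, 5 * 365]
# Assumed: sensors see an active bot at least once a month, so a longer
# silence is treated as the end of one infection episode.
GAP_DAYS = 30


def bucket_label(days):
    """Smallest chart bucket (in days) that holds this duration."""
    for edge in BUCKET_EDGES:
        if days <= edge:
            return f"<={edge}d"
    return f">{BUCKET_EDGES[-1]}d"


def split_episodes(dates, gap_days=GAP_DAYS):
    """Split sighting dates into (first, last) episodes at gaps > gap_days."""
    dates = sorted(dates)
    episodes = []
    start = prev = dates[0]
    for d in dates[1:]:
        if (d - prev).days > gap_days:
            episodes.append((start, prev))
            start = d
        prev = d
    episodes.append((start, prev))
    return episodes


def analyze(sightings, gap_days=GAP_DAYS):
    """Per-address span, episode count, status and chart bucket."""
    by_ip = defaultdict(list)
    for ip, d in sightings:
        by_ip[ip].append(d)
    results = {}
    for ip, dates in by_ip.items():
        episodes = split_episodes(dates, gap_days)
        span = (max(dates) - min(dates)).days
        results[ip] = {
            "span_days": span,
            "episodes": len(episodes),
            "status": "reinfected" if len(episodes) > 1 else "persistent",
            "bucket": bucket_label(span),
        }
    return results


def share_longer_than(results, days):
    """Fraction of addresses whose infection span exceeds `days`."""
    if not results:
        return 0.0
    return sum(r["span_days"] > days for r in results.values()) / len(results)


def histogram(results):
    """Count of addresses per chart bucket."""
    return Counter(r["bucket"] for r in results.values())


def _series(ip, start, step_days, count):
    """Constructed helper: regular sightings every step_days."""
    return [(ip, start + timedelta(days=step_days * i)) for i in range(count)]


# Constructed sample data (documentation addresses, not real indicators).
SIGHTINGS = (
    [("192.0.2.10", date(2009, 1, 1)), ("192.0.2.10", date(2009, 1, 10)),
     ("192.0.2.10", date(2009, 2, 20)), ("192.0.2.10", date(2009, 4, 1))]
    + [("192.0.2.11", date(2009, 3, 1)), ("192.0.2.11", date(2009, 3, 5))]
    + _series("192.0.2.12", date(2006, 6, 1), 20, 55)   # seen for ~3 years
    + [("192.0.2.13", date(2009, 5, 1))]
    + [("192.0.2.14", date(2008, 9, 1)), ("192.0.2.14", date(2008, 9, 15)),
       ("192.0.2.14", date(2008, 10, 1)), ("192.0.2.14", date(2008, 10, 10))]
)

if __name__ == "__main__":
    res = analyze(SIGHTINGS)
    for ip, r in sorted(res.items()):
        print(ip, r)
    print("share infected > 30 days:", share_longer_than(res, 30))
    print("histogram:", dict(histogram(res)))
```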
One might wonder—if threats are this prevalent and long-lasting, why doesn’t the public perceive malware infections to
be a bigger problem? The reality is that malware poses a huge problem but because of its invisible and stealthy nature,
it goes unnoticed for long periods of time. Many infected machines are in fact dormant bots that are waiting to be
activated or called into service. So, although they do not exhibit signs of infection, they may instead act as silent
“sleeper bots,” waiting for instructions from a botnet command and control server.
Figure: Country Infections over Time. Number of infected machines (0 to 4,000,000) plotted against infection duration (1 day, 3, 5, 7, 21, 60, 120, 180, 240, 300 days, 1 year, 3 years, 5 years) for China, USA, Brazil, Germany, Korea, Italy, Spain, Russia, Turkey, France, GBR, India, and Poland.
Insider Threats
In addition to invisible external network threats, many organizations face security breaches that originate from the inside. Just as hard to detect and often just as insidious, internal security leaks can occur either through deliberate policy breaches, such as planting malware to steal data for financial gain, or by accident, such as an employee bringing in malware through an infected USB stick or music player, or unknowingly using an infected laptop to log on to a company’s network.
For example, experts believe that the well-known Hannaford Brothers grocery chain breach that occurred in March
2008 may have been an inside job. Data from 4.2 million credit cards was stolen in transmission as a result of malware
installed on all Hannaford’s servers in 300 stores. Investigators discovered that the captured data was then being sent
overseas. The methodologies used to install the malware and extract the data led to speculation that the Hannaford
breach was an inside job as it is unlikely an outsider could have successfully distributed the correct malware to all the
appropriate systems, as observed in the attack. In addition, the sophistication of the credit card interception software
led investigators to believe that the criminals used prototypes to develop and test the malware prior to deployment,
which would have been readily accessible to an employee.[6] Hannaford suffered greatly in the attack—both in terms
of damages paid out in consumer law suits and in a tarnished brand image.
According to a recently released study by the Ponemon Institute that polled 845 U.S. IT and IT security professionals, malicious insiders—described as employees with a specific purpose for stealing organizational data—accounted for 9 percent of agents likely to infect an organization with malware, while another 39 percent of systems were infected by well-meaning insiders—probably employees unknowingly introducing malware into networks and systems. [7]
Who do you see as the agent most likely to infect your organization’s computer systems with malware?
Malicious outsiders – hackers directly breaking into network and systems: 52%
Well-meaning insiders – infected employees unknowingly introducing malware into network and systems: 39%
Malicious insiders – employees with a specific purpose of stealing organizational data: 9%
Source: Ponemon Institute, “Anatomy of Data-Stealing Malware,” Aug 2009
Invisible malware can infiltrate the corporate network in any number of ways. The explosion of potentially vulnerable
technologies, such as P2P file sharing, streaming media, instant messaging, wireless networking, and USB storage
devices has made it increasingly difficult to protect corporate data from invisible malware.
The interactive nature of Web 2.0 technologies provides an additional threat vector. Web 2.0-based sites, such as
Facebook.com, act as a platform for third-party developers to create powerful, scripted applications that can access
user account details and execute within a browser window. Users can add additional applications and grant access
permissions with a few clicks, and when they do, on-site messaging encourages the user’s friends to do the same.
This viral networking pattern opens the door for fast-spreading malware. For example in March 2008, TrendLabs
received notice that over 400 phishing kits designed to generate phishing sites were targeting top Web 2.0 sites (i.e.,
social networking, video sharing, and VoIP sites), free email service providers, banks, and popular e-commerce Web
sites. This creates a huge challenge to most organizations as they struggle to manage how, when, and even if these
web sites will be allowed in the workplace.
Additionally, greater numbers of telecommuting and traveling employees and the blurring between home and work
offices have increased mobile device use and the tendency to transmit sensitive information back and forth by email,
which increases the chance of infection. This creates a challenge for today’s companies to protect against the loss or
theft of corporate data assets—either by accident or on purpose.
Invisible Threat du Jour—Conficker
A current example of an invisible and dangerous threat is the Conficker worm (also known as Downup, Downadup and Kido), which gained notoriety in April 2009 when an update via a peer-to-peer communication network through one of Conficker’s latest variants exposed connections between Conficker and Waledac (a notorious botnet) and between Conficker and a FakeAV variant called Spyware Protector 2009.
The significance of these discoveries is Conficker’s connection to the world of cybercrime. Waledac is an immense botnet due to its association with another bot giant, Storm—a notorious spammer—and injects information stealing code. Waledac also downloads FakeAV, which scares users into buying “security” products by faking infection symptoms and employing crimeware routines.
Figure 1: Fake AV screen generated by Conficker
The size of the worm and subsequent damage was large enough to motivate security researchers to form the Conficker Working Group. The Conficker Working Group is a collaborative effort between technology industry leaders and academia to implement a coordinated, global approach to combating the Conficker worm.
According to the Conficker Working Group, recent estimates place the worm’s top three variants as affecting well over
five million unique IP addresses. Even considering the group’s disclaimer of estimating the number of actually infected
systems at only 25 to 75 percent of that number, a minimum of 1.25 million infected systems is considerable. [8]
Experts say Conficker is the worst infection since the SQL Slammer worm in 2003. Conficker exploits a known buffer
overflow vulnerability in the Server Service on Windows computers to spread to other machines, linking them to a
virtual computer system that can be commanded remotely by its authors. In this manner, the Conficker worm has been
used to amass an extremely large botnet, which is now believed to command up to 20 million computers.
A single unpatched machine in a business network can become infected with Conficker and subsequently infect the
entire network. The potential scale of infection is large because about 30 percent of Windows computers lack the
Microsoft Windows patch released in October 2008 to block this vulnerability. Microsoft deemed Conficker important
enough to offer a $250,000 reward for information leading to the arrest and conviction of the criminals behind its
creation and/or distribution.
III. Inadequacies of Today’s Solutions
Traditional antivirus solutions are no longer effective against today’s invisible threats. In addition to becoming increasingly invisible to users, today’s threats are complex, multi-dimensional, coordinated attacks that are difficult to detect and prevent. The sheer number of new threats is an additional concern. A recent estimate places the number of unique new malware samples introduced in a single day at greater than 60,000—a new piece of malware is created every 1.5 seconds. Although the security industry issues more frequent pattern updates in an attempt to keep up, the massive volume of updates can overload system resources, resulting in critical performance issues. As the number of threats multiplies, this approach becomes difficult to sustain.
Although many organizations are protected by security software, user behavior makes a bad situation worse. Even when users encounter a warning from desktop security systems, many choose to ignore it. Others fail to update security software or to download recommended security patches. Internal employee mistakes or carelessness (rather than external threats) provide an additional entry point for malware.
Lack of visibility into the exact location and cause of infections presents an additional challenge. To achieve
comprehensive coverage, more information is needed to better understand where infections originate. For example, if
most threats occur at the Internet gateway, appropriate gateway protections can be installed. In essence, an “early
warning system” would help immediately identify invisible malware.
Companies need to gain a more comprehensive understanding of security vulnerabilities. Additionally, compliance
does not ensure security and too many companies are distracted by complying with a checkbox set of policies rather
than on the bigger picture of overall security. Large-scale data breaches continue to occur in large firms that are fully
compliant. For example, in the case of the Hannaford Brothers breach discussed earlier in this paper, the company
was supposedly PCI-certified the previous year and had just received recertification. (The Payment Card Industry, or
PCI, sponsors certification to protect consumers from identity theft with established controls to regulate data security.)
As threats become more stealthy, more sophisticated, and more numerous than ever before, today’s security solutions
struggle to keep up. Conventional technologies like firewalls and IDS hardware appliances provide some level of
protection but may fail to catch “inside threats” from employees who accidentally infect the network or who plant
malware from the inside. The increasing use of virtualization also provides new threat vectors that require additional
protections. To be adequately protected, both consumers and business require a comprehensive approach to security
that can detect and stop threats before they reach users and data.
IV. New Layers of Security
Risk assessment tools help increase overall threat intelligence so organizations can gain a bird’s eye view of their
security posture to ensure adequate protections are in place.
The Trend Micro Security Threat Assessment was designed for organizations seeking a more effective way to discover,
mitigate, and manage network level threats. The solution helps organizations respond to malware quickly and
efficiently, throughout the network, significantly reducing damage containment costs and improving the overall security
posture.
The Security Threat Assessment includes the following three tiers:
Threat Discovery—uncovers internal security threats within the network. This would alert users to a phishing attack, for
example.
Threat Management—advanced correlation and collaboration with the Smart Protection Network identifies the attack’s
root cause and provides customized threat reports and threat response recommendations.
Threat Mitigation—acts on information provided by a monitoring device to perform clean-up, policy enforcement, and
remediation.
V. Blocking Threats in the Cloud
The Trend Micro Smart Protection Network is a next-generation cloud-client content security infrastructure that blocks
invisible threats before they reach a user’s PC or a company’s network. Leveraged across Trend Micro’s solutions and
services, the Smart Protection Network combines unique Internet-based—or “in-the-cloud”—technologies with lighter-
weight clients. By checking URLs, emails, and files against continuously updated and correlated threat databases in
the cloud, customers always have immediate access to the latest protection wherever they connect—from home,
within the company network, or on the go.
The Trend Micro Smart Protection Network comprises a global network of threat intelligence technologies and sensors
that provide comprehensive protection against all types of invisible threats—from malicious files, phishing, and web
threats, to denial of service attacks, web vulnerabilities, and even data loss. By incorporating in-the-cloud reputation,
scanning, and correlation technologies, the Smart Protection Network reduces reliance on conventional pattern file
downloads and eliminates the delays commonly associated with desktop updates. The Smart Protection Network is
composed of technology components that encompass web reputation, email reputation, file reputation, correlation with
behavior analysis, feedback loops, and threat collection and analysis.
Processing over 5 billion customer queries per day, the Smart Protection Network is a next generation cloud-client
content security infrastructure designed to block threats before they reach a network. The Smart Protection Network
prevents over 1 billion threats from infecting its customers daily.
VI. Server Security
To protect servers from attack from invisible threats, Trend Micro Deep Security solutions provide advanced protection
for servers—whether physical, virtual, or in-the-cloud. Deep Security combines intrusion detection and prevention,
firewall, integrity monitoring and log inspection capabilities in a single, centrally managed software agent to help
companies prevent malware from infiltrating web servers.
Deep Security protects confidential data and critical applications to help prevent data breaches and ensure business
continuity, while enabling compliance with important standards and regulations such as PCI, FISMA, and HIPAA. The
solution helps enterprises to identify suspicious activity and behavior, and to take proactive or preventive measures to
ensure server security.
Protection for Virtual Machines
Trend Micro Deep Security, combined with Trend Micro Core Protection for Virtual Machines, stops invisible threats
from malware before they impact critical data, applications, and resources situated on virtual servers. Deep Security
provides server and application protection that enables virtual machines to become self-defending. Core Protection for
Virtual Machines is a solution that leverages the VMware VMsafe™ APIs to secure both active and dormant virtual
machines.
VII. Free Tools
RUBotted
Trend Micro’s RUBotted monitors computers for suspicious activities and regularly checks with an online service to
identify behavior associated with bots. Upon discovering a potential infection, RUBotted prompts users to execute a
scan and clean their computers. Both business users and consumers can benefit from running RUBotted.
HouseCall
Trend Micro’s HouseCall is an online application that scans for possible infection by viruses, spyware, or other malware and then cleans the infected computer. Powered by Trend Micro’s Smart Protection Network, HouseCall delivers up-to-date detection against the latest threats. This free tool provides a quick and easy check for threats regardless of the protection status of existing security applications.
VIII. Conclusion
Because today’s threats are created to boost the underground economy, most malware are invisible, designed to work
quietly and reside on users’ PCs undetected for months or years at a time. Because of their stealthy nature, there is no
need for today’s threats to slow down PCs, destroy files, or show any evidence of their existence. The pervasiveness
of today’s threats and the fact that they infect machines for far longer than originally imagined creates a compelling
need for new, more robust security solutions that can stay a step ahead of the thousands of unique, new malware
samples introduced daily. Additionally, these solutions must guard against accidental or on-purpose threats that enter
the corporate network from inside. Trend Micro advocates multiple layers of protection through its Threat Management
Solution to cover every part of the network and identify, manage, and mitigate threats. Additionally, the Smart
Protection Network powers all Trend Micro solutions, blocking invisible threats in the Internet cloud through a
combined effort of Web, Email, and File Reputation technologies. Server security is an additional area of concern and
solutions like Trend Micro’s Deep Security help companies stop invisible threats before they can infiltrate physical or
virtual servers.
IX. References
1 “Global HIV/AIDS estimates, end of 2007,” Avert.com, July 2008, http://www.avert.org/worldstats.htm
2 Anti-Phishing Working Group website, http://www.antiphishing.org
3 Sarah Arnott, “How Cybercrime Went Professional,” The Independent, August 13, 2008, http://www.independent.co.uk/news/business/analysis-and-features/how-cyber-crime-went-professional-892882.html
4 Ibid.
5 Ibid.
6 Richard Koman, “Grocery Chain Data Breach Offers Lessons for CIOs,” Newsfactor.com, March 31, 2008, http://www.newsfactor.com/story.xhtml?story_id=59056
7 Dr. Larry Ponemon, “Anatomy of Data-Stealing Malware,” research report, August 11, 2009.
8 Conficker Working Group, http://www.confickerworkinggroup.org