Ghosts in the Machine
Today’s Invisible Threats
                   Focus Report Series

          September 2009


Trend Micro examines today's invisible threats (i.e. data stealing malware) and finds surprising statistics about machines compromised by malware.

A Trend Micro White Paper | September 2009

I. Executive Summary

Viruses are invisible without a microscope, yet remain one of the most deadly organisms that exist in nature. The term “computer virus” is aptly named to describe one of the greatest challenges of our online world. Yesterday’s computer viruses were not invisible and were instead created by “showoff” hackers out to demonstrate skill and daring. Today’s viruses, or malware, are more like their biological namesake and are today created to be invisible to users to evade detection. Current malware are usually part of an infection chain whose sole purpose is making money for cybercriminals.

In addition to being invisible, today’s malware are also pervasive. Current research of approximately 100 million compromised IPs indicates that computers are also infected (or frequently and quickly reinfected) for longer time periods — often with malware that keep the machine captive as a sleeper bot, ready to be activated for eventual, criminal purposes.

In addition to external threats, many of today’s organizations are similarly worried about internal threats—either malware placed inside maliciously or accidental introduction of malware due to employee accident or error. The Conficker worm is probably the best current example of invisible malware in action, with estimates ranging from 1.25 to five million infected computers.

Most security software solutions are woefully ineffective at fighting the invisible malware enemy because of the sheer number that exist and because today’s viruses are so difficult to detect. Trend Micro advocates a new approach toward chasing down invisible infections—an approach that involves several tiers of protection, rather than simply trying to protect the desktop. Additionally, all Trend Micro solutions are based upon a revolutionary, cloud-content security infrastructure that stops invisible threats in the Internet cloud before they can reach a user’s desktop or server platform. The following white paper explores the evolution of threats—from highly visible to unseen—and offers several unique technology solutions to expose and eradicate the “ghosts in the machine.”

II. Challenges of Today’s Invisible Threats

Which is scarier—a tiger or a microbe? Most people would agree that the large teeth and extreme hunting instinct of tigers pose a more formidable enemy. Yet tigers do not wipe out entire villages like an aggressive virus. More than 25 million people have died of AIDS infections related to the HIV virus since 1981 [1] while tigers claim less than 100 victims per year. Viruses are not visibly dangerous—one cannot see a virus without a microscope—yet experience tells us that viruses can indeed be deadly.

Viruses that threaten computers are for the most part invisible. Of course an IT guru or security expert can identify errant code, but most of today’s dangerous web threats are largely invisible to users. Computer viruses that are written to gain attention are largely passé. Actually, viruses that command attention comprise less than one percent of the total malware population. Some PC users may remember the “cascade virus,” which dropped all the letters on the screen to the bottom of the page, or “Yankee Doodle,” which played the famous song every day at 5pm on infected computers. These show-off viruses were largely written by college students and amateur hackers and have always totaled less than one tenth of a percent of viruses in circulation—and even less of infected systems.
As part of their invisible nature, today’s threats do not typically damage the computer systems they infect. Rather—like parasites—these threats exploit their hosts to stay alive. According to David Perry, Global Director of Education for Trend Micro, in his more than 20 years spent researching viruses, he has yet to find a computer that has been damaged by malware. Almost all reported damages due to malware, including disk drives, monitors, RAM chips, motherboards and processors, etc., are bogus. Today’s threats live on their host evading detection not to cause damage or disruption, but to steal information from the host and to be used for the purpose of compromising and stealing information from others.

Most data-destroying malware were built and distributed in the mid to late 1990s and today are virtually extinct.

Data-stealing Malware

Malware fly under the radar not by mistake but by clever design. Rather than damaging systems or data for the purpose of bravado, today’s malware are stealthy and created to evade detection. Although phishing attacks, spam, online scams, and web-based threats all possess visible components, the malware lurking behind is invisible on purpose. Keyloggers, botnet code, and password stealers are built for transparency because their primary goal is infecting a system to quietly steal valuable data.

[Figure: Data Stealing Malware 1H09 (source: TrendLabs). Stacked bar chart, 0 to 100 percent, of data-stealing malware by category (Trojan, Spyware, Hacktool, Exploit, Dialer, Backdoor, Adware) for Global, N America, S America, Europe, Africa, Asia, and AUNZ.]

Although invisible, data-stealing malware poses a serious threat to today’s organizations. As one of the most dangerous categories of web threats today, data-stealing malware showed tremendous growth in 2008 and is therefore an area of concern for consumer and business audiences alike. In 2009, virtually all malware tracked by Trend Micro experts has been observed to have information stealing as one of their primary goals. According to Anti-Phishing Working Group (APWG) statistics, the number of sites infecting PCs with password-stealing crimeware reached an all time high of 31,173 in December 2008—an 827 percent increase from January of the same year.[2]

Cybercriminals are responsible for creating most of the malware that exists today with the sole intention of making money. Most malware are used to gather and steal data such as banking logins and credit card numbers, intellectual property, confidential data, administrative passwords, and address books—for example. Malware authors are usually professional criminals and credit card details are the most common item bought and sold in the underground. Criminals either use the numbers on their own to exploit victims or sell the numbers on the online Black Market for two to five percent of their remaining balances. For example, if the average card on the list had remaining credit of $1,000, each set of details would be worth approximately $25. [3]

Some invisible malware are specifically designed to assimilate PCs into botnets. For example, botnet services cost about $10 for a million emails.[4] Botnets can also be rented and used for spamming, hacking, and denial of service attacks. An hour of usage on a network of 8,000 to 10,000 computers costs approximately $200. [5]

Underground Economy 2009 (source: TrendLabs)

ASSET                                                GOING RATE
Payout for each unique adware installation           30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version                       $1,000 - $2,000
Malware package with add-on services                 Varying prices starting at $20
Exploit kit rental – 1 hour                          $0.99 to $1
Exploit kit rental – 2.5 hours                       $1.60 to $2
Exploit kit rental – 5 hours                         $4, may vary
Undetected copy of an information stealing Trojan    $80, may vary
Distributed Denial of Service attack                 $100 per day
10,000 compromised PCs                               $1,000
Stolen bank account credentials                      Varying prices starting at $50
1 million freshly-harvested emails (unverified)      $8 up, depending on quality

One Hundred Million Compromised IP Addresses

In addition to being invisible, today’s threats are more pervasive than security experts ever imagined. Trend Micro recently analyzed 100 million compromised IP addresses. The number 100 million is staggering enough until one considers that NAT (network address translation) devices allow multiple computers to be connected to one IP address. For this reason, experts theorize that the number of compromised machines is probably much higher. Many of these machines are unknowingly infected and often being kept as bots—a term used to describe PCs that have been assimilated into part of a botnet.

Botnets are an organized collection of zombie computers that enable cybercriminals to commit large-scale fraud and distribute pornography, spam, and other malicious content. Cybercriminals also upload hidden keylogging software to the bots, enabling access to personal data on affected machines, including usernames, passwords, bank account information, and social security numbers. The software then passes this data to the criminal organization running the botnet, which sells it on the Black Market. From a cyber scammer’s perspective, botnets are extremely efficient because as bots increase in size, the central command console grows ever more powerful. Today’s botnets range from small networks of a thousand drones to enormous networks with hundreds of thousands of infected PCs, placing computing power and high network bandwidth in criminals’ hands.

Machines Infected Longer

In addition to threats being more prevalent than ever imagined, today’s threats are also infecting systems for longer time durations. Unlike the generally accepted belief by the security industry that machines are infected for approximately a six-week time period before being discovered and disinfected, new Trend Micro data suggests that the peak number of infected machines have been infected (or repeatedly infected) for more than two years, with a pronounced spike at three years and with 23 million addresses “active” at any one time. Of these, 80 percent are infected for longer than one month, indicating that malware infection is a long-term problem and machines are either being continuously infected—becoming reinfected as soon as they are cleaned—or that machines are not being cleaned at all.

One might wonder—if threats are this prevalent and long-lasting, why doesn’t the public perceive malware infections to be a bigger problem? The reality is that malware poses a huge problem but because of its invisible and stealthy nature, it goes unnoticed for long periods of time. Many infected machines are in fact dormant bots that are waiting to be activated or called into service. So, although they do not exhibit signs of infection, they may instead act as silent “sleeper bots,” waiting for instructions from a botnet command and control server.

[Figure: Country Infections over Time. Number of infected addresses (0 to 4,000,000) by infection duration (1 day, 3, 5, 7, 21, 60, 120, 180, 240, 300 days, 1 year, 3 years, 5 years) for China, USA, Brazil, Germany, Korea, Italy, Spain, Russia, Turkey, France, GBR, India, and Poland.]
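The kind of infection-duration analysis the Machines Infected Longer section describes, as an added example that is not part of the original white paper and not Trend Micro’s own method. Given a feed of (address, date seen) sightings such as a sinkhole produces, it groups sightings per address, splits them into infection episodes whenever the silence between two sightings exceeds a reinfection gap, and then reports the duration histogram (using the buckets from the chart above), the share of hosts infected longer than one month, the number of reinfected hosts, and the number of hosts active at a reference date. The 90-day reinfection gap, the 7-day active window, the documentation-range addresses and the dates are all assumptions constructed for this example:

```python
from collections import Counter
from datetime import date, timedelta

# Duration buckets matching the x-axis of the "Country Infections over Time"
# chart; an episode falls into the first bucket whose upper bound it fits.
DURATION_BUCKETS = [
    (1, "1 day"), (3, "3 days"), (5, "5 days"), (7, "7 days"), (21, "21 days"),
    (60, "60 days"), (120, "120 days"), (180, "180 days"), (240, "240 days"),
    (300, "300 days"), (365, "1 year"), (3 * 365, "3 years"), (5 * 365, "5 years"),
]

# Constructed sample sighting feed: (ip, date) pairs as a sinkhole or
# compromised-IP feed might report them. Addresses are documentation ranges
# and the dates are invented for this example.
SIGHTINGS = [
    # Host A: seen every two weeks for eight months, silent for four months,
    # then back again: the "cleaned and reinfected" pattern.
    *[("198.51.100.7", date(2009, 1, 1) + timedelta(days=d)) for d in range(0, 240, 14)],
    ("198.51.100.7", date(2009, 12, 28)),
    # Host B: a single sighting, a one-day infection as far as the feed can tell.
    ("203.0.113.5", date(2009, 6, 3)),
    # Host C: seen every 30 days for three years and never cleaned: a sleeper bot.
    *[("192.0.2.44", date(2006, 9, 1) + timedelta(days=30 * m)) for m in range(37)],
]
AS_OF = date(2009, 12, 31)  # reference date for the "active" count (assumed)


def split_episodes(sightings, reinfection_gap_days=90):
    """Group sightings per IP and split them into infection episodes.

    Consecutive sightings closer than reinfection_gap_days are treated as one
    continuous infection; a longer silence is assumed to mean the machine was
    cleaned (or went offline) and was infected again. The 90-day default is an
    assumption made for this example, not a figure from the paper.
    Returns {ip: [(first_seen, last_seen), ...]} with episodes in time order.
    """
    per_ip = {}
    for ip, seen in sightings:
        per_ip.setdefault(ip, []).append(seen)
    episodes = {}
    for ip, dates in per_ip.items():
        dates.sort()
        eps = []
        start = end = dates[0]
        for seen in dates[1:]:
            if (seen - end).days > reinfection_gap_days:
                eps.append((start, end))
                start = seen
            end = seen
        eps.append((start, end))
        episodes[ip] = eps
    return episodes


def duration_days(episode):
    """Inclusive length of an episode; a single sighting counts as one day."""
    first_seen, last_seen = episode
    return (last_seen - first_seen).days + 1


def bucket_label(days):
    """Map an episode length in days to the chart's duration bucket."""
    for upper, label in DURATION_BUCKETS:
        if days <= upper:
            return label
    return "over 5 years"


def summarize(sightings, as_of, reinfection_gap_days=90, active_window_days=7):
    """Compute the statistics the paper reports from its compromised-IP data."""
    episodes = split_episodes(sightings, reinfection_gap_days)
    histogram = Counter()
    longest = {}
    last_seen = {}
    reinfected = 0
    for ip, eps in episodes.items():
        lengths = [duration_days(e) for e in eps]
        histogram.update(bucket_label(d) for d in lengths)
        longest[ip] = max(lengths)
        last_seen[ip] = eps[-1][1]
        if len(eps) > 1:          # more than one episode means a reinfection
            reinfected += 1
    total = len(episodes)
    over_one_month = sum(1 for d in longest.values() if d > 30)
    active = sum(1 for d in last_seen.values() if (as_of - d).days <= active_window_days)
    return {
        "hosts": total,
        "histogram": dict(histogram),
        "share_over_one_month": over_one_month / total,
        "reinfected_hosts": reinfected,
        "active_hosts": active,
    }


if __name__ == "__main__":
    for key, value in summarize(SIGHTINGS, as_of=AS_OF).items():
        print(f"{key}: {value}")
```

The reinfection gap is the one knob that decides whether a host that disappears and reappears is counted as continuously infected or as cleaned and reinfected, which is exactly the ambiguity the paper notes; on real feed data it is worth running the summary at several gap values and reporting the spread rather than a single number.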
Insider Threats

In addition to invisible external network threats, many organizations face security breaches that originate from the inside. Just as hard to detect and often just as insidious, internal security leaks can occur either through deliberate policy breaches, such as planting malware to steal data for financial gain, or by accident, such as an employee bringing in malware through an infected USB stick or music player, or by unknowingly using an infected laptop to log on to a company’s network.

For example, experts believe that the well-known Hannaford Brothers grocery chain breach that occurred in March 2008 may have been an inside job. Data from 4.2 million credit cards was stolen in transmission as a result of malware installed on all Hannaford’s servers in 300 stores. Investigators discovered that the captured data was then being sent overseas. The methodologies used to install the malware and extract the data led to speculation that the Hannaford breach was an inside job, as it is unlikely an outsider could have successfully distributed the correct malware to all the appropriate systems, as observed in the attack. In addition, the sophistication of the credit card interception software led investigators to believe that the criminals used prototypes to develop and test the malware prior to deployment, which would have been readily accessible to an employee.[6] Hannaford suffered greatly in the attack—both in terms of damages paid out in consumer lawsuits and in a tarnished brand image.

According to a recently released study by the Ponemon Institute that polled 845 U.S. IT and IT security professionals, malicious insiders—described as employees with a specific purpose for stealing organizational data—accounted for 9 percent of agents likely to infect an organization with malware, while another 39 percent of systems were infected by well meaning insiders—probably caused by employees unknowingly introducing malware into networks and systems. [7]

Who do you see as the agent most likely to infect your organization’s computer systems with malware?
  Malicious outsiders – hackers directly breaking into network and systems: 52%
  Well meaning insiders – infected employees unknowingly introducing malware into network and systems: 39%
  Malicious insiders – employees with a specific purpose of stealing organizational data: 9%
Source: Ponemon Institute, “Anatomy of Data-Stealing Malware,” Aug 2009

Invisible malware can infiltrate the corporate network in any number of ways. The explosion of potentially vulnerable technologies, such as P2P file sharing, streaming media, instant messaging, wireless networking, and USB storage devices, has made it increasingly difficult to protect corporate data from invisible malware. The interactive nature of Web 2.0 technologies provides an additional threat vector. Web 2.0-based sites act as a platform for third-party developers to create powerful, scripted applications that can access user account details and execute within a browser window. Users can add additional applications and grant access permissions with a few clicks, and when they do, on-site messaging encourages the user’s friends to do the same. This viral networking pattern opens the door for fast-spreading malware. For example, in March 2008 TrendLabs received notice that over 400 phishing kits designed to generate phishing sites were targeting top Web 2.0 sites (i.e., social networking, video sharing, and VoIP sites), free email service providers, banks, and popular e-commerce Web sites. This creates a huge challenge to most organizations as they struggle to manage how, when, and even if these web sites will be allowed in the workplace.

Additionally, greater numbers of telecommuting and traveling employees and the blurring between home and work offices have increased mobile device use and the tendency to transmit sensitive information back and forth by email, which increases the chance of infection. This creates a challenge for today’s companies to protect against the loss or theft of corporate data assets—either by accident or on purpose.

Invisible Threat du Jour—Conficker

A current example of an invisible and dangerous threat is the Conficker worm (also known as Downup, Downadup and Kido), which gained notoriety in April 2009 when an update via a peer-to-peer communication network through one of Conficker’s latest variants exposed connections between Conficker and Waledac (a notorious botnet) and between Conficker and a FakeAV variant called Spyware Protector 2009. The significance of these discoveries is Conficker’s connection to the world of cybercrime. Waledac is an immense botnet due to its association with another bot giant, Storm—a notorious spammer—and injects information stealing code. Waledac also downloads FakeAV, which scares users into buying “security” products by faking infection symptoms and employing crimeware routines. The size of the worm and subsequent damage was large enough to motivate security researchers to form the Conficker Working Group.

[Figure 1: Fake AV screen generated by Conficker]

The Conficker Working Group is a collaborative effort between technology industry leaders and academia to implement a coordinated, global approach to combating the Conficker worm. According to the Conficker Working Group, recent estimates place the worm’s top three variants as affecting well over five million unique IP addresses. Even considering the group’s disclaimer of estimating the number of actually infected systems at only 25 to 75 percent of that number, a minimum of 1.25 million infected systems is considerable. [8] Experts say Conficker is the worst infection since the SQL Slammer worm in 2003.

Conficker exploits a known buffer overflow vulnerability in the Server Service on Windows computers to spread to other machines, linking them to a virtual computer system that can be commanded remotely by its authors. In this manner, the Conficker worm has been used to amass an extremely large botnet, which is now believed to command up to 20 million computers. A single unpatched machine in a business network can become infected with Conficker and subsequently infect the entire network. The potential scale of infection is large because about 30 percent of Windows computers lack the Microsoft Windows patch released in October 2008 to block this vulnerability. Microsoft deemed Conficker important enough to offer a $250,000 reward for information leading to the arrest and conviction of the criminals behind its creation and/or distribution.
III. Inadequacies of Today’s Solutions

Traditional antivirus solutions are no longer effective against today’s invisible threats. In addition to becoming increasingly invisible to users, today's threats are complex, multi-dimensional, coordinated attacks that are difficult to detect and prevent. The sheer number of new threats is an additional concern. A recent estimate places the number of unique new malware samples introduced in a single day at greater than 60,000 unique samples—a new piece of malware is created every 1.5 seconds. Although the security industry issues more frequent pattern updates in an attempt to keep up, the massive volume of updates can overload system resources, resulting in critical performance issues. As the number of threats multiplies, this approach becomes difficult to sustain.

Although many organizations are protected by security software, user behavior makes a bad situation worse. Even when users encounter a warning from desktop security systems, many choose to ignore it. Others fail to update security software or to download recommended security patches. Internal employee mistakes or carelessness (rather than external threats) provide an additional entry point for malware.

Lack of visibility into the exact location and cause of infections presents an additional challenge. To achieve comprehensive coverage, more information is needed to better understand where infections originate. For example, if most threats occur at the Internet gateway, appropriate gateway protections can be installed. In essence, an “early warning system” would help immediately identify invisible malware. Companies need to gain a more comprehensive understanding of security vulnerabilities.

Additionally, compliance does not ensure security, and too many companies are distracted by complying with a checkbox set of policies rather than focusing on the bigger picture of overall security. Large-scale data breaches continue to occur in large firms that are fully compliant. For example, in the case of the Hannaford Brothers breach discussed earlier in this paper, the company was supposedly PCI-certified the previous year and had just received recertification. (The Payment Card Industry, or PCI, sponsors certification to protect consumers from identity theft with established controls to regulate data security.)

As threats become more stealthy, more sophisticated, and more numerous than ever before, today’s security solutions struggle to keep up. Conventional technologies like firewalls and IDS hardware appliances provide some level of protection but may fail to catch “inside threats” from employees who accidentally infect the network or who plant malware from the inside. The increasing use of virtualization also provides new threat vectors that require additional protections. To be adequately protected, both consumers and businesses require a comprehensive approach to security that can detect and stop threats before they reach users and data.

IV. New Layers of Security

Risk assessment tools help increase overall threat intelligence so organizations can gain a bird’s eye view of their security posture to ensure adequate protections are in place. The Trend Micro Security Threat Assessment was designed for organizations seeking a more effective way to discover, mitigate, and manage network level threats. The solution helps organizations respond to malware quickly and efficiently, throughout the network, significantly reducing damage containment costs and improving the overall security posture. The Security Threat Assessment includes the following three tiers:

Threat Discovery—uncovers internal security threats within the network. This would alert users to a phishing attack, for example.

Threat Management—advanced correlation and collaboration with the Smart Protection Network identifies the attack’s root cause and provides customized threat reports and threat response recommendations.

Threat Mitigation—acts on information provided by a monitoring device to perform clean-up, policy enforcement, and remediation.

V. Blocking Threats in the Cloud

The Trend Micro Smart Protection Network is a next-generation cloud-client content security infrastructure that blocks invisible threats before they reach a user’s PC or a company’s network. Leveraged across Trend Micro’s solutions and services, the Smart Protection Network combines unique Internet-based—or “in-the-cloud”—technologies with lighter-weight clients. By checking URLs, emails, and files against continuously updated and correlated threat databases in the cloud, customers always have immediate access to the latest protection wherever they connect—from home, within the company network, or on the go.

The Trend Micro Smart Protection Network comprises a global network of threat intelligence technologies and sensors that provide comprehensive protection against all types of invisible threats—from malicious files, phishing, and web threats, to denial of service attacks, web vulnerabilities, and even data loss. By incorporating in-the-cloud reputation, scanning, and correlation technologies, the Smart Protection Network reduces reliance on conventional pattern file downloads and eliminates the delays commonly associated with desktop updates. The Smart Protection Network is composed of technology components that encompass web reputation, email reputation, file reputation, correlation with behavior analysis, feedback loops, and threat collection and analysis. Processing over 5 billion customer queries per day, the Smart Protection Network is a next generation cloud-client content security infrastructure designed to block threats before they reach a network. The Smart Protection Network prevents over 1 billion threats from infecting its customers daily.

VI. Server Security

To protect servers from attack from invisible threats, Trend Micro Deep Security solutions provide advanced protection for servers—whether physical, virtual, or in-the-cloud. Deep Security combines intrusion detection and prevention, firewall, integrity monitoring and log inspection capabilities in a single, centrally managed software agent to help companies prevent malware from infiltrating web servers. Deep Security protects confidential data and critical applications to help prevent data breaches and ensure business continuity, while enabling compliance with important standards and regulations such as PCI, FISMA, and HIPAA. The solution helps enterprises to identify suspicious activity and behavior, and to take proactive or preventive measures to ensure server security.

Protection for Virtual Machines

Trend Micro Deep Security, combined with Trend Micro Core Protection for Virtual Machines, stops invisible threats from malware before they impact critical data, applications, and resources situated on virtual servers. Deep Security provides server and application protection that enables virtual machines to become self-defending. Core Protection for Virtual Machines is a solution that leverages the VMware VMsafe™ APIs to secure both active and dormant virtual machines.

VII. Free Tools

RUBotted
Trend Micro’s RUBotted monitors computers for suspicious activities and regularly checks with an online service to identify behavior associated with bots. Upon discovering a potential infection, RUBotted prompts users to execute a scan and clean their computers. Both business users and consumers can benefit from running RUBotted.

HouseCall
Trend Micro’s HouseCall is an online application that scans and detects for possible infection by viruses, spyware, or other malware, then cleans the infected computer. Powered by Trend Micro’s Smart Protection Network, HouseCall delivers up-to-date detection against the latest threats. This free tool provides a quick and easy check for threats regardless of the protection status of existing security applications.

VIII. Conclusion

Because today’s threats are created to boost the underground economy, most malware are invisible, designed to work quietly and reside on users’ PCs undetected for months or years at a time. Because of their stealthy nature, there is no need for today’s threats to slow down PCs, destroy files, or show any evidence of their existence. The pervasiveness of today’s threats and the fact that they infect machines for far longer than originally imagined creates a compelling need for new, more robust security solutions that can stay a step ahead of the thousands of unique, new malware samples introduced daily. Additionally, these solutions must guard against accidental or on-purpose threats that enter the corporate network from inside.

Trend Micro advocates multiple layers of protection through its Threat Management Solution to cover every part of the network and identify, manage, and mitigate threats. Additionally, the Smart Protection Network powers all Trend Micro solutions, blocking invisible threats in the Internet cloud through a combined effort of Web, Email, and File Reputation technologies. Server security is an additional area of concern, and solutions like Trend Micro’s Deep Security help companies stop invisible threats before they can infiltrate physical or virtual servers.

IX. References

[1] “Global HIV/AIDS estimates, end of 2007,” July 2008.
[2] Anti-Phishing Working Group website.
[3] Sarah Arnott, “How Cybercrime Went Professional,” The Independent, August 13, 2008. went-professional-892882.html
[4] Ibid.
[5] Ibid.
[6] Richard Koman, “Grocery Chain Data Breach Offers Lessons for CIOs,” March 31, 2008.
[7] Dr. Larry Ponemon, “Anatomy of Data-Stealing Malware,” research report, August 11, 2009.
[8]