Five Places Where Malware Hides
Malware has to live somewhere. And while some Web filtering solutions can detect known malware hosts, most malware hides in sites that are otherwise benign.
IT organizations have long suspected that the purveyors of malware are not only getting more sophisticated, they are getting more organized. But until now, the only real confirmation of those suspicions was the increased number of attacks on their sites.
Now a new report from Symantec, being published the week of the Black Hat conference, details the existence of a robust "attack kit" economy. According to Marc Fossi, executive editor of the report, attack kits are packaged collections of malicious code that can be aimed at networks of computer systems. Once developed, these toolkits are sold for a nominal fee to criminals, who then use them to attack systems around the globe.
A downward trend in the global economy has increased the number of idle hands willing to engage in such activities. And with easy access to the toolkits needed to accomplish the task, more aspiring digital criminals have the motive and means to launch attacks.
Most of these kits, says Fossi, are built on publicly disclosed exploits. While many IT organizations have already applied the patches that close the underlying vulnerabilities, plenty have not deployed every patch, for reasons ranging from application compatibility issues to sheer organizational inertia. The kits do not need novel flaws; they need only find the systems that are still unpatched.
Among the more famous pieces of malware that routinely show up in these toolkits is ZeuS, which Fossi says is increasingly being used to steal financial information. Oddly enough, however, none of the attack toolkits contain any zero-day exploits, says Fossi. The people who develop such exploits do not want to publish them in a place where companies such as Symantec could capture a sample, derive a detection signature, and defend against that particular form of attack; a zero-day loses its value the moment it is widely seen.
The existence of an attack kit economy revives the age-old debate over the value of publicly disclosing exploits. But Fossi says that over the long haul, the IT industry as a whole is better off, because disclosure gives people a chance to secure their systems before the same flaw is quietly discovered by criminals, who could then attack systems for months or years without anyone ever knowing.