Security

Read all 'Trend Micro' posts in Security
December 10, 2009 11:21 AM PST

Trend Micro forecasts future threats

by Lance Whitney

Cloud computing and virtualization are just two technologies that cybercriminals are anxious to exploit, forecasts a report released Wednesday by security vendor Trend Micro.

The year ahead offers new opportunities for cybercrooks as they hunt for more targets and new challenges as people try to protect themselves, says Trend Micro's 2010 Future Threat Report (PDF).

Cloud computing and virtualization can be cost effective. But since they're beyond the confines of a company's own firewall, they could be potentially open areas for cybercriminals to attack. October's Sidekick data outage highlighted the vulnerabilities of the cloud, which cybercrooks are likely to abuse, according to Trend Micro.

Social networks have proved to be an appealing area for bad guys, a shift that Trend Micro thinks will increase through the use of social engineering. Cybercrooks will try to enter people's communities and circles of friends at sites like Facebook in an attempt to steal personal information.

Malware outbreaks will shift from the global landscape to more local, targeted attacks, similar to the strategy employed by Conficker, which Trend Micro calls a "carefully orchestrated and architected attack."

Trend Micro also believes the move toward international domain names orchestrated by ICANN will open up the playing field for more phishing attacks as crooks create look-alike domain names using the Cyrillic alphabet instead of Latin characters.

A few other trends for 2010 and beyond to keep us all on the alert:

  • Windows 7 will have an impact since it is less secure than Vista in the default configuration (presumably because User Access Control (UAC) in Win 7 is not set to its most restrictive level by default).
  • Drive-by infections are the norm--one Web visit is enough to get infected.
  • Malware is changing its shape--every few hours.

To protect yourself, Trend Micro dispenses the usual advice we've all heard before. But it bears repeating--keep your PC patched and updated, don't click on strange e-mail attachments, make sure the online stores you shop at are secure (https vs http), and don't use the same password for all Web sites.

August 31, 2009 9:48 AM PDT

Trend Micro launches new security tracking tool

by Sam Diaz

This was originally posted at ZDNet's Between the Lines.

It used to be that an IT administrator could warn employees about opening attachments from unknown sources or clicking on links from unknown e-mail senders as the first line of defense against spam, malware, and other bad stuff on the Internet.

Today, the seedy side of the Internet comes in many different forms and from many different sources. Stop for a moment and think about the new places where malware might be buried, hidden, released, and shared--a legitimate site that's been hacked, a bit.ly link on Twitter, or even an image on a Facebook friend's page. Now, think about how many of these links you've clicked on from within the corporate network.

Trend Micro, in an effort to fight a modern-day Internet security war, is announcing Monday the launch of its Web Gateway Security, a product that does more than just enhance URL filtering or expand the database of trouble spots, red flags, and other information used to keep its customers safe. The product also comes with tools that provide IT administrators with detailed information about who on the network is doing what, when and from where--even just a few moments ago. The dashboard (pictured below) gives the administrator a nearly real-time look at the users, the traffic, and the sites being downloaded across the entire network with just a glance.

It's a tool that gives companies the ability to monitor for unusual activity and track it--nearly in real-time--to a particular site or particular user. No more waiting for reports the next morning to make some sort of discovery or identify the root of a problem.

Sure, there's potential for companies to take "Big Brother" to a new level. But the executives at Trend Micro pointed instead to the ability to identify a problem at a company-approved site. If a particular user is using an excessive amount of bandwidth, for example, but isn't visiting any out-of-the-ordinary sites, it may be the result of a problem at one of those sites.

Companies have long reserved the right to monitor or restrict Web surfing activities for the sake of protecting the network and sensitive company data. In a recent survey of IT executives by Trend Micro, 75 percent said they were concerned about unauthorized online activities at work and that nearly 70 percent would consider prohibiting access to certain sites, such as shopping or social-networking properties. But the company also highlights another statistic--42 percent say they're willing to accept the risks of social networking on office computers because they see social networking as something that will benefit the company in the long run.

The company on Monday also announced a virtual appliance, which allows companies to either dedicate their own standardized hardware to the app or install in a VMware environment with other apps.

Web Gateway Security's dashboard offers a nearly real-time look at users' activity across the entire network at a glance.

(Credit: Trend Micro)

August 27, 2009 5:40 PM PDT

Trend Micro's 2010 suite is sharp at the top

by Seth Rosenblatt

Trend Micro released its 2010 security products earlier this week, with three programs offering varying levels of security and service. The comparatively barebones Trend Micro Antivirus + AntiSpyware clocks in at $40, the basic suite Trend Micro Internet Security costs $10 more, and the premium Trend Micro Internet Security Pro is $70. They all come with a full-feature 30-day trial.

There's a lot that's new in the Pro version and some of that filters down to the other editions. Users can expect to get full Windows 7 support, auto-run disabling for USB keys, gaming and video-watching awareness so that scans don't begin while you're relaxing, and notably a behavioral detection engine that Trend Micro calls the Smart Protection Network.

Like its competitors Symantec and Kaspersky, Trend Micro's engine utilizes anonymous data from its client base to determine when a program is behaving suspiciously. From there, it will either automatically kill the process or ask for user input. As malware and virus makers get smarter and find new ways to avoid detection, the need for behavioral monitoring will only increase.

There are a series of performance enhancements, too, at least according to Trend Micro. Trend Micro is claiming that boot times are 20 percent faster, that the programs use 40 percent less RAM, that the download itself is 25 percent smaller, and that the quick scan on Windows Vista and Windows XP is 20 percent faster.

Many of the other feature changes amount to tweaks. However, for the price it's undeniable that you're getting your money's worth in the Pro version. Smartphone security support for Windows Mobile and Symbian, customizable data protection to keep names, phone numbers, and credit card numbers from leaving your computer, and a dynamic firewall make it a must-consider if you're in the market for a robust suite. Full reviews for each product are available here: Trend Micro Antivirus + AntiSpyware, Trend Micro Internet Security, Trend Micro Internet Security Pro.

Do you use a security suite? Which one? Let me know in the comments below.

Originally posted at The Download Blog

April 9, 2009 11:43 AM PDT

Researchers say Conficker is all about the money

by Elinor Mills

The Conficker worm that has infected millions of Windows-based computers will likely be used to send spam and steal data much like one of the nastiest botnets on the Internet does, researchers said on Thursday after finding links between the two worms.

A week after failing to do anything but snore, the much hyped Conficker worm was roused from its slumber on Wednesday, with infected computers transmitting updates via peer-to-peer and dropping a mystery payload onto PCs. Researchers suspect that the payload program may be a keystroke logger, a spam generator, or both.

Conficker now also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com, and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down some functionality on May 3.

In addition, Conficker reaches out to a domain that is known to be infected by a worm called Waledac and downloads an encrypted file. Researchers are analyzing that code and the program that is dropped directly onto infected machines by other infected machines to find out exactly what is in it. And they suspect that Conficker and Waledac are coming from the same people.

"I'm pretty certain the same people are behind both of them," said Paul Ferguson, an advanced threats researcher for Trend Micro. "Conficker has got their (Waledac creators') fingerprints all over it."

Computers infected with Waledac comprise what Ferguson called the "most pernicious spamming botnet on the Internet." Waledac spreads via a malicious Web link or an e-mail, typically a fake Christmas greeting or Valentine's Day message, or with a subject line related to the inauguration of President Obama. It generates spam and steals data, like passwords, from infected computers.

Ferguson said he believes Eastern Europeans are behind the Waledac worm. He suspects they created the Storm botnet to try different payloads and business models and that Waledac resulted from that. Ferguson speculates that they may be putting their lessons learned from earlier efforts into practice with Conficker.

"There is empirical evidence that these guys are a for-hire, for-profit criminal operation on the Internet and that Conficker is nothing more than part of that organization's best efforts to monetize their efforts on the Internet," Ferguson said.

Vincent Weafer, vice president of Symantec Security Response, confirmed the Waledac connection with Conficker, but wouldn't speculate on who exactly might be spreading the worms. The fact that Conficker now downloads a Waledac file "reconfirms our belief that ultimately this is a large botnet designed to make money," he said. "It's the first example of how these guys are trying to leverage this botnet for profit."

As for the May 3 expiration date in the latest Conficker code, Weafer said it appears to be trying to shut down code related to the first variant of Conficker, Conficker.A, which generated more noise on the Internet than later versions did.

Symantec researchers are calling the latest Conficker code that is circulating a new variant of the worm and have dubbed it Downadup.E, with Downadup being another name for Conficker.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.

To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.

People are being urged to be careful in their quest for Conficker removal tools. Marshal8e6 has found spam that takes advantage of the hype over the Conficker worm to scare people into installing fake antivirus software. The e-mail messages claim to be from Microsoft security departments and provide a link to a Web page that does a fake computer scan and prompts the visitor to buy antivirus software that typically does nothing but install malware on the computer.

Also, using search engines to try to find Conficker removal tools is maybe not the best idea. Trend Micro has found that Google searches using terms related to Conficker bring up results that include links to malware. They recommend going directly to the site of a trusted security vendor to get software instead of doing general searches.

Meanwhile, Conficker also has inspired a copycat worm. Neeris, an IRC bot that spreads itself by sending links through MSN Messenger, has been active for a few years, but a new variant has emerged that borrows some behavior from Conficker, such as exploiting the same hole in Windows that Conficker does and spreading via removable storage devices, Microsoft said.

April 8, 2009 3:27 PM PDT

Conficker wakes up, updates via P2P, drops payload

by Elinor Mills

This story has been updated. See below for details.

The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once, there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

Last night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites. To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn.

For more information, listen to Larry Magid's audio interview with Perry.

Updated 7:50 p.m. PDT: Added that the software that's dropped onto computers is hiding behind a rootkit.

September 11, 2008 12:30 PM PDT

Trend Micro releases 2009 Internet security suites

by Robert Vamosi

On Thursday, Trend Micro released its Internet Security 2009 and Internet Security Pro 2009 products for consumers, touting enhanced performance, features, and better end-user education.

New features within Trend Micro Internet Security 2009 include a security activity dashboard, designed to show users where threats are coming from (Web sites vs. e-mail) and which threats have affected them most (Web vs. traditional virus). The suite also includes utilities to clean up disk space, registry files, start-up programs, and browser cache. And, like McAfee, Trend Micro provides consumer access to its new "in the cloud" malware signature database. Trend Micro says it can remediate against an unknown malware sample within 15 minutes, as opposed to the older method of pushing database updates every hour or so.

Trend Micro Internet Security Pro 2009 includes all the basic features within the Internet security suite plus more wireless networking protection for mobile and laptop users.

Trend Micro continues to provide free phone, e-mail, and online chat support. This year, Symantec is also offering free tech support with its Norton products.

A full CNET Review is in the works.
