Fake AV, Autorun Threats Still on Top

By Matthew Hines  |  Posted 2009-01-27 Print this article Print

Anti-virus software maker ESET has gone to the trouble of publishing its postmortem regarding the most ubiquitous and dangerous threats that its experts encountered during 2008.

As in other vendors' reviews, phony AV programs ruled as the leading threat method, however, ESET also highlights several other emerging trends, such as attacks that use Windows' Autorun functions to deliver their payloads that have not been as widely anticipated by researchers.

Among the usual cast of suspects, including Trojans, zero day threats and game credential-thieving programs, ESET is also predicting that the Storm Worm P2P botnet network has finally crumbled, as part of its latest Global Threat Report.

For ESET and other AV makers, the phony AV situation has become an epidemic problem of sorts, and the activity shows no real signs of slowing down, experts said. While researchers have been warning users about the attacks for over a year, the threats are successfully capitalizing on people's heightened sensitivity to IT security problems, in particular online attacks, the company said.

And, like the attacks themselves, the criminal groups behind the programs have also become increasingly sophisticated, ESET experts warned.

"Make no mistake: there are many conmen out there trying to pass themselves off as legitimate security vendors, and using any means they can to blur the distinction between what they do and what we do. For instance, it's alleged that Bakasoftware, based somewhere in Russia, is making more than $5 million a year selling fake antivirus software through an elaborate scheme that relies on e-mail spam while indirectly controlling thousands of unprotected PCs," ESET researchers wrote in the report.

"Others are claiming falsely to have industry standard certifications for their 'products,' introducing rudimentary 'real' detection into the product, slandering vendor reputations in public forums, and threatening legal action against real security vendors and others who might expose them for what they are. In many respects, this is as much an attack on the security community as it is on end users," they said.

ESET's most dangerous malware trends in 2008 were:

-Fake antivirus and antispyware products

-Exploitation of the Windows Autorun facility by most families of malware

-Malicious PDFs and other Trojan-like piggy-backing/exploitation of normally trustworthy documents

-Constant search for zero-day exploits: software development bugs that lead to overflow conditions and similar errors leaving the application or operating system vulnerable to attack, especially automated attacks.

-Exploitation of the security issues highlighted in Microsoft's MS08-067 bulletin by malware families such as Confiker and Gimmiv.

-The death of the Storm Worm botnet, or, at any rate, its virtual abandonment by the gang that maintained it. This supports our suspicion that botherders are moving away from huge botnets towards smaller networks, which may be more easily-concealed and more easily-maintained.

-Online Game password stealers: it's possible to make large profits by gaining access to victims' gaming accounts so that they can steal avatars, assets such as virtual treasure and currency, and so on, in order to re-sell them.

-Drive-by downloads and exploitation of numerous flaws in browsers and browser plugins, used to distribute malware.

-Fake codecs. Victims are often persuaded to run malware by tricking them into believing that the malware is a legitimate program that they need in order to view some form of digital content. Compare also the use of infected media files - a prominent example is GetCodec.

-Packers (Themida and others) and obfuscators continue to be widely used to evade anti-malware detection, especially by conventional signature scanning

In 2009, ESET contends that IT security products and services providers are going to need to dramatically step up their game if they hope to keep pace with the scores of new threats being delivered unto end users.

Both technical and organizational adjustments will need to be made today if the good guys are going to slow down the bad guys anytime soon, driven both by the innovation of the criminals, and the spiraling complexity of IT in general, the report suggests.

"In 2009, technological innovation is far outstripping security innovation - this will be a pivotal year for security companies to innovate and revolutionize endpoint security. With the widening gap between cybercrime and cybersecurity, 2009 will be a critical juncture in the timeline," the experts said.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel