It's hard to say that 2003 has been a good year for security, but conscientious IT staff can feel good about their odds in the battle for security. You can protect yourself. But the arms race with attackers is getting nasty, and 2004 will be harder.
There's no doubt in my mind that the biggest problem with computers these days is spam. It's a problem that everyone has to deal with, even if it's managed to the point where it's just an annoyance. Don't expect the problem to be solved; expect the spam problem and the e-mail worm problem to converge. We've begun to see this happening in phishing worms like MIMAIL that contain special, disguised worm applications. MIMAIL, Sobig and the other major worms of 2003 indicate a growing level of sophistication among the top attack writers. The other major trend that will continue to manifest in 2004, and which parallels the evolution of legitimate software development, is increased ease-of-use of attack development tools.
From the standpoint of the vermin who write these things, MIMAIL is clearly an improved, next-generation worm. Why write a worm that just attacks and spreads? Why not write one that also creates the possibility of collecting personal information to sell? From the distribution standpoint, unlike older phishing attacks that just send you to a fake company site, MIMAIL redistributes itself.
I'm impressed enough with this technique to make a prediction: If easy development tools for apps like MIMAIL can be made available, look for conventional spammers to start using them (to my knowledge, this hasn't happened yet). The application wouldn't be an explicit scam, just the usual vulgar penis-enhancing stuff, but it would have several big advantages.
First, it would self-propagate; any ad like this should search all files in the system in slow motion, so as not to raise attention, and distribute to all of them. Second, because it's a native application as opposed to a simple Web page, it would have full freedom to create even richer content to catch the reader's eye. For example, why not throw in a little DirectX game? Third, once you've installed an executable like this, you're probably able to install facilities to receive instructions from the Internet without having the user run another attachment. In fact, modern protocols like Web services would suit this very well.