As the recent Conficker malware outbreak clearly demonstrated with an estimated
10 million systems infected, cyber exploits are still wreaking havoc despite
better security practices and near ubiquitous antivirus. The recent U.S. Cybersecurity
Policy Review found industry estimates of domestic losses from intellectual
property to data theft in 2008 ranging as high as $1 trillion.
With all this money involved, cyber criminals clearly have the resources and
motivation to develop sophisticated malware to break into private networks.
And cyber criminals have a whole arsenal of tactics to use.
They can capitalize on newly discovered OS and application vulnerabilities,
use security bypass toolkits, and exploit Web 2.0 applications such as social
networking where user-generated content (like malware) can be uploaded. Social
engineering attacks via email are still common, but require user interaction
to activate a malware binary or malicious URL.
Today's stealthy "drive-by" tactics require no such interaction by
browser and plug-in vulnerabilities to install "dropper" malware.
For example, the July 6, 2009 Microsoft Security Advisory (972890) confirmed
a new vulnerability in the Microsoft Video ActiveX Control.
An attacker who successfully exploited this vulnerability could gain the same
user rights as the local user. When using Internet Explorer, code execution
is remote and may not require any user intervention. At the time Microsoft indicated
the company was aware of attacks attempting to exploit the vulnerability.
The aggressive use of Web exploits and non-Web callback channels represent
the primary mechanism for today's cyber criminals to open up covert channels
for data theft. So, the initial infection and installation of the so-called
dropper malware may occur via the Web, but is simply the first step.
Further malware payloads are downloaded by the dropper malware utilizing various
protocols. Typical security procedures allow outbound communications originating
from within the network to exit the organization. Subsequent, related inbound
replies are also allowed (e.g. stateful inspection firewalls operate on this