In its inaugural report on the overall state of internet security, Cisco is predicting bigger attacks in 2008 from the Storm botnet, which now includes millions of computers infected and linked by the continually evolving and highly adaptable Storm worm trojan.
According to the report, a primary goal of the Storm worm's creators as they continue to add infected systems to the botnet is to rent it out, or sell it in portions, to cybercriminals for use in launching spam or DoS attacks.
“The bottom line is that the botnet is huge (potentially tens of millions of systems), the attack's authors are highly skilled at adapting to evade detection and prevention, and Storm continues to be successful. [We] expect to see even bigger attacks orchestrated from this botnet in the coming year,” the Cisco report stated.
Meanwhile, according to the SANS Internet Storm Center, Storm-infected machines have sent out Christmas- and New Year's-themed messages during the past two weeks designed to expose victims to malware containing variations of the Storm trojan. On Monday, holiday messages enticed recipients to visit a bogus X-rated site called "Merrychristmasdude.com" which offered free downloads of pictures. These were followed by emails containing New Year's greetings that directed recipients to visit "uhave post card.com" and urged them to download a malware-infected file, "happy2008.exe."
The Storm trojan has proven to be a shape-shifting chameleon, able to lay dormant for weeks or months only to return in a new format. It has been delivered to users' inboxes in everything from URLs to ZIP or MP3 attachments and digital greeting cards.
Among its general findings, the Cisco report said attackers increasingly have turned their focus in 2007 from operating systems to hundreds of different web applications, finding the languages used to create these applications fertile ground for exploitation. The report predicted attacks on applications will constitute a growing problem for several years, and that defending against application vulnerability exploits will be a primary battleground for IT security professionals.
Cisco said organizations can expect more infected systems attempting to access protected networks in 2008. The report also projected more malware may execute in system memory, rather than on hard drives; malware will target smart phones, portable media and gaming devices; and more multiplatform attacks next year.
“Attackers will be looking to generate more value from their efforts by striving to hit more systems with a single attack project,” the report stated.
According to Cisco, three malware innovations in 2007 make it clear that cyber attacks are now a highly profitable criminal industry (increasingly the domain of organized crime): the emergence of subscription-based attack services, the growing availability of exploit toolkits, and increased sales of online phishing tools.
Cisco reported that a number of websites appeared this year offering viruses, trojans and other malicious code for sale, often using a business model based on customers installing the code on other websites and receiving monthly payments based on the amount and quality of the information collected from infected machines.
Malicious code developers are creating more toolkits to install malware and making these tools publicly available for sale and modification, the report stated, citing MPACK, an exploit tool that compromised more than 10,000 websites, as the most significant example of this trend.
The widespread availability of online tools to automate phishing attacks is permitting even low-skilled attackers to launch sophisticated attacks, such as Flash animations that mimic legitimate websites, Cisco said.
The report, which assessed threat information and trends collected by Cisco between January and September 2007, said the proliferation in 2007 of spam spread within document attachments rather than images has permitted spammers to elude traditional spam filtering techniques. The most significant outbreaks this year of document-generated spam involved PDF and Excel attachments, the report said.
According to the report, the largest percentage of the total of 4,760 alerts issued by Cisco's Security IntelliShield Alert Manager Service during the January – September data collection period were for DoS, buffer overflow and arbitrary code execution threats. These were followed by privilege escalation, information disclosure and cross-site scripting threats. A 23 percent increase in buffer overflow attacks was reported, compared with data collected in 2006.
Cisco reported a sharp drop in new worms and trojans, including a 72 percent reduction in backdoor trojans during the reporting period.
The report said that while the overall urgency of reported threats (representing the level of activity of the threat) declined, the overall severity (representing the potential impact of a successfully exploited vulnerability) increased. This trend indicates that while fewer active threats emerged in 2007, those that were active could cause significantly more damage if successful, Cisco said.