Strange brew

What do the phishing email that hooked Aunt Donna or Cousin Jeff, the AOL Instant Messenger worm that appeared to offer links to Apple's popular iTunes music download service, and the W32.Mytob.IH@mm mass-mailing worm have in common? They are all predominantly consumer security problems, right? Well... yes and no.

They have had some success attacking enterprise PCs, but where these attacks really flourish is on non-corporate systems. Consumers say they have lost $929 million overall to phishing attacks last year, according to Gartner.

And this is the crux of a major problem for corporate security officers: the sheer number of consumer PCs with the potential to blow their enterprise systems' doors off, and the combination of threats used to attack.

That issue, says Lawrence Baldwin, the founder of an internet threat-assessment company, is often overlooked in discussions about email viruses, trojan horses, phishing and other malware attacks that make up the so-called blended, or mixed, threats that are so prevalent today.

Infected consumer systems are a major source of multiple attacks on corporate systems, say Baldwin and other security experts. These assaults range from mass emailings that overwhelm enterprise users' mailboxes with spam, to DDoS attacks, to outright attempts at fraud by professional criminals.

Any which way, it is the combination that is really dangerous.

The convergence of threats has also extended beyond the blending of techniques, with reports that different groups of criminals collaborate to deliver blended attacks in concert. Phishers, for instance, use trojans for so-called pharming attacks. This exploits a vulnerability in DNS server software that allows a hacker to acquire the domain name for a site and then redirect that website's traffic to another website.

Fear, uncertainty and doubt

Not to confuse the issue, but there is no shortage of conflicting numbers, opinions and FUD (that's fear, uncertainty and doubt) surrounding the entire blended threat issue. If this seems a little baffling, welcome to the club.

On the one hand, if one is a believer in the annual Computer Security Institute/FBI 2004 Computer Crime and Security Survey released in July (available at, there are indications that things aren't so bad. The annual CSI/FBI report, which covers about 700 respondents, revealed that corporate losses to attacks dropped 61 percent in 2004 to $204,000 per enterprise, down from $526,000 in 2003. That makes 2004 the fourth straight year that corporate losses to internet attacks have declined.

Mark McManus, vice-president of technology and research for Computer Economics, which deals in technology cost forecasts, agrees to a point with the CSI/FBI findings. He says his company's research shows that "the number of attacks is up significantly in 2005, but the cost impact has dropped from last year."

He says that the types of threats making the rounds in early 2005 were "nothing terribly new. Most are low- to medium-impact." That contrasts significantly with 2004, in particular the first half, during which the MyDoom, Netsky, Bagel, and Sasser viruses caused around $11 billion in damages, according to McManus. "Almost every one was a blended attack," he adds.

Of course, security solutions firms disagree with McManus's findings. They say that the pace of blended attacks has not slackened at all.

For instance, Jim Murphy, director of product marketing at SurfControl, says: "Virtually every new attack we see is a blended attack. Anyone dealing with security can no longer think about point problems or point security holes to plug."

Sharon Trachtman, product management VP at security vendor Radware, is of like mind: "We continue to see a rise in DDoS attacks as the tools required to produce them, such as Trinoo and TFN, are widely available." She believes that the CSI/FBI security survey revealed that DDoS attacks were the second-most expensive cybercrime for the past two years. But that is not the only threat she cautions against.

Threats lie without

"Beyond DDoS attacks, hackers continue to retool worms and viruses to install bots that can compromise thousands of machines and, worse, allow hackers to remotely control these machines to steal data and launch DDoS attacks," she says. "We're seeing bot attacks launched using 'old standbys' including the Code Red, Mydoom.A and Mydoom.B variants."

Selim Nart, network architect with Vignette, also sides with the vendors. He says blended threats are now "the most common thing." In one recent 24-hour period, his trio of McAfee IPSs revealed that 3,000 of the nearly 17,000 attempts to penetrate his network were blended attacks from the outside.

The most prevalent one he was seeing in July was SQL Slammer. That attack, which hits unpatched Microsoft SQL Server systems, increases traffic on the network, slowing it down even when the server is not running, he says.

What these attacks illustrate is that threats to corporate networks from the outside, where no one can control them, are a major concern. As Mynetwatchman's Baldwin puts it: "What no one's focusing on is security at the endpoints, the home users. If you look at the numbers, in terms of the size of the population, it's many orders of magnitude greater than the critical infrastructure components [such as routers, servers, etc.] – 99 percent of what's on the internet is endpoints with very little security."

And so we return to those millions of infected consumer systems. They have wound up as the source of many of the attacks against security systems, such as the firewalls and intrusion detection/prevention systems (IDS/IPS) enterprises deploy to stop malware at the perimeter, according to Baldwin.

"I think 70 to 80 percent of all spam is sent through infected home computers, probably with a pool of several hundred thousands of infected systems," he adds, explaining further that he has worked with clients whose systems were "sending out one to two gigabytes of spam a day. They first realized it when their ISP was telling them that they would terminate their account if they didn't stop."

Blended threats are nothing new – one of the first to cause significant damage was the Nimda attack in September 2001, an automated worm that hit more than 2.2 million machines in a 24-hour period, causing losses of more than $590 million.

But vendors and analysts can at least agree that the ways they are now used have mutated over the past year. While at first hackers sought notoriety, they now want to entice users into relinquishing control of their PCs for financial gain.

Selling co-opted email addresses containing zombie code for use by spammers is one practice mentioned by several industry experts, including Vincent Gullotto, vice-president of McAfee's Avert antivirus and emergency response team. Gullotto adds that some criminals also use the potential threat of a DDoS attack to blackmail organizations.

The future? A layered approach

All this points to what has become obvious: in the ever-evolving world of malware, point solutions, such as antivirus software or spam filters, no longer cut it. Hybrid worms and blended threats require a layered, multi-pronged approach, at the perimeter and the user.

Most enterprises use mixed security systems that combine antivirus, firewall, intrusion detection and vulnerability management for maximum protection against blended threats. Vignette's Nart says one of his McAfee IPS boxes scans all traffic coming in via the firm's virtual private network after it's decrypted. "We use wire-scanning tools when laptops are connected to the corporate after being used on the road," he says.

Nart is particularly concerned about employees who put corporate notebooks on shared networks at home, which then become infected by unprotected PCs. Then, when the employee dials into work, "it attacks us from inside."

And, once infected, he adds, "you not only become a victim, but a source of blended threats to others as well."
