Friday, April 21, 2006

Virus Writing and Hacking Communities Merge

Hi folks,

Last week's eWeek article "Return of the Web Mob" by Ryan Naraine highlighted a trend that we've been tracking for some time. I've been an antivirus guy for a long time now, and I've recently noticed something new: the virus writing and the hacking communities have begun to merge. It used to be that they were completely separate, and malicious techniques employed by one community were almost never used by the other. Now, however, the two groups are joining forces, resulting in unprecedented threats to users.

The result of this new combination of interests is a dramatic shortening of the time between the announcement of an exploit and its use in malicious code. As an example, the exploit that Nimda used in September 2001 was actually announced fully eight months earlier, in January 2001. Since then, however, the time elapsed between exploit announcement and usage in malicious code has been shrinking to the point where it is now just a few days—in some cases even less.

The term that has been coined to describe this acceleration is ominous: "zero-day." As the terms implies, by the time a zero-day exploit is announced, it has already been used maliciously. The December 2005 WMF exploits and the March 2006 CreateTextRange exploit are recent examples of zero-day attacks. Both of these were widely used by the spyware community for direct marketing of adware, fake anti spies, and rootkit installation. And both were already in the wild at the moment that they were announced; at no point were these threats only theoretical.

These recent examples show how efficient malware coders have become. All indications are that they will continue to refine their skills until zero-day exploits become commonplace. The reason is simple: Money. Malware code using unannounced exploits is worth more money than that using known exploits.

The best protection against these exploits lies in diligently installing vendor patches—once you can patch, you're pretty safe. But even the most aggressive vendor needs time to study targeted zero-day exploits, develop a patch, test it, and release it to users. Until that process is complete, often a matter of weeks, users are on their own.

To complicate matters patches are sometimes bundled and released all at once, as was the case with the recent Patch Tuesday release from Microsoft. This patch addressed 10 issues. However, as CNET pointed out in their coverage only one of these issues, an exploit for the create TextRange vulnerability, was actually in use in the wild.

New threats, emerging more quickly, must be met with innovative new strategies. That is why Exploit Prevention Labs exists. It is the challenge that drives us.

For some time we’d been tracking global bot activity through an internally developed network we dubbed WormRadar. Last year we turned WormRadar outward -- creating the XPL Intelligence Network -- and making it an active weapon in the fight against zero-day exploits. Instead of waiting passively for worms and bots to call on the distributed honeypot, we started actively probing for malicious websites. As a result, we get the industry's best view of what exploits are in use, and can detect new exploits as soon as they start being used. We can even anticipate which exploits are likely to be used, allowing us to reclaim some of the lead time that zero-day attacks have sought to eliminate.

We then create signatures and update all our SocketShield clients, and people are protected until the affected vendors release a patch.

We're not saying we're a panacea. We cannot claim to stop all malcode. But we are moving decisively to protect users when they are most vulnerable. We give users a chance to stay ahead of the next threat—the one they won't see coming.