Blended Threats
Combined attacks
Blended threats dominate the threat landscape,
making it important for businesses and consumers to have
multi-featured, multi-layered protection for their computer systems,
writes Nivedan Prakash
"Blended threats [combine] attack vectors; attacks are not just high in magnitude but will flash around the world in seconds as well"
- Bhaskar Bakthavatsalu, Country Manager, Check Point Software Technologies-India and SAARC
"Blended threats can lead to non-compliance, thanks to which an organization may fail in crucial audits and lose credibility in the market"
- Akshay Garkel, Senior Consultant-Professional Services, Datacraft Asia
"Our UTM solution provides real-time network protection against sophisticated application-layer and content-based attacks"
- Shubhomoy Biswas, Country Manager-India, SonicWALL
As technology grows more powerful and complex, so
do the threats that endanger advanced technology systems. Today’s
organizations face increasing numbers of sophisticated threats that
replicate more rapidly than ever before. Hackers commonly issue
‘blended’ threats, which are multi-pronged attacks designed to
inflict maximum network damage.
A blended threat is a computer network attack that
seeks to maximize the severity of damage and speed of contagion by
combining various attack methods, for example using characteristics
of both viruses and worms, while also taking advantage of
vulnerabilities in computers, networks, or other physical systems.
An attack using a blended approach might send a virus via an e-mail attachment, along with a Trojan horse embedded in an HTML file that will cause damage to the recipient computer. The Nimda, CodeRed, Mydoom and Bugbear exploits were all examples of blended threats. Such attacks usually try to infect networks with the techniques of a mass e-mail virus while also probing for unpatched software vulnerabilities through which to attack an operating system or application.
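The defining property above, several attack vectors combined in one campaign, is also what makes a blended threat visible to a defender: no single sensor sees the whole thing, but correlating per source host does. The following is an added example, not code from the article or from any vendor quoted in it. It takes constructed log lines from three hypothetical sensors (a mail gateway, a firewall and an IDS; the format, addresses, signature names and thresholds are all assumptions made for the example), labels each event with a vector, and flags hosts that show two or more distinct vectors within a ten-minute window.

```python
"""Correlating several attack vectors from one source host (added example).

A blended threat, as the text describes it, mixes mass-mailing, scanning
for vulnerable neighbours and exploit delivery.  Each sensor sees one of
these at a time; a host that shows two or more distinct vectors in a short
window is what a blended infection looks like from the defender's side.
The log format, hosts, addresses and signature names are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <sensor> src=<ip> <detail>".
SAMPLE_LOG = """\
2008-06-02T09:00:01 mailgw src=10.1.5.23 outbound_smtp count=420 window=60s
2008-06-02T09:00:14 firewall src=10.1.5.23 scan dport=445 hosts=212
2008-06-02T09:00:40 ids src=10.1.5.23 sig="SMB RPC exploit attempt" dport=445
2008-06-02T09:01:05 mailgw src=10.1.7.9 outbound_smtp count=35 window=60s
2008-06-02T09:02:11 firewall src=10.1.9.40 scan dport=22 hosts=60
2008-06-02T09:30:30 ids src=10.1.9.40 sig="HTTP suspicious download" dport=80
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\w+) src=(?P<src>[\d.]+) (?P<detail>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one event line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    detail = m.group("detail")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(detail)}
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "sensor": m.group("sensor"),
        "src": m.group("src"),
        "kind": detail.split()[0],   # first token, e.g. "outbound_smtp" or "scan"
        "fields": fields,
    }


def classify(event):
    """Map an event to an attack-vector label, or None if it looks benign.
    Thresholds are illustrative, not tuned values from any product."""
    sensor, kind, f = event["sensor"], event["kind"], event["fields"]
    if sensor == "mailgw" and kind == "outbound_smtp" and int(f.get("count", 0)) >= 100:
        return "mass-mail"          # mass-mailing worm behaviour
    if sensor == "firewall" and kind == "scan" and int(f.get("hosts", 0)) >= 50:
        return "scan"               # hunting for vulnerable neighbours
    if sensor == "ids":
        sig = f.get("sig", "").lower()
        if "exploit" in sig:
            return "exploit"        # delivering an exploit for a known hole
        if "download" in sig:
            return "download"       # fetching a second-stage payload
    return None


def find_blended_hosts(log_text, window_minutes=10, min_vectors=2):
    """Return {src: sorted vector labels} for hosts that show at least
    `min_vectors` distinct vectors within `window_minutes` of each other."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        label = classify(event)
        if label:
            by_host[event["src"]].append((event["ts"], label))
    flagged = {}
    for src, events in by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct vectors seen from t0 up to t0 + window
            seen = {label for ts, label in events[i:] if ts - t0 <= window}
            if len(seen) >= min_vectors:
                flagged[src] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for src, vectors in find_blended_hosts(SAMPLE_LOG).items():
        print(f"{src}: blended activity, vectors = {', '.join(vectors)}")
```

In the sample, 10.1.5.23 is flagged (mass-mailing, scanning and an exploit attempt inside one minute) while 10.1.9.40 is not: its scan and its download are 28 minutes apart, which the time window deliberately treats as unrelated unless the window is widened.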
Bhaskar Bakthavatsalu, Country Manager, Check
Point Software Technologies-India and SAARC, pointed out, “These are
new generation threats, which thrive on speed/propagation capacity
of the recent attack types and carry out the damage in respective
systems as high as past attacks. Perhaps from a perspective of an
attacker they combine the best of two worlds into a blended attack.
These blended threats serve the required blending of the attacks
vectors where the attacks are not just high in magnitude but will
flash in seconds around the world as well.”
Trojans and bots make use of blended threats on quite a large scale to infect and control systems. They use blended techniques to scan for vulnerabilities in an enterprise network and enter via e-mail attachments, shared file folders, wireless devices, Web pages, laptops, telnet and other entry points. Lately, both Trojans and bots have been enticing users with fictional events, love-themed messages and real-life events so that users click on the link, giving the attacker control of their computer.
Some Trojans send sensitive information such as user names, passwords and account numbers back from the infected machines, while botnets allow attackers to take control of a machine and launch multiple attacks without being caught. For example, the malware attack of June/July 2004 known as JS/Scob-A (also called Download.Ject or Toofer) ushered in a new kind of threat, using the Web itself as the method for transporting the malicious code. Websites were hacked into, and unsuspecting users who simply visited one of the infected sites were attacked. The attack capitalized on vulnerabilities in both Microsoft Internet Explorer and specific Web servers.
While blended threats have existed for more than
ten years, their reappearance today is of greater concern. Today,
Internet usage is mainstream and being utilized in many aspects of
business. Blended threats can spread faster and farther than classic
virus threats, and unfortunately, effective solutions are still only
on the horizon. Blended threats are dangerous and can hence lead to
data loss in an organization.
Current trends
Blended threats remained one of the most significant security issues companies faced in FY 2007-08. Even as classic blended threats diminish, other types of malware (rootkits, downloaders and other botnet-controlled threats) have taken over as the predominant threat on the Internet. Attacks increasingly leverage worms to carry exploits of known vulnerabilities as a means of creating exposures or security holes on a large number of systems. The majority of all documented attacks are highly severe.
Commenting on the current trends in the blended
threats space, Digvijaysinh Chudasama, Vice-president, Sales,
Cyberoam India, said, “Virus writers are increasingly leveraging
instant message and P2P networks as a means of spreading blended
codes resulting in rise of more sophisticated and faster spreading
worms, and the increased use by virus writers of new vectors for
infection (such as P2P networks and IM applications).”
Adding to it, Samuel Sathyajith, Country Manager,
India and SAARC, Arbor Networks, said, “Blended threats currently
dominate the malware space, accounting for over 90% of all of the
malcode we see. Blended threats—samples or families that combine
functionality like found in backdoors, viruses, worms, infostealers,
Trojan Horse programs—now account for nearly every threat out there.
The ‘classics’—the basic worm or file infector virus, are a rarity.”
The attacks conducted are quite diverse in nature. The market space is fairly large and growing, and the solution points range right from the perimeter to the end-point in the network. New and complex blended threats by hackers continue to wreak havoc on today’s connected corporations. Advanced attacks that combine various technologies readily available over the Internet to perform specialized attacks, undetectable by most of the security measures placed on the target system, are growing day by day.
Technologies like server-side polymorphism, commercial complex packers, rootkit technologies and auto-updates are making these new attacks more threatening. Since there is commercial interest involved, the hackers can take extreme steps to make sure their ideas work and give results.
“The Storm worm is a good example of a blended threat and it is still going around today. The size of it is smaller as compared to one year ago but they are not giving up and we are not giving up either. We are seeing an increase in volume of these blended threats coming in different variants so in terms of size, it is still in a sizable form out on the Internet. This is one of the challenges that ISPs face today because their users could be part of a botnet and taking up a considerable amount of their bandwidth if nothing is done about it,” added Venu Palakirti, Sales Director-India and SAARC, F-Secure.
Prabhat Kumar Singh, Director, Symantec Response Lab, explained, “The Internet Security Threat Report XIII states that theft or loss of a computer or other device made up 57% of all data breaches during the last half of 2007 and accounted for 46% of all reported breaches in the previous reporting period. Data loss is a key worry in organizations, and blended threats prove to be dangerous. Simple e-mail worms are now considered the last generation threat. Today and the near future will be composed of blended threats and their damage is yet to be seen.”
Denial-of-Service (DoS) attacks against a target, or delivering a Trojan horse to be activated at some later date, were a big factor in 2007. DoS continues to be a popular attack vector because it can be used to silence a site or extort money from its owners. Delayed activation also appears to be somewhat popular: Trojan horse programs that can be activated at a later date definitely posed attacks at a higher level, and some of the fake Trojans were a classic example of this type.
A DoS attack can unusually slow network performance (opening files or accessing websites), make a particular Web site unavailable, prevent access to any Web site, or dramatically increase the number of spam e-mails received. In a DoS attack, herds of zombie computers target a particular computer to generate network traffic that blocks access to that site. These attacks can cost the target user or company a great deal of time and money.
A DoS attack is also capable of destroying files
in the affected computer systems. There are instances wherein DoS
attacks have forced well-known Web sites that are accessed by
millions of people to temporarily close down their operations.
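From the targeted server's side, the herd of zombie computers described above shows up as a burst of requests spread across many source addresses, which is also what distinguishes it from one misbehaving client. The following is an added example, not code from the article or any vendor it quotes: it generates constructed Web server access-log lines (addresses from the reserved documentation ranges 192.0.2.0/24 and 198.51.100.0/24, thresholds chosen for illustration), buckets them into ten-second windows, and reports windows whose request count is abnormal, labelling each as distributed or single-source.

```python
"""Spotting a distributed flood in Web server access logs (added example).

The log lines, addresses and thresholds below are constructed; the parser
handles the Apache/NCSA common log format a real server would write."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')


def format_clf(ip, ts, path):
    """Render one constructed common-log-format line."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'


def make_sample_log():
    """Constructed traffic: a quiet baseline, a 40-source flood, then one
    aggressive client.  Seconds 0-19 baseline, 20-29 flood, 40-49 single."""
    base = datetime(2008, 6, 2, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(20):                       # baseline: 3 clients, 1 req/s each
        for i in range(3):
            lines.append(format_clf(f"192.0.2.{i + 1}", base + timedelta(seconds=sec), "/index.html"))
    for bot in range(40):                       # flood: 40 bots, 5 requests each
        for r in range(5):
            lines.append(format_clf(f"198.51.100.{bot + 1}", base + timedelta(seconds=20 + 2 * r), "/login"))
    for r in range(60):                         # one client, 60 requests in 10 s
        lines.append(format_clf("198.51.100.250", base + timedelta(seconds=40 + r % 10), "/search"))
    return lines


def parse_clf(line):
    """Return (ip, aware datetime) for a common-log line, or None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def detect_floods(lines, window_seconds=10, rate_threshold=50, min_sources=20):
    """Bucket requests into fixed windows and report windows whose request
    count reaches the threshold.  A window fed by at least `min_sources`
    distinct addresses is labelled 'distributed'; otherwise 'single-source',
    which usually points at one abusive client rather than a botnet."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds
        counts[bucket] += 1
        sources[bucket].add(ip)
    alerts = []
    for bucket in sorted(counts):
        if counts[bucket] >= rate_threshold:
            n_sources = len(sources[bucket])
            alerts.append({
                "start": datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc),
                "requests": counts[bucket],
                "sources": n_sources,
                "kind": "distributed" if n_sources >= min_sources else "single-source",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_floods(make_sample_log()):
        print(f'{a["start"]:%H:%M:%S} {a["kind"]:14} requests={a["requests"]} sources={a["sources"]}')
```

The baseline windows (30 requests from 3 clients) stay quiet; the flood window reports 200 requests from 40 sources as distributed, and the later burst of 60 requests from one address is reported separately as single-source, which is usually a rate-limiting problem rather than a botnet. Fixed buckets are the simplest form of this check; a production detector would also compare against a rolling baseline for the site.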
Sanjay Katkar, CTO and Technical Director, Quick
Heal Technologies, added, “DDoS is still the major concern as a
security threat as it is still difficult to stop a DDoS once it is
triggered by a botnet that has a large number of PCs under its
control. Apart from this the new trend that is being observed is a
flood of malware, Trojans and bots that employ newer rootkit
techniques to hide themselves from the regular anti-virus scanner.”
- Bank Trojans, for gaining access to financial information. These are typically money-motivated attacks.
- Money extortion through Denial-of-Service attacks on e-commerce sites.
- MMS attacks that cause hand-phone accounts to be charged.
- Internal threats from employees and trading partners. In fact, most security breaches emanate from internal business networks.
- Reduced boundaries, with more collaboration between suppliers, vendors and the organization, lead to complexity and sophistication, and bring in potential threats and high-risk vulnerabilities.
- Internet-facing Web servers carry a huge risk of attackers entering the organization through these sites, so securing them becomes important.
- Growing use of personal applications such as Web-based e-mail, instant messaging and peer-to-peer applications provides multiple points of entry for viruses, worms and other attacks, and a readily accessible means of disseminating proprietary and confidential information.
- Phishing and pharming attacks are growing in number.
- The incidence of spyware/adware is on the rise.
- Unsolicited e-mail accounts for more than half of e-mail traffic, costing businesses billions per year. Instant-messaging spam (spim) is also on a major rise.
Impact on business
Blended threats can be lethal. They scan for vulnerabilities in an enterprise network and enter via e-mail attachments, shared file folders, wireless devices, Web pages, laptops, telnet and other entry points. They have a self-replicating or cloning mechanism through which they spread very fast across the network, exploiting vulnerabilities in the organization to do so.
By utilizing multiple methods of attack and self-propagation, blended threats can spread rapidly and cause widespread damage. In addition to short-term financial losses, these disruptions can seriously damage an organization’s brand and goodwill with the customer. Network security breaches can trigger expensive legal consequences as well.
“Downtime and disruption are likely scenarios for
any business affected by malcode. Information loss due to
exfiltration (sensitive data leaving the organization) is one of the
most possible and severe risks of such an infestation,” said
Sathyajith.
Akshay Garkel, Senior Consultant, Professional
Services, Datacraft Asia, added, “Blended threats can lead to both
short-term and long-term financial loss for an organization, damage
its brand and client goodwill, and can lead to non-compliance which
can even require the organization to fail in crucial audits and lose
market credibility. Besides, network security breaches can trigger
expensive legal consequences.”
For example, just 24 hours after its introduction on September 18, 2001, the Nimda computer worm had infected more than 2.2 million computers worldwide. Many blended threats other than Nimda are attacking computers today.
As mentioned earlier, blended threats can lead to data loss in an organization. According to a study by Symantec, 52% of CISOs believe data leakage to be a top driver of their security spending. This shows how important data loss is to CISOs and how important it is to fight blended threats. Data loss through blended threats can lead to immense financial loss and also reduce employee productivity.
Blended threats can cause huge damage to any organization, just as an undetectable virus would once inside the corporate network. It all depends on the intent of the attacker who authored the malware or blended threat: it can cause identity theft, loss of sensitive information, network downtime, spying on internal data and information, and many such activities, depending on the attacker’s understanding of the organization and his aim in entering the network.
Solution-sets are available
An organization can have a combination of security must-haves, like network protection with client security enforced. This should make sure that all the nodes on the network have the necessary security components such as anti-virus, anti-spyware and firewalls. Along with this, there should be a good appliance at the gateway for scanning HTTP, FTP and e-mail data as it enters the organization.
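The gateway scanning just mentioned is where the e-mail side of a blended threat (the executable attachment and the Trojan embedded in an HTML part described earlier) is cheapest to stop. The following is an added example, not code from the article or from any product it names: a policy check of the kind a mail gateway applies before signature scanning. It builds a constructed multipart message (addresses, file name and payload bytes are all made up for the example; the blocked-extension list is illustrative), then parses it with Python's standard `email` package and reports a blocked attachment type, a double extension, an executable whose declared content type lies about it, and active content in the HTML body.

```python
"""Gateway policy checks on an inbound e-mail (added example).

Looks for the two delivery tricks the article describes, an executable
attachment and active content in an HTML body, plus a mismatch between the
declared content type and what the bytes actually are.  The message is
constructed; a real gateway adds signature and heuristic scanning."""
import base64
import re
from email import policy
from email.parser import BytesParser

# Extensions a gateway typically refuses outright (illustrative list).
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
ACTIVE_TAG_RE = re.compile(r"<\s*(script|iframe|object|embed)\b", re.I)


def build_sample_message():
    """Constructed multipart message: plain + HTML body with a <script>
    tag, and a Windows executable disguised as 'invoice.pdf.exe'."""
    fake_exe = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
    return (
        "From: sender@example.test\r\n"
        "To: user@example.test\r\n"
        "Subject: Invoice\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="outer"\r\n'
        "\r\n"
        "--outer\r\n"
        'Content-Type: multipart/alternative; boundary="inner"\r\n'
        "\r\n"
        "--inner\r\n"
        'Content-Type: text/plain; charset="utf-8"\r\n'
        "\r\n"
        "Please see the attached invoice.\r\n"
        "--inner\r\n"
        'Content-Type: text/html; charset="utf-8"\r\n'
        "\r\n"
        "<html><body>Invoice<script>/* constructed */</script></body></html>\r\n"
        "--inner--\r\n"
        "--outer\r\n"
        'Content-Type: application/pdf; name="invoice.pdf.exe"\r\n'
        'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{fake_exe}\r\n"
        "--outer--\r\n"
    ).encode()


def build_clean_message():
    """Constructed plain-text message with nothing to flag."""
    return (
        "From: sender@example.test\r\nTo: user@example.test\r\n"
        'Subject: Hello\r\nContent-Type: text/plain; charset="utf-8"\r\n\r\n'
        "Just a note.\r\n"
    ).encode()


def inspect_message(raw):
    """Return a list of policy findings for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename:
            pieces = filename.lower().split(".")
            ext = pieces[-1] if len(pieces) > 1 else ""
            if ext in BLOCKED_EXT:
                findings.append(f"blocked attachment type: {filename}")
            if len(pieces) > 2:
                findings.append(f"double extension: {filename}")
        if payload.startswith(b"MZ"):
            # PE/DOS header: the bytes are a Windows executable whatever the
            # Content-Type header claims.
            findings.append(f"executable payload declared as {ctype}")
        if ctype == "text/html":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            for tag in sorted({m.group(1).lower() for m in ACTIVE_TAG_RE.finditer(text)}):
                findings.append(f"active content in HTML body: <{tag}>")
    return findings


def verdict(findings):
    """Gateway decision: anything flagged is held for review."""
    return "quarantine" if findings else "deliver"


if __name__ == "__main__":
    found = inspect_message(build_sample_message())
    for f in found:
        print("finding:", f)
    print("verdict:", verdict(found))
```

The content-type check matters more than the extension check: renaming the file defeats the extension list, but the `MZ` header still gives the executable away, which is why gateways inspect the decoded bytes rather than trusting the MIME headers.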
Today, to guard against blended threats, experts urge network administrators to be vigilant about patch management, use and maintain good firewall products, employ server software to detect malware, and educate users about proper e-mail handling and online behavior. Deploying patches through a network admission control system is an emerging trend; it lets the administrator patch systems proactively and keep the threats caused by non-patching at bay. Besides all the above, organizations need an integrated Web, messaging and data security approach to make themselves safer and more efficient.
Organizations need to implement a multi-layered Internet security protocol that provides protection at all entry points, including the Internet gateway, messaging gateway, endpoint clients, endpoint servers and the network. Implementation of policies, procedures, standards and guidelines plays an important part too, and most notably they have to be endorsed and supported by the senior management of any organization.
Ajit Pathak, Country Manager, Sales Operations,
SecureSynergy, pointed out, “Implement a multi-layered Internet
security protocol that provides protection at all entry points,
including the Internet gateway, messaging gateway, endpoint clients,
endpoint servers, and the network. As attacks on enterprise systems
grow more sophisticated and diverse, companies need to rethink their
defense strategies.”
Blended threats require a holistic security approach of gateway devices, scanning proxies (for Web and chat services), and updated desktop protections to prevent them from gaining hold and infecting a system. Even if one of the stages fails, other stages can be used to prevent the malcode from coming in or using the network. A combination that has worked for many sites includes desktop AV solutions, gateway AV solutions for e-mail, and possibly IDS rule sets to scan network traffic. NAC solutions are increasingly useful for ensuring that hosts that use the network are secure, clean by AV standards, and only accessing non-malicious network endpoints.
A Unified Threat Management approach that provides
broad network protection by combining multiple security
features—firewall, anti-virus, intrusion prevention system, and
content control and filtering—on a single hardware platform like
Cyberoam is the only viable solution that can provide comprehensive
protection with its tightly integrated multiple security features
working together on a single appliance.
Shubhomoy Biswas, Country Manager, India,
SonicWALL, added, “The SonicWALL UTM solution provides the most
intelligent, real-time network protection against sophisticated
application-layer and content-based attacks and is capable of
monitoring a wide variety of network communications, such as e-mail,
instant messenger or Web access, on stopping blended threats.”
Host-based protection would be what most
organizations are investing in today because that is probably one of
the weakest points. The kind of approach that organizations should
take is the layered approach or what we call a defense-in-depth
strategy.
“Blended threats can be effectively dealt with by
using MicroWorld’s eScan and MailScan, which are powered by the
revolutionary MWL and NILP technologies, that provide real-time
protection and prohibits malicious content from entering your
network. However, with each new technology comes a new means of
attack and potential vulnerabilities,” said Govind Rammurthy, CEO
and MD, MicroWorld.
Future trends
Nowadays, viruses or other malicious programs are released within a few days of any vulnerability being discovered; the gap has shrunk to as little as one day. Hence the patching window, within which the malicious program exploits the system vulnerability and spreads rapidly, keeps getting smaller. One thing is certain: blended threats are bound to continue, as there is simply too much to gain by having flexible malware and threats.
Commenting on the future trends, Surendra Singh, Regional Director, India and SAARC, Websense, said, “Web 2.0 will make detection of blended threats more difficult. Web 2.0 sites host transitory malware and spiked user-contributed content. There is no “click to accept” button to alert users. Corrupt links, malicious widgets, and embedded scripts introduce malware within content and within pages. Users visiting benign sites can be redirected to sites that scan the user’s computer for sensitive data, passwords, and vulnerabilities.”
Unlike more purely mischievous forms of malware like viruses, the spyware that blended threats carry is created and proliferated for specific purposes such as identity theft, financial fraud, theft of intellectual property, and creating network security holes to be exploited in future attacks.
Ambarish Deshpande, Regional Director-India and SAARC, IronPort Systems, added, “More volume, more variants, more dangerous, more at stake. You need to come up with a new name for these threats, people don’t realize just how much risk they are in, because the Nimdas and Code Reds of yesteryear, have morphed into something much more malevolent, but, because they are now stealthy, no one thinks there is a problem, inventing a new name will bring greater visibility to the problem.”
Blended threats have reached an inflection point; in the future they will spread orders of magnitude faster than our ability to respond. They will be more sophisticated and will target mass victimization. Blended threats will exploit unpatched or unknown vulnerabilities and focus on targeting services like DNS, HTTP and SQL.
Sanjay Katkar commented, “Hackers who have established commercial interest and are earning out of their creations by performing electronic frauds by identity theft and other on-line crimes have clearly understood the importance of creating virtually un-detectable malware to achieve their goals. Since they are involved commercially, they are willing to spend on getting the best malicious technology available online. These malicious program writers make sure that their creations are undetectable by verifying their creations with all the available security software before releasing/selling it over the Internet. This trend is picking up so fast that we are now seeing and will be seeing more sophisticated attacks that will be difficult to prevent using conventional methods that are followed today.”
The future of blended threats will move into a new threat panorama, termed a “Warhol” or “Flash” threat by Symantec. Also, zero-day attacks are on the rise, and it is important for the solution to provide this kind of protection. This is where proactive blocking will be the answer to managing such threats; human intervention and automated blocking may not be useful in this case.
nivedan.prakash@expressindia.com