Malware on computer networks reached its highest levels in the first six months of 2010, making this the most active half-year ever for malware production, according to a recent report from McAfee [MFE].
“What we are seeing in the second quarter [is that] malware continues to increase at an exponential scale,” Dmitri Alperovitch, vice president of threat research for McAfee, tells our sister publication Defense Daily. “What is really remarkable, [it] reached an all-time high where we’ve tested over six million malicious files just in the last quarter.”
What this means is that cyber attackers are using what is known as “polymorphic obfuscation,” where they generate new samples at a very rapid pace through automated means, but all based on the same code family, Alperovitch says.
“But each sample is highly obfuscated and encrypted in many cases and looks very different,” he says.
“Basically it is similar to using camouflage and stealth,” Tom Conway, director of Federal Business Development for McAfee, says in the same interview.
Along with the increased volume of malware McAfee is seeing, Alperovitch says the network security firm is also seeing more targeted cyber espionage attacks against both U.S. government and private sector systems.
That’s exactly what McAfee saw last year in what is called the Operation Aurora attack. About two dozen high tech companies and defense contractors were targeted over the course of 2009, Alperovitch says.
“From a national security perspective, the real interest from the government side was the supply chain threat to the U.S. government networks,” he says. “Because here you had all the major government contractors, from an IT perspective, compromised in a very severe way and IP (intellectual property) being the primary focus of the attacks, essentially source code.”
That source code is the crown jewel of those companies, Alperovitch says. “What we don’t know to [this day is] if back doors have been inserted into those code bases, potentially allowing those hackers a back door to get into highly secure networks. We know attackers stole source code from companies and may have even modified it, which gives them an opportunity to find new vulnerabilities in that source code and introduce back doors.”
While threats are growing in sophistication, Alperovitch notes there are varying degrees of complexity because of the variety of groups behind cyber attacks as well as their motivation and targets.
Diverse Threat
“It’s important to understand we are not dealing with a monolithic entity,” Alperovitch says. “We are dealing with a number of different groups in the cyber criminal area. We are still seeing quite a few very unsophisticated threats where someone finds a piece of malware or a tool kit on the Internet and decides to become his own cyber criminal operation.”
These types of attacks are usually easy to spot, he says.
Then there are some very sophisticated organized crime groups that have been around for decades.
For example, Alperovitch points to Russian groups that have massive botnets at their disposal, millions and tens of millions of compromised machines around the world that they can utilize for launching attacks, shutting down web sites and shutting down networks.
“And then we have nation-state operations, primarily going after cyber espionage and targeting government networks, and as we have seen, private sector networks [as a way to get into government networks],” he says.
To protect themselves, companies will need to have defense in depth to mitigate damage, Conway says. And information on attacks will need to be provided up to the new U.S. Cyber Command so that the same mitigation efforts can be applied across the services, because of the expectation that that attack is coming at them next, he adds.
“Beyond that, they realize you can’t have big walls,” Conway says. “Walls don’t work. You can’t win a war without good intelligence, so you really need to be looking outside beyond your own walls to see what may be coming over the horizon so you can be better prepared.”
McAfee is at the forefront of an effort called Global Threat Intelligence to look over the horizon.
“We are collecting data from all over the world, from consumers up to enterprise customers,” Conway says. “It’s really an early warning system for the .mil networks because things that are happening overseas against other sectors are going to have a great similarity to what is going to be hitting [the .mil] at some point in time. If we can understand what is going on, build mitigations and then provide early warning back to the .mils, it will help them raise their defense posture.”
Earlier this month at the annual Army LandWarNet conference, Gen. Keith Alexander, commander of USCYBERCOM and director of the National Security Agency, told attendees that situational awareness on the Internet is not his only requirement but is the number one pressing requirement, both within the .mil networks and as a broader situational awareness in cyber, Conway says.
“I think the military is ahead of the private sector in recognizing that,” Alperovitch adds. “But the need is universal. And situational awareness doesn’t just mean awareness about the threats, but also awareness of your assets, how they are deployed, the vulnerability of those assets and what they are being used for.”
Since publication of its report, McAfee has seen a new threat on the horizon.
“A few weeks ago as we were finishing up this report, we saw a very interesting threat to SCADA (supervisory control and data acquisition) systems–essentially systems used for controlling operations in electric power plants, water treatment plants–one of the most sophisticated threats we have ever seen,” Alperovitch says.
The threat used a previously undiscovered vulnerability in Microsoft’s [MSFT] Windows that worked on all Windows platforms, he says. “It took Microsoft some time to figure out how to even patch this vulnerability.”
The threat was discovered initially targeting systems in Iran, and was found by an outfit in Belarus that worked with Iran, Alperovitch says.
“It was the first time we saw a sophisticated attack on SCADA systems and critical infrastructure,” he says. “It probably indicates government involvement behind this.”