By Geoff Fein
Malware on computer networks reached its highest levels in the first six months of 2010, making this the most active half-year ever for malware production, according to a recent industry report.
“What we are seeing in the second quarter [is that] malware continues to increase at an exponential scale,” Dmitri Alperovitch, vice president of threat research for McAfee [MFE], told Defense Daily recently.
“What is really remarkable, [it] reached an all-time high where we’ve tested over 6 million malicious files just in the last quarter,” he added.
What this means, Alperovitch said, is that cyber attackers are using what is known as “polymorphic obfuscation,” generating new samples at a very rapid pace through automated means while basing them all on the same code family. “But each sample is highly obfuscated and encrypted in many cases and looks very different.”
Basically it is similar to using camouflage and stealth, Tom Conway, director of federal business development for McAfee, said during the same interview.
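The following is an added illustration of the polymorphism described above, not code from the article or from McAfee. It uses a constructed, readable stand-in for a family's payload and a hypothetical packer stub (random XOR key, random junk padding) rather than any real family's format. It shows why an exact-hash signature catches only the one variant already catalogued, while a detector that strips the variable wrapper and matches the invariant core catches every variant.

```python
import hashlib
import random
import struct

# Constructed stand-in for one malware family's core logic. Real families carry
# machine code; a readable string keeps the example short.
FAMILY_PAYLOAD = b"connect c2.example.invalid:443 ; read %USERPROFILE%\\Documents ; post"

# Hypothetical packer stub layout, an assumption of this example and not any
# real family's format:
#   marker(4) | xor key(4) | junk length(u16 LE) | junk | body length(u32 LE) | xor-encoded body
MARKER = b"\x7fSTB"


def generate_sample(payload: bytes, rng: random.Random) -> bytes:
    """Wrap the same payload in a freshly keyed, freshly padded stub."""
    key = rng.randbytes(4)
    junk = rng.randbytes(rng.randrange(8, 256))
    body = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return (MARKER + key + struct.pack("<H", len(junk)) + junk
            + struct.pack("<I", len(body)) + body)


def unpack_sample(blob: bytes):
    """Reverse the stub; return the decoded payload, or None if the layout does not match."""
    if len(blob) < 10 or blob[:4] != MARKER:
        return None
    key = blob[4:8]
    (junk_len,) = struct.unpack_from("<H", blob, 8)
    off = 10 + junk_len
    if len(blob) < off + 4:
        return None
    (body_len,) = struct.unpack_from("<I", blob, off)
    body = blob[off + 4: off + 4 + body_len]
    if len(body) != body_len:
        return None
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(blob: bytes, known_hashes: set) -> bool:
    """Classic exact-hash signature: only catches bytes already seen."""
    return sha256(blob) in known_hashes


def family_match(blob: bytes) -> bool:
    """Family detection: strip the variable wrapper, then match the invariant core."""
    payload = unpack_sample(blob)
    return payload is not None and b"c2.example.invalid" in payload


def run(n: int = 50, seed: int = 2010) -> dict:
    """Generate n variants and compare both detection strategies against them."""
    rng = random.Random(seed)
    samples = [generate_sample(FAMILY_PAYLOAD, rng) for _ in range(n)]
    known_hashes = {sha256(samples[0])}  # the one variant the vendor has already catalogued
    return {
        "samples": n,
        "distinct_hashes": len({sha256(s) for s in samples}),
        "roundtrip_ok": all(unpack_sample(s) == FAMILY_PAYLOAD for s in samples),
        "caught_by_hash": sum(hash_match(s, known_hashes) for s in samples),
        "caught_by_family": sum(family_match(s) for s in samples),
    }


if __name__ == "__main__":
    print(run())
```

Every generated variant has a different SHA-256, so a blocklist of file hashes grows by one entry per variant and is always one step behind. The family detector works because the attacker's automation changes the wrapper, not the logic it protects; in practice the "unpack" step is emulation or a memory dump after the real stub has run, and the invariant is a behaviour, string or code fragment of the decoded payload rather than a wrapper byte pattern.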
Along with the increased volume of malware McAfee is seeing, Alperovitch said the network security firm is also seeing more targeted attacks, cyber espionage attacks against both United States government systems and the private sector.
That’s exactly what McAfee saw last year in what is called the Operation Aurora attack.
About two dozen high-tech companies and defense contractors were targeted over the course of 2009, Alperovitch noted.
“From a national security perspective, the real interest from the government side was the supply chain threat to the U.S. government networks,” he said. “Because here you had all the major government contractors, from an IT perspective, compromised in a very severe way and IP (intellectual property) being the primary focus of the attacks, essentially source code.”
That source code is the crown jewels of those companies, Alperovitch added. “What we don’t know to [this day is] if back doors have been inserted into those code bases potentially allowing those hackers a back door to get into highly secure networks.
“We know attackers stole source code from companies and may have even modified it, which gives them an opportunity to find new vulnerabilities in that source code and introduce back doors,” he said.
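The question Alperovitch leaves open, whether a stolen code base came back modified, is one a victim can only answer against a trusted baseline taken before the compromise. The following is an added example, not code from the article or from any of the companies involved: it builds a SHA-256 manifest of a source tree, derives one digest from it that can be signed and escrowed offline, and later diffs a current manifest against the baseline to list added, removed and modified files. The source tree, the file names and the hard-coded second password used as the planted backdoor are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def manifest_digest(manifest: dict) -> str:
    """One digest over the sorted manifest; this is the value to sign and escrow offline."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(rel.encode() + b"\0" + manifest[rel].encode() + b"\n")
    return h.hexdigest()


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed relative to the escrowed baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


# Constructed source file standing in for a real authentication routine.
CLEAN_LOGIN = (
    "int check_password(const char *given) {\n"
    "    return strcmp(given, stored_hash) == 0;\n"
    "}\n"
)
# Constructed backdoor: a hard-coded second password no review ever approved.
BACKDOORED_LOGIN = CLEAN_LOGIN.replace(
    "return strcmp(given, stored_hash) == 0;",
    'return strcmp(given, stored_hash) == 0 || strcmp(given, "maint-2009") == 0;',
)


def demo() -> dict:
    """Constructed scenario: escrow a baseline, tamper with the tree, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth").mkdir()
        (root / "net").mkdir()
        (root / "auth" / "login.c").write_text(CLEAN_LOGIN)
        (root / "net" / "server.c").write_text("int serve(void) { return 0; }\n")
        baseline = build_manifest(root)
        baseline_digest = manifest_digest(baseline)

        # Tamper: edit one existing file and drop in a new one.
        (root / "auth" / "login.c").write_text(BACKDOORED_LOGIN)
        (root / "net" / "helper.c").write_text("/* new, unreviewed */\n")
        current = build_manifest(root)

        return {
            "digest_changed": manifest_digest(current) != baseline_digest,
            "diff": diff_manifests(baseline, current),
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from how the check works. The manifest only proves what changed after the baseline was taken, so the baseline and its digest must be produced and signed before the window of compromise and kept somewhere the attacker could not reach; a manifest regenerated from the already-tampered tree proves nothing. And a clean diff says the tree is unchanged, not that it was free of back doors to begin with; the modified lines it does flag are exactly where review effort should go.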
While threats are growing in sophistication, Alperovitch noted there are varying degrees of complexity because of the variety of groups behind cyber attacks as well as their motivation and targets.
“It’s important to understand we are not dealing with a monolithic entity. We are dealing with a number of different groups in the cyber criminal area,” he said. “We are still seeing quite a few very unsophisticated threats where someone finds a piece of malware or a tool kit on the Internet and decides to become his own cyber criminal operation.”
But those types of attacks are pretty easy to spot and usually are not too sophisticated, Alperovitch said.
Then there are some very sophisticated organized crime groups that have been around for decades. For example, Alperovitch pointed to Russian groups that have massive botnets at their disposal: millions, even tens of millions, of compromised machines around the world that they can use to launch attacks and shut down websites and networks.
“And then we have nation-state operations, primarily going after cyber espionage and targeting government networks and, as we have seen, private sector networks [as a way to get into the government networks],” he added.
To protect themselves, companies will need defense in depth to mitigate damage, Conway said. Information on attacks will also need to be passed up to the new U.S. Cyber Command (USCYBERCOM), so that the same mitigations can be applied across the services, on the expectation that the same attack will be aimed at them next, he added.
“Beyond that, they realize you can’t have big walls. Walls don’t work. You can’t win a war without good intelligence, so you really need to be looking outside beyond your own walls to see what may be coming over the horizon so you can be better prepared,” Conway added.
McAfee is at the forefront of an effort, called Global Threat Intelligence, to look over the horizon.
“We are collecting data from all over the world, from consumers up to enterprise customers. It’s really an early warning system for the .mil networks because things that are happening overseas against other sectors are going to have a great similarity to what is going to be hitting [the .mil] at some point in time,” Conway explained. “If we can understand what is going on, build mitigations and then provide early warning back to the .mils, it will help them raise their defense posture.”
In early August at the annual Army LandWarNet conference, Gen. Keith Alexander, commander, USCYBERCOM and director of the NSA, told attendees during his keynote that situational awareness on the net is not his only requirement but his number one pressing requirement, both within the .mil networks and a broader situational awareness in cyber, Conway said.
“I think the military is ahead of the private sector in recognizing that,” Alperovitch added. “But the need is universal. And situational awareness doesn’t just mean awareness about the threats, but also awareness of your assets, how they are deployed, the vulnerability to those assets and what they are being used for.”
A good example of the need for situational awareness surfaced during a recent table-top exercise where malware was identified in critical systems within an organization. “But management in the organization couldn’t even decide to shut down the machine until they could figure out the problem because they had no idea what the impact of that operation would have on that critical infrastructure system,” Alperovitch said.
Since publication of its report, McAfee has seen a new threat on the horizon, Alperovitch said.
“A few weeks ago as we were finishing up this report, we saw a very interesting threat to SCADA [supervisory control and data acquisition] systems, essentially systems used for controlling operations in electric power plants, water treatment plants, one of the most sophisticated threats we have ever seen,” he said.
The threat used a previously undiscovered vulnerability in Microsoft’s [MSFT] Windows that worked on all Windows platforms, Alperovitch said. “It took Microsoft some time to figure out how to even patch this vulnerability.”
The threat was discovered initially targeting systems in Iran, and was found by an outfit in Belarus that worked with Iran, he added.
“It was the first time we saw a sophisticated attack on SCADA systems and critical infrastructure,” Alperovitch said. “It probably indicates government involvement behind this.”