Spyware Makers Aiming For Enterprises

Gone are the days when spyware was a consumer PC user issue. Today hackers are aiming straight at corporate data and getting much more sophisticated and much stealthier in their

January 18, 2006


Targeted attacks against organizations are supplanting spyware attacks against consumers as the most common malware threats on the Internet, according to a recent report from Panda Software, Glendale, Calif.

"There is a new front to the war," says Patrick Hinojosa, Panda chief technology officer. "The attacks went from script kiddy worms that were easy to create and targeted at filling up e-mails to targeted attempts against organizations."

Companies holding a tremendous amount of customer data are the most commonly targeted victims, but not the only ones. The trend started in mid-2004, according to Hinojosa, and picked up steam after much-publicized security breaches at a pair of credit card service companies. Once a professional hacker learns of a type of attack that works, he's likely to launch one himself.

"Then they know how it's done; there are a lot of opportunists. There's a growing threat vector," Hinojosa explains, adding that the newer malware "isn't flashy, it just tries to get the job done."

Older malware, on the other hand, was often written by young hackers just to impress others with what they could do, he adds.

What Hackers Are Using

Today's hackers are more organized and have favored the Sdbot.ftp malware for the last half of 2005, according to the ranking of the viruses and spyware most frequently detected by the Panda ActiveScan online security software in 2005.

Sdbot.ftp features a script used by certain malware specimens to download the Sdbot worm. It does this by exploiting several operating system vulnerabilities, such as those in the Local Security Authority Subsystem Service (LSASS) or in Microsoft's Distributed Component Object Model within the operating system's Remote Procedure Call interface (RPC-DCOM).

According to the report, this generic detection of the variants of the Sdbot worm, downloaded via FTP, was responsible for 3.7 percent of infections. In second place came the tenacious veteran Netsky.P. Since this worm first appeared in 2004, it has stayed on Panda's monthly list of most frequently detected viruses, says Hinojosa. Ironically, this worm exploits a vulnerability in Internet Explorer, which was detected and resolved some years ago.

Third on the list is QHost.gen, a Trojan that prevents access to several Web pages that are mainly related to IT security. Next is Gaobot.gen, a generic detection for worms from the Gaobot family that exploit several software vulnerabilities.

Two Trojans, Citifraud.A, designed to defraud users through a phishing attack, and Zapchast.D, are in fifth and sixth places in the Panda rankings. The next three are Parite.B, Netsky.D and Sasser.ftp. The latter is a generic detection for the script created by worms from this extensive family in order to download themselves via FTP. The Trojan Psyme.C completes the top 10 list.

What's Coming Down The Pike

Hinojosa expects malware to become even more sophisticated in its attacks against targeted financial services firms and other companies in 2006 as hackers seek ways to get into corporate computer systems and scurry away without leaving a trace.

One such method is "spear phishing," which combines technology and social engineering in a communication targeted at a person within a specific company (e.g., Bank of XYZ, N.Y.). The message will direct the reader to open a link, which will load the malware.

For example, a line employee could receive an e-mail appearing to be from a system administrator telling him to open a link to check the security of his system, when that link will actually contain the security threat.

Hinojosa also expects to see more company-against-company attacks for purposes of corporate espionage and more movement by software vendors, who could be facing government pressure, to ensure that operating systems and other applications are more secure when software first leaves the factory.
