Norman: Summing up 2008 and predictions for 2009


In this security article we will focus on the security trends that could be observed during 2008, and will also briefly look into the crystal ball to see what can be expected in 2009.

That Was the Year That Was

2008: Another year with no MAJOR incidents - but a plethora of minor

The days seem to have passed when a retrospective look at the year could be summed up in a few major events. No particularly big incidents happened in the year that is now drawing to a close.

This does not mean that the Internet community had a quiet and safe year - quite the contrary, actually. In recent years we have seen a shift from "a few" major malware families to an almost unmanageable volume of malware. This is clearly seen by studying the number of signatures for malicious programs in Norman's virus definition files. In 2007 more signatures were added than in all previous years combined. In 2008 (as of 19 December) more than 120% more signatures were added than existed in total at the beginning of the year.

2008: A year of rogue computer programs

Computer programs that pretend to be something they are not have been around for almost as long as computing itself. During 2008, however, a new wave of them appeared, the most "successful" masquerading as antivirus and antispyware applications. In reality they were not designed to protect anyone; they displayed false virus warnings to trick the user into buying the rogue product. These programs also installed further malicious software, downloaded automatically from a series of different web sites.

In fact, this type of malware was so widespread, and so difficult to remove once installed, that Norman placed it on its malware warnings list as the only new malware during 2008.

2008: A year of serious vulnerabilities in operating systems and applications

The tendency for malware authors to propagate by exploiting vulnerabilities in operating systems and applications continued in 2008. Popular software of every kind was affected: all the widely used web browsers, Adobe's applications, the most common operating systems and so on. Attackers no longer focus only on Microsoft products; popular software from several other vendors was affected to a large degree as well.

Malware writers were very fast to turn new vulnerabilities into working exploits. One consequence is that software vendors have had to react faster with security patches. Microsoft, for example, has a policy of publishing security patches once a month; during 2008 the company had to issue out-of-band patches twice (so far), the most recent only a few days ago.

However, malware writers also continue to create software that exploits vulnerabilities which have already been patched. It is a well-known fact that many users, for various reasons, do not apply patches until long after they have become available. This has been discussed in several of our security articles, most recently in week 44 this year.

2008: A year of targeted attacks

This was probably the year when targeted attacks reached their peak. So-called spear phishing - attacks directed against a particular organization or group of users - rose considerably.

2008: A year when major malware distributors were stopped

In the second half of 2008 two major players on "the dark side" of the Internet community were removed from the Internet. McColo and EstDomains both lost their Internet presence after investigation and action by private organizations.

Tomorrow's Pantomime

The short version of what to expect in 2009 is: "More of the same and something totally different". This, however, is not very useful as guidance for setting up a protection scheme, so we will attempt to be a bit more specific.

2009: More fake applications

The success of the rogue antivirus programs in 2008 will most likely tempt some groups to continue and even expand this activity. In 2008 it was antivirus-type applications that were imitated, but there is no reason why other kinds of programs cannot be used in the same way. To be successful, the rogue programs will most likely target a program category with some or all of the following characteristics:
  • Several legitimate programs are available from different vendors, so it is not obvious to the end user which one to choose.
  • The legitimate programs are free or quite inexpensive.
  • The legitimate programs have, or have the potential for, a large group of users.

2009: New (and old) vulnerabilities in applications

The bad girls will continue to exploit vulnerabilities in popular applications next year. This has been an increasingly popular technique, and there are no indications that it will lose its popularity or effectiveness.

Accordingly, affected software vendors will remain under continuous pressure to patch their vulnerable products ever faster as zero-day exploits continue to emerge.

2009: More DNS poisoning

In late 2008 malware was observed that turned infected computers into fake DNS servers. This is a clever way to trick users into visiting web sites that pretend to belong to legitimate organizations. The affected end users have almost no way to protect themselves, since it is not their own computers that are compromised but one random computer in the organization.

Norman assumes that this technique will be refined next year, as new malware using variations of DNS poisoning is created.
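Two checks an administrator can run against the scenario above: first, whether a host is using a resolver that is not one of the organization's official DNS servers (the trace a rogue DNS server or a DNS-changing trojan leaves behind), and second, whether the answers the host actually receives agree with those from a resolver you control. The following is an added example written for this article, not Norman's code or a Norman product feature. The resolv.conf contents, the resolver addresses and the answer sets are all constructed for illustration; in practice the "observed" answers would come from querying the resolver the host is configured to use and the "trusted" ones from a resolver you operate yourself.

```python
"""Spot an unexpected resolver and cross-check its answers (added example).

All inputs below are constructed sample data, not real infrastructure.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed /etc/resolv.conf: two official corporate resolvers plus one
# unexpected LAN host of the kind a rogue DNS server would inject.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
search corp.example
nameserver 10.0.0.53
nameserver 10.0.0.54
nameserver 10.0.12.77
"""

# Assumed allowlist of the organization's official resolvers.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Constructed answer sets: what a trusted resolver returned versus what the
# host's configured resolver returned for the same names.
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "www.bank.example": {"203.0.113.10"},
    "update.vendor.example": {"198.51.100.20", "198.51.100.21"},
    "intranet.corp.example": {"10.0.5.5"},
}
OBSERVED_ANSWERS: Dict[str, Set[str]] = {
    "www.bank.example": {"192.0.2.66"},            # redirected to a fake site
    "update.vendor.example": {"198.51.100.21"},    # round-robin subset, benign
    "intranet.corp.example": {"10.0.5.5"},
}


def parse_nameservers(text: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf order, skipping comments
    and malformed entries."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP address; ignore rather than trust it
    return servers


def find_unexpected_resolvers(text: str, expected: Set[str]) -> List[str]:
    """Resolvers the host uses that are not on the official allowlist."""
    return [s for s in parse_nameservers(text) if s not in expected]


def find_redirected_names(trusted: Dict[str, Set[str]],
                          observed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Names whose observed answers share no address with the trusted answers.

    Comparing for exact equality would raise false alarms for names served
    round-robin from several addresses, so a name is only flagged when the
    two answer sets are completely disjoint.
    """
    redirected: Dict[str, Set[str]] = {}
    for name, good in trusted.items():
        seen = observed.get(name, set())
        if seen and not (seen & good):
            redirected[name] = seen
    return redirected


if __name__ == "__main__":
    for addr in find_unexpected_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS):
        print(f"unexpected resolver in use: {addr}")
    for name, addrs in find_redirected_names(TRUSTED_ANSWERS, OBSERVED_ANSWERS).items():
        print(f"{name} resolves to {sorted(addrs)} instead of "
              f"{sorted(TRUSTED_ANSWERS[name])}")
```

On the constructed data the first check reports 10.0.12.77 as an unexpected resolver and the second reports only www.bank.example as redirected; update.vendor.example is left alone because its observed answer is one of the addresses the trusted resolver also returned.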

2009: The finance crisis continues

As we mentioned in last week's Security Information, the financial crisis may tempt skilled (unemployed) programmers to join the dark side and write malware. The crisis is expected to worsen in 2009, and unemployment to rise accordingly. One may therefore assume that it will be easier to recruit programmers to create malware in the year to come.

2009: Expect the unexpected

One should not underestimate the ability of the dark side of the Internet to find new schemes for earning illegitimate money. Over the years they have come up with new techniques that fool even the most security-conscious users.

Whether unexpected techniques appear in 2009 remains to be seen, which is the nature of the unexpected...

2009: The need for encryption is increasingly acknowledged

Privacy issues have received more attention as several countries' legislation changed after the events of 11 September 2001. This was discussed in a separate Security Information article more than six years ago. Since that article was written, legislation has permitted even more surveillance and raised further privacy concerns.

As the general public becomes increasingly worried about this, the use of encryption for communication and for stored information in general is expected to increase. The reason for the relatively low use of encryption among average users is presumably that the available applications are perceived as quite cumbersome. Will the next "killer app" come in this field, one may wonder; and if it does, will it happen in 2009?