Strong Security from the Enterprise to the Edge

Security Now Blog: Addressing Today's Information Security Issues

SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk

by Eirik Iverson, Product Management

Flaws in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash, Microsoft Office, web browsers, and others are far and away the primary means for cyber criminals to take what they want from consumer and enterprise computers, as well as to secretly shanghai them into botnets. Despite this, consumers and enterprises alike are not only failing to implement long-available vendor patches, but for computer protection they continue to rely solely on a failing anti-virus/anti-spyware technology.

Most victims have absolutely NO IDEA that their computer has been compromised. Television commercials from ISPs and some vendors leave many believing that a malware infection announces itself through a severely slowed-down computer. That symptom only shows up when cyber criminals are sloppy.

Most attacks occur as drive-by downloads while web surfing. These are characterized by a temporary malicious application silently downloading into the user space of the victim's computer, which then:

  • Assesses the PC
  • Downloads the ideal permanent attack codes
  • Launches different attack codes until successful installation
  • Deletes itself

The typical end-user notices nothing. The next most popular attack vector is by way of email attachments. Most of these are spear phishing attacks, whereby victims receive an attachment from someone appearing to be familiar. Cyber criminals try to take advantage of the trust we bestow on our friends, family, and colleagues. And many of these spear phishing emails really do originate from the familiar person's computer. Of course, that person has no idea their computer is infected. So, any time you open an attachment or visit a web page recommended by a friend, you're implicitly assuming that their computer has not been hacked. In other words, 'trust no one'. Pretty lame, I know.

So, the good people of SANS and their partners echoed previous assertions that roughly 90% of these malware attacks target programming mistakes in the software applications of a PC, leaving 10% targeting operating system vulnerabilities.

So, given this massive preference among cyber criminals for targeting software applications, one might expect consumers and enterprises to implement security patches on software applications more aggressively. Wrong! On average, the measured time to patch is at least twice as long for software applications as it is for operating systems. This will improve, particularly as Adobe, which has been shamed into action, implements more agile auto-update mechanisms in its client-side software. Other vendors are doing so as well.

As we recently wrote, most vendors with auto-update mechanisms are vulnerable to man-in-the-middle attacks. Yes, the very auto-update feature that is meant to reduce risk by implementing patches more rapidly can in fact help facilitate a successful malware attack, because an updater that trusts whatever the download channel delivers will install whatever an attacker on that channel substitutes.
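The mitigation for the update-channel weakness described above, as an added example that is not code from the original post or from any vendor named here: an updater that pins the vendor's ed25519 public key and verifies a signed manifest (hypothetical manifest format, constructed demo keys and installer bytes) before applying an update, so a manifest or installer altered in transit is rejected no matter how it was fetched.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is published beside the installer; the signature covers the
// version and the SHA-256 of the installer bytes, not the transport.
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the installer
	Signature []byte // ed25519 over manifestBytes(Version, SHA256)
}

func manifestBytes(version, sum string) []byte {
	return []byte("update-manifest\n" + version + "\n" + sum + "\n")
}

// SignManifest models the vendor's release step with the offline private key.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	hexSum := hex.EncodeToString(sum[:])
	sig := ed25519.Sign(priv, manifestBytes(version, hexSum))
	return Manifest{Version: version, SHA256: hexSum, Signature: sig}
}

// VerifyUpdate is the client-side check: the public key is pinned in the
// installed binary, so a manifest or installer rewritten in transit fails.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return fmt.Errorf("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return fmt.Errorf("payload hash mismatch: refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	payload := []byte("constructed installer bytes")
	m := SignManifest(priv, "1.2.3", payload)
	fmt.Println("genuine:", VerifyUpdate(pub, m, payload))
	fmt.Println("tampered:", VerifyUpdate(pub, m, []byte("swapped in transit")))
}
```

Fetching the manifest and installer over TLS is still worthwhile, but the pinned-key signature is what makes the check independent of the channel.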

Auto-update features are useless when there are no vendor patches available to rebuff existing attacks in the wild. The Zero Day Initiative website maintains a list of categorized vulnerabilities that have not yet been publicly disclosed. These were discovered and reported by 'good guys' so that the respective vendors could fix the programming mistakes. The list names the vendors but not the specific products. A severity of low, medium, or high is provided, as well as the vulnerability report date.

The latter may cause any rational person some distress. Undisclosed vulnerabilities are months old, and many are over a year old. A race is afoot between the respective vendors seeking a vulnerability patch and cyber criminals seeking a vulnerability exploit. Yet more disturbing: what vulnerabilities have the bad guys discovered and already begun exploiting that are not yet reported to the respective vendors?

Whether the software vulnerabilities are known or unknown, cyber criminals are systematically minimizing the risk of their malware being detected by

  • Changing their attack code every 48 hours
  • Implementing obfuscation techniques (e.g., Lucky Sploit’s PKI encryption of its communications)
  • Self-destructing when a honey pot (i.e., a computer that security researchers and security intelligence vendors intentionally place at risk of infection so they can discover new malware) is detected
  • Limiting the distribution of their attack code (e.g., targeted attacks, cap the number of infections per malware sample, etc.) to minimize detection

Bottom line: most computers are not protected and their end-users may never know they’re victims.

Blue Ridge Solutions

AppGuard Technology prevents harm from malware attacks on unpatched software applications, allowing them to run as their developers intended.

AppGuard

  • Places software applications under ‘guard’; prevents drive-by download attacks from launching
  • For consumers and small businesses

AppGuard Enterprise

  • Centrally managed AppGuard
  • For medium to large organizations

EdgeGuard

  • Centrally managed AppGuard
  • Endpoint audit and control: security configuration management, application control, 3rd party security software remediation, network access control (NAC) / network access protection (NAP)
  • Comprehensive operational awareness over computers located anywhere
  • For medium to large organizations

Managed EdgeGuard

  • Managed security service based on EdgeGuard

4 Responses to “SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk”

  1. How is project management software different from other types of application software? | Online Time Management Says:

    [...] PCs Slow to Install Available Application Software Patches [...]

  2. ALERT: Adobe Acrobat Exploit via PDF Drive-by Download Attack Says:

    [...] SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk [...]

  3. Focus on Zero Day Computer Protection to Plug Botnet Data Leaks Says:

    [...] SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk [...]

  4. The Low-Down on November 2009 Patch Tuesday Says:

    [...] SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk [...]
