Report: Bad guys will seek reinforcements, recycle code
1. Global collaborative takedowns will increase. This year has seen examples of countries working together to bring syndicates such as the Conficker Working Group down. While there were other notable takedowns, these operations only focused on the most visible violators and sometimes only caused a temporary impact. For example, while authorities took down the massive Koobface botnet in November, the servers were reconfigured and back up and running at full capacity a week later. Next year, Fortinet sees authorities consolidating global collaborative efforts and teaming up with security task forces to shut down the growing number of malware ops. This year's Zeus takedown, which led to charges by authorities in the U.S. and Britain, is an example of the collaborations to come.
2. The bad guys will get territorial and raise prices on each other for insidious services. "Today, we're seeing a territorial concern for criminals building their malware empire(s), since control over managed infections can lead to longer up times and greater cash flow," the report said. "Features advertised as bot killers are being implemented into new bots to generically kill other threats that may lurk on the same system." For example, Manky said, Fortinet studied one bot that enumerated process memory to look for commands used by resident IRC bots. Once the processes using these commands are found, it kills them, since they are seen as a territorial threat. As attackers infect machines in 2011, the value of already infected machines will increase. As a result, Manky expects to see a price increase for criminal services like bot rentals and malware that includes machine maintenance to maximize an infected machine's uptime. "To keep infections discrete, malware operators may turn to quality assurance services that would, say, refuse to load software that may crash a machine or otherwise impact their business," he said, quoting from the report. "As part of the package, malware operators may also include leasing infection process time. When the lease is up, the malware would clean up after itself, reducing the amount of load/threats on a single machine."
3. There will be more 32-to-64-bit infections. Manky said technologies like address space layout randomization (ASLR), data execution prevention (DEP), virtualization, PatchGuard/kernel driver signing and sandboxing are becoming more routine along with the 64-bit machines running them. This has restricted malware's reach, and that will drive demand in 2011 for 64-bit rootkits such as Alureon, which got around PatchGuard and signing checks by infecting the master boot record to stage the attack.
Originally published on CSO