Information Security

Posted Dec 11, 2008 | By: Andy Norton

Predictions 2009: The "sub-crime" market


2008 will be remembered as the year that the major cyber criminal operations went sub rosa in their tireless efforts to fraudulently steal money from an unsuspecting public. The smartest thing the devil ever did was convince us he doesn't exist, and it is this precise technique that internet fraudsters are using to lull us all out of our hard-earned cash.


The bad guys have always faced two major issues in their attempts to contaminate victims' machines. Firstly, how to get past defence-in-depth security solutions, and secondly, how to convince victims to download the malware once they encounter it.

So, to problem number 1. How do you get past defence in depth? More than this, how do you break through the firewall, evade the IPS, and slip past the AV as a false negative? The answer is you don't. Cyber criminals get the victim to reach out beyond the defences put in place. By getting the victims to initiate the connection, the firewall allows HTTP outbound, which lets criminals encrypt the links to malware, evading the URL filter or IPS, and then dynamically morph the actual malware, thus slipping by the AV deployments.

This leaves problem number 2: why would anyone want to connect to, or even type into their browser, www.infected.ru (as Yoda would say) or www.stealmybankaccount.cn, and install software from unknown entities?

The answer is they don't. Victims rarely even know they've encountered malware. The bad guys simply exploit weaknesses on existing good websites and insert links that refer to malicious payloads, which get installed via the victim's browser when they visit legitimate sites. A number of commercial and government sites were injected with links that called malware down onto people visiting those sites during the course of 2008. The ASPROX botnet has been the most successful this year, infecting nearly 50,000 Australian web sites at its peak, and therefore countless numbers of victims visiting those pages during that time.
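The injected-link pattern described above is something a site operator can check for in the pages their own servers actually serve. The following scanner is an added example written for this article, not code from the author or from any product mentioned; it walks a page's `<script>` and `<iframe>` tags, flags any source hosted outside an allowlist of hosts the site legitimately uses, and separately flags zero-size iframes, a common shape for drive-by loaders. The `ALLOWED_HOSTS` set, the `.example` domains and the sample HTML are all constructed for illustration; obfuscated inline scripts (no `src`) are out of scope here.

```python
"""Scan served HTML for injected third-party script/iframe references.

Added example for this article (not the original page's code). Hosts,
sample page and allowlist are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts and frames from (constructed).
ALLOWED_HOSTS = {"www.example.gov.au", "static.example.gov.au"}


def _is_hidden(attrs):
    """True if an iframe is sized to zero or styled invisible."""
    if attrs.get("width", "").strip() == "0" or attrs.get("height", "").strip() == "0":
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class InjectedRefScanner(HTMLParser):
    """Collect script/iframe sources and record the ones that look injected."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # list of (tag, src, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src")
        if not src:
            return
        host = urlparse(src).hostname
        # Relative URLs are same-origin; they are not flagged by this check.
        if host is not None and host.lower() not in self.allowed_hosts:
            self.findings.append((tag, src, "third-party host"))
        if tag == "iframe" and _is_hidden(a):
            self.findings.append((tag, src, "hidden iframe"))


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (tag, src, reason) findings for one HTML document."""
    scanner = InjectedRefScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two legitimate includes plus two injected references.
SAMPLE_HTML = """
<html><head>
<script src="https://static.example.gov.au/site.js"></script>
<script src="/js/local.js"></script>
<script src="http://js.constructed-bad.example/inject.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://frames.constructed-bad.example/in.php" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, src, reason in scan_html(SAMPLE_HTML):
        print(f"{reason:16} <{tag} src={src!r}>")
```

Run it against pages fetched from your own servers (or a saved crawl) and diff the findings over time; a new third-party host appearing across many pages at once is the signature of a mass injection rather than a legitimate change.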

Infection can happen in one of two ways. Firstly, an automatic "drive by" (a download without the user's knowledge) may probe the victim's machine, discover it is missing a patch and exploit it, silently installing the malware without the user's consent. Secondly, if a "drive by" is not possible, the malware falls back on social engineering: it makes the victim suspect a security problem, convincing them to install a "security tool" or "software upgrade" to fix it. A never-ending stream of fake AV websites and credit card payment sites are set up, taking advantage of the ICANN 5-day grace period, which allows a domain to be active for a short period of time; this makes the infrastructure used to instigate crime instantly disposable and completely reproducible.

Indeed, the bad guys held the upper hand throughout 2008. "No virus found", "not in our list", "not rated", "not categorised" were the all-too-frequent findings of the security industry throughout 2008. Notoriety became the criminals' worst enemy: the big takedowns of Storm, EstDomains and McColo only increased their need for sub rosa operations. Moving forward, reputation is now the key security mechanism for defeating the bad guys. If your reputation is sub-prime, you won't make money from sub-crime. In this landscape of randomised, polymorphic sub-crime, the only thing the criminals can't shake is their reputation, and deployment of reputation systems spread like wildfire through the brand-conscious, internet-enabled Global 2000.

In store for 2009 is more sub-crime, an increase in sub rosa tactics, and a big conspiracy theory of a unified uber-botnet. In 2008 we saw previously distinct botnets, ASPROX and STORM, deliver exactly the same payload, hinting at back-end commonality, and the security industry rushing to bolt reputation into their flagging products and heavily exposed customers.

Copyright © 2010 Westwick-Farrow Pty Ltd. All rights reserved.