Six months is a long time when it comes to security. Indeed so is a day, as many of the people PC Retail spoke to this month jested. But while their tone might have been jovial, the message behind it wasn’t. The risks to your customers’ computers are getting worse – much worse.
"There has been an explosion of malware variants," explains Webroot’s EMEA managing director Nicholas Banks. "Instead of seeing maybe 5,000 pieces of malware a month, we are seeing hundreds of thousands of malware variants per month. Malware writers are hoping that antimalware companies cannot keep up with the amount of files they are pumping out, and that they cannot protect their customers before infection because of it."
It was a point echoed by Kaspersky Labs’ senior technology consultant David Emm. "2007 was hailed as the most viral year in history; the first half of 2008 continued in a similar vein with an overall increase in the number of threats detected."
This is key to understanding the current landscape, argue all of the experts we spoke to. "The last six months have been dominated by two types of attacks," adds director of malware intelligence at ESET, David Harley. "The first has been malware that tries to self-install from flash drives and other removable media using the Windows Autorun facility."
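The Autorun self-install Harley describes works through an autorun.inf file in the root of the removable drive; the keys that make Windows launch something are open=, shellexecute= and shell\…\command=. The following triage script is an added example, not ESET’s or PC Retail’s code: it parses a constructed autorun.inf the way a technician might when a customer brings in a suspect USB stick, flags the entries that would run an executable, and decodes the NoDriveTypeAutoRun policy value (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) that switches Autorun off per drive type. The file contents and file names are made up for the example; the key names and the bit layout of the policy value are the real ones.

```python
# Executable extensions that an autorun.inf action key can hand to Windows.
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf")

# Drive-type numbers as returned by GetDriveType(); the NoDriveTypeAutoRun
# policy value disables Autorun for a type by setting bit (1 << type).
DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 2, 3, 4, 5, 6

# Constructed sample of a malicious autorun.inf (names invented for this example).
MALICIOUS_INF = """\
[AutoRun]
;;; junk line that a naive parser would choke on
this line has no separator at all
Open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed sample of a harmless autorun.inf that only sets a label and icon.
BENIGN_INF = """\
[autorun]
icon=backup.ico
label=Backup drive
"""


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section with lower-cased keys.
    Deliberately lenient: malware pads the file with junk lines to confuse
    parsers, so anything that is not 'key=value' is simply skipped."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def is_action_key(key):
    """True for the keys that cause code execution on insert or double-click."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command")
    )


def triage_autorun_inf(text):
    """Return human-readable findings; an empty list means nothing would launch code."""
    findings = []
    for key, value in parse_autorun_inf(text).items():
        if is_action_key(key):
            target = value.split()[0].lower() if value.split() else ""
            if target.endswith(EXEC_EXTS):
                findings.append(f"{key}= launches {value}")
        elif key == "action" and "open folder" in value.lower():
            # Heuristic: the label is chosen to look like Explorer's own
            # "Open folder to view files" entry so the user picks it.
            findings.append("action= mimics Explorer's own 'Open folder to view files' entry")
    return findings


def autorun_disabled_for(no_drive_type_autorun, drive_type):
    """Decode the NoDriveTypeAutoRun bitmask for one drive type.
    0xFF disables Autorun everywhere; the old XP default 0x91 leaves removable
    drives (bit 0x04) enabled, which is exactly what this malware relies on."""
    return bool(no_drive_type_autorun & (1 << drive_type))


if __name__ == "__main__":
    for finding in triage_autorun_inf(MALICIOUS_INF):
        print("FLAG:", finding)
    print("benign sample findings:", triage_autorun_inf(BENIGN_INF))
    for policy in (0x91, 0x95, 0xFF):
        print(f"NoDriveTypeAutoRun=0x{policy:02X}: removable drives protected ->",
              autorun_disabled_for(policy, DRIVE_REMOVABLE))
```

The parser is kept lenient on purpose: rejecting a malformed file would only mean the triage tool fails on exactly the samples Windows itself still happily interprets. The policy check is the practical fix for the customer: anything less than 0xFF (or at least the 0x04 removable-drive bit) leaves the attack path open.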
AVG’s business development manager for VARs Tony Ayin explains that the shift in attack patterns is representative of malware writers recognising the changing face of the security market. "The majority of computer users are now reasonably well protected against email threats, leading malware authors to turn their attention to the web – and, unfortunately, they have found the ideal attack vector."
The bigger problem, Ayin adds, is that these attacks aren’t limited to visiting dodgy websites: they target vulnerabilities in software that is crucial to the modern internet. "Browser plug-ins, such as Adobe’s Flash Player and Apple’s QuickTime, open even more doors for malware writers to attack through," he argues.
Indeed, it is the way people want to use the internet that is leaving their computers wide open to attack. "The latest threats centre around social engineering and the web as a means to spread infection," says BitDefender chief technology officer Bogdan Dumitru, echoing Ayin’s suggestion that the web is now central to the malware peddler’s ‘route to market’.
"The most usual way for someone to end up with an infected system these days is to visit a compromised or malicious web page, click a link and end up downloading and running a threat," adds Dumitru. These threats succeed, he stresses, because they take advantage of the vital part these programs play in the modern world wide web: "The Trojans and adware spread this way, such as Wimad, have been consistently amongst the top ten threats in the past six months."
The increased number of ways that people interact with the internet also means that a number of distinct groups are being targeted. "The threats were as diverse as the groups they targeted," adds Emm. "There was an increase in the number of threats to online gamers. Malware ‘2.0’ was being targeted at social networking sites through the use of sophisticated rootkits installed at a sector level on the computers (bootkits) and obfuscation techniques, designed to obstruct analysis."
It was a point echoed by F-Secure’s country manager for the UK and Ireland, Richard Hales: "This year the number of virus attacks has already reached 1.1m. Even more worryingly, we detected the same number of virus samples in the first six months of 2008 as in the previous 20 years."
Expanding on this, Emm said: "This year has been dominated by Trojan programs. As the year has gone on, users have been plagued by Trojans with hybrid malware, designed to create back door entry for malicious programs to attack unprotected computers. Of note was the specific attack on online gaming accounts, acknowledging the value games such as World of Warcraft now possess."
Worryingly though, there is another trend emerging that has echoes of the past. "There has been an upsurge in cybercriminals mis-selling ‘antivirus’ products, using their own notoriety as a catalyst," explains country manager for Panda Security UK, Dominic Hoskins. "It echoes their nineties tricks where they would send an email urging you to search your system for a ‘virus’ file – normally a vital system file – and when you find it, which of course you would, to delete it and tell everyone else you know about it.
"Of course, deleting this file would stop your computer booting next time – this was never intended to make money, just cause disruption – but now criminals are returning to this trick. Now the cybercrooks are trying to obtain money by installing adware on users’ PCs or directing you to a website that poses as a real antivirus. Once executed, this displays fake infections and invites users to buy a full version of the antivirus to remove threats which are not real threats."
Nor is the problem going to go away in the near future, argues Bullguard CTO and co-founder Theis Søndergaard, who describes cybercrime as an emerging economy in its own right. "Co-operation between cybercriminal gangs is on the increase. Tools are created by some specialised groups, and then are used by others."
Education, education, education
"It has long been known that the user is the weakest link of the security chain, and it is essential to educate users in all aspects of security in order to fully protect them," adds Hoskins, a point echoed by Kaspersky’s Emm. "Panda Security is very proactive in running campaigns directed at the channel and end users, to help educate them on the current security issues."
Dumitru also backs up Hoskins’ stance that education is the only way to combat these problems in the future: "BitDefender is pushing education aggressively into the retail space by organising courses on security policies and practices for our partners and their employees."
Harley also sees education as key to combating the security threat – but also sees co-operation between the many security firms as key to fighting threats: "We use our ThreatSense blog to share information about current threats and good practice, and we share information in many other ways, such as our white papers page."
Symantec believes it is crucial to target the end user, as well as the industry, as vice president for consumer sales EMEA Lee Sharrocks explains: "Vendors have a responsibility not only to sell products, but to also help support and educate the public on ways they can stay safe online, outside of just technology solutions."
Hales takes a slightly different route: "F-Secure does what it can to educate customers. We believe that one of the most effective ways to educate customers is for ISPs to bundle internet security in their offerings. We recognised this years ago and now work with 175 ISPs around the world."
Some are less sure that a short-term solution can be found: "Unfortunately, I feel it may be a long time before security online becomes as common sense as not talking to strangers and looking both ways before crossing the road," states Emm. "It may well be the case that we have to go to the school level to educate people; a major problem is that parents are often less clued up about the internet than their children.
"We could be looking at today’s children – who have grown up with today’s threats – having their own children and passing on advice on how to be safe online." Agreeing, Hoskins adds: "This maxim does not just lie with technology, but also with the social aspects of security, which can only be combated through education."
Banks, however, is much more positive. "I think more than ever before, antivirus programs are being viewed as a necessity. A survey conducted by NPD over the summer showed that people are now buying or installing before being attacked, rather than taking action after being compromised, suggesting that there is already a shift in awareness."
His view is echoed by Søndergaard: "Awareness of possible dangers is still growing amongst consumers. Many customers today understand the principle of malware being capable of doing damage. However, as malware evolves so quickly in terms of behaviour, target and delivery mechanisms, it can be hard for them to stay on top of things."
He is aware of the problem of apathy, though, and recognises that some of it may have been caused by the security industry’s eagerness to push its wares; the channel, he says, is a different matter: "The channel is well aware of the dangers posed by threats, as IT resellers have a higher degree of knowledge than the average end customer."
Agreeing with Sharrocks, Søndergaard adds: "Educating and creating awareness among end users is the obligation of vendors and channel alike, but we must recognise that there are still end users out there who accuse security companies of hyping the dangers (and sometime even of creating them). It is important that impartial parties like government institutions and publications participate in the education process."
No such thing as a free lunch
When trying to dig down to why AntivirusXP was so successful, many of our experts came to the same conclusion: too many people feel there is no difference between an antivirus you pay for and one that is free. Indeed, many of the people we asked said it was the ‘free’ part that made it so successful.
Six months ago there was a general undertone that some customers felt antivirus was unnecessary; that is now largely evaporating. "The perception that antivirus software is unnecessary seems to be slowly fading away for Windows users," comments Harley. He warns, though, that some are still leaving themselves wide open to attack: "That sense that it is unnecessary is still very strong for users of other operating systems though."
Hoskins expands: "We believe that current user perception is not that antivirus software is unnecessary, but that all antivirus software products are similar," a point Emm agreed with strongly. "A lot feel that it doesn’t matter which one you have – free or paid for – as long as you have one," adds Hoskins, a point that he feels may have contributed towards the success of the various strains of AntivirusXP. "The thing is, there are big differences between each solution and the technology they contain," he adds.
Indeed, such has the security landscape changed in the past six months, that Dumitru jokes: "That perception went the way of the Siberian tiger a long, long time ago. We’ve since been elevated to the rank of ‘necessary evil’ in the eyes of the public."
However, Harley doesn’t feel that the risk has gone away altogether. "I think there is still an element of that in those organisations and individuals putting their faith in whitelisting. In some contexts, it can work quite well, though it’s certainly not the universal solution that some have presented it to be." Emm agrees to a point, but warns that that context isn’t necessarily the best one in which to consider the benefits and drawbacks of whitelisting: "To consider whitelisting as a sole solution would not just be unrealistic, it would also be foolish. As part of a modern package, whitelisting is the ideal for combating some of the problems that have caused apathy amongst users."
Indeed, Emm’s assertion that whitelisting’s strength lies in being able to combat apathy is the point that most people agreed with.
The Future’s White
When we asked what 2009 holds for the sector, there was one overriding opinion: less system resource use. "I think it’s fair to say that in the past, some customers have avoided running security programs because it has interfered with what they were doing, especially groups like gamers," says Emm. It is a point echoed by Sharrocks: "According to our own research, performance is the number one reason why people switch security products.
"We have responded to customers’ needs to bring the fastest Norton security products ever, with the fastest install time, the quickest scans and the least memory usage compared to our competitors’ products." Expanding on that, Sharrocks says: "Cloud computing is one of the buzz words in the IT industry at the moment. It can be used to fight online threats in an environment where we are seeing many more malicious applications than legitimate ones.
"This is based on the concept of whitelisting," explains Sharrocks. "Trusted applications are stored on a whitelist database," he adds, explaining that it means they don’t have to scan every program, every time; a major cause of the slowdown and hogging of system resources.
Others see the market moving in different directions, but agree that there will be a general move away from relying on static signature detection. "There will be continued development of more proactive detection methods such as advanced heuristics and other forms of behavioural analysis," Harley believes. However, he is sceptical about the rush to whitelisting and its cloud-based brethren: "More vendors are likely to use comparatively new techniques such as cloud computing. At the moment, some of these techniques have an element of ‘we have to do this right now, because everyone is doing it’. I think we’ll see more benefits as some of the rough edges are knocked off by early implementations."
Ayin, however, believes it does have its benefits, but that putting everything into the whitelisting basket would be foolish: "This year, vendors like Cisco have come out and said that whitelisting may be a way forward in 2009 and beyond. It is true that whitelisting has its uses, and we are likely to see more whitelisting incorporated into 2009 versions of security software. However, we see whitelisting as just one more piece in the layered defence against threats."
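The layered approach Ayin, Harley and Sharrocks are describing is easy to show in code. The script below is an added example written for this article, not any vendor’s product: a file is hashed once, a hit on the trusted-hash list (the whitelist Sharrocks says lets a product skip rescanning known programs) ends processing immediately, a hit on the known-bad list is the classic signature block, and only files on neither list go to a heuristic stage, here a byte-entropy check of the kind used to spot packed or obfuscated payloads. The sample "files", the hash lists and the 7.0 bits-per-byte threshold are all constructed for the example.

```python
import hashlib
import math


def sha256(data):
    """Hex SHA-256 of a file's bytes; the lookup key for both lists."""
    return hashlib.sha256(data).hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for uniform data, 8.0 for random).
    Packed or encrypted executables sit near the top of that range."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed sample "files" (the MZ prefix stands in for a PE header).
TRUSTED = b"MZ" + b"\x90" * 64 + b"stand-in for a well-known, catalogued utility"
TAMPERED = TRUSTED[:-1] + b"!"                 # one byte changed: not the same file
KNOWN_BAD_SAMPLE = b"MZ" + b"\x00" * 32 + b"stand-in for a catalogued malware file"
PACKED = b"MZ" + bytes(range(256)) * 16        # near-maximal entropy, like a packed payload

# In a product these lists live in the cloud; here they are built inline.
KNOWN_GOOD = {sha256(TRUSTED)}
KNOWN_BAD = {sha256(KNOWN_BAD_SAMPLE)}


def classify(data, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD, threshold=7.0):
    """Layered verdict: whitelist -> blacklist -> heuristic -> full scan."""
    digest = sha256(data)
    if digest in known_good:
        return "allow:whitelisted"       # trusted hash: skip the expensive scan entirely
    if digest in known_bad:
        return "block:signature"         # known-bad hash: classic blacklist hit
    if entropy(data) > threshold:
        return "suspicious:heuristic"    # unknown and packed-looking: quarantine / sandbox
    return "scan:unknown"                # unknown: hand to full scanner / behavioural analysis


if __name__ == "__main__":
    for name, blob in [("trusted", TRUSTED), ("tampered", TAMPERED),
                       ("known bad", KNOWN_BAD_SAMPLE), ("packed", PACKED)]:
        print(f"{name:10s} entropy={entropy(blob):.2f} -> {classify(blob)}")
```

Two points the quotes above gloss over follow directly from the code. A whitelist only ever says "these exact bytes are known": the tampered copy, one byte different, falls straight through to the scanning path, which is the behaviour you want. And because a whitelist hit short-circuits every later layer, the list itself must be trustworthy; a trusted-hash database that an attacker can write to is a bypass for the whole stack, which is why it is one layer among several rather than the sole solution Emm and Ayin warn against.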
But focusing on Windows tells only half the story, especially as the popularity of rival platforms Mac and Linux grows. "Whilst malware has been very limited for both platforms, we expect this to change as they increase in popularity," explains Hales. However, not everyone agrees: "There is probably more demand for the platforms than before, based on the increased number of users, but they still represent a small, albeit very vocal, minority," says Banks.
The problem, as he sees it, is that while Windows-based computers so drastically outnumber Macs and Linux machines, it won’t be worth malware writers’ time to create programs for those platforms. "When you compare Windows to Mac OSX and Linux, there is an overwhelming disparity in malware written for Windows, mainly because of its popularity."
Hoskins feels it is only a matter of time before they become more of a target than they currently are: "The rise in Mac popularity and also Linux usage – driven partly because of the netbook phenomenon – are leading to increased demand for security solutions for these platforms." Despite that, he is still keen to play down the threat to these platforms compared with that faced by Windows.
"However, they still make up a tiny proportion of the total installed base so the increase is not yet appreciable." Despite that, he still had a warning for users of less popular platforms: "There are cybercriminals who consider the niche markets more attractive as the user expectation of infection is much lower."
However, even more worryingly, Sharrocks warns that the platform might become irrelevant, especially as malware writers look to take advantage of browser vulnerabilities: "From the standpoint of the ‘traditional’ attack, you are safer on a Mac as there are fewer viruses, worms and Trojans released that target that platform, but that is now changing. Many of the attacks initiated today are focused on web applications and web browsers."
It’s a situation that has called for a new response. Indeed, the firm has recently launched a special version of its antivirus program designed for Macs that run both OSX and Windows. "Customers are becoming increasingly aware of the fact that they are not immune from attack just because they are using a Mac," a point echoed by Hoskins: "I know Mac users who don’t run security because ‘Macs don’t get viruses’ – a very risky strategy."