News

Study: New Attacks Use Old Tricks

• By Stephen Swoyer
• August 19, 2009

If there's one thing that last month's attacks against public sector sites in both the United States and South Korea demonstrated, it's that the exploits of the past often come back to haunt us.

The July 4 attacks, for example, used code that had been recycled from the notorious MyDoom worm.

Security experts warn that many shops aren't adequately protected against the exploits of old. Not surprisingly, the recurrence of exploit throwbacks -- in some cases, extremely old exploit throwbacks, as seen in the reappearance of the infamous Code Red worm -- is one of the more intriguing angles in the new mid-year security trends report from Symantec Corp.

"In the first half of 2009, some of the more recent and highly publicized threats incorporated attack methods used in previous years. The large-scale distribution of a small number of threats that were characteristic of the Code Red and Nimda attacks were components of the attack techniques employed by the Koobface worm, which continues to propagate via social networks, and the Conficker worm, one of the most complex and widely spread threats to hit the Internet in several years," wrote security researchers in Symantec's "Security Trends -- 2009 Mid-Year Update" report.

In 2008's year-end security forecast, Symantec had predicted that economic concerns would spur a good chunk of exploit activity this year. Although that has been the case, Symantec researchers conceded that it can't account for all exploit activity. July's distributed denial-of-service (DDos) attacks, for example, appear to have had no financial motives.

"Similar to attacks seen in previous years, the purpose behind the recent Trojan.Dozer distributed denial of service...attacks appears to be notoriety and/or mischief," the report said.

Not surprisingly, of course, Symantec researchers have a somewhat self-serving take on the phenomenon of re-emerging exploit activity: Companies should consider investing in multi-tiered security defense assets.

"As older attack techniques continue to resurface in current threats, we believe that a multi-layered defense combining traditional detection methods with complementary detection such as reputation-based security models will be essential," the report said.

The July DDoS attacks were comparatively unsophisticated in both their construction (they used recycled code from the former MyDoom worm) and their intensity (attack victims were targeted by a relatively modest packet storm). This doesn't mean that security exploits are becoming increasingly less sophisticated, however. Savvy attackers continue to hone their craft, Symantec researchers said, citing an uptick in attack methods that imitate legitimate business practices. This is particularly true in the burgeoning "scareware" segment.

"Today's attackers are increasingly sophisticated and organized, and continue to employ deceptive methods that imitate traditional business practices. Malicious ads or 'malvertisements,' usually in the form of 'flash' ads, redirect the user to fake scan Web pages. Mainstream Web sites, as well as less reputable sites, are susceptible to these threats," the report said, citing the rising popularity of "scareware" exploits (e.g., fake malware or anti-virus "scanners") that identify bogus infections and then offer to "clean" a user's computer.

"The goal is to try to lure the user into buying the fake product, which promises to clean up all of those made-up threats. Those who fall for the bait are usually redirected to an order page, where they are lured for payment."