Up next: Cellular botnets, cyber militias

The ability of malware writers to consistently stay ahead of those seeking to stop them has been a constant factor in the security industry over the past several years.

Looking to 2009, don't expect that situation to change, security analysts and vendors concede glumly. In fact, with cybercrime getting more organized and as more money is poured into malware development, it will be a challenge to stop cybercrooks from pulling even further ahead, according to the authors of a report on emerging cyberthreats for 2009 and beyond.

The report was released last week by the Georgia Tech Information Security Center (GTISC) and looks at the threats that security managers are likely to confront next year and how to deal with them.

For the most part, the threats are not unexpected or especially new. What's different is the increasing sophistication and refinement that malware writers are adding to their tools and attack techniques. Among the emerging threats identified in the report are the following:

Bugs and botnets in the mobile world

The features built into smart phones, such as Apple's iPhone, RIM's Blackberry, Google's Android and Windows-enabled mobile devices are making them increasingly computer-like in their functionality. And therein lies a security problem.

The more the systems emulate traditional PCs and notebooks, the more prone they are to the security risks that have bedeviled the computer industry for years, said Patrick Traynor, an assistant professor in the School of Computer Science at Georgia Tech and a GTISC member.

A user surfing the Web using an unprotected smart phone will, in the not-too-distant future, be just as likely to catch a nasty bug as a user doing so with a PC today, Traynor said. Malware writers will need to first re-architect and retool their products to get them to run in a mobile environment. As more people begin using smart phones to transact business and to store personal identity information and credit card numbers, the mobile device category as a whole becomes a lot more attractive for cyberthieves. This is especially so because mobile devices are relatively less-protected than PC environments.

Expect to see attackers attempting to inject malware into mobile phones to turn them into remote-controlled bots, Traynor said. Such bots can then be used to deliver spam, steal data, or launch distributed denial-of-service attacks that can cripple mobile-phone networks, Traynor said.

Page Break

Tools are already available for crafting exploits for the iPhone, said Tom Cross, a security researcher with IBM's Internet Security Systems, X-Force security team and a contributor to the GTISC report. It's just a matter of time before the same kinds of tools become available for every major mobile phone platform, he said. The only reason it hasn't happened already is because mobile phones are not viewed as being especially attractive targets by malicious attackers, he said.

One of the big questions that needs to be answered before the attacks start is who should be responsible for addressing the issue -- the users, with potentially battery-draining third-party fixes, device manufacturers or the service providers, Cross said. "We think that the impact that botnets of infected smart devices will have on the performance and reliability of telecommunications networks will affect the decision-making process," he said.

Smarter 'headless' botnets

Botnets, which are large clusters of compromised computers that can be controlled centrally from a remote location, have become the delivery mechanism of choice for cybercrooks that want to distribute spam and other sorts of malicious code. Though such networks have been very efficient at distributing malware they have become relative easy to neutralize by tracking and taking down the command and control servers that control them.

"Bot masters have been relatively stupid so far," said Mustaque Ahamad, director of the GTISC. "There are a variety of interesting ways to detect bot activities fairly quickly," he said. That's already changing, however, as cybercriminals put more effort into hiding bot activity by, among other things, disguising bot traffic as normal traffic, he said.

Another technique gaining favor in the botnet world is the use of so-called fast-flux networks, said Jon Ramsey, chief technology officer at security vendor SecureWorks and also a report contributor. Such networks allow compromised systems in a botnet to be controlled by multiple command and control servers instead of just one system as is the case today. These "headless" botnets are going to be a lot harder to shut down than today's typical hierarchical models, Ramsey predicted.

Page Break

Botnet operators have also started using HTTP protocols for communications between the compromised machines and the command and control servers. As a result, it will become a lot harder to distinguish botnet activity from normal traffic going forward, Ramsey said.

Cybermilitias and cyberwarfare

Russia's military invasion of Georgia earlier this year was preceded by a meticulously planned cyberattacks against media and government communication infrastructure targets in the Georgian city of Gore.

A post-mortem by Secure Works shows that the attacks were coordinated among known hacking groups and military operators. The attacks included DDoS and cache-poisoning attempts targeting DNS servers for major Georgian networks. The attacks were launched from Russia's state-operated Rostelecom and Moscow-based COMSTAR networks, using the same tools and infrastructures that are being use by organized cybergangs to steal data and send spam.

At its peak, the amount of traffic directed at the targeted servers during the DoS attacks touched an astounding 80GB per second, Ramsey said. "That is the shock and awe version of cyberwarfare," he said. The huge success of the attacks is sure to serve as a model for similar attacks by nation states using cybermilitias, he said.