New Levels of Sophistication in Malware Pose Serious Future Consequences

**JeffC** · 11-17-2007

I just covered some of the findings of an Open Source Security conference held this week in San Jose at IntelFusion.net, and I'm very worried. These are exceedingly sophisticated techniques, and few in Law Enforcement or the DOD are on the same page technologically.

Here are a few examples of what can be done with a Botnet attack:

- Use RSS-to-e-mail conversion services as an untraceable way to control a Botnet;

- Instructions for a Botnet can be hidden on multiple web pages, and then recovered by that Botnet via Google search.

Granted, these are still very new strategies and haven't yet been widely adopted by the bad guys, however it's just a matter of time. I'm concerned that a lack of training among many of the agencies tasked to protect our infrastructure is going to leave us exceedingly vulnerable to a technologically adept and rapid adopter cyber foe.

**bismark17** · 11-17-2007

I wouldn't be surprised by today's crackers/spammers/cyber criminals by how fast they develop their TTPs. The amount of good information available on the net, let alone, the numbers of good tech books on security at any Borders or Barnes and Noble these days is mind numbing. As Dylan sang, "The times, they are a changin."

**JeffC** · 12-05-2007

"Shell, Rolls Royce Reportedly Hacked By Chinese Spies"

http://www.infoworld.com/article/07/...e-spies_1.html

Also, the latest CRS report on Cybercrime, Cyberterrorists, and Cyberwarfare is available through FAS:

http://www.fas.org/sgp/crs/terror/RL32114.pdf

**Jedburgh** · 03-31-2009

University of Cambridge Computer Laboratory, March 2009:

The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement

In this note we document a case of malware-based electronic surveillance of a political organisation by the agents of a nation state. While malware attacks are not new, two aspects of this case make it worth serious study. First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed. Second, the modus operandi combined social phishing with high-grade malware. This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective. Few organisations outside the defence and intelligence sector could withstand such an attack, and although this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual. This report is therefore of importance not just to companies who may attract the attention of government agencies, but to all organisations. As social-malware attacks spread, they are bound to target people such as accounts-payable and payroll staff who use computers to make payments. Prevention will be hard. The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge.