Saturday, January 27, 2007

ID-Triggered Rootkits

In his thriller “The Moscow Vector”, Robert Ludlum’s villain kills his victims using a “designer virus” that triggers when it encounters the target’s DNA. While not yet common in the biological world, this form of attack is becoming increasingly prevalent in the world of computer viruses.

Targeted denial-of-service, or “hostageware”, attacks aimed at companies that depend on the availability of an online transaction gateway, such as online casinos and stock-trading firms, are already well documented. What is now starting to emerge is the “one-off” designer rootkit: malware written to target a single individual that stays dormant until it identifies the victim’s computer by MAC address, IP address, e-mail address, or some other unique identifier.
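To make the mechanism concrete, here is an added illustration (not code from the original post, and not a description of any real sample) of how an identifier-triggered payload can be keyed to one host. The attacker derives a key from the target’s identifier, stores only a salt, a trigger tag and the encrypted payload, and the sample recomputes the key from whatever identifier it finds on the machine it is running on. The MAC addresses, salt and payload below are constructed for the demonstration; the hash-based keystream is illustrative, not a production cipher.

```python
import hashlib
import hmac

# Constructed identifiers for the demonstration (locally administered MACs,
# not real hardware). The original post names no actual target.
TARGET_MAC = "02:00:00:00:00:01"
SANDBOX_MAC = "02:00:00:00:00:02"
DEMO_PAYLOAD = b"payload that should only ever run on the target host"


def normalize_identifier(identifier: str) -> str:
    """Canonicalise a host identifier so cosmetic differences (case, '-' vs ':')
    do not cause a miss on the intended target."""
    return identifier.strip().lower().replace("-", ":")


def derive_key(identifier: str, salt: bytes) -> bytes:
    """Key material derived from the identifier. The shipped sample carries the
    salt, never the identifier itself, so a reverser cannot read off the target."""
    return hashlib.sha256(salt + normalize_identifier(identifier).encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_sample(target_identifier: str, payload: bytes, salt: bytes) -> dict:
    """What the attacker ships: salt, trigger tag and encrypted payload.
    Nothing here reveals who the target is or what the payload does."""
    key = derive_key(target_identifier, salt)
    tag = hmac.new(key, b"trigger", hashlib.sha256).digest()
    ciphertext = xor_bytes(payload, keystream(key, len(payload)))
    return {"salt": salt, "tag": tag, "ciphertext": ciphertext}


def run_sample(sample: dict, host_identifier: str):
    """What happens on a host: recompute the key from the local identifier and
    compare trigger tags. On the wrong host the comparison fails and the sample
    stays dormant, so detonating it in a sandbox or on an analyst's machine
    shows nothing but a hash of the local identifier and a compare."""
    key = derive_key(host_identifier, sample["salt"])
    expected = hmac.new(key, b"trigger", hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sample["tag"]):
        return None  # dormant: not the intended host
    return xor_bytes(sample["ciphertext"], keystream(key, len(sample["ciphertext"])))


def demo() -> dict:
    """Run the same sample on the target (in two spellings) and on a sandbox host."""
    salt = b"constructed-salt-0001"
    sample = build_sample(TARGET_MAC, DEMO_PAYLOAD, salt)
    return {
        "target": run_sample(sample, TARGET_MAC),
        "target_alt_format": run_sample(sample, TARGET_MAC.upper().replace(":", "-")),
        "sandbox": run_sample(sample, SANDBOX_MAC),
    }


if __name__ == "__main__":
    for host, result in demo().items():
        print(host, "->", "dormant" if result is None else result.decode())
```

The point for a defender is the last function: the payload is never present in clear on any machine but the target’s, so signature extraction from a captured copy and behavioural detonation on a different host both come up empty. A reverser who recovers the salt and tag still has to guess the identifier; that is feasible for a constrained space such as MAC addresses from a known vendor range, and much harder for an e-mail address.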

I trust that I don’t need to describe what is at stake when the computer of a single high-net-worth individual, or of an executive at a large corporation, is targeted with a “one-off” designer rootkit.

At the recent Virus Bulletin conference in Montreal, several companies, notably Message Labs, weighed in on this issue. Specifically at risk are companies facing external enemies steeped in corporate espionage techniques. User ID-triggered malware is an ideal way for criminals or spies to steal information from a single computer - or user - without raising suspicions.

Why? Because the odds of a globally focused anti-virus manufacturer detecting, and profiting from, a single instance of a previously unknown piece of malware are tiny compared with the odds of detecting (and profiting from) a major outbreak. The attackers know that the money to be made from policing this kind of specific attack is small - so small that only a locally distributed, service-based company could possibly police this activity at a profit*.

Right now, such companies are in the minority. But this philosophical sea-change - from policing global virus outbreaks to policing targeted attacks using designer rootkits - is forcing a rethink. Enterprise and small business customers, and large network operators, are starting to move away from centralist “product in a box” manufacturers towards locally-focused Managed Security Service Providers (MSSPs).

A big part of the reason is that many MSSPs are willing to stand behind an enterprise-class, SOX-compliant, service level agreement (SLA). A second reason is that they’re able to respond locally. A third reason is that the MSSP business model is designed to enable profit through performance - a concept that most CIOs find quite refreshing.

As an industry, we’re not there yet - but take my word for it, we’re moving fast in that direction. In the meantime, if your job involves handling sensitive information related to valuable assets via a computer, consider every attachment you open and every file you download your own personal potential “Moscow Vector”: i.e. a targeted, user ID-triggered piece of malware. If you suspect an attack, call your MSSP. You might just save your company - or yourself - a lot of money.

*Note to some of the folks weighing in on the Microsoft vs. security vendors argument: the argument that security software vendors should not profit from policing the Internet or providing computer security is naive. Assets need quality protection and providing this protection is costly. Economics 101 says vendors need to grow their profits at least as fast as the criminals, or they will not be able to produce innovations at the same rate.
