At the end of 2009, Symantec made a few predictions of what to expect in 2010. Now that it's more than halfway through the year, Symantec has taken a look back and evaluated how the forecasts have panned out thus far.
The following are highlights of some of those predictions for 2010 and their status so far.
Prediction #1: Antivirus is not enough
With the rise of polymorphic threats and the explosion of unique malware variants in 2009, the industry is quickly realizing that traditional approaches to antivirus, both file signatures and heuristic/behavioral capabilities, are not enough to protect against today's threats. We have reached an inflection point where new malicious programs are created at a higher rate than good programs. As such, we have also reached a point where it no longer makes sense to focus solely on analyzing malware. Instead, approaches that assess every software file, good or bad, such as reputation-based security, will become key in 2010.
Status: On track
Reasoning: Unfortunately, the bad guys have proven us correct here. Symantec created 2,895,802 new malicious code signatures last year alone. This was a 71% increase over 2008 and a number representing more than half of all malicious code signatures ever created by Symantec. Furthermore, Symantec identified more than 240 million distinct new malicious programs, a 100% increase over 2008. We are on track to continue this upward trend in 2010. In just the first half of the year, we have created 1.8 million new malicious code signatures and identified more than 124 million distinct new malicious programs.
This means it is becoming less likely that traditional security technologies will catch every new threat out there; there are simply too many of them, even with automated systems in place. Technology that does not rely on capturing and analyzing a threat in order to protect against it, like Symantec's reputation-based security, is indeed becoming imperative. Other methods that are also playing a key role in combating today's most pervasive threats are heuristic, behavioral, and intrusion prevention technologies.
Prediction #2: Social engineering as the primary attack vector
More and more, attackers are going directly after the end user and attempting to trick them into downloading malware or divulging sensitive information under the pretense that they are doing something perfectly innocent. Social engineering is already one of the primary attack vectors used today, and Symantec estimates that the number of attempted attacks using social engineering techniques is sure to increase in 2010.
Status: On track
Reasoning: Social engineering is likely the world's second oldest profession, and its exploitation in the digital world was nothing unexpected. However, we have seen its effectiveness improve even further, thanks to Web 2.0. With so many computer users enraptured in a love affair with social networking, we have become accustomed to receiving emails announcing so-and-so would like to be our "friend" or is now "following" us. Attackers are taking advantage of social networking and are devising ever-more creative and convincing tricks to get users to download malware or divulge sensitive information.
Phishing attacks are a prime example of a socially engineered threat. In a world that is becoming less centralized around the PC, phishing allows cybercriminals to take advantage of computer users regardless of what platform they are operating on.
We have also seen social engineering play a large role in some recent, very high-profile attacks. For example, earlier this year, the infamous Hydraq attacks against a number of large organizations used, at least in part, socially engineered emails sent to an individual or a small group of individuals within the affected organizations. Once the user was tricked into either clicking a malicious link or opening an attachment, the Hydraq Trojan was installed on their machine.
Prediction #3: Rogue security software vendors escalate their efforts
In 2010, expect to see the propagators of rogue security-software scams take their efforts to the next level, even by hijacking users' computers, rendering them useless and holding them for ransom. A less drastic next step, however, would be software that is not explicitly malicious, but dubious at best. For example, Symantec has already observed some rogue antivirus vendors selling rebranded copies of free third-party antivirus software as their own offerings. In these cases, users are technically getting the antivirus software that they pay for, but in reality, the software can be downloaded for free elsewhere.
Status: Mostly on track
Reasoning: Rogue security software is still one of the biggest issues facing the security industry and consumers alike, but we have not yet seen peddlers of such nefarious applications go as far as making ransom demands to free locked-down computers a regular practice.
Prediction #4: Fast flux botnets increase
Fast flux is a technique used by some botnets, such as the Storm botnet, to hide phishing and malicious websites behind an ever-changing network of compromised hosts acting as proxies. Using a combination of peer-to-peer networking, distributed command and control, Web-based load balancing, and proxy redirection, it makes it difficult to trace the botnet's original geo-location. As industry countermeasures continue to reduce the effectiveness of traditional botnets, expect to see more using this technique to carry out attacks.
Status: Still possible
Reasoning: Thus far this year, we still haven't seen any major new threats using the fast flux technique. We hope it stays that way, but the reality is that the year is only half over. We have, however, seen the resurgence of an old foe that leverages the fast flux technique. The Storm botnet has recently re-emerged as a top botnet and it continues to use the fast flux technique to hide the website domains behind the hyperlinks it spams out.
We have also seen an increase in threats like Spakrab, a back-door Trojan that is typically used to send out spam. This threat uses techniques that result in similar camouflaging effects to fast flux, such as masking command and control server geo-locations by exploiting Dynamic DNS providers. Dynamic DNS is free, easy to set up, and allows attackers to use compromised hosts that do not have a static IP address, making their physical location harder to pinpoint.
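The two hiding techniques described under this prediction, fast flux proxy networks and command-and-control hosts on dynamic DNS, leave different fingerprints in DNS data, and both can be spotted from the resolver side. The script below is an added example, not Symantec code or part of the original post: it aggregates constructed passive-DNS observations (all names are under .example and all addresses are from documentation ranges) and flags a domain as fast flux when it shows a short TTL, many distinct addresses and several network prefixes, and flags dynamic-DNS names whose address changes between lookups. The thresholds, the dynamic-DNS zone list and the use of /24 prefixes as a stand-in for autonomous-system diversity are illustrative assumptions, not Symantec's detection logic.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of passive-DNS style observations: (timestamp, domain, ttl, answers).
SAMPLE_DNS_LOG: List[Tuple[str, str, int, List[str]]] = [
    # A stable corporate host: same two addresses, long TTL, one /24.
    ("2010-07-01T10:00:00", "www.corp-site.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("2010-07-01T11:00:00", "www.corp-site.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("2010-07-01T12:00:00", "www.corp-site.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    # A spam-advertised site fronted by a flux network: short TTL, a fresh set of
    # proxies on every lookup, spread over several network prefixes.
    ("2010-07-01T10:00:00", "cheap-meds.example", 60, ["198.51.100.14", "203.0.113.77", "192.0.2.201"]),
    ("2010-07-01T10:05:00", "cheap-meds.example", 60, ["198.51.100.88", "203.0.113.9", "192.0.2.133"]),
    ("2010-07-01T10:10:00", "cheap-meds.example", 60, ["198.51.100.3", "203.0.113.150", "192.0.2.42"]),
    ("2010-07-01T10:15:00", "cheap-meds.example", 60, ["198.51.100.201", "203.0.113.66", "192.0.2.7"]),
    # A command-and-control host on a dynamic-DNS provider: one address at a time,
    # but the name sits in a free dynamic-DNS zone and the address moved between lookups.
    ("2010-07-01T10:00:00", "update-check.ddns-provider.example", 60, ["203.0.113.201"]),
    ("2010-07-01T14:00:00", "update-check.ddns-provider.example", 60, ["198.51.100.150"]),
]

# Constructed list of dynamic-DNS zones (assumption); in practice this is a maintained feed.
DYNAMIC_DNS_ZONES = ("ddns-provider.example", "dyn-host.example")


@dataclass
class DomainStats:
    lookups: int = 0
    ips: Set[str] = field(default_factory=set)
    prefixes: Set[str] = field(default_factory=set)  # /24 networks seen: cheap stand-in for ASN diversity
    min_ttl: Optional[int] = None


def aggregate(records: List[Tuple[str, str, int, List[str]]]) -> Dict[str, DomainStats]:
    """Collapse the observation log into per-domain address and TTL statistics."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for _ts, domain, ttl, answers in records:
        s = stats[domain]
        s.lookups += 1
        s.min_ttl = ttl if s.min_ttl is None else min(s.min_ttl, ttl)
        for ip in answers:
            s.ips.add(ip)
            s.prefixes.add(str(ip_network(f"{ip}/24", strict=False)))
    return dict(stats)


def is_dynamic_dns(domain: str) -> bool:
    """True when the name is inside one of the known dynamic-DNS zones."""
    return any(domain == z or domain.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def classify(domain: str, s: DomainStats) -> List[str]:
    """Return indicator tags for one domain. Thresholds are illustrative assumptions."""
    tags: List[str] = []
    # Fast flux: short TTL so the proxy set can rotate, many addresses, spread across prefixes.
    if s.min_ttl is not None and s.min_ttl <= 300 and len(s.ips) >= 5 and len(s.prefixes) >= 3:
        tags.append("fast-flux")
    # Dynamic DNS: a single moving address rather than a rotating pool.
    if is_dynamic_dns(domain):
        tags.append("dynamic-dns")
        if s.lookups >= 2 and len(s.ips) >= 2:
            tags.append("address-churn")
    return tags


def analyze(records: List[Tuple[str, str, int, List[str]]]) -> Dict[str, List[str]]:
    """Map every observed domain to its list of indicator tags."""
    return {domain: classify(domain, s) for domain, s in aggregate(records).items()}


if __name__ == "__main__":
    for domain, tags in analyze(SAMPLE_DNS_LOG).items():
        print(f"{domain:40s} {', '.join(tags) or 'no indicators'}")
```

The two signals are deliberately kept separate: a flux domain is recognisable by the size and spread of its address pool within a short window, whereas a dynamic-DNS host usually answers with a single address and is identified by the zone it lives in, so a resolver log that only counts addresses would miss it.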
Prediction #5: URL shortening services become the phisher's best friend
Because users often have no idea where a shortened URL is actually sending them, phishers are able to disguise links that the average security-conscious user might think twice about clicking. Symantec is already seeing a trend towards using this tactic to distribute misleading applications, and we expect much more to come. Also, in an attempt to evade antispam filters through obfuscation, expect spammers to leverage shortened URLs to carry out their own evil deeds.
Status: On track
Reasoning: As predicted, spammers' use of URLs from link-shortening services has become increasingly popular. At its peak in July 2009, 9.3 percent of spam included some form of shortened hyperlink provided by one of the many free online shortening services. This is equivalent to more than 10 billion spam emails each day worldwide. In April of 2010, however, this peak figure nearly doubled to 18 percent of spam, the current historical peak.
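A mail filter can take the obfuscation out of a shortened link by following the redirect chain itself, with a bounded hop count and no page bodies fetched, and judging the landing domain instead of the shortener. The code below is an added example, not Symantec's filter or part of the original post: it extracts links from constructed sample messages, measures the share that use a shortener (the metric quoted above), and expands each shortened link against a constructed redirect table that stands in for live HTTP HEAD requests. The shortener hostnames, the redirect table and the blocklist are all illustrative assumptions; a live version would replace offline_fetch with a HEAD request issued with redirects disabled so each hop is inspected before it is followed.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed shortener hostnames (assumption); a real filter uses a maintained list.
SHORTENER_HOSTS = {"sho.rt.example", "tiny.example"}

# Constructed redirect table standing in for live HEAD requests:
# url -> value of its Location header, or None when the URL is a final landing page.
REDIRECTS: Dict[str, Optional[str]] = {
    "http://sho.rt.example/a1b2": "http://tiny.example/zz9",
    "http://tiny.example/zz9": "http://cheap-meds.example/buy",
    "http://cheap-meds.example/buy": None,
    "http://sho.rt.example/news": "https://www.corp-site.example/press",
    "https://www.corp-site.example/press": None,
    # Two shorteners pointing at each other: a chain that never lands anywhere.
    "http://sho.rt.example/loop": "http://tiny.example/loop",
    "http://tiny.example/loop": "http://sho.rt.example/loop",
}

# Constructed blocklist of landing domains (assumption).
BLOCKLIST = {"cheap-meds.example"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample messages; two of the four carry a shortened link.
SAMPLE_MESSAGES = [
    "Your order is ready: http://sho.rt.example/a1b2",
    "Press release: https://www.corp-site.example/press",
    "Check this out http://tiny.example/zz9 now!!!",
    "Meeting moved to 3pm, no links here.",
]


def offline_fetch(url: str) -> Optional[str]:
    """Stand-in for a HEAD request with redirects disabled: return the next hop or None."""
    return REDIRECTS.get(url)


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def is_shortened(url: str) -> bool:
    return urlparse(url).hostname in SHORTENER_HOSTS


def expand(url: str, fetch: Callable[[str], Optional[str]] = offline_fetch,
           max_hops: int = 5) -> Tuple[List[str], str]:
    """Follow Location headers hop by hop. Returns (chain, status) where status is
    'resolved', 'loop' or 'too-many-hops'; the chain records every hop for logging."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "resolved"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too-many-hops"


def verdict_for_url(url: str, fetch: Callable[[str], Optional[str]] = offline_fetch) -> Tuple[str, List[str]]:
    """Judge a link by where it finally lands, not by the shortener in front of it."""
    chain, status = expand(url, fetch)
    if status != "resolved":
        return "suspicious", chain  # never reached a landing page: treat as hostile by default
    host = urlparse(chain[-1]).hostname or ""
    if host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST):
        return "blocked", chain
    return "allowed", chain


def shortened_url_share(messages: List[str]) -> float:
    """Fraction of messages containing at least one shortener link."""
    hits = sum(1 for m in messages if any(is_shortened(u) for u in extract_urls(m)))
    return hits / len(messages) if messages else 0.0


if __name__ == "__main__":
    print(f"share of messages with shortened links: {shortened_url_share(SAMPLE_MESSAGES):.1%}")
    for message in SAMPLE_MESSAGES:
        for url in extract_urls(message):
            if is_shortened(url):
                verdict, chain = verdict_for_url(url)
                print(f"{verdict:10s} {' -> '.join(chain)}")
```

Keeping the whole chain rather than only the final URL matters for two reasons: a chain that loops or exceeds the hop budget is itself a signal, and a later investigation needs every intermediate hostname, since the shortener that was abused may be the only reproducible link between otherwise unrelated messages.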
Prediction #6: Specialized malware
Highly specialized malware was uncovered in 2009, which was aimed at exploiting certain ATMs, indicating a degree of insider knowledge about their operation and how they could be exploited. Expect this trend to continue in 2010, including the possibility of malware targeting electronic voting systems, both those used in political elections and public telephone voting, such as the systems connected with reality television shows and competitions.
Status: Still possible
Reasoning: We haven't seen a widespread outbreak of specialized malware, but we have seen glimpses of activity that lead us to believe we could still see this trend develop. For example, the previously mentioned Stuxnet threat, discovered in July 2010, was specifically designed to steal SCADA-related documents, including industrial automation layout design and control files.