The arrival of the cloud and mobile computing has changed the rules again for staying safe. We examine how anti-malware vendors are responding.
Talk to security software vendors and you’ll discover there’s a common theme in the changing landscape of threats faced by users: cybercrime is now fully industrialised. What started off as attention-getting individuals writing simple malicious scripts has evolved into a fully-fledged underground criminal economy. Far from being conquered, cybercrime is exploding.
According to researchers at Kaspersky, 35,000 items of malware are released every day – that gives you an idea of the industrial scale of malware production.
The resources and money used to combat cybercrime are vastly more extensive than in the past. Eugene Kaspersky, head of the Kaspersky Lab antivirus company, tells APC: “Writers of malicious malware hold conferences in regional areas of various countries including Russia, China and the US, where they discuss their current and future plans. This is further proof that cybercrime is dominated by organised crime, and gone are the days of teenagers looking to create a virus for notoriety.”
Phillip Wolf, head of Virus Labs at Avira, says: “These days you don't need to be a malware expert to get into that business. You simply need to know where to go – which forum and so on. Some people will offer to help you – you have to pay them of course."
The trend towards organised cybercrime has caused a massive explosion of malicious and unique malware. Symantec consumer spokesperson and Norton product expert David Hall says there were 286 million unique variants of malware last year alone and these were driven by attack toolkits.
To combat the overwhelming fireball of malware, vendors have turned to the cloud.
Cloud computing
Antivirus vendors agree that cloud computing can be harnessed to provide enhanced heuristic protection, real-time protection and reduce overall costs.
"One of the projects we’ve been working on for a couple of years now is building up a global threat intelligence system by putting research into the cloud to give people real-time reputation analysis," says Michael Sentonas, CTO for McAfee Asia Pacific. "If your machine comes across a file that is suspicious or has some sort of malicious intent, you can send a fingerprint of that file to our GTI system and get a response in real-time as to whether we’ve seen it before. We’ll tell your system to quarantine the file or to let it run. And we’ll do that in real-time and that’s taken a massive improvement in our detection scores."
Nigel Hedges, technical service manager for Kaspersky, says the company is growing its cloud computing infrastructure.
"The biggest addition to our current products is the continued augmentation of our Kaspersky Security Network, which is our cloud computing infrastructure, providing cloud protection capabilities. Consumers have had this in earlier versions of the Kaspersky product by agreeing to participate in the Security Network, which would collect information from the PC such as URLs and files accessed on the internet. Kaspersky doesn’t capture whole files (that would be a privacy issue) but rather calculates a unique hash on a file,” he says.
"With many people around the world potentially accessing this file, we’re able to get an accurate picture of its geographic spread; its implications (often found if the file is making a call home, such as a malicious link back to a web site). We’re able to quickly correlate such events and provide faster and more proactive protection to the PC.”
Hedges continues: "The result is a cloud-based integration that leverages the strengths of the heuristic protection of today. We’re also adding encryption features into our corporate solutions, but consumers today can enjoy this feature from our Kaspersky PURE product for home use."
AVG security evangelist Lloyd Borrett says: "My personal view is that cloud-based web security can deliver many benefits, but it will need to work in conjunction with device-based solutions. Cloud-based solutions can also leverage the power of multiple computers used in parallel, thus offloading heavy processing there.
“Most importantly, cloud-based security offers the ability for us to have huge communities of users all helping everyone stay safe online,” Borrett says. “This delivers visibility to traffic patterns from the community, live attack data, plus user and automated reputation based votes to help us know which potential threats are relevant."
Borrett makes an ominous warning about the cloud trend; what the good guys can harness, so too can the bad guys. “Let’s not underestimate the resourcefulness of our adversary,” he says. “Some of the best implementers of cloud computing solutions so far, and probably the biggest winners, are the cyber criminals. They already use cloud-based solutions to scam search engine results and manipulate other cloud-based services for their own purposes. You can be assured they’ll also try to scam cloud-based security solutions."
Phillip Wolf says cloud-based security allows a vendor to do more complicated things in the cloud than it can do on the client side. "Threat analysis is better to do in the cloud rather than locally on the PC because it can become sluggish or disabled. Threat detection will also suffer.”
Symantec’s David Hall says the company’s anti-malware product, Norton, has been using the cloud to store a massive reputation database. “It’s not just malicious software, but every piece of software in the world. Now we have the world’s biggest database – it’s a cloud-based technology and all of it is based on reputation," he says.
"So when a new threat is detected, we get a copy of it and put a fingerprint out to the Norton community. We can now see a file as it gets born into the world. And if it’s coming from a bad web site, that file will have a bad reputation because we know the reputation score of the web site bringing up malicious software."
A Microsoft spokesperson says the company continues to invest heavily in improving its security and protection technologies. These include “behaviour monitoring, rootkit detection, network inspection and other heuristic technologies. Unlike many anti-malware solutions, which are bundled with a reputation service to block malicious URLs, Microsoft provides the reputation service via SmartScreen for Internet Explorer 8 and Internet Explorer 9.”
Microsoft addresses security at various levels. “For instance, Microsoft Security Essentials is the free anti-malware service that provides real-time protection to consumers and small businesses to address the ongoing security needs of a genuine Windows PC,” he says. “Forefront Endpoint Protection 2010 provides protection for business environments, including anti-malware, behaviour monitoring and firewall management.”
Smartphones
Smartphones are seen as the biggest emergent security threat. Although the market has been around for a couple of years, it’s only flourished thanks to the rapid uptake of Android-based phones.
"The open-source nature of the Android operating system and the open-garden approach to allowing users to install software on their mobile devices opens the door for cyber criminals to write malicious code," explains AVG’s Lloyd Borrett.
This is combined with the fact that a majority of consumers are unaware of smartphone security threats. Head of the Online Threats Research Lab at BitDefender, Catalin Cosoi, says: "Threats targeted at smartphones have really come to the forefront in the past 12 months in terms of the number of users who have been affected. Android smartphone users should be particularly aware of the risks: as the Android Market isn’t moderated, an attacker can quite easily create an application that may seem innocuous but can access your emails, stored contacts and text messages.
"We’re also working on a security application for Android devices, for which a beta version has been launched and is freely available on the Android Market. BitDefender Mobile Security utilises a through-the-cloud antivirus service to scan your device for malicious threats or applications. It also allows you to keep track of the permission settings of each installed application, informing you of any that are attempting to access the internet or your personal data without your consent."
Carol Carpenter, executive general manager of Volume Customer Business Unit at Trend Micro, was also adamant about the threats to Android devices, which has forced the company to create the Android Security product.
"You have to have antivirus, but the more powerful piece is the call blocking and SMS blocking," says Carpenter. "We think threats with mobile devices are more about data identity theft – being able to wipe your data when you lose your phone and being able to retrieve the phone through GPS. That's what you’ll see coming from Trend – more about the status of information and not about the device per se." Trend also offers iPhone, iPad surfing protection and PlayStation protection.
The latest version of Kaspersky Mobile Security 9 for Android was launched in February. Nigel Hedges says the company will continue to focus on mobile: “Kaspersky will continue to investigate the Android market and add new features to our Android anti-malware agent. Kaspersky leverages homegrown solutions rather than OEM other products or components. So you know that Kaspersky produces an Android solution with our own carefully constructed software aiming at addressing growing malware problems on that platform.”
GFI Software’s Alex Eckelberry says: "Each mobile device – be it a BlackBerry, iPhone or Android device – contains contacts, personal data and maybe even saved passwords. In the wrong hands, a stolen smartphone, just like a stolen tablet or laptop, presents a potentially serious breach of a corporation's assets. However, smartphones are easier to secure, since it's fairly easy to write software to perform actions such as a remote wipe.”
Eckelberry points out that a mobile security solution is on its way from GTI Vipre for consumers and enterprise. "We’re working on a comprehensive security solution for smartphones which will include antivirus and anti-spam, and a broad range of additional features. This will initially be available to consumers and likely to our enterprise customers as well."
McAfee’s Michael Sentonas says the company’s mobile protection comes with full anti-malware support, so it protects against virus spyware and blocks risky sites. It will block navigation to phishing and scam sites. “We have a portfolio called McAfee Mobile Security that's designed to protect the device and the data on it against loss, theft, virus infection and risky mobile web sites.
“So you can remotely lock it and wipe all your data, and over the air back up and install locating and tracking. You can track the current SIM, so when a call is made you can lock the phone."
McAfee (now owned by Intel) has been working with the rest of Intel and Lenovo on some deeper mobile security measures. "We've been working mobile now for close to 10 years with products to secure mobile at an application layer as well as a chip layer. We're also working with certain carriers to bring out smart devices with the technology built-in," explains Sentonas. "What we’re trying to do is see how we can expand that and look at how we can build into what Intel is doing on the mobile front; to look at how close we can get to the hardware side of things."
AVG’s Lloyd Borrett points out that Android was resulting in some other threats peculiar to smartphones, such as dialler ware. “Think about one or two premium text messages being sent from a phone infected with ‘dialler-ware’ every month – with not too many people noticing the error and the tiny costs on their phone bill. Then if you multiply it by thousands or millions of devices, you can quickly understand where the huge source of revenue for cyber criminals originates.
"Location data had been unknowingly embedded on their handset, enabling others to track their location. Mobile applications transmitted confidential payment information, such as credit card details, without the users’ knowledge or consent."
Borrett says AVG has created protection for Android. "AVG Mobilation is helping prevent users from downloading more than 10,000 infected applications a day. The paid version offers additional functionality, such as location of lost devices, SMS filtering and backup, but even the free version offers a set of vital security features."
David Hall, from Symantec, says a big problem was complete loss of data when a user lost a phone. “While we were looking at how popular the Android platform was becoming, we didn't just want to take a traditional anti-malware product and jam it on an Android platform. We’ve released Norton Mobile Security for Android, which is available in the Android Market. You can set it up to send a text to lock it or locate it and it will send you back its GPS location. If worst comes to worst you can send a kill command to wipe it." Another concern Hall has is with privacy issues raised by maverick applications. Users often install apps and blindly agree to let the application access to the phone’s information, e.g. SMS logs and GPS locations.
Paul Ducklin, head of technology for the Asia Pacific region at Sophos, discusses the latest mobile phone product aimed at small businesses. "The latest product in our range is Sophos Mobile Control – we're pretty proud of that because it provides a way for businesses to bring some degree of control to the smartphones and mobile devices they have in the organisation.”
Ducklin says staff bring their personal devices into the workplace, get on the company network and put sensitive data on their devices to help them do their job. If they lose their phone, then the company's data is exposed.
To get around this problem, Sophos Mobile Control will let staff choose which device they want to use for business and therefore eliminate the need for two devices.
"So we have a console that unifies that management. We allow the administrator to take some control over the devices they have in the company,” Ducklin says. "You can set the minimum security for the device, for example, password protection and encryption, and remote wipe if it gets lost. This is easy if you have a device that’s encrypted – you just need to erase the key and what you’re left with is shredded cabbage."
