Untitled Document
[an error occurred while processing this directive]
05 March 2007  
Untitled Document

Technology Life


Between The Bytes


Technology Senate
Technology Sabha


HMA Bankbiz
UPS Batteries

Contact Us
Network Sites
Network Magazine India
Exp.Channel Business
Express Hospitality
Express TravelWorld
feBusiness Traveller
Express Pharma
Exp. Healthcare Mgmt.
Express Textile
Group Sites
Indian Express
Financial Express

Untitled Document
Home - Technology - Article


Blended threats, Blended complications

The Internet has become that much more dangerous in recent months, with several attacks using the Web to launch and spread into the mainstream. These sophisticated threats make use of more than one attack vector. By Dominic K

A blended threat is often referred to as a ‘blended attack’. Some people refer to these attacks as ‘combined attacks’ or ‘mixed techniques’. A blended threat exploits one or more vulnerabilities as the main vector of infection and may even perform additional network attacks such as denying services through a Denial of Service (DoS) attack against other systems. The use of multiple attack vectors increases the likelihood of successful infection and also makes combating these threats more difficult.

The lethality parameters

Blended threats can be lethal. They scan for vulnerabilities in an enterprise network, enter via e-mail attachments, shared file folders, wireless devices, Web pages, laptops, telnet and other entry-points. Once in, they quickly replicate, flooding and harming the network.

Such threats and attacks can enhance the severity of damage and speed of contagion by combining various methods. An attack using a blended approach might send a virus via an e-mail attachment, along with a Trojan horse embedded in a HTML file that will damage the recipient computer. Blended threats combine the characteristics of viruses, worms, Trojan horses, and malicious code with desktop, server, and gateway vulnerabilities to initiate, transmit, and spread an attack.

By utilising multiple methods of attack and self-propagation, blended threats can spread rapidly and cause widespread damage. In addition to short-term financial loss, these disruptions can seriously damage an organisation’s brand and customer goodwill. Network security breaches can trigger expensive legal consequences as well.

Such attacks usually attempt to infect networks using the techniques of a mass e-mail virus and also by attempting to find vulnerabilities in software that have not been plugged, to infect or attack an operating system or application.

Unravelling threat patterns

"A blended attack will come over multiple ports, such as SMTP or POP as well as HTTP. Sometimes the only pattern is that the target is the same for each of the attacks"

- Richard Steinnon

Blended threats can be any combination of attack and propagation methods. Many spread as worms—programs that spread through vulnerabilities in a network. Unlike true viruses, worms do not depend upon other applications to work.

Network or security administrators may suspect a blended threat attack if after cleaning and blocking a particular vector, infections return. For e.g. administrators determine that the initial infection arrived through peer-to-peer (P2P) protocols, but even after closing that vector and cleaning the systems, infections continue.

According to Richard Stiennon, CMO, Fortinet, “A blended attack will come over multiple ports, such as SMTP or POP as well as HTTP. Sometimes the only pattern is that the target is same for each of the attacks.”

“Initiating, transmitting or spreading an attack through viruses, worms, Trojans and then exploiting vulnerabilities in a system is yet another pattern”, adds Sunil Manglore, CEO Datacraft India. Such attacks have more than one payload such as a backdoor installation and then launch a buffer overflow or a DOS attack on the system. This propagates through various channels such as e-mail and file-sharing network.

It is difficult to determine a blended threat because there is no single symptom of the problem. This is because there are problems occurring in different locations. For example, if the enterprise has a solution from brand X at its gateway, an anti-virus solution on each desktop and a network device from some other vendor, then each device’s administrators will have a view of only his part of the problem because the console deals with only the specific part. This limits the administrators’ ability to detect the vulnerability.

Generation Next threats

Nowadays, viruses or other malicious programs are released within a few days of any vulnerability being discovered. The gap has reduced to as little as one day. Hence, the patching window gets smaller, within which the malicious program exploits the system vulnerability and spreads rapidly.

Many Trojans and bots make use of blended threats to infect and control infected systems. In 2006, backdoor Trojans and bots continued to comprise a significant percentage of the malicious software detected by Microsoft, and therefore remain a top threat to consumers and business.

Seemingly every day a new threat emerges, whether through Web attacks, spyware, malicious mobile code, or phishing. Due to delay in the patching by a few hours, the impact is devastating. As such malicious programs have immense capability to propagate and inflict damage. An organisation can be brought to its knees in a few hours. The MyDoom malware family caused between $73.2 bn and $89.5 bn of damage worldwide.

General characteristics of blended threats
  • Like conventional viruses, blended threats can damage files, corrupt OS configurations, and overwhelm network resources. Common damage includes changing registry settings, injecting malicious code into OS executables, and adding scripts to HTML documents
  • Blended threats can include routines that probe for known vulnerabilities, such as buffer overflows and the use of default passwords on predefined accounts
  • Newer threats are making greater use of networks to maintain the malware after it has infected a system. Worms such as Fizzer connect to a Web site to download updates to the virus
  • Blended threats might contain basic network utilities. As noted, the Fizzer virus has its own SMTP engine; the Lovsan virus has a built-in Trivial File Transfer Protocol (TFTP) utility
  • It can plant Trojan horses that erase hard drives, steal data and launch denial-of-service (DoS) or distributed DoS attacks
  • Embed malicious code in HTML files to infect visitors to a Web site
  • Send unauthorised e-mails with worm attachments
  • Inject malicious code into a network’s .exe files and alter security access levels

Difficulties exposed

Blended threats strike with blinding speed. Unfortunately most enterprises are unprepared to handle these. One of the main problems faced by enterprises is that they cannot determine that they have been hit by a blended attack.

Many enterprises may not have internal expertise in managing complex blended threats. If they do have services from system integrators, who have the required expertise, they would still find it difficult to isolate and fix the problem. The other issue is that solutions are usually purchased from more than one vendor and it takes time to correlate and find the root cause of a problem and then get back to the concerned vendor for support.

For example, in an organisation with multiple vendors, if there is a problem with a desktop PC, the vendor might try to fix the desktop problem, and then a problem might arise with the server. If the vendor who sold the security product for the server is different from the one who sold the PC security tool, he would disclaim responsibility. So, a lot of time is taken to fix the problem in a blended attack. This is because there are multiple vendors involved in the organisation and the entire procedure of trying to find solutions against multiple attacks becomes quite cumbersome for a large organisation.

“SMBs would typically have neither the skills nor the resources to deal with blended threats, because of the multiple attack vectors used. Larger companies with MIS departments may also have difficulties repelling these threats because it is often difficult to justify the added expense in security products when they have already invested heavily on existing equipment,” says Stiennon

The worm propagation mechanism has the greatest impact on the health of a network. The damage stems from a worm’s intense network scanning, which consumes end-system CPU resources and accessibility, network device processing cycles, and network bandwidth. The rapid rate of infection and the aggressive scan rate cause traffic congestion and network instability.

Prabhat Singh, Head – India, Security Response Operations, Symantec says, “Blended threats are more lethal and dangerous as they blend in rootkit technology to hide on compromised machines. These threats are utilising spamming techniques to spread faster and wider. The recent outbreak of Trojan.Peacomm blended almost everything. It arrived in a machine via a spam mail or it could be dropped by the mass mailing worm named W32.Mixor.Q. It had the ability to install itself on machine as a device driver and hide itself. This threat was aimed at creating a hidden peer to peer network such that each compromised machine is aware of its peers and such a network can be used effectively for various destructive activities such as DoS and downloading new threats.”

Best practices to be followed
Use the latest tools Today's products protect the network from end to end. Security manufacturers now offer comprehensive, system-wide detection and reporting products that monitor vulnerabilities, manage security policies and block threats before they enter. This could be used in conjunction with advanced firewall software or appliances to manage entry of remote workers via VPNs.
Seal unnecessary entry points Discover where FTP, telnet and other potentially unneeded functions can be removed, to further tighten security.
Change passwords regularly Create a password policy for remote workers and enforce the same across the enterprise. Strengthen the plan by requiring that employees change their VPN and key application passwords routinely, every six months or so.
Update network software Enterprises need to ensure that applications are patched for security and upgraded as soon as updates become available. Or they can simply outsource network maintenance.
Encourage common sense Enterprises can instruct the employees not to open attachments unless they are expecting them. That may be easier said than done, but the results will save the IT staff some headache.

Framing a response

Websense Security Labs informs that the number of phishing incidents, on average, has been about three to six every day. In the current year, Voice-over-Internet-Protocol (VoIP) phishing has become the latest phenomenon. Blogs, personal Web hosting and social networking sites are also being utilised to host exploits, phishing, and fraud.

Cyber-criminals continue to use innovative social engineering techniques to further their exploits. Of the sites designed to steal credentials, almost 15 percent are derived from toolkits, an emerging tactic from the hacker community.

According to the Websense Security Labs H1 trends report, a 100 percent increase has been noted in sites designed to install key loggers, screen scrapers and other forms of crimeware. Conversely, Websense has seen more than a 60 percent drop in Web sites designed merely to change user preferences, such as browser settings.

Singh says “In the first half of 2006, we have seen malicious code become more covert, less recognisable, and motivated more than ever by economic gain. Not only have codes become more sophisticated, but the infrastructure supporting its creation and spread has also become more complex. Cyber-criminals are now more creative, organised and business savvy”

Current trends in the threat space
  • Money motivated attacks such as banking Trojans which steal a user’s identity to access his bank account
  • Denial of service (DoS) attacks to extort money from e-commerce Web sites
  • Attacks delivered via MMS that cause cell phone accounts to be charged
  • Internal threats from employees and trading partners. In fact, most of the security breaches emanate from internal business networks
  • Interconnected networks with no clear boundaries. As boundaries between networks disappear in order to connect partners and suppliers, multiple vulnerability points are introduced
  • Security for Web services has been problematic and difficult to standardise and enforce across organisational boundaries, leaving enterprise network boundaries porous and permeable
  • Growing use of personal applications such as Web-based e-mail, instant messaging, and peer-to-peer applications provide multiple points of entry for viruses, worms, and other attacks and provide a readily accessible means of disseminating proprietary and confidential information
  • Phishing and pharming attacks: New schemes for Internet-based fraud are difficult to stop, and they pose the risk of identity theft to unsuspecting customers and employees
  • Spyware on the rise. Two-thirds of computers are infected with spyware
  • Spam and spim: Unsolicited e-mail (spam) accounts for more than half of e-mail traffic, costing businesses billions per year. Instant messaging spam (spim) is also on a major rise

Striking back

Even with a diligent IT staff, enterprises may need to take a closer look at network security. There are several reasons why a network may become vulnerable. Over time employees may inadvertently create vulnerabilities. Remote workers access the network via laptops and PDAs, which can create potential security breaches if their entry via a virtual private network (VPN) isn’t fully protected.

Temporary employees and outside consultants who access the network and lack familiarity with security procedures may also leave ports unsecured. Traditional security approaches have become outdated. Anti-virus measures alone can not stop blended threats. That is because these threats can enter via numerous insecure ports, and spread so quickly, that an anti-virus application cannot be updated in time to contain the threat. In some cases, the blended threat infection rate is hundreds of PCs per second.

Firewall software can be configured to prevent certain types of attacks from happening in the first place provided it is fine tuned and monitored regularly. Worms and viruses will continue to be successful as long as computing resources have security vulnerabilities that can be exploited. To protect itself, an enterprise must implement a comprehensive, multilayered, enterprise-wide security strategy that protects against both known and unknown outbreaks, simultaneously.

No single product can protect an organisation from an outbreak. Prevention measures must be a part of a comprehensive strategy that is properly implemented across the enterprise to create a complete line of defence.

This strategy must include a combination of solutions and processes, as a part of an established security policy that mitigates the impact of an outbreak if an unknown worm or virus does manage to get inside the organisation. Although most enterprises have put a security policy in place, more discipline is needed to ensure that these policies are updated on a regular basis based on the company’s needs, the current environment and threats.

Equally important is for employees of respective organisations to strictly adhere to and follow the company’s security policy. Finally, the enterprise IT architects such as CSOs, CIOs and CTOs, must manage and mitigate security and privacy related risks that dramatically affect their profitability, corporate governance and compliance imperatives. From simple yet insidious to complex and pervasive, these security challenges threaten to overwhelm business boundaries and protection mechanisms, thus requiring an increasing share of management attention and IT resources.


[an error occurred while processing this directive]
[an error occurred while processing this directive]
Untitled Document
[an error occurred while processing this directive]
[an error occurred while processing this directive]

Untitled Document
Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.