In association with heise online

31 December 2006, 10:23

The year 2007: A review through the crystal ball

It's the season of the end-of-the-year reviews. We have used our crystal ball to jump forwards a year to provide you the ultimate review of 2007 -- here and now.

2007 was the year of the super bots: Never before has malicious software been equipped with so many functions that help it to hide from antivirus software and to resist removal. The majority of malicious software programs used rootkits, and their number doubled again on last year's figure to over 500. Local privilege escalation vulnerabilities in Windows were increasingly exploited; accounts with restricted user rights were used to gain system rights. Initially, the protective functions in Windows Vista, which has been available for end customers since January, made it more difficult for malicious code to infiltrate the system. The crimeware scene responded, and as the year progressed numerous vulnerabilities appeared that were exploited to cancel or bypass the majority of the security functions. The user account protection (UAC), in particular, proved to be ineffective: Most users just confirmed any such requests, since they did not understand the displayed information.

While in 2006, DDoS attacks with botnets were mainly targeted at unwanted competitors, online betting offices and consumer protection sites, 2007 also saw large attacks launched on critical infrastructures. In April, the stock exchange nearly crashed, when a DDoS attack on the electronic trading system disconnected it from the Internet for several days, resulting in automated control programs losing control and attempting to divest shares in a panic reaction.

When analysing this event, neither law enforcement agencies nor other specialists involved were able to switch off the responsible botnet with its decentralised control. The individual bots communicated with each other in a peer-to-peer structure, similar to those used for file sharing sites; the commands transferred in the Net were encrypted and had a digital signature.

An insurance company suffered significant damages, when a botnet attack cut off all the telephones in the entire company group for two days. While the Voice-over-IP infrastructure proved to yield operational cost savings, this was at the expense of system stability, when vulnerabilities of the SIP protocol were used for targeted attacks. So far, no explanation has been found for why the attacks stopped abruptly after two days; persistent rumours say that a six-digit sum changed hands.

For security software vendors, too, 2007 was a black year: The number of critical holes detected in products that had been designed to provide a higher degree of security was higher than ever before. For instance, various worms used zero-day exploits for holes in antivirus software to find a way into the system during the mail scanning process.

For the first time, underground prices for such zero-day exploits dropped in 2007, compared to the previous year. Insiders think this drop in prices was caused by a glut of such exploits, mainly due to the broad usage of simpler fuzzing tools. Bit by bit, these half-automated vulnerability scanners are uncovering the (security) sins of a whole generation of programmers.

Again, the share of web-based attacks experienced strong growth rates. However, malicious web sites did not so much exploit holes in browsers; rather, they used holes in media player plug-ins and software for Internet Explorer, Firefox and Opera, to infect PCs. The popularity of video portals such as YouTube, MyVideo and ClipFish, as well as social networking sites, contributed to this development, with the MySpace worm being the sad culmination. For several weeks, this worm exploited a hole in the Flash Player to infect the PCs of hundreds of thousands of visitors, logged their surfing patterns and chat activities and posted this information in public forums.

With many companies starting to migrate to Web 2.0, the security situation changed for the worse: Cross-site scripting holes on web servers became an epidemic plague. Defacing web sites advanced from an insider gag to mass entertainment when Jonathon Ross presented his favourite pages on the sites of Buckingham Palace, the White House and the Vatican. For a short time, the Xacks archive -- named after a combination of XSS and hack -- had even more page impressions than shooting star YouTube. Meanwhile the ministry of justice announced plans to impose penalties for accessing such manipulated URLs.

Traditional web applications did not get off scot-free either. After the "month of PHP bugs" in March 2007 and the subsequent intrusion into tens of thousands of web servers, global web hosters were forced to take their servers off the Net for several days, until updates for the major PHP holes were available. In a study published in June 2007, the US-CERT recommended that PHP should not be used for critical environments. The National Infrastructure Security Coordination Centre advised against the usage of PHP on the servers deployed in state and public institutions and authorities and suggested using Ruby on Rails instead.

Regarding privacy issues, 2007 experienced a continuation of the payback trend: An increasing number of companies tried to buy off the onerous restrictions imposed on the usage of personal data. With attractive offerings, they enticed customers into accepting terms and conditions that grant the respective providers freedom from restriction in this context. The case of an IP-TV provider, which sold its advertisers profiles containing its customers' viewing behaviours, including names and addresses, led to a public awakening after radical feminists outed two conservative politicians as regular viewers of a porno channel. Since then IP-TV providers have discussed committing themselves to not passing personal data to puckish third parties.

A slip-up also cast a shadow on search engine provider Google: Contrary to their own assertions, the data octopus had analysed and indexed all e-mails processed through their mail service. Due to a mistake made by an administrator, a database of the highly secret project was mirrored onto the external index servers, and as a result, the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour. This event adds weight to warnings against a potential combination of data from the traditional search engine, Google Desktop, Google Analytics, YouTube and other Google services. Whether this will have consequences or not, will be revealed in our year 2008 review.

So let's just hope that our crystal ball is wrong...

heise Security
