Cisco and IronPort: Filters Are Not Enough

A recent report from IronPort and its parent company Cisco says that threats are not only growing, they are changing in ways that will force ISPs to adopt new anti-malware technologies.

"ISPs know that spam is out of control," says Rand Wacker, senior group product manager at an anti-malware subsidiary of Cisco, San Bruno, Calif.-based IronPort. "We saw a 100 percent increase in spam this year, and a 100 percent increase last year. It's an arms race, and in order to maintain a consistent absolute number of messages arriving in each inbox, spammers are increasing the number of messages sent. We're seeing the equivalent of 20 spam messages per day for every man, woman, and child on the planet."

Attacks are changing. "The really scary part," says Wacker, "is the viruses that infect systems through vulnerabilities, such as in IE, that are not detected by traditional anti-virus software." Whereas in the past a virus would have been contained in an attachment, today the malware can sit on a remote website, and the spam need only contain a URL directing the recipient to the infected site. All of it is detailed in a new report from IronPort and Cisco called "Internet Security Trends for 2007: A Report on Spam, Viruses, and Spyware."

Converged threats

IronPort is touting Senderbase, a system we first wrote about in detail two years ago (see The Future of Messaging). As you can see from the title of our 2005 article, we were impressed with Senderbase from its inception. Many anti-malware operations have a threat operations center (TOC) and track trends in bad stuff in real time. But none that we know of track 110 variables in real time (although MessageLabs might be doing this). The reason it's necessary, according to IronPort, is a new type of malware.

A new malplatform

Orbeton explains that while in the past viruses were written with specific instructions, attacking one vulnerability and delivering one payload, Storm can receive updates. For example, the botnet component is designed to keep track of which machines remain infected and which have been cleaned. It is even designed to track the behavior of researchers and launch DDoS attacks at any machine deemed to be studying the Storm system. "At first we wondered why it was launching automated attacks against investigators," says Orbeton. "Then we realized it was because Storm's creators have spent so much time designing it and intend to reuse it."

Further malware innovations loom. Wacker warns that legitimate sites have been infected and used to spread trojans. "We no longer see website defacements by teenagers," he says. "These are professionals and they want their malware to be stealthy."

IronPort is warning that there's a problem and it offers its own products as part of the solution. Whether or not you choose IronPort for your own operation, at the very least make sure that you can protect your customers from web-based threats. IronPort's products, especially Senderbase, are well worth looking at. We'll have more on Unified Threat Management (UTM) later this month when we publish a report from our security expert, Lisa Phifer.