TechWeb

Unpatched Machines Seen As Major Security Threat

Apr 25, 2005 (09:04 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=161502434


Hackers will keep cranking out exploits that take advantage of known software vulnerabilities because, although patches are available, only a minority of machines are fixed, security vendor McAfee said Monday.

In releasing its quarterly security analysis, McAfee's "AVERT" virus research team noted that exploited vulnerabilities are becoming a dominant threat to both consumers and enterprises.

"The day of the virus may have come and gone," said Vincent Gullotto, the vice president of AVERT. "One day it may swing back, but now we're looking at different types of programs, not viruses, that threaten computers. And many of them are exploiting machines' vulnerabilities."

According to AVERT's estimates, half or more of the computers connected to the Internet aren't properly patched or updated. Not good, especially when the number of vulnerabilities spotted in the first quarter of 2005 was up 6 percent over the same quarter last year.

Because there are so many unpatched PCs, said Gullotto, the hacker's job is made easier: rather than have to dig up vulnerabilities on his own -- extremely challenging, technically -- he can sit back and wait for patches to be posted, then reverse engineer the patch to find the vulnerability.

While traditional viruses may be on the way out, other threats have stepped in to fill the gap, and more. Phishing, for one, said Gullotto, although what we now think of as phishing may be old news -- and not much of a threat -- someday soon.

"Today's phishing is what I consider to be spyware," said Gullotto, because many of the most effective attacks now use password stealers and other such software -- like in-the-background screen capture programs -- to swipe identities or account access.

"But I think we'll see a reduction in the number of traditional phishing sites that entice people to divulge information," he said. "Instead, we'll see programs that are pure spyware that can directly target the clientele they want, to get the data they need."

Rather than scatter-shot a deluge of bogus messages spoofing Citibank, for instance -- which delivers mail to people who aren't Citibank customers -- phishers will focus their efforts by either fine-tuning their spam lists or planting bank- or company-specific spyware on users' PCs, then waiting to snatch usernames and passwords.

"They'll want to specifically get on a machine for a specific customer and specific bank," said Gullotto. "They want to leave that spyware on the computer until it gives them the identity information they're after."

Speaking of spam, Gullotto and his AVERT group see spam tailing off, volume-wise, perhaps as soon as the next quarter or two, and spammers coming under attack from an unlikely source: phishers.

"We'll see identity thieves spoof spammers," he said. "Phishers will increase their use of spam-like offers to take advantage of those people who respond to spam. They'll send out e-mail, for instance, supposedly selling Viagra, but they'll be after the credit card and identity, not the sale. Two days later the 'buyer' is still waiting for his Viagra. And 30 days later, when he gets his credit card bill and sees it's been hijacked, it's too late."

If phishing identity thieves really step up this strategy, as Gullotto expects, "spammers themselves could be in the situation that banks are today. No one will believe spammed offers are legit."

Not that too many of us will be feeling sorry for spammers.

"No one will cry over spammers if they get spoofed," said Gullotto. "After all, there's a bit of vigilante in all of us."