SC Magazine
The SC Magazine Awards 2008 Blog

Targeted trojans proliferating

Posted March 24, 2008

Mark Sunner, chief security analyst, MessageLabs –
As categories of malware go, targeted trojans occupy the sharp end of malicious activity.

The mainstream viruses we read about in the security press have no particular target in mind but are rather aimed at a blanket audience. However, lurking behind the scenes are the targeted trojans — victimizing a specific company or perhaps even a specific individual. Because their numbers are comparatively small, they tend to go largely unnoticed, but all the indications are that activity in this area is flourishing. Something that once only affected prominent Blue Chip companies is now moving into the mainstream – but many of us don’t even realize that such threats exist.

At the end of 2005, Alex Shipp, MessageLabs senior anti-virus technologist, and his team of anti-virus researchers made a startling discovery following up a hunch that targeted trojan activity was actually far more common than was popularly believed or previously reported.

Sifting through the rafts of interception log data was a daunting task, but as November 2005 came to a close it began to look as though this perseverance was about to pay off. Blocking targeted malware was not the hard part – but figuring out that it existed at all was very difficult indeed.

Central to the challenge was the signal-to-noise ratio. The background noise created by the millions of other volume threats was very difficult to tune out to get a clear picture of what was really going on. What Alex and his team found was both fascinating and worrying:

For almost every week of that year to date either one or two targeted trojans were indeed being intercepted by MessageLabs anti-virus technology. In every instance, the targeted trojans were emanating from the same geographic source and heading toward the same target. But what was most troubling was the high level of sophistication combined with advanced social engineering tactics. Clearly somebody, somewhere really wanted in.

Now that Shipp and his team had devised a way of finding the “needle in a haystack,” monitoring the phenomenon became a core part of MessageLabs’ overall threat detection. By 2006, MessageLabs had honed its ability to monitor the faint signal of targeted interceptions, evolved it into a routine task, and was intercepting targeted attacks at an average of one per day with varying geographic sources, destinations and across industry sectors. The threat vector was experiencing exponential growth in every direction.

By early 2007, MessageLabs routinely intercepted approximately 10 targeted trojans each day. The threat profile was mixed, but China was the most common source and the Blue Chip industry sector a popular destination. While the problem was threatening, it seemed to be under control, but few could have predicted what happened next.

On June 26, 2007, at approximately 11 a.m. EST, MessageLabs intercepted a run of 514 targeted trojans over a two-hour period. Each instance referenced the email recipient by full name and job title and carried a Word document attachment, purporting to be either a customer complaint or a corporate financial penalty relative to the business in which the recipient was involved. The trojan was embedded inside the Word document and was capable of giving remote access to the victims’ PCs.

Overall, these trojans were similar to all previous interceptions, but the sheer volume of them was something that had never happened before. Instead of targeting a specific industry sector, these attacks targeted specific job titles — C-level executives such as CFOs, CTOs and CEOs — who would likely have access from their laptops to proprietary corporate information.

This first blast of targeted attacks was followed by a second blast of 1100 targeted trojans in September 2007 and again in November 2007 with 900 Trojans. Another more recent blast of 900 Trojans in February 2008 arrived with a twist, containing hyperlinks instead of an attachment. The links were self-contained search requests of the Better Business Bureau’s (BBB) actual Web site that when activated, would locate a BBB affiliate. It was the affiliate site that had actually been compromised and housed a re-direct to a third site where the new trojan was planted, disguised as an Adobe Acrobat update.

While all MessageLabs customers have been fully protected through every targeted attack run, it is becoming increasingly important that organizations understand the potential harm that can be done given this sharp increase in new levels of difficult-to-detect activity. Botnets, spam, phishing and spyware are high-volume attacks and can go relatively undetected on the security radar. Targeted attacks are stealthy and are beginning to make their mark on business. MessageLabs predicts there will be another large run before the end of March.

Filed under: Awards 2008

Notes from a security roundtable

Posted March 20, 2008

Chris Wysopal, CTO and co-founder, Veracode –
I recently led a roundtable event in New York and Washington, D.C., entitled “5 Trends Shaping Software Security.” This event involved several high-level CISOs, and we focused on creating awareness of software security issues within enterprises.

The general consensus was that developer awareness seems fairly mature, while executive awareness remains spotty. Many of the executives were interested in the idea of metrics, particularly in comparing peer groups. Metrics around secure software could be used to create accountability within business units, generating monthly reports to show who is creating secure software and create a positive competition between groups.

A few main topics discussed at the roundtables:

Technology trends: Web 2.0 and emerging mobile devices were top technology threats. Concerns were expressed about the impact of virtualization and Software-as-a-Service on software security. Concerns ranged from a lack of understanding of the new risks introduced by virtualization to new software development methodologies and a lack of recognition of the ‘enemy’.

Managing security from a business perspective: Progress is being made, but balancing compliance, risk management and business drivers continues to be a challenge. Using clear, simple metrics to create corporate accountability is a key goal. Multiple participants mentioned the challenge of balancing security compliance and time to market for delivering software.

Creating a market demand for software security: Most felt that a security standard approach rating system should be applied to commercial off-the-shelf software as well as outsourced development.

Development best practices: Successes were discussed in areas of increasing developer awareness, and a few leaders had strong programs that spanned the entire software development lifecycle. Security success starts at the code level. Ensuring secure code needs to be a priority – preventing flaws like hidden backdoors — a serious vulnerability that can provide sophisticated hackers easy, undetected access to an application and the highly confidential customer or company data that resides in it. Left intentionally or unintentionally, backdoors are a way developers can bypass authentication or other security controls in order to access the software application, and are often left in by accident. However, this increases the security risk of an entire organization.

What do you think? Have you experienced security success in your organization? What are the trends in your organization around shaping and monitoring software security?

Filed under: Awards 2008

The Access Lifeline

Posted March 17, 2008

Kurt Roemer, chief security strategist, Citrix –
SSL/VPN continues to be the technology lifeline of remote workers who require access to rich applications and data sources. Originally, these workers viewed the SSL/VPN as a simple extension of network connectivity, with many now finding greater utility in managing application access – both inside and outside the organization.

SSL/VPN technology has opened the doors wide to accommodate remote access needs. That’s no surprise, but what is surprising is how the control and management granularity of SSL/VPN are being applied to internal applications’ needs. There are many drivers behind this evolution, including access fluidity, support, granular application-level control and compliance.

In today’s highly regulated economy, “distributed everything” doesn’t make sense anymore. However, overly restricting the capabilities of the workforce leads to diminishing productivity – and an increasingly upset user community. In the face of deploying traditional “solutions” that would only deepen the chasm between technology and users, balancing the straightforward access methods and strict controls of SSL/VPN started to make sense for all classes of user needs.

By brokering virtualized access to application, desktop, network and data resources, the SSL/VPN has proven to be a mighty delivery vehicle.

Whether the access is from the office, home, an outsourcer or a personal mobile device, ease-of-access and security needs can be met. The application-level enforcement of security and compliance policies, including strong authentication, encryption, detailed audit logging and user controls that are consistent across applications has been a tremendous benefit for IT. Compliance is also a primary benefactor of these extensive capabilities and controls.

In the future, it’s logical to see this technology expand to become much more focused on brokering increasingly intelligent access and being intertwined with dynamic personal and business policies. A consistent access method for all flavors of access solves real problems, such as the separation of home and work environments on a personally owned device, as well as the assurance for the business that a managed barrier exists between personal and business usage and users’ divergent interests.

As an example, a worker attempting to access a highly-sensitive document will be subject to layered scrutiny, seamlessly automated through rich policy. As this worker issues the access request from their personal device, the policy notices that the worker is not using a managed device and that the requested application displays information that is subject to regulatory concerns. The workflow engine kicks in transparently and requires strong authentication, displays the application virtually for use and restricts the ability to copy, paste and print.

This situation requires on-line access, but what if the worker needed to complete the report on an airplane? On a managed device, workflow policy may have requested manager approval to copy the report to the device, after verifying that the report can only be saved to a properly encrypted managed partition.

By consolidating access methods and automating workflow and policy, the SSL/VPN has become the gateway that delivers the worker’s access lifeline. Now we just need a catchier name that portrays the true power of evolving “SSL/VPN” usage!

Filed under: Awards 2008

Live hash “recipe”

Posted March 13, 2008

Chet Hosmer, chief scientist, WetStone Technologies, Inc. –
Autonomous hashing and live discovery technologies are advancing rapidly and provide value and expediency for forensic investigators. It is important as we advance these solutions that we consider not only what we collect, but also engineer solutions that can prove what we collected, where we collected it, when we collected it, and by whom it was collected.

Traditionally, hashing is performed during postmortem forensic investigations and is used to maintain evidence integrity, as well as to identify known files (known good or known hostile). Digital investigators commonly utilize one-way hash technologies, such as the MD5 or SHA varieties, to generate unique mathematical signatures of known files.

Autonomous hashing (over the wire, or during direct overt or covert interactions) – the process of collecting hash values from live running systems – can significantly speed the identification of known threats and known files that users should or shouldn’t possess.

Performance enhancement is obtained by performing the hashing function utilizing the target machine’s computing resources – in other words, off-loading the processing to the target. This approach has two important benefits: the content of the files, directories or drives being hashed doesn’t pass over the network, which could potentially expose non-encrypted proprietary data; and the performance is dramatically improved, especially if multiple targets are being processed simultaneously, resulting in reduced network traffic congestion.

Autonomous hashing is accomplished by pushing a small software agent to the target machine (credentialed access to the target under investigation is required to accomplish this, or the agent must be installed a priori). The hashing agent is then instructed to gather hashes from the target machine and report back results when completed.

The agent can be instructed to collect hashes from all drives and devices permanently or temporarily attached; searches can be further restricted to specific directories or file types. This can include USB or Firewire drives, local or remote network drives, or mounted or encrypted file systems.

Once the collection of hashes (and associated file attributes) is completed, the agent delivers a report back to the investigator workstation with the result. In most cases this report is delivered as a compressed and encrypted XML document that is ready for post processing by the investigator. The reason this document is encrypted is to prevent the disclosure of file system data collected by the agent. Even though the file contents are not included in this report, file system information contained in the report still may contain proprietary data that requires protection.

Post processing of the resulting discovery provides investigators with a wealth of data regarding the target.

Obviously, a file system inventory may reveal recent documents, population of images, audio files, movies, application data, documents etc. In addition, based on the hash values collected, a comparison of hashes collected to known good (operating system programs, application files, development tools) or known bad (rootkits, password crackers, botnet files, trojan horse, encryption, steganography, key loggers etc.) programs/applications can be made. In addition to the known good or bad files identified in such a discovery, files containing proprietary data could be identified based on the hash files, known file names or known partial hashes.

One of the criticisms of utilizing autonomous agents that execute on the target platform is the potential untrustworthiness of the Operating System (OS) of the target.
Developers of autonomous discovery technologies certainly are aware of the threats posed by rootkits and other malicious code that can intercept OS calls and circumvent the discovery of hidden directories or files.

Without revealing the specific details of the countermeasure that developers employ to overcome these hooks, it is safe to say that self-inspection of the operating environment is critical to effective autonomous hashing software. This implies that the software must perform a thorough inspection and determine whether core API calls that will be used can be judged safe.
In addition to trustworthiness concerns, there is anxiety over agent modifications of target evidence that would bring into question the efficacy of the discovery in court. This is a valid concern, and the responsibility of those engaged in the development of such agents must be considered from the top down.

For example, great care must be taken to audit every operation and potential modification that the agent may cause. In addition, time stamping (from a trusted source) should be included in robust solutions in order to prove the exact time the “snapshot” of the file system was taken and when collection of the hash values occurred. Since the target machine is running before, during and after the discovery, at the very next moment the file system is likely to have changed – this is especially important when collecting hashes across multiple targets potentially existing in differing time zones.

Filed under: Awards 2008

Internet climate control?

Posted March 10, 2008

Scott Chasin, chief technology officer, MX Logic –

For years now we have faced the deluge of spam and other digital pollutants clogging the communication vectors of the Internet.

Unfortunately, the rising tide of duplicitous advertisements and contaminated bits billowing from the massive and far reaching botnet factories of “planet Internet” will only continue to worsen as the technology being embraced by their malevolent facilitators continues to outpace that of the slow reactive filtering models.

This reactive cleanup model, installed as protective filtering gateways or desktop scanning processes, provides an invaluable asset in the war against internet pollution.

However, it doesn’t take an internet environmentalist to note that the volumes of pollutants are increasing at such a fast pace that inboxes are still getting clogged and the pipes connecting those end-points are being suffocated and choked.
Can the reactive model keep up with the threat? Or will the delivery of malicious bits evolve faster, with more sophistication, morphing to a scale that will dwarf the attempts of signature and heuristic-based reactive approaches?

One thing is for sure, the internet climate IS changing. The filtering models that have been installed are not only changing the behavior of how we use the internet (think quarantines and virus updates) but are also impacting the reliability of communication.

Filtering isn’t completely accurate and mistakes can be made. Some could say we are simply sorting the pollutants from the Inbox to the quarantine. Are we simply wearing gas masks and ignoring the saturated spammy internet atmosphere?

Some recent studies suggest that if a typical email server on the internet were to relax or drop its edge filtering, it would be overrun with contaminants within minutes, crashing or halting under the burden.

I’ve advocated the use of outbound filtering models for some time, especially with internet service providers.

Since the majority of pollutant-spreading botnets are usually seeded within an ISP’s consumer subscriber base, shouldn’t the ISP have tighter control on what bits are leaving their networks? It seems, up until now, that ISPs have largely ignored the pollution emanating from their networks and have only really focused on the incoming pollutants from other providers. Perhaps the symbiotic nature of controlling one’s own pollution output could ultimately help diminish the input deluge that seems to be the primary focus of today.

Maybe we are ready to enter a new world of proactive medicine?

It appears to me that internet security and pollution control are certainly ready for new models of containment, and the recent advances in identity and trust management could be the future of how pollution on the Internet will be controlled and squelched.

That said, the reliance on reactive filtering will never dissipate and will for the unforeseeable future likely be a cornerstone of Internet pollution control, protecting millions of internet inhabitants from phishing, botnets, viruses, worms, spam, spit, spim and every other new form of evil bit that evolves to subvert the security of our privacy, our attention and our wallets.

Filed under: Awards 2008

Monitor the “high-hanging fruit”

Posted March 6, 2008

Hugh Njemanze, founder and CTO, ArcSight –

Traditional security monitoring strategies have focused on the “low-hanging fruit” of the perimeter.

Security analysts are comfortable talking about firewalls, VPNs, IPS and the like, because they generally fall under the control of the security and operations teams. But over time it has become clear that the scope of monitoring activity needs to expand and consider a broader range of threats.

Now, monitoring internal network devices, operating systems, databases and applications—the “higher-hanging fruit”—becomes strategic. When the strategy includes detecting threats from insider activities, the need for monitoring can expand to printers, desktops, identity management solutions and even physical security solutions.

However, this goes beyond simply monitoring a broader range of devices to paint a more complete picture of your organization’s security status and posture. Having that information is great, but the real payoff is the ability to use the captured data to enable an organization to make better business decisions.

Are our policies being followed? Are we compliant? Are we more secure today than yesterday? How does this help my business? These are all questions a comprehensive and scalable monitoring solution can help address.

Because the data being analyzed crosses many technical and political boundaries, the monitoring solution needs to integrate decision support systems, allowing groups such as security, operations, desktop support, application, telephony, HR, legal and management to work together to address suspicious or malicious activity.

Security is no longer just an IT issue; it impacts the entire business so decisions can’t be made in a vacuum. Having solid policies and processes in place around incident detection, notification, escalation and response will allow security to be more tightly integrated with the organization’s mission.

So now you’re collecting the data and you have a strong decision support system; it is time for security to provide not just qualitative but quantitative results.

In the past, it has been hard to define ROI when discussing security, but that’s changed. Mature monitoring solutions should yield tangible results such as:
• Decreased response time for incident detection and resolution
• Reduced number of employees who are required to do analysis (i.e., let your security engineers focus on more strategic objectives – not sifting through logs)
• Reduced training costs because monitoring is being leveraged from a central point
• Greater employee retention – because your security engineers aren’t burned out by “syslog madness”
• Security as a business differentiator – more companies are advertising their commitment to security, and even more importantly, their implementation of effective programs as a way to retain or generate more business

While it may start with capturing data feeds, a robust security monitoring solution can provide multiple paths to business optimization far beyond those commonly associated with security and compliance. The net benefit is that it allows you to know more about what’s going on inside your organization and make more efficient, effective and informed business decisions.

Whoever knew logs could be so valuable?

Filed under: Awards 2008

DAM: Heart of security

Posted March 4, 2008

Ron Ben-Natan, CTO, Guardium –
The most valuable resource managed by IT is an organization’s data, and data security has become the number one issue for CIOs and CSOs. This was not clear seven years ago, when we started working with key enterprise customers on a new generation of security products, but it is quite clear today.

There are two key compliance drivers: One is data privacy, required by PCI and other data privacy regulations. These initiatives establish controls to ensure that sensitive data cannot be accessed by unauthorized users, and create a secure audit trail of all access to that data. The second driver is ensuring the integrity of data for corporate governance, as characterized by SOX controls around the activities of privileged users.

Thanks to compliance (or really bad cases of insider fraud or a breach), data security is now even on the minds of CFOs, CEOs and board-level executives.

This focus on data security has naturally propelled Database Activity Monitoring (DAM) to the forefront. All enterprise applications use databases as the back-end, and the vast majority of data addressed by these security and compliance projects resides in databases. If the network can be viewed as IT’s arteries and veins, the database is the heart or brain – or both.

The most interesting thing about DAM is that it did not grow up in a vacuum. Databases have always had good security and auditing capabilities.

For example, almost all major database platforms have provided entitlement management and auditing. Oracle had native auditing in the early 1980s and put in Virtual Private Database in 8i. IBM’s DB2 and Informix similarly have had auditing for a very long time. Sybase has sybsecurity and Microsoft SQL Server has C2 audit, traces, and in SQL Server 2008, Change Data Capture.

I think that DAM has caught database vendors off guard – from their perspective, they gave users all the tools to implement security and compliance. What they didn’t realize is that other methods can be an order of magnitude easier to implement (also, most enterprises have multiple DBMS platforms deployed, so a single vendor’s solution usually isn’t the optimum approach).

Where is DAM going?

I believe the focus will be on optimizing business processes and increasing operational efficiency. Understanding where different types of data are located, how they’re being accessed, and analyzing and controlling access behaviors are key not only to security, but also to effective data management. But the crux is efficiency.
DAM is no longer about whether you can observe all database access. The focus has turned to how easily you can implement these capabilities and what you can do with them to optimize your environment.

DAM is growing quickly – because it has become mainstream. Seven years ago we had to convince people it was important. But DAM is also evolving (and will eventually change its name) because customers need to go beyond simple monitoring. They need more automation, auto-discovery, and preventive controls that support more stringent security, compliance and granular access policies – without requiring additional staff or disrupting existing infrastructures.

Filed under: Awards 2008

Web 2.0: A “Perfect Storm?”

Posted March 3, 2008

Roger Thornton, Founder/CTO, Fortify Software –
Web 2.0 technologies are spawning an explosive growth in client-side processing (Ajax/Flex), distribution of executable content (JSON), and the mixing of code from multiple sources (Mashups).

These represent architectural decisions in applications and their underlying frameworks that were made in order to improve user experience and application functionality. However, if we are not careful, these design decisions will also lead to an explosion in vulnerabilities that can be exploited both on the client and the server.

One of the major underpinnings of “Web 2.0” is the introduction of rich client interfaces based on Ajax or Adobe’s Flex platform. These technologies can greatly enhance the web user experience, transforming it from simple web forms to the direct manipulation of a rich set of UI controls typically found only in desktop software today.

This requires that more code, in the form of JavaScript, execute on the client. This programming model also introduces lightweight distributed-computing mechanisms, namely JavaScript Object Notation (JSON), which facilitates the use of JavaScript as the primary means of communicating between client and server. Unlike transporting HTML and XML, we will now be transporting much more executable content.

Historically, whenever we depend on more software outside our control on the client or on executable content shared between programs, we see an increase in vulnerabilities. So here comes this next giant new trend and this one is the perfect storm.

Not only are we going to push code onto the client and pass around scripting code, we are also going to mashup all this code and content from multiple servers on a single client. Andrew Jaquith from Yankee Group termed it best in his 10/2007 research report – “The Web 2.0 Security Train Wreck”.

Web 2.0 applications and frameworks encourage developers to put more code on the client, ideally to enhance client side usability. But this will lead many developers to mistakenly put business logic and other critical code into the client without understanding the resulting security implications.

We call this class of problem a Trust Boundary Violation. This happens when we place code that requires a trusted execution environment into a location that is potentially under the control of our adversary. These types of problems were extremely common when JavaScript first made its way into web development. Back then developers would put input validation code in JavaScript on the client side in order to avoid a round-trip to the server when the user entered erroneous data. This was fine if the erroneous input was accidental, however, if it were malicious, JavaScript running in his own browser would not foil the attacker. They would simply disable the JavaScript and enter the malicious input to an unsuspecting server program, likely to be vulnerable since it assumed the client side checks were made.

More code on the client is fine, if that code is all eye candy to enhance the user experience. It is definitely not okay to put validation out there, and it’s absolutely not okay to put security controls out there.

While Web 2.0 will create a wave of vulnerable systems, it doesn’t necessarily mean that there are going to be new types of vulnerabilities: many of these problems are a rehash of the same old stuff that has simply found a new home. There’s going to be a cross-site scripting (XSS) explosion.

We may call them XSS problems, or give them fancier names like JavaScript Hijacking, but it’s fundamentally the same stuff. Careless handling of executable content is the underlying issue behind all variants of cross-site scripting (and SQL injection for that matter). Any design that calls for two programs passing executable content across trust boundaries will have to be carefully implemented (and used) to avoid inevitable security issues. That will be the case forever; the next big thing that does this will be a security problem too if we don’t learn this and design accordingly.

We must become better at recognizing these problems in the abstract if we are ever going to build things right the first time. Building things wrong, then waiting for the security community to find the mistakes (while the criminals exploit them), and then reworking everything is a major waste of development capacity and an unnecessary risk for businesses that increasingly depend on these systems.

What do we need to do to prepare for the Web 2.0 Train Wreck?

To borrow a couple of clichés: this train has already left the station and there is no stuffing the genie back in the bottle.

Your company is going to deploy lots of Web 2.0 technology and it will put your business at risk. What you can do is make sure that your security team is working closely with your software development teams (internal and third-party). Stay on top of the vulnerabilities and exploits as they become public, and be sure you have a quick-response setup in place to mitigate and repair any of your software applications that have Web 2.0 vulnerabilities.

At the same time we can all work on making sure software developers and system designers understand fundamental security concepts so that Web 3.0 can deliver on the astonishing functionality it will surely promise without putting our systems and data at such risk.

Filed under: Awards 2008
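The trust-boundary point made in the post above, as an added example that is not part of the original post: a server-side handler written in JavaScript (Node, no third-party packages) that repeats the allow-list check a page might also run in the browser, and encodes user-supplied text before echoing it into HTML. The field names, the username pattern, the length limit and the three sample requests are assumptions made for this illustration.

```javascript
// Added example (not from the original post): the same allow-list check that a
// Web 2.0 page might run in client-side JavaScript, repeated on the server side
// of the trust boundary, plus output encoding for content echoed back into HTML.
// The field names, limits and request shape are assumptions chosen for the demo.

// Allow-list for a username: 3-20 characters, letters, digits and underscore only.
// A client may run the same check for fast feedback, but the server must never
// rely on the client having done so.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;

function validateUsername(value) {
  return typeof value === "string" && USERNAME_RE.test(value);
}

// Free-text fields cannot be allow-listed as tightly, so anything echoed back
// into a page is encoded for the HTML context it lands in.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Simulated server-side handler. `body` is whatever arrived on the wire; the
// server cannot know whether the browser-side validation ran, so it validates
// again here and treats every field as untrusted.
function handleProfileUpdate(body) {
  if (!body || typeof body !== "object") {
    return { status: 400, error: "malformed request" };
  }
  const { username, bio } = body;
  if (!validateUsername(username)) {
    return { status: 400, error: "invalid username" };
  }
  if (typeof bio !== "string" || bio.length > 200) {
    return { status: 400, error: "invalid bio" };
  }
  // Validated data is kept as-is; encoding happens at output time, per context.
  return {
    status: 200,
    html: `<h1>${escapeHtml(username)}</h1><p>${escapeHtml(bio)}</p>`,
  };
}

// Constructed sample requests: one well-formed, and two shaped the way a request
// looks when the browser-side checks were skipped or disabled.
const REQUEST_OK = { username: "alice_01", bio: "Likes cats & dogs" };
const REQUEST_BAD_USERNAME = { username: "alice<script>", bio: "" };
const REQUEST_HTML_IN_BIO = { username: "bob", bio: "<b>Hi</b> & <script>" };

// Runs all three through the handler; returns the responses so they can be checked.
function demo() {
  return [REQUEST_OK, REQUEST_BAD_USERNAME, REQUEST_HTML_IN_BIO].map(handleProfileUpdate);
}

console.log(JSON.stringify(demo(), null, 2));
```

Whether the browser ran its check is invisible to the server: a request built by hand looks exactly like one that passed the client-side JavaScript, so the server-side check is the one that counts. Output encoding is the second half of the same idea; a field that must accept free text cannot be allow-listed, so it is neutralised at the point where it is placed into HTML rather than trusted as inert.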

Web 2.0 needs Security 2.0

Posted February 26, 2008 * Comments(0)

Tom Kendra, Group President, Symantec Corp. –
While increased internet connectivity has fundamentally changed the way we do business, it also has introduced new security and IT risks that make yesterday’s approach to security ineffective. Just as new ways of doing business were ushered in with Web 2.0, next-generation security practices must be adopted to ensure a more enlightened era of enterprise security.

Call it Security 2.0—an evolution in security that focuses not only on protecting systems and keeping hackers out but also on securing information and interactions. Security 2.0 is driven by policy, enabled by technology and strengthened by a well-managed infrastructure.

All large and publicly traded companies have IT and security policies they need to enforce. Developing security policies to meet the requirements of external regulations can be difficult and costly. Typically, these regulations do not include specific recommendations on what technologies and procedures a company should put in place to achieve and demonstrate compliance. Basing a security policy on frameworks such as ITIL, COBIT and ISO provides specific guidelines on what information a company needs to secure and what IT controls to implement.

In a Web 2.0 world, security policies must focus not simply on protecting devices but on securing information. After all, the primary purpose of the devices and systems that make up an IT infrastructure is to carry and contain the organization’s most valuable asset—its information. Consequently, a security policy must help organizations manage and control both inbound and outbound content to protect them from the inadvertent or intentional distribution of confidential and sensitive information.

The growing sophistication of today's attacks and the varied risks that businesses face in today's connected world call for security that is both scalable and layered. In addition, businesses must operationalize security by standardizing and automating the processes and the software. This will allow organizations to drive down the costs of day-to-day security activities so they can be more proactive when it comes to protection.

Companies need to have adequate antivirus, antispyware, and other signature-based protection in place. However, these measures are no longer enough on their own and must be layered with more proactive types of protection such as whitelisting or behavioral-based protection that analyzes patterns and reputation to block targeted threats before they happen.

Protecting the network must also be considered. Technologies like Network Access Control and anti-spam appliances are becoming commonplace within large and mid-size businesses to prevent bad things from entering the network. Data loss prevention (DLP) solutions are ideal for protecting the good things—sensitive information like customer credit card data or intellectual property—from exiting through the network.

As security becomes a foundational component of business, the traditional way in which companies manage it must change. A next-generation security strategy should embed security throughout an organization's business processes. Security policies, workflows and technologies must span disconnected organizations to address the interconnected risks that threaten the organization as a whole, because the organization is only as protected as the weakest link in the security chain.

Tom Kendra is Group President, Security and Compliance Management Group, at Symantec Corp.

Filed under: Awards 2008

Shedding light on the shadow economy

Posted February 19, 2008 * Comments(0)

Maksym Schipka, Senior Architect, MessageLabs –

I have been spending a lot of time recently exploring the criminal underworld. The shadow internet economy is a $105 billion business and involves tens of thousands of participants – a market even bigger than the global drug trade.

As senior architect and chief malware researcher at messaging and web security provider MessageLabs, I am on the front lines of the internet daily, exploring and infiltrating the very websites and chat rooms that the bad guys are using to assemble their next attack.

Speaking Russian fluently, I am able to understand more of the websites, chat forums and exchanges that are very active in online crime. What I have discovered is disturbing. The shadow economy is more specialized and sophisticated than we ever believed possible. Online criminals boast of making $10,000 a day and there is little chance of ever being caught. The shadow economy operates similarly to the global economy with price competition, division of labor, specialized trade and marketing.

The crime starts with the malware author who creates a new virus, Trojan or spyware to infect a computer. These authors market their software in the hopes that a middleman will buy it. Off-the-shelf malware sells for about $250, and $25 per month gets a subscription to updates that will ensure the program evades detection. The middleman uses a botnet to spread the newly purchased malware, using its massive computing power for widespread spamming. As innocent, unassuming computer owners begin to respond, the middleman collects stolen credit card numbers with complete identities which he can sell for around 3 percent of the remaining card balance.

Some middlemen make a business out of laundering stolen credit cards, using a drop service to receive the goods purchased with a stolen credit card. An elaborate system of guarantors and escrow accounts has also emerged to regulate transactions in the underground. This proves that the market is growing more and more sophisticated and is driven by economics and the participants who value their long-term reputation in the shadow economy.

It is clear that the front runners in the shadow economy are constantly working to improve the quality of the products that they sell, testing them against anti-virus mechanisms to guarantee their products are effective. Every time a vendor updates its anti-virus product, the malware author creates a new version. In fact, malware authors can produce new malware as fast as every 45 seconds to keep it undetected.

For those of us in malware detection, this means that there is no end to malware in sight. Heuristic detection is the only surefire way to prevent the bad guys from propagating more malware.

Filed under: Awards 2008
