It seems attacks are maturing. Instead of wide-scale mass penetrations, attackers appear to be going for targeted and specific penetrations. This is backed up by several sources: Sophos' 2005 Report, MessageLabs' 2005 Report (1) and a warning from holy_father, author of the Hacker Defender rootkit.
There are several advantages to a targeted hack:
- The intrusion is less obvious. Attack detection is pretty poor, especially among home users, so there is less chance of the attack being noticed.
- The results are more manageable. Attackers don't need a million credit card numbers when several hundred will do.
- General information about the attack is less useful. Sharing details of the attack with the wider community helps less, because few others will see the same attack. This is most obvious with signature-based products such as IDS and anti-virus: they are less likely to get a sample of the attack from which to create a signature, and any signature they do create is too specific to help anyone else.
Both the Sophos and MessageLabs reports indicate that these sorts of attacks are on the rise. Meanwhile, holy_father's tool shows how easy it is to make anti-virus researchers run a losing signature-creation race. Given the large number of variants of existing malware (Netsky, Sober and Bagle in particular), just creating signatures for each variant seems silly. It is the old whitelist vs blacklist debate. Hacker Defender's premium offerings demonstrate this: you pay for a customised rootkit, so on the off chance it is detected, the resulting signature is only effective against that one customised version.
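The whitelist vs blacklist point above can be made concrete with a small comparison. The following is an added illustration, not code from the post or from any product it mentions: it runs a toy byte-pattern signature (the blacklist model) and a SHA-256 allowlist of approved builds (the whitelist model) over three constructed, harmless byte strings that stand in for files: the build a vendor received a sample of, a customised build of the same tool, and a known-good application. All sample contents and the signature are invented for the example.

```python
import hashlib
import re

# Constructed, harmless byte strings standing in for files on disk.
# Nothing here is real malware; only the detection behaviour matters.
SAMPLES = {
    "tool_v1":        b"HEADER|greet=hello|port=31337|stub=ABCDEF",
    # Same tool, customised build: two fields changed, everything else identical.
    "tool_v1_custom": b"HEADER|greet=hello|port=44444|stub=ZZZZZZ",
    "editor":         b"HEADER|app=editor|version=1.0",
}

# Blacklist model: a signature extracted from the ONE sample the vendor got.
# It keys on bytes that are specific to that build (hypothetical pattern).
BLACKLIST_SIGNATURES = {
    "tool_v1": re.compile(rb"port=31337\|stub=ABCDEF"),
}


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, used as the allowlist key."""
    return hashlib.sha256(data).hexdigest()


# Whitelist model: hashes of the builds this organisation has approved to run.
ALLOWLIST = {sha256(SAMPLES["editor"])}


def blacklist_verdict(data: bytes) -> str:
    """'malicious' if any known signature matches the bytes, otherwise 'clean'."""
    for signature in BLACKLIST_SIGNATURES.values():
        if signature.search(data):
            return "malicious"
    return "clean"


def allowlist_verdict(data: bytes) -> str:
    """'allowed' only for an exact known-good build; anything unknown is 'blocked'."""
    return "allowed" if sha256(data) in ALLOWLIST else "blocked"


def compare_models(samples=SAMPLES) -> dict:
    """Map each sample name to (blacklist verdict, allowlist verdict)."""
    return {name: (blacklist_verdict(d), allowlist_verdict(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (blacklist, allowlist) in compare_models().items():
        print(f"{name:16} blacklist={blacklist:10} allowlist={allowlist}")
```

The signature catches only the exact build it was written from; the customised build passes as clean, which is the race the post describes. The allowlist blocks both unknown builds without ever having seen either, at the cost that every legitimate new build has to be approved before it will run.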
This isn't a new type of attack. Skilled attackers have generally used very targeted attacks. What has changed is that attack methods are maturing and getting better as a general trend. Pretty scary. It also means that threat monitoring with services such as DShield and Snort becomes less useful, so we know even less about potential threats.
I have believed for a while that there is too much of a focus on script kiddie attacks, mostly because they are visible. There is no public research into skilled threats. The little there is is mostly sensationalised, e.g. Titan Rain.
(1) If anyone can find me a copy of the actual report, I would be most grateful.