RSS To Carry Spyware Before End Of Year
Richard Stiennon, director of threat research at anti-spyware software vendor Webroot, first presented his six predictions at this week's Gartner IT Security Summit.
Number one on his list?
"The first spyware that targets Firefox will appear in the first half of 2005," prognosticated Stiennon. "That means either a spyware writer will take advantage of a vulnerability in Firefox, as others already have in Internet Explorer, or create a site that forces Firefox to invisibly download and install adware or spyware."
Stiennon's apparently not worried about the impending deadline for his prediction. "Test code against Firefox exists," he said, "and I've seen [spyware] exploits against Firefox that don't work. At the Gartner conference, I had a conversation with the CIO of another security firm, and he said that his company had just found an example."
Some of Stiennon's predictions were no-brainers, and one was made with tongue firmly in cheek. "The number of new Microsoft vulnerabilities will grow," he said. "That was said tongue-in-cheek." Others, such as his bet that the number of different types of spyware will triple in 2005 to reach 4,500 total, are easy prophecies, he added, since "we're well on our way for that number right now."
In Stiennon's opinion, his most distressing prediction is that spyware will latch onto RSS (Really Simple Syndication) as a way to distribute ad- and spy-style software.
"I'm extremely concerned about this," said Stiennon. "Already we're seeing marketers look to RSS. A recent list by marketing types on why RSS is better than e-mail, for example, had 'no more annoying complaints about spam' at number 8. Where marketers go, adware and spyware writers follow."
Another nasty possibility, said Stiennon, is that a vulnerability will be found in one of the big blogging services. "If a spyware writer finds a way to inject code into a blogging site -- which could take the form of a SOAP object -- most likely through a future vulnerability in Internet Explorer 7, then everyone who subscribes to that service's blog RSS feeds is gonna get infected." Such an attack could be massive, and because of the automated nature of RSS, extremely fast-acting.
Finally, Stiennon predicted that rootkits, hacker toolkits now used by the most sophisticated worm authors to hide evidence of their malicious code from anti-virus scanners, will migrate to spyware this year.
"There's a very small group, under 2,000, of advanced spyware writers. They're already experimenting with rootkits, and when they start using them in numbers, spyware is going to be very very hard to detect."
Stiennon's final prediction didn't make his list at Gartner's conference, but it is no surprise considering how much space on his blog he has devoted to the recent Israeli incident, in which executives of several companies have been charged with industrial espionage after hiring private investigators who in turn used a British programmer's spyware Trojan to infect rivals' computers.
"An episode of industrial espionage using spyware will be revealed in the U.S.," Stiennon said. "Without a doubt."