Hollywood action movie heroes are formidable adversaries: adept in martial arts, experts with weapons and explosives, brilliant hit-and-run tacticians. A blend of samurai, ninja, and Native American, the action hero is an irresistible force. Imagine if Chuck, Arnold, Jean-Claude, and the rest were drawn to The Dark Side. Now imagine that they are executable code on your computer. It's not your imagination; it's a blended threat.
A multi-pronged attack
Blended threat is a popular term for a multi-pronged attack against networked computers. Symantec describes a blended threat as an attack that combines "viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack." Blended threats are designed to propagate quickly, like worms, but instead of relying on a single attack vector (such as email), blended threats are designed to use whatever propagation path exists.
In movies, the action hero contrives a way into a secure compound. He neutralizes guards, disarms alarms, booby-traps vehicles, destroys heavy munitions with explosives, mows down countless armed ground forces throughout the compound with all sorts of devastating weapons. He incapacitates or destroys anything in his path, as quickly as possible. He attacks many locations simultaneously, to confuse the enemy and confound countermeasures. Many blended threats follow the same script.
On the Internet, a blended threat engineers its way into computers and networks as an email attachment. It takes over the "command center" by compromising the computer and assuming administrative control of it. With administrative privileges, it may try to disable the computer's guards and alarm systems by erasing event logs and disabling antivirus and personal firewall software. It may install malicious code, "booby traps" for unwitting users that damage or erase critical system and information files. Blended threats almost always try to attack many locations simultaneously. Having penetrated an organization's defenses through one computer, a blended threat typically tries to expand its attack. Blended threats will try to exploit common network services, such as file sharing, FTP, Telnet and even VPN connections, to proliferate damage throughout an organization's network and to other networks as well.
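The "guards and alarms" behaviour described above (event logs erased, antivirus or firewall services stopped, spread via file shares) is exactly what a defender can correlate. The following is an added example, not code from the original article: it runs a simple multi-prong correlation over constructed Windows event records, using real event IDs (1102, 104, 7036, 7045, 5140) but invented host names, times and service names.

```python
# Added example: correlate several "prongs" of a blended threat on one host.
from collections import defaultdict
from datetime import datetime, timedelta

# Each prong the article names maps to a Windows event ID that evidences it
# (IDs are real; everything else in this example is constructed).
PRONGS = {
    1102: "security log cleared",          # Security: "The audit log was cleared"
    104:  "system log cleared",            # System: event log cleared
    7036: "defensive service stopped",     # Service Control Manager state change
    7045: "new service installed",         # persistence / payload install
    5140: "network share accessed",        # spread via file sharing
}
DEFENSIVE_SERVICES = {"windefend", "mpssvc", "wscsvc"}  # AV, firewall, security center

def classify(event):
    """Return the prong name an event evidences, or None if it is benign."""
    eid = event["id"]
    if eid == 7036:
        # Only a *stopped* defensive service counts; ordinary services stop all day.
        if event.get("state") != "stopped" or event.get("service", "").lower() not in DEFENSIVE_SERVICES:
            return None
    return PRONGS.get(eid)

def find_blended_hosts(events, window=timedelta(minutes=10), min_prongs=2):
    """Flag hosts showing >= min_prongs distinct prongs inside one time window.
    Returns {host: sorted prong names} for flagged hosts only."""
    by_host = defaultdict(list)
    for ev in events:
        prong = classify(ev)
        if prong:
            by_host[ev["host"]].append((ev["time"], prong))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {p for t, p in hits[i:] if t - t0 <= window}
            if len(seen) >= min_prongs:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed sample events: WS-17 shows a multi-pronged pattern, FS-02 does not.
T = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    {"host": "WS-17", "time": T, "id": 7036, "service": "WinDefend", "state": "stopped"},
    {"host": "WS-17", "time": T + timedelta(minutes=1), "id": 1102},
    {"host": "WS-17", "time": T + timedelta(minutes=3), "id": 5140},
    {"host": "FS-02", "time": T, "id": 7036, "service": "Spooler", "state": "stopped"},
    {"host": "FS-02", "time": T + timedelta(hours=2), "id": 5140},
]
```

A single prong on its own (one share access, one stopped print spooler) is noise; it is the coincidence of several within minutes that matches the script the article describes.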
Worm or blended threat?
Many of the most nefarious worms - Nimda, CodeRed, BugBear, Klez and Slammer - are more accurately categorized as blended threats. Nimda variants used email attachments, file downloads from a compromised web server, and Microsoft file sharing (e.g., anonymous shares) as propagation methods. Some Nimda variants modified user (guest) accounts to provide the attacker, or maliciously installed executable code, with administrative privileges. The more recent Conficker and ZeuS/LICAT worms are also blended threats. Conficker employed all the traditional distribution methods. Both use domain generation algorithms to contact C&C hosts and download malware; the LICAT file infector amplifies ZeuS's formidable man-in-the-browser Trojan.
Escalating privileges is the ultimate end game for a blended threat attack. If provided with administrative privileges, executable code incorporated into a Nimda variant, Conficker or any blended threat payload can in theory perform any operation available, thus enabling keystroke logging; file copying, removal or modification; communications monitoring and modification; and unauthorized service operation: imagine someone operating a kiddie porn file server or underground chat room from your web server.
There's a (marketing) tendency to claim that blended threats are a new worry. McAfee, at least, doesn't feed this F.U.D., describing blended threat as "a relatively new term for a type of malicious code attack that has been around for the past few years". This is indeed the more accurate representation. Amphibious assaults were not "new" in 1944, nor were parachute and glider attacks, strategic long-range bombing, and bombings by French resistance forces. Coordinating all these attacks to coincide with a massive assault across multiple beachheads during suspect weather on June 6th (D-Day) was unexpected, and Fortress Europe was unprepared to respond.
The risk of a blended threat attack can be mitigated using a combination of countermeasures. Client security measures considered appropriate for preventing blended threat attacks include antivirus, personal firewall, and spyware detection software. If you are the type who is reluctant to rely entirely on third-party software, implement a desktop security policy to maintain patch currency and to eliminate configuration vulnerabilities at the operating system (e.g., Windows registry), service, and file system (e.g., NTFS permissions) levels. Network admission control (e.g., Cisco NAC), IEEE 802.1X port-based access control, and "browser" integrity (a.k.a. endpoint control) are relatively new features for switches, wireless LANs, and (SSL) VPNs. These protect an organization by denying network connections to client devices that are not properly configured or are not running client security software your organization considers "mandatory". Server security, in the form of antivirus, antispam, and antispyware, provides an additional layer of defense for organizations against blended threat vectors. Here again, complement third-party software by securely configuring, maintaining and operating servers. Complement the sum of these measures with an incident response plan that isolates compromised systems quickly and prevents blended threat attacks from propagating through your network and beyond.
The last, but perhaps most important, security measure is education and common sense. Users must be educated so they understand and appreciate the dangers blended threats pose. They should be taught to recognize and not fall prey to social engineering and phishing techniques that worm and blended threat creators rely on. Users should also understand that antivirus and antimalware measures are not failproof.
Organizations must establish acceptable use and compliance policies. Users must agree to comply with security measures organizations employ to combat blended threats, and understand how they will be held accountable for incidents where they have failed to comply. Some organizations may conclude that stringent client and mobile user security policies are necessary to combat blended threats. These organizations often implement local/OS security policies that prohibit non-administrator users from performing tasks requiring administrative privileges, and may even block the use of unauthorized removable media. Some organizations conclude that the most secure IPsec remote access policy is one which forces mobile users to connect first to the organization's IPsec security gateway before accessing Internet sites. While this strategy may introduce some latency, the organization can impose the same security policy and measures (e.g., antivirus gateways, antispam measures, and content inspection services such as WebBlocker) to all users, mobile or stationary.
By using multiple methods and techniques, blended threats hope to rapidly spread and cause widespread damage before security measures respond. This makes a blended threat hard to stop, but not unstoppable.
If there is a silver lining to blended threat attacks, it is that they force organizations to appreciate the need for security in depth.