Password, ID Stealing Malware Volume Jumps 400%
Clampi, the Trojan that Secure Channel wrote about yesterday, is a fine example of why we'll never see another Code Red, Nimda or LoveLetter virus again. The intent of malware is no longer to cause mass service disruptions, but rather to steal as much information as possible without getting detected. Trojans, worms, viruses and rootkits such as Clampi, Sinowal and StealthMBR are now the masters of malicious code.

McAfee's Avert Labs released a new report showing that the volume of password-stealing and keystroke-logging malware jumped nearly 400 percent between 2007 and 2008. McAfee's prediction: the trend will continue to expand in both volume and scope. This will force all organizations handling even routine data to think beyond conventional antivirus software and perimeter firewalls.

Hackers have long used social engineering techniques, phishing (mass mailings) and spear-phishing (targeted mail attacks) to trick users into giving up sensitive information. McAfee concludes that the effectiveness of these techniques is limited, since they don't capture nearly enough account credentials for trading. Database attacks such as those against TJX and Heartland Payment Systems, which resulted in tens of millions of credit card numbers being compromised, are effective in capturing large amounts of financial and identity data, but they also carry a high degree of risk. Sophisticated malware designed to observe and report is a far more effective way of intercepting user credentials for banking and credit card accounts and—in some cases—hijacking live sessions. Credential-stealing malware uses spam, phishing and compromised websites to transparently infect machines.

Making matters worse, malware like Clampi and Sinowal no longer collects data globally, but rather targets specific applications and subroutines to steal specific bits of information. Older generations of data-stealing malware made a lot of noise by infecting operating systems and hooking into APIs.
They collected copious amounts of data this way, which made them susceptible to detection by host-based intrusion detection/prevention applications. By targeting specific applications and data sets, the newer malware lowers its profile to avoid detection by conventional security scanners and analyzers. As McAfee explains in its report, data-stealing malware is going to capture identity credentials wherever they're entered or reside. It can pop up login interfaces to capture credentials and then pass them along to the target domain, making the session seem normal to the user. It can also go after cached credentials in the Windows registry or passwords stored by browsers.

Even countermeasures and more stringent authentication schemes are being circumvented by new classes of malware. Some banks have introduced virtual keyboards, through which users must enter their credentials rather than typing them on a physical keyboard. Some financial institutions and enterprises have experimented with image-based authentication technology, where users must identify a series of photos or images to gain access. Malware creators are now defeating these security measures by including screen capture components in their malware that activate when users connect to a targeted domain such as a bank or credit card company.

As the McAfee researchers correctly note, the intent is about currency and not necessarily money, and there's a big difference. The currency of the digital underground is access credentials to accounts of all varieties. Hacker groups and criminal organizations trade everything from credit card numbers to World of Warcraft IDs in exchange for tools, attack assistance and information. Those exchanges often lead to a financially motivated attack. McAfee is correct in its assertion that hackers and criminal groups will increasingly expand their target lists beyond financial institutions to include retailers, gaming and gambling sites, and hosted services.
What this trend underscores is the need for synergistic layered security. It's an old strategy, but one that's increasingly relevant. Conventional antivirus scanners may be able to detect and quarantine some of these advanced pieces of malware, but not all. Intrusion detection and prevention systems will pick up much of the unauthorized traffic, but not all. And data loss prevention tools are useful for stopping many quantifiable data disclosures (such as credit card and Social Security numbers), but they are still relatively powerless to stop unclassified data leaks.

While such security schemes may seem relevant only to large enterprises that can afford layers of defensive technology, the threats are not exclusive to large organizations. That means even small and midsized organizations will require increasing amounts of security technology to prevent potentially devastating data disclosures and compromises. States and federal agencies are mandating security breach disclosures, making a security incident both potentially costly and embarrassing. Likewise, small and midsize businesses are more susceptible to catastrophic failure should their data and systems be compromised by hackers.

A recent security survey by Channel Insider and the Computer Technology Industry Association (CompTIA) found that businesses are just as receptive to managed and cloud-based security services as they are to on-premises technologies. Solution providers should consider that when approaching customers and prospects with plans for synergistic security deployments, since services are often more affordable than big one-time on-premises technology installations.
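As an added illustration of the DLP gap described above (example code written for this page, not from McAfee, Channel Insider or any vendor product): a minimal egress check that flags card numbers by format plus Luhn validation and SSN-formatted strings, run over constructed sample records. The regexes and sample data are assumptions; the third record, a stolen login, matches no rule, which is exactly the "unclassified leak" the layered-security argument is about.

```python
import re

# Constructed sample of outbound records, as a DLP filter at a mail or
# web gateway might see them (hypothetical, not from the article).
SAMPLE_RECORDS = [
    "order confirmation card 4111 1111 1111 1111 exp 12/11",  # Luhn-valid test number
    "please verify SSN 078-05-1120 before shipping",           # SSN-formatted value
    "login for acme-bank: user jdoe pass Tr0ub4dor&3",         # credential, no fixed shape
    "invoice id 4111 1111 1111 1112 see attached",             # fails Luhn, not a card
]

# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Classic US SSN layout AAA-GG-SSSS.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the structured data types found in one outbound record."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Format alone is noisy; require a Luhn-valid number before flagging.
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append("card")
    if SSN_RE.search(text):
        hits.append("ssn")
    return hits


def scan(records):
    """Pair each record with what a pattern-based DLP rule would flag."""
    return [(r, classify(r)) for r in records]


if __name__ == "__main__":
    for record, hits in scan(SAMPLE_RECORDS):
        print(hits or "no rule fired", "<-", record)
```

The stolen password in the third record passes untouched, which is why the article pairs DLP with host and network layers rather than relying on it alone.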

Comments (1)
So, the pendulum has finally swung. No longer are these virus writers content to just cause mayhem and use that as their badge of honor. It has now become about stealthily robbing people of their information. I understand your point about them not all wanting money...but that is just a matter of viewpoint. Even if, as you said, they are trading this info for things as innocuous as World of Warcraft accounts, the info is eventually going to be purchased and used by somebody. It is just a matter of how many times it changes hands before it gets sold to the wrong people.
Posted by Malware | November 2, 2009 2:06 PM