June 2009 Scientific American Magazine

What Conficker Reveals about Internet Crime

The worm exposes the sophisticated international criminal networks behind modern computer viruses
















Computer users could be forgiven if they kept their machines off on April 1. Since it first appeared last November, the malicious software known as the Conficker worm has established itself as one of the most powerful threats the Internet has seen in years, infecting an estimated 10 million computers worldwide. The malware slipped into machines running the Windows operating system and waited quietly for April Fools’ Day (the timing did not go unnoticed), when it was scheduled to download and execute a new set of instructions. Although no one knew what was to come, the worm’s sophistication provided a stark example of how the global malware industry is evolving into a model of corporate efficiency. At the same time, it raised calls for security researchers to steal a trick from their black hat counterparts.

A worm takes advantage of security holes in ubiquitous software—in this case, Microsoft Windows—to spread copies of itself. Conficker, though, was a strikingly advanced piece of code, capable of neutering a computer’s antivirus software and receiving updates that would give it more complex abilities. Its sudden march across the Web reignited interest in one of the most controversial ideas in security protection: the release of a “good” worm. Such software would spread like a worm but help to secure the machines it infected. The approach had already been attempted once before. In late 2003 the Waledac worm burrowed into Windows machines by exploiting the same vulnerability as the then widespread Blaster worm. Yet unlike Blaster, which was programmed to launch an attack against a Microsoft Web site, Waledac updated the infected machines with security patches.

On the surface, Waledac appeared to be a success. Yet this worm, like every worm, spiked network traffic and clogged the Internet. It also rebooted machines without users’ consent. (A common criticism of automatic security updates—and a key reason why many people decide to turn them off—is that updating a security patch requires restarting the computer, sometimes at inopportune moments.) More important, no matter how noble the purpose, a worm is an unauthorized intrusion.

After Waledac, the discussion about good worms went away, at least in part because worms themselves went away. “Back in the early 2000s, there weren’t strong business models for distributed malware,” says Philip Porras, program director of the nonprofit security research firm SRI International. Hackers, he explains, “were using [worms] to make statements and to gain recognition.” Worms would rope computers together into botnets—giant collections of zombie computers—which could then attempt to shut down legitimate Web sites. Exciting (if you’re into that sort of thing), but not very profitable.

In the past five years malware has grown ever more explicitly financial. “Phishers” send out e-mails to trick people into revealing user names and passwords. Criminals have also begun uploading to legitimate store sites hard-to-detect surveillance code that covertly intercepts credit-card information. The stolen information then goes up for sale on the Internet’s black market. An individual’s user name and password to a banking site can fetch anywhere from $10 to $1,000; credit-card numbers, which are more ubiquitous, go for as little as six cents. The total value of the goods that appear on the black market in the course of a year now exceeds $7 billion, according to Internet security company Symantec.

The tightly managed criminal organizations behind such scams—often based in Russia and former Soviet republics—treat malware like a business. They buy advanced code on the Internet’s black market, customize it, then sell or rent the resulting botnet to the highest bidders. They extend the worm’s life span as long as possible by investing in updates—maintenance by another name. This assembly line–style approach to crime works: of all the viruses that Symantec has tracked over the past 20 years, 60 percent of them have been introduced in the past 12 months.



8 Comments

  1. mikecimerian 01:40 PM 5/26/09

    Law enforcement hasn't sent any clear message from the onset. Reacting to threats isn't enough; proactive measures and international police cooperation have to be strengthened.

    Criminal codes have to be revised in order to include security negligence as a misdemeanor, taking other types of negligence as a model.

    I can say from experience that the software industry doesn't take outside input seriously since there are no home page links to report threats on their web sites and no follow up when such reports are made.

  2. proadventurer in reply to mikecimerian 02:19 PM 5/26/09

    Imagine for a moment that the rain was an internet virus, worm, trojan, what have you. You are driving your convertible. Now to keep the rain out all you have to do is close the lid. You have a weather service and you have your own senses. You can wait for the car manufacturer to create and install a rain sensor when you don't need your car and without you noticing. You can also put up the top yourself when you feel like rain might be coming or by pulling over and putting it up before you get too wet. You could also turn in the convertible for a car that is currently pretty waterproof all the time (but may not be in the future).

    Whose responsibility is it to keep the car dry today? Yours or the manufacturer's?

  3. mikecimerian in reply to proadventurer 03:31 PM 5/26/09

    In answer to the responsibility issue you raise, you are partly correct.

    What if you neglect to clear your property from fallen branches and dead brushes and a wildfire starts which will destroy many homes; aren't you responsible for property damage through negligence?

    I have forwarded many instances of phishing to a well known OS manufacturer; they never acted on them.

    The cost of prosecution is what is at stake; manufacturers do not want to shoulder it and consumers can't do it.

    Civil responsibility is a complex issue, true, but failure to act on reports when compared to other industries is criminal negligence.

    Auto industry jurisprudence is relevant in this matter.

  4. bertie 11:04 PM 5/27/09

    This is all very scary. I'm just a computer user that pays bills and buys goods because I'm encouraged to do so by banks and others; it's looking like I need to think very carefully whether or not I should use the internet at all?

  5. cschwartzbauer 08:19 AM 5/28/09

    So, what? Organizations still aren't patching machines or tightening down the configurations. Obviously the corporate risk/reward of due care often errs in favor of doing nothing. We are constantly finding commercial and governmental orgs that have many unmanaged systems. Chris Schwartzbauer SVP Shavlik Technologies www.shavlik.com

  6. jgrosay 06:23 PM 12/4/09

    I had in my computer, which was offered to me as a gift from a company that upgraded its computer fleet, automatic updates on. Microsoft sent some warnings about genuine software; then, it seems that they passed a wrest blocking the computer as an update, apparently because Windows was not genuine. It cost me several weeks of data gathering, some addresses of providers of merchandise and several calls to the local Microsoft office, and the purchase of replacement software for an existing one I didn't install. When applying a penalty foreseen in a law, it is supposed that you will have the opportunity to exercise some kind of defense, but in this case, Microsoft just acted in an exhibition of force. I don't want to say this, but this kind of action is impolite and devoid of any law background, support or rationale. Leave me, I beg you, with a good memory (J Brassens). Cheers +

  7. jgrosay 06:28 PM 12/4/09

    Well, I must say that of the 2 pirate programs it seemed I had, I paid for only one; the other was offered by Microsoft for free. Better than nothing. Goodbye and a half.

  8. Quinn the Eskimo 01:00 AM 12/5/09

    Stop using Microsoft Products (Windows)!

    Could it be *that* simple?

    Well, yes.
