Update on Malware

Stephen DeAngelis

December 19, 2008

Last month on Election Day, I posted a blog entry entitled Public/Private Partnerships in Cyberspace that discussed efforts aimed at increasing Internet security. New York Times’ technology columnist John Markoff reports that, despite government and commercial efforts, the bad guys are winning [“Thieves Winning Online War, Maybe Even in Your Computer,” 5 December 2008]. This may be the season to be jolly, but Markoff provides no joyful news. He writes:

“Internet security is broken, and nobody seems to know quite how to fix it. Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.”

This is bad news indeed. Not only is connectivity needed to help pull the world out of its financial funk, it is critical to help the millions of people still held firmly in poverty’s grasp to break free. I have repeatedly written about the importance of trust in helping foster a growing and sustainable global economy. Malware erodes that trust and costs innocent victims billions of dollars. More on that topic later.

“As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year. With vast resources from stolen credit card and other financial information, the cyberattackers are handily winning a technology arms race. ‘Right now the bad guys are improving more quickly than the good guys,’ said Patrick Lincoln, director of the computer science laboratory at SRI International, a science and technology research group.”

Back in October, Markoff wrote another article about botnets that I commented on in my post entitled An Update on Zombies. It provides an excellent background for this article. In my November post, I noted that the effort to improve Internet security needs to be an international effort — a fact highlighted in Markoff’s most recent column:

“A well-financed computer underground has built an advantage by working in countries that have global Internet connections but authorities with little appetite for prosecuting offenders who are bringing in significant amounts of foreign currency. That was driven home in late October when RSA FraudAction Research Lab, a security consulting group based in Bedford, Mass., discovered a cache of half a million credit card numbers and bank account log-ins that had been stolen by a network of so-called zombie computers remotely controlled by an online gang. In October, researchers at the Georgia Tech Information Security Center reported that the percentage of online computers worldwide infected by botnets — networks of programs connected via the Internet that send spam or disrupt Internet-based services — is likely to increase to 15 percent by the end of this year, from 10 percent in 2007. That suggests a staggering number of infected computers, as many as 10 million, being used to distribute spam and malware over the Internet each day, according to research compiled by PandaLabs.”

If there were not big financial rewards associated with these criminal activities, the nefarious people involved wouldn’t be spending the time and money recruiting zombie computers to strengthen their botnets. Root them out in one place and they simply reemerge in another.

“Security researchers concede that their efforts are largely an exercise in a game of whack-a-mole because botnets that distribute malware like worms, the programs that can move from computer to computer, are still relatively invisible to commercial antivirus software. A research report last month by Stuart Staniford, chief scientist of FireEye, a Silicon Valley computer security firm, indicated that in tests of 36 commercial antivirus products, fewer than half of the newest malicious software programs were identified.”

That’s not very reassuring for those of us who load anti-virus and anti-spyware programs on our PCs and use them religiously. Markoff does point to one glimmer of light.

“There have been some recent successes, but they are short-lived. On Nov. 11, the volume of spam, which transports the malware, dropped by half around the globe after an Internet service provider disconnected the McColo Corporation, an American firm with Russian ties, from the Internet. But the respite is not expected to last long as cybercriminals regain control of their spam-generating computers.”

That is why I argue that efforts to make the Internet safer must be international. The pressure to find and prosecute cybercriminals must be unrelenting. Any country that doesn’t cooperate fully should be declared a pariah and, as much as possible, be severed from international connectivity. The punishments for cybercrime need to be as painful as the crimes are rewarding. As long as rewards outweigh risks, the criminal community will thrive. Criminals know how to conduct cost/benefit analysis.

“‘Modern worms are stealthier and they are professionally written,’ said Bruce Schneier, chief security technology officer for British Telecom. ‘The criminals have gone upmarket, and they’re organized and international because there is real money to be made.’ The gangs keep improving their malware, and now programs can be written to hunt for a specific type of information stored on a personal computer. For example, some malware uses the operating system to look for recent documents created by a user, on the assumption they will be more valuable. Some routinely watch for and then steal log-in and password information, specifically consumer financial information. The sophistication of the programs has in the last two years begun to give them almost lifelike capabilities. For example, malware programs now infect computers and then routinely use their own antivirus capabilities to not only disable antivirus software but also remove competing malware programs. Recently, Microsoft antimalware researchers disassembled an infecting program and were stunned to discover that it was programmed to turn on the Windows Update feature after it took over the user’s computer. The infection was ensuring that it was protected from other criminal attackers.”

It’s not just the sophistication but the volume of malware that disturbs analysts. An accompanying graphic to Markoff’s column shows that the number of unique malware applications that have been discovered is closing in on 20 million. Markoff reports that “Microsoft has monitored a 43 percent jump in malware removed from Windows computers just in the last half year.” He also notes that the average user has no idea whether his or her computer is one of the millions of zombie computers in operation.

“The biggest problem may be that people cannot tell if their computers are infected because the malware often masks its presence from antivirus software. For now, Apple’s Macintosh computers are more or less exempt from the attacks, but researchers expect Apple machines to become a larger target as their market share grows. The severity of the situation was driven home not long ago for Ed Amoroso, AT&T’s chief security official. ‘I was at home with my mother’s computer recently and I showed her it was attacking China,’ he said. ‘“Can you just make it run a little faster?” she asked, and I told her “Ma, we have to reimage your hard disk.”’”

Markoff eventually gets to the subject of trust.

“Beyond the billions of dollars lost in theft of money and data is another, deeper impact. Many Internet executives fear that basic trust in what has become the foundation of 21st century commerce is rapidly eroding. ‘There’s an increasing trend to depend on the Internet for a wide range of applications, many of them having to deal with financial institutions,’ said Vinton G. Cerf, one of the original designers of the Internet, who is now Google’s ‘chief Internet evangelist.’ ‘The more we depend on these types of systems, the more vulnerable we become,’ he said.”

As the CEO of a company purveying resilience, I am vividly aware of how vulnerabilities can affect operations and resiliency. Government leaders are also beginning to understand how cybercrime can have both security and economic repercussions.

“The United States government has begun to recognize the extent of the problem. In January, President Bush signed National Security Presidential Directive 54, establishing a national cybersecurity initiative. The plan, which may cost more than $30 billion over seven years, is directed at securing the federal government’s own computers as well as the systems that run the nation’s critical infrastructure, like oil and gas networks and electric power and water systems. That will do little, however, to help protect businesses and consumers who use the hundreds of millions of Internet-connected personal computers and cellphones, the criminals’ newest target.”

With mobile computing (which includes the explosion of smartphones) on the rise, it should come as no surprise that cellphones are targets. With an increasing number of people using cellphones for financial transactions, especially in emerging market countries, sustainable development could well rest upon the shoulders of those fighting the good fight. In bad financial times, however, those fighting the good fight are often early casualties (because “wars” expend precious resources that business owners believe could be spent better elsewhere). They might want to rethink their priorities.

“Despite new technologies that are holding some attackers at bay, several computer security experts said they were worried that the economic downturn will make computer security the first casualty of corporate spending cuts. Security gets hit because it is hard to measure its effectiveness, said Eugene Spafford, a computer scientist at Purdue University. He is pessimistic. ‘In many respects, we are probably worse off than we were 20 years ago,’ he said, ‘because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure.’”

The challenge, of course, is that no single country can “redesign” the infrastructure to make it more secure. The thing that makes the Internet resilient is the fact that no one controls it. There is no single point of failure. Again, only an international effort has any chance of creating a more secure future; but difficult financial times mean that a cooperative effort is unlikely. Nevertheless, now is no time to go lax. Our best efforts are needed because the forces of good are equally matched in skill level by the forces of evil.

“The cyber-criminals appear to be at least as technically advanced as the most sophisticated software companies. And they are faster and more flexible. As software companies have tightened the security of the basic operating systems like Windows and Macintosh, attackers have moved on to Web browsers and Internet-connected programs like Adobe Flash and Apple QuickTime. This has led to an era of so-called ‘drive-by infections,’ where users are induced to click on Web links that are contained in e-mail messages. Cyber-criminals have raised the ability to fool unsuspecting computer users into clicking on intriguing messages to a high art. Researchers note that the global cycle of distributing security patches inevitably plays to the advantage of the attacker, who can continually hunt for and exploit new backdoors and weaknesses in systems. This year, computer security firms have begun shifting from traditional anti-virus program designs, which are regularly updated on subscribers’ personal computers, to Web-based services, which can be updated even faster.”

With all of the recent announcements of layoffs, there is one upside to the growing malware problem — some people’s jobs look secure.

“Security researchers at SRI International are now collecting over 10,000 unique samples of malware daily from around the globe. ‘To me it feels like job security,’ said Phillip Porras, an SRI program director and the computer security expert who led the design of the company’s Bothunter program, available free at www.bothunter.net. ‘This is always an arms race, as long as it gets into your machine faster than the update to detect it, the bad guys win,’ said Mr. Schneier.”

If the global economy is going to grow and if millions more people are going to be helped out of poverty, the bad guys can’t win. If the bad guys win, they will do their best to keep emerging market nations just below the threshold of success. They need places from which they can operate, and relatively unsophisticated economies provide them with just the toehold they need into the developed world’s networks without having to dodge the developed world’s enforcement mechanisms. That is another reason that my colleague Tom Barnett believes that the U.S. strategy (and broader international community strategy) should be to shrink the Gap (meaning reduce the number of relatively disconnected nations in which criminals can hide and flourish). It’s all about trust.