Internet security experts are divided on the source and purpose of computer viruses and worms like Blaster and SoBig. But some government agencies are investigating a possible connection between the increasing spread of infected computers and organized crime.
Recent trends are leading many experts to worry that malicious code buried in infected computers or released in new generations of worms will spawn targeted criminal attacks against business and industry.
“That is definitely a legitimate concern,” said Michael Shema, a widely recognized expert on Internet security and author of two books on the hacker mentality. Shema said there is considerable evidence to support what otherwise would be romantic conspiracy theories about the connection of viruses to the world of organized crime.
“It’s still anybody’s guess who might be behind it, but the next move [by the virus writers] will no doubt tip their hands,” Shema told TechNewsWorld.
Follow the Money Trail
The SoBig.E and SoBig.F worms were created to open back-door access to infected computers. Those worms and others can update themselves and contact predetermined servers to acquire new instructions. A new trend in these worms includes the ability to use hijacked computers as e-mail servers to send spam without the knowledge of the computers’ owners. And spam is perhaps the least worrisome danger associated with back-door control of infected machines.
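The two behaviours described above, a hijacked machine relaying mail and a machine checking in with a predetermined server, both leave a trace in ordinary perimeter logs. The script below is an added example, not part of the article and not taken from any product mentioned in it: it runs two simple heuristics over constructed firewall log lines (the log format, addresses, timestamps and the assumption that 10.0.0.10 is the site's only legitimate mail server are all made up for the example).

```python
"""
Added example (not from the article): two defender-side heuristics for the
worm behaviour described in the text, applied to constructed firewall logs.

  1. A workstation that starts talking SMTP (tcp/25) to several outside
     hosts is a candidate hijacked spam relay.
  2. A host that connects to the same external address at a near-constant
     interval is a candidate "phone home" to a predetermined server.

The log format, host addresses and timestamps are all constructed.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed log lines: key=value fields, one allowed connection per line.
SAMPLE_LOG = """\
2003-08-20T10:00:01 src=10.0.1.23 dst=203.0.113.5 dport=25 proto=tcp action=allow
2003-08-20T10:00:04 src=10.0.1.23 dst=203.0.113.9 dport=25 proto=tcp action=allow
2003-08-20T10:00:07 src=10.0.1.23 dst=198.51.100.2 dport=25 proto=tcp action=allow
2003-08-20T10:00:09 src=10.0.0.10 dst=203.0.113.50 dport=25 proto=tcp action=allow
2003-08-20T10:00:12 src=10.0.1.40 dst=198.51.100.7 dport=80 proto=tcp action=allow
2003-08-20T10:00:00 src=10.0.1.77 dst=192.0.2.66 dport=8998 proto=udp action=allow
2003-08-20T10:10:00 src=10.0.1.77 dst=192.0.2.66 dport=8998 proto=udp action=allow
2003-08-20T10:20:01 src=10.0.1.77 dst=192.0.2.66 dport=8998 proto=udp action=allow
2003-08-20T10:29:59 src=10.0.1.77 dst=192.0.2.66 dport=8998 proto=udp action=allow
2003-08-20T10:03:00 src=10.0.1.40 dst=198.51.100.7 dport=80 proto=tcp action=allow
2003-08-20T10:31:00 src=10.0.1.40 dst=198.51.100.7 dport=80 proto=tcp action=allow
"""

# Assumption for the example: the only host that should originate mail.
KNOWN_MAIL_SERVERS = {"10.0.0.10"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_log(text):
    """Turn the constructed key=value log lines into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def unexpected_smtp_senders(events, known_mail_servers, min_destinations=2):
    """Internal hosts, other than the real MTA, that open SMTP to several
    outside hosts. Returns {src: sorted list of destinations}."""
    by_src = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 25 and e["src"] not in known_mail_servers:
            by_src[e["src"]].add(e["dst"])
    return {s: sorted(d) for s, d in by_src.items() if len(d) >= min_destinations}


def beaconing_hosts(events, min_connections=4, max_jitter=5.0):
    """(src, dst, dport) flows whose successive connections are spaced at a
    near-constant interval: every gap within max_jitter seconds of the
    median gap. Returns {(src, dst, dport): interval_seconds}."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    found = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= max_jitter for g in gaps):
            found[flow] = median
    return found


def report(text=SAMPLE_LOG):
    """Run both heuristics and return their findings keyed by name."""
    events = parse_log(text)
    return {
        "spam_relay_suspects": unexpected_smtp_senders(events, KNOWN_MAIL_SERVERS),
        "beacons": beaconing_hosts(events),
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(name)
        for key, value in hits.items():
            print("  ", key, value)
```

On the sample data the first heuristic flags 10.0.1.23, which opened SMTP to three outside hosts although it is not the mail server, and the second flags the 10.0.1.77 flow that checks in with 192.0.2.66 every ten minutes; the web traffic from 10.0.1.40 is too sparse and too irregular to match. Both thresholds (two SMTP destinations, four connections within five seconds of a constant interval) are tuning knobs, not fixed facts about any particular worm.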
“There are still 400,000 to 500,000 computers infected,” said Christopher Faulkner, CEO of C I Host, a company that provides Internet hosting services. Given such a large base of infected computers, the foundation already has been laid to carry out massive malicious attacks.
“Spam is still prevalent — somebody must be making money,” said Shema, who is also director of research and development at NT OBJECTives, a provider of application and Web services security. “All of this activity is motivated by money.”
It is difficult to dismiss the significance of discoveries made by several research groups that have been monitoring Internet crime. For example, the Honeynet Project — a nonprofit research organization of security professionals — published a report describing how the organization has monitored individuals trading or dealing in stolen credit card information over the Internet.
The researchers found that criminals have developed highly sophisticated mechanisms for distributing stolen credit card information “through specialized IRC channels and related Web sites.” Indeed, Honeynet researchers discovered that automated bots were running on at least a dozen IRC channels to enhance the organized dissemination of stolen credit card information.
C I Host’s Faulkner said the FBI has investigated many incidents of identity theft and related criminal activities. “Nothing ever gets done with it, though,” he said. Faulkner believes there is little that domestic authorities can do to take the fight to where much of the viruses, spam and identity theft originates.
“The bulk of it comes out of China and South Korea,” he said. “Authorities there are not too keen on helping us track down the culprits.” Part of the problem, according to some analysts, is the large, uncontrolled computer networks springing up throughout Asia and the Pacific Rim.
Faulkner said it is obvious to security experts that this region is the source of many virus intrusions: the poor grammar and language in the messages the viruses display are a dead giveaway.
Computer security specialist Erik Laykin, president of Online Security Inc., sees the criminal underworld of Eastern Europe and Russia as a prime source for the worm onslaught. “There you will find a large stable of very bright hackers, scientists and criminal underground,” Laykin told TechNewsWorld. “Those are smart, effective bad guys.”
Credible Links Sought
Investigations have not yielded definitive proof yet about links between viruses and organized crime, but federal authorities have stepped up the search for a mafia connection, Laykin told TechNewsWorld. He said the Department of Homeland Security has issued advisories in recent months about possible connections of virus attacks to organized crime or terrorists.
“They are looking for relationships between [computer virus] outbursts,” he said, noting that theories about crime connections to the recent attacks by the Blaster worm have much credibility. “If the virus writers were Chinese with anti-American leanings — as some have speculated — the worm did its job,” he said. “It damaged our infrastructure.”
Laykin doesn’t put much faith in theories that an attack launched by the Blaster worm was responsible for the power grid blackout several weeks ago. But given the large percentage of Windows 2000 and Windows XP computers that are obvious targets because of vulnerabilities in the Windows operating systems, he concedes that massive virus infections might have played an unplanned role.
If nothing else, infected computers could have contributed to the delayed response by engineers, he said.
Playing for Leverage
Like other analysts, Laykin thinks there is a possibility that criminals could be looking for an opportunity to take action under the cover of a malicious code attack.
“Organized crime is clearly looking to leverage technology,” he said, pointing out that the intelligence community recognizes that organized crime is much more sophisticated these days than it once was — technologically speaking. “Because of the nature of the Internet,” he said, “response to any attack would be reactive.”
Like many Internet security experts, Laykin worries about hidden commands that are yet to be activated in infected computers, regardless of who put them there. “When a virus has propagated and is sleeping, it is a malignant cancer; a particular event will set it off,” he said.
Other Internet security gurus say theories about spammer connections to virus attacks are not credible.
“Such theories have no credence. There are already plenty of open relays available. There are easier ways of spamming than risking prosecution [by planting back doors with the use of viruses and Internet worms],” said Jerry Brady, chief technology officer of Guardent, a managed security services and consulting services company.
“That business model just wouldn’t fit,” he said. “Spammers wouldn’t want the notoriety.”
Online Security’s Laykin offers a final reason to support the organized crime theory. Over the past nine months, as the SoBig worms have matured, that process no doubt has required time and resources that would drain an individual hacker. “If criminal analysts are accurate, then there has to be a crew of code writers managing the development of SoBig, much like a team would develop a piece of software,” he said.
From Laykin’s perspective, if the worms are a result of organized crime, the sophistication of the recent worms and viruses is a clear indication that those responsible have been closely studying the industry’s reaction patterns and are cleverly adapting each new generation of the worm.
“One theory is that organized crime may be examining responses to the patching,” said Laykin, concluding that the next variant of SoBig likely will provide better answers.
An excellent article that highlights one of the major trends in IT Security, namely the move from hobby-hacking to profit-driven criminal activity.
As the recent virus storm clearly demonstrates, the old reactive "update-and-patch" IT security approach has come to its end as the sole security paradigm.
Today, it’s necessary to move ahead by physically isolating confidential data and business-critical applications from external networks, be it the Internet or just the company’s own intranet (the lion’s share of IT intrusions is internal).
Luckily enough, a new kind of secure and easy-to-use security appliance, such as the Giwano (see http://www.giwano.com), is already hitting the market. They do not make the traditional security products obsolete, but take them one step further, just as we have added car anti-theft devices to the traditional steering wheel and ignition locks.