The Changing Nature of CyberCrime Part 1 – Viruses and Worms
by Daniel on Nov.20, 2008, under Security
Over the last one or two years, we have seen a fairly major shift in the methods of criminals working on the internet. In the past, viruses that spread rapidly and took down networks were the norm. Just cast your mind back to Code Red, Nimda (both of 2001) and Sasser (2004), and you’ll get a feel for what I am talking about. All these worms did massive amounts of damage during their limited life spans, with the primary purpose of disrupting computer systems.
However, in the last couple of years there has been a shift to more organised criminal activities. The Storm worm (first appeared early 2008), which at its peak some researchers estimated as having infected over 10 million machines, provides a great example of this.
The Storm botnet was created in such a manner that parts of it could be leased to others, who could then use them for trojan and spam distribution, DDoS attempts and other activities. While viruses and worms from previous generations of malware were designed to have a single payload, the purpose of Storm appeared to be focused on turning a profit.
Another indication of the changes that I have alluded to is the recent out-of-band patch release, MS08-067, by Microsoft. In brief, this patch closed a flaw in all versions of Windows which, for Windows 2008 and XP at least, allowed remote code to be executed as the local service account. Several security experts were concerned about the potential for it to be used to create a worm of Code Red/Nimda proportions. This threat never really eventuated; there were a couple of worms that took advantage of this vulnerability, but nothing really came of them.
Why did the expected horror worm never eventuate? It appears (to me at least) that today’s malware authors are not interested in high-profile activities, and any worm based on MS08-067 was sure to gain additional publicity, in the interests of generating a name for themselves. Malware authors today are looking to create more stealthy worms and trojans that go undetected for as long as possible, quietly stealing credit card data, sending spam and replicating themselves.
One example of how stealthy these new threats can be is Rustock.C. Discovered in May 2008, it has been identified as having been in the wild at least as far back as October 2007. It employed a number of very sophisticated techniques to hide itself and prevent itself from being analysed. No longer are malware authors working to build a name for themselves; they are looking to develop a product or service that can be sold to make a profit, just like any other software company in the world.
It used to be the case that when your computer was infected with a virus/trojan/etc. you would realise eventually, because something bad would happen: CIH would destroy your partition table, Blaster caused network flooding and machine instability. These days you would be lucky to notice your machine was running slow before finding out months later that your credit card details were stolen by a trojan running quietly in the background.
That’s all for this article; stay tuned for part 2, Identity Theft and Credit Card Fraud.
-Daniel
Wikipedia has a great resource, Timetable of notable Computer Viruses and Worms, from which information was taken for this article (a number of linked articles were also referenced).
