In Depth

Technology

Malware evolution

Money now the driving force behind internet threats: experts

March 27, 2007

When the internet found its way into people's homes and offices en masse in the mid-1990s, it was widely regarded as beneficial, giving people access to information — and each other — in a way that was previously impossible.

The interconnectedness across thousands of kilometres that the global network offered gave its users access to a wider world, allowing them to find whatever they were looking for, and if it didn't exist, to create it.

That rule also held for people with less altruistic intentions, giving rise to computer viruses and other forms of malicious software. The threat they pose has become so pervasive and advanced that online security companies are forced to play an ongoing game of cat-and-mouse, according to experts who spoke with CBC News Online.

Computer security companies need to change if they are to keep up with would-be criminals, according to Ron Nguyen, director of consulting services for the security firm Foundstone Inc. (McAfee/Foundstone)

Profit motive prevails

"The amount of new and dangerous types of software is daunting and will continue to be that way for a while," said Ron Nguyen, director of consulting services for Foundstone Inc. of Mission Viejo, Calif.

Although Nguyen said severe, widespread outbreaks of computer viruses are increasingly rare, he noted that attackers' intent and the methods they use are evolving, as is their motivation.

"In the past, they may have been motivated by idealistic reasons," said Nguyen, who previously hacked into U.S. military computers to test their security in his role as an information warfare officer with the U.S. air force.

JARGON

  • BOTNETS are networks of computers that have been hijacked by malicious groups or individuals to do their bidding. Their owners are usually unwitting victims who have no idea their machines have been infected and turned into so-called zombies. The zombie computers are typically used to distribute spam or phishing e-mails, or viruses and Trojans that let them hijack other computers. Botnet operators often rent time or bandwidth on their networks to spam e-mail marketers and phishing scam artists.
  • MALWARE is a catch-all term for malicious software such as computer viruses, spyware and so on that compromise the security or function of people's computers.
  • PHISHING is a technique in which criminals try to trick people into disclosing sensitive information such as online banking names and passwords and is often conducted through e-mails.
  • PHARMING is an attack in which malicious individuals try to redirect traffic from one website to a false one.
  • TROJANS are programs that appear to perform one function in order to hide a malicious one. Like the mythological Trojan horse such programs are named after, the deception tricks people into granting them access to a computer.
  • ZOMBIES are computers that have been hijacked by attackers to perform commands and functions issued to them, often without the owners' knowledge. They are typically infected by Trojans that enable attackers to use them in a botnet. An infected computer is sometimes referred to as a bot - short for robot.

The old guard of hackers would discover a vulnerability in a piece of software, tell its creator about the flaw, and wait for a patch to be issued before they would publish details of the problem and "gain notoriety" among their peers, Nguyen said.

"Now they're motivated by money and can use the cash to discover new vulnerabilities, develop new techniques and tools."

Lower-risk flaws targeted

The scam artists are employing every tool in their arsenal, from spam e-mails that tout stocks in the hope of triggering a market move from which they can profit, to more direct attacks. For example, phishing messages and sites trick people into disclosing sensitive information such as banking login names and passwords, and viruses and Trojans can turn victims' computers into part of the attackers' so-called zombie bot networks to distribute spam, a lucrative business.

Today, when it's discovered that a serious security flaw is being exploited by an attacker, fixes or patches are issued more rapidly than they may have been in the past. In fact, few — if any — mid-sized or larger organizations lack their own online security, which means would-be criminals are seeking out lower-hanging fruit, Nguyen said.

"We have been noticing that because enterprise infrastructures tend to get better and better at patch management, they [attackers] are focusing on the consumer space and small business."

Why? Because those are the segments of internet users that are less likely to keep their security software updated or be aware of the latest emerging threats.

But despite faster fixes to the high-risk flaws — which are generally automatically sent by software developers to the computers of consumers and small businesses when they go online — less serious flaws, which aren't patched as quickly, leave people and their systems exposed to attack, according to security researcher Dean Turner of Symantec Corp.

"From an attack perspective, the line between high- and medium-severity vulnerabilities has blurred," Turner said. "Medium vulnerabilities remain unpatched for a longer term."

That gap between the time a vulnerability becomes known and the time it is repaired leaves a window of opportunity for attackers, making the smaller flaws a much more attractive target than the quickly closed high-risk security holes, Turner said.

It's all a numbers game, the experts agreed.

Attacks becoming 9-to-5 job

"It comes down to a cost-benefit analysis," Nguyen said, noting that although attackers may not be able to get as large a return from an attack on an individual user as they might from trying to exploit a large corporation, there are so many people who can easily be victimized that they begin to add up.

"There's certainly a professional aspect," said Turner. "It's hard to track real dollar amounts for this sort of thing. I've seen estimates of anywhere from hundreds of millions to billions of dollars. The truth is probably somewhere in between."

The trend is not surprising, Nguyen said, noting that as more people from all walks of life gain access to the internet, the likelihood is high that at least some of them will engage in illicit activities.

"The people running these campaigns, what were they doing before this? Maybe going into banks and robbing them."

But once they discovered the ease with which they could run scams over the internet and recognized that the scale and scope of their activities could increase without any significant cost, moving to online attacks was a logical choice, Nguyen said.

The trade has become so lucrative that it has become a regular job in some circles, Turner said. He pointed to the example of the Bancos family of Trojans, which created fake login pages to steal usernames and passwords to give access to certain Brazilian banking sites.

"We felt it was a 9-to-5 job and when we looked at the release times and dates, that's what we found."

New strategy needed

The attackers are aided when they successfully hit trusted institutions such as banks, which tend not to report such problems unless required to by law, said Nguyen, relating his experience with clients.

"Ninety-nine per cent of the time, the customer is going to go down the route of not getting law enforcement involved" because the potential damage to their reputation would be too great, so they see it as a cost of doing business, according to Nguyen.

He said various malware groups may be co-operating with each other and becoming more effective — something that the security industry should emulate or risk losing customers who have lost faith in their ability to defend themselves.

"If the whole industry looks bad or is not able to keep up, it will hurt everybody," Nguyen said. "There's got to be some kind of paradigm shift so vendors can keep up with the game."
