ALARMED: The Sophisticated Adversary

(The first of two parts.)

Darl McBride, the embattled CEO of SCO, visited our office recently and when he showed up, his eyes were sagging. They were red-rimmed, glassy and bloodshot and, overall, he looked worn. But it wasn't because of the litigious morass he'd created by suing IBM and others over the alleged plagiarism of Unix code that his company owns — at least not directly. McBride looked haggard because of a virus called Mydoom.

The day McBride visited was the day that SCO was forced to relocate its entire Web site to a new URL because the viciously effective denial of service attack had completely levelled it and, in the process, disrupted everything around it. It's sort of like 300,000 people showing up to protest one store at the mall. Other stores in the mall may not be a target, but certainly they're affected.

"This is the real deal," McBride said that day, sounding somewhat surprised. It had only been hours since the company had removed its original URL from DNS servers for the next two weeks. People argue with McBride about virtually everything, but when he used the word sophisticated no fewer than three times to describe Mydoom, there was no arguing with him on that point. Mydoom was the third in a series of increasingly intelligent, targeted marquee attacks; it followed Blaster, which was aimed at Microsoft, and Mimail, which was aimed at anti-spam companies.

Sophistication comes in two forms and this new generation of malware has both. First is technical sophistication. These attacks use advanced infiltration techniques and they carry complex payloads. They can capture keystrokes and can be programmed to capture keystrokes only at certain times. There is also social sophistication. Whereas once upon a time infectious code was flung out there in hopes it might stick and spread, now it's aimed at someone or something for political or criminal gain.

Asked to give some examples of the new sophistication in the wild, Graham Cluley of anti-virus company Sophos ticks off several without hesitating. There is a Trojan horse that has successfully directed its malevolence exclusively at online gaming sites, perhaps, he says, for extortion. (Give us money or we'll keep doing this.) There are Bagle and Netsky, viruses that experts believe are spreading rapidly because whoever launched them has control of tens of thousands of zombie computers, which makes it easy to kick-start the infection process.

Many viruses' derivatives (there is a Mimail-T, as in the twentieth variant) have added phishing to their arsenal. One pretends to be a request for personal information from the PayPal online payment vendor in order to update account settings. Another looks exactly like a Windows error box and asks the user to confirm his or her e-mail settings, which are promptly captured by the bad guys.

Another cunning virus, Dumaru-Y, Cluley adds, includes a photo attachment that, when clicked on, activates the worm. While trying to spread itself, it also has the capability to capture keystrokes during online banking sessions. Another uses graphic representations of words instead of text to display a randomly generated password the user must key in, a tool developed by the good guys and now used by phishermen.

If it weren't all so malicious, malware would be considered one of the most innovative business enterprises going. At the same time, the virus defence industry is about as innovative as a brick wall.

For example, on Sophos's site, Cluley gives the following advice for defending against Dumaru, the virus that captures keystrokes during online banking sessions: "All computer users should think carefully before opening an unsolicited e-mail attachment.… Users should ensure their anti-virus is automatically updated, and ask their ISP or employer to block unwanted executable code.…" Full marks to Cluley. It's the right advice. But it's also the same dull defence we relied on a year ago, three years ago, and beyond, when the attacks were comparatively artless.

The tragicomic effort to dam the flow of viruses appears to have failed. The current crop of attacks is clever beyond what today's limp defensive measures can effectively mitigate. If you thought it was painful and costly dealing with the shrapnel from the generalist attacks on the Internet, it will be exponentially worse dealing with a smart attack designed to hurt you or your partners. What's more, the attacks are improving so rapidly, mixing technical and social engineering along with spam-like distribution, that Mydoom's destructive and costly campaign against SCO will soon seem quaint.

"We need," Cluley says, "a safer Internet than the one we have."

Next time, we'll talk about how to get that and how to fundamentally shift the game away from the bad guys.
