IPkey.com

information security monitoring & management

Information Security Bulletin

Special Issue 2004

Special Issue:
An epidemic of worms, viruses and parasites.

We have pre-empted (and delayed) our regular February issue to address concerns voiced by our subscribers about the recent plague of viruses. This is partly why you are receiving this in early March: we were waiting for some period of 'stability' before going to press, but we finally gave up waiting.

So far in 2004, we have witnessed an unprecedented level of virus activity. It started in earnest on January 18 with the Bagle (also spelled Beagle) worms, then really hit on January 26 with the MyDoom.A virus. On that day at least 2 separate viruses were released under at least 3 different names, which added to the confusion. MyDoom set a record as the most prolific virus ever. At its peak, 1 in 5 emails was infected, and over 300 million infected emails overloaded mail servers around the world.

Fortunately, IPkey clients with Managed Security Service contracts that included Anti-Virus protection were spared. This is because we are able to manually update AV protection within an hour or two of a virus being widely reported. MyDoom was a challenge because it spread with unusual velocity. It was first reported in AV newsgroups at about 2:30pm on Monday, Jan 26 and was spreading rapidly on the Internet within 2 hours. AV vendors such as Symantec didn't have signature updates until about 5pm. As you can imagine, we were very nervous. For clients whose mail systems could block email by attachment type, we turned that blocking on. For the others, we shut down Internet email service until protection was available. MyDoom shocked everyone with the suddenness of its propagation.
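The stopgap described above, blocking mail by attachment type until a signature is available, is worth seeing as a concrete check. The following is an added example written for this edition, not IPkey's own gateway configuration or any vendor's code. The deny list is an assumption: it covers the executable extensions that the MyDoom-era mass mailers used (.exe, .pif, .scr, .bat, .cmd, plus .zip, which MyDoom used as a wrapper) and should be tuned to what your users actually exchange. The sample message is constructed inline and is not real worm traffic.

```python
import email
import email.policy
from email.message import EmailMessage

# Assumed deny list for this example: extensions used by MyDoom-era mass
# mailers for their payloads. Adjust to your own environment.
BLOCKED_EXTENSIONS = {"exe", "pif", "scr", "bat", "cmd", "com", "vbs", "js", "zip"}


def attachment_names(msg):
    """Yield the filename of every non-multipart part that carries one."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            yield name


def is_blocked_filename(name):
    """True if any suffix after the first dot is on the deny list.

    Every suffix is checked, not just the last one, so a double-extension
    lure such as 'grandson.jpg.pif' is caught, and each suffix is stripped
    so that padding spaces (used to push the real extension out of view in
    a mail client's attachment column) do not hide it either.
    """
    parts = name.strip().lower().split(".")
    return any(ext.strip() in BLOCKED_EXTENSIONS for ext in parts[1:])


def check_message(raw):
    """Parse a raw RFC 822 message and return the attachment names to block."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    return [n for n in attachment_names(msg) if is_blocked_filename(n)]


def build_sample(filename, payload=b"MZ\x90\x00"):
    """Constructed test message (not a captured worm): a 'photo' lure whose
    attachment is really an executable. The From address is the kind a
    mass mailer forges, which is why the filter cannot trust the sender."""
    m = EmailMessage()
    m["From"] = "daughter@example.com"   # hypothetical, spoofed in real attacks
    m["To"] = "grandma@example.com"      # hypothetical recipient
    m["Subject"] = "photo of the baby"
    m.set_content("Here is the picture you asked for.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for fname in ("grandson.jpg        .pif", "report.pdf"):
        print(fname, "->", check_message(build_sample(fname)))
```

Blocking by file type is blunt (it will also stop legitimate zips), which is why the text treats it as a bridge until the AV vendor ships a signature, not as a permanent policy. Note that the filter never looks at the From address; as the Users section below explains, that header is forged by the worm and is worthless as a signal.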

Since then there has been a slew of new viruses and worms; almost every day brings new threats. 2004 is a whole new ballgame. ISB subscribers are asking: why? Will it get better? Will it get worse?

I decided to write this special edition when I found out that part of the reason for the plethora of new viruses is a 'war' going on between three groups of virus authors. When I first heard this, I just wanted to roll my eyes. Unfortunately, it is real and it's no joke. Estimates of lost productivity this year are already well into the billions. For those of you who have an interest in this story, the Finnish AV software company F-Secure has an interesting weblog (like a web diary) with a daily summary of the activities of the Bagle, Netsky and MyDoom factions. They also have an outstanding review called the 2003 Data Security Summary.

The mentality of these groups is almost beyond comprehension. There was a fascinating article in (of all places!) the New York Times Magazine on 2/8/2004 that interviewed virus authors. Titled 'E-Infectors', it's eye-opening reading. It's a fee-based download; let me know if you are interested in how to get a copy.

The reasons for the virus epidemic make for a bizarre and complex story to tell.  The best way to learn about it is to meet the 'players' in their strange and twisted world.

The Authors are the virus creators who actually design and write the code. A virus is a self-reproducing cybernetic 'life-form' that, once released, has to reproduce successfully on its own. Very few people are skilled enough to write a viable virus or worm. The vast majority of newly created viruses are fatally flawed and fail within minutes of being released. But a few are extremely successful, as we know all too well. Ironically, the creators of these viruses often publish the source code on personal web sites. They view their work as creative and even of academic interest, and they defend it as a free speech issue. They are a tight-knit community that likes to one-up each other. They may test their viruses on quarantined networks, but they are too smart to release them onto the Internet. Why? They have someone else to do their dirty work.

Welcome to the Information Security Bulletin. This is your source for the latest practical information you can use to protect your organization's critical information and network services.

Marcus Clarke
ISB Editor

The Script Kiddies are the 'wanna-bes' who visit the hacker and virus-creator web sites to download and release the viruses. They are so called because they are often teenagers who are unskilled but reckless. Most virus creators are extremely careful NOT to release their own code because they know full well that they risk prosecution. They also know that a script kiddie will do it for them and take the fall. The ethics of publishing virus code on a public web site are highly questionable at best, given the inevitable outcome. However, in the US there is no law against creating a virus, only against transmitting it. Even stranger, professional hackers actually encourage script kiddies to download and use their hacker tools (including worms and viruses). Why? The kiddies create a smoke screen that conceals the activities of the true professionals. We see thousands of attacks daily coming from script kiddies, which makes it extremely difficult to trace the real hackers.

The Spammers are the scum who fill your inbox with hundreds of junk emails offering everything from prescriptions to porn. Spammers are highly motivated to find new ways to get bulk email to you and me, but they are in a constant battle with the ISPs who pull the plug on their servers, the services that blacklist their mail and the spam filters that block it. Their latest strategy is distributed spamming: they infiltrate thousands of unsuspecting home PCs and use each one to send a short burst of spam before the unwitting owner is shut off by their ISP or blocked by the blacklists. How do they infiltrate these PCs? They infect them with a virus or worm. Spammers have changed the virus landscape by using talented virus authors to write high-quality code, such as Sobig.F, to do their bidding. Judged purely on results, the spammers are unquestionably winning the battle of email.

The CyberCriminals - If you think the spammers are bad, think again. It's what you don't see that should scare you. There are some very bright criminals in the enormously profitable business of credit card and identity theft. The risk is negligible and the rewards are huge. They infect your PC with a stealth virus or worm, which then plants a keystroke logger and/or a Trojan. This captures credit card numbers, bank account numbers, passwords and so on. CyberCriminals employ some very skilled virus writers whose creations hide surreptitiously on your PC to keep you in the dark as long as possible. Fraud relating to identity theft is already such a huge problem that credit card and consumer finance companies are trying to hide it in their 'bad debt' reporting. Behind the scenes, the FBI and others are scrambling, but it's a global problem that is largely outside US jurisdiction.

The System Administrators are those responsible for protecting the networks used by ISPs, businesses, institutions, government and so on. To be fair, these individuals are often overworked, under-funded and lack security training. However, there is still a staggering amount of neglect. A case in point: when the SQL Slammer worm hit hard in January 2003, Microsoft pointed out that a fix for the vulnerability Slammer exploited (security bulletin MS02-039) had been available since the previous summer. The SysAdmins can point fingers, but they also know they are the only ones who have any control.

The Users - the last group of players are the end users, like you and me. It has been said that the modern virus epidemic is a 'symbiotic relationship between the people smart enough to write a virus, and the people dumb enough -- or malicious enough -- to spread it.' Without both of these groups, most viruses would never see the light of day. To be fair, the newer viruses have become very adept at tricking us. There is no way that my mother-in-law is not going to click on an email attachment from my wife that she thinks may be a photo of her grandson. There are other tricks, such as the recent emails that appear to come from Microsoft beseeching us to open an attachment to update our protection against viruses! Bottom line: users will always err, especially when the sender's address is spoofed (faked).

What's Next?

In the last week, events have become even more bizarre. A new phenomenon in the virus wars is that a virus from one group will replace some of the malicious code planted by another group. It has become a contest to see who can 'own' the most computers on the planet. I am not exaggerating when I say 'own'. When any one of these guys infects your PC with a Trojan, they really do control it. Furthermore, once installed, this code is very stubborn and hard to remove. They use every trick in the book to make sure they don't lose ownership of 'your' PC to their rivals!

Ultimately, the virus/spam problem is inherent in the nature of the Internet because the economics of abuse are just too compelling. A spammer can make good money with a response rate of just 0.05% because it costs almost nothing to send email. A criminal can infect thousands of PCs and harvest hundreds of credit card numbers in just a few hours. Many of these players are in Eastern Europe and Asia, where they are beyond the reach of US authorities even if they were identified. At some point, the Internet and especially email will have to change from what we know today. These economics are not changing soon, so brace yourself for a rough ride in the next year or two. Recent federal and state legislation isn't going to make a dent in this because it's a global problem. Like porn, the economics of their businesses mean that this problem is here to stay. Nor is it realistic to assume that end users are going to have an epiphany and suddenly become careful. In my opinion, the only group that can really make a difference is the System Administrators.

Final Thought: The people in charge of both corporate and private networks have to invest a whole lot more to match the wits and resources of Spammers and CyberCriminals. IT Admins have to gather whatever evidence they need to convince the bean counters that significant investment in new technology and services is required. 2004 has already shown us that now is the time.

ISB Takeaway:
I have to dispel a widely circulated rumor and say:

 "No, Microsoft is not going to fix this problem." 

They can't even keep their own house in order!

The ISB is a monthly email newsletter published by IPkey.com, your source for affordable information security monitoring and management. IPkey.com is part of Meridian Group, a New Mexico based corporation that has served the IT needs of its clients for 14 years. We encourage you to forward the ISB to your co-workers, colleagues and friends. To subscribe to or unsubscribe from the ISB newsletter, email us at isb@ipkey.com
Past issues of this newsletter are available at IPkey.com ISB Archive

I invite you to call or email me with your questions and comments.  As always we are here to assist you with your Information Security needs.

Next Month:

  Vulnerability Scanning.

All contents copyright (C) 2003 Meridian Group Inc.