The Sophisticated Adversary
(The first of two parts.)
Malicious hackers are known for staying one step ahead of the good guys; lately, it's more like a half-a-mile
By Scott Berinato
March 18, 2004
CSO
Darl McBride, the embattled CEO of SCO, visited our office recently, and when he showed up his eyes were sagging. They were red-rimmed, glassy and bloodshot, and overall he looked worn. But it wasn't because of the litigious morass he'd created by suing IBM and others over the alleged plagiarism of Unix code that his company owns.
The day McBride visited was the day SCO was forced to relocate its entire website to a new URL, because the Mydoom worm's viciously effective denial of service attack had completely leveled sco.com and, in the process, disrupted everything around it. It's sort of like 300,000 people showing up to protest one store at the mall. The other stores in the mall may not be the target, but they're certainly affected.
"This is the real deal," McBride said that day, sounding somewhat surprised. It had been only hours since the company had pulled its original domain out of DNS, where it would stay for the next two weeks. People argue with McBride about virtually everything, but when he used the word sophisticated no fewer than three times to describe Mydoom, there was no arguing with him on that point. Mydoom was the third in a series of increasingly intelligent, targeted marquee attacks: it followed Blaster, which was aimed at Microsoft, and Mimail, which was aimed at anti-spam companies.
Sophistication comes in two forms, and this new generation of malware has both. First is technical sophistication. These attacks use advanced infiltration techniques and carry complex payloads. They can capture keystrokes, and they can be programmed to do so only at certain times. Then there is social sophistication. Whereas once upon a time infectious code was flung out there in hopes it might stick and spread, now it is aimed at someone or something for political or criminal gain.
Asked to give some examples of the new sophistication in the wild, Graham Cluley of anti-virus company Sophos ticks off several without hesitating. There is a Trojan horse that has directed its malevolence exclusively at online gaming sites, perhaps, he says, for extortion. (Give us money or we'll keep doing this.) There are Bagle and Netsky, viruses that experts believe are spreading rapidly because whoever launched them controls tens of thousands of zombie computers, which makes it easy to kick-start the infection process.
Many virus derivatives (there is a Mimail-T, as in the twentieth variant) have added phishing to their arsenal. One pretends to be a request from the PayPal online payment vendor for the personal information needed to update account settings. Another looks exactly like a Windows error box and asks the user to confirm his or her e-mail settings, which are promptly captured by the bad guys.