The Sophisticated Adversary

Mar 18, 2004 | 5 mins
CSO and CISO | Data and Information Security

Darl McBride, the embattled CEO of SCO, visited our office recently and when he showed up, his eyes were sagging. They were red-rimmed, glassy and bloodshot and, overall, he looked worn. But it wasn’t because of the litigious morass he’d created by suing IBM and others over the alleged plagiarism of Unix code that his company owns, at least not directly. McBride looked haggard because of a virus called Mydoom.

The day McBride visited was the day that SCO was forced to relocate its entire website to a new URL because the viciously effective denial of service attack had completely leveled it and, in the process, disrupted everything around it. It’s sort of like 300,000 people showing up to protest one store at the mall. Other stores in the mall may not be a target, but certainly they’re affected.

“This is the real deal,” McBride said that day, sounding somewhat surprised. It had only been hours since the company had removed its original URL from DNS servers for the next two weeks. People argue with McBride about virtually everything, but when he used the word sophisticated no fewer than three times to describe Mydoom, there was no arguing with him on that point. Mydoom was the third in a series of increasingly intelligent, targeted marquee attacks; it followed Blaster, which was aimed at Microsoft, and Mimail, which was aimed at anti-spam companies.

Sophistication comes in two forms and this new generation of malware has both. First is technical sophistication. These attacks use advanced infiltration techniques and they carry complex payloads. They can capture keystrokes and can be programmed to capture keystrokes only at certain times. There is also social sophistication. Whereas once upon a time infectious code was flung out there in hopes it might stick and spread, now it’s aimed at someone or something for political or criminal gain.

Asked to give some examples of the new sophistication in the wild, Graham Cluley of anti-virus company Sophos ticks off several without hesitating. There is a Trojan horse that has successfully directed its malevolence exclusively at online gaming sites, perhaps, he says, for extortion. (Give us money or we’ll keep doing this.) There are Bagle and Netsky, viruses that experts believe are spreading rapidly because whoever launched them has control of tens of thousands of zombie computers, which makes it easy to kick-start the infection process.

Many virus derivatives (there is a Mimail-T, as in the twentieth variant) have added phishing to their arsenal. One pretends to be a request for personal information from the PayPal online payment vendor in order to update account settings. Another looks exactly like a Windows error box and asks the user to confirm his or her e-mail settings, which are promptly captured by the bad guys.

Another cunning virus, Dumaru-Y, Cluley adds, includes a photo attachment that, when clicked on, activates the worm. While trying to spread itself, it also has the capability to capture keystrokes during online banking sessions. Another uses graphic representations of words instead of text to display a randomly generated password the user must key in, a tool developed by the good guys and now used by phishermen.

If it weren’t all so malicious, malware would be considered one of the most innovative business enterprises going. At the same time, the virus defense industry is about as innovative as a brick wall.

For example, on Sophos’s site, Cluley gives the following advice for defending against Dumaru, the virus that captures keystrokes during online banking sessions: “All computer users should think carefully before opening an unsolicited e-mail attachment. Users should ensure their anti-virus is automatically updated, and ask their ISP or employer to block unwanted executable code.” Full marks to Cluley. It’s the right advice. But it’s also the same dull defense we relied on a year ago, three years ago, and beyond, when the attacks were comparatively artless.

The tragicomic effort to dam the flow of viruses appears to have failed. The current crop of attacks is clever beyond what today’s limp defensive measures can effectively mitigate. If you thought it was painful and costly dealing with the shrapnel from the generalist attacks on the Internet, it will be exponentially worse dealing with a smart attack designed to hurt you or your partners. What’s more, the attacks are improving so rapidly, mixing technical and social engineering along with spam-like distribution, that Mydoom’s destructive and costly campaign against SCO will soon seem quaint.

“We need,” Cluley says, “a safer Internet than the one we have.”

Next time, we’ll talk about how to get that and how to fundamentally shift the game away from the bad guys.

Does the sophistication of the new generation of viruses and phishers make you nervous? Let me know and send any comments to