Converged Security Threats Mean Business

Gone are the days of amateur, single-source security threats, as big business takes over creating an Internet filled with converged attacks.

Computer security researcher Peter Gutmann, from University of Auckland in New Zealand, gave a dim overview of the types of sophisticated software now used to take over computers to conduct cybercrime.

“There isn’t really any single threat anymore,” Gutmann said, adding as an example that spam is being used for identity theft.

“We’ve seen over the last 20 years a convergence of network technologies into this one big cloud called the Internet, [and] the convergence of viruses and trojans into this one blended threat.”

Speaking at this year’s Australian Unix Users Group (AUUG) conference in Melbourne, Gutmann said spam and malicious code are becoming more sophisticated, because the businesses proliferating such threats are hiring professionals—from programmers to psychologists.

“Current viruses are written by paid professional programmers, and they do serious amounts of testing on different environments,” he said. “They’re not just written by script kiddies. Some use digitally signed, encrypted updates that are equivalent to the Windows update.”

Spam “vendors” are using PhDs in linguistics to bypass filters, and phishers use psychology graduates to craft their scams.

There is also some spamware that includes the open-source Spamassassin antispam tool in its code to see if it will get through.

Gutmann said the spam business involves selling CDs with e-mail addresses at a price dependent on the quality of addresses.

“You go via a spam broker and use money to buy credits to send out spam messages,” he said. “You can also buy ‘botnets,’ and a machine can spam for 30 seconds, then transfer to another bot which will spam for another 30 seconds, so it’s virtually impossible to track them down.”

Gutmann said most spam services are hosted in China, where the ISPs don’t care about it and bandwidth is cheap.

“Botnets are infinite resources of power and bandwidth,” he said, adding many botnets are IRC-based, which are not very resilient. However, the emergence of P2P botnets has made them more resilient and completely decentralized them.

“Freely available robots, like Agobot, can do all types of nasties, from harvesting e-mail addresses to packet sniffing and rootkit functionality.

“Ironically, botnets are full of good guys’ PCs being taken over to send spam from DSL and cable Internet connections.

“With delivery mechanisms in place, malicious code has the ability to take control and manipulate the operating system down to the kernel level.

“Viruses can act as special-purpose spam relays, disable antivirus software or modify antivirus database files, and one even uses multiple levels of encryption.

“They’re extraordinarily difficult to detect and specifically coded to stop antivirus software from detecting it,” Gutmann said.

Since a lot of software has user interface options to turn off security features, viruses can also be programmed to do this. Other common problems include installing rogue root certificates and patching the Windows kernel so that “everyone is running as root.”

Gutmann cited BroadcastPC as an extreme example of malware that installs 65MB of .Net framework on the computer without the user being made aware of it.

Regarding phishing, Gutmann said like spam and viruses, it is being orchestrated by professionally run organizations.

By Rodney Gedda, Computerworld Australia

Keep checking in at our Security Feed for updated news coverage.