The crooks are on the march...
Published: 19 November 2007 15:00 GMT
Once the preserve of bedroom-bound teenagers, malware is now big business and aimed at financial gain rather than peer group recognition. Anthony Plewes analyses the emerging threats.
Viruses are firmly established in the public consciousness. Most people are familiar with the dangers they pose, yet millions continue to succumb to attacks that exploit unpatched holes in common platforms such as Windows or Java. No system is safe from compromise.
Malware - the generic term for malicious computer software such as viruses, worms and Trojans - has been infecting computers and driving users crazy since the early 1980s.
The first computer viruses infected the boot sector of floppy disks, which were the main way of sharing files between computers. Boot-sector viruses gave way to macro viruses in the mid-1990s. By the end of the decade, the growth of email gave malware an effective infection route into new machines.
All these early forms of malware had something in common: they were typically written by adolescent males who were aiming for notoriety through a spectacular payload.
One of the most successful of this generation was the so-called Love Bug, which in 2000 reportedly infected 10 per cent of computers connected to the internet, deleting users' files and emailing itself to everyone in the address book.
Changing landscape
But in 2003, the malware landscape was irrevocably changed by the arrival of the Sobig virus. Unlike malware that came before, Sobig was all about spam.
Instead of deleting files, it contained an email engine and turned over access of the infected machine to gangs who could use it to send spam. Viruses were no longer just an outlet for notoriety-seeking geeks, but a key part of a serious criminal business proposition.
Heralding the beginning of the botnet phenomenon, Sobig was rapidly followed by a whole host of imitators such as MyDoom, Netsky and Bagel. Many of these Trojans were self-replicating, which meant the botnets they created grew very large, very quickly.
Unsurprisingly, they had an immediate and devastating impact on spam levels and in 2003 the volume of spam surpassed legitimate email for the first time, according to anti-spam company Brightmail.
The arrival of botnet Trojans was very much a product of its age. In 2003, anti-spam legislation was starting to be enacted, which had the effect of driving spam lords underground.
Botnets gave them the anonymity they required and the increasing penetration of always-on home broadband networks made them very effective and often undetected by the infected host.
Under the radar
Ironically, from the criminals' perspective these first Trojans were too successful. The botnets grew too quickly, were difficult for them to control and were large blips on the radar screens of the antivirus vendors.
This was bad for business, and to address it malware developers dropped the self-replicating part of the Trojans, which were now spammed out in controllable chunks.
In fact, it became apparent they were sending out the Trojans specifically during working hours for specific time zones to maximise the chance of getting the host infected.
The best example of this new-breed botnet Trojan is the now-notorious Storm Worm. Carole Theriault, senior consultant at security company Sophos, says she expects Storm will be the biggest malware of 2007.
"It has been so successful because there have been so many variants that can bypass antivirus [AV] systems if users don't update them quickly enough. Storm also caught people off-guard with sophisticated social engineering attacks, such as 4 July or Valentine's Day-related messages," she says.
Emailed malware is also looking more sophisticated and people who assume they can identify any suspect emails through poor spelling, grammar or bizarre subjects will be caught out.
To bypass AV systems, gangs are also turning away from using email attachments to propagate their malware and are now using links to infected sites. Because few AV packages follow the links, they are able to pass undetected into users' email inboxes.
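As an added defender-side illustration (not from the article or any vendor named in it), the toy triage pass below parses a constructed message and shows the gap described above: an attachment-only check passes a link-based lure that a link-aware check flags. The trusted-host allow list and the sample message are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed allow list of hosts the organisation trusts.
TRUSTED_HOSTS = {"intranet.example.com", "www.example.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample lure: no attachment, so an attachment-only scanner
# passes it, but the body carries a link to an untrusted IP-literal host.
SAMPLE_MESSAGE = """\
From: greetings@example.net
To: staff@example.com
Subject: You have received an e-card
Content-Type: text/plain; charset="utf-8"

Someone sent you a Valentine's card. View it here:
http://203.0.113.9/card/view
Company policy reminder: http://www.example.com/policy
"""

def extract_links(msg):
    """Collect every http(s) URL from the text/plain and text/html parts."""
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            links.extend(u.rstrip(".,;)") for u in URL_RE.findall(body))
    return links

def attachment_names(msg):
    """Filenames of all parts that carry one, i.e. the attachments."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def triage(raw):
    """Return both an attachment-only verdict and a link-aware verdict."""
    msg = message_from_string(raw)
    links = extract_links(msg)
    # Any link to a host outside the allow list is treated as suspicious.
    suspicious = [u for u in links
                  if (urlparse(u).hostname or "").lower() not in TRUSTED_HOSTS]
    return {
        "attachments": attachment_names(msg),
        "links": links,
        "suspicious_links": suspicious,
        "attachment_only_verdict": "scan" if attachment_names(msg) else "clean",
        "verdict": "suspicious" if suspicious else "clean",
    }
```

Running `triage(SAMPLE_MESSAGE)` returns an attachment-only verdict of "clean" alongside a link-aware verdict of "suspicious", which is exactly the blind spot the article describes.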
Storm's success has created a sophisticated botnet for its controllers, which according to Mark Sunner, chief security officer at email security firm MessageLabs, numbers at the very least one million infected machines.
By using commercial-grade software products called botnet herders, gangs are able to use the botnet to send out spam. They sell encryption keys that give other spammers access to discrete chunks of their botnet that can send their messages.
And because Storm is so well disguised, few users have the faintest idea they are infected. Make no mistake - this is a very lucrative business controlled by criminal gangs with extensive teams of expert programmers.
Targeted attacks
Botnets represent the volume business in the world of criminal malware. The other side of the coin is the targeted attack, which is largely designed for industrial espionage. These Trojans will correctly address someone by their full name and job title and possibly reference a real conversation.
Social networks, including business sites such as LinkedIn, are a comprehensive source for this sort of information. The Trojan will be disguised in a document such as an invoice or request for more information and is designed to give the sender direct access to the victim's documents. This means these attacks are often targeted at C-level executives who are not always the most security-savvy computer users.
According to Sunner, the volume of these Trojans has rocketed over the past 12 months and it is being fuelled by a vibrant market in purpose-built Trojans.
"For as little as $200 you can buy a purpose-built Trojan guaranteed to go under the nose of AV protection. If it gets detected by the AV industry, you can buy an update that can bypass the protection, or for $2,000 you get a service contract with automatic updates," says Sunner.
This has lowered the bar to entry, much like the toolkits of the early 1990s did for malicious viruses. Criminals now no longer need the technical skills. All they need is the intent.
Business users with Macs are also no longer safe. The arrival of the first major Mac virus based on the Zlob worm has spawned a whole raft of imitators, as malware writers look to compromise this growing ecosystem.
There is every chance they will be successful, as Mac users have wrongly believed for some time that malware is only a Windows problem.
Malware is now being written for every possible platform and communications channel and businesses that do not patch their systems religiously or fail to use AV software and internet protection will find themselves at risk.
In forthcoming articles in this special report we will take a look at the techniques behind some of the new threats that businesses are facing in other communications channels and the web.
Copyright © 2008 CBS Interactive Limited. All rights reserved.