E-crime and Hacking


Analysis: What's the next malware threat?

From botnets to mobile viruses

By Ron Condon

Published: 12 April 2006 09:00 GMT

Gone are the days of simple worms and viruses. Now botnets and phishing dominate malware. But what's next? Ron Condon reports.

In January this year, 20-year-old Jeanson James Ancheta pleaded guilty in a Californian court to charges that he had broken into government computers and taken control of them for purposes of fraud.

He had planted Trojan software on the systems at the China Lake Naval Facility in California's Mojave Desert, enabling him to manipulate computers on the network there. He had then used the computers to generate hits on website advertisements where the advertisers paid according to the traffic they received.

It sounds like an overelaborate and harmless prank, except that Ancheta admitted the scam had netted him $60,000 before it had been detected.

Furthermore, it emerged that he controlled some 400,000 computers around the world, which he could manipulate remotely to do his bidding - to generate advertisement traffic, to send out infected software to more vulnerable computers, to pump out spam.

Ancheta is typical of the new breed of criminal on the internet - motivated by money and determined to work by stealth. The spyware or Trojans they plant on unsuspecting users' machines do not draw attention to themselves but, once installed, work as slaves to their remote masters.

The users are rarely aware they have been hijacked. Their machine continues to work, albeit slightly more slowly at times, and they have no control over the secret tasks it is being asked to perform.

Bot networks - armies of these hijacked computers - have become the predominant feature of the internet threat landscape. According to security company Ciphertrust, more than 180,000 new PCs are turned into zombies every day - and that figure is continually rising.

The botnets are used by their owners to defraud internet advertisers, as in Ancheta's case. Or they can be rented out by the hour to those who want to carry out cheap mass-mailing campaigns. Extortioners may also rent them to launch denial-of-service attacks on legitimate websites.

These professional operations are taking over where the traditional hobbyist hackers left off. "We are seeing less of the big virus outbreaks such as Sasser and Blaster, and so some people believe the situation is getting better, when in fact it is getting worse," says Mikko Hypponen, chief technologist at security company F-Secure. "The bad boys are getting more professional and doing more targeted attacks."

He sees botnets as a major problem that cannot be easily fixed because the hijacked machines are mostly home PCs connected to an ADSL line. "It takes a lot of end-user support to explain to a grandmother how to configure the computer. So most ISPs are not doing anything about it," he says.

Most analysts also forecast that phishing attacks will continue to grow in number and in sophistication.

David Sancho, an antivirus engineer with security company Trend Micro, gives an example of a recent attack in Germany which pretended to come from an electricity company. It asked the recipient to check his bill by clicking on the attached PDF document, which is how the genuine electricity company operates. But the attachment in this case had a suffix of .pdf.exe, and planted a Trojan on the user's machine.

"Once active, it monitors every internet connection, every access to web pages, and access to the bank and reports it back to the creator of the Trojan," says Sancho. "It is smarter because they don't have to set up a fake server."
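The .pdf.exe trick described above is one a mail filter can check for before the message reaches the user. The following is an added example, not part of the original article: it flags attachments whose name looks like a document but ends in an executable extension. The extension lists, addresses and filenames are constructed for illustration.

```python
from email.message import EmailMessage

# Assumed extension lists for illustration; tune them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg"}


def is_deceptive(filename: str) -> bool:
    """True when a document-looking name really ends in an executable extension."""
    # Windows ignores trailing dots and spaces, so drop them before checking.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 3:  # need a base name plus two extensions
        return False
    # Padding spaces between the two extensions hide the real one in narrow columns.
    shown, real = "." + parts[-2].strip(), "." + parts[-1].strip()
    return shown in DOCUMENT_EXTS and real in EXECUTABLE_EXTS


def flag_attachments(msg: EmailMessage) -> list[str]:
    """Return the filenames of attachments that use a deceptive double extension."""
    flagged = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename and is_deceptive(filename):
            flagged.append(filename)
    return flagged


def build_sample() -> EmailMessage:
    """Constructed message modelled on the fake electricity bill in the article."""
    msg = EmailMessage()
    msg["Subject"] = "Ihre Stromrechnung"
    msg["From"] = "billing@utility.example"
    msg["To"] = "customer@example.org"
    msg.set_content("Please check the attached bill.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Rechnung.pdf.exe")
    return msg


if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```
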

F-Secure's Hypponen also forecasts that phishers will find ways to crack one-time passwords which some banks have introduced as a security measure. In this case the user has a list of authorisation codes on a slip of paper sent by the bank. "The target is fooled into logging into a fake bank, where they ask for his authorisation code. The fake bank logs into the real bank with the one-time password and moves money around. Then it gets back to the customer, says there has been a problem and asks him to give the next code."

The biggest problem for the phishers, he says, is finding new suckers to fool. As more people become aware of phishing attacks, the attackers are going for smaller targets and into different languages, such as Greek, Czech and Finnish.

While Windows PCs remain the prime target for attacks, prepare to see more activity targeted at the mobile phone. F-Secure has now detected 179 mobile phone viruses and estimates that some tens of thousands of handsets are infected.

Nokia has reacted by launching handsets with antivirus protection built in, and the newly released version 9 of the Symbian operating system has improved security, so it may be possible to nip the mobile virus in the bud.

Or maybe not. Hypponen has recently detected the first Java malware on a phone, meaning it could affect most handsets and not just the high-end models. And in March, he spotted a Trojan that plants itself on the mobile and calls a premium rate number in Russia, each time clocking up five euros for the criminal who sent it.

Even so, the rapidly growing world population of broadband users means that botnets will continue to be the main focus for internet criminals. All of the people in the Rogues Gallery of the world's top 10 spammers, on the Spamhaus website, are constantly topping up their networks with new zombie machines owned by people with little concept of security. And they do not restrict themselves to mass emailing - their activities extend into child porn, extortion and fraud.

And botnets open up another danger, according to Dave Rand, chief technologist at Trend Micro. Their combined computing power could be used to decrypt internet traffic, he says. If that were to happen (and there is no sign of it yet), it could bring ecommerce to a grinding halt.
