Does 'dawn of the dead' spell the end for the web?

Army of zombies is poised to attack…

By Will Sturgeon, 29 April 2004 13:00

NEWS A leading security expert has claimed that the next year could see the internet face its most severe and damaging challenge yet, warning that a period of unprecedented virus activity could be approaching a deadly endgame.

Speaking to silicon.com at this year's Infosecurity show in London, Pete Simpson, ThreatLab manager at Clearswift, said virus writers have been carrying out a "series of discreet experiments over the past year" – referring to the multiple iterations of worms such as Bagle and MyDoom.

According to many experts in the antivirus field, these worms have created a huge attack base of zombie machines: computers infected with a Trojan horse that hands control to a remote gang of cybercriminals, ready to be deployed at a time of the gang's choosing.

While the likes of SCO, whose website was taken offline earlier this year by a distributed denial-of-service attack launched from infected machines, can vouch for the devastating power of such a network, Simpson believes we haven't seen anything yet compared with what could happen.

According to Simpson, one potential target in the opening salvos of a virus war could be the antivirus vendors' update sites. If infected machines cannot fetch new signatures, the defenders' main weapon is blunted before the real assault begins; as opening gambits in a battle go, crippling the weapons of those you are attacking is a pretty decisive first move.

For the owners of these networks of compromised machines, Simpson says such an attack is "the obvious next step" and he believes that the gangs behind recent virus attacks will have been planning for some time.

Off the record, Simpson confirmed to silicon.com the names of two major antivirus companies who are taking this threat very seriously.

But not everybody is convinced, though many in the antivirus field are loath to discuss the issue openly.

Raimund Genes, president of European operations at Trend Micro, believes the network of compromised machines has a commercial purpose, perhaps as an asset for sale to spammers. He considers an attack on antivirus update sites unlikely, and says his company would cope if one came.

"It would be a major headache and the clear-up operation would be huge, but we would cope," he said.

Other targets of DDoS attacks from compromised machines have included Microsoft, as well as bookmakers who have been the subject of extortion whereby they are threatened with a DDoS attack unless they pay a ransom.

Comments

  1. anonymous

    I just don't get it anymore. The threat from viruses is causing everyone a headache, and for what? The satisfaction of some fool loser with nothing better to do than cause chaos for all. And let's remember, it's not just the corporations that get hit by this. It's the likes of you and me, with little enough time on our hands, who have to put up with endless updates, endless patching, oceans of spam, and constant trashing of our computers. I pay good money for my software and hardware, and I'm damned if I'm going to let some miserable little sh*t ruin it for no good reason. Rant over. Let's break out the weapons!

  2. Graham

    Easy solution - next time one of those pimply nerd virus malcontents or their supporters chirp up about the evils of corporations or whatever they use to justify their reckless behaviour, lamp them squarely on the nose. Sorted!

  3. Captain Kreb

    This is getting ridiculous. Kids and hackers playing around with dangerous code I can understand, and I can almost see the point of their desire for outlaw status. But Zombie machines, mafia-like organisations and deadly internet-killer viruses, what's the point?
    Are we just being stoked up with more anti-terror propaganda in order to keep the capitalist taps turned up full? If "they" finally do manage to crash the whole virtual machine, then what? Life won't be the same, but then it never was, was it?
    The more they want me to worry the less I seem to care!

  4. Sam McInerney

    .. originally, hacking was about freedom of information, a virus would be to allow the many access to the few's privilege.. 'secrets'.. but now, what the hell are you doing?.. wasting everyone's time, why don't you put your programming skills to good use, getting a job that is worthwhile. Clearly you people have too much time on your hands. Are you preventing terrorism?.. stopping child slavery? if you are, then good, go ahead, get noticed... but, oh.. that's right, you're doing it because it makes you think you're really clever and so you can gloat about it, hackers are like the typical high school bully.. at college they realise what assholes they are.. there's always somebody bigger and better.. and if they don't realise, they become the prey.
    Hackers, you will get your comeuppance eventually, so do the smartest thing you have done yet, and just give it up, you're only hurting yourselves.

  5. Dr John Maher

    Curious that your latest silicon.com newsletter was consigned to my Junk folder by my Apple Mail program ... I get 100+ spams per day, they are deleted via Webmail in batches of 20 on an Acorn RiscPC - never heard of it, never mind, but it is totally impervious to any of the viruses, worms or other nasties flying around. I don't trust the iMac quite as much, but the spam filter is quite good (poor silicon.com - I do like you!), and it runs BSD Unix with a good firewall. Maybe the problem is the dominant use of Microsoft products? If there was a wide variety of operating systems out there, then virus writing and propagation would be much less troublesome.

  6. Rick Halpert

    This theory is an obvious one. Why wouldn't virus writing progress to the next step? Thus far it seems to have been an ego-driven activity. But progressing to writing viruses and worms for profit (extortion) seems a logical step forward for virus writers. One can only hope that the antivirus companies can stay one step ahead.

  7. anonymous

    You are right. The scum of this world think it's clever to be destructive. What next after the internet?

  8. Opinion Opinion Opinion

    The very real threat of distributed denial of service is one which can, and will, affect all of us. Both corporate and home users.

    The many millions of machines which are affected can generate many terabytes of requests that cannot be dealt with by methods being employed by current Infosec professionals.

    The installation of anti-DDoS devices in many internet gaming sites' infrastructures is one way of dealing with the corporate threat, but as DDoS loads start to exceed the actual bandwidth these websites have, whatever you have inline will start to be useless.

    The tier one ISPs have to start taking the bull by the horns and stop virus traffic on the internet backbone... If 30% of the world's machines are infected and sending packets out into the ether, then surely 30% of their expensive transatlantic bandwidth is being taken up as well...

    They should install devices that allow them to filter this kind of traffic out...

    The coming together of carrier-class companies like Juniper and security companies like Netscreen will hopefully see an answer... until that time... we are at risk from this kind of attack...

    We wait with bated breath!!

    NB: The response from the antivirus guy is typical of someone who doesn't understand this field. If these guys really went after them, they wouldn't have a chance.

  9. Dave Chaffinch

    How many more people are going to falsely report that SCO was knocked out by a DoS attack? SCO took their site out of the DNS BEFORE the attack. What would have happened had they not done this is anyone's guess.

  10. paul bliss

    Let's face facts here.
    Most viruses and spyware are spread by complacent and/or lazy individuals or companies who either do not understand the threat or cannot be bothered because it has not affected them yet.
    If computers were updated with antivirus (it doesn't cost the earth)
    and spyware scanners then most of the problem would be moot.
    But until Mrs So-and-so with a PC in her bedroom stops downloading items without a firewall, antivirus etc. and then passing the virus on etc., the culture will continue and continue.

  11. David Hendry

    I agree, we have just purged a worm from our system today, that contained a list of anti-virus sites.

    So an attack could be ready, look out for a ns.exe running in the task manager.

    It's a swine to get rid of as you have to remove it manually.

    Have fun with it!

  12. anonymous

    However you read it, SCO's site was knocked out by this DoS attack; the fact that the DoS was due to the threat of what the virus would do is perhaps a far more insidious attack.
    SCO's site was certainly made unavailable, there is no denying that.

  13. anonymous

    I think we need to move beyond comforting images of virus authors as pimply teenage nerds or kiddy hackers. Increasingly those interested in online sabotage could be from organised crime, terrorist organisations, politically motivated hacktivists, even from the security organisations of 'friendly' states. Money is involved, as is the security of world essential services (which surely email is by now).

  14. anonymous

    ISPs should completely block machines that are observed to be behaving like compromised zombie PCs. It's too late once the packets have made it out into the rest of the network.

    In this way the user, who may be completely naive and innocent, can be forced to take action to protect their own machine - though they might have to be allowed to connect to get patches !! (Should the ISPs mirror common patches locally to their network ?)

    Unfortunate that this incurs yet another cost on everyone else.

  15. Bruce Sandeman

    The Solution
    ------------

    Get rid of the old IP protocol that is used today across the world and replace it with an all new protocol that forces every data packet to be signed by a digital signature which is specific to the machine that it originates from. This packet must then also be signed for the recipient server.

    Once all machines are authenticating with each other in this way it would be near impossible to create a ddos attack or distribute viruses other than by email, and this can be handled by standard antivirus software on email servers. All email servers would have to be properly protected and authenticated before any email could be sent. All email should then be digitally signed and verified.

    Once this is all done the problems of spam and viruses would be as good as non-existent.

    However, the cost involved would probably mean that this will never happen :o(

    Also, silly political groups would probably call it an invasion of privacy or some such garbage. Everyone would be scared that all their movements on the web could be tracked. So what I say, if you don't want to be seen to be doing something, don't do it. Simple.

    catch y'all later.

  16. anonymous

    If any spotty little herbert is found guilty of hacking or writing a virus then their 'nads' should be removed (get the genes out of the gene pool).
    Get found guilty a second time then shoot the b*****ds - they are of no use to human society what-so-ever.
    And computers for schools voucher promotions - no thanks, I don't support teenage hackers!

  17. anonymous

    If any spotty little herbert is found guilty of hacking or writing a virus then their 'nads' should be removed (get the genes out of the gene pool).
    Get found guilty a second time then shoot the b*****ds - they are of no use to human society what-so-ever.
    And computers for schools voucher promotions - no thanks, I don't support teenage hackers!

  18. Malcolm Ripley

    As is usual when human-designed systems start to fail, we have to look at nature to see how it has solved the problem. With viruses the solution is a simple one: biodiversity. Our reliance on one OS is a killer. I know there are more OSes out there, but it's the end user who is computer illiterate who invariably is the source of "infection". The overwhelming majority of end users have a PC with Microsoft software.

    Everyone has to have a PC, otherwise they can't use the internet effectively due to all the websites that only work with Explorer and the emails with all the Outlook extras attached.

    It's time we imposed standards on the net which allow all flavours of OS and hardware to work effectively. Work with standard document formats so the hardware/OS/application combination is irrelevant, and encourage the use of multiple OS and hardware configurations.

    De facto standards like the ones from you know where should be vigorously discouraged and totally ignored.

  19. royston

    Lack of updating is the obvious problem. Mine is done a minimum of once a day; I do all updates before I start and check for it all again at the end of the day. These viruses wouldn't get such a hold if the PCs were checked regularly, not just once a week; those days are gone. The Sasser virus takes advantage of unpatched machines. WHAT THE HELL ARE THEY DOING TURNING ON UNPATCHED MACHINES FOR GOD'S SAKE, are they a bunch of idiots or what??!!!
    I would sack tech security staff for putting my business in danger if a patch had been and was available for download. As far as I'm concerned they haven't done the job I paid them for. An unpatched machine is gross negligence!!

  20. HH

    I still maintain that there is an element of 'cyberspace field trials' going on here in terms of the testing of propagation and fast-transfer components, ready for the 'big one' - a payload or two that effectively disables large chunks of the Net.

    Far-fetched? Maybe. But even more far-fetched is the idea that Military Cyber-warfare Projects have not considered the principle as a legitimate option in the event of the 'need' to close down information systems on a massive scale. The kind of dev-comments contained in recent worms suggest an amateurish contrivance typical of agent activity.

    The primed idea of WMD rogue attack is a scenario which will create the conditions for such a 'need'. I have no proof, of course, and I hope I'm wrong. But surely, someone somewhere is looking at this. Militarily-speaking, if they are not, they are negligent from the standpoint of their own objectives.

    If true, what can we do about it? Not a lot! It would have to be taken seriously to prepare a large-uptake contingency. If not true, then we should be thankful that all we have to deal with are obsessive mischief-makers. And, don't let computers rule your life!

  21. anonymous

    Would it help if individual users kept their computers switched off when not using them, and their broadband modem and/or their LAN connection physically switched off when not actively on-line?

    Perhaps someone could invent something (a separate black box which can't be hacked) to monitor data traffic so that the user knows if it is disproportionate to his/her actual intended activity and physically shut down the connection.

    Maybe the shut-down box could be intelligent enough to learn (or be set up by the user with) a user's typical activity - programmes used & typical volume of data traffic & frequency/ pattern of use - and automatically freeze or shut down the LAN/modem connections if there is something abnormal, pending user over-ride.

    Finally, why can't we have some strike-back software which instead of just detecting/ removing spyware and malware, sends back a load of anonymous garbage/ spam instead of real data?
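
Comments 14 and 21 both describe the same control from different ends: watch a host's outbound traffic, compare it with what that host normally does, and cut it off (while still letting it reach patch servers) when it starts behaving like a zombie. The following is an added example of that idea in Python, not code from the article or any commenter. The flow records, the per-host baseline, the thresholds and the patch-mirror address are all constructed for illustration; in practice the same per-source aggregation would be fed from NetFlow/sFlow exports and the thresholds tuned to the network's own traffic.

```python
"""Flag hosts whose outbound traffic looks like zombie activity.

Added example, not code from the article or its commenters. Flow records,
the per-host baseline and all thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # originating host
    dst: str       # destination host
    dport: int     # destination port
    packets: int   # packets sent in this flow during the observation interval


# Constructed sample traffic for one observation interval (not real captures):
#   10.0.0.5  ordinary browsing and mail
#   10.0.0.7  thousands of packets to one web server, i.e. flood participation
#   10.0.0.9  a few packets each to forty hosts on TCP/445, i.e. worm-style scanning
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "192.0.2.10", 80, 120),
     Flow("10.0.0.5", "192.0.2.11", 443, 80),
     Flow("10.0.0.5", "192.0.2.12", 25, 15)]
    + [Flow("10.0.0.7", "198.51.100.1", 80, 9000)]
    + [Flow("10.0.0.9", f"203.0.113.{i}", 445, 3) for i in range(1, 41)]
)

# Constructed baseline: packets per interval each host sent during a quiet learning period.
BASELINE_PACKETS = {"10.0.0.5": 250, "10.0.0.7": 300, "10.0.0.9": 200}


def summarise(flows):
    """Aggregate flows per source: total packets, distinct destinations, packets per destination."""
    per_src = {}
    for f in flows:
        s = per_src.setdefault(f.src, {"packets": 0, "dsts": set(), "by_dst": defaultdict(int)})
        s["packets"] += f.packets
        s["dsts"].add(f.dst)
        s["by_dst"][f.dst] += f.packets
    return per_src


def classify(flows, baseline, fanout_threshold=20, surge_factor=10, focus_share=0.9):
    """Return {src: [reasons]} for hosts whose traffic deviates from baseline.

    Two independent signals are checked:
      - fan-out: contacting at least `fanout_threshold` distinct destinations
        in one interval, the signature of a scanning worm;
      - surge: sending at least `surge_factor` times the host's baseline packet
        count; when `focus_share` or more of that surge goes to one destination
        the host is reported as flooding that target.
    Hosts with no learned baseline are only checked for fan-out.
    """
    verdicts = {}
    for src, s in summarise(flows).items():
        reasons = []
        if len(s["dsts"]) >= fanout_threshold:
            reasons.append(f"fan-out to {len(s['dsts'])} destinations")
        expected = baseline.get(src)
        if expected is not None and s["packets"] >= surge_factor * expected:
            top_dst, top_pkts = max(s["by_dst"].items(), key=lambda kv: kv[1])
            if top_pkts / s["packets"] >= focus_share:
                reasons.append(f"surge of {s['packets']} packets, flood toward {top_dst}")
            else:
                reasons.append(f"surge of {s['packets']} packets vs baseline {expected}")
        if reasons:
            verdicts[src] = reasons
    return verdicts


def quarantine_rules(src, patch_mirrors):
    """Filter rules for a flagged host: allow it to reach patch mirrors, deny everything else.

    Rules are abstract (action, src, dst) tuples; translating them into a
    particular router or firewall syntax is left to the deployment.
    """
    return [("allow", src, mirror) for mirror in patch_mirrors] + [("deny", src, "any")]


if __name__ == "__main__":
    for host, reasons in classify(SAMPLE_FLOWS, BASELINE_PACKETS).items():
        print(host, "->", "; ".join(reasons))
        for rule in quarantine_rules(host, ["192.0.2.50"]):  # constructed patch mirror address
            print("   ", rule)
```

On the constructed sample the ordinary host passes both checks, the host sending 9000 packets to a single web server is reported as a flood, and the host touching forty machines on TCP/445 is reported for fan-out. The fan-out check deliberately does not depend on a baseline, since a freshly connected machine has none; the surge check does, which is why the learning period matters and why a host that was already infected when the baseline was taken will be under-reported.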
