Most “Malware” is now “Crimeware”

Computer viruses, Trojans, and worms have evolved a great deal since their inception in the 1970s.  Originally the province of pranksters and glory seekers, then anarchists trying to see how much damage they can cause, the new generation of malicious hackers is in it for the money.

The first widespread virus outbreak occurred in 1982 and was known as “Elk Cloner.”  At every 50th boot, it would display a humorous poem, but was otherwise harmless.  Since then there have been many viruses and variants that caused no intentional damage to hardware or software, but at various or random intervals would display jokes, political messages, or humorous (to the virus authors, at least) messages.  Such “harmless” malware can still be disruptive though, by clogging networks, slowing system performance, and consuming storage space.

It wasn’t long after that first widespread outbreak that virus technology attracted a more despicable breed of hacker, those who create malware with intentionally destructive capabilities.  A prime example is the Jerusalem virus launched in 1987.  It was designed to destroy all executable program files every Friday the 13th.  This virus spawned a large number of variants which activated on different dates and created numerous symptoms – some intended and others accidental – but the majority of them, like the original, deleted or destroyed executable programs.  The motivations behind these attacks are perplexing because the destruction of resources seems pointless.  The question, “Why don’t these programmers put their skills to more productive use?” seems to have inspired the current mindset among malware authors, although not in the direction we would have liked.

While the pranksters and anarchists may still be around, of much greater concern these days is the alarming prevalence of viruses, Trojans, and worms whose creators are financially motivated, with connections to illegal gangs and organized crime.  Thus, the coinage of the term “crimeware.”  Far from trying to make the most dramatic impact possible as was the case with original malware, crimeware attempts to conceal its presence completely, avoiding detection as long as possible.  Indeed, hundreds of thousand – even millions – of PCs and servers are infected at any given time, in most cases without the knowledge of their owners.  Crimeware employs a number of techniques to allow it to run in stealth mode.  Rootkits for example install themselves deeply within an operating system and redirect standard system calls so that their processes run invisibly.  This makes it difficult even for antivirus and other security programs to detect and remove them.

Crimeware, as the name implies, exists to help its authors perpetrate crimes, such as identity theft, fraud, financial scams, theft of intellectual property and industrial secrets, access to confidential information.  Keyloggers, often delivered via a virus or worm, work to capture users’ keystrokes and transmit them to criminals, who in turn analyze the data to discover passwords and security phrases.  Why risk getting shot while robbing a bank, when one can simply use a stolen password and electronically clean out someone’s bank account?

As bad as this kind of crimeware is, there is one more trend that is even more disturbing.  Using worms, viruses, and Trojans, crimeware authors have been deploying agents which give them remote control over infected machines.  The average size of networks of such infected machines (referred to as “botnets”) is about 20,000 computers, but some have reportedly numbered in the millions.  Botnets give their criminal perpetrators control over enormous computing power heretofore unavailable except to agencies with access to super-computers.  They harness this power to launch phishing and denial-of-service attacks, send out massive amounts of spam, crack passwords, and perpetrate other types of internet crime.  Botnet controllers have gone so far as to create complete business models, licensing segments of their botnets to members of organized crime and other criminal elements for targeted attacks on specific businesses, government agencies, or market segments.  Sometimes these “services” come complete with technical support!

As an indication of just how serious the impact of crimeware is these days, the FBI recently issued a press release where they state that crimeware in general and botnets in particular represent “a growing threat to national security, the national information infrastructure, and the economy.”

Adobe acknowledges the importance for security

Many agree Adobe has never responded to security vulnerabilities in their popular products quickly. Known vulnerabilities would take weeks and in some cases months before being addressed. Most recently in February Adobe confirmed a known vulnerability in their Acrobat PDF software and admitted the vulnerability is actively being used by hackers. Brad Arkin, Adobe’s director for product security and privacy mentions this event is what prompted a new security practice.

Adobe has started reviewing the code in Adobe Reader and Adobe Acrobat products and is identifying “at-risk areas” that will be addressed and ultimately re-written. “We’re going to broadly look at the whole application, but focus on at-risk areas, where we’ll do threat modeling, static code analysis and look for potential vulnerabilities,” said Arkin. “We’re going to do a lot more pro-active work,” he promised. “We want to shake loose vulnerabilities.”

Arkin promises a regular patching cycle and in fact will deliver patches the same day as Microsoft. Although their patch cycle is quarterly, not monthly, the patches will be delivered the second Tuesday of the month. This schedule has not officially started.  Arkin also mentioned JavaScript will not be disabled by default in future builds of Adobe Acrobat products.

More information on Adobe Acrobat’s new security initiative can be found on Adobe’s Asset blog.

Do you have Conficker?

One of the quickest and easiest ways to tell if you are infected with Conficker virus is to look below and see if any of the images from four of the 100+ security sites blocked by Conficker do not load.  I put four images for the following security websites: Kaspersky Lab, F-Secure, Secureworks, and Trend Micro below. If you have any problems loading these images or visiting the sites listed, you may be infected with the Conficker virus. If you are using a proxy server you will likely still be able to load the images and this is not a good test.

If you believe you are infected with Conficker (Kido/Downadup) check out Kaspersky’s KKiller tool to remove it.

Images are trademarks of their respective owners.