Quarter past nine on a Monday morning. I’m staring at the thick oak beam of a long polished table wondering what the hell I’m doing at a briefing about internet security. My last journalistic foray into this turgid corner of the tech world had me stuck talking anti-virus software with one of the chief marketing officers at a leading company. I recall a solid 40 minutes of the internet neighbourhood watch warnings as the canapes passed just out of reach behind his back. The hungrier I got the more it sapped my soul. My last conscious thought was “never again”. Never again; until today.
I’m not sure if it was the lure of the Soho House, the charm of the invitation or, more likely, the promise of breakfast but somehow, between them, they short-circuited that old memory in my brain; they silenced its voice. Down went that corner of my neural net; a localised blackout and now here I am in my trainers and jeans, most others with a collar at least. Quarter past nine on a Monday morning. Fifteen minutes before I’m usually at work.
Ed Gibson begins the day more upset than I am that his cooked breakfast hasn’t arrived but that’s probably where the similarity ends. Edward P Gibson is Microsoft’s chief security advisor and a former operative with the FBI. He takes comfortable control of the room of assembled journalists with the warmth and ease of his Midwest drawl. I wonder if that manner served him well at the FBI. I wonder if he’s enjoying his retirement, but by the end of the morning I’ll have changed my mind about how much rest he’s getting in his new profession.
“The UK has become a haven for e-crime,” Mr Gibson begins as he reminds us of the decision made by the former Home Secretary to remove credit card fraud from the police agenda. It’s a matter for our banks and card companies now. We report it. They repay it. Part of me can’t help but think of it as a victimless crime but then I know that isn’t true. What crime really is?
“Still, what’s all this got to do with malware,” I’m thinking as Mr Gibson talks of e-mails traveling through two countries in the blink of an eye before they pass between my desktop and yours. That’s more about phishing schemes? Someone sends you a false message from a bank that they happen to have got lucky is the one you save with and if you’re stupid enough to fill in your details, then your money gets taken. You probably deserve it. But malware? Viruses? That’s about programmers having their bit of fun with Windows isn’t it; it’s a twenty something, single, white male in his basement, pop-tart in hand wreaking a petty revenge on the world? Isn’t it? Isn’t it? Apparently not.
Up steps Mr X. Mr X is a security expert but of a very different kind. Mr X is a hacker – an accolade that Edward P Gibson is loath to lay on him, such is the distaste that he has for those of Mr X’s former profession. But behind the black silk suit, the white open necked shirt and printed business cards Mr X has just handed out; behind his slow, smooth facade of a professional gambler who got out while the going was good gleam the eyes of a man with a lot of respect for the internet’s darkest community and a pride in the work he used to do.
He takes us through the world of modern day malware with the briefest of introductions. Only now do I appreciate how hard it was for him to begin, because largely there is no beginning. Malware has become a community, an ecosystem and as such it goes round not from top to bottom but cycling from one place to another; to people, computers, services, criminals, salesmen, middlemen, e-markets, racketeers, gangsters and the writers of the code themselves and all without our knowledge. They peddle our stolen data and wring it dry.
Malware has become the generic term for all viruses, worms, trojans, adware, spyware and anything else that makes our systems execute programs that we hadn’t intended them to run and it is not just made for fun anymore. It’s not made to prove a point. It’s written, targeted, distributed and deployed with the sole purpose of stealing and extorting money.
The authorities know it’s happening and they know where it’s happening. There are forums out there, well-known forums where skills are sought and trades exchanged. You’ll find people to write code for you, sellers of the raw materials like blank credit cards and skimming devices, data for sale and a host of merchant services. There are people selling trojans or other “loads” – a term used to describe infections – at the cost of $200 for 1,000. You can purchase IDs, passports, driving licences or just plain data that could be as cheap as $2 per MB of text taken from keystroke logging programs. Exactly how many words is 1 MB of text data? How much information can you gather from that?
All of this is known but the community is a very tight, closed group and to get a look in you need an introduction. Someone has to vouch for you and even then some will only deal with you if you can speak Russian, the language of the major players of the malware world. These forums are the hacker’s LinkedIn.
“Does everyone know what bulletproof hosting is?” Edward Gibson interjects as his colleague begins to get carried away with terminology from behind the glow of a disappointingly ordinary Dell XPS laptop. I raise my hand for an explanation.
“Bulletproof hosting is the cornerstone of the business,” says Mr X getting me up to speed. Hackers need safe havens to run their programs, servers where no one can shut them down or trace them, places where they can operate safe from the authorities. This is either done with a network of remote-controlled computers called botnets, including the groups of zombie PCs working P2P that people talk of. These become like decentralised servers where files flow untraceably, impossible to track and if a malware attack ever finally is sourced, it’ll just end up with Interpol and their SWAT team bursting into the house of some unsuspecting pensioner in Leeds, a thousand infrared dots trained on his cardigan; slippers on and tea cup shaking in his hands. It’s bulletproof because it’s perfect, unstoppable and all it costs the hacker is around 47 cents per node.
The other more sinister method is to find countries that have got no problem with hosting your illegal activities or certainly no problem compared to the sums of money you’re paying them for the privilege.
Bulletproof hosting rakes in millions each month for the top players in the field. They guarantee you server space and protection for you to run your malware. They even offer 24/7 telephone support should there be a problem.
Once you’ve acquired your webspace, you may wish to purchase a load which you could get standard or tailor made. Common popular choices are trojans. The price of a load depends on what you order and where you wish it to be deployed. Security is tighter in the UK, Denmark and the US where load crews charge a premium. They’re paid per infection, so the loads must be more sophisticated and deployed in greater numbers for reasonable rates of success.
Just in case any of those in these “drops services” are short of ideas, there are legitimate market places such as the Swiss based WabiSabiLabi where you’ll find software exploits up for sale. It’s an eBay for weaknesses, loopholes and backdoors into everything from Windows Vista to the networks and databases of private companies.
One of the most recent developments in loads is the genius “exploitation packs”. As in nature, a good virus is not the one that kills you. It’s the one that keeps you alive so you can continue to be of use. If malware causes your computer to crash, bluescreen and die then it can’t gather any more data nor use your PC as a part of a botnet. Exploitation packs deploy 1KB or 2KB downloaders that profile your machine; evaluate exactly where you are, what you use it for, what your hardware’s capable of and then deploy a specific set of programs to run quietly in the background skimming your details and data while you go about your business and nearly all of them install what are known as “rootkits” which make the entire package completely undetectable to whatever anti-virus or security you may have.
The makers and vendors of these packs might only sell a few licences each month to keep their product more exclusive and effective and they’ll even add DRM as well such that the domain to which the malware will divert all the data and traffic will be hardcoded into the programs requiring second and third payments for any subsequent attacks.
Cloud labs monitor your malware to see how it’s performing and can send you an SMS when you have a problem and need to redesign. Malware can be created on the fly, tailored to get by every individual system it meets. You may have all your Microsoft updates and patches but they’ll even find a way in if your third party software isn’t up to date. Mr X shows us one such exploit in all computers where Adobe Acrobat Reader is of version 8 or less regardless of what other kind of protection the system has.
But most impressive for me is one of the pieces of big brand malware known as Limbo. It’s so subtle that all it does is inject the odd extra field in banking forms. Where you’re usually asked for three digits of your security number, it may just ask you for a fourth until it slowly builds up the picture of your whole profile. Then full access to your savings can be sold for between 5 and 10% of the contents of your account.
These products and services are so sophisticated and user friendly that you don’t even need any computer knowledge to be a hacker any more. All you have to do is hire the right people to do the job for you and you too can hold companies to ransom by threatening to shut down their servers or give away their secrets. You can collect any kind of data you like and there’s always a market for whatever you can steal.
It’s simply impossible for any one internet security system to give you the protection they claim to. The idea of protection against 98.7% of the malware online is an utter nonsense. The same malware .exe file can repackage itself against security updates far faster than anti-virus can keep up. The malware world is further reaching and much more sophisticated. One option you have is to run different anti-virus programs simultaneously to cover yourself as best as possible but good luck trying to run a stable computer or having enough processing power to do anything else.
Companies like Prevx supply such a solution that’ll run alongside whatever main security program you have; a different downloadable scanning tool depending upon whether you are a home user or a small or large business. I’ve had a try of it since. It seems to work pretty well. My copy of Avast hasn’t had a fit, my computer hasn’t crashed and, if a piece of malware has got through, it’s obviously deployed a rootkit as well because everything seems to be running normally.
For the final part of the morning, Mr X gives us a demonstration of what a virus can do if you happen to click on the wrong link with not enough updated software to protect you. One click and then minutes later we watch as load after load descends upon the breached XPS until finally it crumbles under the weight. Bluescreen. Game over.
With 15,000 pieces of malware detected every day and so many weaknesses in operating systems and so much human error and oversight, I walk out of the briefing into the day bamboozled by fear and dazed by the light. It’s easy to panic until you realize what all this means. No one should be scared by e-commerce or online banking or data theft through the web. The virtual world is just the same as the real one. You just have to use common sense. Going online using XP with no service packs or anti-virus is like walking down the street with your mobile phone in your open palm and money pinned to your shirt. Now, that would’ve been ok five or ten years ago but the point Mr Gibson and friends are making is that the streets have got rougher. In Mayfair you might be ok but try it in Brixton and you won’t last long.
The infect rate of the load crews is still only around 30%, so there are plenty of people who are doing the right things. Update your software, patch your apps, use an anti-virus (a free one will do) and probably install Vista as well. It may be annoying but it’s got a very low infection rate. So remember kids, surf safe.