In cyberspace, a dark alliance
For years, they worked in shadowy corners of the electronic world. Spammers tried to get around filters and other network defenses to plant their junk e-mail. Virus writers exploited computers to take them over. Now, they're starting to work together.
Their emerging alliance is straining already embattled spam and virus defenses. For users, it means the Internet has grown more risky.
"They're learning from each other," says John Pironti, a security consultant at Unisys, the multinational information technology company. "The collaboration has begun."
Internet security experts are fighting back in the ongoing arms race of attack and defend. But right now the criminals are on the offensive. "We're way behind," says Stefan Savage, a computer science professor at the University of California at San Diego. Since 2001, he says, there have been "incredible advances in sophistication on the part of the bad guys. And yet what we do to defend is pretty much what we did five years ago."
Statistics seem to back him up. Today, not only is 63 percent of all e-mail spam, but 1 in 12 e-mail messages contains a virus, says MessageLabs, an e-mail security firm. That's a dramatic change from 20 years ago, when computer viruses spread slowly within limited networks or as floppy disks that had to be manually moved between machines. Today, the Internet zips these programs around the world at light speed.
Viruses can now enter computers as programs attached to e-mails sent by spammers. Once embedded in a machine, the viruses return the favor. By secretly taking control of computers, the viruses can create networks of "bots," programs that turn computers into "zombies." These computers are then employed by spammers to send out floods of anonymous spam messages.
These spams often include "phishing" scams - e-mails that appear to be from a bank or credit-card company but are really trying to steal account passwords or other financial information. Phishing has victimized some 1.8 million consumers and cost banks and credit-card issuers nearly $1.2 billion in the past year, estimates Symantec, a maker of computer-security software in Cupertino, Calif.
In the first half of 2003, the average number of bot networks monitored per day by Symantec was 2,000. By the first half of 2004, the number mushroomed to 30,000. Each bot network can contain thousands of infected computers.
Motivations have changed too. Early virusmakers wanted to show off. Today, criminals target individuals and businesses to try to make easy money. "We've definitely seen the motivation shift," says Brian Czarny, vice president of marketing at MessageLabs. His company first started noticing spammers and virusmakers working together back in the spring of 2003, he says. "Since then, it's grown exponentially."
Setting up in an Internet cafe anywhere in the world, these pirates can hit and run in a matter of hours. "They get somebody's identity, clear out their bank account, and then take off," Mr. Czarny says.
Other criminals hunt for personal data or a company's intellectual property for the purposes of extortion. "They send tidbits back to the organization and say, 'Look, I have your stuff,'" says Mr. Pironti, and then threaten to post the material on the Internet if their demands aren't met. In one recent example, a British man was arrested last month in connection with stealing source code from Cisco Systems.
Big companies already spend a lot of time and money on state-of-the-art computer security. But in a new twist, criminals are sneaking in by attacking the less formidable defenses of smaller vendors who are linked into corporate computer networks. "That's one of our biggest challenges right now," Pironti says.
Not only are attacks more frequent and malicious, they're more skillful too. Some viruses are "sleepers" that quietly embed themselves in a computer system for months before starting up, Pironti says. That way they become copied onto the backup version of the operating system, making them very difficult to root out. Once activated, they can also "phone home" to get new instructions.
The speed of virus attacks and the skill of the virusmakers today require new defense strategies, says Professor Savage, who is also the project director of the Center for Internet Epidemiology and Defenses. The virus-fighting initiative, funded by a $6.2 million grant from the National Science Foundation, officially begins this month.
Even top-notch computer scientists may take hours to design a "patch" to stop a virus, a response time that's far too slow, Savage says. The Slammer worm, for example, doubled in size every 8.5 seconds and spread around the world within 10 minutes. "At these kinds of speeds, any solution that involves a human in the loop, which is our state of the practice today, isn't going to fly," he says.
Savage and his partner, Vern Paxson at the International Computer Science Institute in Berkeley, Calif., have set two goals for their center: One is to understand better how worms and viruses spread, accumulating minute detail on their limitations and characteristics. They also want to better predict how fast a virus will spread and how destructive it will be.
Using that knowledge, they hope to build fully automated defenses "that take whole classes of attacks off the playing field, as opposed to addressing one particular attack that happened last week," he says. Right now, "it's like you're constantly trying to come up with a flu vaccine, but a new version [of flu] is coming out every day."
He and Dr. Paxson have been working on concepts such as "content sifting" and "scan detection," ways of identifying "very untypical behavior" of computers - such as suddenly contacting thousands of other computers - before an actual virus is discovered. They've been able to detect signs that a virus was at work 12 hours before the virus was found. Their aim is to identify a new class of worms or viruses and devise a way to block it in less than a minute.
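The "scan detection" idea described above, as an added example rather than code from the Center for Internet Epidemiology and Defenses: it flags a source that reaches an unusually large number of distinct destinations inside a sliding time window, the "suddenly contacting thousands of other computers" behaviour the article refers to. The flow records, host addresses, window and threshold are all constructed for illustration.

```python
"""Toy scan detector: alert when one source talks to too many distinct
destination hosts within a short sliding window (fan-out detection)."""
from collections import Counter, defaultdict, deque


def detect_scanners(flows, window=10.0, threshold=50):
    """Return {src: first_alert_time} for every source whose count of
    distinct destinations within any `window`-second span reaches
    `threshold`. `flows` is an iterable of (timestamp, src, dst)."""
    recent = defaultdict(deque)      # src -> deque of (ts, dst) still inside the window
    distinct = defaultdict(Counter)  # src -> dst -> number of flows inside the window
    alerts = {}
    for ts, src, dst in sorted(flows):
        q, c = recent[src], distinct[src]
        q.append((ts, dst))
        c[dst] += 1
        # Evict records that have aged out of the window for this source.
        while q and ts - q[0][0] > window:
            _, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if len(c) >= threshold and src not in alerts:
            alerts[src] = ts   # first moment the fan-out crossed the line
    return alerts


def constructed_flows():
    """Constructed sample traffic (not real captures): a benign workstation
    cycling through four servers, and a worm-like host that opens ten new
    destinations per second for eight seconds starting at t=30."""
    flows = []
    servers = ["10.0.1.1", "10.0.1.2", "10.0.1.3", "10.0.1.4"]
    for i in range(120):                       # benign: one flow per second
        flows.append((float(i), "10.0.0.5", servers[i % len(servers)]))
    for i in range(80):                        # scanner: 80 distinct hosts
        flows.append((30.0 + i / 10, "10.0.0.9", f"10.0.2.{i + 1}"))
    return flows


if __name__ == "__main__":
    # Expect only the fan-out host to be reported, around t=34.9
    print(detect_scanners(constructed_flows()))
```

A real deployment would tune the window and threshold per network role (mail relays and crawlers legitimately fan out) and feed the alert into a blocking action, which is the "no human in the loop" response Savage argues for.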
While thinking of these Internet-borne attacks as "viruses" is a helpful model, it isn't perfect, Savage points out. A computer virus is used by people who, like bioterrorists, have a malicious intent. It's not a random act of nature, he says.
Virusmakers also monitor online discussions about new defense techniques to learn how to get around them. Savage says he doesn't want to release information that can help attackers, but in the end, sharing information among colleagues will build the strongest defenses. "We're not going to be keeping all this stuff secret," he says.
While all attacks may never be stopped, he says he'll be satisfied if he can limit them to those from only a few really talented, if malevolent, people. "A 12-year-old shouldn't be able to take down the Internet," he says.
Not only is the stream of junk e-mail, or spam, rising, but an increasing share of the messages contain viruses, security firms warn. Among their findings:
• Nearly two-thirds - 63.5 percent - of e-mail in the first half of this year was spam, according to one analysis. That's up from 37.9 percent in 2003 and 1.5 percent in 2002.
• In January, 1 out of every 129 of those e-mails contained a virus; by June, 1 in 10 had one.
• The most common virus found in e-mail was the Netsky.P worm, which accounted for 28.4 percent of all viruses discovered in August.
• US sites originated 42 percent of August's spam, followed by South Korea and China (14 percent) and Brazil (4 percent).
Sources: MessageLabs, Postini