Wednesday, 19 November 2008

20 Years of Worms, Viruses, Trojans…..

It may come as a bit of a surprise that the first piece of malware to use the Internet to spread was released into the wild in 1988. The "Morris Worm" was written by Robert Tappan Morris, then a student at Cornell University in the US and who, embarrassingly, was the son of Robert Morris, the former Chief Scientist at the US's National Security Agency (NSA). His worm infected roughly 10% of all systems connected to the Internet at that time (bearing in mind that in 1988, the Internet had a grand total of 60,000 connections; today, this figure lies somewhere around 1.1 billion) and still holds the record for the largest percentage infection of the Internet.

Why is this relevant?

The explosion in the numbers of devices connected to the Internet has resulted in an explosion in the number of programs designed to compromise the devices connected to it. Ever since people started using the Internet, others have been trying to subvert them. It's an ongoing battle and anti-virus companies have been making large sums of money by trying to protect people from them. Sophos recently reported that they are receiving 20,000 new samples of malware every single day. And it's not the traditional e-mail attachment, promising titillating pictures of the latest B-list celeb, either; in the same report, Sophos say that they see over 16,000 new website infections every day. This means that simply by looking at a website, often from a genuine and reputable company, a machine can be infected without any interaction from the user.

It's not about fame anymore

In the good old days of virus writing, authors would write something that would throw up messages, immediately telling the user of the machine that they were infected. Some examples can be found on F-Secure's virus screenshot archive. These days, however, the whole malware space has become much darker. Viruses, worms and Trojans no longer advertise their presence but rather attempt to lurk on a users PC without their knowledge, quietly subverting the machine.

Why the shift in MO? Simple: Money.

These days, most malware is written to infect machines in order to take control of them. These "zombie" machines are then part of a "botnet", controlled by a "bot herder", who sells time on his/her botnet to the highest bidder. Essentially, these zombie machines can be used to do anything. The faster the machine and faster the Internet connection, the better. They can be used to launch "Distributed Denial of Service" attacks, where vast amounts of junk data are thrown at a particular company or website, with the intention of taking them off the net as part of an extortion exercise, or for the storage of porn. Far worse is the ability for paedophiles to store their collections on the infected PCs of unsuspecting users, allowing them to keep distance between themselves and their images.

Storm

The largest of these botnets that has been found to date is known as "Storm". According to some sources, up to 50,000,000 devices are zombies were part of Storm in September 2007. It has been reported that the bot herders running Storm were making profits of $9,600 daily, with spam being the main revenue generator.

What can I do?

Really, it comes down to ensuring your anti-virus is up to date (and this includes Mac and Linux users! I'll come on to why in another posting), ensuring your firewall is enabled and patch, patch, patch! I have been made aware of a free tool to tell you which programs installed on your PC need patching, and not just those written by Microsoft. Potentially any vulnerable component could be used to crack open the machine and zombiefy it. I really recommend downloading this application and updating those things it finds.

No comments: