The Sunday Business Post published an article yesterday in their Computers in Business Supplement. The article is The Virus Evolution and in it Gordon Smith discusses with me and a number of other industry experts the changes we have seen in how computer viruses have developed over the years.
Modern viruses are more complex than what we have seen previously. The main reason behind this trend is that organised crime is now heavily involved in the development and propagation of computer viruses. In previous years viruses were developed by people looking to become famous and gain “street cred” amongst their peers. Their motivations would be simply to gain notoriety as the individual who infected x number of PCs and therefore the type of viruses they wrote would be very noticeable.
Those virus writers are still out there but the majority of viruses are now being written by organised criminals, primarily in Russia, Eastern Europe and Asia. These viruses are written so the criminals can make money and are therefore designed not to be noticeable and to infect PCs silently. The main ways they make their money with viruses are as follows:
Some viruses have a feature whereby they monitor the keyboard and screen of the PC they have infected. All the keystrokes the user types are captured and then sent to the criminals, either via email or as a file transferred to a server under the criminals’ control. The type of information captured can include passwords, credit card numbers and banking details. Some of the viruses are now sophisticated enough to capture only the information the criminal wants by detecting, for example, when you access a secure website such as your online bank.
This is the biggest threat we now face. Botnets are computers that have been infected with a virus that enables the criminals to remotely control all the computers infected with that virus. So instead of having to rely on their own computers the criminals can now use thousands, if not hundreds of thousands, of infected PCs to carry out their activities. These include:
A botnet enables the criminals to send out spam which bypasses some of the traditional filtering methods. Previously spam would originate from one source so once identified it could be blocked by most filters by ignoring email from that source. This would force the criminal to find another server to send their spam from. With a botnet the criminal can send spam from each of the compromised computers that they have, so instead of thousands of emails coming from one source the criminal now just sends out one email from thousands of sources making it harder to detect.
In order to attack a site with a Distributed Denial of Service attack the criminals can have the thousands of PCs they control make legitimate requests to the target server, resulting in it being overwhelmed and in effect becoming unavailable to legitimate users. The criminals will then try to extort money from the target organisation to prevent the attack happening again.
Botnet for hire
Criminal gangs are now offering their botnets for hire to people who want to either send spam, propagate a new virus or conduct a DDoS attack against a victim. You can hire a botnet for a few hours for only a few hundred dollars. Many criminals are also now offering service level agreements and guaranteed levels of service to entice customers. Many of these customers would be people wishing to send out spam email but not having the resources themselves, or people targeting companies with a DDoS attack either to extort money or for other motives such as political ones or revenge.
Some viruses are written specifically for a certain target. The criminals, or indeed a hostile nation, may want information from a certain target. A virus will be written specifically for the target organisation so that specific information or other details can be extracted. That virus would then be sent to targeted individuals in the organisation either as an infected program, an infected document (Word or PDF) or most likely as a link to a website that has code on it to exploit vulnerabilities in the target’s browser which are then used to download the malware.
From an Irish point of view IRISS has seen these types of viruses installed on a number of compromised Irish websites. Very often the website owner is unaware that their site has been compromised and is now silently infecting the PCs of anyone who visits that site. These infections happen by the malware exploiting vulnerabilities in the client’s web browser. More recently vulnerabilities in some Adobe products have also been exploited. All of this is done seamlessly, so the victim will not notice anything happening.
IRISS has also been involved in dealing with Irish sites that have been compromised by criminals to host phishing sites for organisations outside of Ireland, e.g. financial institutions and tax authorities in other countries. People in the target country are then directed to the phishing site via phishing emails. Once they visit the site they are prompted to download the latest e-banking software, which is in fact an infected file that the criminals have put onto the website in order to capture the victims’ financial details.
Finally, IRISS has also seen Irish websites being compromised with malware that pops up a window within the victim’s browser to warn them that their PC is infected with a computer virus and to download a free anti-virus software tool to detect and remove the viruses. This software turns out not to be anti-virus software but is in fact a ruse to install viruses onto the victim’s PC. Some of this “scareware” also requests that the victim buy the software so it will remove the viruses, so the victim not only gets viruses installed on their PC but also pays for the privilege and of course has now given their credit card details to criminals.
How these Irish websites get infected we are not 100% sure, but we suspect one of the following:
- The criminals exploit a vulnerability in the web server software to place their malware on the site
- The criminals have obtained login credentials from the owners or the developers of the website as a result of a virus infecting the website administrator’s PC
- Weak login credentials are being used on the website, e.g. people using simple passwords to FTP information onto the site
To protect against these viruses you should:
- Use reputable anti-virus software
- Make sure your anti-virus software is updated regularly
- Apply the latest patches to your operating system and ALL the applications you use. Criminals are targeting other products such as Adobe, iTunes, Realplayer etc.
- Do not open files in email attachments until you have verified they come from a trusted source and there is a legitimate reason for them to send you the file
- Do not click on links in emails sent to you until you have verified they come from a trusted source and there is a legitimate reason for them to send it.
- Make sure users are aware of the risks – I recommend companies run these sessions with a view to educating people how to protect themselves online using their home PCs, as this gets better engagement from the staff because the issue is more personal to them
- Make sure you have email filtering to detect viruses, spam and other suspicious files.
- Make sure your web browsing gateway has anti-virus capabilities and will block suspicious files
- Make sure that mobile workers have appropriate protections on their laptops (e.g. the first three points above) and that they use a firewall on their laptop when accessing the Internet away from the office.
- Ideally you should try to force all their Internet connections to route via your company’s VPN and not allow them to access the Internet directly. Using your VPN connection ensures they have the same level of protection as if they were in the office.
- Ensure all mobile devices are checked for viruses before allowing them to connect back onto your network.
- USB keys are becoming a common vector for computer viruses to spread so make sure that you have appropriate end point controls in place to ensure infected USB keys cannot impact your network. For example, allow users to only use certain authorised USB keys (there are software solutions available to manage this) and disable the autorun feature within Windows which will help prevent any viruses from being run once the USB key is inserted into the PC.
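The last point above recommends disabling AutoRun so an infected USB key cannot execute anything when it is inserted. As an added example that is not from the article, the script below audits and, where needed, enforces that setting through the Windows Explorer policy value NoDriveTypeAutoRun (0xFF disables AutoRun for every drive type); it assumes it is run from an elevated PowerShell prompt on a Windows machine.

```powershell
# Added example: check and enforce the "disable AutoRun" recommendation.
# Assumes an elevated (Administrator) PowerShell session on Windows.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF   # bitmask covering all drive types: AutoRun off everywhere

function Get-AutoRunPolicy {
    # Returns the current DWORD, or $null when no policy value is set
    # (in which case Windows falls back to its built-in default).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-AutoRunDisabled {
    # Creates the policy key if it is missing and sets the value to 0xFF.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $AllDrives -Force | Out-Null
}

$current = Get-AutoRunPolicy
if ($current -eq $AllDrives) {
    Write-Output ('AutoRun already disabled for all drive types (0x{0:X2}).' -f $current)
} else {
    if ($null -eq $current) {
        Write-Output 'No AutoRun policy set; applying 0xFF.'
    } else {
        Write-Output ('AutoRun policy is 0x{0:X2}, not 0xFF; tightening it.' -f $current)
    }
    Set-AutoRunDisabled
    $after = Get-AutoRunPolicy
    if ($after -eq $AllDrives) {
        Write-Output 'AutoRun is now disabled for all drive types.'
    } else {
        Write-Warning 'Failed to set the AutoRun policy; check permissions and Group Policy.'
    }
}
```

Group Policy can overwrite a locally set value on the next refresh, so on domain-joined machines the same setting should also be enforced centrally rather than only on individual PCs.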
And for those Apple Mac and Linux users out there, don’t think that you are immune from these attacks. Many of the modern attacks are now targeted at the browser and applications and not just the operating system.