Companies, governments, institutions: beware of the dude carrying an iPod.
Bernhard Warner, Reuters’ excellent European Internet Correspondent, points out that the high-capacity iPod is getting banned from a lot of places as high-tech security risk. The UK’s Ministry of Defence “has become the latest organisation to add the iPod to its list of high-tech security risks” and “no longer allow into most sections of its headquarters in the UK and abroad”.
This policy kicked in when the MoD “switched to the USB-friendly Microsoft XP operating system over the past year”. And it’s not just the chaps from the MoD: Bernhard also quotes a survey of 200 mid-sized and large UK companies by security software firm Reflex Magnetics that says 82 percent of respondents said they regard so-called mobile media devices like the iPod as a security threat.
And it’s not just stealing stuff: Bernhard says technology consultancy Gartner a week ago “advised companies to consider banning the devices because they can also unwittingly introduce computer viruses to a corporate network”.
This all makes sense, but if you’re going to ban the iPod, you’re going to have to ban USB keychains, USB pens, microdrives and other small forms of storage. What about PDAs? What about smart phones?
Was the recent virus war just between kids, or something more sinister?
Mi2g, the British Internet security consultants, reckon not. “Upon analysing the juvenile dialogue between the malware writers of NetSky, Bagle and MyDoom it has been prematurely concluded by a range of commentators that this is a turf war between teenagers or college students seeking global notoriety. Whilst script kiddies are active in large numbers around the globe benefiting from freely available online hacking and malware authoring tools, a coincidental release of malware variants that have contributed to a tsunami is highly unlikely to be merely the work of teenagers.”
Some folk have pointed to discussion on some online bulletin boards as evidence of the gangstyle war behind these recent viruses. Mi2g see it differently: “It could well be that the teenager-type messages were deliberately left behind by more mature malevolents to benefit from the publicity of their intended disguise that delivers obscurity to the real motives behind this rapid release of malware variants and the colonisation of millions of zombie computers in homes, places of learning, government departments and corporations.”
The fact that Bagle and its many variaents involved advanced social engineering — tricks to persuade you to open, and therefore activate, the virus-laden attachment —
“suggests a high level of specificity in what the malware writers seek,” mi2g reckon. The email containing the virus mimics the email address domain to which it is being sent, thereby confusing the user (and confusing me too). Other elements convince mi2g these guys are not just mucking about:
The backdoors that are left open by MyDoom, for example, cannot be exploited easily by a novice;
Hundreds of thousands of tailor-made emails received over the last week carry a Bagle variant, for example, within an encrypted attachment that bypasses the defences of many corporations and ISPs;
- The rapacious way in which the address books are then plundered across the corporate network also suggests a more ‘legitimate email address‘ harvesting motive than simply an intellectual challenge frenzy between rivals.
Mi2g also points to the NetSky variants which also “sniff for evidence of MyDoom and Bagle infections as well as their previous incarnations before attempting to deactivate them”. Mi2g concludes that “groups of malware authors are battling for market share of infected computers and there is a protracted turf war underway, where large sums of money or valuable assets are involved. ”
I tend to agree, and have said so
, in my usual quiet way. But I think there’s a slight difference in my analysis and theirs. While mi2g say “It would be a folly to assume that all these groups of malware writers, who masquerade as juvenile teenagers, are not linked to trans-national criminal syndicate activity. All this suggests a grander financial plan than mere bragging rights”, I don’t believe they are grown-ups masquerading as kids. I think they are probably kids who are sharing some of the loot with the gangs.
In fact, I think it may be wrong to think of the people behind these scams as big established gangs. They may be relatively large in number for a culture not known to cooperate but, at a pop, I’d say there were no more than 10 or so per group — and, importantly, they are fluid and ad-hoc. For a scam to work you need someone with the brains to figure out how to extract money (the scammer), someone to do the coding (the coder), and someone to distribute it (the spammer). All of them could, in effect, be kids. To see what life among these kind of folk is like, look no further than Robin Miller’s interview on NewsForge with Andrew D Kirch, a security administrator who recently infiltrated some script kiddie groups. While script kiddies — generally derided for the belief they copy most of the code they use, they don’t write it themselves — may not be up to creating the viruses we’re talking about here, one gets a pretty good general idea of the culture.
It seems that there’s a purpose behind the viruses we’ve all been getting: old-fashioned extortion
. Reuters reports
that extortionists — many thought to come from eastern Europe — have been targetting casinos and retailers, but one recent high-profile victim was the Port of Houston. The attacks, which can cripple a corporate network with a barrage of bogus data requests, are followed by a demand for money. An effective attack can knock a Web site offline for extended periods.
Online casinos appear to be a favorite target as they do brisk business and many are located in the Caribbean where investigators are poorly equipped to tackle such investigations. Police said because of a lack of information from victimized companies, they are unsure whether these are isolated incidents or the start of a new crime wave.
Last week, the online payment service WorldPay admitted to suffering a major DDoS attack that lasted three days. WorldPay, owned by the Royal Bank of Scotland, has been fully restored. The NHTCU spokeswoman said the investigation into the WorldPay is ongoing.