Tag Archives: F-Secure

Is That a Virus on Your Phone or a New Business Model?

This week’s WSJ.com column (subscription only) is about mobile viruses — or the lack of them. First off, I talked about CommWarrior, the virus any of you with a Symbian phone and Bluetooth switched on will have been pinged with anywhere in the world.

CommWarrior isn’t new: It has been around since March 2005. But this isn’t much comfort if you find yourself — as a lunch companion and I did — bombarded by a dozen attempts to infect our phones before the first course had arrived. So is CommWarrior just the thin end of a long wedge? Yes, if you listen to the Internet-security industry. “I can personally assure you that mobile threats are reality, and we have to start taking our mobile security seriously,” says Eric Everson, who admittedly has a stake in talking up the threat, given that he is founder of Atlanta-based MyMobiSafe, which offers cellphone antivirus protection at $4 a month.

But the security industry has been saying this for years about viruses — usually lumped together under the catchall “malware” — and, despite lots of scare stories, I couldn’t find any compelling evidence that they are actually causing us problems beyond those I experienced in the Italian restaurant.

For reasons of space quite a bit of material had to be dropped, so I’m adding it here for anyone who’s interested. Apologies to those sources who didn’t get their voices heard.

Symantec, F-Secure Security Labs and other antivirus companies call FlexiSPY a virus (though, strictly speaking, it’s a Trojan, meaning it must be installed by the user, who thinks the program does something harmless). “In terms of damaging the user, the most serious issue at the moment is commercial spyware applications such as FlexiSPY,” says Peter Harrison, of a new U.K.-based mobile-security company, UMU Ltd.

Not surprisingly, however, Mr. Raihan isn’t happy to have his product identified and removed by cellphone antivirus software, though he says his protests have fallen on deaf ears. “We are a godsend to them,” he says of the mobile antivirus companies. “They are fear-mongering as there is not a significant problem with viruses in the mobile space.”


Russia Gets Serious About Its Virus Writers?

Is Russia finally getting serious about its virus writers?

Kaspersky Labs and F-Secure, two anti-virus manufacturers, report that Evgenii Suchkov (or Eugene Suchkov, sometimes known as Whale or Cityhawk) has been found guilty of writing two viruses, Stepar and Gastropod. Suchkov was sentenced in the Russian republic of Udmurtia, and while he was only fined 3,000 rubles ($100) — a sentence which has attracted some derision — Kaspersky’s analyst reckons now “Russian virus writers know that they are not always going to be able to hide from the law. And the world knows that Russia is doing something about virus writing”.

Suchkov, it appears, is no small fish. He’s believed to be a member of 29A, a notorious virus writing group, according to Kaspersky, which also believes he’s a member of the HangUp Team, a group I’ve tried to look more carefully at for their alleged role in phishing. Interestingly, a Czech member of 29A was recently recruited by a Czech software company, a move which has ignited some controversy, not least because it would appear to make virus writing a good way to prepare a CV for more legitimate work.

I tend to agree that hiring these guys might not be the best idea. Beyond the moral hazard issue — why should virus writers care about getting caught if they know it will lead to a job anyway? — there’s the issue of where this guy’s loyalties may lie. Is he going to try to stop his old buddies from doing their thing? Or track them down? And even if he did want to do good work for his new employer, he’s going to be a marked man for his former buddies who, it’s believed, have active links to the Russian mafia.

The point to remember is that virus writing is now an industry, or sub-industry, of the criminal underworld. So no longer could one argue that these guys are just lonely geeks trying to get some attention. They do what they do for money, which means a virus, worm or trojan is a piece of code designed to do something specific. It’s probably done to order. If one of these virus writers is now working for the other side, I would hope his new employers take a good hard look at his motives: If he’s a good virus writer he could probably command significant amounts of money. Is he going to say goodbye to all that?

Finally, Mikko Hypponen of F-Secure suggests that there may also be traffic the other way. “F-Secure also has evidence which suggests that spammers have successfully recruited anti-spam software developers to their side,” Hypponen says in a recent email. He points out that “spammers make money from their efforts; that’s why they can actually afford to invest in making their attacks better.” Anti-spammers going to the dark side? There must still be good money in it somewhere. I’ll try to find out more.

The Year Of The Worm

Nothing new in this, but a fascinating summary of this year’s viruses, and a sober reminder of how tricky it’s all getting: F-Secure’s review of 2003 makes for interesting reading. This for example, on how the Slammer worm caused so much network traffic:

In theory, there are some 4 billion public IP addresses on the Internet. The Slammer worm was released on January 25, 2003 around 04:31 UTC. By 04:45 it had scanned through all Internet addresses – in less than 15 minutes! This operation can be compared to an automatic system dialing all available phone numbers in the world in 15 minutes. As on the net, only a small number of phones would answer the call but the lines would certainly be congested.

Or the Bugbear.B worm, which tried to steal information from banks and other financial institutions:

To this end, the worm carried a list of network addresses of more than 1300 banks. Among them were network addresses of American, African, Australian, Asian and European banks. As soon as this functionality was discovered, F-Secure warned the listed financial institutions about the potential threat. The response time of the F-Secure Anti-Virus Research Unit was 3 hours 59 minutes from the detection of the worm to the release of an anti-virus update. F-Secure also published a free tool to clean systems affected by Bugbear.B.

Or Sobig.F, which waited for a couple of days after infecting a machine and then turned affected machines into e-mail proxy servers:

The reason soon became apparent: spammers, or organizations sending bulk e-mail ads, used these proxies, which Sobig had created, to redistribute spam on a massive scale. Computers of innocent home users were taken over with the help of the worm and soon they were used to send hundreds of thousands of questionable advertisements without the owner being aware of this.

It is likely that there’s a virus writer group behind Sobig. They planned the operation, then used the worm to infect a huge number of computers and then sold various spammer groups lists of proxy servers which would be open for spreading spam. It was clearly a business operation.

A great read, and fodder for a novel were it not just the start of a difficult time for the Internet.