Malware is no longer the preserve of geeks, but increasingly comes from organised crime gangs based in Russia and eastern Europe.
In October, the Russian authorities jailed a gang of cyber criminals who were blackmailing online companies through distributed denial-of-service (DDoS) attacks.
The group had extorted more than £2m from a number of British online casinos and betting shops after threatening to attack their web sites and block access to customers.
One victim, Canbet Sports Bookmakers, refused to pay a £5,000 ransom demand and had its web site taken out of action.
Sitting in a high-rise block on the outskirts of Moscow, Eugene Kaspersky, head of research at anti-virus company Kaspersky Lab, says catching one gang is just a drop in the ocean.
‘To be a computer criminal at the moment is profitable and not very dangerous – there are more and more of them and the police are doing very little,’ said Kaspersky.
‘Technically, it is possible to trace anything, but to investigate cases properly you need to contact police from all over the world, and that is not possible at the moment. All we can do is act like a flak jacket.’
The job of a virus analyst represents a continuous challenge, says Kaspersky.
‘It is like a sport – the winner is not the team with the biggest budget but the team with the best players,’ he said.
‘But I do not expect that the security issue will be solved for years and years to come. There is still a lot of money to be made on both sides.’
At any one time, the Kaspersky virus laboratory has nine analysts working 12-hour shifts. A large screen in the middle of the room shows how many viruses have been identified in the past hour and who analysed them.
On the right of the screen is the virus watch, showing up-to-the-minute information about viruses released from different areas of the world.
Analysis work is continuous because threats appear every minute and virus authors have no respect for the time of day, says Kaspersky Lab senior analyst Alex Gostev.
‘I once came across 45 samples of the same worm in two hours,’ said Gostev.
‘On average, a new version of a worm is released every 10 minutes. Our reaction time has become very fast, but by releasing lots of variants they are trying to swamp us.’
Speed of response is crucial. It takes between one and five minutes to work through a virus and write a signature for it, though a complex, polymorphic virus can take up to three hours.
‘We have competitions in the office to see who can do it the fastest,’ said Gostev.
‘Some of the new guys take a while to get up to speed, but they are usually not far behind us after six months or so.’
The Kaspersky Lab team analyses an average of 10,000 viruses a month, an increase of more than 300 per cent on the average at the beginning of 2005.
‘These are not all new viruses,’ said Gostev. ‘Most of the viruses are simple variants – the code is written by one person, but is used by dozens of different people with only small differences.’
The company is developing automated systems to detect the simple variants of existing viruses so they can focus on the more complicated threats.
‘We are constantly developing new detection systems to help us deal with the simpler viruses,’ said Gostev. ‘Our dream is to create a virus analyst robot, but there will always be some things that we can do that a robot will not be able to.’
The most complicated polymorphic viruses are rare, but nearly always have a specific intent.
‘Often the really technologically complicated viruses are created with the specific intent of attacking a single database or network,’ said Gostev.
‘Employees can be planted in companies and then install Trojans that are controlled externally. They have often been developed from information from company insiders who know how the databases and networks work,’ he said.
Despite fierce commercial competition between anti-virus specialists, companies do exchange information.
‘Users must be protected as quickly as possible, even if that means losing a competitive edge sometimes,’ said Gostev.
‘If we protect our customers, but users of different types of anti-virus software stay unprotected, then their computers could be infected and used as part of new attacks that we then have to deal with,’ he said.
The three most serious virus epidemics
2000
The Love Bug, also known as the ILoveYou and the LoveLetter virus, sent itself to PCs using Microsoft’s Outlook email program. The virus then deleted files, including MP3, MP2, and JPG. It also sent usernames and passwords to the virus’ author. LoveLetter spread across the US and Europe in six hours and
infected 2.5 million PCs, causing an estimated
$8.7bn (£4.4bn) of damage.
2003
The Sobig Worm infected millions of Microsoft Windows PCs in August 2003. It set the record for the highest number of emails used by a virus. One anti-virus firm detected one million copies in 24 hours.
2004
The speed with which the MyDoom virus spread across the world was the key to its destructive capacity. In just a few hours, MyDoom spread so rapidly it accounted for about 30 per cent of all global email traffic and generated in excess of 100 million infected emails in its first 36 hours, blocking networks and overloading servers.
From
Russia with Malice
Email gives
way to new virus distribution tactics
reader comments