[ISN] Security expert Q&A: The virus writers are winning

InfoSec News isn at c4i.org
Thu Aug 5 06:09:49 EDT 2004


By Bob Brown and Neal Weinberg
Network World Fusion, 08/04/04

Mikko Hypponen has made a name for himself as a computer security
expert in directing anti-virus research at Finland's F-Secure, a $45
million company that regularly issues alerts warning of network
threats. He spoke recently with Network World News Editor Bob Brown
and Features Editor Neal Weinberg about the latest viruses and what
enterprise network executives are up against.

What's your take on Mydoom.M, the latest worm making the rounds?

 It's a really interesting technique, remembering how big Mydoom.A was
in January. It was the single largest e-mail outbreak in history.
Mydoom made headlines then because it was attacking SCO.com and then
later on Mydoom.C was attacking Microsoft.com.

What's happening here [with Mydoom.M] is that the attack that made
headlines with Google going down wasn’t really an attack on Google. It
was just using Google to harvest more e-mail addresses. But what
Mydoom.M left behind was a back door. We've seen this already with
Mydoom.A, which left a back door and several days later its authors
scanned public addresses looking for Mydoom.A-infected computers and
then installed a spam proxy Trojan called Mitglieder. What seems to be
the case with this new Mydoom is that instead of dropping in a spam
Trojan they've dropped in a [Distributed Denial-of-Service] client
aimed at overloading Microsoft.com's front page, though it hasn't been
too successful.

Do you have any idea who is behind it?

I think it is the same people not only behind the other Mydooms, but
also behind Bagle. Possibly even behind SoBig and others. I don't have
any concrete evidence on where these guys are operating from, though
there are some indications they have come from Russia and are living
in central Europe.  I think it is more than one guy and that they are

What are the chances of catching them?

This year has been really good at catching virus writers. But all the
arrests have been kids and small-time players, none of the
professional virus writers have been caught. The ones that have been
caught are not really the worst guys, the ones who are doing this for
money that they put back into development of their malicious code.

So these guys are doing this for profit?

With [Mydoom.M] they don't appear to make money. But looking at the
previous Mydoom variants and the Bagle operations the target is to
create a very large network of interconnected computers and either
turn them into spam proxies or free hosting servers, then steal
information like credit card numbers, passwords, user accounts. By far
the largest benefit is spamming; most spam today is being sent from
infected DSL- or cable-enabled home computers.

There are layers. You don't just have the virus writer writing a virus
and then using the computers to send spam. You have one group writing
the viruses. Once they create a list of IP addresses, they sell those
to underground bulletin boards, many of which are run in Russia or
China. The going price seems to be $500 for 10,000 IP addresses. That
probably gets resold a couple of times before a spammer picks it up
and starts using it. It really gets hard to trace the route backwards.

What do you think of Microsoft and others offering bounties to nail
virus writers?

It's great. What's most important is that they put pressure on virus
writers as they become afraid of others ratting them out. Obviously
Microsoft can afford to put up the bounties, though it hasn't had to
pay anything yet from what I know.

Who's winning this battle?

The virus writers always have the upper hand because they have access
to [security vendors'] products. They can download like anyone else.  
Why would they release a new virus that could be detected by McAfee or
Symantec or us?

There is no easy answer to this problem. Of course if you want to
protect a computer you have the three basic rules, which are: run
anti-virus, run a firewall and keep patching. Or, of course, you could
just get rid of Windows and get Linux and forget all sorts of
problems. Much of the problem is that home computer users are
infecting corporate networks by accident.

What responsibility do ISPs have in protecting these home users in the
first place?

It's irresponsible to sell Internet connections without telling the
users of the risks. If you go out and buy an [Asymmetric DSL] box and
connect it to your computer and you don’t use a firewall you will be
hit by one of the network viruses. If your customers are running
Windows and it hasn't been patched and nobody is telling them that
they should do that, I think it is irresponsible to be offering
network connections. But many of the ISPs are now including basic
safeguards with their services and that's what we're specializing in
at F-Secure, most successfully with European ISPs.

Based on recent reports from F-Secure and others, it sounds like
viruses hitting mobile devices could be the next big headache. How big
an issue is this?

Such viruses really hadn't appeared until this summer, with Cabir, the
first proof-of-concept virus to hit Symbian-based Bluetooth phones.
It's really interesting because it is the first virus that spreads
based on proximity -- if you are close to other Bluetooth devices you
can spread the virus. Imagine someone with an infected phone getting
on a crowded subway and transmitting the virus to hundreds of other
phones.  Then a couple of weeks ago we found a proof-of-concept
PocketPC virus from the same group of virus writers.

PocketPC is a very open platform and it's very easy for developers to
get their hands on code and port any desktop Windows software to
PocketPC. The fear is that such viruses eventually could be used to
make phone calls, send text messages and even delete phone numbers.  
These viruses haven't gone into the wild, but they're out there and
how likely is it that some kid will download them and try them out in
the wild? Very likely.

What's your overall take on the virus situation today?

It's been getting worse and worse. I entered the business in 1991, but
then things were easy. Back then we just had boot viruses that used to
be physically carried around on a disk to be spread, so it would take
a year for them to get around the world. Now with Slammer, Sasser,
Blaster and the others, viruses hit computers and networks all over
the world in a matter of minutes. We can't handle it. Of the 100,000
viruses seen over the last 18 years we've cracked every single one.  
But it's not a given that will continue to be the case. We might very
well see a virus some day that we can't crack.
