19 Oct 2009
The first computer virus to appear ‘in the wild’ reared its ugly head in 1981. Created as a practical joke by a schoolboy, the Rother J infection spread by way of floppy disk but very slowly. Its ‘payload’ was to display a short poem beginning ‘Elk Cloner: The program with a personality’. Though distasteful for anyone who appreciates poetry, to repeat the famous Times headline about a small earthquake in South America, there were not many dead.
However, the simple virus has been joined by worms, Trojans and other malicious nasties collectively dubbed malware. And the creation of such malware is no longer a hobby for socially-maladjusted nerds who should get out more often. Neither does today’s malware take the form so beloved of Hollywood: when an infected computer’s screen dissolves into black, to be replaced with a skull and crossbones while Vincent Price laughs spookily in the background. In the real world today, the worst types of infection are the ones that you do not know have hit you.
Malware has become big business and organised criminals are muscling in on the act. Targeted email attacks that exploit vulnerabilities in commonly-used operating systems and applications are now a first line of attack, according to the Top Cyber Security Risks report produced by the SANS Institute. Its analysis of data from appliances and applications across thousands of enterprises that have been recently targeted by cybercriminals reveals that these highly targeted ‘spear phishing’ attacks are now one of the gravest IT security threats facing organisations. These differ markedly from the amateurish, untargeted phishing attacks that feature millions of emails full of spelling mistakes, urging recipients to enter bank user names and passwords into clearly bogus websites.
The cyber criminals behind spear phishing campaigns typically research their victims thoroughly. The attack is launched by an email that targets a specific organisation, or even a specific senior executive. This email, which appears to come from a trusted source, is designed to elicit confidential information from its unwitting recipient. In addition, such emails will usually contain links to seemingly genuine websites hosting malicious software, which the victim will unwittingly download if they click through to the bogus site. Once compromised, the ‘zombie’ PCs can be controlled and made to spread the infection to other computers.
A recent example of spear phishing saw thousands of CEOs and other executives from major US companies receive seemingly genuine federal subpoenas by email. These bogus documents called for recipients to testify before a grand jury in a civil case and asked them to click a link and download the case history, which was actually a malware cocktail.
This software logged keystrokes on infected PCs, including usernames and passwords, before sending the information back to the controlling cybercriminals. The use of password-stealing malware has jumped some 400 per cent in the past year, according to a recent McAfee report.
Exact figures for the number of companies impacted by spear phishing attacks are notoriously hard to come by, as those affected are often reluctant to reveal details of such security breaches. However, the new MarkMonitor Brandjacking Index revealed that, during Q2 2009, phishing incidents reached record levels with more than 151,000 unique attacks.
This pessimism was echoed in a recently published report compiled by the Verizon Business RISK Team, which manages IT security incidents for large enterprises. It reveals that 90 breaches resulted in the theft of 285m separate records last year. Most data breaches were found to originate from external sources and 91 per cent of all compromised records were linked to organised criminal groups. Custom malware, which had been created specially to launch the specific attacks, was used to steal 85 per cent of these files.
It is clear the fight is ramping up against a well-resourced, well-educated and totally ruthless criminal enemy able to create malware to order for specific scams. Thousands of these unique, malicious applications are being written every month and no technological solution could hope to intercept them all.
The sad truth is that there is no way to kill this monster but, to fight it, businesses need to take a more holistic view of IT infrastructures and not expect security to be provided by technology bolted on by IT departments. IT must take the lead: antivirus and firewall systems need to be fine-tuned, and access to unauthorised sites and use of unauthorised applications must be banned. Passwords must be changed regularly. However, it is vital not to neglect the human factor.
Employees at all levels need to be educated about the risks of cybercrime and steps must be taken to change processes and policies so that risk is minimised. These changes must be pervasive, systemic and regularly updated.
It may sound melodramatic, but constant and unceasing vigilance is the key: just because you’re paranoid, it does not mean that they’re not out to get you.