IT strategy: Spy games – tackling malware

The first computer virus to appear ‘in the wild’ reared its
ugly head in 1981. Created as a practical joke by a schoolboy, the Rother J
infection spread by way of floppy disk, but very slowly. Its ‘payload’ was to
display a short poem beginning ‘Elk Cloner: The program with a personality’.
Though distasteful for anyone who appreciates poetry, to repeat the famous Times
headline about a small earthquake in South America, there were not many dead.

However, the simple virus has been joined by worms, Trojans and other
malicious nasties collectively dubbed malware. And the creation of such malware
is no longer a hobby for socially-maladjusted nerds who should get out more
often. Neither does today’s malware take the form so beloved of Hollywood: when
an infected computer’s screen dissolves into black, to be replaced with a skull
and crossbones while Vincent Price laughs spookily in the background. In the
real world today, the worst types of infection are the ones that you do not know
have hit you.

Malware has become big business and organised criminals are muscling in on
the act. Targeted email attacks that exploit vulnerabilities in commonly-used
operating systems and applications are now a first line of attack, according to
the Top Cyber Security Risks report produced by the Sans Institute. Its analysis
of data from appliances and applications across thousands of enterprises that
have been recently targeted by cybercriminals reveals that these so-called
highly targeted ‘spear phishing’ attacks are now one of the gravest IT security
threats facing organisations. These differ markedly from the amateurish,
untargeted phishing attacks that feature millions of emails full of spelling
mistakes, urging recipients to enter bank user names and passwords into clearly
bogus websites.

The cyber criminals behind spear phishing campaigns typically research their
victims thoroughly. The attack is launched by an email that targets a specific
organisation, or even a specific senior executive. This email, which appears to
come from a trusted source, is designed to elicit confidential information from
its unwitting recipient. In addition, such emails will usually contain links to
seemingly genuine websites hosting malicious software, which the victim will
unwittingly download if they click through to the bogus site. Once compromised,
the ‘zombie’ PCs can be controlled and made to spread the infection to other

A recent example of spear phishing saw thousands of CEOs and other executives
from major US companies receive seemingly genuine federal subpoenas by email.
These bogus documents called for recipients to testify before a grand jury in a
civil case and asked them to click a link and download the case history, which
was actually a malware cocktail.

This software logged keystrokes on infected PCs, including usernames and
passwords, before sending the information back to the controlling
cybercriminals. The use of password-stealing malware has jumped some 400 per
cent in the past year, according to a recent McAfee report.
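The subpoena lure described above combines several tells that a mail gateway or analyst can check mechanically: a Reply-To domain that differs from the apparent sender, a link whose visible text names one site while its href points at another, and a download that is actually an executable. The following is an added example, not code from the article or from the SANS, McAfee, MarkMonitor or Verizon reports it cites; it runs a handful of such heuristics over two constructed messages (one modelled on the fake-subpoena email, one benign internal note) using only placeholder `example.*` domains. The heuristics, the `find_indicators` function and the list of flagged extensions are assumptions made for illustration.

```python
"""Heuristic spear-phishing triage over raw RFC 5322 messages (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of file extensions a "download the case history" link should never end in.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".js", ".vbs", ".hta")

# Matches <a href="...">visible text</a>; good enough for a triage heuristic.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Constructed sample modelled on the fake-subpoena lure; all domains are placeholders.
SUSPICIOUS_EMAIL = """\
From: "US District Court Clerk" <clerk@court-notices.example.net>
Reply-To: records@mail-drop.example.org
To: ceo@corp.example.com
Subject: Grand jury subpoena - action required
Content-Type: text/html

<html><body>
<p>You are required to testify. Download the case history here:</p>
<a href="http://update.example.net/case.exe">https://www.court-records.example.org/case-history</a>
</body></html>
"""

# Constructed benign internal message for comparison.
BENIGN_EMAIL = """\
From: "Alice Smith" <alice@corp.example.com>
To: bob@corp.example.com
Subject: Q2 numbers
Content-Type: text/plain

Hi Bob, the Q2 report is on the shared drive at https://intranet.corp.example.com/q2
"""


def _domain(addr):
    """Lower-cased domain of an address header value, or '' if absent."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()


def _with_scheme(url):
    """Prefix a scheme so urlparse treats bare 'www.x.y/path' text as a URL."""
    return url if "://" in url else "http://" + url


def _host(url):
    """Lower-cased host of a URL or URL-looking text, or ''."""
    return (urlparse(_with_scheme(url)).hostname or "").lower()


def find_indicators(raw_message):
    """Return a list of 'kind:detail' strings for each phishing tell found."""
    msg = message_from_string(raw_message, policy=policy.default)
    indicators = []

    # 1. Replies silently redirected to a domain other than the apparent sender's.
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to-mismatch:" + reply_domain)

    # 2./3. Inspect every hyperlink in the preferred (HTML, else plain) body part.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor_html in ANCHOR_RE.findall(text):
        href_host = _host(href)
        shown = re.sub(r"<[^>]+>", "", anchor_html).strip()
        # Visible text is itself a URL, but on a different host than the real target.
        if re.match(r"(https?://|www\.)", shown, re.IGNORECASE) and _host(shown) != href_host:
            indicators.append("link-text-mismatch:" + href_host)
        # The "document" being offered is an executable.
        if urlparse(_with_scheme(href)).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            indicators.append("executable-link:" + href)

    return indicators


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, find_indicators(sample))
```

Each indicator on its own is weak (legitimate mailing lists set a foreign Reply-To, for instance), which is why the function returns the full list rather than a verdict: a gateway rule or analyst playbook would weight and combine them, and the executable-link tell is the one that should block delivery outright.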

Exact figures for the number of companies impacted by spear phishing attacks
are notoriously hard to come by, as those affected are often reluctant to reveal
details of such security breaches. However, the new MarkMonitor Brandjacking
Index revealed that, during Q2 2009, phishing incidents reached record levels
with more than 151,000 unique attacks.

This pessimism was echoed in a recently published report compiled by the
Verizon Business RISK Team, which manages IT security incidents for large
enterprises. It reveals that 90 breaches resulted in the theft of 285m separate
records last year. Most data breaches were found to originate from external
sources and 91 per cent of all compromised records were linked to organised
criminal groups. Custom malware, which had been created specially to launch the
specific attacks, was used to steal 85 per cent of these files.

It is clear the fight is ramping up against a well-resourced, well-educated
and totally ruthless criminal enemy able to create malware to order for specific
scams. Thousands of these unique, malicious applications are being written every
month and no technological solution could hope to intercept them all.

The sad truth is that there is no way to kill this monster but, to fight it,
businesses need to take a more holistic view of IT infrastructures and not
expect security to be provided by technology bolted on by IT departments. IT
must take the lead: antivirus and firewall systems need to be fine-tuned, and
access to unauthorised sites and use of unauthorised applications must be banned.
Passwords must be changed regularly. However, it is vital not to neglect the
human factor.

Employees at all levels need to be educated about the risks of cybercrime and
steps must be taken to change processes and policies so that risk is minimised.
These changes must be pervasive, systemic and regularly updated.

It may sound melodramatic, but constant and unceasing vigilance is the key:
just because you’re paranoid, it does not mean that they’re not out to get you.