Money talks for hackers
2004-09-20 08:35
New York - Online attackers are increasingly professional criminals bent on making money, a semi-annual study of internet threat trends due for release on Monday by security-software maker Symantec Corp shows.
While virus writers and hackers are still often portrayed as bored, crafty teenagers, today's most prevalent virus and hacking techniques and technologies indicate a more sophisticated criminal element is taking over.
According to the company's report, which covers the first half of 2004, viruses are now aggressively in the service of spam and identity-theft fraud schemes. Hackers are zoning in on e-commerce companies and small businesses, which have plenty to steal and can be easy targets.
Meanwhile, on the wane are the spectacular network worm outbreaks of recent years, which haven't been tools for monetary gain.
"It's moving toward more commercial motivation," says Alfred Huger, senior director of engineering for Symantec Security Response.
"With the change in motivation the quality has also changed ... I think we're likely looking at professional software developers in many cases."
Symantec's latest report shows a dramatic fourfold rise in the number of new viruses attacking Windows computers, to 4 496 during the first half of 2004, the largest increase the company has ever documented.
No headline-grabbing outbreaks
In many cases the viruses spread through e-mail and were new and improved versions of old viruses. The most prevalent e-mail viruses were the "MyDoom" virus and its variants.
Interestingly, most viruses during the period did not cause large, headline-grabbing outbreaks. Yet they were often more dangerous to computer users because of the hacker programs they typically carried.
Those programs were mainly designed to create huge networks of infected computers for use as anonymous spam relays or proxies to launch other attacks on internet users. Many quietly deposited so-called keylogger programs that collect people's sensitive financial-account information.
While Trojan horses were often at work here, viruses also installed "bots," increasingly popular hacker programs that allow remote control and networking of victim's machines that can be easily upgraded and used for a variety of nefarious purposes. Some bots spread among PCs by scanning for and exploiting those that run software with security flaws.
Over the first six months of the year, Symantec said it detected 30 000 bot-infected machines, up from 2 000 in the previous six-month period.
The largest culprit was "Gaobot" and its many variants, the second most common attack program during the period.
Hackers' profits come from controlling as many computers as possible. Spam networks, which range in size from 200 to 400 000 PCs, can now be bought and sold in the internet underground, he said, and are likely sending more than a third of all junk e-mail.
Small businesses, e-commerce firms easy targets
Cybercriminals' tactics have also changed when it comes to targeted hacker attacks on individual businesses.
During the period, attacks on e-commerce companies and small businesses shot up, making them by far the two most targeted groups. Companies providing business and financial services also saw increases, though they were much smaller.
Meanwhile, attacks on high-tech companies, previously the most attacked group, declined.
The jump for e-commerce companies reflects the attractiveness of their vast stores of credit-card information and position as a waypoint for products, Huger said. "They have a lot to steal is ultimately what it comes down to."
The increasing attacks on e-commerce companies in part reflects hackers' new interest in attacking web applications and the rising number of vulnerabilities being found in those programs.
Symantec documented 479 web application flaws in the six-month period, or 39% of the total 1 237 flaws it recorded, and 82% were considered easy to exploit.
And attackers became much more aggressive in their efforts to exploit them. During the most recent six-month period, the average time between the announcement of a software vulnerability and the appearance of an attack targeting it shrunk to 5.8 days from 99 days a year ago.
Activity markedly declined from so-called network worms, automated programs that spread from machine to machine directly through network connections by exploiting software flaws.
This type of attack, the most prevalent of which was the "Slammer" worm, have cost corporations billions of dollars in damages from shutdowns, but they haven't generally yielded anything tangible for attackers.