1 May 2011

The cyberplague that threatens an internet Armageddon

In 1971, Bob Thomas, an engineer working for Bolt, Beranek and Newman, the Boston company that had the contract to build the Arpanet, the precursor of the internet, released a virus called the “creeper” on to the network. It was an experimental, self-replicating program that infected DEC PDP-10 minicomputers. It did no actual harm and merely displayed a cheeky message: “I’m the creeper, catch me if you can!” Someone else wrote a program to detect and delete it, called — inevitably — the “reaper”.

Although nobody could have known it 40 years ago, it was the start of something big, something that would one day threaten to undermine, if not overwhelm, the networked world. For as we became more and more dependent on information and communications technology, we were also subjected to a plague of what came to be called “malware”.

It’s an ugly term, as befits something that covers a multitude of sins, all involving computer code designed with destructive or malevolent intent. It includes not only viruses, which are programs that replicate by copying themselves into other programs, but also worms (self-replicating programs that use a network to send copies of themselves to other machines on the network, with or without human assistance) and Trojans (similar to viruses but instead of replicating they infiltrate a computer and perform some illicit activity, possibly under remote control). Malware also refers to other evils: the junk mail we call spam; “phishing”, or trying to hoodwink internet users into revealing bank account passwords etc; page-jacking, which makes it difficult or impossible for a victim to get rid of a web page; and other scams.

The malware plague has gone through several phases. It began in a harmless and experimental way with the creeper and a worm released on to the internet in 1988 by Robert Morris, a student from New York State’s Cornell University. Morris wanted to find out how many computers were connected to the internet so he wrote a small program that would install itself on every machine it found and send back a “present and correct” message.

But there was a flaw in his code that meant the worm replicated. On 2 November 1988, network administrators realised something was up because their machines — and the network itself — had slowed to a crawl. In the end, the culprit was identified and carpeted, though it doesn’t seem to have done him any lasting harm: Morris is now a professor at the Massachusetts Institute of Technology.

Malware began on the internet, but its next phase involved the stand-alone machines we now call personal computers. In 1982, a Pennsylvanian teenager named Rich Skrenta created the “elk cloner” virus that infected the Apple II, then the most popular personal computer in upmarket US households. Skrenta’s virus covertly altered the floppy disk needed to boot up the computer, displaying some doggerel on the screen on start up. It was annoying but harmless.

Early PC malware tended to be like that — irritating but not terribly destructive. And malware spread slowly, because most of these PCs were not networked; infections spread by “sneakernet” — ie users sharing floppy disks. The real trouble began when domestic internet use exploded in 1993. From then on, an infected PC was a potential menace not just to its owner, but to other machines with which it communicated.

Motiveless destructiveness

For many people, early malware was a baffling phenomenon. It was seen as something akin to physical vandalism in the real world — hooligans despoiling an environment for no obvious reason. What motivated them? Nobody knew, though several psychologists had a go at explaining it. The notion that malware was motiveless destructiveness was fuelled by the fact that much of it was imitative, carried out by “script kiddies” — non-programmers who downloaded DIY virus-construction kits.

In the 1990s, malware development accelerated. When Microsoft released Windows 95, it rapidly became the de facto standard for the PC industry and the world’s IT systems came to exhibit the characteristics of a monoculture: millions and millions of PCs across the globe, all running the same software, all sharing the same security vulnerabilities. At the same time, domestic broadband connections became common. Suddenly, there were millions of machines, operated by people with little understanding of computer security, with shared vulnerabilities and fast connections to the network.

Most importantly, malware found a business model in the late 1990s. The fragility of the monoculture could be exploited for profit. Spamming — junk emailing — could now be done on a truly gigantic scale. Hitherto, it had required identifiable servers with broadband access to the net. But the new broadband environment offered a better infrastructure. All you had to do was find machines with fast connections, unpatched security vulnerabilities and non-savvy owners and infect them with a Trojan that would turn them into relay stations for spam (and which could be turned off just as easily, to avoid detection).

Spamming works because it can be very profitable. It costs very little more to send 10-million emails than it does to send 100. If you’re selling a packet of Viagra for $20 and you have a response rate of 0,1%, you’ll make $20 from 1 000 emails. But if you send out 10-million and have the same response rate you’ll be earning $200 000 a day. This is the kind of serious money that makes organised criminal gangs sit up.

The idea of covertly suborning networked PCs was a critical breakthrough for malware because it enabled malefactors to set up “botnets” — networks of compromised machines that could be remotely controlled. Nobody knows how many of these botnets exist, but there are probably thousands of them worldwide and some are very large. A list of the 10 largest in the US in 2009, for example, estimated that they ranged in size from 210 000 to 3,6-million compromised machines.

In addition to spamming, botnets can be used for a wide variety of purposes. They can, for example, launch “distributed denial of service” (DDOS) attacks on e-commerce or other web sites. Each machine in the botnet bombards the targeted site with simultaneous requests, repeated incessantly, to the point where the site’s servers buckle under the load or the site becomes unusable by legitimate customers. More sinisterly, botnets can be used for blackmail, effectively extracting protection money from retail sites to ward off the threat of a DDOS attack. Nobody talks about this in public, but it goes on.

‘Prices are negotiable’

Domestic PCs that have been compromised by Trojans can be put to other uses too. For example, they can covertly monitor their user’s keystrokes when logging into banking and other sites, thereby stealing passwords and credit card details. At a recent presentation by officers from Soca (Serious Organised Crime Agency), I was struck by a slide that showed how highly developed the online market in stolen credit card data had become. It showed a marketplace for “USA 100% APPROVED TRACK2 DUMPS” in which Visa debit card details were going for $8 and American Express details were $10. On another such marketplace, American MasterCard details cost $15 while European credit card details were going for $40 a pop. “Buying large quantities,” it said, “prices are negotiable for every customers.” (Grammar and spelling are not a speciality in this particular netherworld.)

We’ve come a long way from the creeper and elk cloner. The driving forces behind contemporary malware are financial gain and organised crime, much of it with its headquarters in Russia and other parts of eastern Europe. One of the most blatant examples of an online marketplace in stolen credit card data was CarderPlanet.com, a website ostensibly based in Vietnam, but operated by people based in Russia and Ukraine, and now shut down. A senior US secret service official described CarderPlanet as “one of the most sophisticated organisations of online financial criminals in the world” which had been “repeatedly linked to nearly every major intrusion of financial information reported to the international law enforcement community”.

Some of the principals behind CarderPlanet were arrested after an intensive campaign by the US authorities. But one of them, Dmitry Ivanovich Golubov, was subsequently released by the Ukrainian authorities and has allegedly started a political organisation called “the Internet Party of the Ukraine”.

The latest round in the malware saga came in June last year when the Stuxnet worm finally broke cover. Stuxnet infects Windows computers and spreads mainly via infected USB sticks, so it doesn’t require the internet for dissemination.

Once a USB stick has infected a machine, the worm uses a variety of tricks to infect other machines on the local network and to take control of them, but with an added twist. It looks for a special kind of programmable logic controller (PLC) made by the German company Siemens. If a PLC is found, the worm infects it using a vulnerability in the controller’s software and changes its code and thus its behaviour. This is scary because these Siemens controllers play a critical role in virtually every industrialised plant in the world, including water treatment plants, electricity grids, oil refineries and nuclear reprocessing facilities.

One target of Stuxnet was Iran’s controversial nuclear weapons programme, specifically the gas centrifuges it uses to enrich uranium. It is claimed that the worm reprogrammed the Siemens PLCs to cause over 900 centrifuges to spin uncontrollably while at the same time feeding back “normal” data to the plant’s operators, thereby concealing the problem until it was too late.

The fact that this has set back Iran’s nuclear programme by several years has led to speculation that the worm was the creation not of criminal hackers, but of a state agency (possibly Israeli or American). This hunch was supported by the fact that Stuxnet seems a pretty sophisticated piece of malware. Bruce Schneier, a leading security expert, estimates that it would have taken eight to 10 accomplished programmers six months to design, implement and test it under laboratory conditions. It’s difficult to imagine the criminal hacking fraternity having the resources to do that.

Why has malware become so pervasive and so difficult to combat? The main reason is that malevolent innovation is the downside of the open architecture of the PC and the internet. The combination of an open, programmable PC and a network that is open to anyone created a “generative system” which was uniquely hospitable to what has come to be called “permissionless innovation”. This had some amazing benefits — it gave us the world wide web, for example, Wikipedia, the Linux operating system and the Apache web-server software that powers a majority of the world’s web sites. But it has also given us the malware plague.

There is another, deeper, fear — that the mysterious botnets that have been assembled by the merchants of malware may one day be used in some co-ordinated way to engineer a massive global event — cyberspace’s equivalent of 9/11, if you will. If something like that were to happen, then the response of governments everywhere would be draconian. Just as civil liberties in western democracies were massively eroded by the aftermath of 9/11 and the ensuing “war on terror”, so the freedoms we have hitherto taken for granted in cyberspace would be correspondingly curtailed. The day might come when you’ll need a government licence to connect to the internet. Bob Thomas’s creeper could have a creepy inheritance. – guardian.co.uk