/ 20 January 2014

Alistair Fairweather: Computer viruses are no longer for amateurs

Viruses have mutated well beyond disruptive nuisances into relentless plagues that can kill or cripple entire computer networks and the businesses that rely on them.
Viruses have mutated well beyond disruptive nuisances into relentless plagues that can kill or cripple entire computer networks and the businesses that rely on them.

Biological viruses are among the most rapidly evolving organisms on our planet. The same is true of computer viruses, except that malevolent human organisations are driving this evolution, not natural selection. The most recent strains of these digital pathogens are evidence that virus makers have reached a new level of sophistication.

Take CryptoLocker, a nasty piece of "ransomware" that swept through the world in October 2013. After tricking you into installing it – usually by masquerading as an attachment to a legitimate business-related email – CryptoLocker sets about stealthily encrypting every file on your computer.

This encryption essentially scrambles all your files, making them unusable by man or machine until they are decrypted. Since CryptoLocker uses 2 048-bit encryption – what used to be considered "military grade" – it is impossible to decrypt any of your data without having the appropriate decryption key.

That's where the "ransom" part comes in: when CryptoLocker has succeeded in encrypting all your files it pops up a window demanding $300 (or more) for the key that will decrypt them. It gives its hapless victim 72 hours to comply, after which the key is deleted forever. Payment is only accepted via (effectively) untraceable mechanisms like BitCoin and digital money orders that can only be purchased with cash.

The fact that criminals are using our own security tools to attack us is not particularly new. The computer security arms race has always been complicated by the fact that our enemies have access to the same (and sometimes better) technologies as those who defend us.

What is new is how organised and sophisticated these criminal gangs have become. Two decades ago viruses were almost exclusively the province of spotty misanthropes residing in their mothers' basements. These were people with an axe to grind or a point to prove (usually about their prowess at programming), not profit-maximising criminal enterprises.

What makes this new breed of virus maker particularly dangerous is that they have the resources to buy their way into digital ecosystems once effectively protected by their pay-to-play nature.

The global digital advertising supply chain is a perfect example of such an ecosystem. In the last 18 months, criminals have begun using a technique known as "malvertising" to attack the readers of large online publishers.

These criminals pose as legitimate buyers of advertising space, often purporting to be placing advertisements on behalf of trusted online brands. They approach online publishers or advertising networks (who buy and sell advertising space in bulk) and offer to buy large chunks of inventory, often over holiday periods. They are willing to pay up-front for this advertising space, although they will try to negotiate 30 or 60 day payment terms if they can.

For the first few days of the agreement, the criminals deliver innocuous but fake adverts to the unwitting publishers – just enough time to lull them into a false sense of security. As soon as the proverbial coast is clear, the criminals switch the fake adverts with malicious code that can infect readers' computers with viruses or fool them with scams.

Then, before either the readers or the publishers realise what is happening, the criminals switch back to the fake advert again, rendering the attack undetectable. They then repeat this cycle until they get caught.

This kind of bait-and-switch technique is possible because of the highly distributed and syndicated nature of online advertising. Adverts are often delivered to publishers via third party services; systems that act like giant clearinghouses for advertising space, matching buyers and sellers.

These services themselves routinely accept syndicated adverts, meaning that by the time an advert reaches a reader it might have passed through half a dozen different service providers. If only one of these service providers has lax security measures, the whole supply chain can be corrupted.

The Mail & Guardian was the target of a malvertising attack late last year. In our case the criminals were using another kind of ransomware – one that impersonates anti-virus software and requires you to pay to "upgrade" it and remove the (fake) viruses it has so helpfully detected.

The nature of the attack was so stealthy and sophisticated that it took the publication weeks to track down the source. Thankfully we at M&G have friends in the information security industry who helped us to do so. A smaller publisher might never have found and plugged this hole.

Another example of criminals' increasing willingness to invest money up front in their attacks emerged last week. Malware distributors have begun buying popular Google Chrome extensions and then using them to launch attacks on unsuspecting users.

Extensions are small pieces of software that add custom functionality to a browser. They typically do things like save a link to your favourite bookmark tool or share the article you are reading to Facebook. What makes them dangerous is that they can be remotely updated by their author without you giving them explicit permission.

This kind of unguarded back door is like mother's milk to criminals. Once they have control over the extension, they use it to silently inject all manner of horrific attacks into the users' computers. And because browser extensions are the last place most people would think to look, these attacks can continue for some time.

It's tempting to blame the original authors of the extensions, but if someone approached you and offered to pay you several thousand dollars for a piece of software that took you a couple of hours to write, chances are you would also sell.

And the fact that criminals are willing to spend tens of thousands of rands up front, shows you both how lucrative their activities are, and how skilled they are at balancing costs with benefits. Researchers at Symantec, a security firm, infiltrated the servers of a ransomware operation and found data that suggested these gangs can make millions of dollars per year from their schemes.

When Fred Cohen coined the term "computer virus" in his 1986 PhD thesis, he probably had no idea how apt it would prove. Nearly 30 years later, they have mutated well beyond disruptive nuisances into relentless plagues that can kill or cripple entire computer networks and the businesses that rely on them.

And yet these criminals remain a tiny minority. Computers have created trillions of dollars of value and unleashed the talents of billions of people. I would not exchange these enormous benefits for a world without viruses. But governments and ordinary citizens need to educate themselves about these threats, and soon. They are only going to get worse.