Malware unmasked

Posted on 27 Sep 2006 at 10:46

Behind the mask

The people who create malware are spread out as far and wide as the internet itself. However, the greatest concentrations are to be found wherever there's a combination of skilled PC users to write the code, the network connections to spread it and sufficient financial motivation to want to become a malware author in the first place. Educational establishments, for example, are awash with computer-savvy types in need of extra cash.

Indeed, there are a number of hacking groups based in and around the old Soviet Union, where computer education is high, but money is hardly abundant. Most famous is the 29A group that wrote the first mobile phone virus 'Cabir', but increasingly it is in Eastern Europe where organised crime is using viruses and spyware to collect financially sensitive information.

Another hotspot is the Far East, which has produced such viruses as the BIOS-damaging 'Chernobyl' from Taiwan and the 'I Love You' worm from the Philippines, which spread around the world's computers in 2000. Nor did the slow pace international legal system do much to dissuade others - the author of 'I Love You', Onel de Guzman, was never prosecuted because there was no relevant law to break in the Philippines at the time.

Though there are indeed a few particularly active areas of the globe in terms of malware creation, these may be driven by forces in other parts of the world.

"These days geographical distinctions are gone," said Greg Day, security analyst at McAfee. "Virus writers are using open-source methods to build malware. This might mean a virus-writer in Russia being hired by a spammer in the US and using a botnet based in Europe to propagate the malware."

Malware motives

So what drives people to spread malware in the first place? As discussed previously, early viruses were created predominantly to show computing skill. But in the past five years or so, the primary motivation for malware writing has become financial. In other words, in one way or another malware is making people money.

There are a number of ways that malware writers will attempt to exploit you or your PC for profit. The simplest is to use a virus to harvest large numbers of email addresses - from an Outlook contacts book, say - and sell them on to spammers. CDs of such collections of email addresses are openly traded online, each containing hundreds of thousands of contacts. But the profit on such transactions is minimal since they are relatively easy to collect.

For this reason, many malware authors have moved on from simply harvesting email addresses to focus on the collection of more sensitive information. Software like keyloggers and screen scrapers can record almost everything a computer user does or views, and with more people shopping and banking online such information can be very attractive to the right buyer.

Even so, recording every keystroke is inefficient because it generates too much information to sift through. More sophisticated malware may be designed to target and steal specific information. Just a couple of years ago, for instance, users of the online payment system e-gold were targeted by a Trojan virus designed to record their login details. Hijacked accounts were then used to buy untraceable items like pre-paid phone cards, which can be easily sold on.

Indeed, online-banking operations are prime targets these days, not just of keylogging malware, but also phishing websites - these are designed to resemble the online homes of legitimate financial organisations, in the hope that visitors will log-in in the normal fashion. Should someone fall victim and proceed with the log-in procedure, their username, password and so forth will be captured, giving the fraudster responsible an opportunity to access their bank account for real. Typically, the fraudster will then transfer some money to a local co-operative 'mule' - someone who has a bank account in the same country. The mule will then forward the siphoned cash to the fraudster in exchange for a commission.

1 2 3 4