I've been posting a lot lately on security issues like why Unix (or Linux) tends to be more secure than Windows, and why Firefox tends to be more secure than Internet Explorer. Now I want to talk about what that malware does to your computer, if you get it. I'm taking some great examples from Cisco's new 2009 Midyear Security Report, which I highly recommend you read.
Disclaimer: I used to work for Cisco (until recently), and know several of the authors. I'd also like to thank Scott Olechowski at Cisco for sharing his slides from the recent Gartner security conference with me - I've swiped a few of his screenshots, although the text in this post is all mine.
This is Willie Sutton. He robbed a lot of banks during his career, netting perhaps $2 Million - back when that was a lot of money. It's said that when asked why he robbed banks, he replied "That's where the money is."
That's the reason that some people write malware, and other people distribute it: there's a lot of money to be made.
People make money primarilly three ways:
- Delivering Spam for other people, or for themselves
- Spyware and keylogging
Some Spam is trying to sell fake Viagra and that sort of thing. The fact that it's still around (in massive quantities) says that there's a critical mass of people who fall for the scam. Perhaps not a lot in absolute numbers, but the cost of sending a Spam email is essentially zero. Even with a one-in-a-hundred-thousand success rate, if someone sends a hundred million spam messages, they can expect a fair number of sales from trusting marks.
People assemble collections of infected machines ("bots") that they can remotely control ("botnets"). They rent out their botnets to people who want to send Spam, at commercially advertised rates (well, advertised if you know where to look, and a lot of folks do).
Malware is big news, and everyone expects to run across it sometime. Even worse, anti-virus products have a long history of not stopping malware, so everyone expects that they could run across malware that their anti-virus scanner missed. Scammers are exploiting this expectation with fake "antivirus" programs. Their scam is to try to scare you into thinking you're infected, and then selling you a program to clean the "infection". Of course, there is no infection, and their program is the malware, so they win on both ends - your initial purchase, and then renting your now zombiefied computer to a Spammer.
They go to great lengths to make the "infection" look real, and to set up sites with "reviews" of their "anti-virus" program.
This is big, big business. Scott talked about one of the "Business Affiliates" who made $147,000 in ten days, with 154,000 installs and almost 3,000 purchases.
3. Spyware and Keylogging
Botnets were a huge customer concern in the security industry 2 or 3 years ago. The reason was that a lot of the malware was poorly written, and made user's computers run slowly or crash. It was so bad that the Helpdesk got swamped with users needing to get their computers fixed.
Malware is written a lot better these days, and doesn't crash systems nearly so much. Since users aren't breaking down the Helpdesk's door, it's not nearly as much of a concern - out of sight, out of mind. Gartner Group's John Pescatore makes the analogy of kidney stones vs. tapeworms. A tapeworm is pretty serious, but it doesn't hurt.
It doesn't hurt, but it's stealing from you. A keylogger intercepts every character you type and stores it in a hidden file. The spyware looks for information that would let the controller (the "botmaster") commit fraud - your credit card numbers, online gaming user names and passwords (surprisingly, this is big business), and especially your bank account number and PIN.
In an IRC chat between a Cisco security researcher posing as a Black Hat and one of the Botmasters, he said that he made $5,000 - $10,000 a week stealing bank information. The reason? Easy money. That and his criminal background made it hard for him to get a job.
There's a lot more in the Cisco report, and I recommend that you take the time to read through it. This is the environment you live in, and the truth shall set you free.
Remember, malware almost always targets Windows. It targets Internet Explorer vulnerabilities to install itself. It tries to trick you into installing it, by posing as an anti-virus, or saying you need a new Codec.
Borepatch's First Law of Security is "free download" is Internet Security speak for "open your mouth and close your eyes." Being smart, and not replying to Spam, or installing software from unknown sites will reduce your risk profile. Changing from Internet Explorer to Firefox will reduce your risk profile.
And changing from Windows to Linux will massively reduce your risk. Tomorrow I'll cover what this takes, what you give up (and what you gain), how you can date it before you marry it, and which Linux is best for you.
Thanks to Scott Olechowski at Cisco for sharing his presentation with me, and letting me steal parts of it. And thanks to Albert Rasch for prodding me to do what's turning out to be a very interesting (to me) and fun (to me) set of posts.
UPDATE 16 July 2009 15:55: Link to Cisco report fixed. Thanks, Eseell!