Sophos

Archive for April, 2008

I spy with my private eye..

Spyware. Image copyright (c) Sophos

Regular visitors to the Sophos website will be familiar with the case of Ruth and Michael Haephrati, the husband-and-wife team who wrote a Trojan horse and then sold it to detective agencies in Israel who used it to help business rivals spy on each other.

The Haephratis were sentenced to prison, and received a fine of almost £250,000, back in 2006.  But little has been heard until now of what punishment the detective agencies (who did the actual spying on behalf of corporate clients) received.

This week it was announced that three members of the Modi’in Ezrahi private investigation firm have been jailed after they were found guilty of using the Haephratis’ Trojan horse to steal commercial information.  A fourth man, the former CEO of the firm, made a plea bargain and escaped with just a fine.

The Haephrati/Modi’in Ezrahi case is rare because it is one of the few cases of industrial espionage using malware to have made its way through the courts.  Most malicious code written today is designed to steal from infected victims, but usually the goal is to pinch system resources, CPU time and bandwidth in order to send spam, or to run off with passwords and bank account information.

But clearly there are also people prepared to garner commercial advantage over their competitors by using such dirty tricks too.  One wonders how many other companies may be using malware to spy on their rivals, and haven’t had their activities brought to the attention of the authorities yet..


Virus-writing contests are still a bad idea

There has been a right hoohah in the media and blogosphere about the “Race To Zero” contest being arranged for the next Defcon conference.  In a nutshell, the “Race To Zero” organisers think it’s a good idea to encourage people to create new malware variants in order to test anti-virus products.

The idea of running a virus-writing competition isn’t a new one of course.  In fact, such contests stretch back at least 15 years.

In 1993, Mark Ludwig, the author of “The Little Black Book of Computer Viruses” and a virus writer himself, publicised what he called the “First International Virus Writing Competition” and urged participants to send in DOS-based functional parasitic viruses.  The one which was the smallest (in other words, took up the least number of bytes on the hard disk) would win a prize of $200 and a subscription to Ludwig’s virus-writing periodical, “Computer Virus Developments Quarterly.”

The winner of Ludwig’s competition was a malware author called “Stormbringer”, a member of the Phalcon/SKISM (Smart Kids Into Sick Methods) virus-writing gang.  By the way, Stormbringer’s true identity was later revealed when he attended the Virus Bulletin conference in San Francisco unsuccessfully seeking a job in the industry.  He turned out to be a young chap with a ponytail going by the name of Mike Ellison.

Phalcon/SKISM went on to unveil its own virus-writing competition in the pages of its electronic magazine, 40Hex, although details of who may have won that contest are lost in the mists of time.

The malware competitions run by Ludwig and Phalcon/SKISM were roundly condemned by the anti-virus industry, and similarly most people who work in the computer security field fail to see the benefits of the upcoming “Race To Zero” contest.

The fact is that there is enough malware already.  We don’t need contests to create new variants of malicious code.  We have seen more new malware variants in the last six months than in the last 25 years put together.

The “Race To Zero” organisers claim that one of their aims is to prove that signature-based anti-virus software is dead, because it cannot keep up with malware variants.  Well, whoopee-doo!  We know that relying on signature-based anti-virus is dead.  We know because we buried it.

In the early 1990s the first polymorphic, shape-shifting viruses emerged, which changed their appearance on each infection.  Some malware came in millions of different combinations, meaning that there wasn’t a simple “string” or “signature” to scan for which would be unique to the malware and absent from legitimate code.  Anti-virus companies all developed new detection techniques to counter these threats way back then, and have continued to develop their technology and defences.

So, although some vendors still try to seek media coverage by claiming that “traditional” anti-virus vendors rely on signatures for detection, it isn’t true and hasn’t been for about 20 years.  “Race To Zero”, therefore, proves nothing in this regard.

What also galls about the “Race To Zero” competition is that they are urging people to modify self-replicating viruses.  This is the very worst kind of malware to suggest that people experiment with.  Viruses copy themselves over disks, networks, USB sticks, the internet… Is this really the kind of malicious code with which hackers should be experimenting?  It is far too easy for a mistake to happen - remember that these hackers do not have the same secure lab facilities into which the security vendors have invested huge amounts of money - and for a new piece of malware to break into the wild.

The simple fact is that writing new malware teaches you nothing about how to write a better anti-virus.  That’s why anti-malware vendors don’t create viruses.  If the hackers at Defcon really want to give something back to the community, and prove how clever they are, how about a competition to write a better anti-virus?  How about some of them get together to develop software which works on a multitude of operating systems, can detect hundreds of thousands of different pieces of malware in real time without making mistakes, and can be seamlessly updated?

If they could do that better than the regular anti-virus companies, then that really would be of interest.


Facebook, trolls, temples and death threats

Thanks to those of you who have dropped me a line in the last week or so following this story on The Register, “Facebook Troll sends mob against Cluley.”

As the news story explains, some pumpkin-brain on Facebook thought it would be a good idea to create some controversial groups on the social-networking website and feed the flames by posting some inflammatory language.  So far, so normal.  But what this chap also did was decide to take one of my photographs and use it as his profile picture.

Inevitably, someone on Facebook recognised my picture, put two and two together, made five, and announced that I must be the person posting the nonsense onto the website.  Furthermore, encouragements were posted to bombard both my own work email address and other email addresses at Sophos with “information about what Cluley has been up to”.

All this was occurring as I was having a rather splendid holiday - with very poor internet connectivity - in Siem Reap, Cambodia.

Things got progressively nastier, as photos of me and my wife were posted to Facebook (complete with rather unflattering comments about my eyebrows and where I buy my shirts).  One guy, who claimed to be with the armed services, said that he had found out where my wife lived (probably not that tricky as my surname is somewhat unusual) and was considering shooting her.  Another emailed me saying he intended to burn down my house.


As my wife and I were adventuring Indiana Jones-style amongst the temples of Angkor Wat at the time, you can understand why we might have felt a little alarmed as to what we would find upon our return to the UK.  The poor internet connectivity also made it tricky to contact the outside world, but I did file reports to Facebook asking them to delete the offending material.

Facebook’s response was, I’m sad to say, mixed.  Maybe I’ve upset them in the past, but I would have expected them to have taken stronger action when presented with evidence of death threats on their network.  Instead, Facebook advised me to contact the police and only removed the photographs when I logged them as a breach of Sophos’s copyright.

What The Register’s news story doesn’t mention is that not only were hotheaded internet users making death threats against me and my wife because they believed I was responsible for the troll-like postings on Facebook, but there was also at least one group on Facebook which was created claiming I was a paedophile, and saying that web users could visit my site at grahamisakiddyfiddler.c**t.uk.  Another group listed me as one of the “Top 20 c**ts on Facebook.”

I’m used to being disliked for expressing my opinions on computer security, I’ve even had virus writers lampoon me in their malware before, but to be on the receiving end of death threats against my wife and accusations of being a child abuser takes things to a whole new level of seriousness.

It was only when The Register published their story that Facebook finally removed all the slurs against me and my family and closed down the discussion groups that were, frankly, out of control. 

To my mind, Facebook should have acted faster in my case.  But I was fortunate enough to have connections in the media to make my position clear.  Imagine if I had been a more vulnerable member of society, or had not been alerted to what was being said about me?

And what is Facebook doing to stop this kind of abuse happening in the first place? A quick search on their website finds literally *thousands* of groups with extremely inflammatory titles and highly vulgar language.

British readers with long memories may remember that in 2000 The News of the World newspaper published a “name-and-shame” list of alleged paedophiles, which resulted in a paediatrician having her house vandalised, and innocent families asking to be rehoused as mobs descended onto the streets.  It seems to me that as more people get on the internet and believe everything that they read, the chances of mobs attacking innocent people rise all the time.

The News of the World was far from the most highbrow newspaper in the UK in the first place, but its decision to publish the names of alleged sex offenders brought it into even more disrepute. 

One wonders if Facebook fails to police itself properly whether it might do similar damage to its reputation and real harm to some of its users?


Alleged webcam peeping tom charged in Canada

Working in the computer security industry does mean from time-to-time that we come across some pretty unpleasant stories from the internet underworld. 

In the past we’ve told you about the lowlives who have preyed upon young women via webcams, using malware to either secretly capture movies of victims in their bedrooms or blackmailing them into removing their clothes.  This seems to have been an international problem, with investigations into webcam perverts taking place in countries such as Spain, Great Britain, and Cyprus.

The latest case to come to light is of a 27-year-old man who has been charged almost 60 times with allegations that he used malware to take over victims’ computers and intimidated young women into posing nude for him.

Daniel Lesiewicz, the owner of a computer support company, has appeared in a Montreal courtroom on charges of possessing and producing child pornography, extortion and threats.  According to the Sûreté du Québec, Lesiewicz made friends with teenage girls in internet chatrooms, sent them emails which infected their computers with malware, and then coerced them into posing naked online.

The victims are then said to have been contacted by another internet user called “Dave”, who told the women that nude photos of them would be posted on the net unless they posed again in front of their webcams.

Most victims were between 14 and 19 years old, but some women were in their twenties, according to a police spokeswoman.

What baffles me is why there are guys going to all of this effort to see (presumably grainy) footage of girls with not many clothes on?  Isn’t there a thing called the internet which is chockablock with photos and movies of glamorous nubile models - much of which you don’t have to pay for? 

Which leads me to think that maybe underage girls are the main attraction here - and that’s a really disturbing thought.

With many home users keeping poorly-defended PCs in their bedroom, there is clearly considerable potential for abuse - particularly amongst the young. The message is simple: keep your PC protected against the latest threats with anti-malware software, security patches and firewalls, and if in any doubt unplug your webcam when you’re not using it.

* Image source: YAXZONE’s Flickr photostream (Creative Commons 2.0)


German spooks deploy spyware against Afghan ministry?

An interesting news story broke this weekend in Germany.  According to reports in Der Spiegel, the BND - Germany’s foreign intelligence service - used spyware to monitor the Ministry of Commerce and Industry in Afghanistan.

Confidential documents, passwords and email communications are said to have been compromised by German spies, and sent to the BND’s headquarters in Pullach, Germany.

The news follows revelations last week that the BND had intercepted emails between Spiegel journalist Susanne Koelbl and Afghanistan’s Commerce Minister Amin Farhang.

Understandably, a diplomatic row has erupted between the two countries as a result of these revelations.

Of course, there have been rumours and accusations of different countries spying on each other using malware in the past.  For instance, in September 2007, the Financial Times reported that the Chinese military were being blamed for a cyberattack which targeted a Pentagon computer system serving the office of US defense secretary Robert Gates. The newspaper reported that the People’s Liberation Army (PLA) were being blamed for perpetrating the attempted hack. Media reports in The Guardian claimed that the British and German governments have also been subject to similar probes by hackers working for the PLA.

The fact is that spying has been going on between countries for thousands of years - whether it be for commercial or military advantage.  It would be dumb to think that nations would not take advantage of computers and the internet to assist them in their espionage activities, so we shouldn’t be too surprised to read these reports coming from Germany and Kabul.

Sophos’s position is that we detect all the spyware that we know about - regardless of who its author may be.  So, if this German-built spyware really does exist and it arrives in SophosLabs we will add detection of it regardless of whether it may be state-sponsored.  Indeed, perhaps with our proactive detection we may already be detecting it.

The advice for companies, organizations and governments alike is to keep their malware defenses up-to-date and ensure that proper security is in place to prevent intruders (be they cybercriminals or foreign government spies) from stealing information.


Shifting sands in the P2P landscape

Some new research published by the Digital Music News Research Group has revealed some interesting changes in the use of peer-to-peer file-sharing applications.

Limewire rules the roost - according to the Digital Music News Research Group’s data it accounted for 36.4% of all P2P use in September 2007 (it was 34.1% a year before). The second most popular file-sharing application is µTorrent, which rose from 3.0% in September 2006 to 11.3% a year later.  Other products which have had their usage detailed include BitTorrent, Ares, Azureus, eMule, BitComet and Frostwire.

So why does this all matter to people tasked with securing their business?

Well, P2P file-sharing is not only a way for copyrighted material like music and movies to end up on your network, and a potential hit on your internet bandwidth, but it has also been a source for malware infection in the past (read about this Trojan which spread via the Japanese Winny P2P network for instance).

Furthermore, there have been countless incidents of uncontrolled use of P2P file-sharing applications leading to confidential data accidentally leaking into the public domain.

It’s important for all businesses to control their users’ behaviour online to avoid the problems of malware infection, accidental data leakage or copyright theft. One way to do that is only to allow authorised users to run approved P2P clients.

<shameless product plug> 
Sophos’s Application Control functionality - which is integrated into Sophos Endpoint Security and Control - puts the power in system administrators’ hands to control usage of all of the P2P clients mentioned in the article above, apart from Frostwire. We’ll have added Frostwire to the list by the end of this month.  Of course, we also provide control over computer games, instant messaging applications, VoIP, and much else besides.
</shameless product plug>

* Image source: Anthony Piraino’s Flickr photostream (Creative Commons 2.0)


Will you be wishing Trojan Horses a happy birthday tomorrow?

Trojan horse. Image copyright (c) Sophos

If my maths is right (and it probably isn’t), Trojan horses will be 3193 years old tomorrow.

Yes, according to military historians the city of Troy fell to the Greeks on April 24, 1184 BC, following a ten-year siege.

Of course, no-one would fall for that kind of trick in these enlightened times would they..

When I first started working in the computer security field in the early 1990s, it wasn’t uncommon to find “dirty dozen” lists posted on Bulletin Board systems like Fidonet of known bad programs. The idea was that you would memorise the list, and would be careful not to download that particular program.

Can you imagine that working now?

Although Trojan horses faded into the background as the 1990s progressed and malware authors concentrated on spreading their self-replicating viruses and worms as far and as wide as possible, the emergence of financially-motivated criminals in recent years has turned things around once more.  We see more Trojan horses today than viruses or worms.  Most of the malware SophosLabs encounters is written to steal from your PC via a Trojan horse. 

Whether the end goal is to steal your identity or consume your bandwidth by turning your PC into part of a spam-spewing botnet this isn’t a Trojan war being fought over the beauty that was Helen of Troy, but a fight for your hard-earned money.