Sophos

Archive for the ‘Botnet’ Category

Hospital networks back on the mend


The London hospitals struck by an infection of the Mytob worm earlier this week are returning to normal operation, according to The Register.

St Bartholomew’s (Barts) in the City, the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green had their networks shut down at the beginning of the week, following an outbreak of the computer worm, which can steal information and give remote attackers access to infected machines.

The case reminds me a little of what happened to the Northwest Hospital and Medical Center in north Seattle in January 2005. When it found that 150 of its 1100 computers were infected with malware, it too had to fall back on emergency backup measures. The facility’s intensive care unit was shut down, doctors’ pagers stopped working properly, and nurses are said to have run charts down hallways rather than transferring them electronically.

The following year, a 20-year-old hacker was sentenced to three years in jail and a $250,000 fine after being found guilty of the attack.

Anyone who still thinks that virus-writing is “mostly harmless” and only really hurts the foolish who don’t keep backups should consider the possible consequences of taking down a hospital network.


Microsoft announces death of OneCare

OneCare Rest In Peace

Microsoft has today announced its intention to kill off its commercial consumer OneCare anti-virus product.

In a move that is sure to send shivers down the spines of vendors like McAfee and Symantec, who have traditionally dominated the home user market for paid-for anti-virus products, Microsoft has announced its intention to release a free consumer product (codenamed “Morro”) in the second half of 2009.

In other words, it’s time to wave goodbye to OneCare, and say hello to Morro. (Sorry..)

Of course, “Morro” will not be the first anti-virus product given away for free to home users. Vendors such as AVG and Avira have made security software available to the consumer market at no charge for some time, in an attempt to raise brand awareness.

But a free anti-virus program coming from Microsoft is a rather different kettle of fish. They have the brand recognition and marketing muscle to make their free anti-virus software a no-brainer for the average guy in the street.

And let’s face it - anything which encourages Joe User to run up-to-date anti-virus software has to be a good thing. For too long all of us have suffered because of the legions of effectively undefended home computers that have been enlisted into botnets.

What will be fascinating is to see whether McAfee and Symantec have been caught napping by Microsoft’s latest announcement. For years, the two security hippopotamuses were the behemoths of the consumer security pond. They had the opportunity to gobble up the end-user market, and yet millions of home users were still infected by malware, spyware and pop-ups each year. When OneCare is killed off next June, will consumers pay for an equivalent Norton or McAfee product?

The cognoscenti may be nervous of running the same anti-virus product as every other home user on the planet, but are they really likely to be running a free security product from Microsoft anyway?

Microsoft protecting home PCs for free may prompt knee-jerk reactions, and perhaps even more price-cuts and giveaways in an already aggressive market.

Oh, and the other side of this coin, of course, is how will the malware authors react? If budget-conscious home users begin to adopt the freebie “Morro” in droves, then surely the first thing the bad guys will do is make sure their latest creation can slip past Microsoft’s scanner.


London hospitals hit by computer virus

Three hospitals in London are reported to be infected by a variant of the Mytob worm.

According to the BBC, St Bartholomew’s (also known as Barts) in the City, the Royal London Hospital in Whitechapel and The London Chest Hospital in Bethnal Green have been forced to shut down their entire computer systems as a result of the infection.

A statement on the Barts website has attempted to reassure the public and patients that the attack was being dealt with and that no one was in any danger.

Statement on Barts Hospital website about computer virus

According to The Register, some doctors have resorted to using pen-and-paper backup systems.

The Mytob worm spreads via email, planting a backdoor Trojan horse which can be used by remote hackers to gain access and control over a victim’s computer. The computer can then be spied upon (to steal confidential information), or used to send spam or launch denial of service attacks.

There will, no doubt, be concerns that the confidentiality of patients’ data may have been put at risk and the hospitals will surely be keen to reassure the public that security has been maintained.


Get Safe Online week 2008


Put your best dancing shoes on and deck the halls with bunting, because it’s that time of year again. Yes, it’s Get Safe Online week here in the UK.

International celebrities like Brad Pitt, Bill Gates and that little guy who used to be in Diff’rent Strokes are converging on London for a media blitz to help raise awareness amongst the British public of computer security issues. A 120 foot 3D hologram of Carol Vorderman will be beamed above Nelson’s Column to provide shoppers and tourists with tips on how to avoid having their online bank account raided, and how to upgrade their version of Internet Explorer. Meanwhile, episodes of top soap operas Eastenders and Coronation Street will feature storylines about identity theft and scareware.

Okay, so some of that last paragraph may not be entirely true.

But wouldn’t it be great if it was? You see, I think Get Safe Online is a terrific website with superb material on it, and there’s no doubting the very real determination of the people behind the organisation to spread the word about how to use the internet safely. But - and it’s a big but - no-one apart from security geeks seems to know about the website, and we’re hardly the most important people to train about computer security.

I hope the awareness week is successful in raising the profile of the site and of safe computing practices amongst the general public, but the government needs to put much more effort into educating the masses in how to surf safely online.


DDoS attack strikes anti-money laundering website

Bobbear is a British website designed to inform the community about websites set up by gangs stealing money from innocent internet users through email scams and money mule operations. You can normally reach it at www.bobbear.co.uk - but if you try to do that today you’ll probably discover that you can’t get through.

Bobbear denial-of-service attack

Bob Harrison, the administrator of the Bobbear website, got in touch with me this weekend to tell me that his site was under fire from a distributed denial-of-service (DDoS) attack launched from a botnet of compromised computers around the world. The botnet is bombarding Bob’s website with traffic, effectively blasting it off the internet and making it impossible for legitimate visitors to reach the site.

According to Bob, the botnet is “huge” with “over half a million recorded zombie hits from midnight to 8am today.”

This isn’t the first time that the Bobbear website has been attacked by the very criminals it tries to educate the public about. In October last year, hackers attempted to tarnish Bobbear’s reputation by circulating appeals for donations to the website via the online payment service e-Gold.

An attack like this is unfortunate news for the internet community, as it disrupts the dissemination of hundreds of pages of warnings about email frauds archived by Bob over the years. The only consolation Bobbear can take is that it must be having an impact on the fraudsters if they are prepared to launch an attack like this.


Lost for words? Nah, on holiday..

Apologies for the silence from the Clu-blog over the last few days.

Of course, it’s typical that when you take a few days holiday that various stories (large and small) will break in your absence. My wife always reminds me that it was while we were on holiday in Mexico that the notorious female virus writer Gigabyte was arrested.

So, if you can’t wait until I return to my desk on Monday, here’s a quick catch-up on some of the stories that occurred while I was out of keyboard range..

Spam takes a dive

Maybe the biggest story of the last few days has been the dramatic 75% drop in global spam which we witnessed after McColo was disconnected from the internet.

McColo is alleged to have hosted the command-and-control infrastructure for some of the world’s largest botnets, including Rustock and Pushdo.

Spamtrap connections to SophosLabs' spamtraps vs. time

Of course, the drop in spam levels is likely to be only temporary - but that shouldn’t stop us from congratulating people like Brian Krebs who helped make this happen.

Great work!

Inconsistent treatment for NASA hackers?

Remember Gary McKinnon, the British hacker who is facing extradition after breaking into NASA and Pentagon computers shortly after 9/11?

Well, his case contrasts dramatically with that of another NASA hacker sentenced this week. According to media reports, Victor Faur, a Romanian computer programmer who hacked into NASA, US Navy and Department of Energy computers has escaped a jail term.

28-year-old Faur received a suspended sentence of 16 months on Monday, and was ordered to pay a total of $238,000, after being found guilty of hacking into the government departments between November 2005 and September 2006.

What’s curious is that, as far as anyone can tell, the US doesn’t seem to be making much effort to extradite Faur to its own shores. And furthermore, years after the McKinnon incident, American military systems were still open to exploitation by hackers.

My guess is that McKinnon would be very happy to receive a fine (and even spend time behind bars) if it meant he could stay in his country of birth and be tried by a British court.

$1 million bounty offered for capture of identity thief

Earlier this month I applauded Express Scripts, which had refused to pay a ransom demand after data on some of its customers was apparently stolen by an identity thief.

Now the US-based company, which handles 500 million medical prescriptions every year, is offering a million dollar reward for information which might lead to the arrest and conviction of the thief.

Express Scripts have asked the FBI to investigate the theft - so if you have any clues about who might be responsible and fancy $1 million give them a call on 1-800-CALL-FBI.

Dental records extracted from University of Florida

The records of some 330,000 current and former patients at the University of Florida’s College of Dentistry were potentially compromised by hackers, reports revealed on Wednesday.

It turns out that the University’s IT team discovered unauthorised software on the computer system when they were doing a routine upgrade to the server in early October. Apparently, information stored on the computer included the names, addresses, dates of birth and social security numbers of dental patients reaching back as far as 1990.

There’s a worry here that educational establishments may be something of a soft target for identity theft and data leakage compared to, say, financial organisations, which are more used to looking over their shoulder for the next hacker attack. As more universities realise the severity of attacks like this, we’re likely to see them instilling the need for stronger security throughout their systems.


Guest blog: Will hackers make the iPhone an iPh0wn?

"Guest blogger Graham Lee, who is not only a near namesake of mine, but also the author of “Ten tips to secure Apple Mac laptops” and a senior Mac software engineer at Sophos, gives his personal opinion on the possibility of malware authors targeting Apple devices more in future. Over to you Graham…"

Graham Lee.. who is not the same as Graham Cluley

Security researchers like to tell us that malware authors have largely ignored the Mac because there aren’t enough users.

I think there are two reasons that they say this: the first is that it’s hard to disprove.

The Mac user base is rapidly growing (according to Apple, at 3-4 times the rate that the rest of the PC industry is growing) so when the next attack comes around the market share will indeed be bigger; and a little bit of hand-waving lets the experts navigate us past the fact that there isn’t necessarily a causal relation.

The second reason I’d like to offer is that it’s true; the “return on investment” for writing Mac malware is lower than that for Windows malware just because there are more infectable Windows systems.

While I’m channeling the marketing department, I could possibly investigate whether Mac support for a botnet is a “value-added differentiator” for cybercriminals ;-).

Anyway, readers with a mathematical bent might like to read When Malware Attacks (anything but Windows), a game-theory treatment which estimates that the tipping point comes when Macs account for 1/6th of the market share. When that magic number is reached, it will become financially worthwhile for a Windows malware author to “get a Mac”.

That seems a long way off, but I’m going to propose firstly that our idea of “Mac market share” is flawed, and secondly that the magic number is too high.

The proportion of computers on the internet running Mac OS X was estimated at 8% last month, and we know from Apple’s sales figures that there must be about 30 million Macs in use.

But what about the “other” OS X platform? What about the iPhone?

We also know from the fruity salespeople that there are at least 10 million iPhones knocking around (and presumably a few million iPod Touches have been sold, too).

If a bad guy can use a generic “OS X” exploit which targets technology or features common to the Mac and the iPhone, maybe the Safari web browser, then the number of boxes they can reach shoots past 40 million, turning that 8% figure into 11% or 12% - still not close to the 1/6th (roughly 17%) tipping point.

As for my second statement, that we need to reduce that magic tipping point number, my reason is simple. A compromised iPhone (or “0wned”, hence iPh0wn) is worth a lot more than a compromised Mac.

Macs, particularly laptops, where Apple’s sales are strongest, are not necessarily always on, and when they are on they are not necessarily connected to the network; and when they’re off or disconnected, they aren’t going to be very productive as spam zombies.

Mobile phones on the other hand tend to be left on all day, and whenever they’re on, they’re online. So the amount of use the botnets get out of an iPh0wn is much greater than that they get out of a Mac.

The way people interact with each device is also different; when I’m at my Mac I’m absorbed in whatever I’m doing, but for most of the day my phone is left in my pocket. Perhaps I’m just not as popular as some other people. Not only would I then not notice if the phone in my pocket was running slowly or connecting to the network more, but in fact I wouldn’t know what it means to have a “slow” mobile phone, as there’s no CPU meter or process viewer.

Options for securing the iPhone are limited - there isn’t a firewall, and availability of third-party security software currently severely lags other, clearly more popular, genres such as flashlight simulators and lightsabre-swooshy-things.

This means that from the attacker’s perspective, every iPhone is the same - hack one of them and you hack them all.

So taking 0wnership of an iPhone is cheaper than a Mac, and the chance of the user noticing is much lower.

Put all of this together and the worldwide cohort of iPhone users seem like very juicy targets for malware attacks - and if the criminals manage to bag a few thousand Macs into the bargain, well that’s just the icing on a zombie-ridden cake.


Who said email-based malware was dead?

Today SophosLabs has published its latest report into the state of spam - focusing on how the problem has become increasingly malicious.

It makes for pretty interesting reading - particularly the revelation that there are eight times as many emails containing malware file attachments as there were earlier in the year.

The report also includes some stats on the dirty dozen spam-relaying countries, with - you guessed it - America still in the lead. As you can see in this video, my colleague Carole thinks that’s pretty boring and predictable:

You can also listen to a podcast all about the spam report. I don’t know what was going through podcast producer Yogi’s mind when she named it “The Spam Surge Unzipped”. Search engine rankings I expect…


AKILL’s hacker accomplice served with three month sentence


A University of Pennsylvania student has escaped charges related to possessing child pornography, but has been sentenced to three months in prison for his part in a worldwide botnet of compromised computers.

22-year-old Ryan Goldstein pleaded guilty to his involvement in the hacking ring and assisted the FBI in its investigations, but then rather blotted his copybook by engaging in “unspecified mischief” with the agency’s computers.

According to the FBI, Goldstein worked with Owen Thor Walker, a New Zealand teenager known by the handle “AKILL”, who commandeered thousands of computers.

In July Sophos reported on how Walker had been fined $11,000 - including over $7,000 to the University of Pennsylvania, which suffered damage to its computer network - but managed to escape jail because he assisted police in their investigation.

Walker and Goldstein’s gang were said to have infected 1.3 million computers around the world, installing revenue-generating adware and stealing information worth US $20 million.

The several thousand illegal images of child abuse are not believed to be related to Goldstein’s hacking activities. However, despite their discovery on Goldstein’s computer, prosecutors decided not to charge the student in relation to the images because he assisted the authorities investigating the hacking ring.

Assistant US Attorney Michael Levy said the decision not to charge Goldstein with child porn was appropriate given his extensive co-operation. Some might argue that being interested in illegal content like that, and creating a demand for children to be abused, is more serious than hacking computers - but apparently that wasn’t the opinion of the authorities, so it was swept under the carpet.

Extraordinary.


Two minutes of spam with Google Earth

Next week we’ll be publishing our regular report into the top “dirty dozen” nations - in other words, those countries where the most compromised machines are found relaying spam to the rest of us.

It’s often a surprise to people outside the industry to learn that most of the time spammers don’t actually use their own computers to send their unwanted marketing messages - instead they use hacked PCs belonging to innocent people, taking remote control of them and forcing them en masse to pump out junk emails.

In SophosLabs we track spam in a number of ways. In this short video my colleagues Carole Theriault and Mark Harris demonstrate how we plot the PCs sending the spam using Google Earth.
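For readers who would rather see the plumbing than the video, here is an added example (my own illustration, not SophosLabs’ tooling) of the two steps behind a map like that: aggregate spamtrap log lines by the country of the relaying host, then emit KML that Google Earth can open. The log format, the IP-to-country table and the country coordinates are all constructed for the example; a real pipeline would consult a GeoIP database instead of the hard-coded table, and the addresses used come from the documentation ranges that map nowhere.

```python
"""Aggregate spam-relay hits per country and emit KML for Google Earth.

Added example, not SophosLabs' tooling. The log format, GeoIP table and
coordinates below are constructed for illustration only.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from xml.sax.saxutils import escape

# Constructed spamtrap log: one line per message, relay= holds the sending IP.
SAMPLE_LOG = """\
2008-11-20T00:01:02Z relay=203.0.113.17 trap=trap01 subject="Cheap meds"
2008-11-20T00:01:09Z relay=198.51.100.5 trap=trap02 subject="Your account"
2008-11-20T00:02:44Z relay=203.0.113.17 trap=trap03 subject="Cheap meds"
2008-11-20T00:03:10Z relay=192.0.2.200 trap=trap01 subject="Replica watches"
2008-11-20T00:05:51Z relay=198.51.100.77 trap=trap04 subject="Your account"
2008-11-20T00:06:03Z relay=not-an-ip trap=trap05 subject="garbage"
2008-11-20T00:07:30Z relay=203.0.113.40 trap=trap02 subject="Cheap meds"
"""

# Constructed GeoIP table: network -> (country code, latitude, longitude).
# Documentation ranges (RFC 5737) are used so nothing here points at a real host.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("US", 38.0, -97.0)),
    (ipaddress.ip_network("198.51.100.0/24"), ("RU", 61.5, 105.3)),
    (ipaddress.ip_network("192.0.2.0/24"), ("BR", -14.2, -51.9)),
]

RELAY_FIELD = re.compile(r"relay=(?P<ip>\S+)")


def parse_relays(log_text):
    """Return the relay address from each line; skip missing or malformed fields."""
    relays = []
    for line in log_text.splitlines():
        match = RELAY_FIELD.search(line)
        if not match:
            continue
        try:
            relays.append(ipaddress.ip_address(match.group("ip")))
        except ValueError:
            continue  # not an IP address; a real pipeline would log the line
    return relays


def geolocate(ip):
    """Longest-prefix match of ip against GEOIP_TABLE; None if unknown."""
    best = None
    for net, location in GEOIP_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, location)
    return best[1] if best else None


def aggregate_by_country(log_text):
    """Count messages and distinct relay hosts per country, keeping coordinates."""
    messages = Counter()
    hosts = defaultdict(set)
    coords = {}
    for ip in parse_relays(log_text):
        location = geolocate(ip)
        if location is None:
            continue
        country, lat, lon = location
        messages[country] += 1
        hosts[country].add(ip)
        coords[country] = (lat, lon)
    return {
        c: {"messages": messages[c], "hosts": len(hosts[c]),
            "lat": coords[c][0], "lon": coords[c][1]}
        for c in messages
    }


def dirty_dozen(stats, n=12):
    """Top-n countries by relayed messages, ties broken alphabetically."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["messages"], kv[0]))[:n]


def build_kml(stats):
    """One Placemark per country. KML orders coordinates as lon,lat,alt."""
    placemarks = []
    for country, s in dirty_dozen(stats):
        placemarks.append(
            "<Placemark>"
            f"<name>{escape(country)}</name>"
            f"<description>{s['messages']} messages from {s['hosts']} relay hosts</description>"
            f"<Point><coordinates>{s['lon']},{s['lat']},0</coordinates></Point>"
            "</Placemark>"
        )
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            + "".join(placemarks) + "</Document></kml>")


if __name__ == "__main__":
    stats = aggregate_by_country(SAMPLE_LOG)
    for country, s in dirty_dozen(stats):
        print(f"{country}: {s['messages']} messages from {s['hosts']} relay hosts")
    print(build_kml(stats))
```

Counting distinct relay hosts alongside messages matters for a “dirty dozen” ranking: a single chatty zombie can send more mail than a hundred quiet ones, so the two figures can tell different stories about where the compromised machines actually are. Save the output with a .kml extension and open it in Google Earth to see one pin per country.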

And don’t forget to look out for our latest spam report next week.