Malware myopia
Earlier this month, researchers discovered a cunning strain of malware, dubbed the Lurid Downloader, that has been systematically and silently stealing data from carefully targeted government computers in 61 countries.

The discovery was made by Trend Micro, a Tokyo-based computer security company, which identified the invader as a version of a well-known strain of malware that exploits vulnerabilities in the popular programs Adobe Reader and Microsoft Office. It inserts itself into a computer’s core, and then phones home to a remote operator who moves continually from domain to domain on the Internet to avoid detection.

The Lurid Downloader had been at work for more than a year inside sensitive government networks (diplomatic offices, space agencies, research institutions), mostly in Russia and countries that were formerly part of the Soviet Union. Once in place, the virus can easily hop around inside a network and, under the control of a remote operator, observe users’ keystrokes, peruse files and upload any data it wants to keep.
It is just the most recent example of the newest trend in cyberattacks, something those in the field have dubbed “advanced persistent threats,” or APTs. They forgo the more familiar blunderbuss methods of mass infection in favor of sniper-like precision, and they have begun bedeviling cyberspace like a cloud of stinging insects. All take advantage of the anarchic nature of the Internet itself, which emerged 30 years ago free of any central governance or oversight. Because of the essential fluidity of Internet Protocol addresses, which locate a computer in cyberspace, such attacks can be launched with little fear that authorities will be able to pinpoint their origin.

As modern society leans ever more heavily on the Internet for commerce, communications and the management of its vital infrastructures, its fragility becomes an ever greater concern. It was built to share data and to enable connection, with scarcely a thought given to the potential for malice. The only answer to the persistent problem of malware may be to rebuild the Internet from scratch, an undertaking in the planning stages by the Internet Engineering Task Force, an association of volunteer Internet experts supported by the computer industry. A redesigned Internet might “fingerprint” every bit and byte of data so that each packet launched can be traced to its source.

“The Internet has enabled any Mickey Mouse single player to launch something that could be catastrophic,” said Rodney Joffe, head of security for Neustar Inc., a company that provides directory services for the Web. “In the real world, you have to have access to plutonium or fleets of fighter jets to wreak widespread havoc. Because of the Internet, any one person can wreak havoc if they have knowledge and a computer.”

Sophisticated attacks

Malware has come a long way from the standard Hollywood portrayal of the hacker as an unwashed rebel surviving on junk food in his parents’ basement and showing off his skills online. “Botnets” capable of wreaking the kind of havoc Rodney Joffe was referring to, like the one assembled by the Conficker worm starting in 2008, pull computing power from millions of illicitly linked computers. Advanced persistent threats are designed for theft, espionage and sabotage and are the work of nation states or rich criminal gangs. They show a programming sophistication that rivals the best computer security experts in the world.

Here’s how Matt Olney, a Maryland-based security expert, defines those behind APTs: “There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.”

A well-known strain called Poison Ivy has successfully penetrated the networks of the Defense and State departments. Another is the Stuxnet worm, thought to have been designed by Israel or the United States, or both, which set back Iran’s illicit nuclear weapons program. Perhaps the most surprising recent victim was RSA, the security arm of EMC Corp., which provides top-level encryption for the public transfer of sensitive data. Earlier this year, hackers stole privileged information and used it to craft fake RSA SecurID tokens, which are meant to serve as a key to supposedly secure information anywhere.

Whether posing a giant or a narrowly sculpted threat, malware relies on the ease of operating anonymously on the Internet. The mysterious creators and controllers of the Conficker worm, which infected an estimated 10 million to 12 million computers worldwide in 2008 and 2009, move daily among 50,000 randomly generated Internet domains. Volunteer security experts — known as the Cabal — labored mightily to shut down the botnet, which is no longer growing but remains very much alive.

The Cabal established an unprecedented template for international cooperation and security that must have given malefactors pause. It meant recruiting every national top-level domain — the 110 Web addresses denoted by country initials (such as “.ca,” for Canada) — to thwart the worm.

The government steps up

The Conficker threat woke up the U.S. government, which had been conspicuously absent from the fight. In the years since, the Pentagon has established a cyber-command at the headquarters of the National Security Agency, and this year formally classified certain kinds of cyberattacks as acts of war. At the new National Cyber-Forensics Training Alliance in Pittsburgh, a privately funded effort affiliated with Carnegie Mellon University, federal agents working with industry researchers helped bust a Ukrainian cyber-crime ring that used the Conficker botnet to drain $72 million from American bank accounts.

But law enforcement and security experts have their work cut out for them trying to protect systems designed to make data sharing easy, and looking for bad guys who are free to launch their malware from no fixed address.

The Internet was born, after all, in that brief period of inanity before and after what was dubbed the Summer of Love. Openness was the point. Sharing. It sprang out of a utopian spirit: Power to the people! Information should be free! Knowledge is power! No one was in charge. No one was allowed to be in charge. This pleased the anarchic spirit of the times, but it gave those bent on crime, espionage or sabotage a tool to reach nearly any computer anywhere.

“What were they thinking?” asks Paul Vixie, the author of Unix software who now sits on the advisory committee for security for ICANN, the International Corporation for Assigned Names and Numbers, the closest thing there is to a governing body for the Internet. “Were they thinking?”

They were far more worried about protecting the Web from state control than from the evil that lurks in the hearts of men. Such is the nature of most hopeful ventures. So along with the inestimable benefits of the Internet, we must live with the dangers of loosely guarded interconnectivity.

This is pretty much where Vixie comes down. In an email posted at the height of the Conficker battle, he wrote: “These problems have been here so long that the only way I’ve been able to function at all is by learning to ignore them. Else I would be in a constant state of panic, unable to think or act constructively. We have been one command away from catastrophe for a long time now.... In a thousand small ways that I’m aware of, and an expected million other ways I’m not aware of, the world has gotten dangerous and fragile and interdependent.... But I’ve lived with it so long that I have lost the ability to panic about it. One day at a time, I do what I can.”

Mark Bowden is the author of “Worm: The First Digital World War.”