CAPITOL HILL: The number of malware attacks soared 81 percent last year, from three billion in 2010 to five-and-a-half billion in 2011, Symantec senior engineer Patrick Gardner told congressional staff in a briefing here today.
But those raw numbers aren’t the really bad news.
What’s truly scary is the endless inventiveness of the attackers. They cull publicly available information from Facebook, LinkedIn, and other social media to craft scam emails that low-level employees believe are legitimate, a targeted practice known as spear phishing, in the hope that some CEO’s or federal official’s assistant unwittingly opens a malicious attachment and installs a virus that then moves through the network to spy on their boss.
The viruses automatically generate new versions of themselves different enough to avoid recognition by security systems (so-called polymorphic malware), similar to the way real viruses mutate to fool the body’s immune system. Highly skilled hackers now hire less sophisticated “affiliates” as foot soldiers to spread their malware for them, disguising their own involvement, and sell $500 “attack toolkits” that let a novice stage remarkably sophisticated attacks. What the experts can do at the top end is even more impressive.
The latest threat to grab the headlines, the Win32.Flamer (or Flame) virus, is “about 10 to 20 times bigger than Stuxnet” in terms of the sheer amount of code, said Gardner, with a complex set of features “more like a piece of commercial software” than past viruses. Flamer can set up its own web server, disable anti-virus software, take over Bluetooth devices, send encrypted communications, record keystrokes, take screenshots, and organize the information it steals in its internal database. It has its own internal “apps store” of specialized functions. Flamer even has the open-source scripting language Lua built in to make it easier for non-experts to add still more features. Gardner’s team at Symantec has been analyzing Flamer for almost a week, he said, and they’re still “weeks” from figuring it out.
So who made this monster? “This was built by a team of people,” Gardner said. “This was not something one person or ten people did. [But] whether some rich guy funded that or a country, I don’t know.”
The folks at Norton came to roughly the same conclusions but offered a bit more detail:
“The complexity of the code within this threat is on par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry.”
“It seems to be targeting the Middle East,” said Gardner, notably Iran, which was definitely the target of the earlier Stuxnet worm. Its component “modules” are named in English, although that’s a language many programmers around the world know. Where and how it first hit the Internet is unknown, and in any case it’s virtually impossible to trace a virus’s traffic back to its source, because an attacker can easily relay everything through a server in an uninvolved third country.
Worse, while forensic investigators like Gardner’s team can comb through a virus’s code for clues to what compilers and tools were used to build it, those clues can be faked to throw suspicion on the wrong country. Nor is there any telltale to distinguish a state-sponsored virus from a criminal one: “State sponsored attacks, certainly, they reuse tools that are available” in the criminal world, said Gardner. The difference is that they’re harder to spot, he went on: “Their goal is really to be as discreet as possible.”
Anti-virus watchdogs only found Flamer in the first place because it’s spreading itself far and wide, apparently just gathering information. Unlike Stuxnet, which sabotaged the programmable logic controllers driving centrifuges critical to the Iranian nuclear program, Flamer does not seem, yet, to have a specific target or the capacity to physically damage equipment. Stuxnet itself was only detected because it “over-propagated,” Gardner said, spreading itself to too many machines outside its target area and then not erasing all those copies before they were found. What else is out there that’s done a better job of covering its tracks? We may never know.