* A conversation with computer expert Mikko Hyppönen

Mikko Hyppönen has made a name for himself as a computer security expert in directing anti-virus research at Finland’s F-Secure, a $45 million company that regularly issues alerts warning of network threats. He spoke recently with Network World News Editor Bob Brown and Features Editor Neal Weinberg about the latest viruses and what enterprise network executives are up against.

NW: What’s your take on Mydoom.M, the latest worm making the rounds?

It’s a really interesting technique remembering how big Mydoom.A was in January. It was the single largest e-mail outbreak in history. Mydoom made headlines then because it was attacking SCO.com and then later on Mydoom.C was attacking Microsoft.com.

What’s happening here [with Mydoom.M] is that the attack that made headlines with Google going down wasn’t really an attack on Google. It was just using Google to harvest more e-mail addresses. But what Mydoom.M left behind was a back door. We’ve seen this already with Mydoom.A, which left a back door and several days later its authors scanned public addresses looking for Mydoom.A-infected computers and then installed a spam proxy Trojan called Mitglieder. What seems to be the case with this new Mydoom is that instead of dropping in a spam Trojan they’ve dropped in a [Distributed Denial-of-Service] client aimed at overloading Microsoft.com’s front page, though it hasn’t been too successful.

NW: Do you have any idea who is behind it?

I think it is the same people not only behind the other Mydooms, but also behind Bagle. Possibly even behind SoBig and others. I don’t have any concrete evidence on where these guys are operating from, though there are some indications they have come from Russia and are living in central Europe. I think it is more than one guy and that they are organized.

NW: What are the chances of catching them?

This year has been really good at catching virus writers. But all the arrests have been kids and small-time players; none of the professional virus writers have been caught. The ones that have been caught are not really the worst guys, the ones who are doing this for money that they put back into development of their malicious code.

NW: So these guys are doing this for profit?

With [Mydoom.M] they don’t appear to make money. But looking at the previous Mydoom variants and the Bagle operations the target is to create a very large network of interconnected computers and either turn them into spam proxies or free hosting servers, then steal information like credit card numbers, passwords, user accounts. By far the largest benefit is spamming; most spam today is being sent from infected DSL- or cable-enabled home computers.

There are layers. You don’t just have the virus writer writing a virus and then using the computers to send spam. You have one group writing the viruses. Once they create a list of IP addresses, they sell those to underground bulletin boards, many of which are run in Russia or China. The going price seems to be $500 for 10,000 IP addresses. That probably gets resold a couple of times before a spammer picks it up and starts using it. It really gets hard to trace the route backwards.

NW: What do you think of Microsoft and others offering bounties to nail virus writers?

It’s great. What’s most important is that they put pressure on virus writers as they become afraid of others ratting them out. Obviously Microsoft can afford to put up the bounties, though it hasn’t had to pay anything yet from what I know.

For the full article, please go to: https://www.nwfusion.com/news/2004/0804fsecure.html