Technology Review - Published By MIT

Spying on Spyware

Continued from page 1

By Lamont Wood

Thursday, November 17, 2005


The war is still a long way from over, though, says Craig Schmugar, a virus research manager at McAfee Inc., the noted security software vendor in Santa Clara, CA. Both rootkits and polymorphic code have been around for several years, he says, and there are counter-measures that can be marshaled against them.

"Do the bad guys have an A-bomb? There has been speculation about that for years," Schmugar says. "There have been flare-ups, and there have been zero-day attacks [that is, malicious code using a trick unknown to the software vendors until the day of the attack], but most have been mitigated by good security policies and procedures. Then it becomes a race to implement the anti-technology."

But today there's a new factor changing the way viruses are created and delivered: money.

"Several years ago one of the ways we received sample viruses was directly from the authors, who wanted their five minutes of fame," says Schmugar. "It might come from an anonymous address, or from someone who says they had 'found' it. There are still some of those, but now money is the driving factor. They get advertising money from affiliate programs, so it behooves them to conceal their installation as long as they can."

In other words, lone, anti-social hackers have turned into an underground of socially aware advertisers, according to Schmugar, seeking to turn the world's PCs into little zombie billboards that can spring to life at the spyware writer's request. "Botmasters" have also arisen, he says, who control multiple infected computers by passing commands to them through Internet Relay Chat channels. They can test their "bot" spyware against multiple anti-virus programs until it proves it can survive, and then download it to the other machines they control.

In fact, last week federal agents arrested a man in California for allegedly controlling a vast network of 400,000 infected PCs. He supposedly rented them out to spammers or people who wanted to launch denial-of-service attacks (which flood a website with traffic and make it unusable), asking as little as 20 cents per infected machine. Now he faces federal prison, because some of those machines belonged to the U.S. Navy.

While viruses used to be circulated as e-mail attachments, today they are disseminated from websites that users are tricked into visiting. The sites cannot be traced because they're set up by infected bots, at arm's length from the botmaster, Schmugar explains.

Although increasingly many advertisers don't want to be associated with spyware, that backlash won't put an end to these electronic invasions. There are always other advertisers, typically pornographers, who don't care, says Schmugar.

Comments

  • Vista won't solve the problem
    The problem with Vista is the huge number of PCs that will not be upgraded, just like all the W2k and W98 systems out there still whose owners are clueless about what their machines are doing. Even if Vista is as good as Enderle thinks and Microsoft promises, malware exploits will get worse before the installed base upgrades fully. So far, Mac OS X is still a safer choice for companies and individuals and a better choice for all internet users.
    Guest (Stephen Keese)
    11/18/2005
    Posts:1
    • Use Linux
      ... and be safe.
      Guest (RB)
      12/01/2005
      Posts:1
