Slashdot Mirror


Virus Author Motives Changing

Tragamor writes "BBC News is reporting that, with the suspected authors behind the Zotob virus recently arrested, they are giving insights into the motivation of modern hackers. With the availability of virus source code, authors are spreading to countries which had previously no history of virus origins." From the article: "What the pair were probably taken aback by was the response that the worm generated. Few virus writers now want to hit the front pages, said Mr Hypponen, most prefer to have their creations sneak under the radar, rack up a few thousand unwitting victims who are then milked for money or saleable data. It appears that Mr Essebar was intending to make money several different ways from the people caught out by the Mytob and Zotob viruses he is alleged to have created."

29 of 126 comments

  1. Oh, the good old days. by Silverlancer · · Score: 3, Insightful

    Back in the 90s, virus writing was a hobby, if a black-hat one. The most famous viruses--Melissa, ILOVEYOU, were all done for fun, not for profit. But as the internet went mainstream in the late 90s, the motivation changed--viruses are now merely a tool for a goal: criminal profit.

    1. Re:Oh, the good old days. by Dioscorea · · Score: 4, Informative
      Back in the 90s, virus writing was a hobby, if a black-hat one. The most famous viruses--Melissa, ILOVEYOU, were all done for fun, not for profit.

      Ehh, please don't use lame windoze rubbish like Melissa and ILoveYou as examples of some bygone golden age. Mention something with a bit of substance, like the Morris worm, Zalewski's WormNet, Creeper or even Shockwave Rider.

    2. Re:Oh, the good old days. by CDMA_Demo · · Score: 2, Insightful

      From the DOS days: you forgot Michelangelo, Dark Avenger (Eddie Lives Somewhere in Time), Cannabis (Your PC is now Stoned), the Christmas tree virus, or the Joker. There was also one called the Whale (The Whale is not a Fish) which used really advanced techniques to evade detection. Then there was a whole family of small viruses called the Tiny family which were written just as an experiment in writing really tiny code that works.

    3. Re:Oh, the good old days. by CDMA_Demo · · Score: 2, Interesting

      The Mutation engine it was called. It was big for a virus in its time. And there was Joshi from India, which asked the user to type "happy birthday Joshi", and the Cookie virus which asked you to type "Cookie" in order to proceed. The raindrop virus which made characters fall like raindrops on the screen, the Friday the 13th virus that attacked on (as you guessed) Friday the 13th, and many more. That was the golden period of virus writing it seems, as people came up with innovative ways of hacking the systems, instead of "breaking in" like these days.

  2. Finally! by RAMMS+EIN · · Score: 5, Funny

    ``With the availability of virus sourcecode, authors are spreading to countries which had previously no history of virus origins.''

    Finally! The year of open-source on the desktop has come!

    --
    Please correct me if I got my facts wrong.
    1. Re:Finally! by ackthpt · · Score: 2, Funny
      Finally! The year of open-source on the desktop has come!

      Yeah, and Microsoft has been so restrictive, only offering shared source. How's a virus/worm author to make a living under those conditions?

      they could start by writing a thank-you note to Bill Gates for spreading the most fertile ground for worms/virii throughout the world...

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Finally! by JackDW · · Score: 2, Insightful

      Seriously, this could be bad. What if the clueless masses start to equate "available source code" and "virus"? Microsoft isn't going to correct them...

      --
      You're an immobile computer, remember?
    3. Re:Finally! by RAMMS+EIN · · Score: 2, Funny

      ``yeah, but try and get sourceforge to host
      an open source virus?''

      Why not just host the source on your botnet?

      --
      Please correct me if I got my facts wrong.
  3. What's more.. by ackthpt · · Score: 5, Interesting
    What's more is they didn't even want you to know that sneaking under the radar without being caught was their goal. Seems they failed on that account miserably. So what's the lesson here? Have a virus/worm with a limited life span? After the first n machines have been infected cease spreading?

    Sure as there's imagination there'll be more tactics to come.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:What's more.. by cataclyst · · Score: 3, Interesting

      So what's the lesson here? Have a virus/worm with a limited life span? After the first n machines have been infected cease spreading?

      Interesting... I'm wondering if anyone could do this w/o the virus having to communicate with some sort of server. If there was a pointer that got changed when the virus hit a new target, it would have to go in a linear form (eg: not a hydra-type... one person infects only one other person) if it wanted to keep track (accurately!) of how many ppl got infected.

      Curious idea, but I dunno if it would work w/o requiring a server with the potential to get shut down and end the virus' lifetime.

      --
      E = m * c^(Hammer)
    2. Re:What's more.. by Amouth · · Score: 4, Interesting

      Set a ttl and have it relay messages back through its parent host..

      I infect A to infect B+C to infect D+E+F+G and so on.. the messages are passed backwards. Have A send random messages to another host.. pick up your messages somewhere in the stream

      they can't detect it by watching an irc server for inbound connections.. sure they can see who is infected but only one computer each way.. and if you have fun with it by flipping the address around (10.20.30.40 infects 40.30.20.11 infects 11.20.30.41 ....) just keep them guessing..

      use normal transport sockets.. make it look like valid traffic .. I swear the writers are getting lazy.. make something creative.. I have seen spyware that is harder to remove than most viruses these days..

      just some ideas for the people willing to write them.. :)

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  4. Four-words summary by Spy+der+Mann · · Score: 5, Insightful

    Before: Fame.
    Now: Fortune.

    'Nuff said.

    1. Re:Four-words summary by frankthechicken · · Score: 2, Funny

      Don't forget the chicks man, never forget the chicks.

  5. Or maybe they don't want you to look at porn! by antdude · · Score: 4, Interesting
    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  6. Re:Why do not psycho virus writers exist? by Anonymous Coward · · Score: 2, Informative

    First of all, there hasn't been a VIRUS for years. All these modern "viruses" are actually worms.

    Secondly, if the worm destroys the harddrive then it also destroys itself and can no longer replicate. That means that it doesn't spread very well and doesn't last in the wild. The whole idea of a worm is to remain undetected for as long as possible, spreading itself all the while. The more owned hosts, the greater the profits and the bragging rights.

    Thirdly, there probably are "psychos" out there writing viruses. But, there are more Danish teens and Russian mafia writing viruses than the supposed psychos. The teens have too much time on their hands and in Soviet Russia, profit and a low likelihood of prosecution is a massive motivation.

  7. Repeat after me... by Anonymous Coward · · Score: 4, Insightful
    If you MUST rely on virus detection software, you have already lost.

    I've had people argue furiously that this is not true. Yet, it does not make sense tactically; if your enemy knows your weakness, it is not beneficial to them to let you know about it -- else they lose the ability to exploit the weakness.

    As such, do not attempt to secure what you do not control. Secure the hell out of what you do control. Treat everything else as potentially hostile.

    Do the right thing and spend time to make things as simple as possible on the design level. Eventually, this will pay you back in reduced 'emergencies', though initially it is a real PITA. There's no other way to get a handle on these things -- it's just too complex already.

    1. Re:Repeat after me... by HermanAB · · Score: 2, Interesting

      I know what you mean - signature based detection is always after the fact. However, it is possible to identify viruses using generic rules and a combination of these and signature detection creates a filter that is very strong and protects against known and future viruses. For example, see this: http://www.impsec.org/email-tools/procmail-security.html

      --
      Oh well, what the hell...
    2. Re:Repeat after me... by Spoing · · Score: 2, Informative
      While adaptive filters work fairly well, they aren't foolproof. (I still get spam through my mail filters, even if I automatically tag mail to dead and invalid accounts as spam and then use those new filters to tag mail to valid accounts.)

      I can't emphasise this enough: if you need to use a tool to secure something, what you're securing isn't secure to begin with or it is in an unsecurable environment. Change the environment or secure it.

      The bad guys expect you to have filtering methods that may catch what they try and slip through. You have to expect them to know that you have these defenses and to make you confident that they are working when they slip in something another way.

      That, and adaptive filters tend to flag useful tools as viruses even though they are there legitimately and have other uses (small VNC clients, SSH clients, ... for example).

      [Yes, I'm the one who posted the comment as an AC ... I was at work.]

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    3. Re:Repeat after me... by Noodlenose · · Score: 2, Informative

      well, another option would be to run OpenBSD. Even running it as a desktop OS it will give you enough apps for excellent productivity, and you always have the warm, fuzzy feeling in your belly that you're supporting peace-loving Canadians AND have a secure machine.

  8. Good Old Day.... With Virii like The Ripper..... by Shadow_139 · · Score: 2, Informative

    Ripper was one of the first Virii I have seen in the wild, and that was back on 8086's :)

    It killed the MBR & BIOS and fucked up data being written to the disc at random....

    Unlike all these pussy WinBlowz & Macro Virus that are going around...

  9. Makes perfect sense by kuzb · · Score: 2, Informative

    It's spreading to other countries that have never had a history of it before because there are now ways to make money with it. Most viruses these days are not put in to the wild without some kind of profit motive. Now, take in to consideration the fact that a few of these places where viruses are coming from are low-income countries, even a small amount of money made with it can equate to 'time well spent' to them.

    Think about it - say your income in a country is measured in tens or hundreds of dollars per month rather than thousands, which is more common in 1st world countries. Even something that makes you $50 - $100 USD per month is a big deal. How do you think they react when they learn they can make thousands with it? For some people, that's pretty much like winning the lottery. In order to stop the problem we need to either a) fix all vulnerabilities in all current (and future) operating systems (unlikely) or b) somehow find a way to make it not profitable for people to do it in the first place (also not likely). Otherwise, people are going to keep abusing it to make money.

    --
    BeauHD. Worst editor since kdawson.
    1. Re:Makes perfect sense by WillDraven · · Score: 2, Insightful

      how about c) eliminate poverty in 3rd world countries?

      hey, I can dream, can't I?

      --
      This is my sig. There are many like it but this one is mine.
  10. Re:Good Old Day.... With Virii like The Ripper.... by MarkTina · · Score: 2, Informative

    Nah, it didn't touch the BIOS just inserted itself into the MBR so it would boot up when the machine did.

  11. Re:Why do not psycho virus writers exist? by vkkim · · Score: 2
    Why won't a big impact virus just destroy thousands of files, trash hard disks, or some other destructive action?

    I've wondered the same thing for years. Every day I hope that some worm would destroy all machines running M$ Windows, a sort of selective pressure or extinction event. I say, instead of bickering about which OS is the best, let evolution choose.
  12. But also trivial to detect by brunes69 · · Score: 2, Informative

    NBAD systems in enterprises are rapidly making hydra-like virus spreading a thing of the past, because the sudden surge in traffic coming from an infected host is so easily identifiable and quarantined automatically.

    What you need to worry about are viruses that spread very very slowly, are very well hidden, and only activate after some preset condition.
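The fan-out surge that NBAD systems key on, as an added example that is not part of the thread: it replays constructed flow records and flags any source whose count of distinct destinations inside a short sliding window jumps past a threshold, which is what a scanning worm looks like and what a very slow spreader, as the comment notes, would not trigger. The window length and threshold are assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 10      # assumption: measure fan-out over a 10 s sliding window
FANOUT_THRESHOLD = 20    # assumption: > 20 distinct peers in one window is a worm-like surge


def build_sample_flows():
    """Constructed flow records (timestamp, src_ip, dst_ip, dst_port); not real traffic."""
    flows = []
    # Normal workstation: a handful of peers spread over a minute.
    for t, dst in [(0, "10.0.0.50"), (5, "10.0.0.51"), (30, "10.0.0.50"), (55, "10.0.0.52")]:
        flows.append((t, "10.0.0.5", dst, 445))
    # Worm-like host: sweeps 40 distinct neighbours on TCP/445 within eight seconds.
    for i in range(40):
        flows.append((i * 0.2, "10.0.0.7", f"10.0.1.{i + 1}", 445))
    return flows


def peak_fanout(flows, window=WINDOW_SECONDS):
    """For each source, the largest number of distinct destinations seen in any window."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))
    peaks = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct peers contacted in [start, start + window]; events are time-sorted.
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(seen))
        peaks[src] = best
    return peaks


def flag_surging_hosts(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Sources whose peak fan-out exceeds the threshold: candidates for automatic quarantine."""
    return sorted(src for src, peak in peak_fanout(flows, window).items() if peak > threshold)


if __name__ == "__main__":
    sample = build_sample_flows()
    print(peak_fanout(sample))
    print("quarantine candidates:", flag_surging_hosts(sample))
```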

  13. AIDS by RAMMS+EIN · · Score: 2, Funny

    ``AIDS, on the other hand, won't manifest symptoms for years and therefore can travel across great spaces and through community barriers with ease.''

    Err? Does that mean that scores of people in various places and communities are having sex with ease? Why can't I have that!

    --
    Please correct me if I got my facts wrong.
  14. A trail that might lead back to the author. by zerofoo · · Score: 2, Insightful

    Virus writers are now trying to harvest data for monetary gain; one would assume that this would create a traceable path back to the virus creator.

    In the past, virus writers just wanted notoriety among other virus writers - not much of a trail left behind to follow.

    Now, hopefully, law enforcement will start catching some of these people.

    -ted

  15. Close by geekoid · · Score: 2, Insightful

    but there is no reason a hacker can not also be a virus writer. The traditional definition of hacker implies skill, not moral conduct.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  16. Another parallel to bio viruses by Red+Flayer · · Score: 2, Interesting

    Very interesting, that the author sees that modern-day computer viruses are perhaps less virulent, while they do whatever it is they were designed to do.

    Reminds me of syphilis -- when first discovered in Europe, syphilis was a virulent disease that ravaged the body, killing victims off relatively quickly. Natural selection dictated that syphilis strains that avoided early detection were more successful at passing along their DNA to new hosts. Virulent, crippling strains died off. [1]

    Today, syphilis is rarely fatal, the symptoms are often just a little annoying for a long time. Plenty of time for new partners to be infected.

    Computer viruses are very similar -- viruses that avoid detection and quietly do their work of replication, transfer, and whatever else they are designed for, end up surviving. Emergency patches don't happen unless the virus (or worm, whatever) disrupts enough computers.

    [1] Evolution? I'd say so...

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai