
The War of the Machines

The online battles between the forces of light and the forces of darkness are increasingly based on automated tools.

Thomas Claburn, InformationWeek

At the end of 2004, a worm appeared that knew how to perform automatic detection: with the help of the Google search engine, it automatically located websites running forum software that contained a loophole, and then attacked them. Last fall, the financial services industry suffered a real increase in phishing scams carried out by crooks with the aim of stealing money from accounts: the increase is largely attributed to a set of tools that made it easier to carry out scams of this type.

Ticket brokers use password cracking software to automatically purchase large quantities of tickets on e-commerce sites and then sell them at an inflated price. Spam distributors manage to bypass the image recognition mechanisms that internet providers operate in an attempt to prevent the delivery of large amounts of mail - by enticing surfers to solve puzzles. And for 24 hours a day, worms scan the network and look for vulnerable systems.

Welcome to the age of machine warfare, where armies of zombies - computers that have been attacked and controlled remotely by hackers - spread spam and hostile code in relentless raids on the PCs of home users and the information technology systems of commercial companies around the world. The security companies claim that an unprotected computer connected to the Internet will be attacked by hostile software within 6 to 15 seconds. "Automated tools tirelessly scan groups of IP addresses and never tire," says Bill Hancock, vice president and chief security officer at information technology services company Savvis Communications.

The forces of light fight back. One of the measures is more successful blocking of spam, through which many of the attacks are carried out. Another way is to use the network itself as a security measure. AT&T, the telecommunications company through which the largest amount of IP communication passes in the US, analyzes every day 1.7 petabits of information that passes through its main avenue, in an attempt to find new attack methods that can be detected automatically and to run counter-algorithms automatically, without human involvement. "We recognize a real need for automated defense mechanisms," says Stanley Quintana, director of automated services at AT&T. "Such mechanisms can absorb some of the attacks, but for this purpose artificial intelligence must be activated."

The number of online attacks is so great that the federal government has given up and stopped counting them. The CERT coordination center, which operates within the Software Engineering Institute of Carnegie Mellon University, reported 21,756 attacks in 2000, each involving thousands of sites. In 2001 the number rose to 52,658, in 2002 to 82,094, and in 2003 to 137,529. Last year, the center stopped publishing the number of attacks. "Due to the widespread use of automated tools, attacks against systems connected to the Internet are so common that publishing any number will not faithfully reflect the extent of the phenomenon," the center said.

Automation has greatly changed the targets of cybercrime. When the well-known robber Willie Sutton was asked why he chose to rob banks, he replied "because that's where the money is." In today's information economy, criminals rob computers. The sophistication of the automatic tools is increasing, and their senders can count on the automatic pilot to navigate the world and deliver the goods. "We see a combined effort of criminals who are profiting from the increasing use of the Internet," says Gitis Bardox, product manager in the security and technology division of Microsoft.

Trojan horses are one of the automated tools used by fraudsters. The hostile software is distributed between the computers in a similar way to viruses, as an attachment in an e-mail or by downloading an infected file - and makes it possible to take over the PC remotely and turn it into a zombie. Fraudsters also make use of spyware, in order to reveal data such as ID numbers or access passwords to bank accounts. The data is exposed directly (by sending it to a fraudster) or indirectly (on phishing websites that pretend to be legitimate websites). Last November, the method was implemented in a Trojan horse called Banker-AJ that was sent to customers of many banks in the UK.

This, of course, is not the only attack. 53 people were arrested last October in Brazil, for allegedly using Trojan horses in order to steal 30 million dollars from customers of online banks. In December, the German police arrested five people who allegedly carried out a similar phishing attack and raked in 30,000 euros from Postbank customers. A few weeks ago, four high school students were arrested in Sydney, Australia, for allegedly using a Trojan horse to steal access passwords to online banks with the intention of committing international fraud.

The automation of online crime is fueled by the increase in the number of computers connected to the Internet, the clock rate of these computers and the bandwidth with which they are connected. Crooks have learned to take advantage of new exploits very quickly as soon as they are published, and they try to infect as many computers as possible before the software manufacturers offer a patch. "Criminal organizations hire computer experts and programmers, often outside the US, in order to carry out the attacks," says Bardox. "If the computers are not constantly updated and patched, they are exposed to fast and automatic attacks."

Last May, the security company Sophos estimated that over 30% of spam was sent by zombie computers. In June, network equipment company Sandvine claimed that zombie computers are responsible for 80% of spam. The hackers who control these computers get machines that cost them 3 to 8 cents a week, says Vincent Wiper, a senior manager at Symantec. The zombie computers can be used to distribute spam and porn, share pirated music files or perform denial of service attacks.

Robotic agents can perform many automated tasks - from searching for prices to detecting vulnerable systems, which is the task they usually perform. The security company IDefense estimates that the number of robotic agent programs - which can be reused - rose from 750 in 2003 to more than 2,300 in August 2004. "IT managers are struggling to deal with such a large amount of attacks," says Tony Redmond, vice president and chief technology officer in HP's services division, who is also in charge of formulating the company's security strategy.

Pro information technology services company blocks about 80% of incoming mail traffic. "It's a huge amount of mail," says Chief Information Officer Mike McCluskey. In 2003 one out of every 33 e-mail messages included a virus, and in the middle of 2004 one out of every 16 messages; in December, one out of every ten messages included the Zafi-D worm alone, according to Sophos. Between July and November 2004, the number of phishing sites increased by 28% every month, estimates the working group against phishing. The main reason for the steep increase, the group estimates, lies in the set of tools that make it easy to set up such sites.

To distinguish between automated tools for sending large amounts of spam and legitimate users, Internet providers use puzzles, obscure words, and other components that computers have difficulty recognizing. However, the ticket brokers use OCR software to identify the fuzzy words and purchase large quantities of tickets at discounted prices. "The OCR programs are able to recognize about 10% of the blurred words, which is good enough," estimates Greg Murray, professor of computer science at Simon Fraser University in Canada.

Ticketmaster, the largest online marketer of event tickets, refuses to disclose the measures it uses to combat the phenomenon. "The optical barriers and the quantity limit are the visible measures, but behind the scenes we use additional ways to uncover fraud," says David Goldberg, Senior Vice President of Strategy and Business Development at Ticketmaster.

To identify the distributors of spam, questions are also used to make sure that the sender is a person and not a robotic agent for distributing porn - says Jay. times. Sullivan, marketing manager at the electronic mail company Senmail. However, despite the efforts, spammers don't seem to have any trouble doing their job. "Spammers know the technologies that are used," says Vipul Vada Parkash, the founder and chief scientist of the Cloudmark anti-spam company. "The automatic tools are designed to defeat the opposing technologies."

Ryan Trevino, director of corporate messages at the automation company National Instruments, has experienced this firsthand. In the first two quarters of last year, the number of messages received daily increased from 125,000 to 160,000. "The effectiveness of the spam filter we developed ourselves decreased, and more users were attacked by viruses and phishing," says Trevino.

Some experts claim that due to the increasing spread of the Internet - to third generation cell phones, handheld computers, game consoles and industrial control systems - and due to the increasing complexity of Internet software and services offered on the network, security problems are inevitable. Others believe that the doomsday predictions are exaggerated and that the risks can be reduced with the help of more effective security methods, innovative technologies, more effective law enforcement and user training.

Who will win the war - the sons of light or the sons of darkness? There is no clear answer yet, but it is likely that at least in the near future the fighting will intensify. Either way, we have to get used to a new reality in which the forces of evil do not rest for even a single moment.

For information in Information Week
