Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
The Internet Security

Virus Author Motives Changing 126

Posted by Zonk from the step-five-profit dept.
Tragamor writes "BBC News is reporting that, with the suspected authors behind the zotob virus recently arrested, they are giving insights into the motivation of modern hackers. With the availability of virus sourcecode, authors are spreading to countries which had previously no history of virus origins." From the article: "What the pair were probably taken aback by was the response that the worm generated. Few virus writers now want to hit the front pages, said Mr Hypponen, most prefer to have their creations sneak under the radar, rack up a few thousand unwitting victims who are then milked for money or saleable data. It appears that Mr Essebar was intending to make money several different ways from the people caught out by the Mytob and Zotob viruses he is alleged to have created. "
This discussion has been archived. No new comments can be posted.

Virus Author Motives Changing More

Virus Author Motives Changing

Comments Filter:

  • Oh, the good old days. (Score:4, Insightful)

    by Silverlancer ( 786390 ) on Tuesday September 06, 2005 @05:54PM (#13493908)
    Back in the 90s, virus writing was a hobby, if a black-hat one. The most famous viruses--Melissa, ILOVEYOU, were all done for fun, not for profit. But as the internet went mainstream in the late 90s, the motivation changed--viruses are now merely a tool for a goal: criminal profit.

    • fault the doj (Score:1, Interesting)

      by Anonymous Coward
      The governments of the world went after the hobbyist virus writers and marginalized them.

      Now you have the malicious crowd filling that vacuum.

      Rather than fixing insecure software and educating the public, they chose the heavy handed route.

      Quite frankly most virus writers in the nineties had no intent to steal or destroy data.

      Seems like everytime a "war" is declared on a concept, it fails.

    • Re:Oh, the good old days. (Score:5, Informative)

      by Dioscorea ( 821163 ) on Tuesday September 06, 2005 @06:01PM (#13493978) Homepage
      Back in the 90s, virus writing was a hobby, if a black-hat one. The most famous viruses--Melissa, ILOVEYOU, were all done for fun, not for profit.

      Ehh, please don't use lame windoze rubbish like Melissa and ILoveYou as examples of some bygone golden age. Mention something with a bit of substance, like the Morris worm [textfiles.com], Zalewski's WormNet [reactor-core.org], Creeper [kernelthread.com] or even Shockwave Rider [wikipedia.org].

      • From the DOS days: you forgot Michaelangelo, Dark Avenger (Eddie Lives Somewhere in Time), Cannabis (Your PC is now Stoned), the Chrismas tree virus, or the Joker. There was also one called the Whale (The Whale is not a Fish) which used really advanced techniques to evade detection. Then there was a whole family of small viruses called the Tiny family which were written just as an experiment in writing really tiny code that works.
        • You forgot AIDS...

          And the funny Ping-Pong :)
        • Thanks for the info... didn't Dark Avenger self-regulate or something like that? I know it had reasonably advanced polymorphism [ibm.com] for the time. There was also one called Guru Meditation, not to mention all those Amiga [vht-dk.dk] and Atari ST viruses...
          • The Mutation engine it was called. It was big for a virus in its time. And there was Joshi from India, which asked the user to type "happy birthday Joshi", and the Cookie virus which asked you to type "Cookie" in order to proceed. The raindrop virus which made characters fall like raindrops on the screen, the Friday the 13th virus that attacked on (as you guessed) Friday the 13th, and many more. That was the golden period of virus writing it seems, as people came up with innovative ways of hacking the syste
        • You forgot Natas. I probably still have some Natas infected floppies somewhere.
        • I vaguely recall a virus named Jump... got its name from the one and only assembler instruction - JMP - used in its creation.

          Programming as an art form :)
          Even though it's a virus, I can more readily appreciate the art in it than in most of modern art.
          Go figure.

    • Well, I'm more confortable with "they bug me for profit" than with "they bug me for fun"...
    • If you want the Golden Age, you're talking about the Cascade virus, the Stoned virus or some of the others from the dawn of time(). Maybe you can go as far as the era of polymorphic and stealth viruses. Anything much more recent than that is really just a clone of stuff that has been done many many times over.

      Even earlier, however, you get "proof of concept" laboratory projects that escaped. The Internet Worm and the DEC Mail Worm were examples of this, where science fact and science fiction horror collided

    • Mellisa was not "the good old days". I remember the first virus i got on my old 386. Monkey.B. http://www.f-secure.com/v-descs/monkey.shtml [f-secure.com]
    • As more and more viruses are created and "contracted" by computer systems, more and more security fixes are released. It's evolution, baby.
    • It's all egoism one way or another. Finding things to exploit makes you feel good, dollars make you feel good, being able to make the world panic makes you feel good, having your name on this particular "monster" which does this makes you feel good.

  • Finally! (Score:5, Funny)

    by RAMMS+EIN ( 578166 ) on Tuesday September 06, 2005 @05:56PM (#13493932) Homepage Journal
    ``With the availability of virus sourcecode, authors are spreading to countries which had previously no history of virus origins.''

    Finally! The year of open-source on the desktop has come!

    • Re:Finally! (Score:2, Funny)

      by ackthpt ( 218170 ) *
      Finally! The year of open-source on the desktop has come!

      Yeah, and Microsoft has been so restrictive, only offering shared source. How's a virus/worm author to make a living under those conditions?

      they could start by writing a thank-you note to Bill Gates for spreading the most fertile ground for worms/virii throughout the world...

    • Re:Finally! (Score:2, Insightful)

      by JackDW ( 904211 )
      Seriously, this could be bad. What if the clueless masses start to equate "available source code" and "virus"? Microsoft isn't going to correct them...
    • yeah, but try and get sourceforge to host
      an open source virus?


      ---
      "Eh?"

    • Finally! The year of open-source on the desktop has come!

      Really? Sounds more like Open Sores to me.

  • What's more.. (Score:5, Interesting)

    by ackthpt ( 218170 ) * on Tuesday September 06, 2005 @05:57PM (#13493936) Homepage Journal
    What's more is they didn't even want you to know that sneaking under the radar without being caught was their goal. Seems they failed on that account miserably. So what's the lesson here? Have a virus/worm with a limited life span? After the first n machines have been infected cease spreading?

    Sure as there's imagination there'll be more tactics to come.

    • Re:What's more.. (Score:3, Interesting)

      by cataclyst ( 849310 )
      So what's the lesson here? Have a virus/worm with a limited life span? After the first n machines have been infected cease spreading?

      Interesting... I'm wondering if anyone could do this w/o the virus having to communicate with some sort of server. If there was a pointer that got changed when the virus hit a new target, it would have to go in a linear form (eg: not a hydra-type... one person infects only one other person) if it wanted to keep track (accurately!) of how many ppl got infected.

      Curious i

      • Re:What's more.. (Score:4, Interesting)

        by Amouth ( 879122 ) on Tuesday September 06, 2005 @06:11PM (#13494052)
        Set a ttl and have it relay messages back through its parent host..

        I infect A to infect B+C to infect D+E+F+G and so on.. the messages are passed backwards Have A send random messages to a nother host.. pic up your messages somewere in the stream

        they can't detect it by watching an irc server for inbound connections.. sure they can see who is infected but only one computer each way.. and if you have fun with it by fliping the address around (10.20.30.40 infects 40.30.20.11 infects 11.20.30.41 ....) just keep them guessing..

        use normal transport sockets.. make it look like valid traffic .. i sware the writers are getting lazy.. make something creative.. i have seen spyware that is harder to remove than most viruses these days..

        just some ideas for the people willing to write them.. :)
      • There's already an answer for that. Torrents don't need trackers any more, I'm sure someone could use that to keep track of how many people they have infected without using a central server.
      • > So what's the lesson here? Have a virus/worm with a limited life span? After the first n machines have been infected cease spreading?

        Interesting... I'm wondering if anyone could do this w/o the virus having to communicate with some sort of server.

        Sure you could. If each instance of the virus only propagates N times, and is constrained to M rounds of replication, then you have O(N^(M+1)) infected machines per initial seed, barring "excluded volume" effects (i.e. reinfection).

      • Simple. (Score:1)

        by Otto ( 17870 )
        I'm wondering if anyone could do this w/o the virus having to communicate with some sort of server.

        Easy. Just have a counter in the virus that it changes when it replicates to a new host.

        Each virus is limited to sending out X copies of itself. It continues spreading like that until it reaches X then stops. Every time it spreads, the new version gets a counter incremented. It's hardcoded so that when the counter reaches Y, it stops that version from spreading at all.

        Total infections = X * Y.
      • One method is similar to telemerase (sp?) on DNA. The grandmother(s) you seed start out with n iterations to live, say 20. That means their children have n-1 iterations to live. (the worm is copied, with that one modification) After a worm spends say, 25 minutes trying to spread, it then falls dormant until the system clock hits a day in the future, some set date, say a week after release. If after spreading and initial activation, a child sees its n is 0, that copy skips the "spread" phase of its activi
    • or just limit the time frame it lasts for (easier to implement i think)
      • NBAD systems in enterprises are rapidly making hydra-like virus spreading a thing of the past, because the sudden surge in traffic coming from an infected host is so easily identifiable and quarentined automatically.

        What you need to worry about are viruses that spread very very slowly, are very well hidden, and only activate after some preset condition.

    • Lesson #2: Don't distribute your viruses via Creative mp3 players.

  • Four-words summary (Score:5, Insightful)

    by Spy der Mann ( 805235 ) <`moc.liamg' `ta' `todhsals.nnamredyps'> on Tuesday September 06, 2005 @06:00PM (#13493964) Homepage Journal
    Before: Fame.
    Now: Fortune.

    'Nuff said.

  • Why do not psycho virus writers exist? (Score:1, Interesting)

    by Anonymous Coward
    I mean: with OSes being so vulnerable now and then, why won't any virus writer release hell on every Windows (l)user?

    Why won't a big impact virus just destroy thousands of files, trash hard disks, or some other destructive action?

    Some people here argue that people write viruses (or virii) for profit, for fun or just because they have too much free time (and no sexual partner ;-)). But are not there psychos outther? Or terrorists? Or whatever lives on Bush's delusional mind as a generic and computer literate

    • Re:Why do not psycho virus writers exist? (Score:2, Informative)

      by Anonymous Coward
      First of all, there hasn't been a VIRUS for years. All these modern "viruses" are actually worms.

      Secondly, if the worm destroys the harddrive then it also destroys itself and can no longer replicate. That means that it doesn't spread very well and doesn't last in the wild. The whole idea of a worm is to remain undetected for as long as possible, spreading itself all the while. The more owned hosts, the greater the profits and the bragging rights.

      Thirdly, there probably are "psychos" out there writing viruse
      • Thirdly, there probably are "psychos" out there writing viruses. But, there are more Danish teens and Russian mafia writing viruses than the supposed psychos.

        Actually, I don't think so. Not exactly sure why, but if there were 'psychos' or other blatantly evil people out there writing viruses, I think they would have come up with a large scale destructive virus before now. You have your script kiddies that are stupid about it and get caught and you've got the Russian mafia that uses bots for warez sites
        • Any virus writer that has read anything by Stanislaw Lem would know how to make a perfectly evil virus... it would only have to do two things:
          1. Replicate so that every single infectable $OS-based computer in the network is infected.
          2. When 1, do $MALICIOUS_ACTION.

          It is that simple; no attempts to re-install itself from the Registry would be necessary since even if it is deleted, since as the ratio of infected vs. clean computers grows, the likelihood of re-infection grows towards 1.
          The smaller and simp

          • Yes, I agree, it wouldn't be difficult. My question is, why hasn't anyone done this? Where are these psycho evil people that want to do us all in?

            Is it possible that there aren't evil terrorists, Chinese nationals and sociopaths out there that want to bring down our computer dependant society? Is it possible that people hackers and virus writers aren't as inherently evil as we've been led to believe?

    • There are two types of crazies: the psychopath and the standard-grade wackaloons.

      Standard wackaloons lack the concentration and knowledge to find an exploitable hole in an OS, and psychopaths are too busy killing people or running businesses to worry about such unfulfilling goals as virus-writing.

    • The reason many modern 'viruses' (worms mostly) don't all have high-payload attacks like MS-Blaster did is due to the nature of parasitic predators needing their prey.

      Ebola has a much larger payload than AIDS, but nobody's as worried about it because Ebola quickly kills its victim(s) and has trouble spreading to a greater community. AIDS, on the other hand, won't manifest symptoms for years and therefore can travel across great spaces and through community barriers with ease.

      If they want to infect the larg

      • AIDS (Score:3, Funny)

        by RAMMS+EIN ( 578166 )
        ``AIDS, on the other hand, won't manifest symptoms for years and therefore can travel across great spaces and through community barriers with ease.''

        Err? Does that mean that scores of people in various places and communities are having sex with ease? Why can't I have that!
      • If ebola could spread around the world in a day, it wouldn't matter would it?

        The first time ebola that effects humens is spread via the air, you will see how worried people get.
        1 person in an airport would spread it aroung the world before the first sympton began showing you.

        In short, you are only right if the spead to find the next vistum is slower then the time it takes to kill the victim.
    • Why won't a big impact virus just destroy thousands of files, trash hard disks, or some other destructive action?

      I've wondered the same thing for years. Every day I hope that some worm would destroy all machines running M$ Windows, a sort of selective pressure or extinction event. I say, instead of bickering about which OS is the best, let evolution choose.
    • ``Why won't a big impact virus just destroy thousands of files, trash hard disks, or some other destructive action?''

      I've wondered that myself. Especially since back in the days of bad old DOS, many (most?) viruses did exactly that.

      A virus that would take out lots of windows users' data would sure help people to realize that they're vulnerable, much more than the sneaky "you're infected but it doesn't show" worms of today.

      I think that's probably the reason. People don't write viruses that do something "funn

    • Why won't a big impact virus just destroy thousands of files, trash hard disks, or some other destructive action?
      Because if you kill the host, you lose the very thing that spreads the virus. This is true for physical viruses too. Think of the most sucessful viruses, the common cold. It never kills anyone (except perhaps immuno-compromised people), doesn't take you out of commision bad enough that you just sit in bed (so you interact with more people, more people to spread it to).

      If you started deleting h
    • Or whatever lives on Bush's delusional mind as a generic and computer literate 'evil doer'?

      You had a good post there until you decided to indulge in some gratuitous Bush-bashing. Bush is not responsible for this, no matter what you left-wing Democrat fanatics think. Grow up and learn to think for yourself instead of quoting whatever liberal extremist wack-job columnist you've been jacking off to.

  • It used to be about ego and saying "look what I can do" or "I was the first to do this", now it's more about 0-day exploits, scripting, and financial gain sometimes through extortion ..which is why they should go to jail!
    • It used to be about ego and saying "look what I can do" or "I was the first to do this", now it's more about 0-day exploits, scripting, and financial gain sometimes through extortion ..which is why they should go to jail!

      Oh, I dunno... I think "look what I can do!" first-posters deserve jail time too.

  • Or maybe they don't want you to look at porn! (Score:5, Interesting)

    by antdude ( 79039 ) on Tuesday September 06, 2005 @06:09PM (#13494040) Homepage Journal
    See The Register's story [theregister.co.uk].
  • I for one, think they need to make an example of every virus writer/distrubter and put them up in a federal pound-you-in-the-ass prison.

  • All you zealots (Score:1, Funny)

    by Anonymous Coward
    With the availability of virus sourcecode, authors are spreading to countries which had previously no history of virus origins.
    I hope all you zealots finally recognize the evil viral nature of the GPL!
  • and with it, the profile of the typical investor.

  • Repeat after me... (Score:4, Insightful)

    by Anonymous Coward on Tuesday September 06, 2005 @06:30PM (#13494230)
    If you MUST rely on virus detection software, you have already lost.

    I've had people argue furiously that this is not true. Yet, it does not make sense tactically; if your enemy knows your weakness, it is not benificial to them to let you know about it -- else they loose the ability to exploit the weakness.

    As such, do not attempt to secure what you do not control. Secure the hell out of what you do control. Treat everything else as potentially hostile.

    Do the right thing and spend time to make things as simple as possible on the design level. Eventually, this will pay you back in reduced 'emergencies', though initially it is a real PITA. There's no other way to get a handle on these things -- it's just too complex already.

    • Re:Repeat after me... (Score:3, Interesting)

      by HermanAB ( 661181 )
      I know what you mean - signature based detection is always after the fact. However, it is possible to identify viruses using generic rules and a combination of these and signature detection creates a filter that is very strong and protects against known and future viruses. For example, see this: http://www.impsec.org/email-tools/procmail-securit y.html [impsec.org]

      • Re:Repeat after me... (Score:3, Informative)

        by Spoing ( 152917 )
        While adaptive filters work fairly well, they aren't fool proof. (I still get spam through my mail filters, even if I automatically tag mail to dead and invalid accounts as spam and then use those new filters to tag mail to valid accounts.)

        I can't emphasise this enough: if you need to use a tool to secure something, what you're securing isn't secure to begin with or it is in an unsecurable environment. Change the environment or secure it.

        The bad guys expect you to have filtering methods that may catch

        • Spam is not the same thing as viruses though. Spam is a nuisance - it is malicious. Anyhoo, do go to Hardin's site and look at html-trap. Works very well and never needs updating - well, I update once per year. It Just Works (TM).
          • Spam is not the same thing as viruses though. Spam is a nuisance - it is malicious. Anyhoo, do go to Hardin's site and look at html-trap. Works very well and never needs updating - well, I update once per year. It Just Works (TM).

            Thanks for the reference. I'll check it out.

            That said, you sound quite confident. (Now, go read my last message!)

      • well, another option would be to run OpenBSD [openbsd.com]. Even running it as a desktop OS it will give you enough apps for excellent productivity, and you always have the warm, fuzzy feeling in your belly that you're supporting peace-loving Canadians AND have a secure machine.
    • I am with you on this! There are ways to prevent these kinds of worms from attacking your networks. Using multiple layers of security. It seems that a lot of network administrators out there are relaying on patches to be released as their first line of defense. If you can stop attacks to the ports these worms use up front then who cares when the patch is released (not saying don't ever patch). Just patiently wait for it while you are surfing ebay for that kewl new toy you want to buy. IPSEC for windo

  • Ripper [nai.com] was on of the first Virii I have seen in the weirld, and that was back of 8086's :)

    It killed the MBR & BIOS and fucking up data been writen to the disc at random....

    Unlike all these pussy WinBlowz & Macro Virus that are going around...

  • Makes perfect sense (Score:3, Informative)

    by kuzb ( 724081 ) on Tuesday September 06, 2005 @06:40PM (#13494344)

    It's spreading to other countries that have never had a history of it before because there are now ways to make money with it. Most viruses these days are not put in to the wild without some kind of profit motive. Now, take in to consideration the fact that a few of these places where viruses are coming from are low-income countries, even a small amount of money made with it can equate to 'time well spent' to them.

    Think about it - say your income in a country is measured in tens or hundreds of dollars per month rather than thousands, which is more common in 1st world countries. Even something that makes you $50 - $100 USD per month is a big deal. How do you think they react when they learn they can make thousands with it? For some people, that's pretty much like winning the lottery. In order to stop the problem we need to either a) fix all vulnerabilities in all current (and future) operating systems (unlikely) or b) somehow find a way to make it not profitable for people to do it in the first place (also not likely). Otherwise, people are going to keep abusing it to make money.

  • Thanks.... (Score:2, Redundant)

    by Ghengis ( 73865 )
    Thanks for yet another bastardization of the term "hackers." Virus writers are not hackers, and hackers get offended when you associate them with such cretins.

    • Thanks for yet another bastardization of the term "hackers." Virus writers are not hackers, and hackers get offended when you associate them with such cretins.

      Not anymore. Popular press stole that moniker years ago. Hackers are now the digital equivalents of L.A. gang bangers...

    • Close (Score:3, Insightful)

      by geekoid ( 135745 )
      but ther is no reason a hacker can not also be a virus writer. Then tradition definition of hacker implies skill, not moral conduct.
    • It safer to say that you "subscribe to the Hacker ethos". Calling yourself a Hacker will be misunderstood by the general public forever.
  • Correct me if I'm wrong, but the source codes of viri have been available for ages. Outside of the fact that a virus written in Assembler is essentially its own source code, anyway, there've always been virus writing diskmags etc. where commented versions with explanations were published - this is nothing new.

    The only thing that seems to have changed is that it's being done for money now, but that's not exactly a 2005 development, either, I'd say.
    • Agreed. Actually, I blame Hollywood, for making "viruses" a sexy thing to write, and capable of doing insanely-great things to either attack the protagonists or to attack the villan (e.g. Star Trek is very bad at writing inconcievable "nanoprobe viruses" that do really wierd things to aliens or their ship's systems).

      It's the same with drugs, guns, sex and even rock-and-roll, though the last seems to be backfiring, at least from the RIAA, ARIA, MPAA viewpoint.

      I also blame Hollywood for the mis-use of "hacke

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Tuesday September 06, 2005 @07:15PM (#13494660)
    Comment removed based on user account deletion
    • While most who frequent /. might be relatively resistant to these attacks, I'd like to think that those who create them would be made to pay for the pain they cause. Have you ever helped a friend try to recover a system? Going for the profit instead of the glory intensifies that desire to find them and at least give them a swift kick in the butt. I'm afraid that unless a major corporation is victimized, even when there is a source found in the code that identifies the villain, law enforcement simply won'
  • If I were a virus writer, and wanted to infect only a small number of machines, I'd do this following:

    (1) Find some seldom used web page somewhere with a hits-counter on it.
    (2) Store the address of that web page in my virus, along with a limit count (say, 20,000.)
    (3) When the virus infects a new host, it visits the web page. If the hit counter is greater than the limit count (or the page is unavailable), the virus does not attempt to spread further.

    Because the hits-counter was not set up by me, this can't b

  • Another parallel to bio viruses (Score:3, Interesting)

    by Red Flayer ( 890720 ) on Tuesday September 06, 2005 @09:50PM (#13495825) Journal
    Very interesting, that the author sees that modern-day computer viruses are perhaps less virulent, while they do whatever it is they were designed to do.

    Reminds me of syphilus -- when first discoverd in Europe, syphilus was a virulent disease that ravaged the body, killing victims off relatively quickly. Natural selection dictated that syphilus strains that avoided early detection were more successful at passing along their DNA to new hosts. Virulent, crippling strains died off. [1]

    Today, syphilus is rarely fatal, the symptoms are often just a little annoying for a long time. Plenty of time for new partners to be infected.

    Computer virues are very similar -- viruses that avoid detection and quietly do their work of replication, transfer, and whatever else they are designed for, end up surviving. Emergency patches don't happen unless the virus (or worm, whatever) disrupts enough computers.

    [1] Evolution? I'd say so...
    • Perhaps its Intelligent Design. For years, while the various strains of 'newsworthy' virii evolved and propogated, there have been others. Trojans, either spread as virii, or more likely installed by insiders in a few companies. They have been operating quietly, conducting industrial espionage.


      I've been wondering how long it would be before all the amateurs finally figured that there is big money to be made grabbing data off the disks of unwitting users.

  • F-Secure has shifted to spreading FUD about mobile viruses and backdoors.

    Conveniently they have antivirus/antibackdoor software for sale.

    Seriously, read their weblog, it's full of stuff avout mobile virus threats, none of which are real threats that would justify purchase of mobile decelerator software.

  • We should take care about an "open source virus" initiative.
    What could happen in the case someone started such a thing?
    You publish your virus code, someone else tests and fixes it, later other vira spawn from that code ... and so on!
    Sounds really terrific!

Slashdot Top Deals

E = MC ** 2 +- 3db

Close