How computer attackers have changed

Graham Cluley, April 28, 2014

Computer security veteran Graham Cluley is speaking this week at the InfoSec show in London on the VASCO Data Security booth. Below he talks about how the perpetrators of online attacks have changed over the last 30 years.

In the mid-1980s, when computer malware first emerged, it was very different from how things are today.

For one thing, many people weren't even sure whether computer viruses truly existed or whether they were the stuff of legend - as unlikely to be real as the Loch Ness Monster or the Himalayan Yeti.

As late as 1988, some still believed that the threat was bogus, with the likes of Peter Norton pronouncing that computer viruses were "urban myths, like alligators in the New York sewers".

Of course, that was no impediment to the very first version of Norton AntiVirus being released two years later.

The early days

When I started writing anti-virus software in 1992, a mere 200 new viruses were found every month. Updates were sent to customers every three months (or monthly, if they were really paranoid) on floppy disk through the post, and it was possible to keep in your head the ins-and-outs of how each sample worked and what its payload did.

The viruses that did exist spread primarily via floppy disks, taking months to travel around the world in infected boot sectors.

Eventually things changed, of course, and viruses became multipartite (infecting floppy disk boot sectors, the partition sectors of hard drives, and executable files) in an attempt to spread more quickly, or embraced fast-infecting techniques that infected every executable file on your hard drive as soon as it was read, for example during a backup.

But what most malware had in common was the type of person who was writing it. The virus writers were typically kids, or at least juvenile in their outlook, writing viruses - and it was primarily viruses at this point - for kicks, and to show off to their peers.

They took pride in their work, sometimes spending months honing their creations, and wanted to generate interest with dramatic visual payloads and, often, data-damaging ones.

But what was almost always true was that the motivation behind the malware wasn't to make money. Viruses were created because the author felt that he (and they were almost all male) could impress others on the virus-writing scene.

With names like "Apache Warrior", "Nowhere Man", "Ice 9" and "Dark Avenger", virus writers were the equivalent of graffiti artists. They damaged property and goaded each other on to create more and avoid detection, but there was little opportunity to benefit financially.

However, the increasing popularity of modems, with more and more homes connecting to early internet service providers like AOL and CompuServe, began to change things.

Some of the earliest financially-motivated malware consisted of password-stealing programs, designed to dupe unsophisticated users into handing over their AOL passwords. If a hacker managed to steal your AOL password, they could not only get cheaper internet access for themselves, but could also read your emails and perhaps even attempt to send spam from your account.

The ways to make money from malware were evolving. Modems used a regular telephone line to transmit data (slowly) to and from the internet. Virus writers created rogue diallers - a breed of malware which could ring premium rate phone numbers from your PC without your knowledge, generating an income for them and a hefty bill for you.

High speed internet fuels the rise of cybercrime

Modems, over time, were upgraded to high speed broadband. Rogue diallers weren't going to survive the switch in technology, but attackers could take advantage of faster CPUs and broadband's always-on internet connection to exploit computers for their own ends.

It was the birth of the botnet.

A botnet is a network of hijacked computers, all under the control of a malicious hacker. Malware-infected computers, connected to the internet, can be commanded to send spam, or launch distributed denial-of-service attacks.

The way in which spam makes money is pretty obvious. The spammers want you to buy their products, or click on their links. Even if they have nothing to sell, they might want their spammed-out message to dupe you into clicking on a malicious link which might phish your banking passwords, or install a Trojan horse onto your computer.

And distributed denial of service attacks can earn online criminals money too. A successful DDoS attack can bring down a website, making it inaccessible for its legitimate users, and providing an opportunity for the attackers to demand a ransom be paid by the site's owners.

Furthermore, botnet computers can be rented out to other criminals who may want to exploit them for their own financial gain. A criminal ecosystem was developing where fraudsters, scammers and hackers would install adware and spyware onto hijacked computers, stealing passwords and earning money by displaying pop-up ads and installing irritating browser plugins.

Malware was no longer the work of teenage boys in back bedrooms without enough Vitamin D in their diet. Organised criminals were now involved, realising that the internet could be used to steal and rob.

After all, why go to the risk of a real-life bank robbery if it's easier to break into bank accounts from the safety of a computer?

Organised crime meant, of course, that the authorities couldn't be seen to be ignoring the problem. Greater resources were put into catching cybercriminals, and more efforts made to tackle what had become a multi-national problem.

Punishments became more severe, as judges understood that virtual crime could have significant financial consequences.

And it was the stiffer sentences being handed out to the organised cybercriminals which, to a large extent, drove the old virus-writing "enthusiasts" away. They realised that their fun and games would not be tolerated anymore, and there was an increasing risk that if caught they would not be treated leniently.

After all, even if a virus was not financially-motivated, it still broke laws against changing data on a computer without permission and accessing computer systems without authorisation. It was probably for the best if that community of malware authors found another outlet for their coding skills, rather than get mixed up with an increasingly dangerous world of financially-motivated cybercrime.

And now? Well, the amateurs may have largely left the scene (if they have any sense) but organised crime on the internet remains a big problem. Hackers will exploit vulnerabilities, poor security practices, and plant malware to steal information and access systems that they shouldn't.

The likes of Anonymous may do this too, claiming to do it for the "lulz" or to expose hypocrisy, but the majority of malware activity today is driven by hardened criminals who are interested only in making money.

The people writing the malware, by and large, are not modern-day Robin Hoods, but act more like organised crime rings. If their activities are disrupted they risk losing large amounts of money - millions of dollars in some cases - and they aren't going to let that disappear without a fight.

It's no wonder that there are over 200,000 new malware samples analysed by virus labs every single day. A long way from the 200 a month I saw when I first started writing anti-virus software.

State-sponsored cybercrime

What has become clear in recent years, however, is that there is a new group involved in hacking and malware creation.

And this group's motivation is not so much financial as political, military or economic.

Countries have seen the internet grow at an extraordinary rate, changing the entire world in the process. Information today is predominantly held on computer systems, and most communication is electronic. Therefore, if you are in the business of spying - it makes sense to use the internet to your advantage.

State-sponsored attacks, run by intelligence agencies around the world, used to sound like the stuff of pulpy thriller novels, but are now an undeniable reality.

The advantages to countries of using malware to assist them in targeted attacks and data exfiltration, sometimes exploiting zero-day vulnerabilities to plant their spyware, are considerable.

And details of the extent to which some countries have gone in their bid to spy upon other nations and their own citizens have come to the fore because of high-profile news stories about the likes of NSA whistleblower Edward Snowden.

This isn't just a case of China spying on the United States, and the USA returning the favour. No, supposedly friendly countries are spying on each other too.

In fact, I would be surprised if there is any sophisticated country or intelligence agency which is *not* using the internet for the purposes of surveillance and spying, or launching denial-of-service attacks to silence the websites of dissenters.

This is, sadly, a problem for all of us.

Our personal privacy may have been exposed by the actions of those we have put in power, and the sensitive data stored by our company may be at risk.

Even if you think your company would never be the target of a state-sponsored attack, you need to ask yourself whether your firm might be a stepping stone used by hackers to infect one of your clients or partners.

After all, a cybercriminal (state-sponsored or otherwise) might be wary of directly attacking his target, but prefer to find a soft point of entry (your company!) to get to his intended destination.

That's why you need to take steps, building a layered defence in depth which reduces the chances of a hacking attack being successful, using technologies such as strong user authentication and strong encryption to keep sensitive information secure and unauthorised parties out.

The people we are defending our computer systems against have changed enormously in the last 25 years, and it is hard to predict how things may change in the future.

But one thing is clear. As long as we use the internet to share information, there will be hackers keen to steal it from us, and exploit our computer systems to their own ends.

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was