There are two questions in the realm of IT security that simply won't go away: Can cybercrooks successfully attack at will, and are those who report the details of these attacks causing more harm than good? The revelation earlier this week by a security vendor and research firm that a Trojan-horse may have stolen sensitive information from hundreds of businesses and government entities has revived this heated debate.
U.K.-based security vendor Prevx says its software last week detected a program running on customers' computers that behaved suspiciously, creating an outbound HTTP connection to a Web site and sending information out of customers' IT environments. "These were classic behaviors of an information-stealing Trojan," Prevx CEO Mel Morris told InformationWeek.
Further study led Prevx researchers to a directory on a Web site identified as www.martin-golf.net/pajero, which was live up until Tuesday afternoon Eastern Time but has since been taken down. The directory offered a list of 494 different computers (identified by their IP addresses) that were running the mysterious program Prevx had found. The program encrypted sensitive information such as logins and passwords while leaving an online ransom note informing the victim that all of their private information for the last three months had been taken and that they needed to pay $300 to buy software from the cybercrook that could decrypt the info.
Morris noted that the martin-golf.net directory was just a front for the cyberscam and that site's owner likely had no knowledge their site was being misused in this way.
Prevx, having determined that this was the work of a Trojan that had infected computers at hundreds of businesses and government agencies, notified U.K. law enforcement as well as the FBI in the U.S., Morris said. The next step was to send copies of the malware to a number of other security vendors, whose products Morris claimed had failed to detect the Trojan, which was relatively unsophisticated in that it didn't use a rootkit or techniques for hiding itself.
Here's where the story gets a bit contentious and exemplifies the competitiveness in the security vendor market as well as the fine line that security researchers walk when they want to disclose their findings.
Morris said that he and his team on July 14 alerted the FBI to the presence of this Trojan and had a conference call with the agency the following day. Prevx told the agency that it had identified 494 computer systems that had encrypted and transmitted about 200 Mbytes worth of data, which Prevx had decrypted only to find logins, passwords, and other sensitive data. "The FBI said they would be moving forward with their investigation," he said. The FBI confirmed that they had been contacted by Prevx, but would provide no further details nor confirm whether the July 15 discussion took place.
Prevx has spoken freely about which companies it contacted to inform them that they'd been hit by the Trojan. Morris claimed that the Trojan was found inside IT systems belonging to American Airlines, Booz Allen Hamilton, and the State Department, although none of them would comment on Prevx's story. Morris characterized their reaction to Prevx as ranging from apathetic responses ("they're too busy") to indignant responses that questioned Prevx's credentials.
Likewise, Prevx claimed to have contacted several security vendors to alert them that their products had not caught the Trojan. One of the security vendors, Trend Micro, acknowledged that it was aware of the Trojan and that its products can now detect and protect customers against this Trojan.
Yet Trend Micro was "ethically taken aback" by what they see as Prevx's cavalier attitude to go public so quickly with their research, David Perry, global director of education told InformationWeek.
Trend Micro, however, is no stranger to controversy over security disclosure. In late September, 2006, the company, which had been studying software bots and promoting a service to detect such bots, reported finding bot infestations in numerous government agencies. Trend Micro's list included the Defense Department, the Navy Network Information Center, and the Pittsburgh Supercomputing Center. Several organizations on the list challenged Trend Micro's research.
While it's not clear how much damage the Trojan in question has caused or why its creators were asking for only $300 in ransom, it is obvious that the IT industry, its customers, and law enforcement still aren't on the same page when it comes to finding, reporting, and fixing security threats.