Last year, a computer worm that conducts automated reconnaissance appeared; it uses the Google Inc. search engine to automatically find Web sites running vulnerable bulletin-board software and then defaces them. The financial-services industry noticed a spike last fall in phishing attempts to steal money from customers' accounts and put the blame on a new toolkit that made it easier to set up such scams.
Ticket scalpers, meanwhile, use software that deciphers the wavy words that need to be entered to make purchases on E-commerce sites, hoping to scarf up automatically masses of tickets they then can sell at outrageous rates. Spammers are bypassing similar image-recognition challenges, used by Internet service providers to prevent bulk registration of E-mail accounts, with scripts that trick Web surfers into solving picture puzzles for them. And 24 hours a day, bots search the Net for vulnerable systems.
Welcome to the machine wars, where zombie armies--computers compromised and subverted by hackers--churn out spam and malicious code in relentless raids on the PCs of home users and the commercial world's IT systems. Security vendors say it takes as little as six to 15 seconds for a software-driven attack to find and infect an unprotected PC connected to the Internet. "Automated tools that scan IP address blocks are relentless and never get tired," says Bill Hancock, VP and chief security officer at IT service provider Savvis Communications Inc., via E-mail.
The good guys are fighting back. One means is through better blocking of spam, the river on which many automated attacks travel. Another is turning the network itself into a security device. AT&T, the largest carrier of IP data nationally, each day analyzes 1.7 petabytes of information that passes through its IP backbone, looking for new attacks so it can teach its network to spot and combat them through proprietary algorithms without human intervention. "We're seeing a substantial need to automate the defense mechanisms that are in place," says Stanley Quintana, AT&T's director of security services. "Automating real-time mitigation is a way to deal with this. But the only way you can really have good real-time mitigation is to have good real-time intelligence."
Automated hacking has gotten so bad that a federally funded effort to track cyberspace attacks has quit counting. The CERT Coordination Center, part of Carnegie Mellon University's Software Engineering Institute, noted that 21,756 incidents--each of which can involve thousands of sites--were reported in 2000, 52,658 in 2001, 82,094 in 2002, and 137,529 in 2003. Last year, it stopped publishing the number. "Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks," the group said.
Automation hasn't changed merely the techniques of online crime, it has changed the goal. Asked why he robbed banks, Depression-era thief Willie Sutton said, "Because that's where the money is." In today's information economy, criminals rob computers. And with increasingly sophisticated automated tools, they can ply their trade on autopilot, from anywhere in the world. "We're seeing coordinated efforts that are being driven by criminals who are interested in profiting from the increased use of the Internet," says Gytis Barzdukas, director of product management with Microsoft's security business and technology unit.
Trojan horses are one automated tool criminals have latched onto. These malicious programs--arriving through a virus infection, as a seemingly innocuous E-mail attachment or through an online download--may take control of a PC remotely, turning it into a zombie. Or they may lie in wait as spyware, watching for information such as Social Security numbers and online banking passwords that can be stolen through direct means (sent to a hacker) or indirect means (by loading a phishing site when the victim tries to visit a legitimate E-commerce site). In November, a Trojan called Banker-AJ employed this technique to target customers of banks in the United Kingdom, including Abbey, Barclays, Egg, HSBC, Lloyds TSB, Nationwide, and NatWest.
This isn't an isolated incident. Fifty-three people were arrested in Brazil in October for allegedly using Trojans, which generally spread through viruses, to steal $30 million from online banking customers. In December, German police arrested five men for allegedly conducting a similar phishing campaign that ripped off an estimated 30,000 euros from Postbank customers. This month, four high-school students in Sydney, Australia, were arrested for allegedly using a Trojan to steal online banking passwords on behalf of a global Internet banking scam operating out of Australia and Russia.
The automation of cybercrime has been enabled by the concurrent rise in the number of nodes on the Internet, in the processor speed of those machines, and in the bandwidth available to connected computers. Criminals have learned to move very quickly when a software flaw is found, trying to infect machines before vendors can offer a patch. "Crime syndicates are hiring experts and computer programmers, often offshore, that will then develop attacks," Barzdukas says. "And when people have environments that aren't up to date, aren't patched, and are susceptible to bots [that take control of PCs and turn them into zombies], the attacks can be much quicker and more automated."
In May, anti-spam and antivirus vendor Sophos plc estimated that more than 30% of spam originated from zombies. In June, network equipment company Sandvine Inc. said that spam Trojans--which turn PCs into zombies--are responsible for up to 80% of spam. Hackers controlling these machines rent them out for 3 to 8 cents per PC per week, says Vincent Weafer, senior director of Symantec Security Response at Symantec Corp. Renters of the zombie machines can use them for spamming, delivering porn, sharing copyrighted music, or launching attacks to create more zombies or run denial-of-service attacks.
Perot blocks about 80% of inbound E-mail, CIO Mike McClaskey says.
"Human administrators are finding it more difficult to cope with those attacks," says Tony Redmond, VP and chief technology officer of HP Services, which puts him in charge of setting strategy for Hewlett-Packard's security initiatives.
Keeping up with the machines isn't only a matter of speed. Volume is an issue, too. IT services company Perot Systems Corp. blocks about 80% of its inbound E-mail. "This is just a crushing amount of volume," CIO Mike McClaskey says.