The biggest security problem for most computer users in 2003 was the relentless onslaught of worms – the pernicious type of virus that can replicate itself and make use of local memory, but unlike a virus, cannot attach itself to other programs. Worms spread across the network using automatic file sending and receiving features and can crash a computer or interfere with its operation in any number of ways. It is difficult to gauge accurately the damage worms have caused over the past year, but some observers say it runs into hundreds of millions of dollars.
Sobig.F was the most damaging virus of 2003, according to anti-virus software company Sophos. It says that one virus alone accounted for a fifth of infection reports from its customers.
MessageLabs, which operates a virus filtering service, agrees. The company described Sobig as the “fastest-spreading virus of all time” when it struck in August.
It is thought the worm originated in the US and was created to support a business process (albeit a malicious one), raising concern that virus writing and spamming are converging.
Sobig spread using spammer tactics, such as manipulating open relay servers and proxies, and used its victims for spam relaying and email harvesting sites, according to MessageLabs.
Sobig’s code included commands that made infected computers simultaneously call in to ‘sleeper computers’. The sleepers downloaded an Internet link that contained all of
the worm’s previous victims, a process that in turn launched other attacks or directing victims to pornographic web sites.
But the full impact of the planned attack was thwarted with only a day to spare by a team of Finnish anti-virus experts. Sobig, however, still managed to infect half a million computers worldwide, crashing mail servers and sending millions of bogus emails.
The respect for Sobig among authors was highlighted with the Sober worm, which carried the message: “Programmer of the Sobig Worm. Congratulations!! Your Sobig Worms are very good!!! You are a very good programmer!”
The Blaster worm was the second major virus threat of the year. Like Slammer, which appeared in January 2003, Blaster targeted Microsoft by exploiting a flaw in the Windows 2000 and XP operating systems. The goal was to gain access to computers through any open Internet connection, rather than merely through email.
The widespread use of broadband accentuated the problem, because many home or small business users leave unprotected computers permanently connected to the web. Blaster’s author also planned a distributed denial of service attack on windowsupdate.com on 16 August – the very web site from which users could download patches created to fight the worm.
Antivirus companies have been criticised for fuelling the fears of computer users and giving viruses media-friendly names, but they all denied trying to induce or exploit paranoia.
Jana Monroe, assistant director of cybercrime at the FBI, has called phishing “the most troubling new scam on the Internet”. In fact, the idea of stealing people’s details or passwords by posing as a trusted source is as old as the Internet itself.
But phishing certainly came of age in 2003, both in frequency and sophistication. In September, some 80 million fraudulent emails inciting people to part with passwords were distributed, according to anti-spam and anti-fraud service provider MailFrontier.
Two UK banks, Barclays and Lloyds TSB, were victims. Some of their customers were persuaded to part with their debit card details after receiving emails which asked for password information. The emails contained links to imitation web sites, threatening the cancellation of their accounts if the customer did not respond. In October, two other UK banks, Halifax and NatWest, were forced to close their online banking services following a spate of similar bogus emails, although all banks insisted none of their customers had lost money.
Breaches of nuclear power plants and an atomic weapons lab in the US in 2003 raised serious fears about potential terrorist attacks. In January 2003, the Slammer worm disabled a safety monitoring system at Ohio’s Davis Besse nuclear power plant in spite of a firewall which had been programmed to block that virus.
In November, 18-year-old Joseph McElroy from Woodford Green in London broke into 17 computers at the Fermi National Accelerator Laboratory outside Chicago. After his arrest, he was described by police as “a very pleasant boy” who was merely trying to use the laboratory’s processing power to download films and music from the Internet.
The National Security Agency at Fort Meade, Maryland was hacked in March. Only the public affairs office was affected, however, and no classified documents were accessed. It is thought that the hackers’ motives may have been political, part of a spate of web site defacements protesting against the war in Iraq by groups such as ‘The Ghost Boys’ and ‘DkD’.
As it turned out, none of these breaches presented a major security or safety risk – but they drew attention to the potential for something much worse. The US House Government Reform Subcommittee on Technology underlined this with its rating of US federal agencies’ computer security programs in September. Some improvement was shown but the overall score was still only a ‘D’ grade. Eight agencies received ‘F’ grades, including the Department for Homeland Security.
A more serious breach occurred in February, when hackers gained access to the accounts of five million MasterCard and Visa credit card holders, via a transaction processing company.
Later in the year, three German 18-year-olds spent £80 million online in just two hours using stolen credit card details. According to police, who caught them in December, the trio spent a fortune on aircraft, restaurants, industrial machinery, and patents because they were “bored”.
Happily, there were many near-misses. These included a foiled hacking competition scheduled for the US’s Independence Day weekend in July. Points were to be awarded to hackers according to the kind of system cracked. HP-UX and Apple OS X would have merited a maximum five points while Windows-based sites carried just one.
Although most of the year’s big high-tech crime cases are still ongoing, there were some highly publicised results.
The FBI’s ongoing ‘Operation Cyber Sweep’ bore fruit with 125 arrests over seven weeks in October and November. The arrests were related to $100 million lost in crimes affecting 125,000 Americans and dozens of businesses. But relatively little headway was made in tackling international gangs of cyber-thieves, said experts, many of whom are thought to be based in the Far East and a number of former Soviet states.
Among those people arrested and convicted in the UK were Simon Vallor, a 22-year-old web designer and virus writer from North Wales, who managed to infect 27,000 PCs in 42 countries, and 21-year-old Aun Sayal of Ilford, Essex, described by officers as an eBay conman, who tricked online shoppers out of thousands of pounds by selling airline tickets, computers and other electrical goods which he never delivered, hiding behind false contact details. Both Vallor and Sayal were jailed for two years.
The IT industry is not leaving everything to law-enforcement agencies. In November 2003, Microsoft launched a $5 million initiative, in partnership with the FBI, Interpol and the US Secret Service, to catch the authors of super-destructive viruses that attack its products, including the oft-targeted Windows operating system.
The fund included rewards of $250,000 each for information leading to the arrest and conviction of the people behind two of the most notorious worms seen so far, Blaster and Sobig.
Microsoft’s unprecedented initiative was seen partly as a response to the fact that its systems are often singled out for attack – hence the rewards only apply to viruses that affect Microsoft systems. But IT security experts are sceptical that offering rewards will necessarily yield results, pointing to the close-knit and underground nature of the hacker ‘community’. By the end of the year, neither reward had been claimed.