Organized Crime Invades Cyberspace

Computerworld - Antivirus researchers have uncovered a startling increase in organized virus- and worm-writing activity that they say is powering an underground economy specializing in identity theft and spam.

"The July outbreak of MyDoom.O was yet another reminder that spammers are now using sophisticated, blended threats that mix spam, viruses and denial-of-service attacks," according to Andrew Lochart, director of product marketing at Postini Inc., an e-mail security services provider in Redwood City, Calif. In July alone, Postini's customers reported more than 16 million directory harvest attacks, which are attempts by spammers to hijack a company's entire e-mail directory.

The link between viruses, worms and the underground criminal economy, however, goes back to long before the latest version of MyDoom, says Mikko Hypponen, antivirus research director at F-Secure Corp. in Helsinki, Finland. Starting with the initial outbreak of MyDoom in January, Hypponen began to notice that what had previously been considered little more than a rogue virus-writing subculture actually had a significant link to organized efforts to use malicious code to make money.

"MyDoom got press coverage because of the denial-of-service attack it launched against SCO and Microsoft Corp.," says Hypponen. "But nobody was paying attention to what was happening behind the scenes."

And what was happening, according to Hypponen, was the beginning of a concerted, unabashed effort to turn virus and worm infections into cash.

Eight days after MyDoom.A hit the Internet, somebody scanned millions of IP addresses looking for the back door left by the worm, said Hypponen. The attackers searched for systems with a Trojan horse called Mitglieder installed and then used those systems as their spam engines. As a result, millions of computers across the Internet were now for sale to the underground spam community.

Image Credit: Anastasia Vasilakis

By the end of January, Internet users were busy dealing with the Bagle mass mailer. And although the first version wasn't particularly successful, at least a dozen variants soon followed, including variants that carried Mitglieder.

But the real clues that organized gangs were using Bagle and MyDoom to sell spam proxies -- as well as links to phony Web sites that exist only to harvest identities and personal financial information -- came when the writer behind Netsky.R posed a direct challenge to the so-called professional virus writers.

In addition to attempting to remove Bagle and MyDoom from infected computers, Netsky conducted a denial-of-service attack against Web sites known to be fronts for identity thieves, according to Hypponen.