A White Hat Talks about Modern Malware

• By Dian Schaffhauser
• 03/11/08

##AUTHORSPLIT##<--->

When Julie Amero was convicted of four counts of risk of injury to a minor in Connecticut last year, it was a wake-up call for many schools to make sure their anti-virus and anti-spyware software was kept up to date. Amero was the substitute teacher who had chased students off of the regular teacher's computer and taken charge of the computer, on which pornographic images then allegedly started appearing. (Since then her conviction has been vacated, and she awaits a new trial.)

Having our computers serve up the unexpected doesn't surprise Roger Thompson, who has made a career out of being a white hat--one of the good guys in the realm of computer security. Thompson entered the business in 1987 by starting one of the first anti-virus companies in Australia. That was the same year that the Jerusalem virus first surfaced, with the goal of destroying every EXE file it attached itself to on an infected machine. That was shortly followed by the Morris Worm in 1988, one of the first computer worms distributed via the Internet. Since then, as we've all experienced, computer exploits have evolved and continued unabated.

Thompson, who pens the "Exploit Prevention Labs Blog," is currently the Chief Research Officer for AVG, formerly Grisoft. His blog is especially well known for its lists of "innocent search terms," search terms--such as "school closings in illinois parents" or "LEGO DUPLO Block-o-dile" that we might enter on our favorite search engine, which could lead us to hijacked sites where our computers can become infected. AVG, which acquired Thompson's company, Exploit Prevention Lab, in 2007, sells AVG Internet Security and other anti-virus software used, according to the firm, by 70 million users around the world.

The difference between the exploits of 20 years ago and today's hacks, according to Thompson, is that that the new ones are likely to infect our machines from the Web sites we visit and trust. He doesn't blame Amero by any means for what happened on the computer in that seventh-grade classroom. What happened to her could easily happen to any of us.

In this interview, Thompson shares the details about some of the exploits he and his team have recently discovered and explains why it's so difficult for schools to keep their computers clean.

Dian Schaffhauser: What kinds of security problems are hitting Web sites right now?

Roger Thompson: The bad guys are getting better at hacking into them. And then they're really good at using those hacks to infect visitors to those Web sites. If you look back just a few years, you could say that you were pretty safe, as long as you didn't visit any Web sites of 'ill repute.' [Now,] the bad guys could just as easily hack into a mom-and-pop barbecue Web site, and that would catch lots more victims because nobody expects to get into trouble reading the dinner menu.

Schaffhauser: Let's cover some of the exploits that you've referenced on your blog. What's the hack involving Google AdWords. How could a Google ad be dangerous?

Thompson: Indeed, what could be safer than a Google ad? It turns out that the bad guys figured out that if they bought AdWords and actually took you to the real site, most people would think that was pretty safe. But in between you clicking on the ad and getting to the real site, they took you via an exploit site. In the original case it was based in Russia, but it could be anywhere. This sort of happened in the blink of an eye. If you weren't watching closely, you wouldn't even know it was happening.

In the case of the [search for 'BetterBusinessBureau'], it actually took you to the Better Business Bureau, where you wanted to go. But in between it took you to an exploit site, which was busily trying to install software in the background.

Schaffhauser: What kind of software?

Thompson: This one was installing something called a post-logger, which is like a keylogger [a method for capturing and storing keystrokes]. A post-logger is one step up from that. When you fill in data, like a user ID and password, you're actually filling in a form. There's a field name and your response and a field name and your response... When you have a post-logger, it tracks the field names alongside your response.

Schaffhauser: Which makes the hacker's job easier.

Thompson: That's right. Not only that. This particular event installed an XML file that was full of commands--extra commands. If you were at the World Bank of Scotland Web site, then it would modify the Web page as it came back to ask some extra questions, like, 'What is your mother's maiden name?' or 'What is your secret question?' So it would look like a perfectly normal Webpage. But it would have extra questions injected, to make sure it got the information they needed.

Schaffhauser: But this isn't the same as phishing, because you're at the legitimate Web site?

Thompson: Yes, without the legitimate Web site having anything to do with it. They've brought this sort of thing to an art form.

Schaffhauser: What was the Alicia Keys hack?

Thompson: At first we thought they had a hack into the whole of MySpace, so we were quite concerned about that. It turned out to be an initial half a dozen Web sites that we pretty quickly detected was all there was. They're all music accounts, Alicia Keys was the highest profile, but there were lots of other bands. I'm pretty sure that if we had been able to look more closely, we would have seen they were all managed by the same music company or perhaps their MySpace accounts were managed by the same Webmaster, and he'd had his password phished.

Schaffhauser: What was that hack doing?

Thompson: Same thing. It went to a place in China. As well as trying to use the exploit, they tried to use social engineering, which is where they try to trick you into doing something. In this particular case, they showed a screen saying, 'Windows can't play this video. You have to install a new codec. Click here to install the new codec.' If you did install the codec, it wasn't really a codec; it was the bad software. That was a pretty good thing to attempt, from a MySpace Webpage, particularly Alicia Keys, because it's full of video--it's rich media. People would expect it...

If you go back six or seven years, worms were the main problem. But when Service pack 2 was released for [Windows] XP, the firewall was on by default. Even the pathetic old Windows firewall did a pretty good job of keeping the worms out. So when it was on by default, that was an extinction level event for worms. People still install worms, but they're not going to be anywhere near as effective as they once were.

But when you start a Web browser, you start that from within the firewall. You're starting from a trusted place. That creates a hole through the firewall. If you visit a Web site with hostile intent, the code is able to come back through the firewall. The firewall provides no protection against that sort of thing. The code is able to get back through to the desktop and has a shot at executing.

Schaffhauser: What about Web 2.0? What kinds of new problems does that introduce?

Thompson: You mean Web 2 oh-oh....

Everybody is trying to create the next MySpace or the next Google. In order to make their Web site more appealing than somebody else's Web site, they're trying to put in as much functionality and as many bells and whistles and dancing girls and dancing pigs as they can.

In security, there's an inverse relationship. The more secure you make something, the less functional it tends to be. And vice versa. The more functional, the less secure it tends to be.

It's just a natural consequence of having more things and more problems. And the bad guys are just really good at finding the problems.

Schaffhauser: And frequently the functions of Web 2.0 sites are pulled together from many different sources...

Thompson: They're trying to create the richest possible thing they can--the most functional thing they can. It's the emerging battleground for now and for the next few years.

Schaffhauser: How do you go about researching these exploits? How do you sift out the things you've seen a hundred times before from that new hack that stands out?

Thompson: It turns out that there aren't a million of these bad guys. There might be a couple of hundred gangs. There's a finite set. And they each have their own way of doing things. Once you've identified a gang's MO, you can create code and rules to find them wherever they happen to pop up. And all of our users have the option of becoming part of our eyes. When they install our software, they can all elect to become part of our network so they can report when they find something bad. If one of our users is just surfing, and they go to some Web site, and our software is watching and something bad tries to bite them, then it reports back to us. It doesn't tell us who they are, but it tells us where they were when something bad happened. So it becomes an Internet neighborhood watch.

Schaffhauser: When you find an exploit, do you contact the Webmaster for the site and say, 'You guys have been hacked'?

Thompson: We do. It gets kind of old, because they metaphorically blink, and their eyes glaze over and they don't tend to understand.

It's hard to know who the bad guys are, what the bad Web sites are. And it's transient. They get hacked and they get cleaned up. They get hacked and cleaned up. If you took any list of 10,000 Web sites and looked at them six weeks later, you'd probably find that only a few hundred of them are still doing bad things. But there are probably another 10,000 or 20,000 that have taken their place.

Schaffhauser: If you're running a computer in a school, what are the chances those computers are infected?

Thompson: Pretty good. Schools are incredibly vulnerable, because they're usually pretty poorly defended. People do their best, but it's probably some teacher's slapped-on job to keep it defended.

Schaffhauser: What's the remedy? Where do I as a school technical coordinator start in to evaluate the state of my computers?

Thompson: It's very difficult. I don't know that there's an easy an easy answer to that. I think you've got to understand that functionality and security have this inverse relationship. You've got to try to balance everybody's needs and desires to do whatever the heck they like on the Internet. Schools--particularly colleges--tend to dislike rules and limits. So it's a tough job.

Good security is all about getting as many layers in place as you can. Education is part of it. Cutting down the functionality as much as you can is part of it. Getting the antivirus software in place is another part. You get as many layers as you can. The idea is that whatever gets past one layer gets caught by another.

Schaffhauser: But if the bad guys do such a good job of looking innocent, what kind of education would help?

Thompson: It's very hard. Probably the best thing they can do is get the most software they can. Most software companies are prepared to work hard with any educational institution.

Schaffhauser: Would a security expert help?

Thompson: If you can find someone and put a little bit of budget together, that's probably a good idea--as another layer. The only real alternative is the Montana option. That's where you sell all your computers and move to Montana.

Get daily news from THE Journal's RSS News Feed

---

About the author: Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at [email protected].

Proposals for articles and tips for news stories, as well as questions and comments about this publication, should be submitted to David Nagel, executive editor, at [email protected].