Battle stations

28 Apr 2006

If you go down to the Sophos anti-virus lab (pictured) today, you’re sure for a big surprise. The only white lab coat in the place hangs on a coat rack as a sort of practical joke and the place is a sunlit, airy new building in Oxfordshire, far removed from some imagined dark den where white hat hackers pit their wits against malware writers.

Staff there are anything but idle, however; SophosLabs processes an estimated five million messages over a 24-hour period, across its operations in the UK, Australia, Canada and the US. LCD displays suspended from the ceiling show the current level of activity within the lab. All suspected email is processed into a system called Detach where it is analysed by experts to determine whether it qualifies as malware. “This is very different from 10 years ago when you had one virus a week,” observes Carole Theriault, senior security consultant with Sophos.

The fact that Sophos maintains the lab at all is a function of having to update its security software products so that customers can apply these updates to filter the latest viruses and spam. The level and sophistication of malware development has accelerated and constant monitoring is vital. Computers may be able to identify telltale malware patterns but human intervention is also a critical part of the process. Theriault candidly admits there is a considerable reactive element to its work when it comes to battling malicious programs. “Anybody who says ‘we offer 100pc protection’ is not necessarily telling the truth,” she says.

“There’s only one way to make yourself 100pc secure,” adds Mark Harris, director of SophosLabs, “and that’s to turn off the power, take out the network cable and lock the door.”

The lab does the next best thing, by operating on a separate network to the rest of the company, so that viruses, worms and assorted programs can be studied without the risk that they will spread. The nature of the lab means that all manner of nasties come across its radar. The last week in March saw a huge jump in email containing offensive or illegal material — Sophos recorded seven in two days compared with a normal rate of one per week or even one per fortnight.

Around the same time, staff in the lab also discovered a Russian website selling readymade spyware kits for US$15. As if to illustrate the professionalism of the operation, buyers were even offered technical support for the product. The site referred to the kit’s creators as spyware and adware developers and marketed the strengths of the toolset, which included dialogue boxes aimed at making it easy for script kiddies to infect computers.

In addition to viruses, the sheer volume and variety of junk email that Sophos receives occasionally throws up some interesting spammer tactics. One of the most common is to include extracts from literature in the body of the message to fool Bayesian analysis filters into thinking that the email is genuine. Sharp-eyed human analysts spotted that a raft of recent mails included quotes from a famous Russian novel The Master and Margarita.

One of the most interesting set-ups in the lab is a demonstration unit comprising three PCs, which each represent an attacker, a server on the internet and a victim. There are no fancy displays to set it apart from anything else in the lab but in the starkest way possible, this facility illustrates just what the security companies mean when they inform us that a particular exploit allows a third party to remotely control a PC.

Vanja Svajcer, principal virus researcher at Sophos, acts as the attacker for the purpose of the demo, composing a simple email, which in practice would be several thousand at a time. He then attaches an executable file such as a keylogger. The body text of the message draws on the usual social engineering techniques to trick the user into opening it. But then, nothing apparently happens when the user clicks on the attachment.

In fact, the user will have downloaded the malware. According to Svajcer, this is a deliberate ploy by the attackers — nothing appears to change on the computer so the user’s suspicions aren’t raised. Meanwhile a message is relayed to the attacker alerting him to the fact that the malware has been installed. All he has to do is wait. In the demo, the user visits an online banking website — a fake set-up purposely for the test — and goes through the security procedures, typing random numbers as if they were genuine passwords. Shortly after, Svajcer draws my attention to the middle PC and asks, like a magician performing a card trick, if these were my numbers. Like the best magicians, he’s right — but my reaction is to be shocked rather than impressed, so the analogy ends abruptly there.

The remote control capability isn’t restricted to installing keyloggers; mimicking an attacker, Svajcer demonstrates how it’s possible, and easy, to launch any program on the host computer. It’s quite a sight to see even something as innocuous as Microsoft Word open on the screen in front of you when you haven’t so much as pressed a key.

Machines that are compromised in this way are known as zombies or bots and there is increasing evidence that groups of these PCs are being sold to spammers who can use them to send out massive amounts of junk email. According to Svajcer, anyone controlling these PCs can send commands to an individual computer or to groups of machines.

The programs that allow this to happen are dubbed Trojan horses because of the way they avoid detection. Graham Cluley, senior technology consultant with Sophos, points out that spyware, which is currently gaining a lot of attention within the media and the security sector, is really just another name for Trojans.

Nonetheless, it’s a huge growth area. There are now 9,000 banking Trojans in Brazil alone, for example. Sophos believes that this may point the way to where the future lies for malware propagation. “There is a definite shift from worms and viruses to Trojans,” says Svajcer, who sums up the attraction for malware writers and senders. “You can craft and control it and make it fly under the radar; whereas with a virus, you send it out, you have no control over it [after that] and it quickly gets detected.”

By Gordon Smith