by CIO Staff

A Brief History of Malware and Cybercrime

Feature

Jun 04, 2007 · 20 mins

Intrusion Detection Software, Malware, Viruses

12 notable developments in three decades of online threats, with notes on responses.

Since the first spam e-mail sent on the Arpanet, there’s been a steady rise in the complexity of online threats, and the industry’s best efforts to respond. Here’s a historical review.

Spam

When it began: The first spam e-mail was sent in 1978 over the ARPAnet, the Defense Department network that was precursor to today’s Internet, by a Digital Equipment Corp. marketing executive named Gary Thuerk to flog a new computer. To read it and see some of the reactions, see this entry on Brad Templeton’s website.

More On Cybercrime

How You Can Fight Cybercrime

How the Mob uses IT

What Adult and Gaming Sites Can Teach You About Innovation

A Brief History of Cybercrime

What it is: Mass mailings (usually advertisements, though today they are as often criminal attacks) sent via an ever-expanding array of channels—including e-mail, newsgroups, instant messaging, comment fields in blogs, cellphones and VoIP telephone systems—to a large group of recipients who have not requested them and have no way to remove themselves from the mailing list. (The CAN-SPAM Act made it illegal to send unsolicited e-mail without offering a way to opt out of future mailings.) Over time, spam has grown more malevolent, as criminals have made it the carrier for a host of scams, from identity theft to fraud to malicious software designed to take control of the recipient’s computer.

Variant: spim, the name for spam sent by instant messaging.

Response: IP address blacklists, Bayesian content filters, content heuristics engines, and content fingerprinting schemes augmented by sender authentication.
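The Bayesian content filter named in the response above, and in the identical response lists under later sections, scores a message by the words it contains. The following is an added illustration, not code from the article or any vendor: a minimal naive-Bayes filter trained on a constructed handful of spam and legitimate messages, with Laplace smoothing so that words it has never seen stay neutral rather than swinging the verdict.

```python
import math
import re
from collections import Counter

# Constructed training corpus (assumed, not from the article): four spam, four ham.
SPAM = [
    "buy cheap meds online now limited offer click here",
    "you have won a prize click here to claim your free gift now",
    "cheap stock alert buy now before the price doubles",
    "free offer act now click here for your prize",
]
HAM = [
    "meeting moved to tuesday please bring the quarterly report",
    "can you review the attached draft before the client call",
    "lunch on thursday the usual place let me know",
    "the build is green again after the config fix",
]

TOKEN = re.compile(r"[a-z0-9$]+")

def tokenize(text):
    # A set, so a word repeated in one message is counted once for that message
    return set(TOKEN.findall(text.lower()))

class BayesFilter:
    def __init__(self):
        self.spam_docs = self.ham_docs = 0
        self.spam_tokens, self.ham_tokens = Counter(), Counter()

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def token_spam_prob(self, tok):
        # Laplace-smoothed P(spam | token); an unseen token scores exactly 0.5
        p_t_spam = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
        p_t_ham = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
        return p_t_spam / (p_t_spam + p_t_ham)

    def spam_score(self, text):
        # Combine per-token probabilities in log space to avoid floating underflow
        log_spam = log_ham = 0.0
        for tok in tokenize(text):
            p = self.token_spam_prob(tok)
            log_spam += math.log(p)
            log_ham += math.log(1 - p)
        return 1 / (1 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        # High threshold: a false positive (lost legitimate mail) costs more than a miss
        return self.spam_score(text) >= threshold

def build_filter():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f
```

Real filters train on thousands of messages per user and pair the verdict with the blacklists and sender authentication the article lists, since word statistics alone are easy to dilute with filler text.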

Rootkits

When it began: 1970s-80s. Originally developed by hackers to hide traces of intruders on Unix computers, rootkits for all types of networked computers are now packaged and sold on the Internet by the emerging malware development community. Perhaps the king of these programs is the open source rootkit FU, which can be downloaded freely here.


What it is: Software that hides the presence and activity of intruders. Used in combination with Trojan software, rootkits let hackers change system settings and make use of the computer without the user—and usually without monitoring software such as firewalls or anti-virus programs—being able to detect it. Once hackers get “root access” to a computer, they can manipulate it to do anything they want. For example, in 2005, a computer science researcher discovered that Sony BMG Music Entertainment had used rootkit techniques to disguise digital rights management software that installed itself on consumers’ computers when they played a Sony CD. The case ended with a settlement.

Response: No reliable response exists, though there are anti-rootkit software programs that attempt to detect rootkit takeovers. For more, see “Rootkit Reality” from CSOonline.com.

Viruses

When it began: In 1982, a high school student named Rich Skrenta wrote Elk Cloner for Apple II computers. Hidden on a floppy disk necessary to load the operating system on the computer, it spread when users unknowingly used an infected disk to boot up. It contained an awful poem that appeared on the screen once every 50 boot-up attempts.


What it is: Viruses are software capable of executing an unwanted action on the victim’s computer that also has a mechanism for replicating itself onto other computers that come in contact with the infected machine. Viruses spread through networks to which infected computers are attached, such as e-mail systems, corporate networks or the Internet. They may also be physically transferred to another computer via portable media such as a USB drive.

Viruses started as harmless pranks—for example, a silly message that would appear on screen then disappear—and quickly graduated to criminal destruction. Today viruses can destroy data or render the computer’s hard drive unusable.

Response: Anti-virus software; teaching computer users not to click on communications or software that they are not expecting to receive.

Computer intrusions

When it began: The first high-profile computer intrusion occurred in 1983, when a group of young Milwaukee hackers known by their area code (the 414s) broke into computer systems at institutions ranging from the Los Alamos Laboratories to Manhattan’s Memorial Sloan-Kettering Cancer Center before being arrested after an FBI investigation, The New York Times reported.


What it is: Unauthorized access to a computer system, whether manual, such as using a stolen password, or automated, in which computer coders develop software that enables them to bypass network security protection and gain access to computer systems via the Internet.

Response: Multi-factor authentication; intrusion detection software; firewalls; data encryption; security risk training for computer users.

Worms

When it began: In 1988, Robert T. Morris, Jr., a graduate student at Cornell University and son of a National Security Agency scientist, created software that would automatically replicate itself on computers hooked up to the government’s ARPAnet (the precursor to the Internet). Though Morris, who is now a professor at MIT, insisted he was only trying to gauge the size of the Internet, the worm may have infected thousands of government computers and caused anywhere from $10-$100 million in damage, according to the U.S. General Accounting Office.

Morris was convicted of violating the 1986 Computer Fraud and Abuse Act and was sentenced to three years’ probation, 400 hours of community service, and a fine of $10,050. The worm shattered perceptions of the emerging Internet’s security and stability.


What it is: A more dangerous evolution of viruses, worms are self-propagating, meaning they do not need any intervention from the victim—such as clicking on an infected software attachment in an email—to transfer themselves to other computers. Instead, they rely on vulnerabilities in software and networks to allow propagation. For example, the “security patches” offered by Microsoft and other software vendors are usually the result of the discovery of a vulnerability in the software that could allow hackers to take control of users’ computers without warning.

Response: Anti-virus software, network monitoring, security training.

Trojan horse software

When it began: In 1989, a diskette claiming to be a database of AIDS information was mailed to thousands of AIDS researchers and subscribers to a U.K. computer magazine. The diskettes contained Trojan software that rendered the computers useless and demanded that $378 be sent to PC Cyborg Corporation at a post office box in Panama. The software was linked to an American doctor and AIDS researcher named Joseph Popp, who successfully invoked the insanity defense when he was extradited to the U.K. in 1990. To see an explanation of the Trojan horse exploit via diskette, see this article at Purdue University.


What it is: Trojan horse software installs itself on users’ computers when they click on a link or a disguised computer file or attachment. Once installed, the software can be controlled remotely by hackers to extract money, passwords and other sensitive information. It can also be used to create a relay point, or zombie, for forwarding advertising spam, phishing e-mails and Trojan software to millions of other computers on the Internet.

Response: IP address blacklists; Bayesian content filters; content heuristics engines; content fingerprinting schemes augmented by sender authentication; anti-virus software; network monitoring; teaching computer users not to click on communications or software that they are not expecting to receive.

Phishing

When it began: The first well-known mention of phishing was in the alt.2600 hacker newsgroup in January 1996, though it probably showed up earlier in a hacker newsletter called “2600.”


What it is: Phishing attempts to trick Internet users into divulging their personal information for use or resale by criminals who can profit from it. Originally delivered through crude, typo-ridden e-mails, phishing has matured into a range of sophisticated methods that are capable of fooling even experienced computer users (social engineering is the clinical term for this kind of trickery). For example, e-mails may carry the snazzy logos and the exact language used on the websites of respected financial institutions or electronic commerce retailers. These e-mails link to websites that look just like the real thing. They may also contain personal or account information gleaned from other sources. Phishing has become so successful that it has been adopted by organized crime around the world as a new channel for theft, extortion and blackmail, according to security vendor RSA.

Variants of phishing include:

Vishing: Computer users are cajoled into calling a phone number to give up their personal information directly to a waiting criminal.

Spear phishing: Criminals obtain access to a corporate network or social networking site, and obtain e-mail addresses of people familiar to the potential victim and create messages that purport to come from direct bosses, HR departments or close friends.

Pharming: Criminals manipulate legitimate websites or use tools to redirect traffic to bogus sites that collect victims’ information or take over their machines.

Responses: IP address blacklists; Bayesian content filters; content heuristics engines; content fingerprinting schemes augmented by sender authentication; anti-virus software; network monitoring; teaching computer users not to click on communications or software that they are not expecting to receive.

Man-in-the-middle attack

When it began: Though first recognized as an attack in 1998 by the NSA, the most well-known attacks occurred in October 2005 and July 2006, when large European and U.S. banks using one-time password (OTP) scratch cards and tokens were targeted with man-in-the-middle attacks. Subsequently, Amazon.com was also attacked, according to a report by security vendor Tricipher. Security experts believe that criminal software developers have now created the equivalent of Microsoft Office for man-in-the-middle exploits: a software package for sale on the Internet that even inexperienced computer users can set up to carry out attacks.


What it is: Criminals create bogus sites that are capable of communicating directly with legitimate sites in real time. Victims access their actual accounts, perhaps even using a hardware token or other one-time password device, but do it through the man-in-the-middle servers that capture all their information. These servers can even force the legitimate site to keep secure sessions open after the victim has logged off, allowing criminals to access the account themselves and withdraw money.

Response: IP address blacklists; Bayesian content filters; content heuristics engines; content fingerprinting schemes augmented by sender authentication; anti-virus software; network monitoring; teaching computer users not to click on communications or software that they are not expecting to receive; multi-factor authentication; intrusion detection software; firewalls; data encryption; security risk training.

Crimeware

When it began: Impossible to tell, but the first real large-scale attacks on financial institutions and gambling sites began gathering steam in the late ’90s. One recent development, reported in January by security vendor RSA, is the existence of a universal man-in-the-middle phishing kit being sold and used online by fraudsters. The distribution of such packages has broken down the last barrier to widespread online fraud: computing skills. Download the kit and you’re ready to go.


What it is: Organized crime has driven up demand for easy-to-use software tools that even non-expert users can employ to carry out sophisticated online attacks. As a result, according to security consultants and vendors, the hacking community has evolved into an efficient supply chain in which specialists contribute specialized software.

Examples: The report The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond, produced by the Anti-Phishing Working Group, the U.S. Department of Homeland Security and the SRI International Identity Theft Technology Council, identifies the tools and methods of professional online fraudsters. (See a PDF document of the report here.) These tools include:

Keyloggers and Screenloggers

Keyloggers are programs that install themselves either into a web browser or as a device driver. They monitor data that is input and send it to a phishing server.

E-mail and Instant Messaging Redirectors

E-mail redirectors are programs that intercept and relay outgoing emails, then send an additional copy to an address to which an attacker has access. Instant messaging redirectors monitor instant messaging applications and transmit transcripts to an attacker.

Session Hijackers

Session hijacking refers to an attack in which a legitimate user session is commandeered. In a session hijacking attack, a user’s activities are monitored, typically by a malicious browser component. When the user logs into an account or initiates a transaction, the software takes over the session to perform criminal actions, such as transferring money.

Transaction Generators

Unlike many of the other types of crimeware, a transaction generator targets not an end user’s computer but a computer inside a company’s transaction processing center. The software generates fraudulent transactions for the benefit of the attacker from within the payment processing system. Additionally, transaction generators often intercept and compromise legitimate credit card data.

Responses: IP address blacklists; Bayesian content filters; content heuristics engines; content fingerprinting schemes augmented by sender authentication; anti-virus software; network monitoring and intrusion detection; teaching computer users not to click on communications or software that they are not expecting to receive.

Denial-of-Service/Distributed Denial-of-Service Attack

When it began: In the second week of February 2000. In the first and one of the biggest denial-of-service attacks to date, Canadian hacker MafiaBoy launched a distributed denial-of-service attack that took down several high-profile Web sites, including Amazon, CNN and Yahoo!


What it is: Denial-of-service (DoS) attacks (from a single IP address) and distributed denial-of-service (DDoS) attacks (from multiple IP addresses) typically involve inundating a computer, router or other networked device with more packets of data than it can process, effectively blocking any legitimate requests to access the system. Like viruses, DoS attacks began as pranks to show off computer skills but quickly graduated to illegal uses like extortion, in which a criminal attacks or threatens to attack unless a website owner pays him.

Response: Null-routing, in which an ISP collects all of the traffic going to a site and redirects it to a dead-end; network monitoring; takedown services offered by security vendors that attempt to trace the source of the attack and shut it down. For an example of how a DDoS extortion attack and response played out read “How a Bookmaker and a Whiz Kid Took On an Extortionist—and Won” on CSOonline.com.

Botnets

When it began: The SoBig email worm of 2003 is thought to be the first organized attempt to create large-scale Botnets. Today, an estimated one million PCs are under the control of hackers worldwide, according to Trend Micro. In early 2005, German security analysts at Aachen University reported that they identified more than 100 botnets in a three-month period. These botnets ranged in size from a few hundred compromised PCs to 50,000 machines.


What it is: Botnets are networked groups of compromised computers—or zombies—that are controlled by hackers known as bot herders, usually through Trojan software that users have clicked on. Using various Internet communications methods, including Internet Relay Chat, hackers can “wake up” tens of thousands of compromised computers (hence, zombies) and direct them to deliver spam, phishing attacks and crimeware.

Response: Null-routing, in which the ISP collects all of the traffic going to a site; network monitoring; takedown services from security vendors that attempt to trace the source of the attack and shut it down.

Pump-and-dump scheme

When it began: Pump and dump is as old as the financial markets themselves, but the Internet has given it new potency and made it a tool of organized crime. Late in 2006, hackers broke into accounts at two large U.S. brokerages to execute fraudulent trades. On Dec. 15, shares of Apparel Manufacturing Associates were trading at 6 cents a share. A three-day spam campaign pumped the price up to 19 cents, and trading volume on the 18th rose to 484,500 shares. The stock price peaked at 45 cents on Dec. 20. Two days later, the price had dropped to 30 cents and trading volume was down to 36,450 shares. In March this year, the SEC suspended trading on this stock and 34 others for ten business days, citing suspected manipulation.


What it is: Criminals buy stocks of companies whose shares sell for pennies—stocks usually sold over the counter rather than on exchanges—and then employ spammers to send e-mail inviting investors to reap the value of these undervalued companies. Because the prices and trading volumes of the penny stocks are so low to begin with, it doesn’t take much trading activity to pump up the stock price. Then the criminals cash in, causing the stock price to crash.

Response: Caveat emptor.

ADDITIONAL SOURCES:

Technicalinfo.net’s paper on the history of phishing; Ronald B. Standler’s essay about the Morris case; and Wikipedia.org articles on hacker history, Elk Cloner virus, rootkits, Morris worm, and the AIDS trojan horse.