Mikko Hypponen has made a name for himself as a computer security expert in directing anti-virus research at Finland's F-Secure. Here he speaks about the latest viruses and what enterprise network executives are up against.
What's your take on Mydoom.M, the latest worm making the rounds?
It's a really interesting technique remembering how big Mydoom.A was in January. It was the single largest e-mail outbreak in history. Mydoom made headlines then because it was attacking SCO.com and then later on Mydoom.C was attacking Microsoft.com.
What's happening here (with Mydoom.M) is that the attack that made headlines with Google going down wasn’t really an attack on Google. It was just using Google to harvest more e-mail addresses. But what Mydoom.M left behind was a back door. We've seen this already with Mydoom.A, which left a back door and several days later its authors scanned public addresses looking for Mydoom.A-infected computers and then installed a spam proxy Trojan called Mitglieder. What seems to be the case with this new Mydoom is that instead of dropping in a spam Trojan they’ve dropped in a DDoS client aimed at overloading Microsoft.com's front page, though it hasn’t been too successful.
Do you have any idea who is behind it?
I think it is the same people not only behind the other Mydooms, but also behind Bagle. Possibly even behind SoBig and others. I don’t have any concrete evidence on where these guys are operating from, though there are some indications they have come from Russia and are living in central Europe. I think it is more than one guy and that they are organised.
What are the chances of catching them?
This year has been really good at catching virus writers. But all the arrests have been kids and small-time players, none of the professional virus writers have been caught. The ones that have been caught are not really the worst guys, the ones who are doing this for money that they put back into development of their malicious code.
So these guys are doing this for profit?
With Mydoom.M they don’t appear to make money. But looking at the previous Mydoom variants and the Bagle operations the target is to create a very large network of interconnected computers and either turn them into spam proxies or free hosting servers, then steal information like credit card numbers, passwords, user accounts. By far the largest benefit is spamming; most spam today is being sent from infected DSL or cable-enabled home computers.
There are layers. You don’t just have the virus writer writing a virus and then using the computers to send spam. You have one group writing the viruses. Once they create a list of IP addresses, they sell those to underground bulletin boards, many of which are run in Russia or China. The going price seems to be $500 for 10,000 IP addresses. That probably gets resold a couple of times before a spammer picks it up and starts using it. It really gets hard to trace the route backwards.
What do you think of Microsoft and others offering bounties to nail virus writers?
It's great. What's most important is that they put pressure on virus writers as they become afraid of others ratting them out. Obviously Microsoft can afford to put up the bounties, though it hasn’t had to pay anything yet from what I know.
Who's winning this battle?
The virus writers always have the upper hand because they have access to security vendors' products. They can download like anyone else. Why would they release a new virus that could be detected by McAfee or Symantec or us?
There is no easy answer to this problem. Of course if you want to protect a computer you have the three basic rules, which is running anti-virus, a firewall and keep patching. Or, of course, you could just get rid of Windows and get Linux and forget all sorts of problems. Much of the problem is that home computer users are infecting corporate networks by accident.
What responsibility do ISPs have in protecting these home users in the first place?
It's irresponsible to sell Internet connections without telling the users of the risks. If you go out and buy an ADSL box and connect it to your computer and you don’t use a firewall you will be hit by one of the network viruses. If your customers are running Windows and it hasn’t been patched and nobody is telling them that they should do that, I think it is irresponsible to be offering network connections. But many of the ISPs are now including basic safeguards with their services and that's what we're specializing in at F-Secure, most successfully with European ISPs.
Based on recent reports from F-Secure and others, it sounds like viruses hitting mobile devices could be the next big headache. How big an issue is this?
Such viruses really haven't appeared till this summer, with Cabir, the first proof-of-concept virus to hit Symbian-based Bluetooth phones. It's really interesting because it is the first virus that spreads based on proximity - if you are close to other Bluetooth devices you can spread the virus. Imagine someone with an infected phone getting on a crowded subway and transmitting the virus to hundreds of other phones. Then a couple of weeks ago we found a proof-of-concept PocketPC virus from the same group of virus writers.
PocketPC is a very open platform and it's very easy for developers to get their hands on code and port any desktop Windows software to PocketPC. The fear is that such viruses eventually could be used to make phone calls, send text messages and even delete phone numbers. These viruses haven’t gone into the wild, but they're out there and how likely is it that some kid will download them and try them out in the wild? Very likely.
What's your overall take on the virus situation today?
It’s been getting worse and worse. I entered the business in 1991, but then things were easy. Back then we just had boot viruses that used to be physically carried around on a disk to be spread, so it would take a year for them to get around the world. Now with Slammer, Sasser, Blaster and the others, viruses hit computers and networks all over the world in a matter of minutes. We can't handle it. Of the 100,000 viruses seen over the last 18 years we've cracked every single one. But it's not a given that will continue to be the case. We might very well see a virus some day that we can't crack.