Why programmer Michael Haephrati decided to seed the computer of his former father-in-law with a Trojan may never be fully established, but it could turn out to be a turning point in the wretched annals of computer break-ins.

The malware had been built from the ground up to do one thing – steal files from any PC it infected. In principle, the files could be in any data format, but the files it removed from the PC of Israeli author Amnon Jacont turned out to be part of a novel he was writing. Haephrati is believed to have posted the confidential files on a website without consent, a fact later discovered by the author.

Mystified, but suspecting a computer hack, Jacont complained to police in November 2004 and ventured the name of Haephrati as a line of investigation. The offending Trojan was discovered on the author’s PC and traced back to its creator, who was arrested in London last May.

Then police discovered something very important. Haephrati had sold the Trojan program to several Israeli private investigation companies, which had in turn used it to steal information from leading companies in Israel on behalf of their competitors. The scale of industrial espionage uncovered astonished investigators, with possibly dozens of leading companies involved, both as perpetrators and victims. There have been multiple arrests since May, with more expected in the coming weeks and months.

The case has some important characteristics that have made security researchers sit bolt upright and take notice. First, the Trojan was custom-written to avoid detection by conventional security systems for as long as possible, and it turns out that this worked as advertised on an unprecedented scale. Gaining access to the FTP servers used to store documents taken during the Trojan’s many forays, the police discovered “tens of thousands” of files, many said by Israeli police sources to be highly confidential. In short, the Trojan worked brilliantly, more brilliantly than anyone thought possible for such a simple piece of software.

The Trojan was also highly targeted, and used very simple social engineering to infect its hosts, something the industry had previously reckoned no attacker would go to the bother of attempting. The attacks would typically come either via email to a specific person, or in the form of posted CDs, again to named individuals, masquerading as promotional materials. The important ingredient here was that the attack vector worked with the sort of inside information no generic Trojan attack would have access to – real names. The attacks had been finely tuned to specific companies, and those companies turned out to have no defence against this simple incursion.

Finally, the whole fraud only came to light because an ordinary citizen, a novelist in this case, decided to make a police complaint. No matter that the majority of the companies attacked had ample security – presumably including anti-virus programs – and the security-conscious culture that goes with Israel’s business environment to back it up. They had been successfully targeted, and defrauded of inside information on a scale never before reported in security circles.

At the time all this started coming to light, many wondered whether the same species of attack had been employed elsewhere. It seemed likely that this was only the first to be discovered, and not unique. It is highly probable, though unconfirmed, that the Trojan created by Haephrati had not been detected by the anti-virus and anti-spyware packages that had been deployed. Assuming Trojans could be created that were not detectable – even for a period of weeks – that would make them a highly attractive method of attack.

More recently, confirmation that this form of attack is no longer unique to Haephrati’s programming skills came with the warning from the UK’s National Infrastructure Security Coordination Centre (NISCC) that British companies and government institutions were being targeted by the same Trojan technique, apparently from Asia.

"We have never seen anything like this in terms of the industrial scale of this series of attacks," the UK’s NISCC director Roger Cumming was quoted as saying. The Trojans had been directed at hundreds of entities, dwarfing even the Israel incident. What has been less clear is to what extent the attacks were successful, and how they were detected given their stealthy nature.

Code espionage
Security experts and companies have fallen over themselves to describe the NISCC attacks as a “wake-up call”, but the real wake-up call was the Israel incident weeks before. In fact, it’s not clear why any of these attacks should be a surprise given the way that Trojans have been rapidly evolving in the last two years. Given that some of the highly-priced security systems and software meant to protect companies against attacks failed to do their job adequately, perhaps it’s the industry itself that needs a good kicking.

The UK and Israel Trojan incidents are only the ones we’ve heard about. How many other custom-written Trojans might be out there, silently collecting confidential information from companies and governments around the world?

“The virus problem is an annoyance. This is a much bigger worry,” concurs one vendor expert we contacted, Alex Shipp of MessageLabs. His company has tracked such attempted attacks for some time, including the one referred to by the NISCC.

“It looks like one gang because of the similarities in the pattern of attack. The Trojans are always undetectable by any of the major anti-virus programs. Some go undetected for weeks or even months,” he adds. “One attack we saw directed at the aerospace industry had a payload that only activated if it found AutoCAD (on the PC).”

Although the NISCC-referenced attack was likely to have been initiated by a single gang, possibly in the pay of a foreign government, it was impossible to say who might be behind it. That the gang had used Asian servers to launch the Trojans did not mean this entity was necessarily in the Far East. It could simply be that this was where the criminals had been able to find open relays, or that they wanted to use language barriers in these countries to delay investigation.

There is one technology that would have stopped at least a good portion of what happened in these Trojan incidents: encryption. If the documents had been encrypted using a secure cipher, they would have been useless to anyone copying them. It sounds obvious but it will have profound implications for computer security.

At the moment, the use of encryption is patchy, and it tends to be associated with the public key systems invented in the late 1970s. These depend on using a public key for encryption, with decryption happening using a mathematically paired private key. Inverting this – encrypting using a private key and decrypting using the public half – is the basis of encrypted authentication and digital IDs (though the insecurity of this approach when used raw requires extra algorithmic layers). Public key systems are used where exchanging “static” symmetric keys would be insecure or difficult.

The future of computer security is more likely to depend on a mixture of this and the older form of encryption, namely symmetric encryption, whereby a single secret key, used with one of a number of ciphers, both encrypts and decrypts. This is ideal for securing the sort of data held in databases, spreadsheets and word-processed files, as well as email repositories. How this is actually done will depend on a number of issues that will be covered in a future article.
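As an added example that is not part of the original article, the mixture the two preceding paragraphs describe, written with Go's standard library: each document is encrypted under its own fresh AES-256-GCM key, and that key is wrapped with the recipient's RSA public key (RSA-OAEP). The function names are my own; the point is that the wrapped key and ciphertext, which are all a file-stealing Trojan could copy, disclose nothing without the private key, and any alteration of the copy is detected on decryption.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)
// NewRecipientKey makes the pair: the public half encrypts, the private half decrypts.
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EncryptDocument: a fresh random symmetric key encrypts the document, and the public
// key wraps that key (RSA-OAEP). The 12-byte GCM nonce is prefixed to the ciphertext.
func EncryptDocument(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, ciphertext []byte, err error) {
	buf := make([]byte, 32+12) // buf[:32] is the AES key, buf[32:] the nonce
	if _, err = io.ReadFull(rand.Reader, buf); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcm.Seal(buf[32:], buf[32:], plaintext, nil), nil
}
// DecryptDocument unwraps the file key with the private half; GCM's tag rejects tampering.
func DecryptDocument(priv *rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < 12 {
		return nil, io.ErrUnexpectedEOF // truncated: no room for the nonce
	}
	return gcm.Open(nil, ciphertext[:12], ciphertext[12:], nil)
}
```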

Until now, much of the direct threat to data was theoretical or deemed unlikely. The recent incidents show that the theoretical has now become real, and may even become commonplace in the coming year. Data can be attacked by malware, stolen from PCs directly, or simply lost on laptops or portable computers by accident. This is no longer acceptable. A decade from now the idea of leaving confidential data unencrypted will look as out-of-date as making a phone call through an operator does now.