World Wide Worm

• In September 2007, Russian hackers wormed their way into Bank of India’s website and converted it into a minefield of nearly two dozen different malicious software tools that took over the computers of unsuspecting browsers. This brazen attack also brought the bank’s website down.
  
  
• Earlier this year, hackers waded into the networks of several embassies globally, including the Indian embassy in the US, and an electronic spying ring, housed in China, stole confidential data from these networks.
  
  
• Most recently, online conmen duplicated Reserve Bank of India’s website and enticed gullible people into transferring Rs 10 lakh online into their accounts.

But India is hardly the only target of hackers. Across the world, hackers are raising their activities to a fever pitch, using an assortment of tools ranging from worms and viruses to phishing attacks and botnets—a network of computers that spew out malicious code on unsuspecting enterprises and consumers.

According to David DeWalt, Chief Executive of McAfee, the world’s second-largest security software maker, the slowdown has only made opportunities more lucrative for hackers. “The threat landscape has evolved dramatically in the last 12 months,” he says. “There has been more malware generated in the last one year than the past five years combined.”

Hackers often use a flood of spam e-mail to wind their ways onto computers and the slowdown— messages with baits of economic stimulus grants or jobs with $100,000 salaries—is only egging them on. “E-mail users should be aware of this type of deception… spammers collect personal information that may be used to infect machines with malicious content,” says Shantanu Ghosh, Vice President, India Product Operations, Symantec. Spammers have even used the rejection letter sent to job hunters to spread their wares. Letters or e-mails sending perceived rejection letters are often opened by unsuspecting users, resulting in systems being attacked.

DeWalt ascribes three reasons for this growth: complexity of IT systems, which prevents the implementation of one single security policy; the of availability tool kits to build malicious code online; and the triple play of growing number of threats, device proliferation and uneven compliance. “Hacking techniques are available for $50 online and you can Google rudimentary virus-building kits and with a little help you can release it in as little as 30 minutes,” says DeWalt.

Simultaneously, a thriving and growing underground economy for these malicious software tools—with credit card details, including the critical CVV2 number for $0.50—has only spurred the growth of this market. “Creating malware today no longer has the same financial aim as previously… it is not about causing $50-100 billion in damage,” he adds. “Today, it is about stealing identities, credit card numbers and other confidential data for profiteering on the underground market.”

Despite the best efforts of security vendors, it is unlikely that the amount of spam will reduce anytime soon. According to figures from Symantec, the percentage of spam compared to total e-mail has gone up from 61 per cent in the first half of 2007 to 85 per cent today. India has gone from being just a recipient of these e-mails to being a country hosting spammers. Currently, India accounts for around 5 per cent of all spam globally, surpassing China (4 per cent), but still well behind the US, which generates a quarter of all spam in the world. “Developing markets like India, China and Brazil are establishing a footprint on the cyber map for being sources of attacks,” says Symantec’s Ghosh.

While enterprises have IT teams and large budgets to deal with these problems, it is the individual consumer who faces a huge challenge in keeping the hackers at bay. According to the Norton Online Living Report, adults in India (67 per cent), Italy (68 per cent) and Japan (72 per cent) are least likely to install security software and a fifth of all respondents globally don’t have any solutions installed at all. Indians, incidentally, are the most likely to share secrets online, with 37 per cent of Indian respondents rekindling romances online. Ninety-nine per cent of Indian respondents said they take steps to secure their personal information, but half of them visit untrusted sites, do not create data backup, and have unsafe passwords, and one-in-three have been hacked.

Many consumers often opt for free security solutions off the Internet, but large vendors say this move may be counter-productive. “Most of these free packages are usually focussed just on one area like virus detection... they have a very high rate of false positives, which could do more damage than good,” says McAfee’s DeWalt. With the constant growth of threats, free security vendors won’t be able to keep pace with the number of patches and fixes required, he adds.
  

Growing pain Cheap kits are freely available online to build malware Indians are prone to visit unsafe sites, do not backup data, and have unsafe passwords Several virus threats are emerging specifically for mobile phones A botnet attack paralysed a mobile network in Japan Free security software may not be able to keep pace with the number of patches and fixes required

However, security consultants admit that companies are increasingly adopting open source security tools such as Snort and Nessus, which allow IT managers to lower costs.

According to M.S. Rao, the Co-founder of security consulting firm Aujas Networks, companies need to change their focus from perimeter software such as intrusion protection and prevention solutions to application security. “According to (technology researcher) Gartner, 75 per cent of attacks happened on the application and not on the operating system like Windows,” says Rao. Besides, some companies, in financial services and insurance, for example, are extending the access to their IT networks to include agents and actuaries, and this includes the risks of infection.

As more people look beyond the PC and to the mobile and smart phone to access the Internet, they will quickly become the next big source of vulnerabilities, industry executives say. According to DeWalt: “Hackers can today make you download a seemingly innocent application off the web for an iPhone and without your knowledge activate the camera, dial an emergency line or activate the speaker phone,” he reveals. In Japan, for example, a botnet attack paralysed a mobile network by automatically dialling an emergency number and jamming the lines.

There are several types of threats emerging specifically for the mobile phone, says Symantec’s Ghosh. These include SMS-based threats, snoopware where applications can be enabled or disabled, malware transferred using Bluetooth and the latest threats, called Pranking4Pprofits, where value added services are commandeered. With over nine million subscribers added in February this year alone, this would perhaps be the fastest growing threat yet.