Reality Check: Keeping up with crimeware

Crimeware is a not a virtual reality - it's the real thing

If you are a cracker who has written an exploit, you have a choice between fame and fortune. In the good old days, crackers chose fame. But now fortune appears to be far more appealing.

Crimeware is a multibillion-dollar economy, according to Chad Harrington, vice president of marketing at FireEye, makers of a crime-stopping -- or should I say cracker-stopping -- appliance that uses virtual technology to stop an exploit before it gets into your network.

Lest you think crimeware is the domain of some 16-year-old kid with too much time on his hands, here's the multilayered reality. At the bottom level, there are the crackers. These guys sell the vulnerability information to the next level up, called bot herders. A bot in crimeware terminology is a compromised machine. The bot herders assemble this botnet of compromised machines and sell it to what are called the fraudsters. The fraudsters use the exploited machines to steal identities, customer and employee data, intellectual property, and the like. On the open market, an exploit can be sold for as little as US$200 (AUD$254) and as much as US$50,000, Harrington says.

Although there are layers of security to contend with beyond compromising the operating system, once in the door, the rest is relatively easy pickings.

"Getting back out again is the tricky part," Harrington says.

Bot herders typically charge US$1 per compromised machine, per month. But if they've cracked into a major corporation with access to customer and employee data, they could charge as much as US$100 per system, per month.

What's scary is that these botted systems are computers inside the firewall. Harrington tells the story of a botted system that sent out notification of upcoming layoffs and directed employees to a bogus HR site that was hosted on the local domain and managed by a bot herder.

One of the major trends in crimeware for 2007 will be polymorphing botnet worms. These worms morph -- change their signature -- every four to six hours. FireEye is using virtualization to combat these worms. Rather than trying to guess whether a packet will harm the network, FireEye runs virtual machines and fools the system into sending the worm to one of these VMs rather than the actual network. I asked whether this process slows down the network. Harrington says latency is measured in a couple of seconds if it is something the system hasn't seen, and microseconds if it has.

FireEye runs most OSes plus a full stack of applications and browsers with users adding what they like.

It sounds as if anyone can set up their own VM solution to do what FireEye does. Harrington admits it is a simple idea but says you have to intercept the traffic in real time, which takes a few patents.

If you set up a honey pot -- a machine intended to be compromised -- the attacker has to find that machine and compromise it. What FireEye does is "sniff the traffic" off the network and pretend it is the end point.

"There is a conversation on the network going on between Machine A and Machine B. We create a shadow version from Machine A Prime to Machine B Prime. As the protocol goes back and forth, we pretend we are the end point of this conversation," Harrington says.

Unfortunately, crimeware is a not a virtual reality. It's the real thing. Will 2007 be the year we finally gain the upper hand? Only time will tell.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ephraim Schwartz

InfoWorld
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?