<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; Book Excerpts</title>
	<atom:link href="http://lastwatchdog.com/category/book-excerpts/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Tue, 07 Feb 2012 18:03:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>The Internet&#8217;s 40th anniversary timeline of milestones</title>
		<link>http://lastwatchdog.com/internets-40th-anniversary-timeline-milestones/</link>
		<comments>http://lastwatchdog.com/internets-40th-anniversary-timeline-milestones/#comments</comments>
		<pubDate>Thu, 03 Sep 2009 00:54:21 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>
		<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=2644</guid>
		<description><![CDATA[The Associated Press and Symantec have each compiled timelines to mark the 40th anniversary of the creation of the Internet. The compilation below begins with LastWatchdog&#8217;s description of the current threat landscape. Combined, the supplemented timelines reveal how a military grade experiment, designed with an open architecture that preserves anonymity, evolved into a [...]]]></description>
			<content:encoded><![CDATA[<p><em>The Associated Press and Symantec have each compiled timelines to mark the 40th anniversary of the creation of the Internet. The compilation below begins with LastWatchdog&#8217;s description of the current threat landscape. Combined, the supplemented timelines reveal how a military grade experiment, designed with an open architecture that preserves anonymity, evolved into a global force, embraced with equal fervor by corporations, braggarts and criminals.</em></p>
<p><strong>Summer of 2009: </strong>Bad URLs<a href="http://www.usatoday.com/tech/news/2009-09-02-bad-links-hackers-stars-internet_N.htm"> swamp the Internet</a>. Through the first half of 2009, IBM&#8217;s  X-Force team  tracks a 508% leap in  the number of new malicious Web links versus the first half of 2008. Most bad links function as relays to other Web pages set up to quickly embed a wormhole (referred to as a Trojan downloader) to the hard drive of the visitor&#8217;s <img class="alignleft size-thumbnail wp-image-2670" title="thief-crop200px" src="http://lastwatchdog.com/wp/wp-content/uploads/thief-crop200px-150x150.png" alt="thief-crop200px" width="150" height="150" />PC. The attacker then uses this wormhole to install code that groups the PC with thousands of other infected machines in a botnet. The attacker is then able to lease out the botnet to other criminals who need computing power to deliver spam, steal data, spread promos for fake antivirus subscriptions and hijack online banking accounts. Bad links are moot, of course, if no one clicks on them. So the Internet has become swamped with ploys to steer people to bad links. They turn up in search query results and in e-mail spam. And bad links are surging through messages and postings on popular social networks. <em>Source: LastWatchdog</em></p>
<p><strong>2009:</strong> The Koobface worm steals logons and contact lists from users of Facebook, MySpace, Twitter, YouTube, Friendster, Bebo and Hi5. It delivers bad links in messages and microblogs that appear to come from trusted acquaintances. <em>Source: LastWatchdog</em></p>
<p><strong>2009: </strong>The Seattle Post-Intelligencer becomes the first major daily newspaper to move entirely online. Google announces development of a free computer operating system designed for a user experience that primarily takes place on the Web. <em>Source: AP</em></p>
<p><strong>2009: </strong>Twitter emerges as the fastest growing site on the Internet with 6 million unique monthly visitors and 55 million monthly visits &#8212; getting 1,400 percent larger every month.<em> Source: LastWatchdog.<br />
</em></p>
<p><strong>2009:</strong> Conficker RPC-DCOM worm. The Conficker worm has created a secure, worldwide infrastructure for <img class="alignleft size-full wp-image-2672" title="conficker_img-150x1502" src="http://lastwatchdog.com/wp/wp-content/uploads/conficker_img-150x1502.jpg" alt="conficker_img-150x1502" width="150" height="150" />cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? We don&#8217;t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites. <em>Source: Symantec</em></p>
<p><strong>2008:</strong> Cyber thieves crack the database of Heartland Payment Systems and steal 130 million payment card transaction records over 13 months before getting detected. <em>Source: LastWatchdog</em></p>
<p><strong>2008:</strong> World Internet population surpasses 1.5 billion. China&#8217;s Internet population reaches 250 million, surpassing the United States as the world&#8217;s largest. Netscape&#8217;s developers pull the plug on the pioneer browser, though an offshoot, Firefox, remains strong. Major airlines intensify deployment of Internet service on flights. <em>Source: AP</em></p>
<p><strong><img class="alignleft size-thumbnail wp-image-2692" title="bill-gates200px" src="http://lastwatchdog.com/wp/wp-content/uploads/bill-gates200px-150x150.jpg" alt="bill-gates200px" width="150" height="150" />2007:</strong> Storm email virus. Poor Microsoft, always the popular target. Like Blaster and others before, this worm&#8217;s payload performed a denial-of-service attack on www.microsoft.com. During Symantec&#8217;s tests an infected machine was observed sending a burst of almost 1,800 emails in a five-minute period. <em>Source: Symantec</em></p>
<p><strong>2007: </strong>Apple releases iPhone, introducing millions more to wireless Internet access. <em>Source: AP</em></p>
<p><strong>2006: </strong>Cyber thieves breach the TJX retail chain database to steal 94 million credit and debit card transaction records over an eight-month period. <em>Source: LastWatchdog</em></p>
<p><strong>2006: </strong>World Internet population surpasses 1 billion.<em> Source: AP</em></p>
<p><strong>2005:</strong> Launch of YouTube video-sharing site.<em> Source: AP</em></p>
<p><strong>2004: </strong>Mark Zuckerberg starts Facebook as a sophomore at Harvard University. <em>Source: AP</em></p>
<p><strong>2004:</strong> Sasser LSASS worm. This nasty worm spread by exploiting a vulnerable network port, meaning that it could <img class="alignleft size-full wp-image-2675" title="sven_jaschan-copy" src="http://lastwatchdog.com/wp/wp-content/uploads/sven_jaschan-copy.png" alt="sven_jaschan-copy" width="112" height="76" />spread without user intervention. Sasser wreaked havoc on everything from The British Coast Guard to Delta Airlines, which had to cancel some flights after its computers became infected. <em>Source: Symantec</em></p>
<p><strong>2003:</strong> MSBlast RPC-DCOM worm. Blaster is a worm that triggered a payload that launched a denial of service attack against windowsupdate.com, which included the message, &#8220;billy gates why do you make this possible? Stop making money and fix your software!!&#8221; <em>Source: Symantec</em></p>
<p><strong>2003:</strong> Slammer SQL server worm. This fast-moving worm managed to temporarily bring much of the Internet to its knees in January of 2003. The threat was so aggressive that it was mistaken by some countries to be an organized attack against them. <em>Source: Symantec</em></p>
<p><strong>2002:</strong> World Internet population surpasses 500 million. <em>Source: AP</em></p>
<p><strong><img class="alignleft size-thumbnail wp-image-2694" title="codered" src="http://lastwatchdog.com/wp/wp-content/uploads/codered-150x102.jpg" alt="codered" width="150" height="102" />2001: </strong>Code Red ISS worm. Websites affected by the Code Red worm were defaced by the phrase &#8220;Hacked By Chinese!&#8221;  At its peak, the number of infected hosts reached 359,000. <em>Source: Symantec</em></p>
<p><strong>2001:</strong> Nimda email virus. A mass-mailing worm that uses multiple methods to spread itself, within 22 minutes, Nimda became the Internet&#8217;s most widespread worm. The name of the virus came from the reversed spelling of &#8220;admin.&#8221; <em>Source: Symantec</em></p>
<p><strong>2000:</strong> The dot-com boom of the 1990s becomes a bust as technology companies slide. Amazon.com, eBay and other sites are crippled in one of the first widespread uses of the denial-of-service attack, which floods a site with so much bogus traffic that legitimate users cannot visit. <em>Source: AP</em></p>
<p><strong><img class="alignleft size-full wp-image-2681" title="onel_deguzman1" src="http://lastwatchdog.com/wp/wp-content/uploads/onel_deguzman1.png" alt="onel_deguzman1" width="85" height="102" />2000: </strong>I Love You email virus. Who wouldn&#8217;t open an e-mail with &#8220;I Love You&#8221; in the subject line? Well, that was the problem. By May 2000, 50 million infections of this worm had been reported. The Pentagon, the CIA, and the British Parliament all had to shut down their e-mail systems in order to purge the threat. <em>Source: Symantec</em></p>
<p><strong>2000: </strong>Mafiaboy installs bots on computers at Yale and Harvard universities and uses them to crash CNN&#8217;s Web site for four hours and create chaos at the Web sites of Yahoo, eBay, Amazon, Dell, Excite, and E-Trade. He brags in chat rooms that the FBI will never catch him. <em>Source: LastWatchdog</em></p>
<p><strong><img class="alignleft size-full wp-image-2682" title="jeff_bezos-copy" src="http://lastwatchdog.com/wp/wp-content/uploads/jeff_bezos-copy.png" alt="jeff_bezos-copy" width="90" height="108" />1999: </strong>First Harry Potter book is published; Ricky Martin has a hit single, &#8220;Livin&#8217; la Vida Loca&#8221;; Amazon loses millions selling books online, but investors shower it with funds, and its stock price soars from $6 per share to $106, giving founder Jeff Bezos plenty to laugh about.<em> Source: LastWatchdog</em></p>
<p><strong>1999:</strong> Melissa email virus. Melissa was an exotic dancer and David L. Smith was obsessed with her and also with writing viruses. The virus he named after Melissa and released to the world on March 26th, 1999, kicked off a period of high-profile threats that rocked the Internet between 1999 and 2005. <em>Source: Symantec</em></p>
<p><strong>1999:</strong> Napster popularizes music file-sharing and spawns successors that have permanently changed the recording industry. World Internet population surpasses 250 million. <em>Source: AP</em></p>
<p><strong>1998:</strong> Google forms out of a project that began in Stanford dorm rooms. U.S. government delegates oversight of <img class="alignleft size-thumbnail wp-image-2684" title="google_logo250px" src="http://lastwatchdog.com/wp/wp-content/uploads/google_logo250px-150x136.jpg" alt="google_logo250px" width="150" height="136" />domain name policies to Internet Corporation for Assigned Names and Numbers, or ICANN. Justice Department and 20 states sue Microsoft, accusing the maker of the ubiquitous Windows operating system of abusing its market power to thwart competition from Netscape and others. <em>Source: AP</em></p>
<p><strong>1996:</strong> Passage of U.S. law curbing pornography online. Although key provisions are later struck down as unconstitutional, one that remains protects online services from liability for their users&#8217; conduct, allowing information &#8211; and misinformation &#8211; to thrive.<em> Source: AP</em></p>
<p><strong>1995: </strong>Amazon.com opens its virtual doors. <em>Source: AP</em></p>
<p><strong><img class="alignleft size-thumbnail wp-image-2690" title="marc-andressen200px" src="http://lastwatchdog.com/wp/wp-content/uploads/marc-andressen200px-150x150.jpg" alt="marc-andressen200px" width="150" height="150" />1994:</strong> Marc Andreessen and others on the Mosaic team form a company to develop the first commercial Web browser, Netscape, piquing the interest of Microsoft and other developers who would tap the Web&#8217;s commerce potential. Two immigration lawyers introduce the world to spam, advertising their green card lottery services.<em> Source: AP</em></p>
<p><strong>1993:</strong> Andreessen and colleagues at University of Illinois create Mosaic, the first Web browser to combine graphics and text on a single page, opening the Web to the world with software that is easy to use. <em>Source: AP</em></p>
<p><strong>1990:</strong> Tim Berners-Lee creates the World Wide Web while developing ways to control computers remotely at CERN, the European Organization for Nuclear Research. <em>Source: AP</em></p>
<p><strong>1989:</strong> Quantum Computer Services, now AOL, introduces America Online service for Macintosh and Apple II computers, beginning an expansion that would connect nearly 27 million Americans online by 2002. <em>Source: AP</em></p>
<p><strong>1988:</strong> One of the first Internet worms, Morris, cripples thousands of computers.<em> Source: AP</em></p>
<p><strong>1988: </strong>Morris worm.  An oldie but a goodie; without Morris the current threat &#8220;superstars&#8221; wouldn&#8217;t exist. The Morris worm (or Internet worm) was created with innocent intentions. Robert Morris claims that he wrote the worm in an effort to gauge the size of the Internet. Unfortunately, the worm contained an error that caused it to infect computers multiple times, creating a denial of service. <em>Source: Symantec</em></p>
<p><strong>1983: </strong>Domain name system is proposed. Creation of suffixes such as &#8220;.com,&#8221; &#8220;.gov&#8221; and &#8220;.edu&#8221; comes a year later. <em>Source: AP</em></p>
<p><strong><img class="alignleft size-thumbnail wp-image-2686" title="vint-cerf" src="http://lastwatchdog.com/wp/wp-content/uploads/vint-cerf-150x150.png" alt="vint-cerf" width="150" height="150" />1974: </strong>Vint Cerf and Bob Kahn develop communications technique called TCP, allowing multiple networks to understand one another, creating a true Internet. Concept later splits into TCP/IP before formal adoption on Jan. 1, 1983. <em>Source: AP</em></p>
<p><strong>1973: </strong>Arpanet gets first international nodes, in England and Norway.<em> Source: AP</em></p>
<p><strong>1972:</strong> Ray Tomlinson brings e-mail to the network, choosing &#8220;at&#8221; symbol as way to specify e-mail addresses belonging to other systems. <em>Source: AP</em></p>
<p><strong>1970:</strong> Arpanet gets first East Coast node, at Bolt, Beranek and Newman in Cambridge, Mass.<em> Source: AP</em></p>
<p><strong>1969:</strong> On Sept. 2, two computers at University of California, Los Angeles, exchange meaningless data in first test of <img class="alignleft size-thumbnail wp-image-2688" title="arpanet_crop250px" src="http://lastwatchdog.com/wp/wp-content/uploads/arpanet_crop250px-150x150.jpg" alt="arpanet_crop250px" width="150" height="150" />Arpanet, an experimental military network. The first connection between two sites &#8211; UCLA and the Stanford Research Institute in Menlo Park, Calif. &#8211; takes place on Oct. 29, though the network crashes after the first two letters of the word &#8220;logon.&#8221; UC Santa Barbara and University of Utah later join. <em>Source: AP</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/internets-40th-anniversary-timeline-milestones/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Hacking for bragging rights gives way to hacking for ill-gotten profits</title>
		<link>http://lastwatchdog.com/hacking-bragging-rights-hacking-ill-gotten-profits/</link>
		<comments>http://lastwatchdog.com/hacking-bragging-rights-hacking-ill-gotten-profits/#comments</comments>
		<pubDate>Wed, 09 Apr 2008 01:17:41 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>
		<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Sasser]]></category>
		<category><![CDATA[Sven Jaschan]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=982</guid>
		<description><![CDATA[Book Excerpt Chapter 1-Built For Speed Pages 14-21 Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity ISBN-13: 978-1-4027-5695-5 White Hats, Black Hats, Gray Hats The year is 1999-the close of the twentieth century. &#8220;Livin&#8217; la Vida Loca,&#8221; Harry Potter, and The [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Book Excerpt</strong><br />
<strong>Chapter 1-Built For Speed</strong><br />
Pages 14-21<br />
<em>Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity</em></p>
<p><a href="http://zerodaythreat.com/?page_id=23">ISBN-13: 978-1-4027-5695-5</a></p>
<p><strong>White Hats, Black Hats, Gray Hats</strong></p>
<div id="attachment_999" class="wp-caption alignleft" style="width: 260px"><img class="size-full wp-image-999" title="mafiaboy-crop1" src="http://lastwatchdog.com/wp/wp-content/uploads/mafiaboy-crop1.jpg" alt="mafiaboy-crop1" width="250" height="330" /><p class="wp-caption-text">Mafiaboy</p></div>
<p>The year is 1999-the close of the twentieth century. &#8220;Livin&#8217; la Vida Loca,&#8221; Harry Potter, and The Blair Witch Project dominate pop culture. John F. Kennedy, Jr., piloting a small plane to a Martha&#8217;s Vineyard wedding, crashes; his wife, her sister, and he die in the tragic accident. Major news organizations hype what turns out to be an inert Y2K threat. Antitrust regulators bear down on Microsoft for using illegal monopolistic practices, while tech darlings Amazon.com and Netscape help inflate the dot-com bubble. Internet stocks launch into the stratosphere.</p>
<p>As dynamic as 1999 was, it was a comparative age of innocence when it comes to Internet security. Online shopping and online banking were in a nascent stage. Hacking was the dominion of computer geeks, invariably young males, seeking bragging rights. In the anonymity of cyberspace, the frail nerd pushed around by jocks in the schoolyard could log on to the Internet and emerge as a giant among peers by contriving the cleverest ways to exchange copyrighted music or to cheat at video games. In cyberspace, ethics became pliable, and reality altered, especially for impressionable teenage boys, says Ohio University telecommunications professor Mia Consalvo, author of Cheating: Gaining an Advantage in Video Games.</p>
<p>The introverted lad who would never dare to shoplift a CD from a music store or cheat playing a board game with flesh-and-blood acquaintances might think nothing of pirating a first-run movie or finding a shortcut to beat a popular online game.</p>
<p>&#8220;We now have kids who grew up as digital natives,&#8221; says Consalvo. &#8220;This is the first generation to grow up with computers in the home since the time they were born. They&#8217;ve grown up knowing that it&#8217;s easier to get away with things online, and there can be a little bit of confusion about what&#8217;s right and what&#8217;s wrong, especially during the teen years when you&#8217;re sorting out your identity anyway.&#8221;</p>
<p>As the new millennium dawned, the splashiest way to achieve geekdom immortality was to advance beyond piracy and cheating and create a headline-grabbing piece of malicious software, or malware, as antivirus companies called it.</p>
<p>In May 1999, the Melissa e-mail virus would establish a new malware high-water mark. Melissa lured naive victims into opening viral e-mail attachments with messages like &#8220;Check this!! This is some wicked stuff,&#8221; or &#8220;Question for you. It&#8217;s fairly complicated so I&#8217;ve attached it.&#8221; Clicking on the attachment activated a brilliantly invasive packet of coding. Melissa made copies of itself, which it then e-mailed to the first fifty names in the infected computer&#8217;s e-mail address book. Thus the next fifty potential victims would receive copies of the tainted attachment thinking it sent by a trusted source. If just a handful of the fifty fell for it, followed by a handful after that, and a handful after that, and so on, the e-mail virus would spread exponentially.</p>
<p>Indeed, Melissa propagated so rapidly that the e-mail systems at Microsoft, Intel, Lockheed Martin, and other big corporations crashed under the sheer volume of e-mail generated by the virus. Melissa&#8217;s author, David L. Smith, thirty, of Aberdeen Township, New Jersey, would ultimately spend twenty months in jail for infecting hundreds of thousands of computers with Melissa, which he reportedly named after a favorite stripper.</p>
<p>A bit old to be a hobbyist hacker, Smith, who worked as a troubleshooter at AT&amp;T Labs, bragged in hacker chat rooms about spreading viruses under the bad-guy nickname Kwyjibo. But he also maintained a good-guy persona, using the name Doug Winterspoon to help people clean up infections caused by the evil Kwyjibo. &#8220;He had a bit of a Peter Pan complex,&#8221; says Roger Thompson, cofounder and CTO of Exploit Prevention Labs, one of a cadre of virus hunters who helped track down Smith.</p>
<p>Some hackers would consider a couple of years in lockup a small price to pay for securing a place in hacking lore. And if imitation is the highest form of flattery, then Smith secured the preeminent accolade: many of Melissa&#8217;s techniques were to become commonplace in e-mail worms to follow.</p>
<p>The Love Bug, also known as the ILOVEYOU virus, for instance, copied Melissa&#8217;s propagation engine. The author was Onel de Guzman, twenty-four, a lovesick student at the Amaconda programming institute in Manila&#8217;s upscale Makati district. Guzman&#8217;s claim to fame was concocting the compelling e-mail subject line &#8220;ILOVEYOU&#8221; and the irresistible attachment &#8220;LOVE-LETTER-FOR-YOU.TXT.vbs,&#8221; partly to impress an instructor whom he had a crush on.</p>
<p>De Guzman took psychological manipulation, or &#8220;social engineering,&#8221; as psychologists and law enforcement officials call it, to another level. ILOVEYOU sped westward from the Philippines, tricking workers into clicking on the attachment as they arrived at the office to start their workday. Following the arc of the rising sun, the Love Bug triggered an avalanche of e-mails around the globe, crippling systems and causing $5 billion in damages.</p>
<p>De Guzman&#8217;s masterstroke carried some nasty twists. It corrupted picture and music files and installed a password-stealing program. Why? De Guzman, who escaped punishment because his home nation lacked computer-hacking laws, would later reveal in a CNN interview that he launched the virus partly as a joke, but mostly to test his programming skills. De Guzman insisted that he was a creative programmer, not a malicious hacker, who aspired to a career in the tech field.</p>
<p>&#8220;If I may have done something wrong, if I stirred up a controversy, then I would like to apologize for it,&#8221; de Guzman told CNN. But he also blamed Microsoft for releasing sloppily built copies of its ubiquitous PC operating system, Windows. &#8220;The liability should lie in the hands of the software developers that come out with programs that are defective,&#8221; he told CNN.<br />
De Guzman&#8217;s indignation-and his eagerness to expose security flaws in Windows-reflected a deep antipathy toward Microsoft that was widely held in the hacker community. This sentiment had been festering since the mid-1980s.</p>
<p>Back then, an upstart Harvard dropout named Bill Gates turned the chummy techie community upside down by lambasting the common belief that software should be cheap or free. Gates coined the phrase &#8220;software pirates&#8221; to describe anybody who didn&#8217;t pay Microsoft for its &#8220;intellectual property.&#8221; Gates went on to become the richest man in the world, in large part by using illegal tactics to crush the competition and monopolize the market for Windows, the operating system running 90 percent of the world&#8217;s personal computers, and for the Office suite of clerical programs, and Internet Explorer Web browser, which command similar market shares. Microsoft would prosper, despite being heavily sanctioned by antitrust regulators in the United States and Europe for resorting to illegal anticompetitive practices.</p>
<p>One ramification of Microsoft&#8217;s prosperity was that by the start of the twenty-first century, Windows would become the favorite target of hackers and malware writers. Three categories of Windows hackers, each with distinctive motives, emerged: white hats, black hats, and gray hats.</p>
<p>White hats were good-guy hackers who took to incessantly exposing new Windows vulnerabilities. White hats argued that the intense scrutiny would compel Microsoft to take security more seriously and patch security flaws with more alacrity. Black hats were the bad guys. Black hats searched for vulnerabilities, too, but were just as apt to wait for the white hats to discover them, then take advantage. Gray hats were somewhere in between, sometimes contributing to the cause of good, other times behaving more like black hats.</p>
<p>In this frenzied world of conflicting motivations, a kind of arms race took shape among white hats, black hats, and gray hats. Each group hustled to be the first to find the next gaping Windows security hole, referred to as a &#8220;vulnerability.&#8221; The number of known Windows vulnerabilities-flaws that could be exploited over the Internet-would balloon tenfold in four years, from 417 in 1999 to 4,129 in 2002, according to the CERT Coordination Center. (CERT is the U.S. Computer Emergency Readiness Team, a quasi-governmental organization established in 2003 at Pittsburgh&#8217;s Carnegie Mellon University to help protect the nation&#8217;s Internet infrastructure.)</p>
<p>Hackers were forced to pick sides in a polarized debate over when to disclose a newly discovered security hole. Proponents of &#8220;full disclosure&#8221; championed the practice of broadly announcing new vulnerabilities immediately upon discovery, the better to compel Microsoft (or other software vendors whose products were found lacking) to expedite a security patch. Opponents of full disclosure advocated notifying the software vendor first and giving the vendor a grace period of several weeks to prepare a patch before publicly announcing the new flaw.</p>
<p>Whether for or against full disclosure, white hats and gray hats-who referred to themselves as &#8220;researchers&#8221;-soaked up the stature gained from being the first to announce a new security hole. As with the virus-writing community, vulnerability researchers coveted bragging rights. Black hats, of course, were all for full disclosure since it broadened their opportunities to wreak havoc.</p>
<p>Each new Windows vulnerability made public was like opening a previously unnoticed trap door to hundreds of millions of Internet-connected PCs. As Microsoft scrambled to keep up with patches, black hats gravitated to the easiest holes to exploit. A flurry of attacks made the headlines in 2000 and 2001. The Anna Kournikova virus masqueraded as a photo of the celebrity tennis star. Bubble Boy infected PCs as soon as the user opened the e-mail; no need to click on the attachment. Nimda used five different methods to infect PCs and to self-propagate. SirCam bored into corporate servers.</p>
<p>It became trivial for hackers of modest technical savvy to infect Internet-connected Windows PCs in the home and in corporate settings. Yet the implications were profound. An intruder essentially usurped full control of the infected PC. It became the common practice of black hats to leave a back door open on an infected PC through which any intruder could install and run any program.</p>
<p>It almost seemed as if the youths who dabbled in copyright piracy and video game cheating had progressed to more serious forms of politically motivated hacking, sort of like advancing to hard narcotics after becoming inured to a gateway drug. Sarah Gordon, a senior researcher at Symantec Security Response, and an expert on the psychology of virus writers and hackers, doubts that a strong correlation can be drawn between simple cheating and more malicious forms of hacking. But she concedes it&#8217;s plausible.</p>
<p>&#8220;In some cases, yes, they will trip down that path,&#8221; says Gordon. &#8220;On the Internet, there are no other people involved, and no one you can see. There&#8217;s just enough depersonalization and desensitization to come up with an excuse [to cheat or hack] with very little inner conflict.&#8221;</p>
<p>Hacking began to cause increasingly heavy collateral damage. Hackers began routinely installing a small program, called a bot, short for robot. A bot sits on the hard drive and receives instructions from a controller over an IRC (Internet relay chat) channel. An IRC channel is nothing more than a private instant messaging line-the same technology used for popular public instant messaging services such as AOL&#8217;s AIM, Microsoft&#8217;s Windows Live Messenger, and Yahoo! Chat.</p>
<p>A hacker in command of an IRC channel through which dozens, hundreds, or even thousands of bots report for duty, is called a bot herder. Among black hats, one measure of skill became how good you were at assembling large bot herds and using them to launch so-called DDoS (distributed-denial-of-service) attacks.</p>
<p>In a DDoS attack, the controller instructs all of the bots in a bot herd to simultaneously flood a targeted Web address with repeated nuisance messages, thus crippling the Web site. In February 2000, a black hat calling himself Mafiaboy installed bots on computers at Yale and Harvard universities and used them to crash CNN&#8217;s Web site for four hours and create chaos at the Web sites of Yahoo, eBay, Amazon, Dell, Excite, and E-Trade. He bragged in chat rooms that the FBI would never catch him.</p>
<p>With help from the Royal Canadian Mounted Police (RCMP), the FBI traced Mafiaboy to a large Montreal home in an upscale subdivision astride the Club De Golf St. Raphael. A dozen RCMP agents raided the residence at 3 a.m. and arrested a fifteen-year-old boy, who instantly became a cause célèbre, the subject of editorial cartoons and a Free Mafiaboy campaign. Mafiaboy pleaded guilty to fifty-six criminal counts related to the attacks and was sentenced to eight months in a detention home.</p>
<p>Mafiaboy&#8217;s father told reporters the youth played sports and had other interests. &#8220;He&#8217;s not fixated on computers to the point where it would damage his health,&#8221; the father said. &#8220;I think he learned a big lesson and he&#8217;ll put it to good use.&#8221;</p>
<p>As the Mafiaboy furor subsided, Code Red slithered into the headlines. Code Red was created to take advantage of a security hole in Microsoft&#8217;s IIS software, used to serve up Web pages. The IIS vulnerability had been discovered by a black hat-turned-white hat, Marc Maiffret, cofounder and chief hacking officer of eEye Digital Security.</p>
<p>This is how Maiffret describes how he became a vulnerability researcher: &#8220;The short version is: Bad home life, computers were an escape, learned about phone phreaking, eventually led to hacking, eventually led to doing illegal things, which caused me to be raided by the FBI when I was seventeen, which caused me to have a wake-up call to do something with my life, in which I cofounded eEye, became the chief hacking officer, and have been one of the people shaping the security landscape ever since.&#8221;</p>
<p>Maiffret had advised Microsoft about the flaw in IIS in early 2001. He waited patiently to take credit for it on June 18, once Microsoft had a patch ready. At the time, simply issuing a patch didn&#8217;t mean the patch would get installed on all vulnerable machines in a timely manner. Patches can crash programs and foul corporate systems, and in 2001 they weren&#8217;t a high priority for many companies.</p>
<p>In mid-July-Friday the thirteenth, to be exact-twenty-five days after Microsoft released the IIS patch, Maiffret and some colleagues, energized by swigs of a megacaffeinated soft drink, worked through the night to reverse engineer Internet traffic logs from an IIS Web server that had bogged down. They uncovered an automated program that was snaking around the Internet in search of unpatched IIS Web servers. Each time the program found one, it posted &#8220;HELLO! Hacked By Chinese!&#8221; on the Web page.</p>
<p>Maiffret christened the program Code Red, a reference to the Asian defacement &#8220;and because Code Red Mountain Dew was the only thing that kept us awake while we disassembled the exploit.&#8221;</p>
<p>Unlike an e-mail virus, Code Red spread on its own with no action required by the PC user. Maiffret and his cohorts had uncovered the first major self-propagating worm.<br />
Code Red did double duty. It also organized infected machines into bot herds standing at the ready to launch DDoS attacks against designated Web addresses. Its first target: www.whitehouse.gov, the White House&#8217;s Web site.</p>
<p>Code Red compromised 225,000 IIS Web servers in half a day, and set up a DDoS attack to shut down www.whitehouse.gov. The White House dodged the attack. Yet, Code Red would linger on the Internet for years, breaking into millions of PCs. And it established a model for what would become a familiar cycle. Vulnerability researchers would find a fresh security hole; Microsoft would issue a patch; black hats would race to exploit as many PCs as possible before the patch got widely distributed.</p>
<p>&#8220;No one was really patching their systems, or aware of the threat that their businesses were exposed to by running Microsoft software,&#8221; says Maiffret. &#8220;Code Red was the wake-up call not only to an industry but truly to the entire world, which had grown dependent on computers and Microsoft.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/hacking-bragging-rights-hacking-ill-gotten-profits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Seeking to impress his girlfriend, Samy worm creator introduces huge new attack surface</title>
		<link>http://lastwatchdog.com/myspace-samy-worm-creator-seeks-impress-girlfriendquickly/</link>
		<comments>http://lastwatchdog.com/myspace-samy-worm-creator-seeks-impress-girlfriendquickly/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 22:00:00 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3736</guid>
		<description><![CDATA[Book Excerpt Chapter 15 Pages 189-196 Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity ISBN- 13: 978-1-4027-5695-5 Expediters Silly Samy In another sort of counterintuitive development, a vast new sector opened up where cybercriminals could roam, but it did not derive from the [...]]]></description>
			<content:encoded><![CDATA[<p>Book Excerpt<br />
Chapter 15<br />
Pages 189-196<br />
<em>Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity</em></p>
<p><a href="http://zerodaythreat.com/?page_id=23">ISBN-13: 978-1-4027-5695-5</a></p>
<p><strong>Expediters<br />
Silly Samy</strong></p>
<p><img class="alignleft size-full wp-image-3738" title="samy-kamkar" src="http://lastwatchdog.com/wp/wp-content/uploads/samy-kamkar.png" alt="samy-kamkar" width="252" height="269" />In another sort of counterintuitive development, a vast new sector opened up where cybercriminals could roam, but it did not derive from the work of a brilliant, handsomely paid mercenary programmer. It blossomed thanks to a popularity-starved script kiddie from Los Angeles, nicknamed Samy, who at age nineteen had too much free time on his hands.</p>
<p>Samy was one of the 32 million denizens-including a good many teenagers and adolescents-who populated the MySpace social networking site. MySpace used a hot new technology called AJAX, which stands for asynchronous JavaScript and XML. AJAX has been widely hailed as the enabling technology for &#8220;Web 2.0,&#8221; the coming generation of Web sites that are more feature rich and interactive.</p>
<p>Samy would underscore a lesson tech companies should have learned by now-hastily adding convenience-driven features to the Internet was akin to adding flimsy new doors and windows for criminals to test. Miffed by the brevity of his &#8220;friends&#8221; list, Samy scratched around for a way to hack into the Microsoft Internet Explorer browser and the Apple Safari browser of anybody who happened to click on his MySpace profile.</p>
<p>He began spending a couple of hours a day tweaking the AJAX component that allowed visitors to view his profile. After about a week, he discovered how to manipulate the code moving through AJAX, and contrived a way to install a self-propagating worm on the Internet Explorer or Safari browser of anyone who clicked on his profile. He included Apple&#8217;s browser because his girlfriend used a Mac.</p>
<p>Samy&#8217;s MySpace worm did three silly things: it added Samy to the visitor&#8217;s friends list; it printed &#8220;. . . and Samy is my hero&#8221; on the bottom of the visitor&#8217;s own profile; and it replicated itself to everyone on the visitor&#8217;s friends list. In an interview on German blogger Phillip Lenssen&#8217;s popular Google Blogoscoped Web site, Samy noted that &#8220;it didn&#8217;t take a rocket or computer scientist&#8221; to guess that his worm had the potential to spread exponentially. In a blog interview, Samy advised Lenssen:</p>
<p>I just had no idea it would proliferate so quickly. When I saw 200 friend requests after the first 8 hours, I was surprised. After 2,000 a few hours later, I was worried. Once it hit 200,000 in another few hours, I wasn&#8217;t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.</p>
<p>Samy was never arrested. He received hundreds of messages from angry MySpace users who didn&#8217;t consider him a hero for worming his way onto their friends list. It took Los Angeles-based MySpace, purchased in July 2006 by Rupert Murdoch&#8217;s News Corp. for $580 million, a day to clean out the worm. MySpace deleted Samy&#8217;s account.</p>
<p>Not long afterward, a copycat hacker launched the Yamanner worm against Yahoo&#8217;s free e-mail service to spread spam across Europe, and another hacker released the Spaceflash worm, which installed adware on the hard drives of more than a million MySpace users. Both hacked in through AJAX.</p>
<p>That drew the attention of some of the well-funded crime groups. At least six progressively more sophisticated MySpace worms appeared in the second half of 2006. Serious hackers began gathering up MySpace user names and passwords and systematically testing them to see if they might work as log-ons to other popular online services, said SPI Dynamics lead engineer Billy Hoffman.</p>
<p>&#8220;These criminals have programs to automatically check all the other big bank and e-commerce sites to see if you use that same user name and password,&#8221; said Hoffman, &#8220;which, chances are, if you&#8217;re lazy, that&#8217;s exactly what you do.&#8221;</p>
<p>AJAX is an enabling technology. It allows users of Google Maps to zoom in on a satellite photo of just about any address. It makes Yahoo Calendar, Yahoo Sports, Yahoo Photos, Yahoo Flickr, and Yahoo Mail come alive. It is the technology behind Windows Live, the slate of cutting-edge online services Microsoft continues to roll out. It is a fountainhead of thousands of ethereal data exchanges between the Web page program and the Web browser. And as Samy demonstrated, each such exchange is susceptible to being corrupted.</p>
<p>&#8220;AJAX introduced a huge attack surface,&#8221; said Hoffman. &#8220;AJAX works under the covers to make Web sites really responsive, but criminals can just as easily use it under the covers to do some really bad stuff.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/myspace-samy-worm-creator-seeks-impress-girlfriendquickly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How hacker wannabes become profit-driven cyberthieves</title>
		<link>http://lastwatchdog.com/hacker-wannabes-profit-driven-cyberthieves/</link>
		<comments>http://lastwatchdog.com/hacker-wannabes-profit-driven-cyberthieves/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 20:36:23 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=3510</guid>
		<description><![CDATA[Book Excerpt Chapter 4 Pages 46- 49 Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity ISBN- 13: 978-1-4027-5695-5 Self-anointed Avenger Exploiters Fall 2003, Edmonton The oldest of three children in a stable, churchgoing family, Socrates recalls getting hooked on computers as a young [...]]]></description>
			<content:encoded><![CDATA[<p>Book Excerpt<br />
Chapter 4<br />
Pages 46-49<br />
<em>Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity</em></p>
<p><a href="http://zerodaythreat.com/?page_id=23">ISBN-13: 978-1-4027-5695-5</a></p>
<p>Self-anointed Avenger<br />
Exploiters<br />
Fall 2003, Edmonton</p>
<div id="attachment_3512" class="wp-caption alignleft" style="width: 310px"><img class="size-full wp-image-3512" title="socrates_crop300px" src="http://lastwatchdog.com/wp/wp-content/uploads/socrates_crop300px.jpg" alt="Socrates at the Beverly Motel, Edmonton" width="300" height="225" /><p class="wp-caption-text">Socrates at the Beverly Motel, Edmonton</p></div>
<p>The oldest of three children in a stable, churchgoing family, Socrates recalls getting hooked on computers as a young kid. Introverted, soft-spoken, and respectful of his parents, Socrates taught himself about all things digital. He became savvy enough around computers to land a job as a technical engineering draftsman not long after graduating from high school. He earned enough to get himself an apartment and buy a state-of-the-art desktop PC. By all outward appearances, by age twenty, he seemed well positioned to make his way in the world.</p>
<p>In his leisure time, Socrates spent endless hours at his keyboard smoking a little pot and playing Counter-Strike, a popular online video game in which participants role-play either as a terrorist out to plant bombs, take hostages, and assassinate enemies, or as a counterterrorist determined to neutralize the terrorists. Comrades communicate by text messaging one another, using Internet slang, on an IRC (Internet relay chat) channel. Chat channels are virtual meeting rooms where people from all over the world convene to exchange text messages in real time about topics of common interest. As with most online, multiplayer video games, cheating on Counter-Strike is not uncommon. For instance, some players will use &#8220;wallhacks&#8221;-cheat code that renders solid objects semitransparent. This allows the cheater to spot and take aim at rivals hiding behind solid objects.</p>
<p>When he wasn&#8217;t playing Counter-Strike, Socrates would navigate to mIRC.com, a popular public Web site that serves as a gateway to thousands of chat channels. He gravitated to certain chat rooms where cinema buffs bragged about being the first to post digital copies of the latest Hollywood blockbusters on the Internet for free downloading. He became an avid collector of pirated first-run Hollywood blockbusters. Increasingly, Socrates lost track of time. His punctuality-and ultimately attendance-at work suffered. He was fired in the summer of 2003.</p>
<p>&#8220;I was always at home, stuck on my computer,&#8221; he says. &#8220;I was too obsessed with doing what I was doing online, rather than going to work. I lost my apartment. Lost everything I owned. Then I started using heavier drugs. I started smoking meth.&#8221;</p>
<p>In the fall of 2003, Marilyn was trying to work out a new fraud scheme and had heard about a kid named Socrates who knew his way around computers and chat rooms. She had actually been acquainted briefly with Socrates years before. &#8220;I ran into him through a mutual friend when he lost his job,&#8221; she says. &#8220;I was, like, &#8216;Hey maybe you can help me out with something?&#8217;&#8221;</p>
<p>Marilyn introduced Socrates to Biggie and Frankie. By then Frankie was trying to lay low. Several weeks after almost getting shot by Detective Gauthier, he had been arrested a second time and was out on bail, awaiting disposition of a slew of criminal charges. A third bust would guarantee serious jail time.</p>
<p>Frankie, too, had been haunting IRC chat channels. He had found his way to chat rooms where participants from such countries as Romania, Austria, and Egypt expressed keen interest in the data Frankie was collecting from bank records in Dumpsters and mailboxes. The cash-extraction capabilities Frankie boasted about also caught their attention. But Frankie never pursued the chat channel connections very far. He got his charge out of conning customer reps into doing his bidding. And he loved graphic design, using Adobe Photoshop to produce counterfeit checks, Canadian currency, and drivers&#8217; licenses.</p>
<p>Socrates, who felt most comfortable immersed in the virtual world, stepped in and picked up where Frankie left off. He handled the techie end of a scheme to exploit security holes in an online banking service unique to Canadian banks, called e-mail transfers. Canadian banks allowed their online banking customers to transfer up to $1,000 via e-mail to anyone with a valid e-mail address. In a few clicks, the recipient of an e-mail transfer could download the funds into his or her online account and have instant access to the cash at an ATM machine.</p>
<p>Marilyn and Frankie would get on the phone to cajole bank reps into changing the passwords and PIN numbers on accounts for which they had basic information, culled from records plucked from the trash or stolen from mailboxes. Biggie opened bank &#8220;drop&#8221; accounts all around town, using his true identity, into which he could download e-mail transfers, then withdraw the cash from an ATM machine shortly thereafter. He took charge of the recruitment and handling of runners who likewise opened drop accounts for the cell&#8217;s use.</p>
<p>The cell discovered that the banks generally would take no action to sanction drop-account holders for making withdrawals soon after large deposits were made into their accounts. After all, there was nothing illegal in withdrawing cash that was sitting in your own account. Once the bank suspected illicit funds had been transferred into an account, the most it would do was close the drop account and decline to open another one for the runner. The cell also learned that bank branches don&#8217;t necessarily communicate with one another. A runner whose account got shut down at one branch could scoot across town and open a drop account in a different branch of the same bank.</p>
<p>With Marilyn and Frankie assembling the pieces of data needed to breach accounts, and Biggie controlling the flow of extracted cash, Socrates&#8217;s job fell right in his comfort zone. Using a laptop computer, Socrates took command of the virtual components; he went online to access the breached accounts and trigger e-mail transfers into the drop accounts controlled by the cell.</p>
<p>The cell also had hundreds of stolen credit card numbers to work with. Marilyn, always good at math, mastered the art of &#8220;tumbling.&#8221; She could take a pair of sixteen-digit credit card numbers and decode the algorithm that would produce other working numbers in the same range. Socrates and Frankie went online and, using stolen credit card numbers, ordered the tools of their trade: computers, graphics software to manufacture fake IDs, and online services, such as Vonage Internet phone accounts.</p>
<p>The Vonage phone numbers came in handy if the cell needed to transfer cash from a breached bank account located in a different Canadian city. One way to defeat the bank&#8217;s security measures involved making a cash transfer to a $500 money order made out to Biggie and designated for pickup at an Edmonton Western Union office. If the bank&#8217;s fraud-detection system flagged the transfer as suspicious, triggering a phone call to verify the account holder, the bank employee would call the phone number listed with the account. Of course, Marilyn, beforehand, would change the number to a Vonage phone account, picking a number using the area code from the city where the account originated. There was no way for the bank rep to detect that it was a Vonage number, one of many issued to a meth addict in Edmonton. Upon answering, Marilyn, in a sweet voice, would confirm the authenticity of the money order.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/hacker-wannabes-profit-driven-cyberthieves/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Criminal hacking at the grass roots level</title>
		<link>http://lastwatchdog.com/criminal-hacking-grass-roots-level/</link>
		<comments>http://lastwatchdog.com/criminal-hacking-grass-roots-level/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 20:10:22 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>
		<category><![CDATA[For consumers]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=1029</guid>
		<description><![CDATA[Book Excerpt - The cost of doing business Chapter 8 Pages 95-98 Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity ISBN- 13: 978-1-4027-5695-5 March 2005, Edmonton In the year and a half Yolanda and Jacques were a couple, they had lived in three [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Book Excerpt </strong>-<strong> The cost of doing business</strong><br />
Chapter 8<br />
Pages 95-98<br />
<em>Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity</em></p>
<p><a href="http://zerodaythreat.com/">ISBN-13: 978-1-4027-5695-5</a></p>
<p><img class="alignleft size-full wp-image-1033" title="socrates_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/socrates_crop.jpg" alt="socrates_crop" width="250" height="129" />March 2005, Edmonton</p>
<p>In the year and a half Yolanda and Jacques were a couple, they had lived in three different places. The apartment they currently occupied, a two-bedroom, third-floor walk-up in the middle-class Mill Woods neighborhood south of the city, was by far the nicest.</p>
<p>Yolanda, twenty-three, was a functioning addict. Her drug of choice: crystal meth. Yolanda held down a decent job as a clerk for a courier company and earned enough to afford a car-she drove a white 1995 Chevy Cavalier-and cover rent and living expenses. Her apartment complex was done in a Hansel and Gretel motif with black trim and faux white stone walls. The rooms were compact. The living room opened via sliding glass door onto a small deck overlooking the street with a territorial view to the northeast of an expansive, undeveloped tract of land.</p>
<p>Prior to moving to Mill Woods, Yolanda and Jacques, twenty-four, a crack cocaine dealer, had lived in an apartment in the run-down Stadium neighborhood near the provincial courthouse, and before that they had lived for three months with Jacques&#8217;s father, a crack addict. It wasn&#8217;t very long into their relationship before Jacques hit Yolanda for the first time. Jacques had grown up watching his father strike his mother countless times. If his mother cried, the beatings would intensify. Jacques vividly remembered the beating his father administered that culminated with an ambulance rushing his mother to the hospital and cops hauling his father to jail. He was eight years old at the time.</p>
<p>Though Yolanda lived in constant fear, that didn&#8217;t stop her from mouthing off to Jacques-or making excuses to others for how he treated her. She spoke often to acquaintances about &#8220;Jacques&#8217;s psychosis&#8221; and &#8220;Jacques&#8217;s post traumatic stress syndrome.&#8221; Yolanda realized she, herself, probably needed mental health therapy. &#8220;I cried all the time, which induced Jacques&#8217;s psychosis, which made him beat me more,&#8221; she says. Yet, Yolanda stuck by Jacques, even after the couple was evicted from the Stadium apartment because Jacques, in a jealous rage, broke the front window and smashed all the closet doors.</p>
<p>In December 2004, Jacques was doing jail time, sharing a cell with another prisoner in the overcrowded Edmonton Remand Centre. A third prisoner was soon assigned to sleep on a floor mattress in their two-bunk lock-up. It was Socrates, fresh from his arrest at the Beverly. Through his connections in the drug-trafficking community, Jacques knew a little about Socrates. He knew, for instance, that Socrates owed another drug dealer some money, so he took it upon himself to step forward as a self-appointed collections agent.</p>
<p>&#8220;He says, &#8216;I&#8217;ll light you on fire if you don&#8217;t pay me,&#8217;&#8221; Socrates recalls. &#8220;I was, like, &#8216;OK.&#8217; I was scared of him. But I was scared of most people, back then. That&#8217;s what meth does to you.&#8221;<br />
Jacques backed off after he learned from another inmate that his new cell mate possessed the skills to scam-order new PCs. Jacques got Socrates to agree to supply him with a new laptop computer. After about a week in jail, Socrates was released. He reconnected with Biggie and slipped back into meth use and financial scams. When he skipped out on a scheduled court appearance, a warrant was issued for his arrest.</p>
<p>Socrates returned to the pattern of flitting among different sketch pads, including a brief stay with Jacques and Yolanda at Yolanda&#8217;s Mill Woods walk-up. In early 2005, he began building a reputation for himself in #cchouse, #carderz, and #carder-the IRC chat rooms where he befriended the Oklahoman who gave him the phished PayPal log-ins. Partnering with Biggie, Socrates began offering access to Edmonton drop accounts as a service to fraudsters, like the Oklahoman, who needed a way to extract cash from hijacked online accounts they controlled. The idea was to have the outsiders transfer funds into Edmonton drop accounts. Biggie would orchestrate the withdrawals. If the hijacker transferred, say, $2,000 into an Edmonton drop account, Biggie would make a withdrawal happen, then send $500 via Western Union wire to the source. After paying off the drop-account mule, Biggie would split $1,200 with Socrates.</p>
<p>Socrates was happy to leave such details to Biggie and stay immersed online. He caught a fascination with trying to crack the Web sites of medium-sized companies selling products or services on the Internet. He knew from chat room chatter that such companies often had weak Web security and that many linked their customer databases to their public-facing Web pages. He began hacking URL addresses-the http://www.etc. line that appears in the top window of a Web browser and loads up the Web page. He struck it rich when he was able to break in to the customer database of a Michigan retailer that sold work uniforms online. He was able to copy the company&#8217;s customer list with names, addresses, credit card numbers, and purchase histories for its 3,000 online customers.</p>
<p>Socrates&#8217;s stature as a brilliant techie hacker and scammer soon began to eclipse Frankie&#8217;s in local circles, which wasn&#8217;t necessarily a good thing. One day, two drug dealers showed up at the sketch pad where Socrates was holed up, muscled him into the trunk of their car, hauled him to another sketch pad, sat him down in front of a computer, and ordered him to get online and make them some money. When one of the drug dealers left to get some food and the other went to the bathroom, Socrates took off like a scared rabbit.</p>
<p>Not long after that, Hula Girl, the gutsy fake ID specialist, whom Socrates had long admired, began flirting with him and invited him to move in to her west end apartment, a few blocks from the gigantic Edmonton Mall. Socrates was making enough money to keep himself and his friends continually high and buy components to build his dream PC, which he began doing.</p>
<p>&#8220;He says she was his girlfriend, but she said she never really was,&#8221; says Detective Vonkeman. &#8220;She basically used him to whatever extent because she saw his talent and fully exploited that.&#8221;</p>
<p>Socrates gave Hula Girl a copy of everything he had, including the 3,000 profiles from the Michigan uniform company whose Web site he had hacked. Alone in Hula Girl&#8217;s apartment one day, he answered a knock at the door. In burst two assailants, one with a shotgun. Socrates would later say what happened to him next had no rhyme or reason. But his acquaintances passed along the story that another of Hula Girl&#8217;s beaus, a drug dealer, got jealous about Socrates moving into her apartment, and hired goons to put the fear of God in him.</p>
<p>&#8220;They smashed me with the back end of the shotgun five or six times in the head. Knocked me out. There was blood everywhere. On the ceiling of the apartment. And then they put zip ties around my hands and feet. Put me in the closet. Threw a bunch of blankets and stuff on me.</p>
<p>&#8220;I had to crawl out of the closet, doing this little worm-wiggle thing, all the way to the front door. Had to drag a chair across the kitchen with my teeth and prop myself up on the chair and unlock the door with my mouth. I went out into the hallway to the neighbor&#8217;s house and knocked on the door with my head, and he came to the door and he was, like, &#8216;What happened to you! What&#8217;s going on?&#8217;</p>
<p>&#8220;He&#8217;s, like, &#8216;In my thirty-two years of being alive, this is the scariest thing I&#8217;ve seen. Why don&#8217;t you call the cops?&#8217; I was, like, &#8216;I can&#8217;t.&#8217; I didn&#8217;t tell him it was because there was a warrant out for my arrest.&#8221;</p>
<p>Instead, Socrates made a phone call to Biggie, who whisked him across the city to Yolanda&#8217;s Mill Woods walk-up in the south end. With them went the powerful new dream PC Socrates had just finished assembling.</p>
<p><em>Photo: Socrates at the Beverly Motel, Edmonton</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/criminal-hacking-grass-roots-level/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft pays $250,000 bounty to catch Netsky/Sasser author</title>
		<link>http://lastwatchdog.com/microsoft-pays-250000-bounty-catch-netskysasser/</link>
		<comments>http://lastwatchdog.com/microsoft-pays-250000-bounty-catch-netskysasser/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 20:06:47 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=855</guid>
		<description><![CDATA[Book Excerpt Chapter 4 Pages 52-59 Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co. ISBN-13: 978-1-4027-5695-5 Virus Wars Subject: Hi So began the Virus Wars of 2004. It [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Book Excerpt</strong><br />
Chapter 4<br />
Pages 52-59</p>
<p><em>Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity </em>2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co. ISBN-13: 978-1-4027-5695-5</p>
<p><strong>Virus Wars</strong></p>
<p>Subject: Hi</p>
<p>So began the Virus Wars of 2004. It would pit the new breed of for-profit virus writers against an idealistic German teenager. Collateral damage would reverberate around the globe: tens of millions of PCs compromised; hospitals, banks, and transportation systems briefly knocked out. The world would never be the same. After 2004, hacking would become almost exclusively a for-profit criminal exercise, and the Internet-the emergent information superhighway-would become a thoroughfare of thieves.<br />
It would start with an innocuous-looking sliver of e-mail moving across the Internet in Australia and New Zealand on January 19, 2004, a Monday morning. It was the beginning of a new workweek. Windows PC users in the Southern Hemisphere logged on to company computers and began absentmindedly cleaning out e-mail in-boxes left dormant over the weekend. Thousands hastily clicked open the e-mail marked &#8220;Hi&#8221; and read this message:</p>
<p>Test =)</p>
<p>Dhygvlueqqh</p>
<p>Test, yep.</p>
<p>Lulled into thinking this was some sort of techie-looking test required for one vague reason or another, many took the next step and clicked on the attached icon, a Windows calculator, with the file name:</p>
<p>otnvvjevrg.exe</p>
<p>A functioning calculator, indeed, popped up on the screen. Unseen, a virus, dubbed Bagle.A, went to work. Bagle.A efficiently replicated itself to every e-mail address it could find on the infected PC and quietly opened a back door through which the intruder could return later and install a proxy server. After spreading for two weeks, Bagle.A-like the early variants of SoBig-went dormant.<br />
On January 26, a much more aggressive e-mail virus grabbed the spotlight in America. Craig Schmugar was one of the first to see it spreading. A virus research manager at McAfee&#8217;s Anti-Virus Emergency Response Team Labs near San Francisco, Schmugar christened the virus Mydoom, after spotting the word &#8220;mydom,&#8221; short for &#8220;my domain,&#8221; in the virus code. &#8220;It was evident early on that this would be very big,&#8221; Schmugar told Newsweek.com editor Jennifer Barrett. &#8220;I thought having &#8216;doom&#8217; in the name would be appropriate.&#8221;<br />
Mydoom&#8217;s author created many flavors; the virus poured into e-mail in-boxes using one of a variety of subject headers:</p>
<p>error</p>
<p>status</p>
<p>test</p>
<p>hello</p>
<p>server report</p>
<p>mail delivery system</p>
<p>mail transaction failed</p>
<p>And the pretense to get a PC user to click on the viral attachment was much more refined than Bagle.A&#8217;s silliness:</p>
<p>The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment</p>
<p>or</p>
<p>The message contains Unicode characters and has been sent as a binary attachment.</p>
<p>or</p>
<p>Mail transaction failed. Partial message is available.</p>
<p>Clicking on Mydoom&#8217;s attachment did more than let loose the standard address finder and e-mailing engine; it also implanted a copy of the virus on any shared Kazaa directories. Kazaa is a music-sharing service popular with teenagers and young adults. Anyone downloading music from the infected directory would also get the virus.<br />
The virus also mixed and varied the extension of its attachments. Instead of using &#8220;text.exe,&#8221; for instance, it would use &#8220;test.txt.pif&#8221; or &#8220;test.htm.zip,&#8221; a ploy to slip through e-mail system filters set to block potentially hostile files. And to lower the odds of early detection, it did not send itself to e-mail addresses of government agencies, the military, or anyone at Microsoft.<br />
While Bagle.A came and went and was barely noticed, Mydoom flooded e-mail systems like no other virus, sweeping around the globe in record time. In less than twenty-four hours, e-mail management company MessageLabs blocked more than 1 million viral e-mails, one in every twelve e-mails handled.<br />
Mydoom also propped open a back door and planted a bot; each bot carried the same instructions: launch a DDoS attack against www.sco.com on February 1. The targeted Web site belonged to the SCO Group, a supplier of Unix computer systems and scourge of the Linux community. SCO had incurred the wrath of Linux supporters by suing IBM and Novell for donating code to Linux-code SCO claimed it partially owned.<br />
SCO drew more ill will from the Linux crowd by posting a $250,000 reward for information leading to the arrest of Mydoom&#8217;s creator. No one ever collected the reward, and on February 1, right on schedule, legions of Mydoom bots assaulted www.sco.com, forcing it to shut down for two weeks.<br />
While Mydoom grabbed headlines, Bagle&#8217;s author quietly prepared for a long-run assault. On February 17, the Bagle camp upped the ante. Bagle.B appeared on the Internet in Poland and spread to sixty-six countries in less than twenty-four hours. Taking a page from SoBig, it included instructions to self-expire in two weeks, foreshadowing improved variants to come.<br />
As antivirus companies scrambled to thwart the twin attacks of Mydoom and Bagle, a third potent e-mail virus debuted on February 17. It was quickly named Netsky, a twist on a reference in the virus code to &#8220;Skynet,&#8221; the villainous computer network in the Terminator movies starring Arnold Schwarzenegger.<br />
Netsky incorporated just about every trick in the book. It arrived with a variety of subject lines and message texts; it replicated to all addresses found on the hard drive; it sought out shared links with corporate servers; it infected the file-sharing directories of the music download services Kazaa, BearShare, and LimeWire; and it used attachments with double extensions, such as</p>
<p>dictionary.doc.exe</p>
<p>basics.doc.exe</p>
<p>sex sex sex sex.doc.exe</p>
<p>hardcore porn.jpg.exe</p>
<p>Upon clicking on Netsky&#8217;s viral attachment, the user would get this error message:</p>
<p>The file could not be opened!</p>
<p>Virus hunters had seen all of these techniques before. Netsky rather brilliantly combined them all. But the most distinctive thing about Netsky was its prime directive to clean out Mydoom infections. At its core, Netsky appeared to be an antivirus virus. Any doubts about this were put to rest by these cryptic messages woven into Netsky&#8217;s coding:</p>
<p>&lt;-&lt;- we are the skynet &#8211; you can&#8217;t hide yourself! &#8211; we kill malware writers (they have no chance!) &#8211; [LaMeRz--&gt;] MyDoom.F is a thief of our idea! &#8211; -&lt; SkyNet AV vs. Malware &gt;&#8211;&gt;-&gt;<br />
#T#h#i#s# #i#s# #t#h#e# #[#W#3#2#.#S#k#y#n#e#t#.#c#z#]# #A#n#T#i#V#i#R#u#S# #-# #w#e# #w#a#n#t# #t#o# #k#i#l#l# #m#a#l#w#a#r#e# #w#r#i#t#e#r#s#!#</p>
<p>By his own account, as told to the German news magazine Stern, Sven Jaschan describes himself as a shy, quiet teenager, who eschewed partying and drinking. In January 2004, while attending computer science classes at a vocational high school in Rotenburg, Germany, Jaschan says he began discussing Mydoom with his school chums. Jaschan was fascinated. Here was a program, whose name everyone knew, reproducing itself at an incredible rate. Wouldn&#8217;t it be a crazy idea if someone could write something that reproduced just as quickly and deleted Mydoom? That person would become a self-anointed avenger, a hero.<br />
Jaschan took the challenge upon himself. He spent all of his free time the next three weeks, up to ten hours a day, hunched over his computer in the basement of his parents&#8217; home in the idyllic village of Waffensen. Swigging seltzer and listening to MTV and its German equivalent, VIVA, blaring on a TV set nearby, Jaschan researched e-mail viruses and began to craft Netsky. It would take 2,000 lines of code.<br />
Jaschan told the Stern reporters that his siblings and school chums knew what he was up to. &#8220;They even encouraged me to add something that would cause damage, but that was never what I wanted,&#8221; claims Jaschan in the Stern article. Soon all the students in Jaschan&#8217;s class knew what he was doing; Jaschan even claims that some of them helped him distribute Netsky. &#8220;It was just great how Netsky began to spread, and I was the hero of my class,&#8221; he told Stern.<br />
Graham Cluley, senior technology consultant at antivirus firm Sophos, can relate to the buzz Jaschan felt. As a college student back in 1991, Cluley won notoriety as the author of the free, text-based video games Jacaranda Jim and Humbug. He picked up spending cash soliciting donations from fans of his games, which happened to include Alan Solomon, creator of one of the early antivirus programs. Cluley took a job at Solomon&#8217;s start-up company, and headed off into a career as a virus hunter.<br />
&#8220;It&#8217;s a shame that someone with obvious computer skills should turn to writing computer viruses to increase their self-esteem, rather than doing something positive like developing computer games or an innovative Web site,&#8221; says Cluley.<br />
Jaschan could not have imagined the scale of the virus war he would instigate. As Netsky drew attention, the Mydoom camp sought to regain the spotlight by issuing variants that corrupted Microsoft Office documents and launched a DDoS attack against the Recording Industry Association of America. RIAA had drawn hostility for suing people caught swapping music online.<br />
Over in the Bagle camp, the arrival of Netsky appeared to disrupt carefully laid plans to release a barrage of Bagle variants moving at least partly in the shadow of the headline-grabbing Mydoom. With Netsky on the scene, competition for vulnerable computers to infect had suddenly intensified. Soon Bagle began attacking Netsky, forcing Netsky to retaliate. What started as a Netsky versus Mydoom war evolved into mortal combat between Netsky and Bagle, with Netsky cleaning up Bagle variants as fast as the Bagle camp could put out new ones. Buried deep inside Bagle.J, virus hunters found this cry of frustration:</p>
<p>Hey, NetSky, fuck off you bitch, don&#8217;t ruine our business, wanna start a war?<br />
Through the months of March and April, Jaschan would release twenty-nine variants of Netsky, as many as five in one week, counterattacking the latest Mydoom and Bagle variants. As April drew to a close, he began looking for a way to separate himself from the pack and vanquish Mydoom and Bagle for good. He got the germ of an idea on April 13, when Microsoft issued a security patch that sent red flags fluttering throughout the tech community.</p>
<p>What caught Jaschan&#8217;s eye was a patch to fix something called Local Security Authority Subsystem Service, or LSASS, a Windows component designed to manage security and authentication. The LSASS vulnerability looked like a repeat of the RPC security hole. It was just the previous summer, in July 2003, that Microsoft had released the RPC patch and seen its worst fears come to fruition in the form of the MSBlast worm, the infection that spread to 25 million Windows PCs worldwide.<br />
Was history about to repeat itself? On April 25, Jaschan paid close attention when a Russian hacking group, known as House of Dabus, posted a proof of concept LSASS exploit on a French Web site. The exploit laid out programming code crafted to overwhelm the LSASS hole and take control of vulnerable Windows XP and Windows 2000 computers. &#8220;At that point, anyone with minimal programming skills could go and build a worm to hack into machines,&#8221; says Johannes Ullrich, chief technology officer of the SANS Institute Internet Storm Center.<br />
Thursday, April 29, happened to be Jaschan&#8217;s eighteenth birthday. After returning home from a celebration with friends, he descended into his basement cubby and put the finishing touches on a self-propagating worm using the House of Dabus&#8217;s exploit. Just sixteen days had gone by since Microsoft released the LSASS patch. Hardly anyone had applied the patch. Jaschan set his worm loose on the Internet and went to bed.<br />
Virus hunters first spotted the worm on the move on Friday, April 30, and christened it Sasser. Crudely written, Sasser soon gathered momentum and began to spread faster-and then too fast. The worm spread so rapidly that it caused infected machines to reboot constantly. From his basement, Jaschan tried to correct the problem by releasing Sasser.B, Sasser.C, and Sasser.D, but things only got worse. Within forty-eight hours, Sasser infected at least 1.3 million PCs. In particular, it wreaked havoc with groups of PCs linked together in Windows-based local area networks commonly used in businesses around the globe. Jaschan hoped Sasser would be his coup de grace to wipe out Mydoom and Bagle. Instead it would lead authorities to his basement lair.<br />
Because much of Asia and Europe was heading into a three-day weekend to celebrate May Day, many companies were operating with skeleton tech-service crews.<br />
Sasser halted rail service in Australia, paralyzed a third of Taiwan&#8217;s post office, forced Finland&#8217;s Sampo Bank to shut down 130 branches, and prompted Delta Air Lines to cancel several transatlantic flights. Because its effects were so blatant, it spurred other businesses and consumers to install Microsoft&#8217;s LSASS patch right away. It also made Sven Jaschan a marked man.<br />
Following the spread of MSBlast and SoBig, Microsoft had announced in the fall of 2003 that it was setting aside $5 million in reward money for the capture of notorious virus writers. A $250,000 prize awaited anyone who provided information leading to the arrest and conviction of the author of MSBlast, SoBig, or Mydoom. On May 5, two of Jaschan&#8217;s school chums contacted Microsoft&#8217;s German office and inquired whether a similar bounty might be available for information that led to Sasser&#8217;s author. When Microsoft assented, they fingered Jaschan.<br />
Police arrested young Sven in his home on May 7. Reporters swooped in. Sabine Jaschan, his stepmother, told a reporter for RTL News, &#8220;About four months ago he was over here for a visit and said, &#8216;Papa, I&#8217;ve put out a computer worm.&#8217; And then my husband said, &#8216;Sven, you didn&#8217;t do anything stupid, did you?&#8217; He just kind of laughed nervously.&#8221;<br />
Jaschan confessed to creating Sasser and Netsky. At a hearing more than a year after his arrest, Jaschan received a sentence of twenty-one months on probation and thirty hours of community service, based largely on the fact that most of his virus writing was done before he turned eighteen. Shortly thereafter, Microsoft paid his two school chums, who for a time were investigated as suspected accomplices, $250,000.<br />
&#8220;He said he really wanted to develop an antidote to the virus,&#8221; Rainer Jaschan, Sven&#8217;s father, told reporters. &#8220;He said he didn&#8217;t want to cause any damage.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/microsoft-pays-250000-bounty-catch-netskysasser/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How credit bureaus created and perpetuate errors in your credit history</title>
		<link>http://lastwatchdog.com/credit-bureaus-created-perpetuate-errors-credit-history/</link>
		<comments>http://lastwatchdog.com/credit-bureaus-created-perpetuate-errors-credit-history/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 18:53:43 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=1575</guid>
		<description><![CDATA[Book Excerpt Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co. ISBN-13: 978-1-4027-5695-5 Rife with Inaccuracies (Pages 88-94) Lending is the art of hedging your bets. The basic model for [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>Book Excerpt</strong></em></p>
<p><em>Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co.</em></p>
<p><a href="http://search.barnesandnoble.com/Zero-Day-Threat/Byron-Acohido/e/9781402756955">ISBN-13: 978-1-4027-5695-5</a></p>
<p><strong>Rife with Inaccuracies </strong>(Pages 88-94)</p>
<p>Lending is the art of hedging your bets. The basic model for doing it profitably is simple. Whenever possible, make loans only to borrowers of good repute likely to repay you as agreed, with reasonable interest. Should you choose to lend to folks who might be late with a payment-or worse, default on the loan-simply charge a higher interest rate to reflect your increased risk.</p>
<p>The art comes in differentiating reliable borrowers from risky ones; in short, profiling. When it comes to profiling prospective borrowers, lenders have a key accomplice: the big three credit bureaus, Equifax, Experian, and TransUnion. The big three comprise a singularly powerful and essential component of our built-for-speed credit-issuing and payments system. Together these giant data-handling companies keep close track of every loan, every installment payment, every credit application for every consumer. Each bureau maintains more than 210 million files and updates more than 4 billion pieces of data each month.</p>
<p>This intelligence is distilled down to individual credit reports, which form the basis for calculating interest rates and dictating repayment terms for all forms of consumer credit: bank loans, credit card accounts, auto loans, mortgages, stock portfolio margin loans-you name it. What&#8217;s more, insurance companies use credit reports to determine one&#8217;s policy premiums, landlords use them to decide whether to rent to someone, and employers sometimes use them to determine whether to hire a potential employee.</p>
<p>To consumers, credit reports loom as a cornerstone of financial life. Over a lifetime, your credit report will determine how much you&#8217;ll pay in interest rates and insurance premiums and could factor into where you are able to live and whether you qualify for certain jobs.</p>
<p>To lenders-banks, credit card companies, mortgage brokers, and others-credit reports are the magic profiling tool that enable them to hedge their bets and push out fresh credit very rapidly on a mass-market scale.</p>
<p>To the big three, credit reports are like flakes of gold. Each credit report issued brings in revenue ranging from 50 cents (as when delivered in bulk to large banks) to $15 (as when a report is sold to an individual consumer.) Experian reported revenues of $3.1 billion in the year 2006, Equifax reported $1.6 billion, and Hoover&#8217;s Company Reports estimated private TransUnion&#8217;s revenues at $1.2 billion.</p>
<p>The trouble is that credit reports are typically rife with inaccuracies. It turns out that the computer-to-computer exchange among the credit bureaus, keepers of payment behavior data, and lenders, who assign rates and terms based on that information, is quick to incorporate errors and yet highly resistant to correction.</p>
<p>&#8220;The goal is to try to deliver as many credit reports to lenders as possible and this requires a largely automated file identification and delivery system,&#8221; says John Ulzheimer, president of Credit.com Educational Services, which advises consumers on credit management. Ulzheimer is also a former Equifax and Fair Isaac customer service manager.</p>
<p>Once the credit bureaus&#8217; automated systems add erroneous data to an individual&#8217;s credit history, it can be next to impossible to clear the inaccuracies. A 2005 survey by the U.S. Public Interest Research Group (PIRG) found that a whopping 79 percent of credit reports contained errors, and 25 percent contained mistakes serious enough to prevent the individual from obtaining credit.</p>
<p>The PIRG survey stands out among myriad surveys and anecdotes confirming how routinely strangers&#8217; names, wrong addresses, payment history falsehoods, erroneous judgments, and even aberrant Social Security numbers get molded into credit reports.</p>
<p>Yet any consumer who attempts to get errors corrected is in for an Alice in Wonderland experience. Perseverance is a must, and a satisfactory resolution often requires assistance from the cottage industry of credit repair consultants and lawyers expert at bringing Fair Credit Reporting Act (FCRA) lawsuits against the big three. &#8220;Basically you&#8217;ve got to get a lawyer and hit them between the eyes with a two by four to get their attention,&#8221; says Richard Feferman, an Albuquerque, New Mexico-based attorney, who represents plaintiffs in FCRA lawsuits.</p>
<p>The bureaus typically respond to complaints by reducing each one to a two-digit code forwarded in a document called a CDV, or consumer dispute verification, to the lender. Often the CDV gets routed through a series of intermediaries working in sweatshops in third world countries. One such employee testified that the bureau she worked for received up to 8,000 CDVs per day and that each worker was required to handle one dispute every four minutes to meet quotas, says Anthony Rodriguez, staff attorney for the National Consumer Law Center.<br />
In a 2006 FCRA lawsuit filed in New Mexico by Feferman, U.S. District Court Judge M. Christina Armijo ruled that &#8220;a rational factfinder could conclude that Equifax knew that the pointless repetition of the cursory CDV procedure by its various agents and contractors was not going to resolve Plaintiff&#8217;s dispute in a timely manner and only served to delay the matter until Plaintiff tired of the process or proceeded to litigation.&#8221;</p>
<p>Lenders typically respond to a CDV by referencing the document containing the error in question, and going no further, says Blair Drazic, a St. Louis-based FCRA attorney. &#8220;When you apply for a loan, there&#8217;s supposed to be a paper with your name on it. They never have that. They&#8217;ll say you&#8217;re in our files as owing it [the disputed loan balance], and the investigation consists of checking the same computer that reported you to start with,&#8221; says Drazic.</p>
<p>Testifying before Congress in 2003, Rodriguez, the National Consumer Law Center attorney, delineated the economic incentive to perpetuate errors: &#8220;So long as the mistakes about consumers generally make the consumers appear to be a worse credit risk than they really are, rather than better, the credit industry has no incentive to improve the system, especially where the current system covers additional risk by charging more for riskier borrowers wrongfully identified as being a greater risk by the credit reporting system.&#8221;<br />
Stuart Pratt, president and CEO of the Consumer Data Industry Association, the powerful lobbying group that represents the credit bureaus, says CDVs make the process more convenient for consumers because they can report problems at any time of the day or night. Pratt notes that under federal law, consumers who are unable to resolve errors can ask the credit bureau to include a statement about the dispute in their file. But such dispute letters are widely disregarded by lenders.</p>
<p>&#8220;This is all designed to save them [credit bureaus] money,&#8221; says Feferman. &#8220;They just don&#8217;t have the will to fix errors. They get the same amount for a credit report whether the credit report is accurate or not, and the costs of investigations are a drag on profits.&#8221;</p>
<p>Pratt insists mistakes are rare. He contends the greater good is compelling. After all, an automated, wide-ranging credit-approval system perfectly complements a card-based payments system that can process transactions in as little as 1.4 seconds. And this acceleration has been crucial to expanding consumers&#8217; buying power. Meanwhile, revolving and nonrevolving household debt climbed 580 percent to $2.4 trillion by 2007, up from $352 billion in 1980, while the median household income of young families rose just .08 percent to $45,485 over roughly the same period, according to the Federal Reserve and U.S. Census Bureau.</p>
<p>That ability to extend credit to virtually everyone from teenagers to first-time business owners to any consumer desiring a new SUV or high-definition television, Pratt argues, far outweighs what he characterizes as comparatively minor glitches in the system. &#8220;Credit has been democratized,&#8221; says Pratt. &#8220;Credit has facilitated economic growth in this country and it has saved consumer money on an individual basis.&#8221; Pratt makes such statements with a practiced earnestness honed during years of defending the status quo in the halls of Congress.<br />
But what Pratt won&#8217;t ever volunteer in public discourse is that no law or decree ever gave the credit bureaus exclusive rights to handle credit records. The bureaus simply grabbed that power. And the imperfect data-handling systems the bureaus have put in place makes no profit offering transparency to individual consumers. The credit bureaus&#8217; data-handling systems have proved to be supremely efficient and productive at a singular task: keeping our credit-issuing and card-based payments system running full tilt.</p>
<p><strong>Low-tech Spree</strong></p>
<p>Among those who most appreciate our credit-issuing and payments system, as is, are the identity thieves who fully grasp its weaknesses. One such rogue put Matthew and Lisa Kirkpatrick, of Portland, Oregon, through five years of hell. In February 2001, the Kirkpatricks were getting desperate because they couldn&#8217;t get a loan to finish a remodeling project to make room for their third child, who was on the way. The loan should have been a slam dunk. After all, Matthew earned a good living as a union carpenter, and the couple had always maintained a credit score of around 750, good enough to get favorable loan rates and terms.</p>
<p>But a couple of years earlier, a scam artist in Coeur d&#8217;Alene, Idaho, had started probing soft membranes in the credit-issuing system. Somehow the crook had gotten hold of-and renewed-Kirkpatrick&#8217;s Washington state driver&#8217;s license, though Matthew hadn&#8217;t lived in Washington for a dozen years. He also somehow obtained Kirkpatrick&#8217;s Social Security number. With those two items, the crook had all he needed to go on a low-tech crime spree.</p>
<p>On the Friday before the 2000 Super Bowl, the imposter opened a Wells Fargo banking account in Spokane, Washington, depositing a bad check for $5,000. Two days later, on Super Bowl Sunday, he went on a shopping spree writing checks for up to $2,000 at various Spokane retailers. When the store clerks called to verify sufficient funds to cover the check, the automated systems showed a $5,000 balance. After the checks bounced the following week, a dozen merchants were looking for Matthew Kirkpatrick to make good.</p>
<p>The thief wasn&#8217;t done. Over the next several months, he used Kirkpatrick&#8217;s data to open a series of cell phone accounts and obtained credit cards, which he used to stay in hotels and go on shopping sprees. He also made several trips to hospital outpatient clinics across Washington seeking treatment-and medication-for ear aches, back aches, and joint pain. None of the bills ever got paid, and each one eventually got turned over to collections. A lot of creditors were looking for Matthew Kirkpatrick.</p>
<p>Kirkpatrick first got wind in early 2000 that a small army of collections agents was hunting for him. He knew there had been some kind of horrible mistake, but believed the mix-up was easily correctable. In a positive frame of mind, he immediately set out to definitively prove that he was the victim of fraud.</p>
<p>He compiled a package of documents with police reports, letters from lenders stating he was not at fault, a copy of his signed Social Security card, a copy of his Oregon driver&#8217;s license, and a detailed cover letter summarizing the circumstances. He mailed it to Equifax in February 2001. He resent another copy of the package in March, in April, and twice more after that, the last time by registered mail, return receipt both requested and received. Each time, Equifax representatives refused to confirm receipt of the documents, much less advise Kirkpatrick of the status of his corrupted files.</p>
<p>&#8220;We were living in this construction zone with a new baby and growing family for two and half years,&#8221; recalls Kirkpatrick. &#8220;It was very stressful calling Equifax and saying, &#8216;What happened to all the police reports and all the documents I sent you?&#8217; and them saying, &#8216;We shredded them. We didn&#8217;t get them. We get a thousand of these every day.&#8217;</p>
<p>&#8220;It was stressful knowing they had this power over me and my family. And their business decision was that it was cheaper for them to deal with you in litigation, if you end up being stubborn enough to take it that far.&#8221;</p>
<p>The Kirkpatricks did get their day in court in January 2005. They were awarded $210,000. As he has done numerous times, Mike Baxter, the Kirkpatricks&#8217; attorney, directed the jury&#8217;s attention to provision 1681 I(a)(2)(B) of the Fair Credit Reporting Act, which requires credit bureaus to promptly forward documentation of a dispute to the lender. That federal rule was one of the hard-won proconsumer protections hashed out in congressional subcommittee meetings between industry lobbyists and privacy advocates. It was intended to spur a process by which the creditor is compelled to evaluate the validity of a dispute in a timely manner.</p>
<p>However, Baxter and other FCRA attorneys say the credit bureaus and lenders have long since established a practice of dispatching dispute documents into limbo. &#8220;I have never seen a credit bureau send supporting documents to the creditor; in fifteen years, I can&#8217;t recall a single instance,&#8221; says Baxter. &#8220;They never send those documents because it&#8217;s more profitable for them to not follow the law, than it is to actually follow the law, as far as I&#8217;m concerned.&#8221;</p>
<p><strong>Sweeping Immunity</strong> (pages 98-102)</p>
<p>Credit bureaus began humbly enough more than 100 years ago. Brothers Cator and Guy Woolford launched Retail Credit Company in Atlanta in 1899 by publishing the Merchant&#8217;s Guide for a $25 annual subscription. The Woolfords gained intelligence on prospective borrowers by sending out inquisitive Welcome Wagon women with baskets of goodies and keen powers of observation. Retail Credit endured, grew, and evolved into Equifax.</p>
<p>Homegrown credit bureaus proliferated steadily through the first half of the twentieth century; their number spiked in the 1950s with Frank McNamara&#8217;s introduction of the Diners Club card and Bank of America&#8217;s launch of the BankAmericard. By 1970 the number of credit bureaus in the United States peaked at more than 2,200.<br />
As the financial industry began to apply digital technology to speed up and extend card-based payments, consolidation of the credit bureau industry became inevitable. The process of compiling credit reports needed to be centralized and accelerated to keep pace with the rising distribution of credit cards. By the end of the 1980s, five giant credit bureaus dominated the space, and by 1997 the big three controlled 90 percent of the market.</p>
<p>Experian emerged from the maneuvering of conglomerates TRW and Chilton Corporation and was acquired by Great Universal Stores of the United Kingdom. Meanwhile, the credit bureau division of TransUnion, a onetime rail car- and equipment-leasing giant, landed in the portfolio of the Marmon Group, a private conglomerate that includes the Hyatt Hotel chain and is run by the Pritzkers of Chicago, one of America&#8217;s wealthiest families.</p>
<p>As this consolidation played out, leaders of the credit bureau industry were mindful to defuse rising concerns about inaccuracies and misleading data increasingly turning up in credit reports. In the late 1960s, Senator William Proxmire (D-WI) stepped forward as a vocal advocate for consumer privacy protection. However, in championing the Fair Credit Reporting Act of 1970, Proxmire got outmaneuvered by proindustry senators.</p>
<p>What began as a proconsumer proposal got twisted into a law so probusiness that one observer, Professor Arthur Miller, of the University of Michigan, described the final version as &#8220;an act to protect and immunize the credit bureaus rather than an act to protect the individual who has been abused by the credit information flow created by the bureaus.&#8221;</p>
<p>The FCRA of 1970 required credit bureaus to investigate complaints within a &#8220;reasonable&#8221; period of time but set no limits. It remained silent on whether lenders had a duty to supply accurate information to the bureaus. And the coup de grace for industry: it granted credit bureaus and lenders sweeping immunity from state defamation laws by which consumers could seek legal redress for bad data getting integrated into their credit histories. This represented a 180-degree divergence from Proxmire&#8217;s original intent to create federal liability while preserving state liability, says Evan Hendricks, editor and publisher of the newsletter Privacy Times and author of Credit Scores &amp; Credit Reports: How the System Really Works, and What You Can Do.</p>
<p>For the next two decades, complaints about inaccuracies and the recalcitrance of bureaus and lenders to fix errors predictably mounted. Crooks figured out how to manipulate the system, and identity theft became a rising concern. By the late 1980s, consumer groups and privacy advocates began to clamor for reform. In the early 1990s attorneys general from some nineteen states won a court injunction mandating that credit bureaus improve accuracy and do a better job of investigating complaints.</p>
<p>Meanwhile, in the nation&#8217;s capital, Congress, after several years of debate, finally strengthened the federal rules. Amendments to the FCRA that took effect in 1997 required credit bureaus and lenders to investigate consumer complaints within thirty days and make full credit reports available to consumers. Yet the savvy credit bureau lobbyists didn&#8217;t come away empty-handed. They scored a valued prize: preemption of state requirements calling for the meticulous handling of credit data and responsiveness to consumers&#8217; complaints. The preemption was set to expire at the start of 2004.</p>
<p>&#8220;Industry lobbyists claimed it would be too expensive to deal with fifty different state laws, but actually, most states pass very similar laws and the easiest and cheapest way to comply is to comply nationwide with the strongest one,&#8221; says Ed Mierzwinski, consumer program director of the U.S. Public Interest Research Group.</p>
<p>With the preemption of state rules due to expire at the start of 2004, the horse trading between lawmakers siding with privacy advocates and those lending a friendly ear to industry began anew in 2003. When the dust settled, the credit bureaus took home the trophy they most coveted: extension of the preemption that cut off states from setting data-handling rules. Consumers&#8217; consolation prize: one free credit report per year from each of the big three bureaus.</p>
<p>The bureaus would soon figure out how to turn this seemingly trivial concession into a fresh source of profits. But what they did not see coming was the impact of provisions that allowed states to enact rules to mitigate identity theft. The battle lines in 2006 and 2007 would be drawn over data-breach notification laws, requiring companies to notify consumers if sensitive data is lost or stolen, and credit freeze laws that empower consumers to ban the bureaus from compiling and issuing a credit report without the consumer&#8217;s consent.</p>
<p>&#8220;The real reason industry doesn&#8217;t want states to protect consumers is because the states are quicker and more responsive than the Congress in passing tough laws, and more immune to their lobbying and donation excesses,&#8221; says Mierzwinski. &#8220;By the time Congress took its first identity theft baby steps in 2003, California had already invented the security [credit] freeze and seven other states had given consumers the right to a free credit report.&#8221;</p>
<p>As this wrangling over regulation unfolded, the credit bureaus continued issuing credit reports using essentially the same processes honed in the 1970s. The bureaus jealously guard details about how this process works. TransUnion spokesman Steve Katz cites the danger of divulging &#8220;an unintentional instruction manual&#8221; for crooks.</p>
<p>But criminals long ago triangulated how the bureaus verify the identities of loan applicants and decide which records to pull into a credit report. And they&#8217;ve devised countless scams that take advantage of the system&#8217;s propensity to readily accept and amalgamate close-enough data.</p>
<p>A prospective borrower filling out an online loan application can submit fewer than nine correct digits of a Social Security number and just three matching letters of the first name of someone in good credit standing. Often that is enough to trigger the delivery of a credit report and subsequent approval for a new cell phone account or credit card, says David Szwak, a Shreveport, Louisiana-based FCRA attorney.</p>
<p>&#8220;The three letters of the first name don&#8217;t even have to be in the same order or sequence. Marsha and Mark would be the same person; David and Diana would be the same, as far as the credit bureaus are concerned,&#8221; says Szwak. Last-name matches aren&#8217;t necessary, he says.</p>
<p>One of Szwak&#8217;s clients, Cynthia Comeaux, a native of Laplace, Louisiana, now living in Dallas, had her credit history deeply entangled with that of Cindy Carr, a military wife, living in New Orleans. &#8220;Their Socials were within 7 of 9 digits, and both of them had a C and I and N in their first names, though not in the same order,&#8221; says Szwak. &#8220;They were repeatedly blended together for years; Experian never could get it unwound, had no desire to unwind it; the other two bureaus eventually fixed it.&#8221;</p>
<p>The bureaus also ignore the applicant&#8217;s date of birth and employment history; this makes it easy for thieves to create fraudulent new accounts by submitting a slightly tweaked name and Social Security number, or even by using a dead person&#8217;s or a juvenile&#8217;s personal data. Since the bureaus also accept any address submitted by a loan applicant, a crook can easily divert delivery of credit cards and billing statements into his or her own hands, says Szwak.</p>
<p>Perhaps most galling to consultants and attorneys who help consumers correct errors in their credit records is the fact that when a consumer requests a copy of his or her own credit report, the bureaus suddenly become sticklers for accuracy. The bureaus supply consumers with a report that includes only those loan and payment records with a perfect match of name, address, Social Security number, and date of birth, disregarding potentially fraudulent records with any of these items awry.</p>
<p>&#8220;When you order your own credit report, it may not contain derogatory information from someone with a similar name or Social Security number, but that data would appear on the credit report the bank or mortgage company orders, which is a huge problem,&#8221; says Mike Baxter, a Portland, Oregon-based FCRA attorney.</p>
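<p>The two matching rules Szwak and Baxter describe above, the loose one used for a lender&#8217;s pull and the exact one used when a consumer asks for a copy, as a runnable model. This is an added example, not code from the book or from any bureau; the thresholds (seven of nine Social Security digits, three shared first-name letters in any order) come from the text, while the position-by-position digit comparison, the sample identities and their 000-area Social Security numbers are assumptions constructed here, since the bureaus&#8217; real matching logic is not public.</p>

```python
"""Model of the 'close-enough' identity matching the excerpt describes.

Thresholds are the ones in the text (seven of nine SSN digits, three shared
first-name letters in any order); everything else, including the
position-by-position digit comparison and the sample identities, is an
assumption made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    first: str
    last: str
    ssn: str       # nine digits, dashes allowed
    dob: str       # YYYY-MM-DD
    address: str


@dataclass(frozen=True)
class Tradeline:
    owner: Identity
    creditor: str
    status: str


def ssn_digits(ssn):
    return "".join(ch for ch in ssn if ch.isdigit())


def ssn_agreement(a, b):
    """Number of positions at which two nine-digit SSNs agree (assumed rule)."""
    da, db = ssn_digits(a), ssn_digits(b)
    if len(da) != 9 or len(db) != 9:
        return 0
    return sum(1 for x, y in zip(da, db) if x == y)


def shared_first_name_letters(a, b):
    """Letters the two first names have in common, order ignored."""
    return set(a.lower()) & set(b.lower())


def loose_match(applicant, record, ssn_min=7, letters_min=3):
    """Lender-side pull as Szwak describes it: partial SSN plus three letters of
    the first name; last name, date of birth and address are never consulted."""
    return (ssn_agreement(applicant.ssn, record.ssn) >= ssn_min
            and len(shared_first_name_letters(applicant.first, record.first)) >= letters_min)


def strict_match(applicant, record):
    """Consumer-side pull: every field must agree exactly."""
    return (applicant.first.lower() == record.first.lower()
            and applicant.last.lower() == record.last.lower()
            and ssn_digits(applicant.ssn) == ssn_digits(record.ssn)
            and applicant.dob == record.dob
            and applicant.address.lower() == record.address.lower())


def pull_report(requester, tradelines, matcher):
    """Tradelines a bureau would bundle into the report for `requester`."""
    return [t for t in tradelines if matcher(requester, t.owner)]


# Constructed sample data; SSNs in the 000 area are never issued.
COMEAUX = Identity("Cynthia", "Comeaux", "000-12-3456", "1970-01-01", "1 Elm St, Dallas TX")
CARR = Identity("Cindy", "Carr", "000-12-9436", "1975-06-15", "9 Oak St, New Orleans LA")
JONES = Identity("Robert", "Jones", "000-98-7654", "1960-03-03", "5 Pine St, Shreveport LA")

TRADELINES = [
    Tradeline(COMEAUX, "Dallas Credit Union", "paid as agreed"),
    Tradeline(CARR, "NOLA Furniture Finance", "90 days late"),
    Tradeline(JONES, "Pelican Bank", "current"),
]


def lender_view(requester):
    """What the bank or mortgage company ordering a report would see."""
    return pull_report(requester, TRADELINES, loose_match)


def consumer_view(requester):
    """What the consumer ordering his or her own report would see."""
    return pull_report(requester, TRADELINES, strict_match)


if __name__ == "__main__":
    print("lender pull:  ", [(t.owner.first, t.creditor, t.status) for t in lender_view(COMEAUX)])
    print("consumer pull:", [(t.owner.first, t.creditor, t.status) for t in consumer_view(COMEAUX)])
```

<p>Run as a script, the lender pull for Comeaux carries Carr&#8217;s 90-days-late tradeline while the consumer pull does not, which is exactly the gap Baxter points to: the derogatory record is invisible on the copy the consumer can check and present on the copy the lender acts on.</p>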
<p>Consumers who go to court to get the bureaus to correct errors occasionally get big awards. Baxter was cocounsel for Judy Thomas, of Klamath Falls, Oregon, who spent six years trying to get TransUnion to correct her credit history. In 2003, a Portland, Oregon, jury ordered TransUnion to pay Thomas $5.3 million, but a federal judge later reduced the award to $1 million.</p>
<p>Most successful lawsuits bring only modest awards, and the vast majority of cases settle out of court for less than $25,000. Thanks to the skills of manipulative lobbyists, kid-glove treatment from regulators, and the absence of a unified constituency of aggrieved consumers, the credit bureaus remain insulated and haven&#8217;t had to change their practices much over the past three decades, says Hendricks, of Privacy Times. Nobody ever died from an error-riddled credit report. In fact, damages to consumers, such as losing sleep over credit history errors or having to pay higher interest rates, are difficult to quantify, much less prove in court.</p>
<p>&#8220;They&#8217;ve never been hit with tobacco-sized litigations, and the Federal Trade Commission has been very soft on the credit reporting agencies, especially in recent years,&#8221; says Hendricks. &#8220;They&#8217;ve been able to contain it all, and just write it all off as a cost of doing business as usual.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/credit-bureaus-created-perpetuate-errors-credit-history/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How the selling of fake antivirus got its start</title>
		<link>http://lastwatchdog.com/selling-fake-antivirus-start/</link>
		<comments>http://lastwatchdog.com/selling-fake-antivirus-start/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 17:22:26 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>
		<category><![CDATA[iFrames]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=1070</guid>
		<description><![CDATA[Book Excerpt Chapter 14 &#8211; Gaps in the system Pages 177-181 Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co. ISBN- 13: 978-1-4027-5695-5 Expediters As the accountant for a boutique Atlanta [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Book Excerpt<br />
Chapter 14 &#8211; Gaps in the system</strong><br />
Pages 177-181</p>
<p><em>Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co. </em></p>
<p><a href="http://zerodaythreat.com/">ISBN-13: 978-1-4027-5695-5</a></p>
<p><strong>Expediters</strong></p>
<p><img class="alignleft size-full wp-image-1071" title="andreysporaw" src="http://lastwatchdog.com/wp/wp-content/uploads/andreysporaw.gif" alt="andreysporaw" width="200" height="141" />As the accountant for a boutique Atlanta law firm, Shaillie Gattis was naturally expected to be the resident techie. Gattis actually was well qualified. Her father, Roger Thompson, made his living as a virus guru, and as a teenager, she had worked for Thompson&#8217;s antivirus start-up, Leprechaun Software, back in Brisbane, Australia, before the family moved to America. So Gattis knew her way around computers.</p>
<p>But one day in early 2005, Gattis found herself stumped. The desktop PC of a coworker was hopelessly bogged down. She took the machine to her father, who confidently broke out the best set of diagnostic tools money could buy and went to work. Four hours later, Thompson was stumped.</p>
<p>&#8220;I couldn&#8217;t get file access to delete files, so I rebooted the system to safe mode and still couldn&#8217;t manage it,&#8221; said Thompson, cofounder and CTO of Exploit Prevention Labs. &#8220;I ran other diagnostics, trying to unpick this and unpick that. I eventually rendered the system unbootable.&#8221;</p>
<p>Gattis told her father that the last thing her coworker remembered doing was an Internet search for lyrics to &#8220;Pictures,&#8221; a duet sung by Kid Rock and Sheryl Crow. So Thompson fired up a test machine he used for analyzing malicious code and did a Google search for &#8220;lyrics Pictures Kid Rock Sheryl Crow.&#8221;</p>
<p>Clicking through a few music Web sites, he eventually came to one that displayed a prominent dialogue box, dense with text, and a &#8220;close&#8221; button at the bottom. Most PC users in a hurry would click the close button to make the box disappear. But clicking the close button also began a downloading sequence.</p>
<p>Thompson clicked the close button and watched his test computer get loaded up with a swarm of malicious code, including an adware installer for embedding pop-up ads, and a back door through which the attacker could turn his test PC into an obedient bot. Thompson&#8217;s test machine then began displaying a particularly intrusive ad for SpySheriff: a sales pitch kept popping up every two minutes badgering him to pay $49.95 for a fake antispyware program that purportedly would clean up his computer.</p>
<p>Thompson also spotted something relatively rare at the time: a cloaking mechanism, called a rootkit, that rendered the malicious code inaccessible. It was the rootkit that prevented Thompson from cleaning up the law firm&#8217;s PC. With a little sleuthing, Thompson learned that SpySheriff was distributed by a Russian Web site called iframeCASH.biz, one of the pioneers of a quick, surefire way to compromise PCs: Web exploits.</p>
<p>In a Web exploit, the attacker embeds malicious code on a Web site, then sits back and waits. The victim activates the code simply by visiting a tainted Web page. The malicious code probes the visitor&#8217;s Web browser, looking for security holes. When it finds one, it installs code through the visitor&#8217;s browser that gives the intruder complete control over the now-compromised PC.</p>
<p>The iframers, and other Russian groups like them, showed boundless inventiveness deploying Web exploits. First they commissioned purveyors of porn and gambling Web sites to taint their pages with malicious code. Then they began openly recruiting &#8220;affiliates&#8221; to plant malicious code on other kinds of innocuous-looking Web sites run by the affiliates, or, even better yet, to hack into popular travel, social-networking, and retail Web sites run by others to taint their Web pages and turn them into moneymakers.</p>
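<p>The affiliates described above planted their loader on pages that otherwise looked innocuous, and the usual way of doing that gave the group its name: a frame the visitor never sees. The scanner below flags frames of that kind in a page. It is an added example, not code from the book or from any of the groups it names; the heuristics (a frame with zero size, hidden by style or pushed off-screen, or pointing at a host other than the page&#8217;s own) and the two sample pages, including the loader.invalid host, are assumptions constructed here.</p>

```python
"""Flag iframes that look planted: hidden loaders slipped into an otherwise normal page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Leading integer of a width/height attribute ("0", "1px", "100%"), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _hidden_by_style(style, offscreen_px=100):
    """True for display:none, visibility:hidden, or a negative left/top offset that
    pushes the frame off the page (the 100px threshold is an assumption)."""
    s = re.sub(r"\s+", "", style.lower())
    if "display:none" in s or "visibility:hidden" in s:
        return True
    for prop in ("left", "top"):
        m = re.search(prop + r":(-\d+)", s)
        if m and -int(m.group(1)) >= offscreen_px:
            return True
    return False


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for every iframe that trips at least one heuristic."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero-size")
        if _hidden_by_style(attrs.get("style", "")):
            reasons.append("hidden-by-style")
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host:          # relative src has no host and is skipped
            reasons.append("third-party-src")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample pages; loader.invalid is a reserved, non-resolving name.
CLEAN_PAGE = """<html><body><h1>Lyrics</h1>
<iframe src="http://lyrics.example/player" width="400" height="300"></iframe>
</body></html>"""

TAINTED_PAGE = """<html><body><h1>Lyrics</h1>
<p>Pictures, Kid Rock and Sheryl Crow</p>
<iframe src="http://loader.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://loader.invalid/ad.php" style="position:absolute; left:-1000px; top:-1000px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tainted", TAINTED_PAGE)):
        print(name, suspicious_iframes(page, "lyrics.example"))
```

<p>The third-party check alone would also flag legitimate embedded players, so on a real crawl the size and style signals are what separate an ad or video frame from a loader; a frame that is both invisible and pointed at an unfamiliar host is the pattern worth pulling for analysis.</p>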
<p>Displaying a sleek, black automobile as an example of an attainable status symbol, the iframeCASH.biz home page brazenly offered to pay affiliates $61 per 1,000 infections, no questions asked. The sedan was similar to a $124,000 Mercedes S600 known in underground circles to be the personal ride of a St. Petersburg resident in his early twenties named Andrej Sporaw, believed to be the group&#8217;s leader.</p>
<p>Web exploits took off in 2005 for a couple of reasons. First, the antispamming community had gotten highly proficient at filtering spam, thus slowing down old-style e-mail viruses, while PC users, in turn, became more wary about opening viral e-mail attachments. Second, Microsoft in August 2004 delivered Service Pack 2 for its Windows XP operating system. Service Pack 2, or SP2, represented the first fruits from the Trustworthy Computing initiative Bill Gates launched so dramatically in early 2002.</p>
<p>SP2 turned on a personal firewall that blocked unsolicited inbound connections, including the ports most commonly used by botnet controllers, and it activated Automatic Updates, a free online service set up by Microsoft to send PC users the latest security patches automatically. SP2 had a profound effect on the overall security of the Internet. All new Windows PCs sold after August 2004 came with SP2, and Microsoft launched an aggressive marketing campaign to distribute SP2 to 260 million current Windows XP users.</p>
<p>Thus SP2 put in place a basic level of security for hundreds of millions of Windows PCs, though it remained up to individual PC users to keep paid subscriptions for antivirus and antispyware protection up to date. Cybercrime gangs, like the iframers, responded by turning their full attention to Web exploits, a huge tunnel through firewalls. Thompson explained why: &#8220;When you start a browser, you punch a hole right through the firewall. Your browser immediately trusts the Web site you&#8217;re visiting and authorizes it to operate inside your firewall, so the intruder can go straight to your hard drive and install whatever he likes.&#8221;</p>
<p>By the close of 2005, Sporaw and the Russian iframers were ready to open the floodgates on Web exploits, says Mikko Hyppönen, virus hunter at F-Secure. They did so by retaining the services of a top-notch black hat virus researcher who went off in search of the next great, gaping vulnerability. In the cat-and-mouse world of criminal hacking, a security hole discovered and exploited before a patch can be developed is known as a zero day attack. The flaw is known only by the discoverer, not the public or the software vendor; day one would be the first day the vendor makes a patch available.</p>
<p>Andrej Sporaw&#8217;s iframe gang reportedly paid $5,000 to the researcher who discovered the Windows metafile, or WMF, zero day flaw, and designed an exploit to take advantage of it. Though consummately profit motivated, Sporaw took the trouble to also grab credit for what would emerge as a watershed attack. F-Secure was among the first to discover and decrypt the original WMF exploit. The Finnish security company noticed a superfluous string of numbers deep inside the code. The string turned out to be the license number of Sporaw&#8217;s Mercedes S600.</p>
<p>&#8220;We think he just couldn&#8217;t resist leaving his mark in the code,&#8221; says Hyppönen.</p>
<p>WMF was ripe for exploitation; it was a clunky old image format that became supplanted by the GIF and JPEG formats familiar to anyone who has ever worked with photos on a computer. It was one of those carelessly written features Microsoft developers churned out by the truckload in the early days of personal computing.</p>
<p>The mercenary programmer earned his $5,000 by concocting a way to take advantage of the fact that a WMF file can make Windows run code: one of the format&#8217;s escape records, SETABORTPROC, registers a callback that the graphics engine then calls, and the callback can point at whatever the file carries, including, of course, malicious programs. He crafted a corrupted WMF file that could open a back door through which the iframers could install adware and cover it all up with a rootkit. That would happen anytime someone simply viewed the doctored image. In mid-December, a wave of pop-up ads carrying corrupted WMF images began appearing on Web sites across the Internet. Anyone who saw such an ad on a vulnerable Windows machine was infected.</p>
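<p>A record-level check for the feature the paragraph above turns on. A WMF file is a sequence of drawing records; the one the December 2005 exploit abused is META_ESCAPE carrying the SETABORTPROC escape code, and a benign image has no reason to contain it. The parser below walks the records, with or without the optional placeable header, and reports that escape. This is an added example, not code from the book, from Microsoft, or from the exploit&#8217;s authors; the two sample files are constructed here, and the &#8220;tainted&#8221; one carries 32 inert filler bytes in place of a payload.</p>

```python
"""Walk the records of a Windows Metafile and flag the SETABORTPROC escape."""
import struct

META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_LINETO = 0x0213
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape code that registers a callback GDI will invoke
PLACEABLE_KEY = 0x9AC6CDD7     # magic of the optional 22-byte placeable header


def wmf_records(data):
    """Yield (function, params) for each record; sizes in the file are in 16-bit words."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                      # size field plus function word is the minimum
            raise ValueError("record size below minimum at offset %d" % off)
        end = off + size_words * 2
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Return (record index, declared byte count) for every SETABORTPROC escape."""
    hits = []
    for idx, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            escape_code, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_code == SETABORTPROC:
                hits.append((idx, byte_count))
    return hits


# --- constructed sample files (filler bytes, not exploit data) ---

def record(function, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def wmf(records):
    """Standard 18-byte header (type=memory, 9 header words, version 3.0) plus records."""
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


def placeable(body):
    """Prefix the placeable header; its checksum is the XOR of the ten words before it."""
    fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", fields):
        checksum ^= word
    return fields + struct.pack("<H", checksum) + body


FILLER = b"A" * 32   # stands in for whatever the attacker's escape data would be; inert here

BENIGN_WMF = wmf([
    record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    record(META_LINETO, struct.pack("<hh", 50, 50)),
    record(META_EOF),
])

TAINTED_WMF = wmf([
    record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER),
    record(META_EOF),
])

PLACEABLE_TAINTED_WMF = placeable(TAINTED_WMF)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("tainted", TAINTED_WMF),
                       ("placeable tainted", PLACEABLE_TAINTED_WMF)):
        print(name, find_setabortproc(blob))
```

<p>The check is deliberately narrow: it does not try to judge whether the escape data is executable, only whether a file asks for an abort procedure at all, which a picture never needs. Mail gateways and proxies of the period filtered on exactly this record once the mechanism was understood.</p>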
<p>By December 28, the security firm Websense identified more than 1,000 Web sites carrying tainted WMF files distributed by iframeCASH.biz and its affiliates. Other hacking groups jumped on the bandwagon. A tool called WMFMaker began circulating that made it a snap for anyone, even script-kiddie hackers, to spread corrupted WMF images and create their own zero day attacks, says Johannes Ullrich, CTO of the SANS Internet Storm Center.</p>
<p>By January 3, Ullrich counted 200 unique variants of WMF zero day exploits. F-Secure discovered one that sent waves of corrupted WMF images into the Google Desktop indexing service, infecting countless users of that service. Websense found one circulating on instant messaging services. Another type inserted a tiny, imperceptible tainted WMF image on banner advertisements on hundreds of Web sites. Yet another went out as an attachment in an e-mail virus.</p>
<p>&#8220;Any application that automatically displays a WMF image can be a vector for infection,&#8221; warned Alex Eckelberry, president of Sunbelt Software, in his blog. &#8220;This is a zero day exploit, the kind that gives security researchers cold chills. You can get infected simply by viewing an infected WMF image.&#8221;</p>
<p>The inaugural WMF zero day attack had been launched on Wednesday, December 14, a day after Microsoft&#8217;s Patch Tuesday for that month. The next Patch Tuesday was scheduled for January 10. That gave the iframers a full month of zero days to compromise PCs before Microsoft was scheduled to issue more patches. Releasing a new zero day exploit on the day after Microsoft&#8217;s Patch Tuesday would become a common practice. In a highly unusual move, Microsoft broke from its monthly pattern and issued a patch for the WMF zero day vulnerability on January 5, five days early. The two-week turnaround was blazingly fast compared to the weeks and often months Microsoft usually took to develop and test patches for newly discovered security holes.</p>
<p>Debby Fry Wilson, a director of Microsoft&#8217;s Security Response Center, downplayed the significance of the forces at work compelling the software giant to move so quickly.</p>
<p>&#8220;Normally we do an out-of-band release when things change or a problem is more severe than we first anticipated,&#8221; Wilson told eWeek reporter Paul F. Roberts. &#8220;In this case, the data continues to show that attacks are limited.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/selling-fake-antivirus-start/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wire transfer risk: why banks will not reimburse fraudulent ACH cash transfers</title>
		<link>http://lastwatchdog.com/banks-won/</link>
		<comments>http://lastwatchdog.com/banks-won/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 16:34:31 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=2478</guid>
		<description><![CDATA[Book Excerpt Chapter 11-Perception Change Pages 140- 144 Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity ISBN- 13: 978-1-4027-5695-5 Plausible Deniability When it comes to who gets to eat the losses from fraudulent activity, banks draw a marked distinction between individual consumers and [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal">Book Excerpt</p>
<p class="MsoNormal">Chapter 11-Perception Change</p>
<p class="MsoNormal">Pages 140-144</p>
<p class="MsoNormal">Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity</p>
<p class="MsoNormal">ISBN-13: 978-1-4027-5695-5</p>
<p class="MsoNormal"><strong>Plausible Deniability</strong></p>
<p class="MsoNormal"><img class="alignleft size-thumbnail wp-image-2486" title="joelopez276px" src="http://lastwatchdog.com/wp/wp-content/uploads/joelopez276px-150x150.jpg" alt="joelopez276px" width="150" height="150" />When it comes to who gets to eat the losses from fraudulent activity, banks draw a marked distinction between individual consumers and small-business owners. Banks don&#8217;t need the trust of their small-business customers in the same way they need consumers&#8217; trust. That&#8217;s because small businesses must have access to banking services to survive. As the financial industry pushes Internet-based commerce to the fore, small businesses have had no choice but to go along for the ride under terms dictated by their banks.</p>
<p class="MsoNormal">Consider what happened to Joe Lopez, founder of Ahlo, a Miami-based ink and toner cartridge wholesaler. An irrepressible man with close-cropped dark hair, brown eyes, and a radiant smile, Lopez built Ahlo from scratch to annual sales of $20 million the old-fashioned way, one deal at a time. When it came time to pay his suppliers or receive payment from clients, Lopez made it a practice to drive down to his neighborhood Bank of America branch and execute wire transfers in person.</p>
<p class="MsoNormal">On each such trip to the bank, a teller never failed to urge Lopez to make the switch to an online business account, for convenience&#8217;s sake. In October 2003, Lopez relented and opened an online business account. Not once during any of the relentless sales pitches, nor during the software installation, did any of the bank&#8217;s representatives drill down on the security risks of online banking.</p>
<p class="MsoNormal">&#8220;They said it was safe,&#8221; Lopez recalls from his office in a gritty industrial neighborhood.</p>
<p class="MsoNormal">On the morning of April 6, 2004, Lopez had a lot on his mind. His wife was nearing the end of a difficult pregnancy, and an important payment of $25,000 was due from a client in Venezuela. After accompanying his wife to a doctor&#8217;s visit, Lopez hustled back to his office and logged on to his online business account. Noting an entry showing a large deposit from his Venezuelan client, he breathed a sigh of relief.</p>
<p class="MsoNormal">But then a wave of nausea struck. Lopez felt his left arm go numb. Below the deposit entry was a notation describing a fresh wire transfer of $90,348.65 to Deutsche Bank. &#8220;I thought I was going to vomit,&#8221; he recalls, shaking his head. Ahlo had no business dealings in Europe.</p>
<p class="MsoNormal">Lopez immediately reported the robbery to a supervisor at Bank of America headquarters in North Carolina, who shut down online access and assigned a case number. The next day, Lopez and his assistant, Soraya Ahamed, worked the phones to retrieve Ahlo&#8217;s cash. It became clear the bank was taking no steps to do so. &#8220;The bank didn&#8217;t do nothing,&#8221; says Ahamed, Lopez&#8217;s sister-in-law. &#8220;I thought Joe was going to have a heart attack.&#8221;</p>
<p class="MsoNormal">Receiving no instructions from Bank of America, Deutsche Bank, the intermediary bank, carried out the original instructions to forward the $90,348.65 to a personal account at Parex Bank in Riga, Latvia. The beneficiary? A mysterious figure named Yanson Arnold, who showed up at Parex Bank on the morning of April 7 and quietly withdrew $20,000 in cash.</p>
<p class="MsoNormal">Back in America, Joyce Munoz, a Bank of America customer-service manager, advised Lopez that a wire recall was under way and that Ahlo&#8217;s account would soon be restored. Teresa Jones, a wire-room supervisor in North Carolina, subsequently told Lopez that the bank would issue a &#8220;provisional credit&#8221; to Ahlo in the amount of $90,348.65.</p>
<p class="MsoNormal">Relieved, Lopez resumed normal business dealings. After confirming the posting of the provisional credit, Lopez wired $25,908.74 to supplier Simon &amp; Arrington in Fort Myers, Florida. A few hours later, Audrey Collins, from Bank of America corporate security, notified Lopez that the provisional credit for $90,348.65 had been frozen, pending further investigation of Arnold&#8217;s claim of proper ownership of the money.</p>
<p class="MsoNormal">Two weeks later, Lopez&#8217;s financial world came crashing down. He received a letter from Richard Heilbron, Jr., the bank&#8217;s assistant general counsel. Heilbron took the position that since the theft could be traced to a security breach of Lopez&#8217;s computer, the bank &#8220;was not in a position&#8221; to return Ahlo&#8217;s cash.</p>
<p class="MsoNormal">The U.S. Secret Service, which is charged with investigating financial fraud, had gotten involved. Agents discovered a common data-stealing program, called Coreflood, embedded on Lopez&#8217;s hard drive. A likely scenario: Lopez&#8217;s teenaged son may have unwittingly surfed to a tainted Web page that implants Coreflood surreptitiously, bypassing the firewall and antivirus software Lopez assumed kept his home computer network safe. Coreflood carried a keylogger that took note when Lopez logged onto Ahlo&#8217;s online business account and transmitted his user name and password back to the thief.</p>
<p class="MsoNormal">Armed with the Secret Service report, Heilbron invoked a provision of the Uniform Commercial Code, a collection of rules setting legal limitations and defining liability for commercial businesses. On the surface, the UCC has the imprimatur of independence because it is overseen by two private organizations: the National Conference of Commissioners on Uniform State Laws, and the American Law Institute.</p>
<p class="MsoNormal">In reality, attorneys representing financial institutions heavily influenced drafting of the rules, says Mark Budnitz, a professor at Georgia State University’s College of Law. The banking industry interests saturate the UCC. For instance, Section 202 of Article 4A of the UCC provides that a customer order—authorized or not—is valid once the customer and bank agree on security and authentication procedures.</p>
<p class="MsoNormal">The rules make the bank responsible for “consequential damages” only if the bank explicitly agrees to be liable for such damages. Of course, most banks take pains to omit any such contract language. Thus the UCC has become a legal rampart for financial institutions to fend off a variety of lawsuits, says Budnitz. “The fingerprints of the lawyers representing financial institutions are all over this,” says Budnitz. “That’s not necessarily bad, because they understand the practicality of bank operations.”</p>
<p class="MsoNormal">Practical daily operations are one thing. Yet banks can also use the UCC as a club to sweep aside claims from small-business customers like Lopez who are increasingly becoming victims of cybercrime. Budnitz has suggested adding provisions to various sections of the UCC so as to level the playing field somewhat for consumers and small businesses. But he says his ideas were shot down by attorneys representing financial institutions.</p>
<p class="MsoNormal">Indeed, in a letter to Lopez’s attorney, Heilbron cited Article 4A of the UCC as rationale for assigning full responsibility for the robbery of Ahlo to Lopez.</p>
<p class="MsoNormal">The bank’s internal investigation can “discount fraud or hacking at our end and . . . as a matter of law, the loss resulting from the payment order, even if unauthorized, is to be borne by your client and not the bank.”</p>
<p class="MsoNormal">Bank of America canceled the $90,348.65 credit back to Lopez. Since normal business dealings had drawn Lopez’s account down, at that point, to about $77,000, the bank claimed that Lopez was overdrawn $13,532.96. “Talk about adding salt to the wounds,” Lopez says.</p>
<p class="MsoNormal">Arnold, the Latvian, would quietly slip into the shadows $20,000 richer, leaving $70,000 frozen at Parex Bank. Heilbron advised Lopez that Parex refused to return the money, and Bank of America had no legal recourse because it was a victim of fraud.</p>
<p class="MsoNormal">An exasperated Lopez was forced to sue the bank in February 2005, alleging breach of contract, negligence, breach of fiduciary duty, fraud and deceit, and intentional misrepresentation. He faced very long odds of prevailing. Corporate defense lawyers get paid handsomely by the hour to delay, distract, dissuade, and ultimately destroy individual plaintiffs. They maintain an unwavering focus on the endgame: making an example of the upstart plaintiff to discourage other individuals from filing similar lawsuits.</p>
<p class="MsoNormal">A time-honored corporate legal defense tactic is to engage in plausible deniability. It involves taking a position that can be defended by a very narrow interpretation of the facts, then daring the plaintiff to disprove the argument. To fend off Lopez, and discourage other small-business online account users from getting the same idea, Bank of America resorted to plausible deniability. After USA Today published a cover story about Lopez’s plight in November 2005, Bank of America in mid-2006 agreed to a settlement.</p>
<p class="MsoNormal">Lopez’s attorney, Ralph Patino, says his client was made whole but is constrained by the terms of the settlement from saying anything more. Patino says cybercrooks are preying on small merchants like never before, and an increasing number are left twisting in the wind. He says he’s heard anecdotally about scores of small businesses that lose several thousand dollars through theft from their online business accounts and are never able to recover any of it.</p>
<p class="MsoNormal">“I know it’s happening on a wide scale. What’s happening is you’re getting individual merchants losing small amounts of money, $5,000, $10,000, $15,000, a crack and they have no legal recourse because no one in the world is going to sue Bank of America over $15,000,” Patino says.</p>
<p class="MsoNormal">Bank of America spokeswoman Betty Reiss said it was difficult for the bank to respond to Patino’s assertion since she had “no idea where the attorney is getting his information or what it is based on.” Reiss laid out the bank’s final position: the Lopez case had nothing to do with online banking. “It is a wire transfer product used over a PC. But it was not online banking,” says Reiss.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/banks-won/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The end of hacking&#8217;s age of innocence</title>
		<link>http://lastwatchdog.com/hackings-age-innocense/</link>
		<comments>http://lastwatchdog.com/hackings-age-innocense/#comments</comments>
		<pubDate>Tue, 01 Apr 2008 15:11:34 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Book Excerpts]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=1216</guid>
		<description><![CDATA[Book Excerpt Chapter 3 Pages 38-45 Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity. 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co. ISBN-13: 978-1-4027-5695-5 &#8220;billy gates . . . fix your software!!&#8221; Precocious teenagers, disaffected computer [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Book Excerpt</strong><br />
Chapter 3<br />
Pages 38-45<br />
<em>Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity.</em> 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co.</p>
<p><a href="http://zerodaythreat.com/">ISBN-13: 978-1-4027-5695-5</a></p>
<p><strong>&#8220;billy gates . . . fix your software!!&#8221; </strong></p>
<p><img class="alignleft size-full wp-image-1219" title="billgates_sillouette" src="http://lastwatchdog.com/wp/wp-content/uploads/billgates_sillouette.jpg" alt="billgates_sillouette" width="300" height="202" />Precocious teenagers, disaffected computer geeks, egotistical virus researchers, determined spammers, all sharing varying degrees of disdain for Microsoft, most coveting each other&#8217;s respect and admiration: these were the enemies Bill Gates rallied his troops to repel in early 2002.</p>
<p>Gates had no way of knowing it at the time, but a cataclysmic shift in the attacker community was under way. A dozen years had slipped by since the Berlin Wall came tumbling down. Eastern Europe was crawling with educated, tech-savvy young men who were left to scratch for menial work in a perennially depressed economy. In North America, the dot-com bubble had burst, wiping out thousands of cushy tech jobs. With all this technical skill running around, the purist hacker&#8217;s mind-set was ripe for corruption. Hacking for profit was on the verge of becoming the new imperative.</p>
<p>The earliest manifestation of this change would surface on the Internet, in the private chat channels, where spammers began to communicate with virus writers, and on security bulletin boards, where researchers and virus hunters dissected obscure malware. This is where Joe Stewart, senior security researcher at SecureWorks, hung out.</p>
<p>Stewart never planned on becoming a virus hunter. Born in Athens, Ohio, he split time growing up between his mom&#8217;s home in Florida and his dad&#8217;s place in Arizona. An inveterate tinkerer, he and a sixth-grade buddy fiddled endlessly with a Radio Shack TRS-80 color desktop computer, staying after school every day to figure it out and teaching themselves how to program in BASIC. This was in the mid-1980s. Shortly thereafter, Stewart convinced his dad to buy a then-state-of-the-art Commodore VIC-20 desktop computer and progressed even further, sometimes running up $300 in long-distance phone charges to log on to the early techie bulletin boards.</p>
<p><img class="alignleft size-full wp-image-1597" title="joe_stewart_orange_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/joe_stewart_orange_crop.jpg" alt="joe_stewart_orange_crop" width="90" height="116" />By the time Stewart turned sixteen in the late 1980s, he considered himself fairly computer savvy. But he dropped out of computing for several years to dabble in becoming a rock musician, until one day in 1996 when his mom gave him her worn-out desktop computer. It had an outdated 386 microprocessor; Mom had purchased an upgraded 486 for herself.<br />
&#8220;The motivation of being broke and having a wife and baby to support really kicked my learning back into high gear,&#8221; says Stewart. Four years later, Stewart found himself part of a select group of perhaps 200 virus hunters, the vast majority young males. These Internet sleuths worked at tech-security companies such as Symantec, McAfee, Trend Micro, Computer Associates, Sophos, F-Secure, MessageLabs, Postini, and several dozen smaller niche players. They had in common with mainstream software programmers a high aptitude for math and problem solving, but they also brought something extra to the table: a healthy sense of injustice.</p>
<p>&#8220;I&#8217;ve always admired a good hack, but modern viruses are not displays of skill; they are simple brutes that are polluting and pillaging the Internet landscape,&#8221; says Stewart. &#8220;It&#8217;s the powerful taking advantage of the weak. I&#8217;m disgusted at how they [criminal hackers] are so ready and willing to destroy what I view as one of mankind&#8217;s greatest developments, all for their own selfish greed.&#8221;</p>
<p>Stewart rose rapidly in his chosen field and landed the position of lead network intrusion analyst at LURHQ, a Myrtle Beach, South Carolina, tech-security firm that would later merge with SecureWorks. In August 2002, Stewart caught wind of a mysterious new type of proxy server that could be installed on compromised PCs in stages. This allowed the virus writer to send parts of the malware from different Web sites, the better to elude the virus hunters.</p>
<p>&#8220;The complete installation would happen in stages, sometimes over several days,&#8221; says Stewart. &#8220;The subsequent stages completely replace the first stage. Once the second stage takes over, the virus is removed and no longer spreads from that host.&#8221;</p>
<p>Once fully installed, this new type of proxy server could be used to relay spam or participate in DDoS attacks. It was ominous for another reason: Because standard proxy servers relayed data over &#8220;well-known ports,&#8221; they were easy to blacklist. But this new type could use any port.</p>
<p>Internet port numbers are categorized in three ranges: ports 0 through 1,023 are the so-called well-known ports, assigned to very specific purposes; ports 1,024 through 49,151 are available for general use; and ports 49,152 through 65,535 are for private communications. With this new proxy server, the entire range of ports was now in play for hackers.<br />
On January 9, 2003, virus hunters took note of an obscure little e-mail virus, which they came to refer to as SoBig.A, launched from the spoofed e-mail address big@boss.com. SoBig.A used a variety of enticing subject descriptions to get victims to click on a tainted attachment.</p>
<p>Once activated, it launched into two tasks: spreading itself to every e-mail address it could find, and visiting a designated Web site, hosted at www.geocities.com, for further instructions. When Stewart visited the Geocities Web site, he found a Web-page link that led nowhere: www.blahblahblahblah.com. Stewart had a hunch. He repeatedly checked the Web site over a period of several hours, and, sure enough, caught the virus writer periodically dropping in the real link.<br />
&#8220;He was trying to protect the progression from analysis,&#8221; Stewart says.</p>
<p>The real link directed the infected PC to another Web page to download stage two of the malicious program, and then to yet another Web page to download stage three. &#8220;It was quite successful at this,&#8221; says Stewart. &#8220;Thousands of proxy servers were surreptitiously installed on computers worldwide.&#8221;</p>
<p>SoBig.A got choked off when Internet service providers (AOL, MSN, EarthLink, and others) began to block all e-mail from big@boss.com, and Web site host Geocities cut off the designated Web site.</p>
<p>But SoBig.A&#8217;s author wouldn&#8217;t be discouraged so easily. On May 19, SoBig.B began spreading. It purported to come from support@microsoft.com and contained several improvements. For instance, it ran every time the user turned on his or her computer, and it sought to spread itself to any corporate servers that happened to be sharing a data-exchange link with the infected PC. By far, SoBig.B&#8217;s most distinctive new feature was this: the virus turned itself off after two weeks.</p>
<p>The day SoBig.B expired, SoBig.C appeared with more improvements. It, too, turned off after two weeks. SoBig.D followed, then SoBig.E. Like infectious bacteria mutating in response to antibiotics, each variant tried different ways to counter Geocities, which moved quickly to shut down the Web sites the infected PCs were instructed to report to.<br />
&#8220;All the versions were very similar; they just kept improving, version after version, like a software development project,&#8221; says Mikko Hyppönen, chief research officer at F-Secure. &#8220;It was done professionally. Someone was investing money.&#8221;</p>
<p>After SoBig.E went mute in mid-July, no more variants followed, leaving Stewart, Hyppönen, and their fellow virus detectives to believe the SoBig virus family had run its course. They were wrong. But before anyone could contemplate the deeper significance of a virus strain that steadily improved with each iteration, MSBlast stormed the Internet.</p>
<p>MSBlast took absolutely no one in the close-knit community of vulnerability researchers and virus sleuths by surprise; quite the opposite. Something like MSBlast had been widely predicted early in the summer of 2003 after a Polish group of white hats, calling themselves the Last Stage of Delirium, notified Microsoft about a gaping hole in a Windows component called remote procedure call, or RPC, which allowed PCs to share files and use the same printer.</p>
<p>The Polish researchers had discovered that it was possible to overwhelm RPC by sending it too much data. Once overwhelmed, RPC would let the attacker have full access to the computer. This flaw existed on PCs running Windows XP, Windows 2000, Windows NT, and Windows Server 2003: hundreds of millions of machines worldwide. Any Windows computer connected to the Internet with RPC enabled was a ripe target.</p>
<p>On July 16, Microsoft issued a patch for the RPC hole and gave the Last Stage of Delirium credit for flushing it out. Nine days later, a group of Chinese researchers calling themselves Chinese X Focus posted a &#8220;proof of concept&#8221; RPC exploit on several security bulletin boards. The exploit showed how to overwhelm RPC and take control of the machine. It was only a matter of time before a black hat stepped forward to copy or improve upon the Chinese exploit, and release it on the Internet. The glory was there for the taking.</p>
<p>The inevitable occurred on August 11, just twenty-six days after Microsoft issued the RPC patch. Hardly anyone had installed the patch. A self-propagating worm, christened MSBlast, began searching out unpatched PCs and infecting them at an incredible rate. In contrast to the SoBig e-mail viruses, which had been handled like a series of carefully controlled pilot tests, MSBlast raced out of the starting blocks and cried out for attention.</p>
<p>Stewart was among the first virus hunters to reverse engineer MSBlast. He found this cryptic message buried inside the code:<br />
billy gates why do you make this possible? Stop making money and fix your software!!</p>
<p>That brash admonishment told the virus hunters that MSBlast&#8217;s author almost certainly came from the subculture of braggarts who get a charge out of wreaking havoc on the Internet to make a name for themselves. By contrast, SoBig&#8217;s creator was a model of discreetness, clearly cut from different cloth.</p>
<p>&#8220;When it came to the motive behind a particular piece of malware, we were starting to see it separate into two groups: profit versus nonprofit,&#8221; says Stewart. &#8220;The nonprofit virus author wants to raise public awareness of viruses, but the for-profit virus author does not. Ideally, the for-profit author wants to use your computer for as long as possible without being discovered.&#8221;</p>
<p>MSBlast was anything but quiet. Within twenty-four hours, MSBlast breached 120,000 computers around the world; each infected computer, in turn, scoured the Internet for more vulnerable targets to infect. At its peak, MSBlast infected 4,000 PCs an hour. Corporate systems crashed under the surge of traffic.</p>
<p>A number of tech-security experts remain convinced to this day that the intense spreading of MSBlast contributed to a major power blackout that darkened New York, Toronto, and Detroit on August 14; while the fast-spreading worm may not have directly caused the outage, it very well could have crippled computer systems that could have kept the outage from spreading.<br />
MSBlast did more than spread like wildfire. To add insult to injury, it implanted a bot instructed to stand by for an August 15 DDoS attack on windowsupdate.com, the Web site where Microsoft distributed security patches. Microsoft went into crisis mode to blunt the impending assault, and managed to do so at the eleventh hour. The software giant narrowly escaped infamy. Imagine the irony of a Windows virus spread via an unpatched security hole knocking out the Web site that distributed Windows patches.</p>
<p>The full scope of how invasive MSBlast turned out to be wouldn&#8217;t be known until Microsoft assigned an anti-malware program manager named Matthew Braverman to analyze the effectiveness of the MSBlast cleanup tool. Braverman found that within six months of making the removal tool publicly available, &#8220;Microsoft recorded approximately 25 million downloads and 12 million executions. In other words, over 25 million unique computers were identified as being infected by MSBlast,&#8221; Braverman wrote in his report.</p>
<p>MSBlast also left behind an easy-to-find back door. During the time those 25 million PCs were infected with MSBlast, any novice hacker could have skipped along and slipped in bots of his or her own, or any spamming group could have implanted proxy servers.</p>
<p>MSBlast&#8217;s creator was never caught. However, on August 29 FBI and Secret Service agents stormed an apartment in Hopkins, Minnesota, and arrested Jeffrey Lee Parson, eighteen, a senior at Hopkins High School. They were led to the apartment Parson shared with his parents by a clue buried in the coding of a variant of MSBlast. The clue was the address for a Web site belonging to Parson where he stored a stash of viruses alongside lyrics to songs from Judas Priest, &#8220;Weird Al&#8221; Yankovic, and Megadeth.</p>
<p>It turned out that the six-foot-four, 320-pound Parson was responsible only for a copycat variant of MSBlast that infected 48,000 PCs and caused an estimated $1.2 million in damage, prosecutors said. U.S. District Court judge Marsha Pechman described Parson as a lonely teenager who created his &#8220;own reality,&#8221; rarely leaving his bedroom. He served an eighteen-month jail sentence.</p>
<p>&#8220;Jeffrey Lee Parson foolishly considered himself an untouchable,&#8221; says Ken Dunham, director of the rapid response team at iDefense, a VeriSign company. &#8220;His arrest proved how overconfident some adolescents can become in the security of their own online worlds.&#8221;</p>
<p>The tumult over MSBlast must have struck SoBig&#8217;s profit-minded author as a golden opportunity. What better time to release the ultimate SoBig e-mail virus than when MSBlast&#8217;s braggart author commanded the full attention of virus hunters, law enforcement, and the media?</p>
<p>On August 18, an e-mail luring recipients to open an attachment containing pornographic images began circulating all across the Internet. SoBig.F was now on the loose. It fired off copies of itself to every e-mail address it could find on the hard drive, using a technique called &#8220;multithreading&#8221; for faster spreading.</p>
<p>Borrowing a refinement from SoBig.E, the attachment came in the form of a zip file so as to pass through e-mail systems that had begun to deny executable (.exe) attachments. Borrowing from SoBig.D, it implanted a bot tasked to report to not one, but twenty different Web servers around the world: PCs compromised by earlier SoBig variants, now standing at the ready to release the second and third stages of the attack.</p>
<p>&#8220;The worm writer learned two lessons from the endless cycle of Geocities closing the sites: stealth and redundancy,&#8221; says Stewart.</p>
<p>But the SoBig.F bots never downloaded stages two and three. The virus hunters and law enforcement agencies collaborated to get Internet service providers to take nineteen of the twenty Web servers off line. Seeing the good guys closing in, SoBig&#8217;s backers held off sending further commands through the one Web server left standing on August 22.</p>
<p>Chalk one up for the good guys. Yet an ominous unease lingered in the aftermath of MSBlast and SoBig. Defending the Internet had become orders of magnitude more complex. It was one thing to repel immature braggarts out to bedevil giant corporations and make political statements; it was quite another to also have to deter well-funded criminal elements methodically refining tried-and-true hacking techniques to make a profit.</p>
<p>The MSBlast worm appeared to be the work of a vigilante looking to chastise Microsoft, much like Onel de Guzman, the author of the ILOVEYOU virus, had done. By contrast, whoever was behind the SoBig family of viruses did not want attention of any kind. The incremental improvements in each version, from SoBig.A in January to SoBig.F in August, progressed exactly like a professional software development project. SoBig&#8217;s creators appeared to be dead serious about perfecting a virus that could infect a large number of computers for the express purpose of turning them into spamming machines and making a ton of money.</p>
<p>&#8220;The proof point is simply in the design of the virus,&#8221; says Stewart. &#8220;The typical moneymaking virus installs spam proxies or tries to steal passwords. We saw these activities with SoBig, but not with MSBlast.&#8221;</p>
<p>Hacking&#8217;s age of innocence was fast coming to a close.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/hackings-age-innocense/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

