November 1, 2010

“It’s a bit worrying,” I said to James Lyne, senior technologist at Sophos, “when a criminal gang is so capable and so resourced that they can find and afford to use multiple zero-day exploits in a single attack.” I was of course referring to Stuxnet.

James Lyne, senior technologist at Sophos

“Yes,” he replied. “But the problem here is that when you look at Stuxnet, it’s actually quite sloppy. It has been over-hyped as the pinnacle of malware when really there is much worse stuff out there. What’s clever about Stuxnet, and both alarming and interesting at the same time, is the low-level expertise and knowledge that is required to write the driver that attacks that particular command and control system. But they tried to distribute it everywhere simultaneously. It was not very targeted, which would have been the smart thing to do if they were seriously after key points of infrastructure. It was a bit all over the place; and ultimately quite easy to detect. We haven’t, for example, had to constantly update our definitions to deal with new versions – it’s not particularly fast-moving and is quite static.

“But,” he continued, “there is a malware campaign called Virtumundo which is produced by an organised criminal gang. We know they are organised because we run into forums online where they’re providing support; and there are tools available that you can purchase. It’s a multi-level organisation, much like we have seen with Zeus – and where you have this degree of organisation you will also get research, innovation and development. The Virtumundo campaign makes Stuxnet, and even Conficker, look like a pussycat. It is horrifically difficult to detect. When it first appeared it slashed through all of the vendors’ defences that had effectively been relied upon for the last 25 years; and has required the vendors to fundamentally change the way they do detection. This Virtumundo gang is associated with much of the fake anti-virus that most people have seen floating around. It has a huge distribution on the internet – and what they’re doing is compromising computers, mining them to find out what kind of data or systems is acceptable on those computers, and then they’re selling those computers to specialised organised criminal gangs.

“So, yes, what we are facing with malware is organised criminal gangs – and they are growing more and more organised. They are recruiting and working intelligently in communities which we often get to infiltrate. But most terrifying of all, as they continue to be successful at taking advantage of poorly protected people, they are building a base of resources that any government or vendor will struggle to match.”

That’s it then. Stuxnet is definitely a government job seeking to increase NSA/CIA/MI5 budgets. It’s simply not good enough to be organized crime.