February 20th, 2006


Our Cyberpunk Present: Script-Kiddie Botnets = Gangster Supercomputers (part 1)

There's some really good, if incomplete, coverage in this weekend's Washington Post of the real reason there's at least one new Windows virus detected in the wild every day. For a pretty good set of human stories, and some pretty good minimally technical explanations, see Brian Krebs, "Invasion of the Computer Snatchers," Washington Post, Sunday, February 19th, 2006, page W10. (Registration, aggravatingly, required.) Wired News has been providing good coverage of this for about the last six months, and I've picked up some extra bits from Slashdot and from various computer security industry publications, websites, and technical webcasts, and I may be able to lend a little perspective from my own years on both sides of the game.

I had somebody ask me just the other day what possesses hackers to go to the trouble of releasing a new virus every day. What could possibly be motivating them to do that much work? Well, the question starts off as somewhat naive. There actually isn't that much work involved. Virus writing, like a lot of computer applications development these days, doesn't actually involve a whole lot of programming. There are graphical, point-and-click toolkits that get updated at least as often as any of the proprietary anti-virus packages. (And what these toolkits turn out isn't really a virus in the old sense of a self-spreading prank; it's a bot, a program that quietly enrolls the infected machine in a network of thousands of others that take orders from whoever is running the toolkit. More on that below.) The toolkit authors don't use the same Concurrent Versions System (CVS) software that the Open Source movement, and most corporations, use to let multiple people edit one program at the same time, if only because, at the current state of the art, a version control server is a single central source that'd be easy for the anti-virus companies and law enforcement to target. But the toolkits are coded in the same programming language, and share enough common ancestry in their code, that any code fragment posted to a chat room has been folded into all of them within 48 to 72 hours. The net result is that as soon as any end user in the virus industry finds a new exploit, somebody codes a module for it and adds it to the toolkits. Anybody who hangs around the right online chat rooms, or who even checks in every day or two, can upgrade his virus with the latest technology and re-launch it as often as he needs to, and no more programming expertise is required than to set up a simple report in Microsoft Access, or to sort and add up a table of numbers in Microsoft Excel. (Hence the dismissive nickname the end users get from the few real programmers, a nickname that goes back to the earliest days of the industry: script kiddies.)

But what's the incentive that keeps the toolkit creators working on their products, and that drives the script kiddies to spend as much time updating their viruses as they do downloading pr0n? Big damned money. Organized crime money. How much money? One of the more notorious gangsters in the industry just bought himself a gold medal in the Winter Olympics, outright, for cash, to go with his fleet of Lamborghini sports cars. That guy in Boston who whacked his wife and kid, then fled to England thinking he'd get away with it? Guess what he did for a living? And cops in Brazil rolled up one operation that stole at least $4,600,000 by way of computer viruses. Most of them were teenagers. And those are just this weekend's news stories on the cyber-gangster front. The only reason you don't see big-ticket crimes like the one in Brazil more often isn't that it's difficult. On the contrary, the toolkits include software to steal that kind of money as a built-in feature. It's just that most of the adults in the business know that if you steal that kind of money all at once, it attracts attention. No, street-level cyberpunks like the kid in Oklahoma who was featured in the WaPo article are the norm. He works about 15 to 20 minutes a day, which is all the time it takes him to earn about $6,800 a month for his contribution on behalf of organized crime, or, to add that up for you, about $80k US per year, tax free. He's a 21-year-old high school dropout.

(He's also dead meat. Oh, not literally, but his criminal career is over. The reporter screwed up and inadequately protected the guy's identity. When I last checked Slashdot, only a couple of hours after the story broke, they had his location narrowed down to about two blocks. Presumably by the time some of you read this, his identity will be in the hands of law enforcement. This will do the rest of us absolutely no good, any more than busting J. Random Lawyer as a dealer for splitting a kilo of cocaine with his partners will put a dent in the only slightly larger organized drug dealing industry.)

Where in the heck is the money coming from to pay script kiddies $80 large a year, pay even bigger slices to the guys who manage the virus construction toolkit projects, and still make the kind of money it takes for the gangsters at the top to live like Donald Trump and pay for an Olympic training regimen out of their pocket change while only working at it a couple of months a year? Well, you see, the reason this isn't obvious to some of you is that you're still thinking of a virus as an annoying piece of software that crashes your computer at random. Viruses aren't about individual computers any more. Each infected machine is one node in a botnet, and a botnet is a bigger, faster, more massively parallel supercomputer than the US Department of Energy uses to simulate nuclear weapons tests. We're talking about the distributed computing technology developed for the Search for Extra-Terrestrial Intelligence, combined with the technology that Google uses to make it possible for them to cheaply and instantly search every page on the Internet for millions of users per day. And the gangsters get to use it for next to free, without any government regulation, subject to no taxes or laws, for any criminal enterprise that can be furthered by effectively unlimited computer power.

(Next: At least fifteen to twenty of you, I'm guessing, work for the mobs and don't know it, distributing child pornography, robbing banks, selling fake prescription drugs to seniors, and running at least two types of big-money stock market scams that have the potential to dwarf WorldCom. The things you think you're doing to keep from helping them probably aren't working, because they're based on mental models of how this stuff works that are several years out of date. Even if you are managing to stay out of the rackets, you might not be in a couple of weeks, but don't feel isolated: the professionals are in the same bind. You can't get out of the rackets; you can only get out of the rackets temporarily. You haven't even gotten paid for your work, but if anybody actually goes to jail for it, it's more likely to be you than the gangsters running the operations, because law enforcement and the computer security industry are approaching this from the wrong angle, and show no signs of smartening up. And the mobs have only just begun to scratch the surface of what this technology can do.)