PC virus threat over week of April 1st

SECURITY WAS pushed back to the top of the agenda this week with news emerging over the weekend of the Chinese GhostNet and April Fool’s Day passing with the Conficker worm failing to deliver its payload.

The GhostNet was discovered by Canadian security researchers and was found to have infected thousands of government computers in 103 countries. Once installed on PCs, the software was able to send documents back to its creators and even control the PC microphones and webcams.

Although the attacks emanated from China, the Chinese government has denied any involvement.

In contrast to the targeted attacks carried out by GhostNet, Conficker may have infected up to 10 million machines around the world, using a weakness in the Windows operating system which has since been patched.

Although Conficker and many variants of it have lain dormant on infected machines, the virus was designed to begin communicating with its authors from April 1st. As a result, security experts believed that Conficker might deliver its payload on April Fool’s Day by responding to whatever commands were sent out by its authors.

“This is like having a multiple of sleeper cells in every city and country in the world but we don’t know what instructions they are going to be given,” says Conor Flynn, a director of security firm Rits.

Conficker operates in a similar manner to Blaster and other worms which proliferated quickly over the internet. But the reach of Conficker suggests that people are still not taking the basic steps of automatically patching their operating system, using a firewall and keeping an anti-virus package up to date, according to Michael Hofmeyr, a consultant with Deloitte Touche’s enterprise risk services division.

Although people have little excuse for being infected, Mr Hofmeyr credits Conficker with being more sophisticated than the average worm. “Once it gets on your system, it patches the vulnerability it used to get in, to make sure no one else can take over the machine,” explains Mr Hofmeyr.

While GhostNet targeted the machines of diplomats, media outlets and even the Dalai Lama, Mr Flynn says it is “more sinister and disturbing” because the current generation of security products would struggle to prevent it.

“An attack like this will not be detected by anti-virus software because it is brand new,” explains Mr Flynn.

“The anti-virus companies need a large number of people to report back an attack so that they can include it in their signature files. A custom trojan horse used to target a small number of companies may never be picked up.”

Security experts say that the discovery of GhostNet shows that it is time to move to heuristic security products which detect and prevent suspicious behaviour on a PC. The current generation of products relies on detecting the unique signature of a known piece of malware.

“The industry has been slow to react to this kind of targeted attack and move away from signatures,” says Mr Flynn.