It's war out there as hostilities intensify between propagators of computer malware and those in the business of eradicating it.
British company Sophos, whose facilities in Sydney, Boston, Vancouver and Oxford form a virtual frontline against incoming security threats, is dealing with about 20,000 submitted threat samples a day.
Of those, about 1000 are new strands of malware that haven't been seen before, says Paul Ducklin, the company's Asia-Pacific head of technology.
If that sounds like a lot, it is. It compares with the 1000 viruses or trojans that appeared in the roughly seven years after the phenomenon first arose.
"That gives you an idea of how the scale of this has changed now that there is money in it."
To hear Ducklin describe it, the language and tactics of old-fashioned warfare have been neatly translated to the virtual world. A battle that has been raging for the past few months is against Conficker, a worm also known as Downadup.
It appeared last November and is reputed to have infected millions of PCs, including more than 2000 at the Ministry of Health. Last week reports revealed that it had also hit Britain's Houses of Parliament, infecting computers used by MPs and parliamentary staff.
In February Microsoft put up a US$250,000 ($444,755) bounty for information leading to the arrest and conviction of its perpetrators.
But the Conficker posse may be lucky to apprehend anyone. And, according to Ducklin, there may not be much point, since the threat of the worm doing anything more harmful than installing itself on your PC looks increasingly unlikely.
That's because Sophos - and, undoubtedly, the other companies that form the frontline against malware - have a pretty good understanding of what Conficker does.
For a start, they know how it spreads. Once on an organisation's network, it uses two main methods: it exploits a Windows vulnerability and it cracks passwords from a shortlist of obvious ones. Both methods, Ducklin points out, were used 20 years ago by US student Robert Morris, creator of the worm bearing his name that brought down much of the internet.
Conficker has an algorithm that instructs infected computers to connect to a web address determined by the date.
"It is setting up all these bridgeheads, but instead of calling out to HQ for instructions, they call out to these addresses which don't yet exist. The good news is, we know how the algorithm works so we can calculate what the domain names will be."
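The defender's side of the point above, as an added illustration that is not from the article and does not use Conficker's real algorithm: a hypothetical date-seeded domain generator, the precomputed list for a date range, and a scan of constructed DNS query log lines for lookups of those names.

```python
import hashlib
import datetime as dt

# Hypothetical date-seeded generator, NOT Conficker's real algorithm:
# each calendar day yields a fixed set of names, so a defender who knows
# the scheme can compute them as easily as the infected machines can.
TLDS = ("com", "net", "org")

def domains_for_date(day_iso, count=5):
    """Return the `count` domain names for the given ISO date string."""
    day = dt.date.fromisoformat(day_iso)
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # map hex digits onto letters to get a plausible-looking label
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

def precompute(start_iso, days):
    """Map every generated name in the next `days` days to its date."""
    start = dt.date.fromisoformat(start_iso)
    table = {}
    for offset in range(days):
        day = (start + dt.timedelta(days=offset)).isoformat()
        for name in domains_for_date(day):
            table[name] = day
    return table

TABLE = precompute("2009-04-01", 7)  # the week from the April 1 date in the article

# Constructed DNS query log (not real traffic): one client looks up a
# generated name for 2009-04-02, the other lines are ordinary lookups.
SAMPLE_LOG = [
    "2009-04-02T10:00:01 10.0.0.12 query A www.example.com",
    "2009-04-02T10:00:05 10.0.0.12 query A " + domains_for_date("2009-04-02")[0],
    "2009-04-02T10:00:09 10.0.0.33 query A updates.example.net",
]

def find_lookups(log_lines, table):
    """Return (timestamp, client, name, date) for each query in the precomputed table."""
    hits = []
    for line in log_lines:
        ts, client, _, _, name = line.split()
        if name in table:
            hits.append((ts, client, name, table[name]))
    return hits
```

A client that queries a name from the table before that name is registered is a strong sign of infection, which is why precomputed lists are fed to DNS blocklists and sinkholes.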
It's considered unlikely that Conficker's creators will attempt the next step - downloading software to its zombie army that then uses it for sending spam, for example - because they'll be too easily traced. In a sophisticated twist, Conficker has built-in software to ensure no one else exploits the army of infected computers. Ducklin says it verifies that whatever is downloaded from the list of domains is cryptographically signed.
"So they're preventing anyone else from muscling in on their botnet."
As April 1 passed, security specialists were nervous that Conficker might flicker back into life, but that appears not to have happened.
It's virtual war out there, all right. And, as in the physical kind, mercenaries are doing some of the fighting.
Freelance exploit hounds - people who spend their time probing for weaknesses in operating systems like Windows and Linux and other widely used software - have been around for a long time.
Mostly they operate by an informal protocol, whereby they will tell the vendor about any software flaw found, allowing a fix to be written before the world at large is alerted. No money changes hands.
Now, however, a market is developing for vulnerabilities. US company Tipping Point will pay thousands of dollars for details of newly discovered vulnerabilities and then act as go-between with the vendor of the compromised software. It's unclear whether Tipping Point asks for payment from the vendor concerned.
Ducklin met a researcher at an Australian security conference who bought a new kitchen with the proceeds of one vulnerability he found. "I haven't made my mind up yet on the morality of this."
Another development Ducklin is unsure of is making it compulsory to disclose security breaches, such as the 2007 case in Britain in which the Revenue and Customs agency lost computer tapes with personal details, including bank account numbers, of 27 million citizens.
The reasoning is that coming clean about such slip-ups, as is mandatory in the US, is necessary to alert the potential victims. The trouble is, Ducklin says, it also alerts scamsters to opportunities that they can attempt to exploit.
"It tells them so-and-so organisation has had a problem so they can send emails to all their customers with a phish."
Given all the cunning the baddies already exhibit, that's probably help that they do not need.
How the worm turns
Known as: Conficker, Downadup, Downup and Kido.
First detected: November 2008.
Targets: Various Windows operating systems.
What it does: Installs itself on your PC and instructs it to connect to web addresses. Can disable services such as Windows Security Center and automatic updates, and block access to antivirus websites.
Removal: Tools available from Microsoft and many other computer-security companies.
Ultimate purpose: Unknown.
Anthony Doesburg is an Auckland-based technology journalist.
Anthony Doesburg: Computer malware spurred by profit motive