August 18, 2005
Social dynamics
"May you live in interesting times", goes a supposedly Chinese saying. Technological advances and the rapid evolution of software and hardware leave no doubt that we DO live in interesting times.
Fraud and crime have been with humanity since the very beginning. I will not debate the issue of good vs evil here, but I will touch a little on computer malware.
Yesterday it occurred to me that the evolution of malware is conditioned by three major factors:
1. Technological advances
2. The bad guys coming up with new methods of attack
3. The evolution of security technologies
Actually, there is another factor which may be less obvious, but one that for sure affects the evolution of malware:
4. The social dynamics
During the past years, the evolution of malware was conditioned mainly by technological advances, point one in the list above. Basically, I'm talking about widespread access to the Internet and the proliferation of Internet-borne malware. Points two and three have been there too and played a secondary role - people upgrading from 2000 to XP, firewalls, IDSes, better heuristics, all of these have affected the way malware is written and deployed on the Internet.
On Wednesday, August 17th, people woke up to the chaos of Botori. On CNN, millions of people could watch the worm do its deeds, crashing Win 2000 machines. The renowned antivirus expert Kevin Mitnick provided a statement on the worm; I won't go there this time, though.
What is interesting about Botori is that while CNN was broadcasting chaos, there were virtually no reports of it on Smallpot. Zero, nada, nil, null. Of course, since the Sasser incident it has been almost impossible to make port 445 connections over the Internet. In Romania, they are probably blocked completely at ISP level. So how could Botori cause an outbreak when it can't spread over the Internet?
The clever readers have by now guessed the answer - Botori causes _local_ outbreaks, whenever it can reach critical mass. The worm is not able to reach many machines over the Internet because these days everybody is firewalled. However, local networks have no firewalls inside them - when an infected laptop is brought into a network with, say, 50 Win 2000 machines, chaos erupts. This is why small companies and the casual Joe Internet user weren't affected. On the other hand, big companies, running large networks of computers around the world, practically their own scaled-down versions of the Internet, were hit badly.
After years of learning the hard way, people have secured themselves behind their impenetrable firewalls, filtering all e-mail and stripping all executable content. Everybody felt secure and confident that nothing bad could happen. So the blow from the inside was even worse, because it was totally unexpected.
A couple of years ago, the Internet was a large community with no walls. People have since started to put walls between their neighbourhoods, and now malware can't easily go just about everywhere. However, there are still no walls inside the neighbourhoods, and when a worm is let loose in a big one, it can certainly wreak havoc.
The fact that the worm was designed mainly to target local networks is proof that the author understands point four - social dynamics. And we can be sure the worms of the future will build on this ground.
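The mechanism described above (walls between the neighbourhoods, none inside them), as an added Python model that is not part of the original post and is not the worm's code: a toy scan-and-infect loop in which TCP/445 is dropped between network segments but always reachable within one. The segment layout, host names and counts (50 unpatched Windows 2000 machines, one patched file server, a home PC behind its own firewall) are constructed assumptions chosen to mirror the post's scenario.

```python
"""Toy model of why a port-445 worm is quiet on the Internet but explodes
inside a flat LAN.  Added illustration, not code from the post or the worm;
the segment layout and host counts below are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    net: str          # the segment ("neighbourhood") the host sits in
    vulnerable: bool  # unpatched and listening on TCP/445
    infected: bool = False


class World:
    def __init__(self, hosts, allowed_445=()):
        self.hosts = {h.name: h for h in hosts}
        # (src_segment, dst_segment) pairs across which TCP/445 is permitted.
        # Inside a single segment there is no wall at all.
        self.allowed_445 = set(allowed_445)

    def reachable_445(self, src, dst):
        if src.net == dst.net:
            return True
        return (src.net, dst.net) in self.allowed_445

    def run_worm(self, seeds):
        """Scan-and-infect until no reachable vulnerable host remains.
        Returns the sorted names of every infected host."""
        frontier = []
        for name in seeds:
            self.hosts[name].infected = True
            frontier.append(name)
        while frontier:
            src = self.hosts[frontier.pop()]
            for dst in self.hosts.values():
                if dst.infected or not dst.vulnerable:
                    continue
                if self.reachable_445(src, dst):
                    dst.infected = True
                    frontier.append(dst.name)
        return sorted(h.name for h in self.hosts.values() if h.infected)


def lan(segment, count, prefix):
    """`count` unpatched Windows 2000 boxes on one segment (constructed)."""
    return [Host(f"{prefix}{i:02d}", segment, vulnerable=True) for i in range(count)]


def scenario_internet_scan():
    """An infected box on the Internet scans 445; every border drops it."""
    hosts = [Host("evil-box", "internet", vulnerable=True),
             Host("home-pc", "home", vulnerable=True)]   # behind its own firewall
    hosts += lan("corp", 50, "w2k-")
    hosts.append(Host("fileserver", "corp", vulnerable=False))  # patched
    return World(hosts).run_worm(["evil-box"])


def scenario_laptop_on_flat_lan():
    """Same perimeter, but the seed is a laptop plugged into the flat corp LAN."""
    hosts = [Host("laptop", "corp", vulnerable=True)]
    hosts += lan("corp", 50, "w2k-")
    hosts.append(Host("fileserver", "corp", vulnerable=False))
    hosts.append(Host("home-pc", "home", vulnerable=True))
    return World(hosts).run_worm(["laptop"])


def scenario_segmented_lan():
    """The corp LAN split into two segments with 445 filtered between them."""
    hosts = [Host("laptop", "corp-floor1", vulnerable=True)]
    hosts += lan("corp-floor1", 25, "f1-w2k-")
    hosts += lan("corp-floor2", 25, "f2-w2k-")
    hosts.append(Host("fileserver", "corp-floor1", vulnerable=False))
    return World(hosts).run_worm(["laptop"])


if __name__ == "__main__":
    for scenario in (scenario_internet_scan, scenario_laptop_on_flat_lan,
                     scenario_segmented_lan):
        print(f"{scenario.__name__}: {len(scenario())} infected")
```

The three scenarios give the post's argument in numbers: the Internet-side scan infects nobody beyond the seed because every border drops 445; the same worm on one laptop inside the flat LAN takes every unpatched machine in the segment (51 hosts, the patched file server untouched); and filtering 445 between two internal segments confines it to the laptop's own floor (26 hosts). That last filter is the wall inside the neighbourhood that the post observes nobody had built.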
Interesting times, indeed.
Posted by Costin Raiu at August 18, 2005 2:49 PM