Sven Jaschan wanted to be seen as a hero to the millions of victims battling Bagle and Mydoom worms at home and work. Especially to his vocational school peers who had shunned the shy teen until they realized his virus-writing skills and encouraged him to produce a more malicious program.
First, he created the e-mail-borne worm Netsky to take on Bagle and Mydoom. Then came Sasser, which entered enterprises simply by scanning the Internet for networks yet to install a critical security patch. Companies worldwide reeled from infestations. Sasser made the news, as Jaschan had hoped, but it also made him nervous and he told his newfound friends he was calling it quits. But instead he was calling a lawyer several weeks later after his arrest with the aid of a classmate trying to claim a $250,000 reward.
Jaschan, 19, is expected to be sentenced today by a German judge for computer sabotage, data manipulation and interfering with public corporations related to $154,000 in damage his Sasser worm caused three German city governments and a public TV station in April 2004.
Essentially working alone and motivated by publicity, not profit, Jaschan represents a typical teen hacker -- five years ago. Today, the 14- to 18-year-olds that previously compromised networks for bragging rights now serve as foot soldiers of organized crime rings that dominate the digital underworld.
"The 14- to 18-year-olds are now the leaf nodes to a much larger tree," explains Jimmy Kuo, senior research fellow at the AVERT Lab of Santa Clara, Calif.-based security provider McAfee Inc. "There's an organization at the top now controlling this whole structure." @12016
Hide 'n' Sneak
In the past three to five years, the digital underground has moved from being inundated with script kiddies and hacktivists defacing Web sites for kicks to legions of polished programmers who steal databases for pay. Organized crime is behind the rising professionalism, gaining such a strong foothold by offering money, not just idealism, to those who could install malcode known as bots onto millions of machines without anyone noticing. Now, these remote-controlled botnets await orders to attack.
"The fact that there haven't been any big e-mail outbreaks out there this year is not a symptom that the threats are going away," Kuo warns. "The bad guys now have found a different path in which they're actually making money."
That path now includes spyware that logs keystrokes and phish scams that prompt people to provide the ingredients for identity theft and fraud by posing as a financial service in need of account verification. The scams have morphed in a matter of months from poorly disguised e-mails rife with grammar mistakes to ones that link to bogus sites indistinguishable from real ones, using real account information of the intended target.
McAfee this week released a Virtual Criminology Report to make its customers aware of existing and emerging threats that take advantage of the Internet's anonymity and connectivity. It's also meant to show the trouble cops and congressional leaders have in keeping up. The FBI estimates cybercrime cost $400 billion last year. "The growing sophistication of cybercriminals is a serious challenge to law enforcement," the report said. "Many police forces still lack the capability to operate effectively in cyberspace. In part, this is due to the absence of adequate laws for cybercrime."
The 20-page document doesn't break any new ground. Instead it connects the dots of various outbreaks and shows how criminal organizations' efforts to recruit from the top of the hacker hierarchy are paying off. For instance, 2003's Sobig worm automatically installed spyware without the user's knowledge. Others self-destructed to prevent detection or cannibalization. Another unidentified Trojan included a keystroke logger activated whenever "my account" or "account number" appeared in the browser.
That doesn't mean the Sven Jaschans of the world have vanished.
"They're still writing the malware. They're just writing it for profit now and they're doing it to learn the business," Kuo says. That includes creating code that doesn't make "a lot of noise." Hackers are now paid to produce scripts that capture precise numbers of machines. The number rarely exceeds 5,000 to 10,000 and is frequently closer to 1,000 -- also to sneak past intrusion detection systems or alert law enforcement.
Money changes everything
But it is harder to break into the malware writing business these days. Those hiring want proof of experience, and competition is keen.
"We hear more about the 14-year-olds and the younger set because they're more willing to talk," Kuo says. "When you turn 18, something naturally kicks into your brain that says 'I need to be a little more careful with the law.' Even if you're involved, you're certainly not talking to the press.
"The older set either doesn't talk about it as much, or they control the younger set," he continues. "They don't want to be the guy fingered as the one that infiltrates the machines. The law makes it clear it's illegal to plant something on someone else's machine without permission. So you send a 14-year-old in to do that."
This is especially true when it comes to spyware and spam, two avenues that differ from conventional cybercrime but share similarities in profit motives and network infiltrations. Payments come from how many page views, e-mail addresses and actual Web applications are captured.
The solutions to combating ever-changing crime patterns do not come easy. Each time a technology or policy is put in place to stop one threat, another more sinister emerges. Kuo says a key strategy for enterprises is to incorporate a multilayered defense system that provides different access controls within a network. He also advises IT security to not be fooled by the lack of major malware epidemics the past couple of years.
"The nature of the crime has changed to where it's a lot more little attacks rather than runaway outbreaks," Kuo says. "When we do have a virus outbreak, it's not planned but because something ran away or was written without any control. Now, because virus writing is essentially professional, those controls are in place now."