It’s The Spammers – They’re In It With The Aliens!

by on September 8, 2006

The recent Sunday Times report(s) on keylogging got me thinking about why journos never examine the other dimension of the problem of keyloggers and security compromise: spam.

The Times basically took the start of the problem to be a mysterious process of “inadvertently downloading a Trojan” which then installs a keylogger, which then reports all your passwords and other interesting data to black hats in some faraway exotic place (like Swindon). After that, all hell breaks loose, and the journos in question (notably one Jonathan Ungoed-Thomas, more about whom later) had obviously had great fun finding numerous stories of innocent victims (including – shock – “IT professionals” who had taken “all precautions” to prevent it) having their savings stolen, computers crashed, etc. etc, ohmylordthisisterrible! You got the idea after about paragraph three of five thousand. The message was clear: we are all sitting ducks – you heard it here first!

If we assume that the consequences of downloading a Trojan are terrible, then isn’t it more productive to examine how this happens and what can be done to prevent it? But I do The TImes a disservice, I hear you say, for did not Mr Unagoad-Thomas sagely list the fact that you must run anti-virus software and a firewall? Oh, and keep Windows up to date and stuff too? Well, he did of course. Everyone does, or at least the poor saps in the articles said they did (and don’t forget the “IT professionals” too). Yet everyone gets infected – or so The Times would have it. So something doesn’t quite add up, does it?
The trouble is that:

  1. Anti-virus software is by definition useless (and I shall explain that statement).
  2. Ingress firewalls are of course valuable but largely irrelevant here (they only stop uninitiated traffic coming in). Egress firewalls are more important, but nobody understands the cryptic messages that come up like “scvhost.exe wants to access the Internet. Do you want to allow this?”
  3. Keyloggers (and most contemporary bad stuff) come via perfectly normal email and are installed directly by the rightful owner of the computer on their computer, on purpose. Nothing can (and morally should) prevent somebody if they want to install software on their machine.

Journos of course don’t want to deal with this complexity: it’s hard to explain to readers, and probably hard for the journos themselves to understand. Much better and easier for them to spread blind, ignorant panic. Panic sells. Job done. Who cares about the technology – let the geeks worry about that.

Before we continue, let me get the statement about anti-virus being useless out of the way. Anti-virus software is, put simply, a system that attempts to recognise bad software from good. If it can, it tries to remove it from the computer before it can do any damage. It does this by consulting a database of known bad programs (AKA “malware”). Think about that for a second: known malware – that is, software that has already damaged computers, that the anti-virus company has found, analysed and distributed a fix for their (paying) customers to install in case they too get hammered.

The problem with this of course is the time lag. Trojan writers don’t have to put much effort into the vector of attack: that’s easy – that’s the user themselves. The writers of malware then just team up with spammers to distribute millions of copies of their software via emails that say things like “I thought you’d like to see this” or “This is really funny…” This means that within hours, a keylogging virus is replicating across millions of computers, days or even weeks before the anti-virus companies can distribute a fix. By which time it’s mostly too late. And don’t forget that if you ain’t paying the anti-virus company for the privilege of getting that fix too late, you don’t get one at all. This fact, incidentally, does not prevent the said anti-virus software from running – it’s just out of date, and in many cases hoovering up resources, slowing down your system and causing things to crash – for no reason.

It’s obvious therefore that something close to the root of the problem is spam. Now, I don’t have a cure for spam, but I think that if the TImes and other “responsible” journalists made this connection relentlessly when talking about the horrors of keyloggers, etc. then perhaps the penny might drop somewhere: that stopping spam means stopping Trojans means stopping innocent victims being robbed of their savings. I have no sympathy for the “IT professionals” though – they, gentle reader, were either looking at porn or are in fact not “professionals” but Microsoft Certified Idiots.

At the very least, you’d think The Times would start all their ranting with the words “If you open email attachments from people you don’t know AND RUN THEM, you are an idiot. But if you don’t mind being an idiot, maybe the following story will help…”

A footnote to this is that Jonathan Ungoed-Thomas once sent me an hilariously ham-fisted email attempting to get me to “reveal” to him a hidden network of animal-rights extremists “co-ordinating” on the Internet. I sent it to NTK. Mine is Example 2.

PS: Just seen this on Mr Brown’s blog too.

PPS: For the curious: I don’t, and never have, run anti-virus software (even when I was running Windows).


There’s no shortage of news on this in the tech sphere of course.

During a four-day stretch, researchers at the Manheimm, Germany, honeynet project counted about 9,700 infections from a single command-and-control center and calculated that the attacker was making hundreds of dollars a day in commissions from DollarRevenue alone.

That’s a pretty hefty business model they got there…

Leave a Reply

Your email address will not be published.