Todays Hackers Code for Cash, Not Chaos

Q&A: Marc Sachs, director of the SANS Institute's Internet Storm Center, chats with Ziff Davis Internet News about network worms, browser vulnerabilities and the general state of Internet security.

As volunteer director of the SANS Institutes Internet Storm Center, Marcus Sachs has an eagle-eyed view of Internet security, tracking cyber-threats in real time and raising awareness when malicious hackers launch attacks.

Sachs also directs the Washington operations of the Cyber Security Research and Development Center, which is operated by SRI Internationals Computer Science Laboratory under a contract with the U.S. Department of Homeland Security.

On a typical day at the ISC, Sachs and a group of about 40 volunteers keep watch over about 500,000 different IP addresses to look for signs of malicious activity. In addition, the ISC incident handlers collect data from third-party sources and maintain the popular daily handlers diary of the biggest security issues of the day.

In this interview with Ziff Davis Internet News, Sachs talks about his work at the ISC, the changing face of network worms and virus attacks, his Web browser, of course, and the general state of Internet security.

Its been almost a year since Microsoft Corp. shipped XP Service Pack 2 to counter the big network worms. Are we any safer today?

I think we are, I really do. If you look at the numbers, there is a reduction in the traditional types of attacks. We havent seen a big worm since Sasser more than a year ago, so, in that sense, SP2 has served the purpose. But thats not to say the Internet has become safe, because the threats have shifted dramatically.

Were still seeing nonstop activity around e-mail viruses and Trojans and botnet zombies…

Thats the shift Im talking about. The attacks have moved from being a hacker wanting to prove a point by creating chaos, to one where he is out to make money. Thats why phishing is such a big problem.

The malware writers are looking to steal identities and credit card data. They are using their skills to make money from illegal activity. Theyre no longer going after typical attack mechanisms that are more along the lines of a nuisance. Now, its a subversive, organized scheme. Its about making money from the Internet rather than harassing the Internet.

It has always been changing over the years. In the mid- to late 1990s, the big threat was Web site defacements. Then it moved to the e-mail viruses and then to the self-replicating worm. A few years ago, we had all the big worms coming one after the other, but we havent seen one in over a year.

In the last 18 to 24 months, the big swing has been toward tricking people into giving up their credit card information. Were seeing massive intrusions into meeting points where the financial world comes together. Large containers of intellectual property are being breached.

Have we seen the last of the big, nuisance-related network worm?

I dont know that you can say that. Its hard to predict what the underground will do. Its not a stretch to imagine that a newcomer will still want to make his name with a nuisance worm, but I think the wave has crested in terms of types of worms weve seen.

/zimages/4/28571.gifSasser: the last big network worm? Click here to read analysts take.

There really is no value in it for the bad guys. They are not about putting all the effort into writing malicious code without real profit. It seems to me that the trend now is for malware writers to code for profit, and thats why were dealing with things like drive-by spyware installs and zombie botnets.

Most of defenses in the past 10 years have improved to cope with nuisance-type attacks. Now, we have to broaden our thinking. We cant just shift cycles, or theyll shift and stay ahead of us. If we start to think like attackers, start looking ahead to the places they will potentially target, we stand a better chance of protecting ourselves.

How severe is the botnet threat?

Its very legitimate, particularly in the last six months. But it was something we expected, once the cable companies got into the broadband ISP business. Until a few years ago, a high-speed connection was a 56K modem. Now, all the cable companies are stumbling over each other to get Internet bundled with TV service, and that becomes a very lucrative target to communicate with with botnets.

There you have this large pipe, and at the end of the pipe sits this computer thats lightly defended. Its the perfect condition for a forest fire, and thats why were seeing all these Trojans opening back doors. The concept of zombie armies isnt new, but whats new is the way its now associated with making money.

Next Page: Does Microsoft do enough to protect users?