Hacking used to be a casual affair, the province of smart college kids mostly fooling around. No more. Today's hackers mean business.

Late last year, the software engineers developing a new Windows-based networking client confronted an all-too-common problem in today's hostile internet environment: How would they make their software resistant to the legions of enemies waiting to attack it? Particularly worrisome was a key feature of their code, a mechanism to accept updates online. If it were subverted, an attacker could slip his own program into an installed base of millions of machines.

The coders decided to fortify their software with MIT's brand-new, high-security cryptographic hashing algorithm called MD-6. It was an ambitious choice: MD-6 had been released just two months before, and hadn't yet faced the rigors of real-life deployment. Sure enough, the move seemed to backfire when a security hole was found in MD-6's reference implementation not long after the launch. But the coders rallied, and pushed out a corrected version in a new release of their software just weeks later.

It would be a model for secure software development, except for one detail: The "Windows-based networking client" in the example above is the B-variant of the spam-spewing Conficker worm; the corrected version is Conficker C, and the hard-working security-minded coders and software engineers? A criminal gang of anonymous malware writers, likely based in Ukraine. The very first real-world use of MD-6, an important new security algorithm, was by the bad guys.

This is the future of hacking: professional, smart, and above all, well-funded. In the old days, hackers were mostly kids and college-age acolytes sowing their wild oats before joining the establishment. Today, the best hackers have the skill and discipline of the best legitimate programmers and security gurus. They're using mind-bending obfuscation techniques to deliver malicious code from hacked websites undetected. They're writing malware for mobile phones and PDAs. The underground has even embraced the next-generation internet protocol IPv6, according to research by IBM -- setting up IPv6 chat rooms, file stores and websites, even as legitimate adoption lags. Ten years ago, an oft-repeated aphorism held that hackers were unskilled vandals: Just because they can break a window, doesn't mean they could build one. Today's bad guys could handcraft the stained glass in the Sainte-Chapelle.

Money is the catalyst for this change: Computer criminals are scooping in millions through various scams and attacks. The best hackers are growing up in Russia and former Soviet satellite states, where there are fewer legitimate opportunities for smart coders. "If you're a sophisticated team of software developers, but you happen to be in Eastern Europe, what's your way of raising a lot of money?" says Phillip Porras, the cyber threat expert at SRI International who dissected Conficker. "Maybe we're dealing with business models that work for countries where it's more difficult for them to sell mainstream software."

One result is hacking-as-a-service. Want your custom code installed in a botnet of hacked machines? It'll cost you $23 for 1,000 computers, $130 if you want them exclusively, says Uri Rivner, head of new technologies at security company RSA. Or you can pay for a custom Trojan horse that will sneak past anti-virus software, or a toolkit that will let you craft your own. "They actually have a testing lab where they test their malicious code against the latest anti-virus companies," says Rivner, whose group closely monitors the underground. While most computer criminals are "thugs," the programmers and software entrepreneurs supplying them are scary-smart, he says.

Particularly disturbing to security experts is the speed with which the bad guys are jumping on newly disclosed vulnerabilities. "Even one year ago, a lot of these web exploit toolkits were using vulnerabilities that had been discovered one or two years prior," says Holly Stewart, Threat Response Manager at IBM's X-Force. "They were really, really old.... That has really changed, especially this year. We're seeing more and more current exploits go into these toolkits. And we're seeing exploits come out that are even just a couple days after the vulnerability announcement."

Even worse, hackers are finding or purchasing their own vulnerabilities, called "zero day" exploits, for which no security patch exists. With real money to be had, there's evidence that legitimate security workers are being tempted themselves. In April, federal prosecutors filed a misdemeanor conspiracy charge against security consultant Jeremy Jethro for allegedly selling a "zero day" Internet Explorer exploit to accused TJ Maxx hacker Albert Gonzalez. The price tag: $60,000. It could take a lot of consulting gigs to make that kind of money performing penetration tests.

The change is being felt at every level of the cyber security world. When SRI's Porras dug into the Conficker worm -- which still controls an estimated 5 million machines, mostly in China and Brazil -- the update mechanism initially baffled him and his team. "I know a lot of people stared at that segment of code and couldn't figure out what it was," he says. It wasn't until crypto experts analyzed it that they realized it was MD-6, which at the time was available only from the websites of MIT and the U.S. National Institute of Standards and Technology. Other portions of Conficker were equally impressive: the way it doggedly hunts for anti-virus software on a victim's machine, and disables it; or the peer-to-peer mechanism. "There were points where it was pretty clear that certain major threads inside Conficker C seemed to be written by different people," he says. "It left us feeling that we had a more organized team that brought different skills to bear.... They aren't people who have day jobs."

Looking back, the first 20 years in the war between hackers and security defenders was pretty laid back for both sides. The hackers were tricky, sometimes even ingenious, but rarely organized. A wealthy anti-virus industry rose on the simple counter-measure of checking computer files for signatures of known attacks. Hackers and security researchers mixed amiably at DefCon every year, seamlessly switching sides without anyone really caring. From now on, it's serious. In the future, there won't be many amateurs.