Russian security professionals Eugene and Natalya Kaspersky dropped by Network World this week en route from Moscow to the RSA Conference in California. In a wide-ranging interview with Features Editor Neal Weinberg, the Kaspersky Lab duo discussed the Russian mafia, the latest in hacker tricks and their view that the bad guys are winning.
Are we winning or losing the battle against cybercriminals?
Eugene: The industry itself is losing the game.
Natalya: We’re trying our best to stay on top, but unfortunately I must confess that the detection level is slowly going down. We develop new technology to stop them and they develop new technology to bypass. We still have the highest detection rate, but we cannot stop some malicious code. This makes us scared if we will be able to stop them in the future.
There was a time when we thought that antivirus technology was enough, but that time has gone. It’s not enough, obviously. We need help from local authorities. We need help from operating system providers. And one very important thing is education. Many people become infected because they don’t know.
In the United States, it’s common for new exploits and attacks to be blamed on “the Russian mafia.” Since you live in Russia, what’s your take on that?
Eugene: Traditional criminals are not in touch with computer criminals, probably because they still don’t understand how to manage it. With the traditional mafia, it’s drugs, it’s prostitution, it’s illegal weapons trading.
So the whole idea of the Russian mafia being behind global computer crime is a myth?
Eugene: I think it’s a myth.
Where is most of the criminal activity coming from?
Eugene: No. 1 is China. Different countries have specific malicious code that they develop. Chinese people mostly develop multi-vector backdoor Trojans, also Trojans that steal data from online games.
No. 2 is Spanish-speaking countries and Brazil. Most of the Trojans which we see from these countries are banking Trojans to steal money from personal banking accounts.
No. 3 was Russia, but I was really surprised to see a report from my virus lab that now Russia seems to be No. 4 and No. 3 is Turkey. Now there are more Internet users and more and more criminals in Turkey. Russian hackers are mostly developing proxy Trojans to send spam and also spyware to steal everything, all the personal data and all the access codes.
Is law enforcement making a dent in cybercrime?
Eugene: The situation is getting worse. In 2004, there were 100 arrests around the globe. In 2005, there was a few hundred. Last year, there were about 100 arrests again. It seems like the stupid guys were jailed. The smart guys, it’s very difficult to find them.
Why can’t law enforcement track them down?
Eugene: The problem is that many criminal actions are done internationally. Last week, there was a report of a bank robbery in Sweden. Customers of this bank were infected with a Trojan and the bank lost 1 million Euros. We don’t have proof but it seems like the Trojan was developed by a Russian guy, but he never used it. He had a Web page with an explanation of the Trojan and the price. The origin was Russian. Some people bought it, I have no idea who they are, and they attacked a Swedish bank. In order to investigate you need people from at least three countries. It’s not easy.
Are you worried about phones becoming the next big target for cybercriminals?
Eugene: Yes, unfortunately it’s possible to develop the very same malicious code for smartphones as for computers. The question is just the price of smartphones. When prices go down and when there are more and more services for smart phones, like users accessing their bank accounts, for sure there will be numbers of new malicious code developed for criminal means.
Is it already happening in the wild?
Eugene: Last year was the first example of Trojans which sent SMS messages to paid numbers [900-numbers, for example]. The hackers use social engineering to get the victim to download and execute a Trojan.
Just like the Love Letter worm that infected computers in 2001 and 2002, where the worm gets access to your [e-mail] contact list. It’s possible to develop the very same malicious code to access your [voice] contact list. Then the phone would dial premium numbers or send SMS messages.
People receive their bills from the local telephone company and the bill includes these charges. The local telephone company passes that fee to the criminal [who has set up the phony 900-number account].
I’m just waiting for the first smartphone Trojan that will steal personal ID codes to access personal bank accounts.
What are some other examples of new types of criminal activity?
Eugene: Internet bank robbers have been stealing access codes for bank accounts. So, one type of protection that banks use is to allow a connection only from the local area. Now, hackers have developed a network of proxy servers , they have infected thousands of servers across the globe, and they have created a database of infected servers. This database is for rent. Bank robbers just buy access to this database of proxies and get access to local banks.
Eugene: I was seeing financial spam and was curious about the business idea behind it. What happens is that criminals manage to hack into broker software and play on the stock exchange using other people’s money. It’s called pump and dump. They buy shares with somebody else’s resources and when the shares go up, they sell it and forget about it.
What’s changing in terms of corporate security?
Eugene: We are living not inside of some perimeter. We are living in the open world. And we need to change our mind about security — we need to protect all the devices.
We need to think about security from a different point of view, not just to secure your corporate network. It’s not enough. We need to secure all the devices which are getting into the network or removed from the network.
Now we’re hearing about polymorphic viruses that can change form over time. Is that a new problem?
Eugene: In the past, there were not so many mutated viruses, because there were just a few hooligans who developed it. Now there are a number of criminal groups that do it and the number of groups is increasing. Now we need more experienced developers to develop special routines to detect this malicious code. It’s not easy.
So, what’s it like fighting cybercriminals?
Eugene: Life is getting more complicated because these bad guys they want to have computers infected and they pay special attention to antivirus protection, developing new techniques to bypass antivirus technology. They know the IP addresses of the antivirus companies, so if you connect to a fake site from the IP address of an antivirus company you get back a clean sample. They are very tricky guys.
I’m watching the changes in their criminal technology and I’m really afraid, because these guys are getting more experienced. They develop anti-antivirus technology, we have to develo