The cyberplague that threatens an internet Armageddon
The unchecked rise of malware could culminate in a massive global event that would change forever the way we use the internet

In 1971, Bob Thomas, an engineer working for Bolt, Beranek and Newman, the Boston company that had the contract to build the Arpanet, the precursor of the internet, released a virus called the "creeper" on to the network. It was an experimental, self-replicating program that infected DEC PDP-10 minicomputers. It did no actual harm and merely displayed a cheeky message: "I'm the creeper, catch me if you can!" Someone else wrote a program to detect and delete it, called – inevitably – the "reaper".

Although nobody could have known it 40 years ago, it was the start of something big, something that would one day threaten to undermine, if not overwhelm, the networked world. For as we became more and more dependent on information and communications technology, we were also subjected to a plague of what came to be called "malware".

It's an ugly term, as befits something that covers a multitude of sins, all involving computer code designed with destructive or malevolent intent. It includes not only viruses, which are programs that replicate by copying themselves into other programs, but also worms (self-replicating programs that use a network to send copies of themselves to other machines on the network, with or without human assistance) and Trojans (similar to viruses but instead of replicating they infiltrate a computer and perform some illicit activity, possibly under remote control). Malware also refers to other evils: the junk mail we call spam; "phishing", or trying to hoodwink internet users into revealing bank account passwords etc; page-jacking, which makes it difficult or impossible for a victim to get rid of a web page; and other scams.

The malware plague has gone through several phases. It began in a harmless and experimental way with the creeper and a worm released on to the internet in 1988 by Robert Morris, a student from New York State's Cornell University. Morris wanted to find out how many computers were connected to the internet so he wrote a small program that would install itself on every machine it found and send back a "present and correct" message.

But there was a flaw in his code that meant the worm replicated. On 2 November 1988, network administrators realised something was up because their machines – and the network itself – had slowed to a crawl. In the end, the culprit was identified and carpeted, though it doesn't seem to have done him any lasting harm: Morris is now a professor at the Massachusetts Institute of Technology.

Malware began on the internet, but its next phase involved the stand-alone machines we now call personal computers. In 1982, a Pennsylvanian teenager named Rich Skrenta created the "elk cloner" virus that infected the Apple II, then the most popular personal computer in upmarket US households. Skrenta's virus covertly altered the floppy disk needed to boot up the computer, displaying some doggerel on the screen on start up. It was annoying but harmless.

Early PC malware tended to be like that – irritating but not terribly destructive. And malware spread slowly, because most of these PCs were not networked; infections spread by "sneakernet" – ie users sharing floppy disks. The real trouble began when domestic internet use exploded in 1993. From then on, an infected PC was a potential menace not just to its owner, but to other machines with which it communicated.

For many people, early malware was a baffling phenomenon. It was seen as something akin to physical vandalism in the real world – hooligans despoiling an environment for no obvious reason. What motivated them? Nobody knew, though several psychologists had a go at explaining it. The notion that malware was motiveless destructiveness was fuelled by the fact that much of it was imitative, carried out by "script kiddies" – non-programmers who downloaded DIY virus-construction kits.

In the 1990s, malware development accelerated. When Microsoft released Windows 95, it rapidly became the de facto standard for the PC industry and the world's IT systems came to exhibit the characteristics of a monoculture: millions and millions of PCs across the globe, all running the same software, all sharing the same security vulnerabilities. At the same time, domestic broadband connections became common. Suddenly, there were millions of machines, operated by people with little understanding of computer security, with shared vulnerabilities and fast connections to the network.

Most importantly, malware found a business model in the late 1990s. The fragility of the monoculture could be exploited for profit. Spamming – junk emailing – could now be done on a truly gigantic scale. Hitherto, it had required identifiable servers with broadband access to the net. But the new broadband environment offered a better infrastructure. All you had to do was find machines with fast connections, unpatched security vulnerabilities and non-savvy owners and infect them with a Trojan that would turn them into relay stations for spam (and which could be turned off just as easily, to avoid detection).

Spamming works because it can be very profitable. It costs very little more to send 10m emails than it does to send 100. If you're selling a packet of Viagra for $20 and you have a response rate of 0.1%, you'll make $20 from 1,000 emails. But if you send out 10m and have the same response rate you'll be earning $200,000 a day. This is the kind of serious money that makes organised criminal gangs sit up.

The idea of covertly suborning networked PCs was a critical breakthrough for malware because it enabled malefactors to set up "botnets" – networks of compromised machines that could be remotely controlled. Nobody knows how many of these botnets exist, but there are probably thousands of them worldwide and some are very large. A list of the 10 largest in the US in 2009, for example, estimated that they ranged in size from 210,000 to 3.6m compromised machines.

In addition to spamming, botnets can be used for a wide variety of purposes. They can, for example, launch "distributed denial of service" (DDOS) attacks on e-commerce or other web sites. Each machine in the botnet bombards the targeted site with simultaneous requests, repeated incessantly, to the point where the site's servers buckle under the load or the site becomes unusable by legitimate customers. More sinisterly, botnets can be used for blackmail, effectively extracting protection money from retail sites to ward off the threat of a DDOS attack. Nobody talks about this in public, but it goes on.

Domestic PCs that have been compromised by Trojans can be put to other uses too. For example, they can covertly monitor their user's keystrokes when logging into banking and other sites, thereby stealing passwords and credit card details. At a recent presentation by officers from Soca (Serious Organised Crime Agency), I was struck by a slide that showed how highly developed the online market in stolen credit card data had become. It showed a marketplace for "USA 100% APPROVED TRACK2 DUMPS" in which Visa debit card details were going for $8 and American Express details were $10. On another such marketplace, American MasterCard details cost $15 while European credit card details were going for $40 a pop. "Buying large quantities," it said, "prices are negotiable for every customers." (Grammar and spelling are not a speciality in this particular netherworld.)

We've come a long way from the creeper and elk cloner. The driving forces behind contemporary malware are financial gain and organised crime, much of it with its headquarters in Russia and other parts of eastern Europe. One of the most blatant examples of an online marketplace in stolen credit card data was CarderPlanet.com, a website ostensibly based in Vietnam, but operated by people based in Russia and Ukraine, and now shut down. A senior US secret service offic
