Virus writers slow spread to boost gain

Deseret News (Salt Lake City), Sep 26, 2006 by Anick Jesdanun Associated Press

NEW YORK -- In the past, virus writers seeking fame and attention wrote their malicious programs to spread as quickly and broadly as possible, boasting to colleagues when they managed to cripple hundreds of thousands of computers worldwide in a matter of hours.

But now, many writers are driven by money instead. They write code to turn the computers of unsuspecting individuals into "botnets" -- networks for spreading junk e-mail or stealing financial data from others.

Security experts find that some are even taking measures to make sure their programs don't spread too quickly or too broadly, lest they get detected and blocked.

"If they are able to stay active longer, they make more money," said Alfred Huger, senior director of engineering with the security response team at Symantec Corp., a software vendor that issued its twice-annual state-of-security report Monday.

Not too long ago, he said, a single person took control of as many as 400,000 computers at once with the help of malicious programs. Today, the average is less than 1,000, making such networks more difficult to track and shut down.

Huger said spammers have been compiling e-mail lists specific to geographic areas, by targeting a single Internet service provider that serves a particular region or by combing mailing lists devoted to a city's happenings. Messages sent to those lists can be used for scams or the spread of malicious programs, such as those for stealing data.

Virus writers have also judiciously used Web sites with software vulnerabilities allowing for the spread of malicious code, Huger said. They will remove the malicious programs once enough users are infected and restore the malware later, he said.

"They are very careful about the spread," he said.

Many of the newer viruses spread primarily through social engineering -- tricking a user into opening an e-mail attachment by making a message appear legitimate.

Although virus writers have long used that technique, many had been trying to overcome delays inherent with the need for any user intervention, taking advantage of system flaws to automatically spread their programs.

Network worms such as 2004's "Sasser" exploited flaws in Microsoft Corp.'s Windows operating system, automatically scanning the Internet for computers with the vulnerability and sending copies of themselves there. But the rapid spread also triggered rapid- response alerts among security vendors and prompted network operators to prioritize applying fixes to the Windows flaws.

High-profile threats, often more an annoyance than an effort to set up armies of rogue computers, are typically contained within a day or two.

By contrast, botnet computers can stay active for months.