I like to think back on the good old days, when the worst thing Windows might do to us was crash.
Now we have to defend ourselves against invisible programs that silently take over our PCs, record our keystrokes to capture our banking passwords, use our bandwidth to send out junk e-mails that can’t be traced back to the senders, and then bury us in the spam we receive in turn from all the other PC users whose machines have been similarly hacked.
This week, Symantec, the antivirus and security company, released its sixth semiannual Internet Security Threat Report. It says the firm found a vast increase in the number of “bot networks” that are under the control of hackers. Each network consists of thousands of machines that have been infected with Trojan horses and are now controlled by criminals.
During the first six months of 2004, Symantec watched the number of bot networks it tracks grow from fewer than 2,000 to 30,000. The number of PCs in each network is said to average around 2,000. Multiply the number of networks by the average population of controlled machines and it works out to 60 million “zombie” PCs, and those are only the ones we know about.
Symantec found one bot network consisting of 400,000 zombies, according to an article by John Markoff in the New York Times. Each network can be used to broadcast spam, launch devastating denial-of-service attacks against Web sites the hackers don’t like, and more.
What’s going on here?
Is this it? Are we just going to face more and more attacks as our computer resources spiral more and more out of our control?
It seems to me that the computing industry is in denial about how bad the attacks on our PCs and our lives have become. Things aren’t going to get better without radical changes to bring about a safe and sane computing environment. The first step is for us to stand back and survey just how bad the situation has become.
What follows, therefore, is my first State of the Computing Industry report — a quick and dirty overview of the maddening crisis that has engulfed us.
I focus in this report on four areas — viruses, spam, phishing, and adware — although an entire book could be written on all the problems that “making computers easier and more fun” has brought down on our heads. Here we go; I hope you’re sitting down.
- Four and a half times more viruses and worms targeted Windows systems in the first half of 2004 than in the same period of 2003, according to the Symantec report. That’s 4,496 new viruses and worms so far this year.
- About 1 in 12 e-mails carried a virus in the first six months of 2004, according to an analysis of 5.6 billion e-mails by monitoring firm MessageLabs. A firewall is no defense against these: it passes mail traffic by design, so an e-mail-borne virus arrives whether or not one is in place. Up-to-date antivirus programs can still stop most such viruses at this point, but the viruses grow more capable every month.
- There are now 1,740 known, unpatched security flaws in Windows and other operating systems, according to statistics collected by US-CERT, a security coordination center. That’s more than a 300% increase over the 417 vulnerabilities that were known to researchers as recently as 1999.
- Access to zombie-PC networks is being sold and traded among hackers for about 10 cents per compromised machine, according to reports in The Register, a British high-tech news site.
- Spam exceeded 70% of all e-mail in July 2004, the highest rate ever detected by MessageLabs. It’s over 80% of the e-mail received by Internet service providers AOL and MSN. That compares with the halcyon era when only 7% of all e-mail was spam, as measured by Brightmail as recently as April 2001.
- About 60% of all spam is now sent via zombie-infected machines, according to Spamhaus.org, a respected antispam service. Besides using their bot networks to send spam, spammers last year started directing their zombie armies to flood and disable the servers used by antispam groups. Four such antispam organizations were forced to shut down in 2003 alone due to these denial-of-service attacks.
- A single U.S. ISP, Comcast.net, sends 700 million spam messages a day, out of a total of 800 million daily outgoing messages. This enormous spam outflow is generated by the large number of ISP users whose PCs have been hijacked by zombie software, Comcast network engineer Sean Lutner told News.com in May.
- Almost 1/6 of all spam now conforms to SPF (Sender Policy Framework), according to an analysis by e-mail service provider MX Logic. SPF lets a domain publish in DNS the list of mail servers permitted to send e-mail in its name, so a receiving server can reject messages whose return address has been forged. It has been promoted since last year to stop spammers from “bouncing” junk e-mail onto innocent victims whose addresses they forge. But SPF only vouches that a message came from a server the sending domain approved; it says nothing about whether that domain is honest. Spammers have adopted it, registering their own throwaway domains and publishing valid records so their mail looks legitimate, much more quickly than respected corporations, only a small minority of which have implemented SPF to date.
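To make the SPF point concrete, here is a small evaluator, added as an example and not code from the newsletter or from MX Logic, that checks a sending IP address against a domain’s SPF record. The DNS table is constructed for the illustration (the domains, records, and addresses are invented; the addresses come from documentation ranges). It handles the `ip4`, `a`, `mx`, `include`, and `all` mechanisms with their qualifiers, which is enough to show the two outcomes that matter: a zombie forging a bank’s address fails, while a spammer sending from a domain whose SPF record he wrote himself passes cleanly.

```python
"""
Minimal SPF evaluator over a constructed DNS table (example code, not the
newsletter's). Implements the ip4, a, mx, include and all mechanisms from
the SPF specification; ptr, exists, exp and redirect are left out.
"""
import ipaddress

# Constructed DNS data for the example. None of these names or records are real.
DNS = {
    "bank.example": {
        "TXT": ["v=spf1 mx ip4:192.0.2.0/28 -all"],
        "MX": ["mail.bank.example"],
    },
    "mail.bank.example": {"A": ["192.0.2.5"]},
    # A spammer's own domain with a perfectly valid, restrictive SPF record.
    "spammer.example": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 include:_spf.bulk.example -all"],
    },
    "_spf.bulk.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "victim.example": {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.77"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # the spec caps DNS-causing mechanisms at 10


def lookup(name, rtype):
    """Answer a DNS query from the constructed table (empty list if absent)."""
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        low = txt.lower()
        if low == "v=spf1" or low.startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate SPF for a message from `ip` claiming MAIL FROM <...@domain>.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "pass"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = QUALIFIERS[term[0]], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech == "ip4":
            # strict=False tolerates records written with host bits set.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == addr
                          for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ipaddress.ip_address(a) == addr
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "include":
            # include matches only if the referenced domain yields "pass".
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism in this evaluator

        if matched:
            return qualifier
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    cases = [
        ("192.0.2.5", "bank.example"),        # the bank's real MX
        ("198.51.100.200", "bank.example"),   # zombie forging the bank
        ("203.0.113.7", "spammer.example"),   # spammer's own server
        ("198.51.100.9", "spammer.example"),  # spammer's bulk provider
        ("10.0.0.1", "nospf.example"),        # domain with no record
    ]
    for ip, domain in cases:
        print(f"{ip:>16}  {domain:<18} -> {check_host(ip, domain)}")
```

The lesson is in the third and fourth cases: the spammer’s mail passes SPF exactly as the bank’s does, because SPF authenticates the path from domain to server, not the reputation of the domain. A receiver that treats an SPF “pass” as a sign of legitimacy is therefore doing the spammer a favor; the result is only useful for rejecting forgeries (the “fail” cases) or as one input to a reputation system keyed on the authenticated domain.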
- Some 1,974 unique phishing attacks were reported in July 2004. Phishing occurs when spammers send official-looking e-mails, posing as messages from a bank, that ask customers to “confirm” their accounts by entering their passwords. The spammers capture and use these passwords, which are dutifully supplied by up to 5% of the victims contacted, according to Antiphishing.org, a coalition of financial institutions and major e-commerce sites.
- Phishing attacks are growing at a rate of 50% PER MONTH, the group’s figures indicate. Although we often hear that Web sites that collect password data for phishers are in Russia and other non-Western countries, 35% of phishing sites are actually located in the U.S.
- Thirty percent of American consumers have experienced online identity theft, according to a survey by the Gartner Inc. consulting firm. Ninety percent of those cases occurred in the past year alone.
- Adware is exploding on users’ PCs, with security firm McAfee alone finding more than 14 million instances in March 2004, up from fewer than 2 million just last August. Adware is often called by other names, including spyware and malware. Since these categories overlap, I use instead the general term “adware,” which I define as “programs that are installed on a user’s PC for the financial benefit of a sponsor without the user’s full knowledge and consent.” Putting the approval language into a license agreement and then asking users to click OK on the entire license is not full knowledge and consent.
- More than 20% of PCs tested by PCPitstop have active in memory one or more programs the company defines as “spyware.” Such programs always reduce the performance of the affected machines but often have much more serious side-effects as well. (PCPitstop is an online service that diagnoses more than 1 million machines per month.)
- In surveys, 74% of users whose PCs are running adware from Claria (formerly Gator) said they had no knowledge of it being installed. The figure is 87% for adware from WhenU. In papers filed for a court case in 2003, Gator executives said only 16% of their 27 million “users” were unaware of the presence of the program on their machines, according to an article published by Forbes Magazine. Even when such adware runs perfectly and doesn’t negatively affect a PC’s reliability, serious issues of privacy and security are raised.
- In the worst cases, adware installs via “drive-by downloads,” exploiting weaknesses in Internet Explorer that allow Web sites to run programs on users’ PCs without them even clicking “OK.” Programs downloaded in this way, as explained in Christian Wagner’s spyware/adware/malware FAQ, can operate like the worst traditional viruses. The downloaded programs may install keylogging software to capture user passwords, send personal information back to a central server, and more. (The recent Service Pack 2 for Windows XP closes some but not all of the security flaws in Internet Explorer.)
Regular readers of the Windows Secrets Newsletter know that they can protect themselves from the above threats by maintaining what I call a “security baseline.” Every PC and computer network should be running at least the following five protective measures:
1. A hardware firewall to keep hackers from accessing your PC from the Internet;
2. A software (or “personal”) firewall to prevent any undetected Trojan horses from sending out your personal data or anything else;
3. An antivirus program that’s set to constantly update its virus signatures to detect threats in e-mail messages and shared files;
4. An antispam program to reduce junk e-mail, which is a common method of delivering viruses into PCs; and
5. An antiadware program to remove adware and guard against its re-introduction into your PC in the future.
A special report on the security baseline, and a review that names the best products in each of the categories above, is in our June 3, 2004, issue.
What percentage of PC users do you think have all five of the above protections in place and working? How many consumers do you think even know that all of these five defenses are needed? Not many.
More importantly, how many computers that retailers sell to consumers have all five of the above protections installed and working when the PC goes out the door? My guess is, “Almost none” — and that’s the problem in a nutshell.
Every high-tech seller seems to want someone else to be responsible for taking, and paying for, the security steps that will make PCs and the Internet safe to use. If computer professionals, manufacturers, and retailers won’t give consumers PCs armed with a comprehensive security baseline, why do we think consumers will figure it out and do it themselves?
I’m sorry, but saying, “You shouldn’t click any links you don’t trust” isn’t an acceptable response to the millions of people who’ve already been victimized by the insecurities that were designed into Windows and the Internet.
The industry’s leaders must work together and pay the tab
I believe the responsibility to clean up this mess resides squarely on the shoulders of our computing giants — the Microsofts and AOLs of the world. They’ve made billions of dollars by selling people on Windows and the Internet. They’re the only entities with the financial resources to take Windows and the Internet back from the scum who are now wreaking havoc.
The industry giants, of course, want someone else — consumers, corporations, the government — to pay to make computing safe again. But it’s ridiculous to think that millions of private individuals, or, worst of all, the governments of the world, can handle this task.
The U.S. Congress would probably make the situation worse with new legislation, just as Congress unwittingly legalized opt-out spam in the U.S. when it passed the infamous CAN-SPAM Act in 2003. The bill bears numerous provisions that were lobbied for by the Direct Marketing Association, an advertising interest group that Microsoft is a member of.
Taking back the Internet will require drastic changes in Windows and the way the Internet itself works. I’ve previously editorialized about one such step, involving digital signatures to identify the source of e-mail, called DomainKeys. It’s being promoted by Yahoo.com and other computing groups, but Microsoft and AOL, after promising to work together on such systems, now don’t agree and are pushing their own, incompatible technologies.
Our industry’s 600-pound gorillas may not be able to come together and agree on the solutions we need to restore basic safety and reliability to our computing lives. But if we don’t at least demand that they do so, we’ll watch the Internet slide further and further down the rat hole it’s already in.
To send us more information about this, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
(A portion of the above report was originally presented in a keynote address by Brian Livingston at the SMB Nation Conference in Seattle, Washington, on Sept. 10, 2004.)