The Economics of Malware
September 9, 2007 12:28 AM   Subscribe

The problem is "big idea" programmers, sloppy commercial vendors and breathtakingly complicated software.

The idealists come up with something cool, like email or a web browser but never consider human nature in their designs. Of course people are going to send ads over email. Of course criminals are going to be attracted to the internet if there is money there.

The sloppy commercial vendors think things like "wouldn't it be cool if the browser automatically could install plug-ins that did neat stuff?" Sure. But no thought is given to who might be installing what and how to protect against that until it is too late.

Finally, when software is as complicated as, say, Vista, it's almost impossible to make "safe." There is just too much code that is all tangled together. Fixes and updates just ad to the bowl of spaghetti.

Time to go burn chrome, I guess.
posted by maxwelton at 12:50 AM on September 9, 2007 [1 favorite]

MetaTalking about William Gibson's new novel...
posted by Poolio at 1:06 AM on September 9, 2007

Not sure if this has been posted elsewhere on Mefi yet, but this recent audio interview with Gibson on The Bat Segundo Show was fascinating. I love how he speaks somewhat slowly yet wastes no words and comes across as exceptionally intelligent. I'll definitely be making a point of reading Spook Country when I get the chance.
posted by good in a vacuum at 2:08 AM on September 9, 2007

And wow is that PDF interesting and scary. Sort of a flash card set for the Modern Scamming 101 midterm. Thanks!
posted by good in a vacuum at 2:20 AM on September 9, 2007

wow, great read! and from a new zealand university :) *pride*... the author has a nice sense of humour, too. Wonder if a full transcript is available?

"Engage users in IM chat sessions inviting them to
download malware..."
• The typical AOL “lol d00d check this out” is hardly a Turing
test level challenge"

heh, so true. :) i think it might be time to run a virus/adware scan..
posted by Dillonlikescookies at 2:21 AM on September 9, 2007

"and from a new zealand university"

Peter Gutmann has been doing cool security and crypto stuff for a long time now. He's a local legend in the computing fraternity. Check out his other publications, you'll enjoy them too.
posted by i_am_joe's_spleen at 2:35 AM on September 9, 2007

Awesome and interesting information, even if it's Powerpoint slides. I wish someone would come out with one of these for say, drug distribution, prostitution rings, etc...

Won’t run if the system contains SoftICE, Filemon, Regmon, Visual Studio, Ethereal, … (Numerous)

So, my packet capture software might be doing more to keep me safe than my anti virus software. Funny.

As for the whole William Gibson sci-fi in the present thing? My example's not Gibson, but a while ago I realized that "cyberspace" like the Metaverse as predicted in Snow Crash has basically come to pass in the form of World of Warcraft, Second Life, and so on. The thing no one predicted? The Metaverse would not be cool and filled with the elite of the day. Instead it's lame, boring, and filled with the socially disconnected and furries.
posted by TheOnlyCoolTim at 3:41 AM on September 9, 2007 [4 favorites]

TheOnlyCoolTim writes "Instead it's lame, boring, and filled with the socially disconnected and furries."

Cause you maybe see cyberspace best implementation (so far) as the image that was proposed to us in some depiction, which is a dude with a rather geeky attire flying in the middle of the net like he just doesn't care. Given that direct neural interfaces just aren't here, we still use eyes and interfaces called SL and WW , but there's a sea of difference between SL and WW.

SL isn't doing too well because it's too ahead (and not that well implemented) as you can actually insert your own 3d content and develop your own interpretation of reality ; the unpleasant reality is that most people are still primarily consumers (and educated as such !) and will remain for quite some time and never completely quit the consuming schemes, while SL encourages creativity and creation to breed content. Unsurprisingly representation of sex and lowest commond denominator funs are the first to appear, not because of commercial reasoning, but because they are understood as common in all human beings and therefore also commercially interesting. Regardless, SL may not be perceived as cyberfun, but as cyberwork ..which is still understood as cybershit (and that's another problem)

Suprise : many favour W0W over SL because the former is a complete wank of a game, imho is as obsessive as consumable. The image that runs to mind is Homer saying "mmmmhhhh WoW" while clicking on the keyboard. Almost no -focused fatiguing effort- needed, an illusion so strong I remember reading about some parents who neglected feeding their kids because of their obsession-compulsion with the game (ok two wacko among millions, but still...).

Another image that runs to mind is that of one of my fav movies, Wim Wender's "Until the end of the world" , in which the deliciously yet troubled Claire becomes obsessed with watching her dreams on some kind of laptop and feels pain when she no longer can indulge in watching the monitor. The technology originally developed to help an old blind woman can certainly be used for "good" , but may as well have unintended consequences, such as favouring obsessions.

Remember flying cars and private airplanes that guide themselves ? They are not quite avaiable, but we can enjoy our GPS navigator that combined with a relatively high speed connection can bring info to us while we move in the space. Certainly that GPS may interactively bring us to a brothel, armed with the latest coupon pushed by the sleaziest casino owner, but that's not a fault of technology itself, it's just an instrument. NRA would side with that, but for the completely wrong reasons.
posted by elpapacito at 5:58 AM on September 9, 2007 [1 favorite]

This was very impressive, thanks.
posted by blacklite at 7:27 AM on September 9, 2007

Man, I still remember people saying that "Spammers are Stupid" and therefore wouldn't figure out new advances in spam fighting or whatever.
posted by delmoi at 9:18 AM on September 9, 2007

The linked pdf, though long, is entirely worth the read. Especially towards the end, where some safeguards are suggested (for maximum protection...use a locked-down *nix box for online)

Most people's response is somewhere between "meh", or like maxwelton, a shrug, saying it's everyone's fault and it's too complex to fix now.

That may be the reality this far down the road, but the technical truth is that most popular OS's and the apps that run on them were created with a fatal flaw - that just about any application or process is immediately granted all the rights of the user. This is ridiculous, because most of the apps used daily by users DO NOT NEED that level to run. Most apps, eg document writers like Word, email, browsers, graphics, games, only need to read/write files specific to that app, or files that are merely "documents" or records. In other words, apps should only be granted the system rights they truly need to run, not the whole keyring. Historically, only *NIX systems have had this as a central feature; the popular OS's are slowly coming around. Kinda late, though.

If modern OS's were designed like this, where access to system internals were restricted to the very few specialist apps that actually use them (like development systems), and the majority of applications installed with a more restricted set of rights, the average user would not be so easily tricked into installing malware, and it would be alot harder for trojans and worms to invade via regular apps or installers.

Browsers... gon't get me started ;-). IE still sucks. Run Firefox. Nuff said.

I still hold Micro$oft largely responsible for alot of this mess, because their initial offerings, especially Windows, Office and IE had gaping holes from the get-go, and they are still playing catch-up with those. Notice how they try to stay below the radar on this; they try to make a virtue of necessity (Windows Genuine Advantage) and they suck most people into enabling automatic updates, which means that the patching efforts go unnoticed. They also single-handedly created the anti-virus and firewall industry.

Some will say that it's futile to hope for a solution, that no matter what's tried, there will be hacks. That's mostly true, but as the linked article points out, it's a numbers game. Right now, all the system holes make it dead easy. The harder it gets to hack, the fewer successes there will be, and the pro's will go in search of easier prey.
posted by Artful Codger at 9:41 AM on September 9, 2007

Suprise : many favour W0W over SL because the former is a complete wank of a game, imho is as obsessive as consumable. The image that runs to mind is Homer saying "mmmmhhhh WoW" while clicking on the keyboard.

SL is almost the definition of wanking. You accomplish nothing whatsoever- there's no goals to be accomplished, very little of any interest to explore, and everything is cosmetic. Second Life isn't some amazing leap forward in cyberspace- it's a fucking chatroom with pretty graphics. WoW is a computer game. SL is not.
posted by Pope Guilty at 9:51 AM on September 9, 2007

the world is fully caught up with any future we could make up.

*Ahem*... Then where are the robot sex slaves?
posted by shmegegge at 9:54 AM on September 9, 2007


# grep " Ban" /var/log/fail2ban.log | awk '{print $7}' |sort|uniq|wc -l
3937


That's IP addresses who have attempted to spam through my server more than three times per minute in the last 10 hours.

Considerably down since I instituted some banning procedures...at one point I was getting more than 200 attempts per second.
posted by Kickstart70 at 9:56 AM on September 9, 2007

Most apps, eg document writers like Word, email, browsers, graphics, games, only need to read/write files specific to that app, or files that are merely "documents" or records.

Sometime in the distant future, when Microsoft finally gets their shit together, everything on your computer will be secure from hackers and malware, except for your documents and email. Huzzah!
posted by ryanrs at 10:30 AM on September 9, 2007

That's pretty crazy, Kickstart. I think you must be an outlier. My logs show only two actual relay attempts. Total failed delivery attempts yesterday, for various reasons from blacklists to bad addresses, were a little short of 500.

It's gotten pretty hostile out there, but 200/second? That's ... unusual.
posted by Malor at 10:34 AM on September 9, 2007

The pdf says that about 10% of users have bought something advertised via email spam. I find that number amazingly high, and I wonder how accurate it is. It would also be really interesting to see the demographics of spam shoppers - who are these people who make spam profitable enough to
plague us all? And what do they buy? I don't get a whole lot of spam, thankfully, but the products/service being flogged are pretty limited (a few undoubtedly fake luxury goods, some overseas pharmacies, the rest sex-related). Where exactly are the profits?

I sometimes wonder if spam isn't really as profitable as we assume. Sure, the tech guys who set up the botnets etc get paid but do their clients, who advertise sketchy goods and services, really make much profit? As long as they hope or think they're making money, they'll continue to pay the Black Hats, regardless of the reality. I wonder if the spam industry isn't like a MLM scam, where only the people on top (the tech guys) get paid and the rest of them just throw money away chasing some crazy get-rich-quick scheme.

(Yeah, I know it's impossible to get hard data on an illegal industry, so these are somewhat moot questions, but I have a hunch that many spammers are getting scammed themselves. Apologies if my speculation is common knowledge/complete BS - I'm pretty clueless about these here intertubes.)
posted by Quietgal at 10:41 AM on September 9, 2007

Sometime in the distant future, when Microsoft finally gets their shit together, everything on your computer will be secure from hackers and malware, except for your documents and email. Huzzah!

You missed the point.

If the OS access points don't permit invisible access to installation, stuff won't spontaneously install itself. If the user is duped into installing something they believe is innocuous, it still won't have the ability to see or alter critical system internals. If the app does see users documents, and user is dumb enough to put vital data in those sorts of docs, in an unprotected area, the app may be able to transmit this info out, but only as itself, it won't be able to cloak this action, therefore it will be an order of magnitude easier to detect and remove.

If the user installs something innocuous, and they're stupid enough to grant it system rights when challenged, they deserve what they get.

I'll repeat my main point - most common computer applications shouldn't need full system rights to be installed and run. The user should be able to install an app with confidence that it can only access or alter non-critical parts of the system. Any app that requires more rights should bring up a system dialog saying that the installer is requesting access to such and such, do you want to allow this. For the average user this would be a red flag.

Yes some innocents will still be duped into granting those rights, but that's preferable to the current situation where any executable you run, installers or otherwise, is given enough rights by default to utterly destroy your system.
posted by Artful Codger at 11:03 AM on September 9, 2007

*Ahem*... Then where are the robot sex slaves?

http://www.metafilter.com/8902/
http://www.metafilter.com/21071/
http://www.metafilter.com/36526/Hello-Dolly
http://www.metafilter.com/50094/RentaRealdoll
http://www.metafilter.com/50934/men-and-dolls
http://www.metafilter.com/62759/Guys-and-Dolls-uncanny-love

There seems to be consensus that the dolls are less creepy than their owners. So they pass the sexbot Turing test, I guess.
posted by ryanrs at 11:08 AM on September 9, 2007

Possibly interesting, but painful to try to read. Reminded me of the Gettysburg powerpoint.
posted by neuron at 11:19 AM on September 9, 2007 [1 favorite]

If you look at the CERT and other statistics, you'll actually see a very large number of vulnerabilities for OSX and Linux, as well. It's popular to bash Microsoft, but do not be fooled into thinking OSX or Linux are secure either. All are full of exploitable vulnerabilities (at least without significant sysadmin attention), Windows sheer numbers make it the most obvious and the focus of most hackers attention.

The relative security is debatable, but the implication that this is primarily Microsoft's fault is ludicrous. There have been plenty of recent examples of severe OSX holes, for example.
posted by wildcrdj at 11:41 AM on September 9, 2007

You missed the point.

Do you think most users will be able to manage fine-grain access control? Do you run any apps as nobody, or from a jail?

Most people won't put up with that kind of hassle until after they've been burned. Other techniques, like automated filesystems snapshots, are more tolerant of laziness.
posted by ryanrs at 12:08 PM on September 9, 2007

the implication that this is primarily Microsoft's fault is ludicrous

Yes, George W. Bush and the DOJ deserve some blame as well. And Windows users, especially if they paid for the privilege.
posted by ryanrs at 12:17 PM on September 9, 2007

Quietgal writes "I wonder if the spam industry isn't like a MLM scam, where only the people on top (the tech guys) get paid and the rest of them just throw money away chasing some crazy get-rich-quick scheme."

As far as I understand, not exactly. There are only a handful of spammers whose output constitutes the vast majority of spam. It's a numbers game, and the people who understand that make money. I don't know who you mean by "the rest of them," but there aren't that many people involved. Most of the companies which advertise using spam are either gray or black market, like open-market pharmacies and pump-and-dump junk stock scams. Some of those are very successful, some not so much, but a persistent, enterprising spammer will do pretty well, as long as they can avoid the law and civil suits. They may need the assistance of botnets to send their spam, but the guys running those also do pretty well, and are mostly based in the nations mentioned in the article. Of course, I am personally and professionally (I work for an ISP) very opposed to spam, malware and the existence of these schemes, but the economics aren't hard to understand. Organized crime took over a segment of the market that wasn't being fulfilled by the "legitimate" market, and guys with too much brains and not enough money (in economically depressed nations with lots of corruption and mob ties) are enlisted to help them. You bet there's money in it. I'm sure some of the advertisers themselves aren't all that bright and may fail, just like many legitimate companies which advertise legally, but the people involved in the existing spam networks are all getting paid.
posted by krinklyfig at 12:20 PM on September 9, 2007

krinklyfig writes "but the people involved in the existing spam networks are all getting paid"

Ah, well, with the exception of those people whose computers are infected and used for these purposes without their permission or knowledge, and the ISP(s) (and ultimately their customers) which have to pay for increasingly difficult filtering and for the bandwidth and maintenance time they suck up.
posted by krinklyfig at 12:23 PM on September 9, 2007

Artful Codger writes "If the user installs something innocuous, and they're stupid enough to grant it system rights when challenged, they deserve what they get."

For the most part, people who do that have no idea what you just said. I clean their machines every day. I cannot teach everyone those concepts; most people will just never get it, just as most people will never work on their own cars. For some people, getting a Mac is a much better short-term solution, although some people, especially some offices can't do that. I'm not really an Apple fanboy, but it would make my job easier. And as much as I loathe the concept of the "Internet appliance," (e.g., the iPhone), I'm afraid that's the only way this thing will work itself out in the long run. And even then we will have security issues, but people won't have to deal with it like they do now.

Now that your average non-techie Joe and Jane Six-Pack family has a computer (or two or three), they are expected to learn the theory behind computer security and implement it. That makes no sense. That's like saying everyone who drives a car has to understand how to rebuild a carburetor (or clean their fuel injector by hand). It will only be effective if they never have to think about it, or if it's as simple and innocuous as an oil change. Note that when most people take their cars in for oil changes, they don't usually have to fix their cars at the same time.
posted by krinklyfig at 12:43 PM on September 9, 2007 [1 favorite]

Finally, when software is as complicated as, say, Vista, it's almost impossible to make "safe." There is just too much code that is all tangled together. Fixes and updates just ad to the bowl of spaghetti.

Lines of source for three OS distributions:

50M Windows Vista
86M Mac OS X 10.4
215M Debian 3.1

Note: Above figures are from a cursory google search, direct comparisons may not be meaningful, etc.
posted by ryanrs at 3:26 PM on September 9, 2007

Absolutely not meaningful, because the debian figures include all the applications that comprise Debian. A meaningful comparison with Vista and OSX would either be Linux kernel + gnu userland + xorg only, or include all common Windows and Mac apps as well.
posted by i_am_joe's_spleen at 3:44 PM on September 9, 2007 [1 favorite]

ryanrs: lines of code are poor indicators of complexity and organization of software.

see here, perhaps a better metric.
posted by Freen at 3:54 PM on September 9, 2007

Do you think most users will be able to manage fine-grain access control? Do you run any apps as nobody, or from a jail?

Most people won't put up with that kind of hassle until after they've been burned. Other techniques, like automated filesystems snapshots, are more tolerant of laziness.

You missed the point too. The common types of applications used by most people don't require "all access" passes to their computers. So, the the OS should DEFAULT any install to a safe security level, without them having to take action. ( eg no ability to read/write system files or any file outside of a configured set). If an app requires more access, there should be an OS-generated prompt to the user, who then has to grant this. This would protect most people.

Yes OSX, Linux, and others are not perfect, and there are vulnerabilities to them too. But they are safer choices right now, if for no other reason that there's relatively too few of them to bother with, compared to the ocean of vulnerable Windoze boxes out there.
posted by Artful Codger at 4:20 PM on September 9, 2007

It's gotten pretty hostile out there, but 200/second? That's ... unusual.

I used to keep comments open on my blog. I haven't in a while, because even after I implemented a pretty solid captcha screen, I'd get hit with so many comment attempts in such a short span of time that it would routinely crash my Apache process. Several comment attempts per second sometimes. It would keep up until the process crashed; sometimes my logs would show that it picked right up again as soon as the process restarted, implying that they just kept on banging while my process was restarted.

It didn't get better until I took my site offline for several weeks. Presumably the spambots flagged me as useless and took me off their lists.
posted by lodurr at 4:48 PM on September 9, 2007

There are two things that are interesting to me about this thread:

1. That it more or less right away devolved to "your OS is bad"
2. That in all this discussion of malware, no one has mentioned Storm

Storm's kind of amazing, really; more than a worm, it's a whole large strategy for propagating the worm, including propagating new hosting sites and attacking people who are trying to stop it. Whatever punks created it, they were thorough punks: The thing is polymorphic and adaptive in how it attacks. And the botnet they've built is vast.

Call "cybermageddon!" if you like, but this is the big hairy real deal.
posted by lodurr at 5:02 PM on September 9, 2007

Not sure if this has been posted elsewhere on Mefi yet, but this recent audio interview with Gibson on The Bat Segundo Show was fascinating.

Note that that site is run by Metafilter's own ed.
posted by stavrosthewonderchicken at 5:38 PM on September 9, 2007

lines of code are poor indicators of complexity and organization of software

...and bugs are indicators of complexity and poor organization of software. I was trying to show that the two aren't directly related, but I could have been more explicit.


Absolutely not meaningful, because the debian figures include all the applications that comprise Debian.

Mac OS X ships with lots of apps too. Microsoft, on the other hand, seems to develop pretty much everything in-house. LOC appears to be correlated with the number of included apps, which is not surprising.


The common types of applications used by most people don't require "all access" passes to their computers. So, the the OS should DEFAULT any install to a safe security level, without them having to take action.

Ok, assume that apps can't arbitrarily write to /usr, /etc, /bin, /sbin. Those files are important to the OS, but not to the user. Since the user never touches them, they are trivial to protect.

But what about the stuff I actually care about? My photos, my email, my project, my tax returns? The photos, for example, need to be accessible to my editing app, web browser, email client, instant messenger, etc. Coincidentally, these same apps are the ones most likely to communicate over the network, load untrusted content, and support plugins and themes and scripting. Separating these very important apps from my very important files is going to be a real pain in the ass. Nobody will pay attention to a warning box that pops up every half hour.

I guess my point is that mere file permissions cannot protect important data from careless users and buggy apps. Unfortunately, many users are careless and many apps are buggy.


your OS is bad

What, we can't bitch about Windows in a thread about botnets? If you like, I can gripe about BIND and sendmail to sort of even things out.
posted by ryanrs at 5:58 PM on September 9, 2007

...But what about the stuff I actually care about? My photos, my email, my project, my tax returns?

First, most people develop some sort of strategy for storing their content files. It's not that hard to NOT save your files in the /windows/system folder, right. Windows, to their credit, try to encourage saving in the users' own My Documents area.

The photos, for example, need to be accessible to my editing app, web browser, email client, instant messenger, etc. Coincidentally, these same apps are the ones most likely to communicate over the network, load untrusted content, and support plugins and themes and scripting. Separating these very important apps from my very important files is going to be a real pain in the ass.

Ok let's continue with your example of images, and associated apps. Please allow me first to assume that the photos are stored somewhere reasonable. Next, can we assume that your installed apps (editing app, web browser, email client, instant messenger) are known to be good?

Each of these apps make it easy to open or get image files so there's no issue with where they're stored. Regarding untrusted content, the clients for email and the WWW are supposed to protect you from content exploits. I can name several popular ones that do. If yours is vulnerable to content exploits this late in the game, change it. Straightforward so far, yes?

Now lets look at plugins and other downloads. Say you are enticed into downloading an app or a plugin that is actually malware. Currently, if you now run an infected installer or exe, you're just about f*ed if your anti-virus software doesn't catch it (or you forget to scan it). Under my suggestion of a safe default level, the exe cannot alter system stuff or hook into out-facing services unless you expressly allow that ...and why would you allow an image processing app to do that?

Nobody will pay attention to a warning box that pops up every half hour.

I'm talking about a warning box at the time of install. Far less frequent.
posted by Artful Codger at 6:43 PM on September 9, 2007

Next, can we assume that your installed apps (editing app, web browser, email client, instant messenger) are known to be good?

Uh, no? Aren't these apps the ones with the bugs and the security holes?

I haven't actually used a Windows machine since the late nineties so maybe I'm misunderstanding this stuff. I have owned Windows machines running Win 3.1, NT 3.51, and NT 4.0. Currently I have a laptop running Mac OS X and a file server running Solaris.

I've been assuming Windows machines get rooted by way of bugs in IE and the mail client. Is that no longer the case? (It was all the rage about five years ago). If so, wouldn't that preclude trusting the local software?
posted by ryanrs at 8:26 PM on September 9, 2007

Ah I understand. You own a Mac. They're so superior that you no longer have to read entire posts to grok their essence. ;^)

In the paragraph right after the one containing this:
Next, can we assume that your installed apps (editing app, web browser, email client, instant messenger) are known to be good?

...I wrote:
Regarding untrusted content, the clients for email and the WWW are supposed to protect you from content exploits. I can name several popular ones that do. If yours is vulnerable to content exploits this late in the game, change it.

Anyway, that's off the point. Again. Even assuming that there exists a directly exploitable hole in a browser or email client, if the OS restricts the ability of files or executables to automatically install themselves or attack the system, the danger is very much reduced.

For the record, I've always run Windows computers because I develop software for people who mostly use Windows. Despite experience and caution I have been infected a couple times; the worst infection I caught came in via an unpatched development tool I downloaded ... from Microsoft. Ahem.

At this point I realize no-one's up for a real technical discussion about this, so I'll just shaddup now.
posted by Artful Codger at 9:26 PM on September 9, 2007

What, we can't bitch about Windows in a thread about botnets?

Oh, by all means. I don't run Windows unless I absolutely have to, and I'm quite happy to give people my simple three-step plan for radically increasing your safety level when using Windows (/self). (Which isn't as good anymore, obviously, but is still a good start.)

It's just that given the risk that botnets pose, and given the increasing importance of the server-side botnet (viz the Storm botnet's thousands-strong network of webserver bots), I'd hope (and this isn't high-dudgeon hope, just a hope) for a little less falling back on the same comfortable old flamewars.

The interesting stuff is not what parts of the plumbing make this possible. The interesting parts are what the botsters are going to do with the plumbing, now that they've got control of it.
posted by lodurr at 6:09 AM on September 10, 2007

Quietgal wrote "who are these people who make spam profitable enough to
"plague us all? And what do they buy?"

Apparently, people with penis size issues. They buy cock-enlargement pills. Do you not read the ads?
posted by caution live frogs at 2:30 PM on September 10, 2007

Lately I've actually been reading a few. A surprising number of these people are also savvy investors looking for a hot new stock.
posted by lodurr at 6:36 AM on September 11, 2007

(... and of course, I check my mail and the new message at the top of the heap has the subject line "Cure for your penis problems." The sledgehammer of irony strikes again.)
posted by lodurr at 6:39 AM on September 11, 2007