Malware Party Tricks and Cybersecurity Trends
This week we welcome back to our program security pioneer Graham Cluley. After starting his career writing the original version of Dr. Solomon’s Antivirus Toolkit for Windows, Graham moved on to senior positions at Sophos and McAfee. In 2011 he was inducted into the Infosecurity Europe Hall of Fame. These days, he’s an independent blogger, podcaster and media pundit.
Our conversation takes a sometimes nostalgic look back at the origins of computer malware, what it was like fighting the good fight back then, how things have developed over the years, and what he thinks the future may hold.
This podcast was produced in partnership with the CyberWire.
Dave Bittner Hello everyone and welcome to episode 206 of the Recorded Future Podcast. I'm Dave Bittner from The Cyber Wire. This week, we welcome back to our program security pioneer, Graham Cluley. After starting his career writing the original version of Dr. Solomon's antivirus toolkit for Windows, Graham moved on to senior positions at Sophos and McAfee. In 2011, he was inducted into the Infosecurity Europe Hall of Fame. These days he's an independent blogger, podcaster and media pundit. Our conversation takes a sometimes nostalgic look back at the origins of computer malware, what it was like fighting the good fight back then, how things have developed over the years, and what he thinks the future may hold. Stay with us.
Graham Cluley: Oh, way back in the midst of time in the early 1990s, I was an antivirus programmer and I worked for a European antivirus company called Dr. Solomon's and I was one of their very first programmers. And then I went to work for McAfee, and then I worked for Sophos, and for the last eight years or so, I've been working for myself. I blog, I podcast. Well, I don't stand on stage anymore, but I used to stand on stage and give talks there as well.
Dave Bittner Yeah. Before we move on, you have one of the more interesting, let's call it a party trick, that you used at trade show conferences when it came to malware. And I think it's quite noteworthy. What was it?
Graham Cluley: I used to do this trick. It was a long time ago now. I used to do the trick where I'd stand on stage and I'd say, "Look. I've got no earpiece. There's no one prompting me. There's no one who can whisper in my ear. I want you to shout out the name of a piece of malware and I will tell you what it does." And people would say things like Frodo and I'd say, "That's 4,096 bytes to the length of your files and it displays a message saying Frodo lives," or the Stoned boot sector virus and I'd say, "One in eight times that you boot up your computer, it says your PC is now stoned." Or Friday the 13th adds 1,813 bytes to the length of your common files until that breaks, when it reaches the 64K limits and it deletes your files and you get the idea.
Dave Bittner Right.
Graham Cluley: Isn't it sad I still remember all these?
Dave Bittner How long were you single back then? I want to know.
Graham Cluley: Well, I was an unmarried man. That's true. I basically read malware encyclopedias, but of course two things happened. One thing was that the sheer amount of malware which was coming out dramatically increased as money became the driver. But the other rather more annoying thing is that the malware became more boring because all malware was doing at the time was just would open up a backdoor, a remote access Trojan to your computer. It wouldn't display anything on the screen. You wouldn't announce that it infected you. It wouldn't play a tune by Kylie Minogue through your speaker. So there was nothing really to say about them anyway, because it was all just the imagination and the artistry had all disappeared from malware.
Interestingly, some of that artistry has actually returned because now, of course, we are living in the era of ransomware and ransomware does want you to notice it, at least at some point. Once it's encrypted your files, it wants you to notice it and it will then display a dripping skull or white text on a red background or do something more dramatic like that. So we are beginning to see a bit more of the artistry coming back, but largely it's all doing the same thing again, isn't it? Which is just that it's locking up your files. There's not interesting stories there, but the human brain isn't capable of remembering all the details of malware, which I was able to do in the old days for my party trick.
Dave Bittner Yeah. It strikes me that there was, back in the early days, a bit of swagger that came along with the folks who were creating these things. It wasn't just the technical thing of what they were doing or what they were trying to steal or access. So it was a bit of a flex as well that I can do this. Of course, there are way, way fewer people at it back then, even users of computers. I don't know. I may be going back a little too far, but this was the time when a business would proudly announce, "We bought a computer."
Graham Cluley: Oh, yeah.
Dave Bittner Right?
Graham Cluley: Well, when I started as a programmer at Dr. Solomon's, I don't think anyone had email. There was a lovely lady, used to push around a trolley which had tea on it and it also had memos from other departments. And you'd receive a memo. If you wanted to reply, you'd have to give her the memo for her return trip in the afternoon. And that's the way in which we communicated. We used to be able to read antivirus definitions down the phone to people or even fax them to people. We normally sent them through the post. So there was no electronic distribution of these sort of things, which also of course slowed down the malware, but you're quite right that there were different kinds of people who were writing malware. And back then it tended to be teenagers in their back bedrooms. I don't know. It was a long time ago for you, I know Dave, but when you were a teenager…
Dave Bittner Yes.
Graham Cluley: When you were a teenager, you had so much time on your hands-
Dave Bittner Yes.
Graham Cluley: ... And you didn't have Twitter and you didn't have video streaming services and things like this. And so you would do other things. You might get into music or you might read books. Well, here was a bunch of people who got into computers and they didn't really have a way of demonstrating their skill very much, but they would fall into a crowd, sometimes via bulletin boards of other people who were writing malware. And they would write malware to show off. They didn't have girlfriends, they didn't have boyfriends. They didn't have much of a love life going, so they would show off that way. And they would have grandiose. They sounded like they were members of the World Wrestling Federation. So you'd have SLutty Butt Fast and Apache Warrior and Colostomy Bag Boy and Ice-Nine, and they would all have these names because they're living in this fantasy life where they imagine they're some master coder and-
Dave Bittner They'd create ASCII art logos for themselves.
Graham Cluley: They really did. Some of it, again, was quite artistic. Do you remember ANSI.SYS? This is going to be a real shout out to some of your older listeners. Used to load up in your CONFIG.SYS when your hard boot loaded. You have this file ANSI.SYS, which allowed you to do some elementary graphical things. Not really, but some fancy graphics. And that was the kind of thing which these guys were good at, was ANSI art using extended characters.
Dave Bittner Yeah. Well, it's also hard to recall a time when not all computers were connected to a worldwide global network, 24/7. That as you say, you had to deliberately dial a phone number, connect to a computer, log in, download a file, run that file. We've become so accustomed to this, always on a ubiquitous global network on our mobile devices and our desktop machines. It's hard to imagine it being any other way.
Graham Cluley: I never had that much sympathy for people who have a go at the elderly for, "Oh, they can't cope with installing apps," or, "They can't cope with Netflix or setting that up or having technical problems." It's like, "Guys. The whole world has changed fundamentally in 20 years. Enormously." If you're 80 or something, unless you've had an active interest in technology at the time, it must be bewildering how much has changed in such a short period of time. I'm not that old, but I remember when our computers were not internet connected and if we wanted to check something like the cricket score, there would be one computer, which was on a dial up connection and you would have to visit that computer in your company to dial up or... And also that would act often as a sheep dip or a foot bath computer. So if any software came in to us at Dr. Solomon's at the antivirus company, we wanted to make sure it wasn't infected. So we would have to put it through the sheep dip computer, where we had about 20 different antiviruses installed and scan it with all of them, because we were paranoid about getting infected.
Dave Bittner That's right. Well, let's fast forward to the present here and ransomware continues unabated. It seems to me like, oh, back in 2018 or so we thought that perhaps crypto mining might replace it, but that did not happen.
Graham Cluley: No, it didn't, didn't it? There certainly was a wave of that where there were websites and malware, which was taking over your resources and trying to mine some Bitcoin. It just proved so processor to get yourself even a fraction of a Bitcoin. It didn't really work and people noticed even on their high speed computers, that they were being compromised and having their resources used in that way. So that hasn't really happened. Most of the criminals have seen that there's two huge ways to effectively make a lot of money out of bulletin right now. And they are ransomware and business email compromising. By business email compromising, they include those fake invoices coming from your partners, which often includes some element of business email compromise as well. Those two methods are gaining cyber criminal gangs millions and millions of dollars very successfully. And by using their anonymity via the internet, there's a relatively small chance that they're going to get caught. And so I think for many gangs who've previously tried other methods to make money, they've seen, "Wow, this really seems to work and we can extort money from some of the world's largest organizations as a result."
Dave Bittner Yeah. And it seems as though as long as they are careful not to soil their own garden, to only extort people who are in nations that are not their own, quite often their local governments are willing to turn a blind eye to them.
Graham Cluley: Yes. I can't imagine what countries you're thinking of right now, David.
Dave Bittner Oh, gosh.
Graham Cluley: But yeah, you're right.
Dave Bittner When's the check to see what kind of keyboard you're using? If it has Cyrillic characters or not.
Graham Cluley: Exactly. They will build that into their ransomware because they don't want to accidentally even infect companies based in the same country because they would rather the police did turn a blind eye. And some, of course, these criminal gangs, have literally earned hundreds of millions of dollars through this. And if they've got that much money, chances are they're going to be able to bribe some of the cops who might show an interest as well. I know of one cyber crime gang where I believe the woman he married, the head guy, not only has extremely fast cars with which he does donuts and the like through the streets of Moscow, but apparently he has married the daughter of a high up policeman. And you tend to think, "Well, he's probably going to carry on getting away with it, isn't he?"
Dave Bittner Mm-hmm (affirmative). Keeping it all in the family, right?
Graham Cluley: As long as he never goes on holiday to the States. As long as he never wants to go to Disney World or anything like that.
Dave Bittner But that's part of it too. You see every now and then one of these folks gets lazy and they decide to take a vacation to some country that has an extradition agreement with one of the other Western countries and they get nabbed.
Graham Cluley: Yeah, that is true. I heard a great case the other day, moving on from ransomware to business email compromise, where... I know it was ransomware where this guy basically hacked into a company. He stole some data because of course, that's the other thing that ransomware is doing now, is exfiltrating data and then threatening to release it. So the hacker contacted the company and said, "Hey, I've got all this data. I could release it onto the internet. I'm not going to ask you for money though. What I'm really after is a job. I want you to recognize how brilliant I've been and I would like you to employ me." And so what this company did was they spoke to the FBI. This guy was in Russia or wherever. They spoke to the FBI and the FBI person posed as an HR representative. And so they said, "Well, look. Okay, we agree. We're going to pay for your flight. We're going to need your passport details in order to book the ticket." And this hacker was getting really excited about this. He eventually flew over to Seattle or wherever it was and met a person who he believed was the HR rep for a job interview and turned out to be the FBI person instead. And he got nabbed. So the good news is plain old fashioned human stupidity continues to catch some of these guys at least.
Dave Bittner Yeah. Well, I'm reminded of the one we had recently here where there was a gentleman who wanted to blow up one of the AWS server centers, one of the big, big centers here in Virginia. And he got caught because he was trying to buy some C4 explosives. And-
Graham Cluley: Like you do?
Dave Bittner As you do, exactly. And as luck would have it, the people he tried to buy the C4 from ended up being FBI agents. So they handed over the C4, which of course wasn't C4. It was just some [crosstalk 00:14:22] Exactly. Right. But they provided him instructions on how to wire it up and how it works and all that sort of thing. And he loaded it up in his car and went to haul it away and that's when he got surrounded by police cars and arrested. But sometimes, it's better to be lucky than good. But the other thing that that incident struck me though with was this question, because there was an incident a few weeks ago where there was a fire at a service provider.
Graham Cluley: Oh, we have a data center in the Netherlands. I think it was. Yes.
Dave Bittner Right.
Graham Cluley: Yeah.
Dave Bittner And so what struck me about that and thinking about the potential of a major data center, like an AWS data center, suddenly becoming unavailable, a big smoking hole in the ground, everyone assumes that when they put their data in the cloud, that part of that is that the data is then automatically being distributed around the world and it's being backed up and it's being protected and all those sorts of things. And I have to be honest with you, I am not sure to what degree that is actually true.
Graham Cluley: Yeah. We all assume it, don't we?
Dave Bittner Yeah.
Graham Cluley: But of course it may not be going somewhere else in the world. It may be on the same side. Maybe this is the good news about modern ransomware, Dave, is that where we're all getting a backup when our data is exfiltrated and we're not even having to pay for it.
Dave Bittner Right.
Graham Cluley: We don't have to pay for it until we want to restore from the backup they very kindly made of our data.
Dave Bittner Mm-hmm (affirmative).
Graham Cluley: But yeah, there is this assumption that the cloud is somehow magical, but as someone very wise once said it, it's just somebody else's computer. And if that computer gets blown up, and if there aren't any backups, so it's not being stored securely, then you know...
Dave Bittner Yeah. One thing that I haven't seen with ransomware, there's been the specter of this happening, but I've yet to hear a story of it actually happening, which is not the data just being locked up, not a destructive attack, but the data being changed.
Graham Cluley: Yes.
Dave Bittner Someone going in and altering the data.
Graham Cluley: Yeah.
Dave Bittner And I hear a lot of folks worried about that, particularly when it comes to things like medical information. But so far, it seems like we haven't seen any real world cases of that. Have you?
Graham Cluley: I don't think I have. Maybe it's happening and people simply haven't noticed yet and assume it's regular data getting corrupted, but I'm not sure what the big benefit would be to the person perpetrating the attack. For most of them, it's not that difficult to get money out. I'm not sure you have to go to the extra effort of fiddling with the data as opposed to stealing it or simply locking it up. That seems to work well enough to get people to cough up the ransom. But potentially, if the motives of the attacker wasn't actually to make money, if the motive of the attacker was instead to create confusion or uncertainty about data, then maybe that is something which could happen in future. It'd be interesting, would it? We see so much misinformation now online and we see claims of state sponsored disinformation campaigns as well. I wonder whether in the future, who knows how far away, we might begin to see data being deliberately meddled with in databases so that we just simply aren't sure anymore whether we can trust it. Because that would be a nightmare because even if you have backups, can you trust the backup? How far back you go through the backups?
Dave Bittner Right. Yeah. How do you know? What is the one true copy that-
Graham Cluley: Right.
Dave Bittner ... Can be trusted to be accurate? Yeah.
Graham Cluley: We did use to see malware in the old days, which did that by the way. There was a piece of malware written by a Bulgarian. Here I go with my party trick, again. A virus called Nomenklatura, written by a Bulgarian virus writer called Dark Avenger. And every now and then it would look at your data file and it'd take a little bit of the data from here up near the top of the file, a little bit of data from here, way down in the file, and it'd just swap them over. So nothing was overwritten, but it was like the jigsaw pieces were being moved. And again, really nasty attack that wasn't being done for financial reasons, that was simply destructive in its nature, but it made it extremely hard to know how to recover from it because you wouldn't know what data was right and what wasn't. It was just records in a database.
Dave Bittner There's no log of the pages.
Graham Cluley: There's no log of what they've done and how far back through the backups do you go? And if you go back a year, does that mean you're going to have to reenter all the data in between?
Dave Bittner I'm curious. Being in the UK as you are, do you suppose that there are any cultural differences between the way cybersecurity is approached on your side of the pond versus ours? Are there any cultural overlays that affect the way people approach their security?
Graham Cluley: I'm not sure there is that much. People have told me over the years that they think British people are much more cynical about things and Americans are more trusty. Now, in my experience of IT people from both countries, we both seem to be equally cynical and skeptical because we've been fighting on the front lines for so many decades against the bad guys. So we all have this Eeyore-ish cloud of gloom hanging over us as to what we expect. A lot of the UK's principles of how to deal with attacks and so forth is actually led by America. What American IT administrators are doing, and indeed what the cybersecurity vendors are doing. And most of the vendors these days, let's face it, are American based or American owned. And so I actually think culturally, more and more of the world is becoming a little bit more American in terms of how it handles cybersecurity.
Dave Bittner Yeah. As we start to open up here and the vaccines are rolling out, businesses are opening, people are going out and about, what do you suppose we're going to see on the security side and people taking those machines that they've had at home back to the office, plugging them in? What do you think we're in for?
Graham Cluley: Well, I think one thing we probably should all consider, because we haven't been thinking about it too much, is the risk of leaving devices on public transport, on trains, and taxis. Remember we used to worry about that all the time? Or leaving it in the back of your car? And you haven't been doing that recently because you've been static in the main. You've been working from home or in some cases, some people did carry on working in the office, but most people just carried on in one particular place. What I think there's going to be is a slow transition for many people because this remote working has in the main worked probably far better than many people anticipated.
Graham Cluley: So I think there will be some people who will be in no rush to come back to the office. But those people who are beginning to be asked to come back into the office, we suddenly need to have to consider the security of those devices as they're transported back and forth. And of course, you need full disk encryption, and you need strong passwords and all the things which we normally talk about as well. But it'd be interesting to see if much changes. A lot of people have predicted that there'd be a huge peak in cyber crime with people working from home. I'm not sure if that's really happened. I think there'd been some new challenges. But overall, I'm not sure that it's massively accelerated in all areas.
Dave Bittner Our thanks to Graham Cluley for joining us. You can find his writing at grahamcluley.com and his podcast is Smashing Security. Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel. We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future Podcast production team includes coordinating producer Caitlin Mattingly. The show is produced by The Cyber Wire with executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.