Nov 24 2008

Does the banking industry really care about the Sinowal trojan?


Windows Secrets editor Woody Leonhard and I go way back. I mean waaaay back. We moved in some of the same circles in those halcyon days when I worked deep within the financial industry. I labeled him “one of the foremost authorities on macro viruses” in the previous millennium.

Leonhard asked for my viewpoint while fleshing out his recent column on the Sinowal trojan, aka the Mebroot trojan. Let’s pick up at the point where he mentions me:

So, you’d figure the banks and financial institutions being targeted by Sinowal / Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that’s still harvesting accounts should send a shiver up any banker’s spine.

I asked Rob Rosenberger about it, and he laughed. Rosenberger’s one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.

“I’ll be labeled a heretic for saying this, but … from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.

“Banks have dealt with this kind of fraud for many, many decades,” Rosenberger continued. “Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud.”

The banking industry will call me a heretic, claiming “we actually do quite a bit to reduce this kind of fraud!” Very true — but government regulations force bankers to be accurate, not to be advocates. If your credit card gets harvested, a banker will correctly tell you to file a police report so the cops can catch the robbers.

The government, too, will call me a heretic, claiming “we actually do quite a bit to reduce this kind of fraud!” Very true — but law enforcement agencies focus on protecting the society, not the individual. If your credit card gets harvested, a policeman will correctly tell you to file a copy of the report with your bank so they can credit you for any fraudulent transactions.

Let’s get back to Leonhard:

If the bankers aren’t going to take up the fight against Sinowal / Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.

In this particular case, the major AV packages have failed to detect Sinowal / Mebroot over and over again. It’s hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they’ve left the barn, so to speak.

Very true. Vmyths has documented quite a bit of wolf-crying over the last two decades. I’d give you a link to something more specific … but I honestly don’t know where to begin.

And despite all their chest-thumping, the antivirus industry doesn’t put their money where their mouth is. They’ll only go so far as to announce they’ve joined “the fight against crime,” as if to lend credibility to the fact they wear tights & capes & codpieces and fight whatever crime amuses their shareholders.

Chest-thumping law enforcement agencies don’t put their money where their mouth is, either. You don’t hear about the U.S. Justice Department offering rewards for information leading to the arrest & conviction of credit card harvesters scattered all over the world.

Microsoft finally one-upped everyone when they set up a $5 million “Anti-Virus Reward Program.” Despite all their chest-thumping, the antivirus industry remained mostly silent about it. Go figure.

Continuing with Leonhard’s column:

The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.

Very true — but here I must defend the antivirus industry. They tried to offer “behavioral monitoring and other techniques” back in 1991, much of it based on techniques proven in the 1980s by Andy Hopkins and Wolfgang Stiller, et al. Antivirus firms couldn’t market their newfangled “hybrid” products because their customers wanted nothing to do with them. They blindly demanded virus-scanning technology, period.

Leonhard goes on to say:

The only company that seems to be in a position to fix the [exploited vulnerability] is Microsoft. But it’s hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP’s successors (I use the term lightly) don’t appear to have the same flaw.

This is short-sighted, however. It’s only a matter of time before Sinowal / Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.

I agree very strongly with Leonhard. Quoting myself from a previous column: “Symantec worked for years on Vista’s security back in the day when Microsoft called it the ‘Longhorn project.’ We know this because, years ago at a global Virus Bulletin conference, Symantec gave a hoity-toity speech on all of the new types of malware they feared would debut with Redmond’s new operating system.”


So. Who (besides the criminals) can we blame for present and future Internet-centric credit card fraud?

  • You can’t really finger Microsoft. Their customers scream so much for ease of use that it drowns out any whimpers for cumbersome security.
  • You can’t really finger the antivirus industry. Their customers still demand inferior technology.
  • You can’t really finger the customers. They only know what they find on store shelves.
  • You can’t really finger the government. They’re just a very large customer.

You could almost describe it as “four corners of stagnation,” couldn’t you? Continuing with Leonhard’s column:

If Microsoft decides to take on Sinowal / Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says ‘I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup.’

Aha, but the initial setup would be just that — initial. These Sisyphean programmers would toil forever just to keep up with the bad guys. It would be like … um … like … well, it would be like working at an antivirus firm, wouldn’t it?

Now, don’t get me wrong! I’ve long believed an elite team could tackle this eternal project. But they won’t work for Microsoft, they won’t work for an antivirus firm, and they certainly won’t work for the banking industry. There’s simply no profit in it.

A product for the good of society that prevents credit card harvesting would need to come from a government team working towards society’s best interests under the auspices of, say, US-CERT.

Just don’t hold your breath for a government solution to credit card harvesting over the Internet. As I told Leonhard: “from a banking perspective, frauds like this have never qualified as a major threat.” The technology of fraud gets better each year, but this type of fraud remains consistent. Government officials and bankers alike will highlight the need for “user education” and that will be that.

From a banking perspective, Leonhard is just one more person with a Cassandra complex.

  • By utterbackk, 24 November 2008 @ 12:01 pm

    Sorry, Rob…I’m still trying to understand how to use the comment thing, here. I seem to have commented on an article that was pretty old. Glad to see you still at it and sharp as ever.

  • By andi1950, 30 November 2008 @ 7:29 am

    Have you read any of Tom Clancy’s ‘Net Force’ novels? Maybe it’s past time for an organization such as this.
