Organized crime writing viruses?

  • Organized crime writing viruses?



    Short sum:

    Organized crime is writing viruses like SoBig.F so they can hack into computers and steal bank, investment and credit card information. They then take said information and rob you blind. SoBig.F is claimed to be one of their experiments into mass ID theft from computers.

    I suppose it was only a matter of time before crime realized the criminal potential of trojan viruses. Scary stuff if you ask me.

    Jammrock
    “Inside every sane person there’s a madman struggling to get out”
    –The Light Fantastic, Terry Pratchett

  • #2
    Yo! Tony, let's use Bustacap.exe...

    ~Sethos
    "...and in the next instant he was one of the deadest men that ever lived." – Mark Twain

    Comment


    • #3
      I was kinda thinking MS released the viruses actually... but then again there's not all that much of a difference from them and organized crime.

      Comment


      • #4
        MS did release one. They called it "Windows"
        "I dream of a better world where chickens can cross the road without having their motives questioned."

        Comment


        • #5
          Originally posted by Byock
          MS did release one. They called it "Windows"
          Windows ME if we're being pedantic!

          Comment


          • #6
            In my opinion, this notion is a load of codswallop. Organised crime is not interested in the little idiots who haven't got enough sense to put in firewalls and up-to-date anti-virus software. They would be after cracking into the banks and suchlike. For the moment, these have always been one or two steps ahead of the crackers.

            This crime is perpetrated by little guys. Remember, the SobigF uses a Trojan Horse to obtain users' info and there is nothing new about such animals, they have been around for years. What is new is combining a TH into a worm and which can seek its own updates and therefore keep propagating its own mutations for as long as it's not eliminated.

            This beastie and its variants will be around for a long time.
            Brian (the devil incarnate)

            Comment


            • #7
              From little trojans BIG CRACKS grow.

              I think trojans/worms are a standard item in most crackers' toolkit.

              Those little users are the stepping stones used to obscure and gain access to the Big ones..

              Comment


              • #8
                Actually...think of it in terms of Organized Crime... you pay protection money to get a heads up (and maybe a pre-emptive fix) for the next Big Nasty that hits the Net... Oh yeah, I can see this being a definite venue for Organized Crime.

                It wasn't so long ago that people were wagging their tongues about McAfee releasing Nasties to get people to buy anti-virus software.
                Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine

                Comment


                • #9
                  Originally posted by Marshmallowman
                  From little trojans BIG CRACKS grow.

                  I think trojans/worms are a standard item in most crackers' toolkit.

                  Those little users are the stepping stones used to obscure and gain access to the Big ones..

                  MMM

                  How does cracking the Pentium II of a typical mindless home user without security get you into a "Big one's" computer?

                  Yes, I know some businesses have been infected with SobigF and MSBlaster, as well, but this is only because they engage IT administrators who have no clue what they are doing. I actually witnessed, ~15 years ago, an entire SME corporate network being infected with Yankee Doodle Dandy. I'd sold them a complex CAD system, for which they bought an ad hoc PC from a local dealer. Before installing the software, the IT admin wanted it set up for one of the corporate networks and he tested it by sending the MS-DOS folder to the server as a back-up file. The supplier had delivered it with the virus installed on all the COM and EXE files. Needless to say, it escaped into the server and thence through a gateway to the other corporate networks. When it was discovered (initially on the new computer), the IT "Administrator" rushed upstairs to get a floppy with McAfee on it, but you cannot stem a tide with a broom. This kind of crass ignorance is inexcusable. If I was the bossman of a company today, and the IT system got infected, no matter how, I would sack the IT Admin guy, on the spot, on the grounds of gross negligence.
                  Brian (the devil incarnate)

                  Comment


                  • #10
                    When a "cracker" gets one of those little users, they set up a relay, in fact they are likely to have several. The idea is that these act as host for a relay/tunneling agent, the more relays the supposedly better chance he has of not being tracked.
                    Most of these trojan/bots are used for stuff like DOS attacks. Which is a real threat in itself... send me $XX or your servers go down!!

                    The more subtle use of these trojans/bots is a lot more disturbing and is probably a LOT rarer, but the kind of damage they do will often never be publicised, either because it is not detected or it's too embarrassing for the company (BANKS).

                    Also, if someone who happens to be a manager or something of a large company AND he has cached/stored passwords for something important... the cracker has a head start. (Windows password storage is not known for being robust)

                    It might be rare, but it certainly is a growing "business". Just after the USSR dissolved there were a lot of reports about Russian mafia and crackers going after "lucrative" US banks

                    I do think 98% of the stuff floating around is just nuisance L33Tists

                    Comment


                    • #11
                      MMM

                      If you consider the rigmarole it takes to access the sensitive data in a bank, I don't really think that this is a real threat. I have 2 netbanking a/c.s. To get into them, I have a contract number (8 digits). When this is approved, the bank site displays a random 6 digit number from which a code is generated by an individual a/c algorithm. I have a little calculator into which is slotted a "Smart card" with my a/c algorithm. I switch this on and it asks me for a 6 digit pin number: if this is the same as for the card, it then asks me to type in the random number to the calculator, whereupon it displays an 8 character alphanumeric code which I have to type into the computer. If this is identical to the calculated one on the bank server, I am allowed access. If I try thrice and fail, then all access is blocked and I need a new card to re-start it.

                      It would be easy to guess at a contract #, but a cracker would then need to know the user's pin#, the individual calculation algorithm and the random number. And he's only allowed two wrong guesses before he has a last chance and has to start again. And all this is done under 256 bit encryption, to boot. As it happens, I asked the security guys in this bank for stats, about 2 - 3 weeks ago. They replied that they have hundreds of attempts per day (including erroneous real entries). Since they introduced this system about 1 year ago, no one has succeeded in getting past stage 2. The single attempted fraud that was committed with the system was a case where a client lost his card and calculator or had it stolen. He had the contract and PIN #s actually written on the calculator. He reported the loss to the bank and they cancelled the personal algorithm but the contract number was routed to a special server (for recording the IP of all callers) which printed out the IP number of the caller, who was arrested a few minutes later! The security guy told me that their calculations had shown that if someone programmed a powerful PC to systematically go through all the possibilities to hack through an access, it would take them over 750 million years, on an average, before succeeding, assuming he used a different IP address for every 100 calls in a day (another security block).

                      The same bank has no back door, either, as their Intranet throughout the country and internationally is 100% over private optic fibres and private sat "wires" and does not use public transfer protocols. Any error of more than a single bit in a packet or two consecutive packets with an error will divert the problem to a security server where it is analysed.

                      My other bank is certainly less secure but requires three numbers, one of which is variable and one other changed monthly. Even with this, they give a written guarantee that anyone suffering from loss of money from illicit NetBanking activities will be integrally reimbursed, so they must be pretty confident.
                      Brian (the devil incarnate)

                      Comment
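
The challenge-response login described in post #11, as an added sketch that is not part of the original thread and not the bank's actual system. HMAC-SHA256 and the names `response_code` and `Account` are assumptions standing in for the undisclosed per-account algorithm; the card secret is a constructed sample value.

```python
import hashlib
import hmac
import secrets

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MAX_TRIES = 3  # three failed attempts block all access until a new card is issued


def response_code(card_secret: bytes, challenge: str) -> str:
    """8-character alphanumeric code derived from the bank's 6-digit challenge.

    Assumption: HMAC-SHA256 stands in for the card's per-account algorithm.
    """
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    n = int.from_bytes(mac, "big")
    chars = []
    for _ in range(8):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


class Account:
    """Server-side state for one netbanking contract (hypothetical model)."""

    def __init__(self, card_secret: bytes):
        self.card_secret = card_secret
        self.failures = 0
        self.challenge = None

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_TRIES

    def new_challenge(self) -> str:
        if self.locked:
            raise PermissionError("access blocked: a new card is required")
        self.challenge = f"{secrets.randbelow(10**6):06d}"  # random 6 digits
        return self.challenge

    def verify(self, code: str) -> bool:
        if self.locked or self.challenge is None:
            return False
        expected = response_code(self.card_secret, self.challenge)
        self.challenge = None  # each challenge is valid for one attempt only
        if hmac.compare_digest(expected.encode(), code.upper().encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False
```

Because each code is bound to a fresh single-use challenge, a code captured by a keystroke logger does not verify on a later login.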


                      • #12
                        Brian:

                        Those smart cards are getting more popular. My brother-in-law has to use one to access his company's secure site now.

                        Gpar_
                        The Internet - where men are men, women are men, and teenage girls are FBI agents!

                        I'm the least you could do
                        If only life were as easy as you
                        I'm the least you could do, oh yeah
                        If only life were as easy as you
                        I would still get screwed

                        Comment


                        • #13
                          All I need for my account is two passwords and a memorable phrase. I think any keyboard logging trojan would manage that. Then I'm not a big fish.
                          Chief Lemon Buyer no more Linux sucks but not as much
                          Weather nut and sad git.

                          My Weather Page

                          Comment


                          • #14
                            TP

                            Maybe you need a bank that takes security seriously????????

                            Even before the smart card system I mentioned, and for several years, I could not log on without an 8 digit ID#, a 6 digit PIN# and a 4 digit strike-out# from a list, so that it changed on each log-in, again with a max of 3 tries. If you made a mistake with the strike-out#, it told you the last one, so that you could find it on your list to give the correct next one. OK, I agree that the odds on a TH finding the first two are high and the chances of hitting, by random, the third one would be ~3300:1, but the keyboard logging TH was unknown in those days and my firewall should have stopped the TH from reporting out, anyway.

                            Why are people so reluctant to use firewalls?
                            Brian (the devil incarnate)

                            Comment
