Who Makes Malware? Am I Paranoid, or Are They After Me?

Last week, I wrote about old Internet scams not dying. This was prompted by a couple of attempted scams on some of my clients. (I do not count attempts on my own system because I suffer several attacks every day from something or another. I sometimes deliberately let an isolated machine get infected just to test my protection. This is probably not an activity for the faint of heart.) But I was surprised at the meeting of a club I attend to learn that there seems to be an epidemic of malware attacks in progress. I have no real statistics, but after several months of no one complaining about being attacked, three members related incidents and several nodded. Fortunately only one of the infections was serious enough to provoke a factory restore.

Although we tend to become inured to the presence of bad guys trying to corrupt our systems via the Internet, I wonder sometimes if something more serious is going on here. Two weeks ago I categorized the creators of malware as either trying to steal things (money or control of your computer for nefarious purposes) or simply trying to have perverted fun by harming or harassing other people. At the risk of being dismissed as a total paranoid, could there be something else at work? Can some of these attacks have a more sinister origin?

We all know that modern warfare has a cyber-component. We hear rumors of viruses being deliberately planted in Iran’s nuclear facilities to destroy the centrifuges. All countries have teams working on both sides of the cyber-security issues. If you wanted to bring another country to its knees cheaply — much more cheaply than using various explosive objects — then bringing down its banking system by infecting it with appropriate malware would work nicely. Your only hardware cost might be a small computer and an Internet connection. Assuming you already have a team that has developed the malware, your operating expenses are minimal. Such an attack is certainly more cost-effective than conventional weapons or even suicide bombers.

A major problem with developing cyber-attack tools is how to test them under realistic conditions. You cannot just shut down a minor country as a beta test. Besides, the first time you bring down any major system, everyone knows it can be done, and they might even be able to figure out who did it. More important, they might have time to develop counter-measures before you can deploy a fully working attack. The situation is similar to what would happen if you stole a military tank: the first time you take it out for a ride, everyone knows. The second time you take it out, someone probably has a shoulder-mounted missile waiting with your name on it.

So what would you do if you were part of an elite development team working for a major government to develop cyber-weapons of mass destruction? How would you test them? I suggest that one way would be to unleash minor variants on individual consumers to measure their effectiveness in propagating and to see how quickly counter-measures can be found to neutralize them. This would be inexpensive testing on a global scale. In fact, you would actually be commandeering the anti-virus software providers and individual PC users to do development research for you in addition to their obvious utility as reluctant testers.

Now combine that thought with the occasional coup such as stealing credit card information or hacking into a large corporation’s private network. These things make the evening news, but we can assume that other successful attacks are not reported. The victims prefer to keep it as quiet as possible and fix the issue. That is, the events we hear about in the open press are almost certainly only a lower limit to what has actually occurred.

How about minor annoyances like Internet access slowing down for no apparent reason or even becoming intermittent? Are you completely sure your computer has not been made a zombie?

Are these worries just paranoid ranting? Maybe, but maybe not. I only mean to explore the possibility that not all of the malware attacks we suffer are due to simple greed of petty criminals or the perverse enjoyment of misanthropes striking out at innocent victims. What we see might be just the tip of a cyber-iceberg heading for our Titanic.

One problem with musings like this is that they are almost impossible to disprove. A true paranoid would argue that the lack of proof of governmental interference is evidence of a high-level cover-up. Certainly no government is going to voluntarily ‘fess up to deliberately infecting civilian computers as a test, but we know that in the past governments of all types have had no problem infecting unsuspecting citizens with actual diseases or lethal dosages of radiation “for the greater good.” We also know that all major governments have developed or tested biological weapons, and that sometimes accidents have happened. So there is reason to at least consider the possibility that some of the malware normally experienced by my senior PC user friends is not generated by private individuals or criminal gangs.

So what? How would your life be different if you knew that the Trojan intercepted by MSE was a cousin to a clandestine tool designed to compromise the entire banking system of the United States of America? Conspiracies are difficult to disprove (witness the conspiracy theories still propagated about the Kennedy assassination), but that does not mean all conspiracy theories are bogus.

Malware is a fact of life just as the threat of nuclear annihilation is a fact of life. Neither should stop us from doing or enjoying things we like. One takes precautions and presses on. Besides, we have no evidence that malware originates from government development, do we?