Sophos' Graham Cluley: The end of the widespread virus era is at hand

Do more Trojan horses come from basements or caves?

Cluley: Last month, we saw the biggest amount of brand-new malware we had seen since we started in this business 20 years ago. We saw 2,312 brand new Trojans, viruses, worms, and pieces of spyware, which is astonishing. When I started in this business, there weren't 400 in total. So it was a huge jump that we saw. And because of that, people need additional ways to protect themselves, because the new stuff is coming out so quickly now, and in such quantity.

TG Daily: Of those 2,312 from last year, at least some of it had a little bit of ingenuity to it. I mean, it wasn't just the ILOVEYOU virus rewritten, was it?

Cluley: No, although an awful lot are very similar Trojan horses these days. That's one of the really big growth areas we've seen. As you probably know, the virus writers are becoming more financially motivated. That's why they don't write worms like "Kama Sutra," because [when] they infect too many people, they make the headlines and they're too obvious. So they write Trojan horses which don't travel under their own steam, that can be sent to a small number of people. Then the virus writers know who they're targeting. They don't want 200,000 credit card details; they couldn't handle it. What they want is 200 credit card details, and once they've dealt with those, "Right, let's have another 200."

TG Daily: You make an interesting point there, because by its nature, you'd think a virus must spread itself; but part of the reason for doing that is the notoriety of it, which the financially motivated guy doesn't want.

Cluley: Definitely do not want. What they are doing is using other people's computers to spam out the Trojans - maybe to a small number of people, so they go under the radar, don't draw attention to themselves, they can be in place maybe for weeks or months. They don't want to draw attention to themselves from the anti-virus community either. Whereas a worm like this recent one is so obvious that, of course, all the anti-virus vendors had patches for it two weeks ago.

So it is fascinating how the whole scene's changing. Trojan horses used to be a complete non-area in viruses; they didn't appeal to the virus writers because they didn't spread themselves, didn't give them the notoriety they wanted. Now, over 63% of all the malware we've seen written is Trojan horses.

TG Daily: Six years ago, when the Y2K scare turned out not to be a terribly bad thing after all, a lot of individuals blamed the messenger for over-hyping it, as if the danger wasn't real to begin with. I wonder whether a similar backlash will happen as more of these less financially motivated, more conventional viruses start to play themselves out in the media. There were reports of up to 500,000 computers possibly infected; and as it was discovered today, no, it's not that bad because, as you say, everybody's prepared. But once that cycle starts to close, I'm wondering whether there's going to be a backlash of skepticism among individuals, saying, "Ah, these viruses aren't such a big deal!" And then that actually creates a lack of preparedness as a backlash, which may start the whole wave over again.

Cluley: There has always been, and probably always will be, a cynicism about the anti-virus industry. I've heard for years, "I bet it's you guys who really write the viruses." I say, "Yeah, yeah, and it was us on the grassy knoll in November 1963." And "it's the dentists who put all the sugar in fizzy drinks." The thing is, with this latest worm, I'm sure some people will be thinking today, "Augh! They spun us a line again; they let us down again!" And that is a shame, because people might let down their guard.

But I think most businesses recognize that actually, although this may not have been as big an event as some of the newspapers and vendors may have suggested it might have been, they still know that they have to keep on protecting themselves every single day of the year, not just focusing on today, but there are threats coming out all the time which they have to defend themselves against.

I don't actually expect that this new virus is the first of many old-school viruses to return. I think most of the amateurs - if you can call them that, the teenage kids - have sort of left this market. There's probably a few hanging around; but I think [the rest] have been scared off, because these days, the virus writers, the hackers, the spammers are getting serious jail sentences. Most people in the underground community who are doing it for kicks realize that they've got an awful lot to lose these days from getting themselves involved. It's not like the old days. So it's the more professional organized criminals who are doing this.

I don't think we're going to see an avalanche of headline-inducing viruses in the future. I think the financial ones are going to carry on, and probably get much worse.

TG Daily: You're saying, we're moving away from the era of what I call the "Elroy Jetsons" of the world, the boys in their dads' basements who are trying to make a show for themselves, and we're starting to see an era where we need to turn our attention more to professional thieves and, conceivably, terrorists.

Cluley: Yeah, the terrorist thing... Certainly, I agree about the thieves. I think the terrorist thing has been overplayed in the past. Of course, there is disruption you can do with computers and things like this, but I always think, well, if terrorists could cause such a big problem with viruses, why haven't they done it already? It's not hard to write a virus. I could teach you how to write a virus in 45 minutes. In fact, it's an awful lot easier for them to write a virus from some cave in Afghanistan than it is to get a lorry full of explosives to the center of New York - it puts them at less risk.

So the terrorist thing might be overplayed, but I think certainly, there are many criminals out there who are recognizing they can make a lot of money. Of course, terrorist groups need money, too. So they may well be using this as a way to help finance some of their operations.

TG Daily: But you ask, why haven't the terrorists done this already? There are some people in Homeland Security and other departments who say, "Well, the reason you don't know that it's happened is partly proof that we've been doing our job, but we just can't tell you how well we've been doing it."

Cluley: Yeah, well, come off it. That's handy, isn't it? We've got bases all around the world, we're looking at the world's e-mail, we protect government departments. We do occasionally see hacking attempts and Trojans which have been written for specific government departments; there's been no evidence, though, that these have been terrorist-inspired. And the other thing is, of course, it's just as easy for us to write an antidote to a virus written by a terrorist as it is to write one [for a virus] written by a pimply teenager. It makes no difference to us. There are over 120,000 viruses in existence now. So a handful more really don't make much difference.