As a data security specialist, Jeremy Pickett sees all kinds of digital tricks. So on Mar. 20, when he was tracing the origins of a computer bug that had been blocked the night before from entering a client's computer network, Pickett wasn't too surprised that it tried to connect with four sleazy Web sites, most of them, he believes, in Russia. Or that it then tried to load victims' PCs with as many as 30 new pieces of "malware," ranging from spam programs to those that automatically dial in to expensive phone-sex services.
But the real shock came when Pickett decided to test another bug by infecting his own PC with it. Out slithered a program that promptly installed itself deep inside his computer. There it became virtually immune to detection from the basic antivirus software that scans for dangerous code. The bug -- known as a "Trojan," which in turn was hidden inside a "rootkit" -- was designed to activate whenever a Web surfer typed in a user name or password for bank accounts or Web sites for dating, social networking, or e-mail. Pickett went to a bank site and entered fictitious log-in information. Right before his eyes, those data were sent streaming back to Russia, joining the IDs of thousands of real victims. His reaction: "absolute horror."
This nasty bit of code, appropriately named "the Hearse" by Pickett's employer, Sana Security Inc. in San Mateo, Calif., is threatening to raise the stakes in the spy-vs.-spy war over cybercrime. That's because the average computer security program sifts for known worms and viruses on PCs. But rootkits cloak data-stealing code so that it can hide in the deepest guts of Windows software without showing up in task lists as an active program. Criminals, having greatly expanded their knowledge of Windows' inner workings, are flocking to this new tool. Russian computer security company Kaspersky Lab estimates that on average 28 new rootkits emerged each month in 2005, up from six per month in 2004.
Only five of 24 antivirus outfits picked up the Hearse outbreak by Mar. 21, according to virus tracker VirusTotal.com. At first, antivirus giant Symantec Corp. (SYMC) was not among them, though it says it detected the bug the next day. In one of the first real-time cyber stakeouts, Sana monitored one of the Russian Web sites for four days in late March. Ironically, it was left open to public view thanks to a security lapse by its unknown operators. Pickett watched as some 90,000 pieces of personal data from clients of more than 6,500 companies flowed across his screen. "It's like [Pickett] put on night vision goggles and watched," says John M. Frazzini, CEO of Secure Systems Corp. and former head of the Secret Service's Electronic Crimes Task Force in Washington. The show lasted until a Russian Web host, warned by Sana, took the site down on Mar. 24.
Equally alarming is the roster of victims, a cross-section of American business. Customer accounts for companies such as social networking site MySpace.com (NWS), auction site eBay Inc. (EBAY), credit-card and banking company Capital One Financial Corp. (COF), and Internet service provider AOL Inc. (TWX) were compromised, BusinessWeek learned. Names and passwords from over 2,000 MySpace accounts were stolen. Spokeswoman Dani Dudeck says the company "takes user privacy and site security very seriously and quickly responds to all potential threats."
Many companies, though menaced anew every day, still don't have systems in place to react quickly to warnings. When Pickett and co-workers contacted some of them, they received automated e-mail responses or had to call multiple people. One unnamed company reported Sana officials to its nuisance department. Some moved faster. EBay quickly blocked compromised accounts until new passwords could be set. Bank of America Corp. officials immediately contacted the Secret Service's Criminal Investigative Div.
And the Hearse? Analysts suspect the hackers simply moved to a new, undetected collection spot. Warns Sana CEO John Zicker: "How deep does the rabbit hole go? Did we get there? No."
By Brian Grow