Much to my surprise, one of the aspects about the Mariposa case that has attracted most attention in the media is that the criminals involved were not the typical cunning IT wizards as portrayed in Hollywood films about these types of leonardo_da_vincicharacters. Yet this is just a reflection of other periods of enlightenment, when there were multi-disciplinary geniuses, such as Leonardo da Vinci, who were capable of outstanding artistic and scientific feats; unique individuals able to make us believe that human ability had no bounds.

When we hear on the news that a hacker has been arrested, we tend to imagine a person who can almost magically enter any IT system in the world, whether it is infiltrating NASA’s databases to see if there is extraterrestrial life, or hacking his employer’s server to bump up his own wages. But it’s not our fault, this is what we are used to seeing in the movies. One of the most memorable scenes that reflects this mythicising of hackers occurs in the film Swordfish, where after knocking back a tequila, Hugh Jackman is forced to enter the US Department of Defense swordfishnetwork in 60 seconds, with a pistol at his head and a gorgeous blonde giving him some ‘oral stimulation’. All of this takes place in a disco, with John Travolta and Hale Berry eagerly looking on. And does he manage to hack into the DoD’s systems? Of course he does! 🙂

In the real world, it’s true that there are a few people capable (almost) of working miracles with computers. I know one or two of them, and fortunately they are with the good guys. However the reality is that as human beings we tend to specialize, becoming very good at specific things, and so it’s unlikely that we’ll witness another Leonardo da Vinci any time soon. At the beginning of the computer era, there were many ‘Leonardos’. People who could conjure up all sorts of extraordinary things with software and hardware. Here at our laboratory there are a few people like that, able to reverse engineer the latest Trojan, or build an adaptor so that a ZX spec8[1]Spectrum+2 can read Compact Flash cards. But time moves on, technology evolves and the only way to stand out in any field is to specialize. Here in the laboratory we have technicians specialized in rootkits, banker Trojans, etc. Could we turn our hands to sales? Possibly, but no doubt we would be selling a lot less antiviruses 😉

The same thing happens in the world of cyber-criminals; when the first viruses appeared, there was just one person responsible for all the development work in each virus. Nowadays, several groups will work on the development of different modules of a Trojan. They will also work to order, receiving specifications from clients and agreeing on a price for purpose-built projects, such as designing malware able to steal passwords from the customers of a specific bank with a view to identity theft. Once a client has bought the Trojan, they will put it into action, infecting computers and stealing information. This will be their own specialist area, and it is to this area that those who have been arrested in Operation Mariposa belong. Soon, no doubt, we’ll have information about others involved, those specialized in recruiting money mules and withdrawing money from victims’ accounts, and surrounding this mafia we will see that there are numerous other players, each with their respective tasks, just in the same way say, that there are auxiliary businesses that depend on the motor industry.

When a business is profitable, large companies emerge (in this case it would be more accurate to talk about mafias) and the work involved bears increasing similarity to that of any other company: meetings with clients and suppliers, training courses… In the case of rogueware (fake antivirus) we have a clear example. In certain Eastern European countries young programmers are hired specifically to design these applications. If they lived in the US, they would probably be working for Microsoft or Google, if they were in Spain perhaps they would be working at PandaLabs chasing down the bad guys, but fate would have it that they are in a situation in which they don’t have many options. And if you were a programmer and you were offered a well-paid job, would you turn it down? The moral implications of working for such a mafia are quite clear, but when the alternative is hunger or loading bags of sand in order to afford some rice or perhaps get a couple of slugs of vodka, what would you choose?

But let’s not dedicate too much time to the last link in the chain. The true problem lies with these criminal gangs that contract the hackers, and their apparent immunity from the law. When arrests are announced, it is very often those of specific individuals that have slipped up, yet I can’t remember a single occasion in which an entire criminal gang has been brought down. Here in the security sector we are making serious efforts. Law-enforcement agencies around the world are aware of the situation and are truly conscientious in their work. Yet we are barely scraping the surface. Occasionally we catch the small fry, yet the big fish are still swimming free.

It is essential that we continue to work in a coordinated way, and the support from public authorities is essential. But careful, I’m not saying that “the nanny state” has to intervene to save us, just that governments should fulfill their obligations and prioritize what is important; passing laws which, without infringing upon the freedom that exists on the Internet, facilitate an effective effort to combat cyber-crime. This means that if you steal someone’s identity, you’ll pay the price; that cyber-criminals will have to think twice before stealing users’ information. There must be collaborative agreements between countries in order that investigations can be carried out speedily, without giving time to the criminals to cover their tracks.

We still have a long way to go. We still need to make those in power aware that we are facing a real, major problem, and that we need to act now before it’s too late. We, as citizens, are the victims of the situation, but we are all citizens: laborers, politicians or police, we are all potential victims. As long as there are countries in which it is not an offense to create and control a network of millions of bots, and yet at the same time you can end up in jail for downloading an MP3, we obviously still have a long way to go to resolve the problem. After the arrest of the criminals behind the Mariposa botnet, and their consequent release without bail, we joked in the laboratory that in order to remain behind bars they would’ve had to have downloaded a film from eMule. Sad but true.

The good news, I suppose, is that the situation is so bad that there is a good chance it will improve. I for one am committed to doing all I can, personally and through PandaLabs, to achieve these objectives.