Can Batman rescue business from Bugat, Carberp and ZeuS?

One of the great infosecurity myths is that consumers are the primary target of cyber-criminal gangs. Anyone who has spent some time working in the industry will know the truth: business has been under siege for years. For every business breach story that makes the news pages, at least 99 remain unreported. There are probably another 100 that go undetected, so why the media blackout?

Allow me to quote the CEO of a high street business with whom I lunched this week, and who indirectly answered this question when the conversation got around to breach disclosure: "what happens on my network is none of your business." This can be interpreted in many different ways, although I would argue the main contenders for the true meaning of an off the record and off hand remark are 'Disclosure is a bad thing as it weakens consumer confidence in our brand, therefore we will only admit to a security problem if we have to' and 'Just like every other business, we come under attack on a regular basis and we deal with it. How we deal with it is not for public consumption and should not be of public concern. The fact that we deal with it is all that matters.' I would only add that if a breach occurs that somehow touches my data, then at that point it does become a public concern but otherwise I am not really interested and neither should you be. When it comes to the financial services sector there are already some pretty strict disclosure rules in operation and these function in a most acceptable way.

With Stuxnet soaking up the headlines after going for the Iranian nuclear power jugular and GCHQ warning that UK government computer systems face at least 1000 targeted malicious attacks every month, there is no real point in arguing that the phrases 'cyber-attack' and 'geek fantasy' are interchangeable any longer. If proof were needed that business is also pinpointed on the cyber-attack map, then I'm happy to provide it. Some will say that the ZeuS Trojan is aimed squarely at consumers but not I. The banks are the target, not the consumers whose computers are compromised.

It is the banks which have lost more than £40 million worldwide to date, and the total could end up being be higher than that. Then there is the ZeuS Trojan variant known as Bugat which targeted LinkedIn users recently, and you cannot get more corporate than your average LinkedIn user. This is a clever reworking of social engineering and spear phishing with traditional criminal activity, dropping Trojan cluster bombs where business people congregate in order to compromise business systems and appropriate cash and resources. Carberp is another case in point, being used to launch sophisticated fraud attacks on financial institutions.

Business is fighting back, aided by Microsoft wearing its underpants over its trousers and waving a big 'POW' sign over its head. Microsoft has finally added Zeus removal capability to the Malicious Software Removal Tool (MSRT) which should make a major dent in the ability of the Zeus Trojan to spread as virulently as it has in the recent past. If Microsoft is Batman, then IT security admins at businesses across the UK are Robin. These guys are also ensuring that systems are fully patched and detection systems deployed to prevent the likes of Bugat, Carberp and ZeuS from getting in.

I am under no illusion as to how serious the malware threat to business in the UK is, and cannot come to any other conclusion than 'cyber-attack' probably being the correct description for what is happening to those operating within the financial services sphere right now. To the Bankmobile, Batman!