Cyber warrior

Trend Micro is putting up a global fight against computer viruses. Chairman Steve Chang explains why ‘cybercrime’ is not going away.

Steve Chang has a personality that is as infectious as the computer viruses his company combats.

He looks younger than his 53 years, wearing a Trend Micro t-shirt under his jacket instead of the collar and tie favoured by the executives who sit alongside him in the very business-like lobby of Dubai’s Emirates Towers hotel.

The chairman of the world’s largest internet security company wears a constant grin and exudes a boyish enthusiasm for the business of fighting cybercrime.

It’s clear he has a lot of pent-up energy that likes to find an outlet beyond the world of work.

You are as likely to find him mixing cement on a housing project for the poor in the Philippines as delivering a speech to a regional leadership summit, which is where I come to meet him in Dubai before he is due to speak.

The closest he comes to appearing serious is when he talks about the explosion of viruses, trojans and spam that he believes isn’t being taken seriously enough by the world’s biggest corporations that form his company’s client base.

“Internet security problems have become very bad over the last two quarters but the awareness among the big corporations in places like Japan and the US is very low. They still don’t see the real threat,” he says.

The extent of that deterioration becomes clear when Chang says that the number of known computer viruses has grown from fewer than 10,000 in 2006 to more than 5 million today.

Chang worked as a software engineer for Hewlett-Packard before starting his company in 1988 when he developed a software device that protected against pirating.

Two decades later Trend Micro generates global sales of about US$848m, with the greatest sales growth achieved in North America during 2007 where revenues advanced about 21%. It posted a 10% increase in first quarter net income which grew to US$43m.

That kind of growth may be hard to replicate during the rest of 2008 as the US slowdown hits computer sales, although Chang says there is always a lag before a decline in hardware sales is felt by the anti-virus software sector.

“The consumers are hit first. We already knew about six months ago that some IT budgets and headcounts were being frozen,” he says. “Security is still high priority for IT managers so this hasn’t really affected us yet – but it will eventually.”

Chang lives in the world of ‘phishing’ and ‘pharming’, IT-speak for the techniques used to steal personal information via phone, email or instant messaging, a practice that has grown into a multi-billion dollar international business involving criminal gangs from across the globe.

“The profile has really changed from two years ago – it’s no longer kids in their bedrooms fooling around and breaking your system for the fun of it. Now there is a big financial incentive,” he says.

Chang cites the so-called ‘Italian Job’ as an example of the type of attacks which are increasingly emerging.

The attack succeeded in infecting tens of thousands of computers and hundreds of thousands of web pages last year.

Most of those infected were in Italy although web users in other countries were also affected as they browsed tourism sites.

It was generated by a malware kit called MPack, first detected in late 2006 and sold by Russian hackers at about US$1000 a pop.

This month Trend Micro reported on another mass web attack that has already been dubbed the ‘Italian Job II’.

It has hit sites in the country hosted by one primary provider.

The domains may be of English, US, Asian or Italian origin, but so far all are in the Italian language and the majority have Italian domains.

Locations that have been hit include the fan sites of Johnny Depp and the band Pearl Jam, as well as the official site of 80s pop singer Sabrina (Salerno) and the Italian Mercedes-Benz club.

Visitors to sites that have been infected are redirected to one of two malicious sites, both of which are hosted on a single IP address that has been traced back to San Diego, California.

Trend believes the criminals behind the attack are from Eastern Europe.

Such international gangs are becoming increasingly sophisticated according to Justin Doo, Trend Micro’s regional managing director.

“The belief is that it’s organised crime behind many of these attacks. There’s money on the table. It’s almost impossible to prosecute these guys because they use so many different cutouts and they launch attacks from countries with no cybercrime laws,” he says.

Trend Micro believes that Eastern European gangs are actively recruiting the best and brightest computing graduates to generate new and more deadly attacks.

“We have evidence of them running recruitment drives in universities in the Eastern Bloc where they are paying double or triple for a university graduate than that individual could expect to earn from working for a bank,” says Doo.

Trend itself became a victim of such an attack in March when its UK and Japanese sites were hit by malicious ‘iFrames’, which are HTML tags that load content from other websites.

As many as 165,000 other websites were also affected.

So has Chang ever been tempted to hire the hackers themselves as poachers turned gamekeepers? “Absolutely not,” he says.

“We never hire these guys. Our credibility would be at stake. First of all you have to ask are they better than our own engineers and the answer is ‘no’.

“It’s not difficult to write the script – attack is not the difficult bit, it is defence that is the difficult bit.”

However, Trend is not averse to going ‘undercover’, as Chang puts it, with its engineers visiting bulletin board sites under the guise of being hackers.

“We send our experts to their BBS groups in order to find out what new technology they’re using,” he says.

Like the viruses of the physical world, computer viruses are also developing into super-bugs or what software engineers describe as ‘polymorphic’ viruses – able to change themselves every time they infect a new computer host.

“They’re like the flu virus – you can’t immunise against them because they come out with these new strains,” says Doo.

Attacks may increase this year as hackers seek to exploit the web traffic generated by events such as the Olympic Games or the US elections to steal personal information and attack networks.

Security experts expect a surge in so-called social engineering attacks, which exploit human error to steal from or damage computer systems.

“There will be an attack around the Olympics, there will be one around the US elections, anything like big sporting events, big political events, or big natural disasters will generate them,” says Doo, citing the case of a website that was established to receive credit card donations for tsunami victims that caught the attention of the FBI’s serious crimes unit.

“With this one the donations were actually being passed on but their credit card details were at the same time being logged and sold on three or four months later,” says Doo. “It was like he almost had a conscience in that the guy wasn’t taking the money that was sent in, but using the credit card information for personal gain.”

While Chang says that corporations are not taking the threat posed by computer virus attacks as seriously as they should, he says there is evidence of some companies spending heavily to shore up their cyber-defences in recent months.

That has been demonstrated by the investment some companies are now willing to make to protect their systems from an attack…

“In the last 20 years I’ve never seen a single deal worth more than one million dollars,” he says, “until this week when a single company paid us US$6m.”

He doesn’t disclose the identity of the client but says it may be a reflection of the increased threat corporations now face.

That may not be good news for companies with less than robustly protected networks as computer attacks become ever more virulent and the potential for catastrophic loss of information increases.

But for Chang and the rest of the global internet security industry, at least it’s got to be good for business.

From phishing to pharming

Information theft from computer networks and home computers is on the rise and is often done through so-called ‘phishing’ and ‘pharming’.

Phishing describes any attempt via phone, email, instant messaging (IM), or fax to procure personally identifiable information with the intent of perpetrating theft or fraud.

According to Trend Micro, most of the attempts are made in the guise of a legitimate purpose – in other words, they appear to be valid, but instead are the actions of a criminal enterprise.

A typical electronic phishing attack will comprise an authentic-looking email and a fraudulent web page. It appeals to the victim’s sense of legitimacy, and the HTML-based emails often include company logos, colours, graphics and font styles which give the impression of authenticity.

Web links included in these emails almost always possess the look and feel of the legitimate sites they copy, making the fraud almost impossible to detect.

“An example was when Saddam Hussein was executed. A link was sent to download video that someone allegedly shot on a phone,” says Trend Micro regional MD Justin Doo.

“But when you went to the download site it would say you needed an extra bit of codec to read the film format. People kept trying to download it without success, not realising that what they were actually doing was downloading a trojan. They were getting the user to request the malware and installing it on their own PCs.”

Pharming is similar to phishing. Instead of directly soliciting personal or corporate information, pharming hijacks legitimate URLs such as “www.mypayroll.com” and redirects them, via the domain name server, to fraudulent IP addresses which spoof the originals.

These spoofed URLs then collect, via a graphical user interface, protected information without a user ever noticing the difference. Because pharming requires a much higher degree of technical acuity to perform, it is far less common than phishing.
