By JOHN MARKOFF
SAN FRANCISCO


As many as 10 million computers are infected by malicious software.
A screen shows a cluster of victims.


INTERNET SECURITY IS broken, and nobody seems to know quite how to fix it.

Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware secretly takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.

Criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.

With vast resources from stolen credit card and other financial information, the cyberattackers are easily winning a technology arms race.

“Right now the bad guys are improving more quickly than the good guys,’’ said Patrick Lincoln, director of the computer science laboratory at SRI International, a science and technology research group in Menlo Park, California.

A well-financed computer underground has built an advantage by working in countries that have global Internet connections but authorities with little appetite for prosecuting offenders who are bringing in significant amounts of foreign currency.That was emphasized in late October when RSA FraudAction Research Lab, a security consulting group based in Bedford, Massachusetts, discovered a cache of half a million credit card numbers and bank account log-ins that had been stolen by a network of socalled zombie computers remotely controlled by an online gang.

In October, researchers at the Georgia Tech Information Security Center reported that the percentage of online computers worldwide infected by botnets - networks of programs connected via the Internet that send spam or disrupt Internet-based services - is likely to increase to 15 percent by the end of this year, from 10 percent in 2007. That suggests a staggering number of infected computers, as many as 10 million, being used to distribute spam and malware over the Internet each day, according to research by PandaLabs.

Security researchers concede that their efforts are largely futile because botnets that distribute malware like worms, the programs that can move from computer to computer, are still relatively invisible to commercial antivirus software. A research report in November by Stuart Staniford, chief scientist of FireEye, a Silicon Valley computer security firm, indicated that in tests of 36 commercial antivirus products, fewer than half of the newest malicious software programs were identified.

There have been some recent successes, but they are short-lived. On November 11, the volume of spam, which transports the malware, dropped by half around the globe after an Internet service provider disconnected the Mycolo Corporation, an American firm with Russian ties, from the Internet. But the respite is not expected to last long as cybercriminals regain control of their spam-generating computers.

“Modern worms are stealthier and they are professionally written,” said Bruce Schneier, chief security technology officer for British Telecom.“The criminals have gone upmarket, and they’re organized and international because there is real money to be made.”

The gangs keep improving their malware, and now programs can be written to hunt for a specific type of information stored on a computer. For example, some malware uses the operating system to look for recent documents created by a user, on the assumption that they will be more valuable. Some routinely watch for and then steal log-in and password information, specifically consumer financial information.

The sophistication of the programs has in the last two years begun to give them almost lifelike capabilities. For example, malware programs now infect computers and then routinely use their own antivirus capabilities to not only disable antivirus software but also remove competing malware programs.

Recently, Microsoft antimalware researchers disassembled an infecting program and were stunned to discover that it was programmed to turn on the Windows Update feature after it took over the user’s computer. The infection was ensuring that it was protected from other criminal attackers.

And there is more of it. Microsoft has monitored a 43 percent jump in malware removed from Windows computers just in the last half year.

The biggest problem may be that people cannot tell if their computers are infected because the malware often masks its presence from antivirus software.

Beyond the billions of dollars lost in theft of money and data is another, deeper impact. Many Internet executives fear the erosion of basic trust in what has become the foundation of 21st century commerce.

“There’s an increasing trend to depend on the Internet for a wide range of applications, many of them having to deal with financial institutions,” said Vinton G.Cerf, one of the original designers of the Internet, who is now Google’s “chief Internet evangelist.”“The more we depend on these types of systems, the more vulnerable we become.”

Security researchers at SRI International are now collecting over 10,000 unique samples of malware daily from around the globe.“To me it feels like job security,” said Phillip Porras, an SRI computer security expert who led the design of the company’s Bot hunter program, available free at www.bothunter.net.

“This is always an arms race, as long as it gets into your machine faster than the update to detect it, the bad guys win,” said Mr.Schneier of British Telecom.

Several computer security experts said they were worried that the economic downturn would make computer security the first casualty of corporate spending cutbacks. Security gets cut because it is hard to measure its effectiveness, said Eugene Spafford, a computer scientist at Purdue University.

He is pessimistic.“In many respects, we are probably worse off than we were 20 years ago,” he said, “because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure.”