Security News > 2006 > February > Invasion of the Computer Snatchers

Invasion of the Computer Snatchers
2006-02-21 06:14

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html By Brian Krebs February 19, 2006 In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves. Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential victims. The young hacker, who has agreed to be interviewed only if he isn't identified by name or home town, takes a deep drag of his smoke and leans back against the couch to exhale. He smiles. This is his day job, and his work is finished in less than two minutes. In two weeks, he will receive a $300 check from one of the online marketing companies that pays him for his services. "Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout. Hacked, remote-controlled home computers, known as robots or "bots," and large groups of robot networks like the one 0x80 runs -- called "botnets" -- are the souped-up cyber engines driving nearly all criminal commerce on the Internet. Botnets are used to relay millions of pieces of junk e-mail, or spam, touting everything from cheap Viagra to get-rich-quick business schemes. And the botmasters who control these computer networks are at the heart of ominous and increasingly common online shakedowns known as "denial of service attacks." In such an attack, Web gangsters demand tens of thousands of dollars in protection money from businesses. If the businesses refuse to pay, the criminals order the thousands of computers that make up their botnets to flood the Web sites with meaningless traffic, crippling the businesses and costing them thousands or hundreds of thousands of dollars in lost revenue. 0x80 says that he doesn't use his botnet to shake down businesses. Instead, he and a growing number of botmasters make money by seeding their botnets with spyware, also known as adware. Once installed on a PC, the adware serves up pop-up advertisements and mines data about the user's online browsing habits. The computer worm that powers the botnet also gathers far more sensitive data from the victim's machine, including passwords, e-mail addresses, Social Security numbers and credit card data. The spyware and adware problem is pervasive and growing: A recent survey by the National Cyber Security Alliance and America Online found that four of five computers connected to the Web have some type of spyware or adware installed on them, with or without the owner's knowledge. The distribution of online advertisements via spyware and adware has become a $2 billion industry, according to security software maker Webroot Software Inc. And as the industry has boomed, so have the botnets. Just a few months ago, FBI agents arrested a 20-year-old from Southern California for installing adware on a botnet of more than 400,000 hacked computers. Jeanson James Ancheta's victims included computers at the Naval Air Warfare Center and machines at the Defense Information Systems Agency, according to government documents. He pleaded guilty to the charges last month. Like Ancheta, 0x80 installs adware and spyware surreptitiously, though the law requires the computer owner's consent. The young hacker doesn't have much sympathy for his victims. "All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught up in someone else's net, so it might as well be mine," 0x80 says. "I mean, most of these people I infect are so stupid they really ain't got no business being on [the Internet] in the first place." Tall and lanky, with hair that falls down to his eyebrows, 0x80 almost never looks you in the eye when he talks, his accent a slurry of heavy Southern drawl and Midwestern nasality. He lives with his folks in a small town in Middle America. The nearest businesses are a used-car lot, a gas station/convenience store and a strip club, where 0x80 says he recently dropped $800 for an hour alone in a VIP room with several dancers. He tells his parents that he works from home for a Web design firm. His bedroom resembles a miniature mission control center, with computers, television and computer monitors, and what must be several miles' worth of tangled wires plugged into an array of surge-protected power strips. At the moment, 0x80 controls more than 13,000 computers in more than 20 countries. This morning he installs spyware on just a few hundred of the 2,000 PCs that he has commandeered in the last few hours. He will stagger the remaining installations throughout this day and into the next, using a program he wrote that automates the process. If he installs too many bundles of spyware at once, the online marketing companies, "get suspicious, they cut me off, and I don't get paid," he mumbles, squinting at the screen while the nub of his cigarette sprinkles ashes all over his laptop and the coffee table. "I've learned not to get greedy." A small dog with matted fur enters the living room and winds through 0x80's feet. 0x80 gives the dog a gentle shove with his foot, without even looking up from his laptop. He furiously stabs at the keyboard with his two forefingers, punching out a short command that produces a mesmerizing blur of black-on-white text that scrolls up the computer screen at several pages per second. 0x80 makes it halfway through a cigarette before the text flying across the screen finally stops. The command he typed -- "pstore" -- is short for "password store." On the screen in front of him is a listing of every user name and password that the owner of each infected computer has stored in the Microsoft Internet Explorer Web browser on his or her computer. A quick scroll through the first few dozen pages of the file reveals credentials his victims have used to log in to online accounts at PayPal, eBay, Bank of America and Citibank, to name just a few. Many of the Web sites for which user names and passwords are stored are harmless, such as sports or hobby sites. Others are potentially far more revealing, such as hard-core sex and fetish Web sites. 0x80 has also found credentials for thousands of e-mail accounts, including dozens at ".mil" and ".gov" (U.S. military and government) addresses. "See all that info?" 0x80 asks. "I don't use it, and I don't sell it like a lot of guys I know do. That's too risky." His goal is to make money, not to end up in jail. One of his victims, a computer-loving 29-year-old pastor named Michael White, could tell 0x80 plenty about jail. White runs the Agape Church and Christian Center in Memphis but admits he wasn't always a man of God. Ten years ago, he was a freshman at the University of Memphis, where he was on the track team and the dean's list. Then he fell in love with liquor, he says, and flunked out of school. He landed in jail twice over the next 18 months, both times for driving a car that didn't belong to him. Next came the accident that changed his life. One night, while White was driving a friend's Mitsubishi Eclipse, a police cruiser pulled up behind him, lights flashing. White says he was intoxicated, and driving without a license or insurance. He panicked, floored the car and lost control, flipping the Eclipse over and over until the fuel tank ignited. White woke up in a hospital bed with third-degree burns over 30 percent of his body. The searing heat from the explosion had melted his ears into little nubs, and doctors had amputated the pinky finger on his scarred left hand. Fifteen plastic surgeries and more than two years of physical therapy later, White had healed enough to face the charges against him, which included aggravated assault for endangering the lives of other motorists. He pleaded guilty in 1999 and served almost two years at a prison in Tennessee. During his time in prison, he says, "I realized the Lord had called me to ministry." Since White's release in 2001, God has played a huge part in his life. And so have computers. He typically spends 50 to 60 hours a week surfing the Web, instant-messaging and e-mailing. He even met his wife online. Shortly after starting his ministry, he entered an online chat room dedicated to Christian ministries and struck up a conversation with a woman using the screen name "Warrior Princess." They hit it off immediately and married 15 months later. Taneshia gave birth to their first child, MaKalya, last month. But the same technology that led White to his wife betrayed him last summer. His desktop computer, which he had paid $350 for in 2004, was suddenly inundated with pop-up ads for adult Web sites. A mysterious toolbar with the symbol "XXX" had shown up in the topmost portion of every Internet Explorer Web browser window he opened. A friend spent a few days trying to remove the pornographic software, but each time he did, the software reinstalled itself after the computer was reconnected to the Internet. White initially suspected that one of the kids he tutors after school had used his PC to visit some questionable Web sites. He wasn't aware that his computer had been hijacked by 0x80 until he was contacted by the reporter writing this story. 0x80's bot program was able to infiltrate the pastor's computer because the PC lacked dozens of software patches that Microsoft has issued to fix security flaws in its Windows operating system. White says he was counting on a $50 firewall and antivirus software suite he purchased from Trend Micro to keep hackers and viruses from attacking his PC, but he confesses he's not sure whether the software was equipped with the latest updates that would allow it to detect the most recent viruses. "I'll be honest, as someone who loves technology, I've not done a great job with this computer," White says. He eventually opted to buy a new PC rather than spend the time and money to repair the infected one. "It just made more sense for me to get a new $300 Dell that came with a free monitor that was better than the one I had," he says. The whole episode, he says, has taught him a valuable lesson: It's easier to take the precautions needed to keep a computer from being hacked than it is to clean it up after the damage has been done. "Overall, you've got to realize that, just like if you don't secure your home, you run the risk of getting burglarized; if you're crazy enough to leave the door on your computer open these days, like I did, someone's gonna walk right in and make themselves at home." 0x80 began learning how to program at age 14, before his family even owned a computer. Like many hackers of his generation, he got his start by meeting techies on networks run by America Online. "This buddy of mine who lived two houses down from me had a computer before I did. He was always on AOL, but he also always had trouble figuring out how to do stuff, so I'd just go on all the time and figure it out for him." 0x80 says he got into writing viruses by accident after logging onto an AOL chat room named "Lesbians Only." "Someone sent me a virus that made it so that every time I typed anything on the keyboard it would pop a message up on the screen that said, 'I'M [expletive] GAY!'" 0x80 recalls. He tried to stop the computer from flashing the message, but nothing worked. "I finally found [information] on it using my friend's PC and figured out how to write a batch script to stop the virus." After that, 0x80 became obsessed with computer viruses and dedicated nearly all his time to tinkering with them. On his 16th birthday, his folks gave him his own computer to do schoolwork. It wasn't long before 0x80 was skipping school to spend time in online channels known as Internet Relay Chat, a vast sea of text-based communications networks that predates instant-messaging software. There are tens of thousands of IRC channels all over the world catering to almost every imaginable audience or interest, including quite a few frequented exclusively by hackers, virus writers and loose-knit criminal groups. IRC channels have traditionally been among the most popular means of controlling botnets. About two years ago, 0x80 entered an IRC channel where several hackers were bragging about how much they were making using botnets to install spyware. Up to that point, 0x80 had used his botnet mainly for "packeting," conducting petty denial-of-service attacks to knock his buddies or enemies offline. Within a few weeks of visiting that channel, 0x80 was modifying the computer worm code he needed to transform his botnet into a money machine. He and his hacker friends are part of a generation raised on the Internet, where everything from software to digital music to a reliable income can be had at little cost or effort. Some of them routinely go out of their way to avoid paying for anything. During a recent conference call with half a dozen of 0x80's buddies using an 800-number conferencing system they had hacked, one guy suggests ordering food for delivery. Nah, one of his friends says, "let's social it." The hackers take turns explaining how they "social" free food from pizza joints by counterfeiting coupons or impersonating customer service managers. "Dude, the best part is when you walk in, you hand them the coupon or whatever, they give you your [pizza], and you walk out," one of them enthuses. "Then, it's like, yes, I am . . . the coolest man alive." "Dude, that's so true," echoes a 16-year-old hacker. "Free pizza tastes so much better than pay pizza any day." 0x80 expresses some ambivalence about this lifestyle and occasionally ponders what he should do next. He's toyed with the notion of going to a community college to get a degree in computer science, but the idea of getting an honest job with a legitimate tech company doesn't hold much appeal. "I'd probably have to take a pretty bad pay cut no matter where I worked," he says. Asked whether he worries about getting caught, 0x80 stuffs his hands into his jeans pockets, shrugs his shoulders and looks down at his shoes. "To tell the truth, man, I'm sorta surprised they haven't caught me yet." He claims he doesn't care but then confesses that he dedicates quite a bit of time to covering his tracks. "I do stay up very late each night trying to make sure nobody is going to kick in my front door . . . If I do [get caught], I'm not all that worried. I've got enough money. I can always get a good lawyer." Adware and spyware distribution companies promise instant riches to people who agree to help install their programs. These installers are known in the business as "affiliates." Many adware distribution sites recruit affiliates with photos of stacked $100 bills. GammaCash.com, for instance, the company that makes the XXX toolbar that Michael White discovered on his computer, features an animated image of a pair of hands cupped to hold an expensive watch. Wait a few seconds, and the watch disappears, only to be replaced by a Cadillac sport utility vehicle, which quickly morphs into a yacht. The companies include in their "terms and conditions" disclaimers that they do not permit the installation of their products without the consent of the person who owns the computer. Most claim they will terminate without pay any affiliates who violate that rule. But 0x80 and one of his friends -- who goes by the screen name Majy -- say they've easily disguised their installation methods. Their biggest complaint about the whole enterprise: being routinely shortchanged by the adware distribution companies, which often "shave," or undercount, the number of programs installed by their affiliates. "It sucks, too, because the companies will shaft you, and there isn't a lot you can do about it," says Majy, 19, who claims to have had as many as 30,000 computers in his botnet. There are, in fact, legal ways to induce PC owners to download spyware and adware. Most computer users acquire spyware and adware simply by browsing certain Web sites, or agreeing to install games or software programs that come bundled with spyware and adware. Before its Web site went dark not long ago, TopConverting.com bundled its adware and spyware with products most likely to appeal to children and teenagers: simple games, online game insignias or "avatars," and "emoticons," custom-made smiley faces for use in instant-message software. The company also marketed short digital videos that catered to the humor of teenage boys: "Beavis and Butt-Head" cartoons, a short clip called "Boob Boxing" and another titled "Bath Fart." Computer users may or may not understand what they are consenting to when they click "OK" to the lengthy, legalistic disclosures that accompany these games or videos. But those notices are legal contracts that essentially absolve the adware companies from any liability associated with the use or misuse of their programs. 0x80 and Majy don't leave computer owners any chance to decline the adware. Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements. 0x80 says he even created a program that allows him to remotely wipe computers in his botnet clean of old adware, making room for him to install new adware -- and get paid again. And getting paid is the whole point. Majy says TopConverting, which did not respond to requests for comment for this article, paid him an average of $2,400 every two weeks for installing its programs. He got 20 cents per install for computers in the United States and five cents per install for PCs in 16 other countries, including France, Germany and the United Kingdom. A nickel per install doesn't sound like much, unless you control a botnet of tens of thousands of computers. Majy also receives income from Gamma-Cash, which bills itself on its Web site as "an industry leader in online adult affiliate programs." The company pays affiliates to drive traffic to adult Web sites, mainly through pop-up advertisements for porn sites served to users through its XXX toolbar, which hijacks the victim's Web browser and sets its home page to one of several subscription porn sites. Majy says Gamma-Cash, which did not respond to requests for comment, sends him a $400 check each month from a bank in Canada. 0x80 also installs adware for Gamma-Cash. And he works for a company called Loudcash, which was recently purchased by one of the largest and most important players in the adware business: 180solutions. Half of the glass-and-steel structure that houses 180solutions' sprawling headquarters in Bellevue, Wash., rests underground; the other half juts out at acute angles. The rooftop sports an AstroTurfed volleyball court, a gas grill and a commanding view of the Seattle skyline. Some of the company's 200-plus employees zip around the long hallways on Segways or foot-powered scooters. Throughout the building are polka-dotted posters that read, "Who Do You Want to Be?" The signs are meant to challenge employees to continuously reevaluate their roles, but they also reflect the seven-year-old company's effort to prove to the world that it has executed a 180-degree shift away from its past business practices. 180solutions got its start in the adware industry with a product called Epipo, which paid people roughly six cents per hour to view specially targeted advertisements sent to their computers. The product became popular among college students, who quickly figured out ways to automate browsing the Web so that they could get paid for viewing ads while they were away from their computers. According to allegations in a lawsuit filed by the Washington state attorney general's office, 180 responded by changing the payment terms so that it was virtually impossible for people to collect the promised money. The company nearly went bankrupt when it settled the suit in 2002. By that time, 180 had changed its marketing strategy. Instead of paying people to install its adware, the company lured them with free games, which came bundled with ad-serving software called "n-Case." The software tracked users' surfing and buying habits, and was extremely difficult to remove. Consumer advocates had little difficulty showing that n-Case was being installed without user consent. Faced with increasing criticism for the fraudulent installs, 180 rebranded the software as 180 Search Assistant. The new software's chief distinguishing feature was that it was easier to remove than n-Case. In 2004, venture capitalists invested $40 million in 180solutions, fueling rapid growth. That year, 180 says, it raked in more than $50 million delivering online ads for some of America's best-known corporations, including JP Morgan Chase, Cingular, T-Mobile, Monster.com and Expedia.com. (Among the hundreds of companies that have placed ads through 180solutions is Kaplan University Online, which is owned by The Washington Post Co.) By 180's own count, its adware is installed on 20 million computers. The people who use those computers receive pop-up ads based on what they are searching for online. If the user searches for the term "travel," 180's software will look through its database of clients in the travel business and present an ad from the company that bid the most on that search term. The next time that user searches using the same term, 180 will serve the ad of the next-highest bidder for that word, and so on. 180 then gets paid from 1.5 to 2.5 cents for each ad it delivers to the user. The more computers with 180's adware, the more revenue each ad generates. Consumer groups gathered mountains of evidence that 180 Search Assistant was being installed on thousands of computers without user consent. Once again, 180 tried to quiet its critics. Toward the end of last year, the company announced it was phasing out 180 Search Assistant in favor of the Seekmo Search Assistant. Company spokesman Sean Sundwall says Seekmo will be more fraud resistant than 180 Search Assistant, and that it will not be distributed or bundled with other software programs without 180's permission. The company says this will give it far more control over how Seekmo is installed and by whom. But Ben Edelman, who has spent years chronicling the offenses of the adware industry while working toward a PhD in economics at Harvard University, says Seekmo is functionally the same program as 180 Search Assistant. Edelman says 180's penchant for renaming its software each time abuses are highlighted is part of the reason the anti-spyware community directs so much vitriol at the company. "The idea that 180solutions got where they are today through bad business practices and that they continue to make money from that user base is hardly unique to them," Edelman says. "What really makes people so mad is that 180 is far less apologetic than the other players" in the industry. The Center for Democracy & Technology, the leader of a group called the Anti-Spyware Coalition, spent two years working with 180 to resolve dozens of consumer complaints about surreptitious installs. Ari Schwartz, the center's deputy director, says each time the subject arose, the company claimed it was blindsided by the accusations and that it needed more time to correct its distributors' behavior. Weeks after 180solutions said it was discontinuing its 180 Search Assistant software, a computer worm began spreading rapidly across AOL's instant message network, downloading and installing viruses and a host of other programs -- including 180 Search Assistant -- on victims' computers. While 180 denied it had anything to do with the worm, for the CDT, that was the last straw: On January 23, the nonprofit filed a detailed complaint with the Federal Trade Commission urging the agency to sue 180solutions for violating consumer protection laws. In a statement, 180solutions denied that it was ignoring the problem, arguing that it had made "great progress in the fight against spyware" and insisting that it shared the CDT's vision of "protecting the rights and privacy of consumers on the Internet . . . We have made voluntary improvements to address every reasonable concern that the CDT has made us aware of." Company executives acknowledge they didn't begin addressing the fraud problems wrought by what 180 co-founder Dan Todd calls "a few bad actors" until mid-2004. Dressed in worn-out jeans and an untucked dress shirt, 34-year-old Todd puts one foot up on the coffee table in his glass office and tries to explain how things spiraled so far out of control. "At some point between dealing with legitimate distributors and these botnet guys who try real hard to look like good guys, we realized that something had gone terribly wrong and that our plan of outsourcing our relationship to the consumer had backfired," Todd says. Last year, he says, 180 executives purchased some of their biggest distributors, including Loudcash, as part of a plan to rein in "rogue distributors" and help clean up the company's adware distribution practices. 180 says it no longer allows its adware to be bundled with adult Web site content or peer-to-peer (P2P) online file-sharing services that many people accuse of promoting music and movie piracy. "Our goal," he says, "is to minimize the financial incentive for people to install our software illegally, with the goal of making sure that our money never gets paid to bad actors." To demonstrate its commitment, 180 filed lawsuits last year against seven distributors, accusing them of using botnets to earn more than $60,000 installing the company's adware without computer owners' consent. When the defendants -- all of whom live outside of the United States -- refused to make the trip here to face the allegations against them, 180 referred the matter to the FBI, says company attorney Ken McGraw. The company also worked with the FBI and Dutch authorities last year on an investigation that shut down a botnet of more than 1 million computers in the Netherlands. The FBI acknowledged that 180 was instrumental in helping to track down the botmasters. 180, in fact, became the target of a denial-of-service attack by the botmasters, who were furious that the company was refusing to pay them for surreptitious adware installs. The attack briefly crippled 180's Web site, making the company a victim of the botnet phenomenon. Yet 180's insistence that it is cracking down on botmasters has yet to win over the anti-spyware activists, who have spent years unraveling the labyrinthine economic ties among advertisers, adware vendors and their affiliates. The anti-spyware hawks don't believe 180solutions has changed the way it operates or that the company is buying up major players in the adware industry in order to clean up its act. "That's sort of like a drunk saying he's buying up a liquor store to solve his drinking habit," says Eric Howes, an executive at Sunbelt Software, an anti-spyware firm. At a recent anti-spyware conference, Todd was openly mocked for claiming that 180 previously had no way of knowing how many of its distributors were installing its software illegally. Someone at the conference suggested that 180 use its technology to periodically present users with pop-ups asking them whether they had authorized the adware to be installed in the first place. Now the company says it is doing just that. If the answer is no, the user can remove the software with a click of a button. 0x80 hasn't paid much attention to the public condemnation of 180's business practices. And he says he doubts any of the measures the company is taking will discourage botmasters from installing adware. "It doesn't really matter what [180] does to try and stop them," the hacker says. "There's just too much money to be made there. People will just find another company to work with." Sam Norris answers the door of his handsome stucco-and-Spanish-tile home near San Diego dressed in jeans, a polo shirt and squeaky-clean blue and white suede sneakers. He smiles broadly. "You picked a great week to come out," he says. "I'm tracking quite a few botnets today." Norris, 31, is president of an Internet service company called ChangeIP.com that finds itself at the center of the battle against botnets. He estimates that he is spending up to 20 hours a week preventing botmasters like 0x80 and Majy from using his network to control their botnets. Botmasters typically control their herds of infected PCs by having each report to a central server and await instructions, which may be to attack a Web site, send spam or download spyware programs. But many of the IRC networks that have been used for this purpose are beginning to crack down on botmasters. As a result, an increasing number of hackers are trying to cover their tracks by taking advantage of the services of companies like Norris's, which allow Internet browsers to find hundreds of small Web sites by name (for example: smallwebsite.com), even though the actual numeric address of the sites can change from day to day. Botmasters like 0x80, however, have turned that process inside out. They use Norris's service to hide their botnets when they jump from server to server. Should authorities or computer security experts start to zero in on the server that's running their botnet, they can switch servers, and ChangeIP.com will enable the hijacked computers to find the new hideout. In most cases, it is easy for Norris to tell which hosts on his network are legitimate Web sites and which are botnets: Most small Web sites don't have thousands of computers trying to access the site at precisely the same time. By tracking the communications traffic between the infected machines and the botmaster's control channel, Norris can capture data that might be useful to law enforcement, including snippets of text or code that may hold clues about the geographic location or identity of the botmaster. Norris says he sees an average of 37 new botnets per week trying to use his company's service, and sometimes as many as 10 new botnets per day. Last spring, he cut off access to a botnet of more than 40,000 PCs that was being used as a massive install base for spyware. "I am seeing this botnet-spyware connection just skyrocket," Norris says, "and I think it's because these guys are realizing there's tons of cash to be made here." A computer programmer by trade, Norris dissected a copy of the bot used by one hacker he recently banished from ChangeIP.com's network. The program contained instructions for installing 14 adware and spyware programs, and Norris says the bot code was encrypted and so thoroughly disguised that none of the antivirus software he used detected the code as malicious. As he was examining the bot program, Norris accidentally executed it, causing his machine to become infected. Almost immediately, he says, the program downloaded a package of adware and launched several pop-up ads for pornographic Web sites. It also installed GammaCash's infamous XXX toolbar. Norris's forensics work revealed that the bot program also contained more than 30 other features, including the ability to capture all of the victim's Web traffic and keystrokes, as well as a program that looks for PayPal user names and passwords. Other programs installed by the bot allowed the attackers to peek through a user's webcam. Norris often works out of his home in the auburn hills of San Marcos, Calif., where F-16 fighter jets from nearby Miramar Naval Air Station streak across the sky. Today he sits down at the desk in his cramped home office and clacks away at his keyboard, generating a slew of line graphs measuring the level of traffic flowing across his company's networks. He's a member of an informal enforcement group of more than 100 independent security experts worldwide who share daily data on the size, location and activity of the Web's most disruptive botnets. Hailing from Internet service providers, computer hardware manufacturers and software security firms, the group's members use that information to shut down botnets by cutting off the infected computers and forwarding the intelligence they glean to law enforcement. Each morning, Norris receives an e-mail listing the online locations of the Web servers used to control some the world's most dangerous botnets. "First thing I do most days is go through this list and try to find out which ones" are using his network, he says, pointing to a report he just generated that lists the top 20 traffic-generating sites on his company's system. "Most of these are botnets." And the botnets are hardly limited to hijacked home computers. A few months back, Norris found more than 10,000 infected PCs on the inside of a Fortune 100 company network, all trying to contact a control server located at ChangeIP.com. When Norris called the company with the bad news, its poorly trained network administrator had no idea how to respond. "I call this guy up and say, 'Hey, you've got 10,000 infected computers on your network that are attacking me,' and this guy is basically, like, 'Well, what do you want me to do about it?' " Norris says that after collecting enough evidence about a botnet, he terminates the account and, he hopes, disconnects the botmaster from his army of infected machines. He says "he hopes" because many times the botmaster will have instructed his enslaved machines in advance to try several other domain names should the main control channel be shuttered. But in most cases, Norris says, the botmaster simply shifts control of his botnet to another Internet service provider. "Other times, the attackers play dumb and send polite e-mails asking why their service has been shut off." And, occasionally, the hackers will rebuild their botnets elsewhere and use them to retaliate against ChangeIP. Last year a botmaster who had been cut off joined forces with another botnet to direct such a massive, constant stream of bogus Web traffic at ChangeIP.com that the site had difficulty processing legitimate traffic for nearly a week. As the botnet problem has escalated, so has the interest of federal law enforcement, Norris says. Not long ago, he was contacted by a National Security Agency official who asked for records related to several ChangeIP accounts. He's also had visits from FBI agents hot on the trail of several botmasters. One FBI agent said he couldn't disclose the details of his investigation but handed Norris a copy of a Time magazine article about Chinese hackers suspected of infiltrating U.S. corporate and military computer networks. "The feds are finally starting to understand that botnets are more than just a nuisance: They're the source of all that's evil on the Internet today, from hacking and spamming to phishing and spying," Norris says. (Phishing involves impersonating trusted Web sites to gain confidential information from computer users.) Shutting down a botnet can be arduous work, but finding the criminal on the controlling end of the herd has proven an especially challenging task for law enforcement. That's in part because security experts like Norris and others often disagree over whether to dismantle the botnets as soon as possible or to monitor them for a period of time in order to gather intelligence that might prove useful in helping investigators track down the criminals behind them. Hank Nussbacher, an independent Internet security consultant based in Israel and a member of the group that's sharing information on botnet activity, says most members have their hands full just shutting down the botnets' command and control centers. "Occasionally, the Internet service provider where the [bot control center] is located requests that it not be shut down because they are collecting forensics information for some law enforcement agency, but I'd say about 98 percent of the time, as soon as we find one, we shut it down." Louis Reigel III, assistant director of the FBI's Cyber Division, says the botnet data regularly shared by security experts like Norris is invaluable. But Reigel stresses that prosecuting botmasters is difficult because their crimes and networks usually span multiple continents, which means working with foreign law enforcement agencies and depending on their cooperation. The FBI has dedicated several agents from its special technologies section to tracking down botnet operators and is pursuing hundreds of investigations, Reigel says. But "the techniques being used by these bot guys are becoming more efficient every day, so the bot situation is probably going to get a lot worse before it gets better." Norris shares that fear and worries that more botmasters will begin to exploit emerging peer-to-peer communication technologies of the sort that power controversial music- and movie-sharing networks like Kazaa and LimeWire. Such networks would allow enslaved computers to communicate instructions and share software updates among one other, so that they would no longer depend on orders from the master servers that Norris and other bot hunters search out and disable every day. "When P2P becomes the norm with these bots," Norris says, "that's when I call it quits with this botnet stuff, because, at that point, it will be pretty much out of my hands." On the eve of a visit to his home by a Washington Post photographer, 0x80 decides to tell his father what he really does for a living, in part, he says, because hiding it is starting to eat him up inside. 0x80 tells his father the whole truth, but he can't bring himself to break the news to his mother because, as he puts it, "she's really Christian and that would just crush her to know I'm involved in something like this." "I told my dad I had made an Internet worm that infected people, and then I used their computers to make money, and he just shook his head and was, like, 'I hope you don't go to jail for that . . .' and . . . 'I hope it wasn't underage porn you was doing.'" That same question has been encroaching on 0x80's peace of mind of late. His hard-boiled pose has begun to break down, and instead of sneering at the risks of getting caught and brought to justice, he's begun to talk about quitting the criminal hacking scene to join the Army, which, he reasons, will offer not only discipline and the motivation to earn his GED but also potentially a free ride to college. From there, he can imagine a more respectable future working on information technology projects for the military. "It's nice to have up to $10,000 a month coming in, but, if it's not legit, then I also have all this other stuff to worry about," 0x80 says. "Like, I gotta hide my laptop every night, and every time I don't come online for a day I have people blowing up my cell phone asking if I got raided by the feds." 0x80 has shared his plans with a few of his online buddies, many of whom have grown dependent on his ability to develop ever more stealthy and effective botnet programs. "Some of my people really don't want me to leave, but I've got to figure out a way to use the [expletive] I know to get something going for myself," 0x80 says. "With the Army, I could get stationed someplace where I would have a better chance at getting a higher-paying job and still be able to do what I like to do. Either way, I gotta get up outta this hole I'm living in." -=- Brian Krebs is a technology reporter for washingtonpost.com. He will be fielding questions and comments about this article Tuesday at 1 p.m. at washingtonpost.com/liveonline © 2006 The Washington Post Company _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org


News URL

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html