Your home computer may be committing a crime at this very moment. It might be sending out spam. It might be buying stock as part of a pump-and-dump scheme. Or it might be helping attack the Internet itself, silently and invisibly, as you read this story. And the odds your computer is a criminal are quickly rising.
The Web, some say, has been turned into an operating system for criminals. Computer viruses that hijack PCs and turn them into electronic robots, or “bots,” have become the killer app. The operation of networks of hijacked computers is so lucrative that hackers are actually fighting electronic wars over them, a story we will explore next week in part two of this series.
New hacker techniques make these virus attacks so subtle that there is no way you would know your computer is a criminal. And there is a growing sense among security experts that hackers have gained the upper hand in what was once a neck-and-neck arms race.
Bots can squirm their way onto home computers in myriad ways: a virus-laden e-mail or a booby-trapped Web site are the most common. But some viruses can attack your computer in the background, silently worming their way through networks via unprotected ports and porous firewalls, using vulnerabilities that software companies don’t know about.
Earlier this year, Internet founding father Vint Cerf dramatically suggested that 150 million computers worldwide may have been hijacked by criminals. Most experts think that his estimate is high, but they still count infected computers in the millions, or tens of millions. And there is general consensus that the Internet is under assault from virus writers like never before.
Listen carefully to the words of those who are trying to help us keep our computers safe from Net criminals and you’ll get a creeping sense that the boat is leaking faster than they can bail out the water. There were two-and-a-half times as many viruses released in 2006 as in 2005, and the growth rate has continued through the first quarter of 2007, said Eugene Kaspersky, chief researcher for Kaspersky Labs.
Antivirus firms “may not be able to withstand the onslaught,” he said at a recent computer security conference. “This is a competition where the antivirus companies, I fear, are not in a good position.”
Another antivirus executive put it more bluntly in a private conversation. “I think we’ve failed,” said the official, speaking on condition of anonymity. Computer security firms often use hyperbole to help get attention for their products, but expressing helplessness is something new.
Serious crimes for serious money
The security firms’ helplessness means more home computers than ever are being hijacked by organized criminals. Those who control the computers, known as “bot herders,” have little interest in the kinds of pranks that hackers typically played with their viruses five or 10 years ago. They commit serious crimes for serious money.
How serious? Earlier this year, a bot army sent a torrent of Internet traffic at two of the Web’s 13 critical domain name servers, directing the equivalent of millions of e-mails at them within a few minutes. The mysterious onslaught would have rendered the Web useless if it had succeeded in taking the domain name servers down, but after a few hours it stopped as quickly as it started.
Why would an attacker perform such a show of strength? It might have been a marketing ploy.
The Internet Corporation for Assigned Names and Numbers, or ICANN, which helps run the domain name servers, speculated in a recent report that the attack was the work of a bot herder trying to close a sale by demonstrating the size and power of his army of hijacked computers.
These bot armies – often between 50,000 and 70,000 PCs strong — are leased out for around $5,000 a day to spammers, said Howard Schmidt, former White House cyberczar. An attacker who might want to threaten a bank with denial of service and demand an extortion payment would probably have to pay more.
“These things are insidious,” he said.
And sometimes they are overwhelming. Ben Mayrides, a security guru for America Online, says the firm regularly sees bot armies – or “botnets” — of 200,000 infected computers. In 2005, Dutch authorities announced they had arrested three youths who controlled a botnet of 1.5 million computers that they assembled using a single Trojan horse program.
Big money is stock scams
Individual bots operate in complete silence, but we all see their handiwork. At this point, almost every spam e-mail is sent from a hijacked computer, according to Uriel Maimon, a researcher at security firm RSA. That means every time you receive a spam, a hijacked computer is at the other end. For evidence of a bot epidemic, researchers point to the recent resurgence of spam, which has doubled in the past 12 months.
Forget Viagra sales: Spammers have largely graduated to manipulating stock markets. Most spam is image spam now, designed to pump up stock prices in thinly traded companies so someone can make a quick profit. In a recent e-mail apparently written by a stock spammer and examined by MSNBC.com, the author brags he can more than double a stock price within two to three weeks.
“We can increase the cost of your share and we can increase average day trading,” the e-mail says. “We can increase price up to 200-260 percent in 2-3 weeks and also increase range by 10 times each trading day. … Our payment for that is 10 percent.”
With increasing sophistication and deliberation, computer hackers are getting the most out of hacked computers, too. The computer crime du jour is a simple but effective stock pump-and-dump scheme that goes like this: Hackers buy a stock, then use hijacked computers and stolen brokerage accounts to buy the stock at inflated prices using other people’s money. When the hackers sell their original shares, they make a killing.
In March, three Indian nationals were sued by the SEC for allegedly pocketing $121,000 after manipulating stocks and options on 14 firms, including Google and Sun Microsystems. They group managed to spend nearly $2 million in other people’s money, the U.S. Securities and Exchange Commission said. One victim had $180,000 in his brokerage account, left for a vacation, and returned to find his account had a negative $200,000 balance.
The SEC is aggressively pursuing stock spam criminals, said John Reed Stark, head of Internet enforcement for the agency. But, the dangerous combination of hijacked computers and global securities trading offers riches far beyond the legitimate dreams of computer experts in developing economies. As a result, cybercrime has become wonderfully profitable, and fantastically popular.
How do you count the bots?
No one knows how many infected bots there are, but there is little argument that millions of computers have been herded. If your computer isn’t infected, security experts say, certainly someone on your block is part of a bot army.
No government agency counts bots; even law enforcement officials rely on private industry for estimates. Here’s a few:
MessageLabs, a company that counts spam, recently stopped counting bot-infected computers because it literally could not keep up. It says it quit when the figure passed about 10 million a year ago. Symantec Corp. recently said it counted 6.7 million active bots during an Internet scan. Since all bots are not active at any given time, the number of infected computers is likely much higher. And Dave Dagon, who recently left Georgia Tech University to start a bot-fighting company named Damballa, pegs the number at closer to 30 million. The firm uses a “capture, mark, and release,” strategy borrowed from environmental science to study the movement of bot armies and estimate their size.
“It’s like asking how many people are on the planet, you are wrong the second you give the answer. … But the number is in the tens of millions,” Dagon said. “Had you told me five years ago that organized crime would control 1 out of every 10 home machines on the Internet, I would have not have believed that. And yet we are in an era where this is something that is happening.”
That means the Internet is becoming a very rough neighborhood. So rough that many of those who fight computer crime think, in some ways, they are fighting to save cyberspace.
“This is not just a battle between manufacturers of security software and some Internet criminals. It is a war between good and evil,” F-Secure researcher Mikko Hypponen said at a recent European security conference:
Why now? 1. More sophisticated viruses
It used to be that infected computers would eventually stall from the hard work of crime, stumbling over an e-mail blast involving thousands of messages and tipping off the rightful owners. Now, the organized criminals who do this work have remote-control crime down to a science. Instead of using your computer to send 5,000 spam messages in an evening, it might only be instructed to send out five. The bot herders reach the volume they need by repeating that technique with the tens of thousands of computers at their disposal.
AOL’s Mayrides says he’s seen bots instructed to send out only one e-mail per day.
This puts security firms at a distinct disadvantage. A few years ago, Internet service providers would notice tens of thousands of e-mails being sent from a home computer, and could easily remove it from their network. But how can an Internet provider spot five rogue e-mails sent from your machine while you sleep?
“We have a very difficult needle-haystack problem here,” Dagon said.
The Storm worm, which infected more than 1 million computers in January by promising information about the deadly winter weather hitting Europe, used a variation of this tactic. A Storm-infected PC observed by Symantec researchers sent out 1,800 e-mails in a five minute span, then simply went to sleep.
Consumers are unlikely to know their computer has been hijacked because there usually are no symptoms.
“People are not going to find out about the bot because it slows down their systems,” said Hypponen. “(Hackers) take great care in making sure it doesn’t do anything that the users might notice. Especially with new machines with 2 gigs of RAM, people will not notice they are sending out spam while playing World of Warcraft. The computers are just powerful enough to handle that.”
Why now? 2. China
But improved software is only one reason criminals appear to have gained the upper hand. Another is the sheer the size of their armies. Part of the deluge of new viruses can be attributed to a new generation of hackers from Asia, where broadband has proliferated, and particularly China, where hackers are learning fast, Hypponen said.
Asia is also a grand playground for hackers worldwide, because many home users run pirated copies of Windows and can’t load security patches, according to a January report by Florida-based security firm Prolexic. Since China now boasts more Internet users than any other country, it also has more infected computers.
Why now? 3. Volume
The sheer volume of new viruses has become overwhelming. Hypponen says there is so much new malware — malicious software – submitted every day to his firm that it has abandoned its long-standing practice of having each one analyzed by its researchers. The viruses are processed by computers now and ranked by severity.
“It’s getting harder and harder for us just to keep up with the amount of new malware coming in,” he said. “Right now on a typical day we receive more than two (possible new viruses) a minute. There are thousands every day. The increase in three years has been tenfold. So our lab all the other labs are rebuilding the way we handle them. You can’t do it with human power.”
Why now? 4. Perpetual ‘zero day’
The onslaught isn’t just about volume, however. Hacker techniques have improved markedly, says Dagon. It used to be that exploiting vulnerable software usually took weeks, as hackers probed software for security flaws. When they published their results, software makers would race to fix the flaws. Simultaneously, criminals would take those flaws and turn them into attacks, often by attaching them to specially crafted e-mails.
On rare occasions, criminals had both the security hole, or exploit, and the delivery tool before the software maker had any notion a flaw existed. Called a “zero-day” attack, these circumstances gave criminals a small window to mercilessly hack defenseless computers.
But this entire cycle of finding and exploiting flaws has been reduced to a few hours, Dagon said. Hackers find flaws, use them to attack, and erase all evidence so fast that software firms never even know there’s a flaw. Dagon has a chilling name for this: “A perpetual zero day window.”
Hackers also have learned to write viruses that mutate on their own. Because antivirus software usually catches only known viruses, mutating versions pose a major challenge for security firms. The Storm worm, for example, had 5,000 different variants within a few days of being launched.
Why now? 5. Better command and control
Hackers have more sophisticated tactics to command and control their massive bot armies – another sign that true professionals are in charge. Not long ago, remote-controlled bots used the old-fashioned Internet Relay Channel to communicate. Internet filters could pick out that traffic and disrupt their networks, at times even identifying the controlling computer and cutting off the “head” bot by removing it from the network.
Now, bot networks are increasingly peer-to-peer systems, designed to look like file and music swapping systems like eDonkey. This prevents Internet service providers from picking out bot communications from regular Web traffic. And it also means there is no head bot to cut off, so networks can only be dismantled one infected computer at a time.
Why now? 6. Competition for labor with crime rings
Adding to the challenge antivirus companies face in trying to keep up with cybercriminals is the intense competition for skilled labor. There is so much money being made in the underworld that legitimate firms have trouble recruiting.
“We are dealing more and more with a worldwide industry that employs thousands of people,” Kaspersky, the researcher, told the Bangkok Post earlier this month. Said another executive with the firm, “These people are paying programmers the kind of salary that I could never afford.”
What now?
For years, security experts have been repeating the same formula to consumers – update antivirus software frequently and use a firewall. But experts say that consumers can no longer trust a single antivirus product to protect them. Dagon points to a Web site named VirusTotal.com that scans potential viruses using 30 top antivirus products. The results are sobering.
On March 22, 9,408 virus-laden files were submitted. Only 28 were detected by all 30 antivirus products. Every other virus was capable of slipping past at least one of the antivirus products undetected, which means that even consumers who keep their security software up to date are at risk.
America Online deals with the problem by swarming its files and e-mail with antivirus products. Everything that’s sent through AOL is scanned by 13 or 14 different products, said Mayrides, the AOL security expert.
And still, viruses get through.
“It’s rough out there,” he said. “One (antivirus product) is not good enough. … There are too many attack vectors these days.”
So should consumers stop trusting the Internet? Yes, to a point, said F-Secure’s Hypponen.
“I don’t think end users should lose their trust, but they are trusting too much,” he said. For example, consumers still fall for phishing e-mails and hand over passwords to brokerage accounts despite years of warning. “We should make people lose their trust, break that trust.”
Experts advise computer users to scan their system with multiple antivirus products. It’s not necessary to pay for all the products. A number of online services are available to consumers. No single scan is perfect, but doing one is a worthwhile check-up.
Users also can take the energy-saving step of shutting down their computers when they aren’t in use. That way, even if your machine is infected, the computer’s resources won’t be available to criminals all night and all day while you’re at work.
