MY TAKE: Once upon a time, circa 2003-2004, botnets emerged as the engine of cybercrime

By Byron V. Acohido

Betty Carty figured she ought to be in the digital fast lane.

Last Christmas, Carty purchased a Dell desktop computer, then signed up for a Comcast high-speed Internet connection. But her new Windows XP machine crashed frequently and would only plod across the Internet.

(Editor’s note: This 2,200-word article was originally published Sept. 8, 2004, in print form as a USA TODAY Money section cover story, part of a three-part series on the emergence of botnets for systemic criminal use. Botnets are today much larger, stealthier and more sophisticated. They now pivot off cloud-based services — and they continue to be the engine that drives most forms of Internet-centric hacking.)

Dell was no help. The PC maker insisted — correctly — that Carty’s hardware worked fine.

But in June, Comcast curtailed Carty’s outbound e-mail privileges after pinpointing her PC as a major source of e-mail spam. An intruder had turned Carty’s PC into a “zombie,” spreading as many as 70,000 pieces of e-mail spam a day.


The soft-spoken Carty, 54, a grandmother of three from southern New Jersey, was flabbergasted. “Someone had broken into my computer,” she says.

Since early 2003, wave after wave of infectious programs have begun to saturate the Internet, causing the number of PCs hijacked by hackers and turned into so-called zombies to soar into the millions — mostly in homes like Carty’s, at small businesses and on college campuses. And, much like zombies of voodoo legend, they mindlessly do the bidding of their masters and help commit crimes online.

Personal computers have never been more powerful — and dangerous. Just as millions of Americans are buying new PCs and signing up for ultrafast Internet connections, cybercrooks are stepping up schemes to take control of their machines — and most consumers don’t have a clue.

“We thought things were bad in 2003, but we’ve seen a sharp uptick in 2004. I’m worried things will get much worse,” says Ed Skoudis, co-founder of consulting firm Intelguardians.

Carty’s PC could have been taken over in myriad ways. She could have been fooled into opening a virus-infected e-mail. She might have innocently surfed to a Web page bristling with contagious code. Or she may have done nothing at all. One of dozens of network worms, voracious, self-replicating programs that pinball around the Web searching for security holes in Windows PCs, may have found one on her new PC.

Profitable attacks

Cyberintrusions traditionally have been the domain of socially inept males launching electronic attacks for fun and bragging rights, often creating a huge, if transient, nuisance for companies and consumers. But things are changing: More PCs are being taken over purely for profit.

Over the past eight months, USA TODAY interviewed more than 100 tech-industry executives, consultants, analysts, regulators and security experts who say top-tier code writers now create malicious programs mainly to amass networks of zombie PCs. They then sell access to zombie networks to spammers, blackmailers and identity thieves who orchestrate fraudulent for-profit schemes.

Most consumers are slow to grasp that an intruder has usurped control of their PC. “We have a large population that is easily tricked,” says Dave Dittrich, senior security engineer at the University of Washington’s Center for Information Assurance and Cybersecurity.

One measure of the swelling tide of zombie PCs: E-mail spam continues to skyrocket, with zombies driving the increase. In July, spam made up 94.5% of e-mail traffic, nearly double the level of a year before, says e-mail management firm MessageLabs. Postini, another big e-mail handler, estimates nearly 40% of spam now comes from zombie networks.
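The check a provider can run to pinpoint a spam zombie, as the article says Comcast did with Carty’s PC, looks roughly like the following. This is an added example, not code from the article or from any provider named in it: the flow-record format, the IP addresses and the thresholds are assumptions, and the sample records are constructed. The idea it demonstrates is that a home PC which opens hundreds of outbound SMTP (TCP/25) sessions to many different mail servers within an hour is behaving like a zombie, while a legitimate mail client relays a handful of messages through its provider’s mail server.

```python
"""Flag likely spam zombies from outbound SMTP flow records.

Added example (not from the article, not any ISP's actual tooling).
The record format '<ISO time> <src_ip> <dst_ip>:<dst_port>', the
addresses and the thresholds are assumptions; the records are constructed.
"""
from collections import defaultdict
from datetime import datetime

SMTP_PORT = 25


def constructed_flows():
    """Constructed flow records for the demo."""
    flows = []
    # Normal home PC: three messages through the provider's relay.
    for minute in (5, 17, 42):
        flows.append(f"2004-06-01T09:{minute:02d}:00 10.0.0.3 10.1.1.25:25")
    # Another PC that only browses the web (port 80 sessions are ignored).
    for minute in range(0, 60, 2):
        flows.append(f"2004-06-01T09:{minute:02d}:30 10.0.0.5 198.51.100.{minute % 7 + 1}:80")
    # Zombie: 400 direct-to-MX sessions to 200 different servers in one hour.
    for n in range(400):
        flows.append(f"2004-06-01T09:{n // 7 % 60:02d}:{n % 60:02d} 10.0.0.7 203.0.113.{n % 200 + 1}:25")
    return flows


def parse_flow(line):
    """Split one record into (timestamp, src_ip, dst_ip, dst_port)."""
    timestamp, src_ip, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(timestamp), src_ip, dst_ip, int(dst_port)


def flag_spam_sources(lines, max_sessions_per_hour=100, min_distinct_servers=20):
    """Return {src_ip: info} for hosts whose outbound SMTP activity in any
    one-hour bucket exceeds both thresholds.

    Requiring many *distinct* destination servers is what separates a
    zombie delivering spam straight to recipients' MX hosts from a busy
    but legitimate client that only ever talks to its own relay.
    """
    buckets = defaultdict(list)  # (src_ip, hour) -> destination IPs
    for line in lines:
        ts, src_ip, dst_ip, dst_port = parse_flow(line)
        if dst_port != SMTP_PORT:
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(src_ip, hour)].append(dst_ip)

    flagged = {}
    for (src_ip, hour), dsts in buckets.items():
        sessions, distinct = len(dsts), len(set(dsts))
        if sessions > max_sessions_per_hour and distinct >= min_distinct_servers:
            prev = flagged.get(src_ip)
            if prev is None or sessions > prev["sessions"]:
                flagged[src_ip] = {
                    "hour": hour.isoformat(),
                    "sessions": sessions,
                    "distinct_servers": distinct,
                }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_spam_sources(constructed_flows()).items():
        print(f"{ip}: {info['sessions']} SMTP sessions to "
              f"{info['distinct_servers']} servers during {info['hour']}")
```

On the constructed records only 10.0.0.7 is flagged; the host sending three messages through its relay and the host that only browses the web are not. A provider that finds such a host has the same choice the article describes Comcast making: curtail its outbound mail until the owner cleans the machine.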

Using zombies to broadcast spam for Viagra or quickie loans has emerged as a huge business. Yet spreading ordinary spam is actually one of a compromised computer’s more benign tasks. Bigger spoils lie in using zombies in elaborate phishing scams, in which e-mail directs consumers to bogus Web pages to trick them into surrendering personal information.

And zombie networks are perfectly suited to flood targeted Web sites with data requests, in so-called distributed denial-of-service, or DDoS, attacks. Cybercrooks use the threat of a DDoS attack to extort protection money from businesses keen to keep their Web sites running.

Few laws, few arrests

Until recently, little has been done to stop such attacks. The Justice Department’s Operation Web Snare netted 160 arrests in August that could lead to more busts, offering encouraging news to cybersecurity experts who have criticized law enforcement for not doing enough. Still, detractors point out there are few federal cybersecurity laws with stiff penalties.

Federal, state and local law enforcement officials face daunting jurisdictional hurdles trying to corner, much less extradite, suspects. Chasing bad guys equipped to commit virtual crimes in several countries simultaneously has proved problematic, as has the sheer volume of incidents.

“It’s easier trying to catch Osama bin Laden,” says Steve Jillings, CEO of e-mail security firm FrontBridge Technologies.

Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. “I had no clue at Christmas that I would become a security expert,” she says.

Consumers remain seduced by the Internet’s convenience. E-commerce is bigger than ever, and most casual computer users overlook safety practices. The vast majority don’t use firewall software to block intruders, patch vulnerabilities or keep anti-virus subscriptions current.

“Consumers seem almost bizarrely unconcerned by security in general,” says James Governor, founder of research firm RedMonk. “People will practically give out their Social Security number as easily as their phone number.”

Low and slow thievery

Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number.

Not long afterward, Hall noticed an unauthorized withdrawal on her banking statement for $6.50. The withdrawals increased in frequency and amounts, to as much as $108. Hall was the victim of a “low and slow” phishing scam, in which cybercriminals purposely steal small amounts of cash — sometimes as little as 20 cents at a time — to avoid detection.

Though data are scarce, experts estimate millions of dollars are being skimmed from thousands of online banking accounts. About 23.6 million people had online accounts at the nation’s top 10 banks in the second quarter of 2004, up 28% from the year before, says ComScore Networks.

Sneaky cybercrooks are finding it profitable to “be patient and nick an account for a long time,” says Dan Larkin, unit chief of the FBI’s Internet Crime Complaint Center.
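The countermeasure to a low-and-slow skim follows from how the scheme evades notice: no single debit is large enough to trip a per-transaction limit, so the check has to aggregate per counterparty over time. The following is an added example, not the article’s or any bank’s code. The statement lines are constructed to mirror the escalation Hall describes (a $6.50 debit growing to $108) and the 20-cent drip the article mentions; the line format and the thresholds are assumptions.

```python
"""Flag low-and-slow debit patterns on a bank statement.

Added example (not from the article, not any bank's detection logic).
Statement lines use the assumed format 'YYYY-MM-DD|description|amount'
with debits as positive amounts; the lines below are constructed.
"""
from collections import defaultdict
from datetime import date
from decimal import Decimal

SAMPLE_STATEMENT = [
    # Ordinary activity: groceries, a utility, rent.
    "2004-03-02|GROCERY MART|54.10",
    "2004-03-09|GROCERY MART|48.75",
    "2004-03-16|GROCERY MART|61.20",
    "2004-03-23|GROCERY MART|52.00",
    "2004-03-30|GROCERY MART|49.80",
    "2004-03-05|ELECTRIC CO|80.00",
    "2004-04-05|ELECTRIC CO|80.00",
    "2004-05-05|ELECTRIC CO|80.00",
    "2004-03-01|RENT|900.00",
    "2004-04-01|RENT|900.00",
    "2004-05-01|RENT|900.00",
    # Escalating skim: starts small, grows once nobody objects.
    "2004-03-11|ONLINE SVC 4471|6.50",
    "2004-03-25|ONLINE SVC 4471|6.50",
    "2004-04-08|ONLINE SVC 4471|9.99",
    "2004-04-19|ONLINE SVC 4471|14.00",
    "2004-04-29|ONLINE SVC 4471|22.00",
    "2004-05-10|ONLINE SVC 4471|45.00",
    "2004-05-20|ONLINE SVC 4471|108.00",
    # Micro drip: 20 cents at a time.
    "2004-03-04|WEB BILL 8812|0.20",
    "2004-03-18|WEB BILL 8812|0.20",
    "2004-04-01|WEB BILL 8812|0.20",
    "2004-04-15|WEB BILL 8812|0.20",
    "2004-04-29|WEB BILL 8812|0.20",
    "2004-05-13|WEB BILL 8812|0.20",
]


def parse_statement(lines):
    """Group debits by counterparty, each sorted by date."""
    by_payee = defaultdict(list)
    for line in lines:
        day, payee, amount = line.split("|")
        by_payee[payee].append((date.fromisoformat(day), Decimal(amount)))
    for debits in by_payee.values():
        debits.sort()
    return by_payee


def flag_low_and_slow(lines, min_debits=4, escalation=Decimal("3"),
                      micro_limit=Decimal("1.00"), min_micro=5):
    """Return {payee: info} for counterparties matching one of two signals.

    'escalating': at least min_debits debits that never shrink and end at
    least `escalation` times the first one (a crook testing what goes
    unnoticed). 'micro_drip': at least min_micro debits all under
    micro_limit, the sub-dollar pattern that a per-transaction rule
    never sees. Both look at the series, not any single amount.
    """
    flagged = {}
    for payee, debits in parse_statement(lines).items():
        amounts = [amount for _, amount in debits]
        non_decreasing = all(b >= a for a, b in zip(amounts, amounts[1:]))
        signal = None
        if (len(amounts) >= min_debits and non_decreasing
                and amounts[-1] >= amounts[0] * escalation):
            signal = "escalating"
        elif len(amounts) >= min_micro and all(a < micro_limit for a in amounts):
            signal = "micro_drip"
        if signal:
            flagged[payee] = {
                "signal": signal,
                "debits": len(amounts),
                "total": sum(amounts, Decimal("0.00")),
            }
    return flagged


if __name__ == "__main__":
    for payee, info in flag_low_and_slow(SAMPLE_STATEMENT).items():
        print(f"{payee}: {info['signal']}, {info['debits']} debits, ${info['total']} total")
```

On the constructed statement the grocery store is not flagged (its amounts go up and down), the fixed-amount utility and rent are not flagged (no escalation, too few debits), and both skims are. Amounts are handled as Decimal so the totals a customer would dispute are exact.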

Bank of America agreed to reimburse the money stolen from Hall’s account, but only after she badgered them. “They wanted me to believe it was my fault,” says Hall.

Bank of America does not comment on specific cases. It reimburses victims of fraud and changes their online name and password, spokeswoman Betty Riess says.

First seen more than a year ago, phishing scams begin with e-mail messages broadcast to potential victims. The e-mail directs them, often under the guise of doing a security check, to a bogus Web page with the identical look and feel of an authentic page.

A network of zombie PCs e-mails the original request to tens of thousands of potential dupes. A separate zombie, usually a more powerful PC, often sitting in a remote country, perhaps in an obscure nook at a university, serves up the counterfeit Web page. Another zombie, in yet another country, perhaps in the basement of a small shop, stores the stolen account details and conducts the theft.

“Computer networks make this easy to do since they form a virtual world in which footprints and fingerprints are easily erased at a distance,” says the University of Washington’s Dittrich.

Experts say clues point to loosely organized crime syndicates, probably in Russia, Latvia, Kazakhstan and China, coordinating phishing scams with other schemes to quickly turn stolen account information into tangible booty. In what feds call one of the biggest phishing busts, a Romanian man was arrested last year and convicted for using an elaborate network of bogus Web pages and escrow accounts to fleece Americans out of $500,000.

Typically, filched financial information, such as credit card numbers, is sold on Web sites. Buyers often use card numbers to make long-distance phone calls, sign up for pornographic sites and buy computers over the Internet.

Unique phishing attacks have surged more than 10 times since January, to 1,974 in July, and show no sign of slowing. In early August, MessageLabs intercepted more than 125,000 phishing e-mails containing links to a replica of a well-known U.S. bank’s Web site within the first five hours of its appearance.

U.S. banks are in a delicate position. Their customers lost an estimated $2.4 billion from phishing in the 12 months ending in April, according to market researcher Gartner. Citibank, a frequent target, warned users of a dozen examples of phishing solicitations on its Web sites in the first half of June.

Few, however, are willing to discuss such matters in detail out of fear of scaring customers and undercutting trust in online banking, in which they’ve invested hundreds of millions of dollars, says John Pironti, a security consultant at Unisys.

Now, free, do-it-yourself phishing kits are surfacing on the Internet. Would-be cybercrooks can choose from a dozen kits containing bogus Web sites, programming code and spam tailored toward customers of Citibank, eBay and PayPal, says analyst Chris Kraft of security firm Sophos.

The same zombie network used in phishing scams can also bombard a Web site with data requests. When that happens, no one else can get to the targeted Web site, effectively shutting it down.

Such an assault is known as a distributed denial-of-service, or DDoS, attack. Cybercrooks threaten DDoS attacks just as racketeers wave truncheons. Last January, a series of such attacks began against major Internet gambling operators in the United Kingdom. The attacks were preceded with e-mail messages demanding $10,000 to $40,000.

Some operators paid — and were immediately attacked again, according to a report from the Association of Remote Gambling Operators. The blackmail attempts continue. One of the UK’s largest online gambling Web sites recently reported coming under attack from 518,000 zombie computers.

New methods of attack

Seattle screenwriter Alex Tobias figured her laptop was immune to attacks. After all, she and her husband, Martin, a venture capitalist, worked from home a lot. To protect their home network, Martin installed top-notch firewall and anti-virus software.

Yet last fall, Alex’s laptop slowed until she couldn’t use e-mail or the Internet. It took extensive troubleshooting to determine that it had been turned into a spam-spreading zombie, and it took half a day to clean it up. “I don’t know what she got or how she got it,” says Martin. “The bottom line is she got it.”

Their experience underscores the notion that there are many ways for malicious code to slip past firewalls and anti-virus programs. E-mail viruses, for instance, rely on tricking the victim into opening an infectious attachment. Another widely used tool is harder to fight: direct planting of contagions, known as “come-and-get-it” viruses, on popular Web sites.

Such contagions commonly lurk on peer-to-peer sites, where music and movies are exchanged. They trick the computer user into giving up personal information, and they can activate other invasive programs unseen by the PC owner.

Web contagions are turning up on high-traffic Web pages across the Internet. Most do the basics: plant a back-door Trojan horse and turn over full control to an intruder who might be sitting half a globe away.

Some have begun implanting spyware called keystroke loggers, which are designed to notice whenever the PC user types anything that looks like account information. They grab the information and send it to a zombie computer for storage and risk-free access by the crooks.

The scariest type of attack is one most consumers aren’t aware of. Scores of sophisticated programs, called worms and bots, continually scour the Internet for Windows PCs with security holes. There are hundreds of Windows vulnerabilities, and new ones turn up regularly. Microsoft issues software patches, or fixes, each month for the most troublesome. But most home users, and many businesses, don’t keep up to date on patches.

Consumer outrage needed

Not long ago, securing the Internet meant cleaning up after so-called script kiddies, youths who use pre-written malicious code, available free on the Web, to pull digital pranks. But security has metastasized into an almost fatalistic endeavor. “Hackers can do almost anything with a compromised PC, and there isn’t much we can do about it,” says Keith Lourdeau, deputy assistant director of the FBI’s Cyber Division.

That will change only as tech suppliers who profit from the Internet simplify networks and collaborate on implementing universal security standards that may run counter to their current business strategies. Many experts say such a shift is at least five years away. The one thing that could make tech suppliers move more quickly is consumer outrage.

“Consumers should demand what they do of other utilities,” says Kip McClanahan, CEO of security firm Tipping Point. “When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable.”

Jon Swartz contributed to this article.
