
Online Criminals Using Worm to Hook Accounts

Virus Seen As Gang Tool To Send Spam, Steal Funds

By Scott Shane, The Baltimore Sun

Once the province of young mischief-makers, computer worms and viruses are fast becoming a tool used by criminal gangs to harvest money from the Internet by spreading spam, stealing credit cards, blackmailing businesses and even creating phony online stores.

Criminals are believed to be responsible for most of the mass-mailing “worms” that have infested millions of PCs throughout the world over the past 18 months.

Many are disguised as innocent e-mails, often appearing to come from a colleague, friend or computer system administrator.

“If society has embraced technology - which is a great thing - so have criminals,” says Harold Hendershot, chief of the computer intrusion section in the FBI’s cybercrimes division. “Because that’s where the money is.”

When an unwary computer user is lured into clicking on an e-mail attachment containing one of these worms, he may unwittingly set off a cascade of invisible actions designed to put his PC at the service of computer criminals on the other side of the world.

Technical experts have begun to use the term “blended threat” for this kind of computer code, a virtual Swiss Army knife of malicious functions.

A worm infecting a computer can harvest hundreds of e-mail addresses that spammers, paid by unscrupulous advertisers, can bombard with junk mail. Or, it may hide a spy program to swipe credit card numbers and passwords as they’re typed in.

By installing an electronic backdoor to seize control of the PC, the worm can enlist the computer in an invisible army of “zombies.” Some of these armies send more spam, while others are weapons that criminals use to extort money from online companies by threatening a mass “denial of service” attack that can knock them off the Net.

Online store scam

In the latest development, worm-infected PCs are being used to host fake online stores that hop from one hijacked machine to another as frequently as every five minutes. One such scam, identified by the Finnish anti-virus company F-Secure, attracts customers with spam advertising a Web site that offers software at tempting discounts. The customers wind up with nothing but a bill.

“You have a totally untrackable online sales Web site,” says Mikko Hyppoenen, head of research at F-Secure. “They get your money, and they get your credit card number.”
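A store that hops between hijacked machines every few minutes leaves a trace in DNS: the shop's host name keeps resolving to different zombies, with a short time-to-live so that browsers follow each move. The following added example (not F-Secure's or the article's own code) scores repeated lookups of a name for exactly that pattern, a short TTL, a steady supply of never-seen-before addresses, and addresses spread across many networks. The observations, host names, TTLs and thresholds are all constructed for illustration and are assumptions, not data from the scam described.

```python
"""Added example: flag a DNS name that is being rotated across hijacked hosts.
All observations below are constructed; names, TTLs and the thresholds are
assumptions, not taken from the article or from F-Secure."""
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed lookups over 30 minutes: (seconds since start, name, TTL, A records)
OBSERVATIONS = [
    (0,    "shop.example.test", 180, ["203.0.113.10", "203.0.113.77", "198.51.100.5"]),
    (300,  "shop.example.test", 180, ["192.0.2.33", "203.0.113.77", "198.51.100.201"]),
    (600,  "shop.example.test", 180, ["192.0.2.91", "198.51.100.5", "203.0.113.142"]),
    (900,  "shop.example.test", 180, ["192.0.2.33", "203.0.113.8", "198.51.100.66"]),
    (1200, "shop.example.test", 180, ["203.0.113.142", "192.0.2.118", "198.51.100.19"]),
    (1800, "shop.example.test", 180, ["192.0.2.7", "203.0.113.10", "198.51.100.201"]),
    # A normal site for contrast: long TTL, the same two addresses every time.
    (0,    "www.example.test", 86400, ["198.51.100.40", "198.51.100.41"]),
    (600,  "www.example.test", 86400, ["198.51.100.40", "198.51.100.41"]),
    (1200, "www.example.test", 86400, ["198.51.100.41", "198.51.100.40"]),
    (1800, "www.example.test", 86400, ["198.51.100.40", "198.51.100.41"]),
]

MAX_FLUX_TTL = 300  # assumption: answers that expire within 5 minutes are suspicious


def analyze(observations):
    """Per name: TTL, address churn, network spread, and a fast-flux verdict."""
    per_name = defaultdict(list)
    for _, name, ttl, answers in observations:
        per_name[name].append((ttl, answers))

    report = {}
    for name, lookups in per_name.items():
        seen = set()
        new_per_lookup = []            # how many addresses each lookup introduced
        for _, answers in lookups:
            fresh = set(answers) - seen
            new_per_lookup.append(len(fresh))
            seen |= set(answers)
        avg_ttl = mean(ttl for ttl, _ in lookups)
        answer_size = mean(len(a) for _, a in lookups)
        # /24 prefixes stand in for "different networks"; a real deployment
        # would map addresses to ASNs instead.
        networks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in seen}
        # Heuristic: short TTL and the whole address set has turned over at
        # least twice within the window.
        fast_flux = avg_ttl <= MAX_FLUX_TTL and len(seen) >= 2 * answer_size
        report[name] = {
            "lookups": len(lookups),
            "avg_ttl": avg_ttl,
            "unique_ips": len(seen),
            "networks": len(networks),
            "new_ips_after_first": sum(new_per_lookup[1:]),
            "fast_flux": fast_flux,
        }
    return report


if __name__ == "__main__":
    for name, stats in analyze(OBSERVATIONS).items():
        print(name, stats)
```

The heuristic is deliberately simple: a content-delivery network also answers with several addresses, but it does not keep producing new ones lookup after lookup, and it rarely spreads a single name over many unrelated consumer networks. Tune the TTL and turnover thresholds against your own resolver logs before acting on the verdict.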

Eric Pakulla, a real estate agent from Ellicott City, doesn’t know who seized control of his 2-year-old Dell computer, or what exactly the hijacker was using it for when it slowed down and began acting strangely last month.

All he knows is that when a technician came to check it, a diagnostic program showed the criminals in action as they manipulated his PC through his high-speed Comcast cable connection.

“They were literally hacking into my computer as I was watching,” Pakulla says. Horrified, he erased the hard disk and started from scratch with new anti-virus software.

Working since late last year, investigators from the FBI and Scotland Yard have been hunting for the authors of such recent worms as Bugbear, Sobig, Mimail, Mydoom and Bagle. But they’re also looking for the co-conspirators who are using them for profit, according to security experts who have helped collect evidence.

Some, but not all, of the key offenders appear to be Russians, some operating from their home country, others from Germany and other nations, the security experts say.

Crime network

What makes their operation unprecedented is that they have apparently created loose-knit organizations from previously separate groups of criminals: virus-writers, spammers and credit-card thieves.

“These gangs combine for the first time all three of these professions,” says Steve Linford, director of the anti-spam organization Spamhaus, which has provided information to both the FBI and Scotland Yard. “They’re actively investigating the information we’ve been working on for years.”

Based in England but relying on a global network of volunteers, Spamhaus has compiled the world’s biggest database of people responsible for sending spam. The organization has taken part of its database off-line at the request of investigators who don’t want to tip off possible suspects, Linford says.

The FBI’s Hendershot, who says he and colleagues are tracking as many as 250 new worms and other bugs a month, declines to discuss the investigations. But any Web surfer can visit the online vice districts and criminal hangouts to get a sense of the gangs’ milieu.

On a Russian Web site called Carder Planet, a slick Flash introduction asks: “Feel tired of everyday routine? Want to change your lifestyle? Become one of us! ... . Credit Cards ... will make you rich!”

In a mix of Russian and broken English, someone calling himself “Script” (the term for a series of computer commands) offers credit card numbers for sale: MasterCard for $40, Visa Gold for $80.

“I am accept [sic] Western union, Wire transfer, e-gold, webmoney,” Script writes, referring to electronic payment methods and adding, presumably tongue in cheek, “cash in bag.”

A banner on the site pokes fun at the FBI, showing two agents and the legend: “Where is this site? We searched half the Europe [sic] already!”

A Google search returns dozens of Web pages offering software to permit a novice to write malicious code using “an easy-to-use Windows virus creation tool,” “a powerful ... worm generator” and so on.

Search for “proxy lists,” and you’ll find vendors peddling the numeric Internet protocol addresses of worm-infected PCs around the world that can be used as relays, hiding the true origin of spam and other traffic.

On the U.S. site proxycity .com, visitors are assured: “We don’t supply lists full of dead proxies, unlike other services out there today. ... With our service you’ll always have large freshly checked proxy lists to suit your needs.”

Lately, online criminal neighborhoods have attracted a self-appointed vigilante - the author of the Netsky worm, which actually removes files created by the Mydoom and Bagle worms.

Sometimes the Netsky writer hides insults in the worm code. “Bagle is a [expletive] guy, he opens a backdoor and he makes a lot of money,” says an encrypted message in one recent version of Netsky.

But Netsky itself has been enormously disruptive, spreading through millions of computers in recent weeks. Some versions are programmed to attack specific Web sites, including the popular KaZaA music-sharing system.

In some ways, Netsky is a throwback to the early days of virus writing, when a misguided sense of mission - not profit - was the major motivation. In those days, malicious programs spread not by e-mail but by shared files and diskettes.

“Back in the 1970s and ‘80s, generally most people doing hacking did it under the guise of the greater good of society,” Hendershot says.

Other young virus writers were the cyber equivalent of graffiti writers or stand-up comedians. Among the earliest such pranks was the Cookie Monster program, which caused the computer to repeatedly ask for a cookie - no matter what was typed - until the user typed the word “cookie.”

“They were just teen-agers wanting to see how notorious they could be,” says Spamhaus’ Linford.

But the authors of Mydoom and Bagle are different. “These guys are not interested in fame,” Linford says. “They want to grab e-mail addresses and take over your computer.”

Worms in disguise

With that goal in mind, hackers have been increasingly clever in disguising their worms, prompting the recipient to bring them to life by clicking on an e-mail attachment that sets off the malicious program.

They arrive in users’ mailboxes with an insidious array of subject lines, including warnings purportedly from the user’s computer system administrator: “Your e-mail privileges are being suspended” or “Child pornography has been found on your computer.”

The most devious message informs the recipient his computer has been infected by a worm and is being used to send spam. It advises the user to click on the attachment to remove the worm - but of course, opening the attachment actually installs it.

Also increasingly common: By grabbing legitimate e-mail addresses from an infected PC’s address book, worms forge the sender line so their messages appear to come from a friend or co-worker. It’s a clever move, since security experts have long advised PC users to open only those attachments sent by people they know, and the “From” line is exactly the part of a message that the worm controls.
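Because the worm writes the “From” line itself, a gateway has to judge a message by things the sender cannot forge so easily: the host that actually handed the message over (recorded by the receiving mail server), the envelope sender that bounces would go to, and the attachment type. The following added example (not code from the article or from any vendor it names) runs those three checks over two constructed messages, a worm-style lure of the kind described above and an ordinary internal note. The domains, host names, the internal-domain setting and the list of risky extensions are all assumptions for illustration.

```python
"""Added example: triage inbound mail on evidence the worm cannot forge.
Both messages are constructed for illustration; the domains, host names,
INTERNAL_DOMAIN and EXECUTABLE_EXTS are assumptions."""
import email
import os
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example.com"  # assumption: our own mail domain
# Attachment types the mass-mailing worms of the period favoured (assumption;
# tune for your environment).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".cmd", ".com", ".zip"}

# Constructed lure: From is forged to look internal, but the message was
# handed to our gateway by a consumer DSL host elsewhere.
LURE_RAW = b"""Return-Path: <bounce@bulkmail.example.net>
Received: from dsl-12-34.example.net (dsl-12-34.example.net [192.0.2.45])
        by mx.corp.example.com with SMTP; Wed, 10 Mar 2004 09:12:01 -0500
From: "Alice Colleague" <alice@corp.example.com>
To: bob@corp.example.com
Subject: Your e-mail privileges are being suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Our system detected a worm on your PC. Run the attached tool to remove it.
--b1
Content-Type: application/octet-stream; name="remover.pif"
Content-Disposition: attachment; filename="remover.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b1--
"""

# Constructed benign message: delivered by the internal relay, no attachment.
BENIGN_RAW = b"""Received: from mail.corp.example.com (mail.corp.example.com [198.51.100.7])
        by mx.corp.example.com with ESMTP; Wed, 10 Mar 2004 09:15:44 -0500
From: alice@corp.example.com
To: bob@corp.example.com
Subject: Q1 numbers
Content-Type: text/plain

See you at 3.
"""


def domain_of(addr) -> str:
    """Lower-cased domain of an address header value ('' if there is none)."""
    _, bare = parseaddr(str(addr))
    return bare.rsplit("@", 1)[1].lower() if "@" in bare else ""


def handoff_host(msg) -> str:
    """Host named in the topmost Received header: the machine that delivered
    the message to our gateway.  Our own server wrote that header, so the
    sender cannot rewrite it the way it rewrites From."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = re.match(r"from\s+([\w.-]+)", str(received[0]).strip(), re.I)
    return match.group(1).lower() if match else ""


def triage(raw: bytes) -> dict:
    """Return which checks fired and a verdict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))
    host = handoff_host(msg)

    # 1. Mail claiming an internal sender must arrive through an internal host.
    internal_host = host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)
    if from_dom == INTERNAL_DOMAIN and not internal_host:
        findings.append(f"From claims {from_dom} but handed off by {host or 'unknown host'}")
    # 2. Envelope sender (where bounces go) disagreeing with the From domain.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    # 3. Executable attachments, whoever the sender appears to be.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            findings.append(f"executable attachment {name!r}")

    return {
        "from_domain": from_dom,
        "handoff_host": host,
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


if __name__ == "__main__":
    for label, raw in (("lure", LURE_RAW), ("benign", BENIGN_RAW)):
        print(label, triage(raw))
```

Only the topmost Received header is trusted, because lower ones may have been written by the sender; in a real gateway you would key the check on the connecting IP address your own server logged rather than on the host name in the header text.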

“The last 18 months, I’ve had to tell people that’s not good enough,” says Marc Seidler, who makes house calls on ailing Baltimore-area computers for the Computer Doctors. On his home PC, Seidler says, he’s been getting viruses that appear to be sent from an anti-virus group he belongs to.

Between viruses, spam and spyware - programs hidden on your computer by worms or certain Web sites, usually designed to gather marketing data - Seidler says a lot of customers are reaching the end of their patience.

“I hear all the time, ‘I’m about ready to give up the Internet,’” he says. “It is without a doubt getting worse all the time.”

Avi Rubin, technical director of the Information Security Institute at the Johns Hopkins University, says the proliferation of worms, spam and fraud may force fundamental changes to the Internet.

Originally designed for the use of a trusted community of military and scientific professionals, the Internet was not constructed with security in mind.

Now, in the race between worm-writers and spammers on one hand, and those who write spam blockers and anti-virus programs on the other, the bad guys are clearly winning, Rubin says.

“I think it’s very, very serious,” he says. “The Internet as we know it may not be around much longer if we don’t solve these problems.”