Night of the Techno-Zombies
Zombies do a lot of the heavy lifting in this dark business. No, not the walking dead--"zombies" are malware-infected computers that an online puppet master controls. Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet" attempt to carry out the high-tech money grab.
Botnets are popular because of their increasing sophistication and multiple uses. These versatile zombie armies can pull in cash for their controllers in a variety of ways. Sending spam--still a big money-maker--is one common use. Zombie networks can also steal personal information for purposes of identity theft.
When botnets are used to launch a DDoS attack, the ringleader instructs each zombie computer to send a flood of data to a particular Web site. By itself, the data from a single PC can't hurt a site. But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed and cut off from the Internet.
Experts at Kaspersky Lab and elsewhere now believe that the infamous, sophisticated malware duo of the Bagle worm and the MyDoom worm, which afflicted systems around the globe starting in early 2004, were specifically meant to recruit computers for botnets. Together, Bagle and MyDoom cost businesses around the world almost $7 billion in lost productivity and revenue, labor costs, and other expenses last year, according to the Computer Economics study. And while similar measurements for the impact of the Sasser worm weren't available, it affected hundreds of thousands of PCs. Nearly 1.5 million users downloaded a Microsoft fix for the worm in the first two days it was offered.
MyDoom had a rather unsophisticated means of controlling host machines. Once it insinuated itself into an unprotected PC, anyone who knew a not-so-secret five-digit code could commandeer the computer for any desired purpose, according to Kaspersky Lab and other experts. As a result, MyDoom-compromised computers were very popular with online criminals for a while. The Bagle worm, by contrast, used a more sophisticated means of control to keep each machine's reins fully in the hands of its mysterious, still-uncaught author.
Nevertheless, botnets aren't the only means at the disposal of computer criminals to make an illegal buck.
Malware has made its way into the world of corporate espionage, too. In May, London police arrested two people suspected of writing the custom spyware used in a major business spy ring in Israel. As reported by the Israel News Service, Israeli police believe that the malware made its way to the target companies via files attached to e-mail messages or on computer discs distributed as a business proposal. Police found dozens of servers in Israel, the United States, and elsewhere containing stolen documents that the spyware sent to them, according to the report.
More to Come
Law enforcement is trying to keep up with the new trends, but in the meantime, experts say, you shouldn't look for profit-driven malware to disappear soon. CipherTrust, an e-mail security company that tracks botnets, reports that malware turned an average of 172,009 previously healthy computers into zombies every day during May 2005. As processing power improves and broadband Internet connections become more widespread, zombie computers will be able to send more spam or hit Web sites harder--and botnets will become more powerful.
Also, the ability to shuffle funds--including ransom payments--anonymously through convoluted Internet paths using human mules (in much the same way as in the drug trade) and online payment services means that criminals can revisit old approaches. For instance, Joe Stewart, a senior threat researcher at LURHQ, a South Carolina-based Internet security company, says that the attack responsible for encrypting the Websense customer's files and holding them for ransom had originally been tried back in 1989.
But "trying to get paid anonymously in 1989 was a lot different," Stewart says. "These schemes can now be reinvented because you can get away with it."
Tomorrow: How Botnets Work