[ISN] Invasion of the Computer Snatchers

InfoSec News isn at c4i.org
Tue Feb 21 01:14:10 EST 2006


By Brian Krebs
February 19, 2006

In the six hours between crashing into bed and rolling out of it, the
21-year-old hacker has broken into nearly 2,000 personal computers
around the globe. He slept while software he wrote scoured the
Internet for vulnerable computers and infected them with viruses that
turned them into slaves.

Now, with the smoke of his day's first Marlboro curling across the
living room of his parents' brick rambler, the hacker known online as
"0x80" (pronounced X-eighty) plops his wiry frame into a tan,
weathered couch, sets his new laptop on the coffee table and punches
in a series of commands. At his behest, the commandeered PCs will
begin downloading and installing software that will bombard their
users with advertisements for pornographic Web sites. After the
installation, 0x80 orders the machines to search the Internet for
other potential victims.

The young hacker, who has agreed to be interviewed only if he isn't
identified by name or home town, takes a deep drag of his smoke and
leans back against the couch to exhale. He smiles. This is his day
job, and his work is finished in less than two minutes. In two weeks,
he will receive a $300 check from one of the online marketing
companies that pays him for his services.

"Most days, I just sit at home and chat online while I make money,"  
0x80 says. "I get one check like every 15 days in the mail for a few
hundred bucks, and a buncha others I get from banks in Canada every 30
days." He says his work earns him an average of $6,800 per month,
although he's made as much as $10,000. Not bad money for a high school

Hacked, remote-controlled home computers, known as robots or "bots,"  
and large groups of robot networks like the one 0x80 runs -- called
"botnets" -- are the souped-up cyber engines driving nearly all
criminal commerce on the Internet. Botnets are used to relay millions
of pieces of junk e-mail, or spam, touting everything from cheap
Viagra to get-rich-quick business schemes. And the botmasters who
control these computer networks are at the heart of ominous and
increasingly common online shakedowns known as "denial of service
attacks." In such an attack, Web gangsters demand tens of thousands of
dollars in protection money from businesses. If the businesses refuse
to pay, the criminals order the thousands of computers that make up
their botnets to flood the Web sites with meaningless traffic,
crippling the businesses and costing them thousands or hundreds of
thousands of dollars in lost revenue.

0x80 says that he doesn't use his botnet to shake down businesses.  
Instead, he and a growing number of botmasters make money by seeding
their botnets with spyware, also known as adware. Once installed on a
PC, the adware serves up pop-up advertisements and mines data about
the user's online browsing habits. The computer worm that powers the
botnet also gathers far more sensitive data from the victim's machine,
including passwords, e-mail addresses, Social Security numbers and
credit card data. The spyware and adware problem is pervasive and
growing: A recent survey by the National Cyber Security Alliance and
America Online found that four of five computers connected to the Web
have some type of spyware or adware installed on them, with or without
the owner's knowledge.

The distribution of online advertisements via spyware and adware has
become a $2 billion industry, according to security software maker
Webroot Software Inc. And as the industry has boomed, so have the
botnets. Just a few months ago, FBI agents arrested a 20-year-old from
Southern California for installing adware on a botnet of more than
400,000 hacked computers. Jeanson James Ancheta's victims included
computers at the Naval Air Warfare Center and machines at the Defense
Information Systems Agency, according to government documents. He
pleaded guilty to the charges last month.

Like Ancheta, 0x80 installs adware and spyware surreptitiously, though
the law requires the computer owner's consent. The young hacker
doesn't have much sympathy for his victims. "All those people in my
botnet, right, if I don't use them, they're just gonna eventually get
caught up in someone else's net, so it might as well be mine," 0x80
says. "I mean, most of these people I infect are so stupid they really
ain't got no business being on [the Internet] in the first place."

Tall and lanky, with hair that falls down to his eyebrows, 0x80 almost
never looks you in the eye when he talks, his accent a slurry of heavy
Southern drawl and Midwestern nasality. He lives with his folks in a
small town in Middle America. The nearest businesses are a used-car
lot, a gas station/convenience store and a strip club, where 0x80 says
he recently dropped $800 for an hour alone in a VIP room with several
dancers. He tells his parents that he works from home for a Web design
firm. His bedroom resembles a miniature mission control center, with
computers, television and computer monitors, and what must be several
miles' worth of tangled wires plugged into an array of surge-protected
power strips.

At the moment, 0x80 controls more than 13,000 computers in more than
20 countries. This morning he installs spyware on just a few hundred
of the 2,000 PCs that he has commandeered in the last few hours. He
will stagger the remaining installations throughout this day and into
the next, using a program he wrote that automates the process. If he
installs too many bundles of spyware at once, the online marketing
companies, "get suspicious, they cut me off, and I don't get paid," he
mumbles, squinting at the screen while the nub of his cigarette
sprinkles ashes all over his laptop and the coffee table. "I've
learned not to get greedy."

A small dog with matted fur enters the living room and winds through
0x80's feet. 0x80 gives the dog a gentle shove with his foot, without
even looking up from his laptop. He furiously stabs at the keyboard
with his two forefingers, punching out a short command that produces a
mesmerizing blur of black-on-white text that scrolls up the computer
screen at several pages per second. 0x80 makes it halfway through a
cigarette before the text flying across the screen finally stops. The
command he typed -- "pstore" -- is short for "password store." On the
screen in front of him is a listing of every user name and password
that the owner of each infected computer has stored in the Microsoft
Internet Explorer Web browser on his or her computer.

A quick scroll through the first few dozen pages of the file reveals
credentials his victims have used to log in to online accounts at
PayPal, eBay, Bank of America and Citibank, to name just a few. Many
of the Web sites for which user names and passwords are stored are
harmless, such as sports or hobby sites. Others are potentially far
more revealing, such as hard-core sex and fetish Web sites. 0x80 has
also found credentials for thousands of e-mail accounts, including
dozens at ".mil" and ".gov" (U.S. military and government) addresses.

"See all that info?" 0x80 asks. "I don't use it, and I don't sell it
like a lot of guys I know do. That's too risky." His goal is to make
money, not to end up in jail.


One of his victims, a computer-loving 29-year-old pastor named Michael
White, could tell 0x80 plenty about jail. White runs the Agape Church
and Christian Center in Memphis but admits he wasn't always a man of

Ten years ago, he was a freshman at the University of Memphis, where
he was on the track team and the dean's list. Then he fell in love
with liquor, he says, and flunked out of school. He landed in jail
twice over the next 18 months, both times for driving a car that
didn't belong to him.

Next came the accident that changed his life. One night, while White
was driving a friend's Mitsubishi Eclipse, a police cruiser pulled up
behind him, lights flashing. White says he was intoxicated, and
driving without a license or insurance. He panicked, floored the car
and lost control, flipping the Eclipse over and over until the fuel
tank ignited. White woke up in a hospital bed with third-degree burns
over 30 percent of his body. The searing heat from the explosion had
melted his ears into little nubs, and doctors had amputated the pinky
finger on his scarred left hand.

Fifteen plastic surgeries and more than two years of physical therapy
later, White had healed enough to face the charges against him, which
included aggravated assault for endangering the lives of other
motorists. He pleaded guilty in 1999 and served almost two years at a
prison in Tennessee.

During his time in prison, he says, "I realized the Lord had called me
to ministry." Since White's release in 2001, God has played a huge
part in his life. And so have computers. He typically spends 50 to 60
hours a week surfing the Web, instant-messaging and e-mailing. He even
met his wife online. Shortly after starting his ministry, he entered
an online chat room dedicated to Christian ministries and struck up a
conversation with a woman using the screen name "Warrior Princess."  
They hit it off immediately and married 15 months later. Taneshia gave
birth to their first child, MaKalya, last month.

But the same technology that led White to his wife betrayed him last
summer. His desktop computer, which he had paid $350 for in 2004, was
suddenly inundated with pop-up ads for adult Web sites. A mysterious
toolbar with the symbol "XXX" had shown up in the topmost portion of
every Internet Explorer Web browser window he opened.

A friend spent a few days trying to remove the pornographic software,
but each time he did, the software reinstalled itself after the
computer was reconnected to the Internet. White initially suspected
that one of the kids he tutors after school had used his PC to visit
some questionable Web sites. He wasn't aware that his computer had
been hijacked by 0x80 until he was contacted by the reporter writing
this story.

0x80's bot program was able to infiltrate the pastor's computer
because the PC lacked dozens of software patches that Microsoft has
issued to fix security flaws in its Windows operating system. White
says he was counting on a $50 firewall and antivirus software suite he
purchased from Trend Micro to keep hackers and viruses from attacking
his PC, but he confesses he's not sure whether the software was
equipped with the latest updates that would allow it to detect the
most recent viruses.

"I'll be honest, as someone who loves technology, I've not done a
great job with this computer," White says. He eventually opted to buy
a new PC rather than spend the time and money to repair the infected
one. "It just made more sense for me to get a new $300 Dell that came
with a free monitor that was better than the one I had," he says.

The whole episode, he says, has taught him a valuable lesson: It's
easier to take the precautions needed to keep a computer from being
hacked than it is to clean it up after the damage has been done.  
"Overall, you've got to realize that, just like if you don't secure
your home, you run the risk of getting burglarized; if you're crazy
enough to leave the door on your computer open these days, like I did,
someone's gonna walk right in and make themselves at home."


0x80 began learning how to program at age 14, before his family even
owned a computer. Like many hackers of his generation, he got his
start by meeting techies on networks run by America Online.

"This buddy of mine who lived two houses down from me had a computer
before I did. He was always on AOL, but he also always had trouble
figuring out how to do stuff, so I'd just go on all the time and
figure it out for him." 0x80 says he got into writing viruses by
accident after logging onto an AOL chat room named "Lesbians Only."

"Someone sent me a virus that made it so that every time I typed
anything on the keyboard it would pop a message up on the screen that
said, 'I'M [expletive] GAY!'" 0x80 recalls. He tried to stop the
computer from flashing the message, but nothing worked. "I finally
found [information] on it using my friend's PC and figured out how to
write a batch script to stop the virus."

After that, 0x80 became obsessed with computer viruses and dedicated
nearly all his time to tinkering with them. On his 16th birthday, his
folks gave him his own computer to do schoolwork. It wasn't long
before 0x80 was skipping school to spend time in online channels known
as Internet Relay Chat, a vast sea of text-based communications
networks that predates instant-messaging software. There are tens of
thousands of IRC channels all over the world catering to almost every
imaginable audience or interest, including quite a few frequented
exclusively by hackers, virus writers and loose-knit criminal groups.  
IRC channels have traditionally been among the most popular means of
controlling botnets.

About two years ago, 0x80 entered an IRC channel where several hackers
were bragging about how much they were making using botnets to install
spyware. Up to that point, 0x80 had used his botnet mainly for
"packeting," conducting petty denial-of-service attacks to knock his
buddies or enemies offline. Within a few weeks of visiting that
channel, 0x80 was modifying the computer worm code he needed to
transform his botnet into a money machine.

He and his hacker friends are part of a generation raised on the
Internet, where everything from software to digital music to a
reliable income can be had at little cost or effort. Some of them
routinely go out of their way to avoid paying for anything. During a
recent conference call with half a dozen of 0x80's buddies using an
800-number conferencing system they had hacked, one guy suggests
ordering food for delivery. Nah, one of his friends says, "let's
social it." The hackers take turns explaining how they "social" free
food from pizza joints by counterfeiting coupons or impersonating
customer service managers.

"Dude, the best part is when you walk in, you hand them the coupon or
whatever, they give you your [pizza], and you walk out," one of them
enthuses. "Then, it's like, yes, I am . . . the coolest man alive."

"Dude, that's so true," echoes a 16-year-old hacker. "Free pizza
tastes so much better than pay pizza any day."

0x80 expresses some ambivalence about this lifestyle and occasionally
ponders what he should do next. He's toyed with the notion of going to
a community college to get a degree in computer science, but the idea
of getting an honest job with a legitimate tech company doesn't hold
much appeal. "I'd probably have to take a pretty bad pay cut no matter
where I worked," he says.

Asked whether he worries about getting caught, 0x80 stuffs his hands
into his jeans pockets, shrugs his shoulders and looks down at his
shoes. "To tell the truth, man, I'm sorta surprised they haven't
caught me yet." He claims he doesn't care but then confesses that he
dedicates quite a bit of time to covering his tracks. "I do stay up
very late each night trying to make sure nobody is going to kick in my
front door . . . If I do [get caught], I'm not all that worried. I've
got enough money. I can always get a good lawyer."


Adware and spyware distribution companies promise instant riches to
people who agree to help install their programs. These installers are
known in the business as "affiliates."

Many adware distribution sites recruit affiliates with photos of
stacked $100 bills. GammaCash.com, for instance, the company that
makes the XXX toolbar that Michael White discovered on his computer,
features an animated image of a pair of hands cupped to hold an
expensive watch. Wait a few seconds, and the watch disappears, only to
be replaced by a Cadillac sport utility vehicle, which quickly morphs
into a yacht.

The companies include in their "terms and conditions" disclaimers that
they do not permit the installation of their products without the
consent of the person who owns the computer. Most claim they will
terminate without pay any affiliates who violate that rule.

But 0x80 and one of his friends -- who goes by the screen name Majy --
say they've easily disguised their installation methods. Their biggest
complaint about the whole enterprise: being routinely shortchanged by
the adware distribution companies, which often "shave," or undercount,
the number of programs installed by their affiliates.

"It sucks, too, because the companies will shaft you, and there isn't
a lot you can do about it," says Majy, 19, who claims to have had as
many as 30,000 computers in his botnet.

There are, in fact, legal ways to induce PC owners to download spyware
and adware. Most computer users acquire spyware and adware simply by
browsing certain Web sites, or agreeing to install games or software
programs that come bundled with spyware and adware. Before its Web
site went dark not long ago, TopConverting.com bundled its adware and
spyware with products most likely to appeal to children and teenagers:  
simple games, online game insignias or "avatars," and "emoticons,"  
custom-made smiley faces for use in instant-message software. The
company also marketed short digital videos that catered to the humor
of teenage boys: "Beavis and Butt-Head" cartoons, a short clip called
"Boob Boxing" and another titled "Bath Fart."

Computer users may or may not understand what they are consenting to
when they click "OK" to the lengthy, legalistic disclosures that
accompany these games or videos. But those notices are legal contracts
that essentially absolve the adware companies from any liability
associated with the use or misuse of their programs.

0x80 and Majy don't leave computer owners any chance to decline the
adware. Once they invade a computer and add it to their botnet, they
use automated keystroke codes to order the enslaved machine to click
"OK" on installation agreements. 0x80 says he even created a program
that allows him to remotely wipe computers in his botnet clean of old
adware, making room for him to install new adware -- and get paid

And getting paid is the whole point. Majy says TopConverting, which
did not respond to requests for comment for this article, paid him an
average of $2,400 every two weeks for installing its programs. He got
20 cents per install for computers in the United States and five cents
per install for PCs in 16 other countries, including France, Germany
and the United Kingdom. A nickel per install doesn't sound like much,
unless you control a botnet of tens of thousands of computers.

Majy also receives income from Gamma-Cash, which bills itself on its
Web site as "an industry leader in online adult affiliate programs."  
The company pays affiliates to drive traffic to adult Web sites,
mainly through pop-up advertisements for porn sites served to users
through its XXX toolbar, which hijacks the victim's Web browser and
sets its home page to one of several subscription porn sites. Majy
says Gamma-Cash, which did not respond to requests for comment, sends
him a $400 check each month from a bank in Canada.

0x80 also installs adware for Gamma-Cash. And he works for a company
called Loudcash, which was recently purchased by one of the largest
and most important players in the adware business: 180solutions.


Half of the glass-and-steel structure that houses 180solutions'
sprawling headquarters in Bellevue, Wash., rests underground; the
other half juts out at acute angles. The rooftop sports an AstroTurfed
volleyball court, a gas grill and a commanding view of the Seattle

Some of the company's 200-plus employees zip around the long hallways
on Segways or foot-powered scooters. Throughout the building are
polka-dotted posters that read, "Who Do You Want to Be?" The signs are
meant to challenge employees to continuously reevaluate their roles,
but they also reflect the seven-year-old company's effort to prove to
the world that it has executed a 180-degree shift away from its past
business practices.

180solutions got its start in the adware industry with a product
called Epipo, which paid people roughly six cents per hour to view
specially targeted advertisements sent to their computers. The product
became popular among college students, who quickly figured out ways to
automate browsing the Web so that they could get paid for viewing ads
while they were away from their computers. According to allegations in
a lawsuit filed by the Washington state attorney general's office, 180
responded by changing the payment terms so that it was virtually
impossible for people to collect the promised money. The company
nearly went bankrupt when it settled the suit in 2002.

By that time, 180 had changed its marketing strategy. Instead of
paying people to install its adware, the company lured them with free
games, which came bundled with ad-serving software called "n-Case."  
The software tracked users' surfing and buying habits, and was
extremely difficult to remove. Consumer advocates had little
difficulty showing that n-Case was being installed without user
consent. Faced with increasing criticism for the fraudulent installs,
180 rebranded the software as 180 Search Assistant. The new software's
chief distinguishing feature was that it was easier to remove than

In 2004, venture capitalists invested $40 million in 180solutions,
fueling rapid growth. That year, 180 says, it raked in more than $50
million delivering online ads for some of America's best-known
corporations, including JP Morgan Chase, Cingular, T-Mobile,
Monster.com and Expedia.com. (Among the hundreds of companies that
have placed ads through 180solutions is Kaplan University Online,
which is owned by The Washington Post Co.)

By 180's own count, its adware is installed on 20 million computers.  
The people who use those computers receive pop-up ads based on what
they are searching for online. If the user searches for the term
"travel," 180's software will look through its database of clients in
the travel business and present an ad from the company that bid the
most on that search term. The next time that user searches using the
same term, 180 will serve the ad of the next-highest bidder for that
word, and so on. 180 then gets paid from 1.5 to 2.5 cents for each ad
it delivers to the user. The more computers with 180's adware, the
more revenue each ad generates.

Consumer groups gathered mountains of evidence that 180 Search
Assistant was being installed on thousands of computers without user
consent. Once again, 180 tried to quiet its critics. Toward the end of
last year, the company announced it was phasing out 180 Search
Assistant in favor of the Seekmo Search Assistant. Company spokesman
Sean Sundwall says Seekmo will be more fraud resistant than 180 Search
Assistant, and that it will not be distributed or bundled with other
software programs without 180's permission. The company says this will
give it far more control over how Seekmo is installed and by whom.

But Ben Edelman, who has spent years chronicling the offenses of the
adware industry while working toward a PhD in economics at Harvard
University, says Seekmo is functionally the same program as 180 Search
Assistant. Edelman says 180's penchant for renaming its software each
time abuses are highlighted is part of the reason the anti-spyware
community directs so much vitriol at the company.

"The idea that 180solutions got where they are today through bad
business practices and that they continue to make money from that user
base is hardly unique to them," Edelman says. "What really makes
people so mad is that 180 is far less apologetic than the other
players" in the industry.

The Center for Democracy & Technology, the leader of a group called
the Anti-Spyware Coalition, spent two years working with 180 to
resolve dozens of consumer complaints about surreptitious installs.  
Ari Schwartz, the center's deputy director, says each time the subject
arose, the company claimed it was blindsided by the accusations and
that it needed more time to correct its distributors' behavior.

Weeks after 180solutions said it was discontinuing its 180 Search
Assistant software, a computer worm began spreading rapidly across
AOL's instant message network, downloading and installing viruses and
a host of other programs -- including 180 Search Assistant -- on
victims' computers. While 180 denied it had anything to do with the
worm, for the CDT, that was the last straw: On January 23, the
nonprofit filed a detailed complaint with the Federal Trade Commission
urging the agency to sue 180solutions for violating consumer
protection laws.

In a statement, 180solutions denied that it was ignoring the problem,
arguing that it had made "great progress in the fight against spyware"  
and insisting that it shared the CDT's vision of "protecting the
rights and privacy of consumers on the Internet . . . We have made
voluntary improvements to address every reasonable concern that the
CDT has made us aware of."

Company executives acknowledge they didn't begin addressing the fraud
problems wrought by what 180 co-founder Dan Todd calls "a few bad
actors" until mid-2004. Dressed in worn-out jeans and an untucked
dress shirt, 34-year-old Todd puts one foot up on the coffee table in
his glass office and tries to explain how things spiraled so far out
of control. "At some point between dealing with legitimate
distributors and these botnet guys who try real hard to look like good
guys, we realized that something had gone terribly wrong and that our
plan of outsourcing our relationship to the consumer had backfired,"  
Todd says.

Last year, he says, 180 executives purchased some of their biggest
distributors, including Loudcash, as part of a plan to rein in "rogue
distributors" and help clean up the company's adware distribution
practices. 180 says it no longer allows its adware to be bundled with
adult Web site content or peer-to-peer (P2P) online file-sharing
services that many people accuse of promoting music and movie piracy.  
"Our goal," he says, "is to minimize the financial incentive for
people to install our software illegally, with the goal of making sure
that our money never gets paid to bad actors."

To demonstrate its commitment, 180 filed lawsuits last year against
seven distributors, accusing them of using botnets to earn more than
$60,000 installing the company's adware without computer owners'
consent. When the defendants -- all of whom live outside of the United
States -- refused to make the trip here to face the allegations
against them, 180 referred the matter to the FBI, says company
attorney Ken McGraw.

The company also worked with the FBI and Dutch authorities last year
on an investigation that shut down a botnet of more than 1 million
computers in the Netherlands. The FBI acknowledged that 180 was
instrumental in helping to track down the botmasters. 180, in fact,
became the target of a denial-of-service attack by the botmasters, who
were furious that the company was refusing to pay them for
surreptitious adware installs. The attack briefly crippled 180's Web
site, making the company a victim of the botnet phenomenon.

Yet 180's insistence that it is cracking down on botmasters has yet to
win over the anti-spyware activists, who have spent years unraveling
the labyrinthine economic ties among advertisers, adware vendors and
their affiliates. The anti-spyware hawks don't believe 180solutions
has changed the way it operates or that the company is buying up major
players in the adware industry in order to clean up its act. "That's
sort of like a drunk saying he's buying up a liquor store to solve his
drinking habit," says Eric Howes, an executive at Sunbelt Software, an
anti-spyware firm.

At a recent anti-spyware conference, Todd was openly mocked for
claiming that 180 previously had no way of knowing how many of its
distributors were installing its software illegally. Someone at the
conference suggested that 180 use its technology to periodically
present users with pop-ups asking them whether they had authorized the
adware to be installed in the first place. Now the company says it is
doing just that. If the answer is no, the user can remove the software
with a click of a button.

0x80 hasn't paid much attention to the public condemnation of 180's
business practices. And he says he doubts any of the measures the
company is taking will discourage botmasters from installing adware.  
"It doesn't really matter what [180] does to try and stop them," the
hacker says. "There's just too much money to be made there. People
will just find another company to work with."


Sam Norris answers the door of his handsome stucco-and-Spanish-tile
home near San Diego dressed in jeans, a polo shirt and squeaky-clean
blue and white suede sneakers. He smiles broadly. "You picked a great
week to come out," he says. "I'm tracking quite a few botnets today."

Norris, 31, is president of an Internet service company called
ChangeIP.com that finds itself at the center of the battle against
botnets. He estimates that he is spending up to 20 hours a week
preventing botmasters like 0x80 and Majy from using his network to
control their botnets.

Botmasters typically control their herds of infected PCs by having
each report to a central server and await instructions, which may be
to attack a Web site, send spam or download spyware programs. But many
of the IRC networks that have been used for this purpose are beginning
to crack down on botmasters. As a result, an increasing number of
hackers are trying to cover their tracks by taking advantage of the
services of companies like Norris's, which allow Internet browsers to
find hundreds of small Web sites by name (for example:  
smallwebsite.com), even though the actual numeric address of the sites
can change from day to day.

Botmasters like 0x80, however, have turned that process inside out.  
They use Norris's service to hide their botnets when they jump from
server to server. Should authorities or computer security experts
start to zero in on the server that's running their botnet, they can
switch servers, and ChangeIP.com will enable the hijacked computers to
find the new hideout.

In most cases, it is easy for Norris to tell which hosts on his
network are legitimate Web sites and which are botnets: Most small Web
sites don't have thousands of computers trying to access the site at
precisely the same time. By tracking the communications traffic
between the infected machines and the botmaster's control channel,
Norris can capture data that might be useful to law enforcement,
including snippets of text or code that may hold clues about the
geographic location or identity of the botmaster.

Norris says he sees an average of 37 new botnets per week trying to
use his company's service, and sometimes as many as 10 new botnets per
day. Last spring, he cut off access to a botnet of more than 40,000
PCs that was being used as a massive install base for spyware. "I am
seeing this botnet-spyware connection just skyrocket," Norris says,
"and I think it's because these guys are realizing there's tons of
cash to be made here."

A computer programmer by trade, Norris dissected a copy of the bot
used by one hacker he recently banished from ChangeIP.com's network.  
The program contained instructions for installing 14 adware and
spyware programs, and Norris says the bot code was encrypted and so
thoroughly disguised that none of the antivirus software he used
detected the code as malicious. As he was examining the bot program,
Norris accidentally executed it, causing his machine to become
infected. Almost immediately, he says, the program downloaded a
package of adware and launched several pop-up ads for pornographic Web
sites. It also installed GammaCash's infamous XXX toolbar.

Norris's forensics work revealed that the bot program also contained
more than 30 other features, including the ability to capture all of
the victim's Web traffic and keystrokes, as well as a program that
looks for PayPal user names and passwords. Other programs installed by
the bot allowed the attackers to peek through a user's webcam.

Norris often works out of his home in the auburn hills of San Marcos,
Calif., where F-16 fighter jets from nearby Miramar Naval Air Station
streak across the sky. Today he sits down at the desk in his cramped
home office and clacks away at his keyboard, generating a slew of line
graphs measuring the level of traffic flowing across his company's
networks. He's a member of an informal enforcement group of more than
100 independent security experts worldwide who share daily data on the
size, location and activity of the Web's most disruptive botnets.  
Hailing from Internet service providers, computer hardware
manufacturers and software security firms, the group's members use
that information to shut down botnets by cutting off the infected
computers and forwarding the intelligence they glean to law

Each morning, Norris receives an e-mail listing the online locations
of the Web servers used to control some the world's most dangerous
botnets. "First thing I do most days is go through this list and try
to find out which ones" are using his network, he says, pointing to a
report he just generated that lists the top 20 traffic-generating
sites on his company's system. "Most of these are botnets."

And the botnets are hardly limited to hijacked home computers. A few
months back, Norris found more than 10,000 infected PCs on the inside
of a Fortune 100 company network, all trying to contact a control
server located at ChangeIP.com. When Norris called the company with
the bad news, its poorly trained network administrator had no idea how
to respond. "I call this guy up and say, 'Hey, you've got 10,000
infected computers on your network that are attacking me,' and this
guy is basically, like, 'Well, what do you want me to do about it?' "

Norris says that after collecting enough evidence about a botnet, he
terminates the account and, he hopes, disconnects the botmaster from
his army of infected machines. He says "he hopes" because many times
the botmaster will have instructed his enslaved machines in advance to
try several other domain names should the main control channel be
shuttered. But in most cases, Norris says, the botmaster simply shifts
control of his botnet to another Internet service provider. "Other
times, the attackers play dumb and send polite e-mails asking why
their service has been shut off." And, occasionally, the hackers will
rebuild their botnets elsewhere and use them to retaliate against
ChangeIP. Last year a botmaster who had been cut off joined forces
with another botnet to direct such a massive, constant stream of bogus
Web traffic at ChangeIP.com that the site had difficulty processing
legitimate traffic for nearly a week.

As the botnet problem has escalated, so has the interest of federal
law enforcement, Norris says. Not long ago, he was contacted by a
National Security Agency official who asked for records related to
several ChangeIP accounts. He's also had visits from FBI agents hot on
the trail of several botmasters. One FBI agent said he couldn't
disclose the details of his investigation but handed Norris a copy of
a Time magazine article about Chinese hackers suspected of
infiltrating U.S. corporate and military computer networks.

"The feds are finally starting to understand that botnets are more
than just a nuisance: They're the source of all that's evil on the
Internet today, from hacking and spamming to phishing and spying,"  
Norris says. (Phishing involves impersonating trusted Web sites to
gain confidential information from computer users.)

Shutting down a botnet can be arduous work, but finding the criminal
on the controlling end of the herd has proven an especially
challenging task for law enforcement. That's in part because security
experts like Norris and others often disagree over whether to
dismantle the botnets as soon as possible or to monitor them for a
period of time in order to gather intelligence that might prove useful
in helping investigators track down the criminals behind them.

Hank Nussbacher, an independent Internet security consultant based in
Israel and a member of the group that's sharing information on botnet
activity, says most members have their hands full just shutting down
the botnets' command and control centers. "Occasionally, the Internet
service provider where the [bot control center] is located requests
that it not be shut down because they are collecting forensics
information for some law enforcement agency, but I'd say about 98
percent of the time, as soon as we find one, we shut it down."

Louis Reigel III, assistant director of the FBI's Cyber Division, says
the botnet data regularly shared by security experts like Norris is
invaluable. But Reigel stresses that prosecuting botmasters is
difficult because their crimes and networks usually span multiple
continents, which means working with foreign law enforcement agencies
and depending on their cooperation.

The FBI has dedicated several agents from its special technologies
section to tracking down botnet operators and is pursuing hundreds of
investigations, Reigel says. But "the techniques being used by these
bot guys are becoming more efficient every day, so the bot situation
is probably going to get a lot worse before it gets better."

Norris shares that fear and worries that more botmasters will begin to
exploit emerging peer-to-peer communication technologies of the sort
that power controversial music- and movie-sharing networks like Kazaa
and LimeWire. Such networks would allow enslaved computers to
communicate instructions and share software updates among one other,
so that they would no longer depend on orders from the master servers
that Norris and other bot hunters search out and disable every day.

"When P2P becomes the norm with these bots," Norris says, "that's when
I call it quits with this botnet stuff, because, at that point, it
will be pretty much out of my hands."


On the eve of a visit to his home by a Washington Post photographer,
0x80 decides to tell his father what he really does for a living, in
part, he says, because hiding it is starting to eat him up inside.  
0x80 tells his father the whole truth, but he can't bring himself to
break the news to his mother because, as he puts it, "she's really
Christian and that would just crush her to know I'm involved in
something like this."

"I told my dad I had made an Internet worm that infected people, and
then I used their computers to make money, and he just shook his head
and was, like, 'I hope you don't go to jail for that . . .' and . . .  
'I hope it wasn't underage porn you was doing.'"

That same question has been encroaching on 0x80's peace of mind of
late. His hard-boiled pose has begun to break down, and instead of
sneering at the risks of getting caught and brought to justice, he's
begun to talk about quitting the criminal hacking scene to join the
Army, which, he reasons, will offer not only discipline and the
motivation to earn his GED but also potentially a free ride to
college. From there, he can imagine a more respectable future working
on information technology projects for the military.

"It's nice to have up to $10,000 a month coming in, but, if it's not
legit, then I also have all this other stuff to worry about," 0x80
says. "Like, I gotta hide my laptop every night, and every time I
don't come online for a day I have people blowing up my cell phone
asking if I got raided by the feds."

0x80 has shared his plans with a few of his online buddies, many of
whom have grown dependent on his ability to develop ever more stealthy
and effective botnet programs.

"Some of my people really don't want me to leave, but I've got to
figure out a way to use the [expletive] I know to get something going
for myself," 0x80 says. "With the Army, I could get stationed
someplace where I would have a better chance at getting a
higher-paying job and still be able to do what I like to do. Either
way, I gotta get up outta this hole I'm living in."


Brian Krebs is a technology reporter for washingtonpost.com. He will
be fielding questions and comments about this article Tuesday at 1
p.m. at washingtonpost.com/liveonline

© 2006 The Washington Post Company

More information about the ISN mailing list