I, botnet
March 17, 2008
Chinese malware programmers are working with Russian mobsters, Romanian scammers and American spammers. Is your office or home computer part of their botnet?
By Danny Bradbury
“Hey again. You make the transfer??” ran the e-mail to Isabel Thi Phan. She quickly typed back, “Yes, I transferred 842 + 40 fees - 403.14 GBP.” She was happy to have been chosen for this job, after having answered an advertisement on a popular Canadian job site. The deal was simple: she would take payments from the U.K. firm’s clients, forward the money and retain a commission. What could be simpler?
Twelve hundred miles away and 24 hours later, Eddie’s ageing Compaq PC whined to life and spat out Isabel’s details, including her bank account number and postal address. But Eddie didn’t work for the U.K. company, which, in any case, didn’t exist. Although Isabel didn’t know it, he was working on her behalf, and for thousands of online fraud victims like her.
Eddie (not his real name) growls at terms like vigilante or hacker, but when not working the night shift at his full-time job, that’s what he is. The jaded middle-aged loner was once a fraud victim himself, and fighting cybercrime is his life. He uses techniques that law enforcers wouldn’t approve of to sniff out Internet fraudsters and their victims. Concentrating on online auction fraud, he occasionally gets wind of other scams during his investigations, which is how he found Toronto-based Isabel. That’s not her real name either.
She was a small but key part of a larger scam. Crooks send out millions of phishing e-mails, which supposedly come from a real bank and link back to a Web site that verifies credentials for security purposes. A small proportion of recipients actually have accounts at the banks in question and, of those, a tiny percentage fall for the scam and enter their account details and passwords. The criminals use the harvested details to access victims’ accounts and steal the cash but — and here’s where Isabel enters the picture — to avoid detection they need the transfer to be untraceable. She was an unwitting money mule. The crooks transfer the cash from the compromised accounts to the mule, who then sends it in via Western Union to Europe. The mules think they’re involved in a legitimate business, until the authorities show up. By that time, the crooks have collected the cash and vanished.
Isabel was lucky because the bank understood her plight. “They called me and notified me about the fraud,” she said. “I went to see them and presented all e-mails between them and me so that the bank’s fraud department could investigate their crime.”
Eddie doesn’t contact people like Isabel directly anymore. He’s tired of being mistaken for a crook when trying to warn people. Instead, he concentrates on the Internet Service Providers that host fraudulent sites, and processes 20 fraudulent Web sites each day. “I go through them, I see what I can do, I move on,” he said, adding that he did report this specific case to the authorities. “That’s something they should be all over. What annoys me is not that the scammers are doing it: it’s that they can do it. People need to be educated about what’s going on.”
Bots in your home
Like many other online scammers, phishers use a gigantic underground network of compromised computers known as a botnet. Computers are infected en masse by malicious software (malware), sent via spam e-mail to thousands of PCs at once.
Today, a computer can be joined to a botnet simply by visiting a Web site, and staying away from sites offering porn and pirated software won’t help. Last summer, thousands of mainstream Web sites were hacked and made to surreptitiously load content from a server hosting a malware kit called MPACK. Browsers visiting the legitimate sites were silently handed off to MPACK, which probed them for unpatched vulnerabilities, exploited whatever it found and installed the bot software, dragging the machines down into the botnet.
Thousands of visitors are still blissfully unaware that their PCs are listening for instructions from the botmaster — the person responsible for remotely controlling hundreds of thousands of computers. The botmaster can instruct infected PCs to do almost anything, including sending back a log of all the user’s keystrokes, hosting illegal porn and sending out more spam using lists of e-mail addresses sent by the botmaster. When criminals began realizing how profitable botnets could be, they were quick to exploit them. Spammers pay botmasters to send e-mails by the millions through these illicit networks. They have also been used for distributed denial of service (DDoS) attacks, in which tens of thousands of infected PCs are told to send packets of data to a particular Internet address, flooding Web servers with traffic and shutting them down. The mere threat of such an attack has been used to blackmail commercial enterprises.
So much money is involved that this shadowy economy has its own product cycles, technical support boards and software add-ons. “Some groups are sitting down, having a meeting and doing classic project management,” said Tom Bowers, senior security analyst for software vendor Kaspersky Labs. “They have a project manager, someone who’s parsing out the pieces, someone watching the finances, someone managing the encryption channels, and someone doing the internal and external security. They are becoming a much more cohesive unit.”
Turf wars
The stakes are so high that rival botnet gangs are vying for control. Upon successful infection, one malware program called Netsky would look for a program from a rival gang called Bagle, and uninstall it. “From the bad guys’ perspective it’s not just about owning a botnet that you can sell airtime on,” said Mark Sunner, chief security analyst at security firm MessageLabs. “If you can displace your competitor, then you become the only game in town. That’s why the bad guys try to battle it out.”
Simon Heron, managing director of U.K.-based security company Network Box, said gangs have also been known to take down each other’s command and control networks. Traditionally, botmasters control PCs using commands sent over Internet Relay Chat (IRC), a popular means of live text-based communication on the Internet: every infected machine joins a channel on a particular IRC server and waits there for orders. That central server is also the botnet’s weak point. If it can be identified and taken down, the bots lose their only source of commands and the botnet is neutralized, at least until the malware’s operators re-point the bots at a fallback server, if it was built with one.
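The same property that makes an IRC botnet easy to decapitate, many machines holding open a channel to one server, is also what gives it away on a network. The following detection logic is an added example, not code from the article or from any of the vendors quoted in it: it runs over a handful of constructed flow records (the record layout, the sample addresses, the port list and the thresholds are all illustrative assumptions) and flags a remote host to which several internal machines keep long-lived, low-volume connections on an IRC port. A single user chatting on a public IRC network does not trip it, because only one internal host is involved.

```python
"""Flag a likely IRC-style botnet controller from connection records.

Added example, not code from the article. The record format, the sample
records, the port list and the thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample flow records:
# (internal host, remote ip, remote port, bytes transferred, duration in seconds)
SAMPLE_FLOWS = [
    ("10.0.0.11", "203.0.113.5", 6667, 910, 5400),
    ("10.0.0.12", "203.0.113.5", 6667, 880, 5200),
    ("10.0.0.13", "203.0.113.5", 6667, 945, 5100),
    ("10.0.0.14", "203.0.113.5", 6667, 870, 5600),
    ("10.0.0.15", "203.0.113.5", 6667, 905, 5300),
    ("10.0.0.11", "198.51.100.7", 443, 120000, 12),   # ordinary web traffic
    ("10.0.0.12", "198.51.100.7", 443, 98000, 8),
    ("10.0.0.20", "192.0.2.33", 6667, 15000, 3600),  # one person on a real IRC net
]

# Ports commonly used by IRC servers (assumption; extend for your environment).
IRC_PORTS = {6666, 6667, 6668, 6669, 6697, 7000}


def find_irc_controllers(flows, min_hosts=3, min_duration=600, max_bps=10.0):
    """Return {remote_ip: sorted internal hosts} for remotes that look like C&C.

    Heuristic: at least `min_hosts` distinct internal machines hold a
    connection to the same remote on an IRC port that lasts at least
    `min_duration` seconds and carries no more than `max_bps` bytes/second
    on average (bots idle in a channel waiting for orders).
    """
    by_remote = defaultdict(set)
    for host, rip, rport, nbytes, duration in flows:
        if rport not in IRC_PORTS or duration < min_duration:
            continue
        if nbytes / duration > max_bps:
            continue
        by_remote[rip].add(host)
    return {rip: sorted(hosts) for rip, hosts in by_remote.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for rip, hosts in find_irc_controllers(SAMPLE_FLOWS).items():
        print(f"possible C&C {rip}: {len(hosts)} internal hosts -> {hosts}")
```

The flagged remote address is the takedown target the article describes; the list of internal hosts is the cleanup list. Tune the thresholds to your own traffic, and remember that bots using a non-standard port will not match the port set and need a behavioural check (long idle sessions from many hosts to one destination) instead.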
The Storm worm, which appeared in January 2007, took botnets to a new level of sophistication. Instead of using an IRC server, it employed the same peer-to-peer tactics used by file-sharing networks such as eDonkey (Storm borrowed the Overnet protocol). Instead of taking commands from a central server, PCs infected with the Storm worm relayed instructions to each other, creating a global matrix of infected machines with no single “head” to decapitate. It also obfuscated its traffic using encryption, which makes it much harder for researchers and law enforcement to see what the botnet is doing. The encryption keys also make it possible for the developers behind the Storm worm to segment the botnet into subnets, which can then be farmed out in a more manageable and profitable enterprise.
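To make the “no single head to decapitate” point concrete, here is an added simulation, not code from the article or from any Storm analysis, that builds two toy botnets of the same size, one star-shaped around a single command server and one where each bot links to a few random peers, then removes the best-connected nodes from each and measures how much of the population a command can still reach. The graph size, the number of peers per bot and the random seed are arbitrary choices for the demonstration.

```python
"""Centralized vs peer-to-peer botnet: how much survives losing a few nodes.

Added example, not from the article. Graph size, peers per node and the
seed are illustrative assumptions; the graphs are constructed in memory.
"""
import random
from collections import deque


def build_centralized(n):
    """Star topology: bots 1..n-1 all talk only to node 0, the C&C server."""
    adj = {i: set() for i in range(n)}
    for bot in range(1, n):
        adj[0].add(bot)
        adj[bot].add(0)
    return adj


def build_p2p(n, peers_per_node=4, seed=1):
    """Each bot links to a few random peers; links are bidirectional."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        others = [k for k in range(n) if k != i]
        for j in rng.sample(others, peers_per_node):
            adj[i].add(j)
            adj[j].add(i)
    return adj


def highest_degree(adj, count):
    """The `count` best-connected nodes: what a takedown would target first."""
    return sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:count]


def largest_surviving_fraction(adj, removed):
    """Fraction of the original population still in one connected piece
    after `removed` nodes are gone. A command injected anywhere in that
    piece reaches every bot in it; bots outside it are orphaned."""
    removed = set(removed)
    seen = set()
    best = 0
    for start in adj:
        if start in removed or start in seen:
            continue
        # Breadth-first search over surviving links from this start node.
        component = {start}
        queue = deque([start])
        while queue:
            v = queue.popleft()
            for w in adj[v]:
                if w not in removed and w not in component:
                    component.add(w)
                    queue.append(w)
        seen |= component
        best = max(best, len(component))
    return best / len(adj)


if __name__ == "__main__":
    N = 200
    star = build_centralized(N)
    p2p = build_p2p(N, peers_per_node=4, seed=1)
    print("centralized, C&C server removed:",
          largest_surviving_fraction(star, {0}))
    print("p2p, 5 best-connected peers removed:",
          largest_surviving_fraction(p2p, highest_degree(p2p, 5)))
```

Removing the one server collapses the star to isolated bots, while removing even the five most-connected peers of the peer-to-peer overlay leaves well over ninety percent of the bots in a single reachable piece. That is the defender’s problem with Storm-style designs in one number: there is no single node whose loss stops commands from spreading.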
And now the Storm worm is automatically using DDoS attacks to defend itself, becoming something akin to a living organism. “If it senses that it is being probed — that many of its nodes are being pinged with traffic from the same range of IP addresses — it will automatically launch a distributed denial of service (DDoS) attack against that range,” said MessageLabs’ Sunner.
Criminal activity
Botnets are the basis for a startling number of online crimes, but it is also possible to scam the gullible using only basic technical resources. In one online eBay scam, crooks — often based in Eastern Europe — use fake or compromised accounts to run auctions. The winning bidder is told to electronically send the cash using an escrow or shipping company’s Web site. In reality, the site is operated by the scammer, who drains the bidder’s credit card and vanishes.
It’s a common activity, one Romanian hacker and scammer told Backbone. “I was once in a city in Romania, just visiting a friend. I was having a beer and at a table near me there were these two guys,” he said. “One kid enters the place, goes to the table and the two guys ask him, translated: ‘Hey, did you put something up today?’ And the kid said ‘Fifty! Got around 200 e-mails!’ They were speaking about auctions on eBay.”
The disparity between those committing the crimes and those trying to stop them is depressing. Journalist Thomas Friedman’s book, The World is Flat, enthralled free-market liberals with its discussion of an electronic world without boundaries that had created a level economy. What few people understand is the flipside of that development: if the Internet enables manufacturing contracts and call centre work to flow between countries like water, it also enables Chinese malware programmers to work seamlessly with Russian mobsters, Romanian scammers and American spammers. Criminal organizations and the botnets they operate have evolved into dynamic, fluid systems. They traverse national boundaries easily, and so does the money they steal.
“I talked to the banks and was amazed at how much they’re losing. They try to give this stuff to law enforcement organizations that don’t have the capacity to deal with it,” said Ian Wilms. He should know; the president of the Canadian Association of Police Boards came from a technical background, having spent 14 years with IBM. He understands the problem’s scope and has spent his time as the Calgary police commissioner trying to get senior officials first to acknowledge the problem and then to develop defense strategies.
One-sided battle
That’s an uphill struggle. In contrast to the criminal groups, law enforcers are limited both in knowledge and in jurisdiction. “They haven’t figured out how to get past the jurisdictional constraints,” Wilms said. “From a criminal standpoint you couldn’t ask for a better way to commit crime. The law hasn’t caught up and the cops haven’t caught up.”
Private enterprise hasn’t either, said Brian Bourne, founder of the Toronto Security User Group. “What strikes me is the big gap between how secure people think they are and how secure they really are.”
Dealing with that awareness is a thorny challenge, said Dean Turner, senior manager at Symantec’s Security Response operation. Computer users must bear some responsibility for keeping their systems patched and spotting online scams. “Is the appropriate approach to legislate behaviour? I don’t know. But I think education is probably the ounce of prevention that will help.” But additional resources for law enforcers wouldn’t go amiss, either. Wilms is asking for a total of $53 million from all three levels of government for a 250-person national Calgary-based cybercrime unit. “Right now, we don’t even have the cash to build a state-of-the-art facility,” he said.
That project would last four years. Phase two is even more ambitious: a $1 billion Global Centre for Securing Cyberspace would bring together 10 times as many people, strengthening relationships with cybercrime law enforcers in other western countries who would work in concert with Canadians at the facility.
For Wilms, the question is a political one. “This would make us a world leader in securing cyberspace,” he said. “If Canada wants to be known as anything, how about the peacekeepers of the Internet?”
In the meantime, they’re all in the same position — the law enforcement agencies, the security researchers and the secret network of vigilantes like Eddie. They’re the Canutes of cybercrime, as they relentlessly try to hold back a dark and vicious tide.
Definition
Phishing: a fraudulent attempt to obtain sensitive personal information, such as passwords or account numbers, by masquerading as a trustworthy person or company. Phishing is most commonly conducted through e-mail and instant messaging, with the victim lured to a look-alike Web site that captures whatever is typed into it.