[ISN] Hackers Hijack PC's for Sex Sites

From: InfoSec News (isnat_private)
Date: Mon Jul 14 2003 - 01:33:07 PDT


    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    
    http://www.nytimes.com/2003/07/11/technology/11HACK.html?hp
    
    Hackers Hijack PC's for Sex Sites
    By JOHN SCHWARTZ
    
    More than a thousand unsuspecting Internet users around the world have
    recently had their computers hijacked by hackers, who computer
    security experts say are using them for pornographic Web sites.
    
    The hijacked computers, which are chosen by the hackers apparently
    because they have high-speed connections to the Internet, are secretly
    loaded with software that makes them send explicit Web pages
    advertising pornographic sites and offer to sign visitors up as
    customers.
    
    Unless the owner of the hijacked computer is technologically
    sophisticated, the activity is likely to go unnoticed. The program,
    which only briefly downloads the pornographic material to the usurped
    computer, is invisible to the computer's owner. It apparently does not
    harm the computer or disturb its operation.
    
    The hackers operating the ring direct traffic to each hijacked
    computer in their network for a few minutes at a time, quickly
    rotating through a large number. Some are also used to send spam
    e-mail messages to boost traffic to the sites.
    
    "Here people are sort of involved in the porno business and don't even
    know it," said Richard M. Smith, an independent computer researcher
    who first noticed the problem earlier this month. Mr. Smith said he
    thought the ring could be traced to Russian senders of spam, or
    unwanted commercial e-mail.
    
    By hiding behind a ring of machines, the senders can cloak their
    identity while helping to solve one of the biggest problems for
    purveyors of pornography and spam: getting shut down by Internet
    service providers who receive complaints about the raunchy material.
    
    The web of front machines hides the identity of the true server
    computer so "there's no individual computer to shut down," Mr. Smith
    said. "We're dealing with somebody here who is very clever."
    
    By monitoring Web traffic to the porn advertisements, Mr. Smith has
    counted more than a thousand machines that have been affected.
    
    The creators of the ring, whose identities are unknown, are collecting
    money from the pornographic sites for signing up customers, the
    security experts say. Many companies play this role in Internet
    commerce, getting referral fees for driving customers to sites with
    which they have no other connection.
    
    The ring system could also be used by the hackers to skim off the
    credit card numbers of the people signing up, said Joe Stewart, senior
    intrusion analyst with Lurhq, a computer security company based in
    Myrtle Beach, S.C.
    
    The current version of the ring is not completely anonymous, since the
    hijacked machines download the pornographic ads from a single Web
    server. According to the computer investigators, that machine
    apparently is owned by Everyones Internet, a large independent
    Internet service company in Houston that also offers Web hosting
    services to a large number of companies. Jeff Lowenberg, the company's
    vice president of operations, said that he was not aware of any
    illegal activity on one of his company's computers but said that he
    would investigate.
    
    Mr. Stewart said the ring was most likely a work in progress, and that
    flaws, like being tied to a single server, would be eliminated over
    time.
    
    He said the ring was troubling not just because of what it is being
    used for now but also because of what it might be used for next.
    
    "This system is especially worrisome because they have an end-to-end
    anonymous system for spamming and running scams," he said. "It's not a
    far stretch to say that people who are running kiddie porn sites could
    say, 'Hey, this is something we could use.'"
    
    The computer ring is the latest in an evolution of attacks that allow
    creators of spam and illicit computer schemes to use other people's
    computers as accomplices. For several years, senders of spam have
    relied upon a vestigial element of the Internet mail infrastructure
    known as "open relay" to use Internet servers as conduits for their
    spam.
    
    As network administrators have gradually shut down the open relay
    networks, spam senders have used viruses to plant similar capabilities
    on home and business computers.
    
    But this appears to be the first viral infection to cause target
    computers to display whole Web sites, Mr. Smith, the researcher, said.
    
    A Justice Department official said that the computer ring, as
    described to him, could be a violation of at least two provisions of
    the federal Computer Fraud and Abuse Act.
    
    The ring has also been used to run a version of a scheme for
    collecting credit card information from unwary consumers that has been
    called the "PayPal scam," Mr. Smith said. The hijacked computers send
    e-mail messages that purport to come from PayPal, an online payment
    service owned by eBay, asking recipients to fill out a Web site form
    with account information.
    
    It is unclear precisely how the program, which depends on computers
    hooked up to high-capacity, high-speed Internet connections, gets into
    people's computers. Mr. Smith said that he thought that the delivery
    vehicle was a variant of the "sobig" virus. But Mr. Stewart, the
    computer security expert at Lurhq, said he had seen no evidence that
    the "sobig" virus was the culprit, and is looking at other mechanisms
    for delivery.
    
    Neither Mr. Smith nor Mr. Stewart has found a simple way to tell
    whether a computer is infected. Technically, the rogue program is a
    reverse proxy server, which turns a computer into a conduit for
    content from a server while making it appear to be that server.
    Mr. Smith said when word of the program gets out, antivirus companies are
    likely to offer quick updates to their products to find and disable
    the invasive software.
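The two technical points in the article, a ring of front machines each serving the ad pages for a few minutes before traffic moves on, and each front acting as a reverse proxy for one hidden origin server, can both be checked from observed traffic alone, which is how Mr. Smith is described as counting the affected machines. The following is an added example, not code from the article or from either researcher. It works over a constructed log of fetches of the advertised hostname, recording which address actually answered and two response headers; the hostnames, addresses (RFC 5737 documentation ranges), header values, field names and thresholds are all assumptions made for the example, and the idea that identical Server and ETag values across many addresses point to one proxied origin is a heuristic chosen here, not something the article states.

```python
from datetime import datetime

# Constructed sample log (not real traffic): (timestamp, hostname requested,
# address that answered, Server header, ETag header).
SAMPLE_LOG = [
    ("2003-07-09 10:00", "ads.example.invalid", "203.0.113.10",  "Apache/1.3.27", '"4f2a-9c"'),
    ("2003-07-09 10:02", "ads.example.invalid", "203.0.113.10",  "Apache/1.3.27", '"4f2a-9c"'),
    ("2003-07-09 10:05", "ads.example.invalid", "198.51.100.7",  "Apache/1.3.27", '"4f2a-9c"'),
    ("2003-07-09 10:08", "ads.example.invalid", "198.51.100.7",  "Apache/1.3.27", '"4f2a-9c"'),
    ("2003-07-09 10:11", "ads.example.invalid", "192.0.2.44",    "Apache/1.3.27", '"4f2a-9c"'),
    ("2003-07-09 10:15", "ads.example.invalid", "203.0.113.99",  "Apache/1.3.27", '"4f2a-9c"'),
    ("2003-07-09 10:19", "ads.example.invalid", "198.51.100.23", "Apache/1.3.27", '"4f2a-9c"'),
    # An ordinary site for contrast: one address, its own fingerprint.
    ("2003-07-09 10:00", "www.example.invalid", "192.0.2.1", "IIS/5.0", '"a1b2"'),
    ("2003-07-09 10:30", "www.example.invalid", "192.0.2.1", "IIS/5.0", '"a1b2"'),
]


def parse_log(rows):
    """Turn the raw tuples into records with a real datetime."""
    return [
        {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "host": h,
         "ip": ip, "server": s, "etag": e}
        for ts, h, ip, s, e in rows
    ]


def serving_addresses(records, host):
    """Distinct addresses seen answering for `host`, in order of first sighting."""
    seen = []
    for r in records:
        if r["host"] == host and r["ip"] not in seen:
            seen.append(r["ip"])
    return seen


def dwell_minutes(records, host):
    """How long each front address stayed in rotation: from its first
    observation until a different address took over. The last address has
    no successor in the log, so it is left out."""
    recs = sorted((r for r in records if r["host"] == host), key=lambda r: r["ts"])
    dwell = []
    if not recs:
        return dwell
    cur_ip, cur_start = recs[0]["ip"], recs[0]["ts"]
    for r in recs[1:]:
        if r["ip"] != cur_ip:
            dwell.append((cur_ip, (r["ts"] - cur_start).total_seconds() / 60))
            cur_ip, cur_start = r["ip"], r["ts"]
    return dwell


def shares_one_origin(records, host):
    """Heuristic (an assumption of this example): when several different
    addresses all return the same (Server, ETag) pair for `host`, the fronts
    are most likely relaying one back-end rather than hosting their own copy."""
    fingerprints = {(r["server"], r["etag"]) for r in records if r["host"] == host}
    return len(serving_addresses(records, host)) > 1 and len(fingerprints) == 1


def assess(records, host, min_fronts=3, max_dwell=10.0):
    """Summarise one hostname: how many fronts, how quickly they rotate
    (thresholds are arbitrary example values), and whether they look proxied."""
    addrs = serving_addresses(records, host)
    dwell = dwell_minutes(records, host)
    avg = sum(m for _, m in dwell) / len(dwell) if dwell else None
    rotating = len(addrs) >= min_fronts and avg is not None and avg <= max_dwell
    return {
        "front_count": len(addrs),
        "avg_dwell_min": avg,
        "rotating_front": rotating,
        "single_origin": shares_one_origin(records, host),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name in ("ads.example.invalid", "www.example.invalid"):
        print(name, assess(recs, name))
```

On the constructed log the advertised hostname is answered by five different addresses, each staying in rotation for under five minutes on average, all returning one identical fingerprint; the contrast site stays on a single address with no rotation and is not flagged. In a real deployment the same shape of analysis would run over proxy or DNS-resolver logs, and the fingerprint comparison is only a first cut, since a content distribution network legitimately produces the same pattern and needs to be excluded by allow-listing.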
    
    Computer owners can protect themselves by using firewall software or
    hardware, which prevent unauthorized entry and use of computers,
    Mr. Smith said. The rogue program does not affect the Apple Macintosh line
    of computers or computers running variants of the Unix operating
    system.
    
    Mr. Stewart, who has written a technical paper to help antivirus
    companies devise defenses against the porn-hijacking network, has
    named the program "migmaf," for "migrant Mafia," because he thinks the
    program originated in the Russian high-tech underworld.
    
    Hackers from the former Soviet Union have been linked to several
    schemes, including extortion attempts in which they threaten to shut
    down online casinos through Internet attacks unless the companies pay
    them off.
    
    Antispam activists have also accused Russian organized crime
    organizations of taking over home and business PC's to create networks
    for sending spam. "They always seem to lead back to the Russian mob,"
    Mr. Stewart said.
    
     
    _______________________________________________________________________
    eric wolbrom, CISSP			Safe Harbor Technologies
    President & CIO				66 Garlen Road
    Voice 914.767.9090				Katonah, NY 10536
    Fax   914.767.3911				http://www.shtech.net
    _______________________________________________________________________
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 06:11:15 PDT