http://www.dailymail.co.uk/pages/live/articles/live/live.html?in_article_id=503898

By Rob Waugh
Daily Mail
21st December 2007

Connect your new Christmas computer to the web and within minutes it could be used for internet crime. Rob Waugh finds out how the cyber-terrorists are using your PC to create a multi-million-pound business...

Eighteen days ago, on December 5, a small 24-kilobyte package of encrypted data pinged noiselessly from one PC to another, then another, and another, across the internet in Europe, America and the Far East. Soon, the electronic synapses of a network of millions of computers around the world sprang to life. Thousands were in ordinary houses across Britain.

The PCs had one thing in common: all had fast broadband connections. Despite being in sleep mode, they were able to accept, process and react to these digital commands from outside. Once the first messages had been sent, the infected PCs reacted all by themselves, communicating with 'cells', or batches, of 25 computers, in machine-gun bursts of binary code.

High-grade encryption protected the messages that passed through the legions of PCs, so that observers at computer security firms could detect that something was happening, but not what. Each machine was able to detect other PCs whose internet ports were held open. The attack spread organically, invisibly. And it all happened within the space of half a minute.

None of the owners of the PCs had an inkling of what their machines were doing. These were ordinary home computers that would betray no sign of their activities the next day. If you are reading this feature online, it's quite possible the PC you are reading it on was one of them.

What was it all for? The worm (and it is termed a worm, rather than a virus) was called Storm, and was designed for a very specific and effective purpose: a Distributed Denial of Service attack, or DDOS.
This is how it works: having inveigled themselves deep inside our computer operating systems, the Storm replicants stopped and settled into a simple "listen" mode, waiting for new orders from a website whose details were already hard-coded into the worm. When the orders came, the PCs began making simple requests for data, first in megabytes (1,024 bytes), then in gigabytes (1,024 megabytes), then in terabytes (1,024 gigabytes), from specialist websites such as Antispam, whose sole purpose is to combat the modern scourge of spam emails. The idea was to swamp them with so many data requests that they could no longer function.

Like all anti-terrorist units, the anti-spam brigade were hardly unprepared. They were armed with lightning-fast connections designed to cope with this sort of threat. Alas, on this occasion, they were overwhelmed by the sheer ferocity of the onslaught.

To be fair, a DDOS attack, also known as a SYN Flood, is very hard indeed to resist. Some connections can only withstand 500 requests a second. Specially hardened connections can weather up to 14,000. No website on Earth could have withstood what the Storm worm unleashed that night.

Thus the anti-spammers' servers overloaded. Their email system shut down. Their connection to the outside world was broken. Within minutes, the sites had to be taken offline by their owners.

But precisely what, you may ask, has any of this Michael Crichton-esque tale got to do with you and me? Sadly, rather a lot. On one level, the anti-spam campaigners, whom we can all thank for an often invisible shield against inbox-crippling and potentially damaging spam email, had been sent a brutal message: don't mess with our right to use the internet for organised crime.
On another, it proved the sheer power of a new variety of internet threat: adaptable, socially engineered to spread via hugely popular sites such as MySpace and YouTube, and designed to slip past both the defences of the savviest web user and under the radar of most security software. And then, once there, to use your machine for illegal activity: simple grifting scams like asking for your credit card to eliminate non-existent computer threats, or identity theft, or using your PC as a front for spreading, for example, pornography, both licit and illicit.

It all goes to show what kind of secret, highly illegal life your shiny new Christmas computer may very soon be leading; and why, in 2008, things are going to get a whole lot worse.

"From the moment you take your brand new PC out of its Christmas wrapping paper and connect it to the internet, it can be less than ten minutes before you become infected in some form or other," says Connor Mallen of internet security expert Symantec, developer of the Norton anti-virus systems.

"You should be very concerned that your existing PC is already being controlled. The old advice (never open email attachments, don't visit dodgy websites) has been good up until this year. But the bad guys have now come up with methods that let them plant their stuff in 'good neighbourhoods' on the web; in sites you actually know.

"And you don't have to click on something; you get infected just by visiting a website. It's becoming known as 'drive-by downloading.'"

How do we know if our machines are infected?

"There might be a few tell-tale signs," says Mallen. "Your PC might run a bit slower. Pages on the internet might take a little longer to pop up. You might see in your email outbox that you've been sending emails you have no memory of. I always tell people that before complaining about spam they should check that they aren't spammers themselves."
"Unfortunately, the vast majority of users don't have the technical expertise to even know it's happening. The idea that someone can steal your PC, and your neighbours' PCs, and use them to commit crime: it's everyone's worst nightmare. But it's going to keep happening, and with ever more frequency."

At this stage, we might comfort ourselves with this thought: Symantec exists to protect us from viruses and worms. The more we have to be nervous about, the better their business. But before you take that as succour, you might want to take a trip out to Sandwich in Kent and visit The Bunker.

The place of last digital refuge certainly takes itself seriously. It lies behind a razor-wire perimeter studded with concrete posts. It is hardened against nuclear blasts, electro-magnetic pulse weapons and 'dirty bombs'. Entry to the compound is strictly controlled by guards; dogs patrol the facility; a guard behind a steel-lined slot checks your photo identification as you arrive and a reinforced steel gate slides open.

Entry to The Bunker itself is controlled by a passcode panel set into a concrete door leading into the hillside. Once beneath the ground, you pass through an electronically secured steel turnstile. Twenty feet further down the corridor, passage is blocked by two blast-proof metal doors six inches thick, then two gas-proof doors, flanked by a decontamination room. Finally, you reach the interior via a passcode-controlled airlock.

This is The Bunker: not a military facility but a data centre. It is the ultimate in PC security, and dramatic evidence of just what a wicked place the modern digital world has become. Within the core of the base is 50,000 sq ft of cutting-edge computer hardware, temperature-controlled and hidden behind layers of electronic security as well as the obvious physical safeguards.
The rooms are filled with steel cages that contain banks of servers built from the ground up for business clients too afraid to leave their data at the mercy of the outside world.

"This is a whole internet service provider," says Paul Lightfoot, technical services director of The Bunker, gesturing at a stack of beige components with LEDs flashing over the surface, housed inside a black cage. "It's like a pile of 500GB hard drives connected together and stacked on top of one another; it's got every IP address and piece of data owned by the provider. This one here is a Far Eastern dealing floor. And over here," he gestures at three racks housed inside a huge white cage, "is PC World's SmartBackUp service, for home users' photos and music.

"People's lives are data now. Their photos, their music. It's a big part of our business, providing the security behind the services that promise to back up your data.

"We build and harden systems, we put up an outer firewall, then we firewall within the system. Then we offer advice to customers on how to ensure the rest of their business is as safe as this. Even if the whole internet went down, some of our customers have direct, purpose-built lines leading to their data here, so they could keep on operating in some fashion."

As we return to the surface of the former MoD radar bunker, we are met by a guard who has a series of digital photographs of us taken inside the facility: merely entering The Bunker triggers motion-sensitive cameras, an extra line of defence against intruders.

Lightfoot says, "People used to say to me, 'Why do you have a facility like this? Surely it must be overkill?'

"They don't ask that question any more. The threats have multiplied exponentially over the past couple of years. Tools are now readily available on the internet to let you penetrate systems. School children can do it.

"And more and more systems have gone entirely online. Five years ago, if your PC broke down you could use a fax.
Who has one of those now? Today, if your IT system goes out, that's you gone. And that's where we come in."

The idea of systems that are hidden behind so many different layers of protection has become irresistibly appealing to business in a time when internet threats mutate by the hour and when hacking has gone from being simple teenage cyber-vandalism to big business, as the Storm worm so tangibly proves. And if businesses are this paranoid, shouldn't you be worried too?

Back in London, I meet Jart Armin, an anti-cyber-crime campaigner who spoke at a seminar last week in Cambridge in front of the university's security research group.

"Two-and-a-half weeks ago there was an attack on the Economist website that meant if you visited the site your PC was infected. You didn't even need to click on anything.

"It was orchestrated by a group known as Russian Business Network (RBN). I've heard it quoted that they are in some way involved in at least 60 per cent of crime committed online, and I wouldn't dispute that. From my investigations they are earning at least 200 million a year."

He shows me some web pages for "anti-virus software." They look convincing, and are designed to the same professional specifications as the genuine article from companies such as Symantec, McAfee or Sophos.

"Five million people downloaded this last month," he says. "It's fake. This advert pops up, people get tricked into going to their website for a 'free scan,' which then injects malicious software on to their PC. You then have to pay them to download the full software."

That, in turn, loads more and more malicious software on to your PC.

"Clearly, RBN has hired web designers to make this look good. It is, after all, a very efficient business. It was started by young unemployed techies in St Petersburg. But then it was sponsored by ex-KGB men and Russian gangsters."
Earlier this year, RBN hackers broke into the Bank of India's website and installed software that meant every visitor surrendered their account details to the criminals. It was one of the first instances of drive-by downloading.

"If you're a young hacker, you can't just phone RBN and ask to use their latest software," says Jart. "You pay them. I used to be a hacker and write viruses. But for me it was always about intellectual games: can I take your PC offline faster than you can take mine offline? Now it's business.

"Along with a few others, I hacked into some of RBN's hidden servers. We found 200 to 300 directories full of names, bank accounts and compromised PCs. Each directory was worth around 5 million.

"As a client (someone buying accounts to steal from) you can select. You can think, 'Do I want southern England? Do I want social class A, B or C?'"

Jart admits he does not know how many people make up RBN or who its elusive hacker leader is. Known as Flyman, he is famous on the internet (hackers are thought of almost as folk heroes in Russia, where IT skills are plentiful but high-paying jobs scarce) and is being pursued by police both in Russia and around the world. Jart also claims that legitimate businesses have been involved in RBN scams, with a major internet gambling site used to launder money.

"To watch them at work, you've got to enter the other side of the internet: Usenet," says Jart, referring to the older system that connected computer to computer directly. "There are no Google searches and little policing. It's all there, it's unrestricted. People have been trading stolen software for decades. I tell people to go there with armour plating and their six-gun cocked.

"When the 25 million addresses 'lost' from the British Government come up for sale on the web (and they will appear) there are only five servers in the world they are going to appear on: all Usenet. Wholesalers will be dealing in them, not RBN themselves, but they'll be bidding for it."
Cyber-crime gangs have become more like businesses with each passing month. Stolen identities are currency to them. Compromised PCs are their weapons. Worms and viruses are crafted specifically to fit with the latest internet trends and to spread to the maximum number of people. The Storm worm sent emails relating to free music, Myspace links, YouTube videos and offers of free games such as Halo 3. But cleverly tuned scams can target anyone.

"I have been an avid eBay user for about five years and have 100 per cent feedback," says Jim Devlin, an IT consultant. "However, about four months ago I received an email which I was sure was a genuine message from eBay, so I logged on and entered my details, password included. My PC froze about 15 minutes later and I had to switch it off and re-start it.

"The next day I checked my eBay account, just to see if I had won an item I was bidding on. I found that I was selling about 1,000 items of very high value, all with a one-day sale and a bank transfer or credit card-only payment system."

According to Richard Cox of UK-based internet security firm Spamhaus, the police are almost powerless to stop this hi-tech crime.

"It's not one person sending 2,000 spam emails then cashing in the revenue from the identity theft," he says. "The people who write the emails will send them to someone who 'rents' time on compromised PCs to send the mails; they'll send the stolen card details to someone else, then someone else will use the cards.

"It's difficult to prosecute anyone; you might get a prosecution for copyright if they've used a bank's logo illegally, but otherwise it's difficult.

"The people who do this rely on the fact that any crime committed on the web falls between international boundaries. Whose jurisdiction is the internet?"

The legal process also moves at a pace so much slower than the internet itself that it can seem almost irrelevant.
While the internet fraud group ShadowCrew was implicated in extortion in 2004, the culprits to be charged in the UK were sentenced this month. In that three years other internet crooks could have enjoyed an entire criminal career. Which leaves the onus on other agencies.

Last month, the servers used by RBN abruptly shut down. A report in the Wall Street Journal suggested that media attention had made the organisation close down its operations. Others remain more sceptical.

"RBN were already switching their IP addresses [a unique number that computers use to communicate with each other] in August," says Jart. "Many of them are still active today. Perhaps the RBN realised they had become a target. But they have not gone away.

"Do you have a business earning that much money, and just shut up shop? I don't think so."

Possibly not. And if you want definitive proof of just how efficient the shop is, don't just take his word for it. To read Jart Armin's blog, go to RBNexploit.com

__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Mon Dec 24 2007 - 03:48:46 PST