[ISN] Do you know what your PC is up to?

From: InfoSec News (alerts@private)
Date: Mon Dec 24 2007 - 03:19:58 PST


By Rob Waugh
Daily Mail
21st December 2007

Connect your new Christmas computer to the web and within minutes it 
could be used for internet crime. Rob Waugh finds out how the 
cyber-terrorists are using your PC to create a multi-million-pound 

Eighteen days ago, on December 5, a small 24-kilobyte package of 
encrypted data pinged noiselessly from one PC to another, then another, 
and another, across the internet in Europe, America and the Far East.

Soon, the electronic synapses of a network of millions of computers 
around the world sprang to life. Thousands were in ordinary houses 
across Britain.

The PCs had one thing in common: all had fast broadband connections. 
Despite being in sleep mode, they were able to accept, process and react 
to these digital commands from outside.

Once the first messages had been sent, the infected PCs reacted all by 
themselves, communicating with 'cells', or batches, of 25 computers, in 
machine-gun bursts of binary code.

High-grade encryption protected the messages that passed through the 
legions of PCs so that observers at computer security firms could detect 
that something was happening, but not what.

Each machine was able to detect other PCs whose internet ports were held 
open. The attack spread organically, invisibly. And it all happened 
within the space of half a minute.

None of the owners of the PCs had an inkling of what their machines were 
doing. These were ordinary home computers that would betray no sign of 
their activities the next day. If you are reading this feature online, 
it's quite possible the PC you are reading it on was one of them.

What was it all for? The worm (and it is termed a worm, rather than a 
virus) was called Storm, and was designed for a very specific and 
effective purpose: a Distributed Denial of Service attack, or DDOS.

This is how it works: having inveigled themselves deep inside our 
computer operating systems, the Storm replicants stopped and settled 
into a simple "listen" mode, waiting for new orders from a website whose 
details were already hard-coded into the worm.

When the orders came, the PCs began making simple requests of data, first 
in megabytes (1,024 bytes), then in gigabytes (1,024 megabytes), then in 
terabytes (1,024 gigabytes), from specialist websites such as Antispam, 
whose sole purpose is to combat the modern scourge of spam emails.

The idea was to swamp them with so many data requests that they could no 
longer function.

Like all anti-terrorist units, the anti-spam brigade were hardly 
unprepared. They were armed with lightning fast connections designed to 
cope with this sort of threat. Alas, on this occasion, they were 
overwhelmed by the sheer ferocity of the onslaught.

To be fair, a DDOS attack, also known as a SYN Flood, is very hard 
indeed to resist. Some connections can only withstand 500 requests a 
second. Specially hardened connections can weather up to 14,000. No 
website on Earth could have withstood what the Storm worm unleashed that 

Thus the anti-spammers' servers overloaded. Their email system shut 
down. Their connection to the outside world was broken. Within minutes, 
the sites had to be taken offline by their owners.
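The flood described above has a recognisable shape in a web server's access log: the aggregate request rate in a single second far exceeds what the link can serve, while no single source stands out, because the load is spread across thousands of infected machines. The following Python sketch is an added example, not code from the article or from any of the firms it names. It parses constructed Common Log Format lines, buckets them by second and flags any second whose aggregate exceeds a stated capacity, using the 500 and 14,000 requests-per-second figures the article quotes as the two thresholds. All log lines, IP addresses and paths are constructed for illustration.

```python
"""Request-rate detection over constructed web-server access-log lines.

Added example, not code from the article: shows how a distributed flood of
the kind described above appears in a server log. All log lines, hosts and
paths below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Capacity figures quoted in the article: an ordinary connection copes with
# about 500 requests a second, a specially hardened one with up to 14,000.
ORDINARY_CAPACITY_RPS = 500
HARDENED_CAPACITY_RPS = 14_000

# Common Log Format: host ident authuser [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return {
        "host": m.group("host"),
        "second": int(ts.timestamp()),   # one-second bucket key
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def summarize(lines):
    """Per one-second bucket: total requests and the set of distinct hosts."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # skip malformed lines rather than abort
        bucket = buckets[rec["second"]]
        bucket["requests"] += 1
        bucket["sources"].add(rec["host"])
    return buckets


def flag_flood(lines, capacity_rps):
    """Return (epoch_second, requests, distinct_hosts) for every second whose
    aggregate request count exceeds the link's stated capacity."""
    return [
        (sec, b["requests"], len(b["sources"]))
        for sec, b in sorted(summarize(lines).items())
        if b["requests"] > capacity_rps
    ]


def per_source_peak(lines):
    """Highest number of requests any single host made within one second.
    A per-client rate limiter only ever sees this figure."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["host"], rec["second"])] += 1
    return max(counts.values(), default=0)


def make_line(host, ts, path="/index.html", status=200, size=512):
    """Build one constructed Common Log Format line."""
    return f'{host} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Constructed log: a quiet second, then one second in which 600 distinct
    hosts each send a single request (plus one legitimate visitor), then quiet."""
    lines = [
        make_line("192.0.2.10", "05/Dec/2007:10:00:00 +0000"),
        make_line("192.0.2.11", "05/Dec/2007:10:00:00 +0000", "/about.html"),
    ]
    for i in range(600):
        # constructed bot addresses; each sends exactly one request
        lines.append(make_line(f"10.{i // 256}.{i % 256}.7",
                               "05/Dec/2007:10:00:01 +0000", "/lookup"))
    lines.append(make_line("192.0.2.10", "05/Dec/2007:10:00:01 +0000", "/contact.html"))
    lines.append(make_line("192.0.2.12", "05/Dec/2007:10:00:02 +0000"))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("busiest single host in any second:", per_source_peak(log))
    for capacity in (ORDINARY_CAPACITY_RPS, HARDENED_CAPACITY_RPS):
        for sec, reqs, hosts in flag_flood(log, capacity):
            print(f"capacity {capacity}/s exceeded: {reqs} requests "
                  f"from {hosts} hosts in second {sec}")
```

On the constructed log, `per_source_peak` reports one request per host in the flood second, which is why a defence that only rate-limits individual clients never notices a distributed flood; the aggregate-versus-capacity view in `flag_flood` does, tripping at the 500-per-second figure but not at 14,000, which is the gap between the two connection types the article describes.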

But precisely what, you may ask, has any of this Michael Crichton-esque 
tale got to do with you and me? Sadly, rather a lot.

On one level, the anti-spam campaigners, whom we can all thank for an 
often invisible shield against inbox-crippling and potentially damaging 
spam email, had been sent a brutal message: don't mess with our right to 
use the internet for organised crime.

On another, it proved the sheer power of a new variety of internet 
threat: adaptable, socially engineered to spread via hugely popular sites 
such as MySpace and YouTube, and designed to slip past both the defences 
of the savviest web user and under the radar of most security software.

And then, once there, to use your machine for illegal activity: simple 
grifting scams like asking for your credit card to eliminate 
non-existent computer threats or identity theft, or using your PC as a 
front for spreading, for example, pornography, both licit and illicit.

It all goes to show what kind of secret, highly illegal life your shiny 
new Christmas computer may very soon be leading; and why, in 2008, 
things are going to get a whole lot worse.

"From the moment you take your brand new PC out of its Christmas 
wrapping paper and connect it to the internet, it can be less than ten 
minutes before you become infected in some form or other," says Connor 
Mallen of internet security expert Symantec, developer of the Norton 
anti-virus systems.

"You should be very concerned that your existing PC is already being 
controlled. The old advice (never open email attachments, don't visit 
dodgy websites) has been good up until this year. But the bad guys have 
now come up with methods that let them plant their stuff in 'good 
neighbourhoods' on the web; in sites you actually know."

"And you don't have to click on something; you get infected just by 
visiting a website. It's becoming known as 'drive-by downloading.'"

How do we know if our machines are infected? "There might be a few 
tell-tale signs," says Mallen.

"Your PC might run a bit slower. Pages on the internet might take a 
little longer to pop up. You might see in your email outbox that you've 
been sending emails you have no memory of. I always tell people that 
before complaining about spam they should check that they aren't 
spammers themselves."

"Unfortunately, the vast majority of users don't have the technical 
expertise to even know it's happening. The idea that someone can steal 
your PC, and your neighbours' PCs, and use them to commit crime: it's 
everyone's worst nightmare. But it's going to keep happening, and with 
ever more frequency."

At this stage, we might comfort ourselves with this thought: Symantec 
exists to protect us from viruses and worms. The more we have to be 
nervous about, the better their business. But before you take that as 
succour, you might want to take a trip out to Sandwich in Kent and visit 
The Bunker.

The place of last digital refuge certainly takes itself seriously. It 
lies behind a razor-wire perimeter studded with concrete posts. It is 
hardened against nuclear blasts, electro-magnetic pulse weapons and 
'dirty bombs'.

Entry to the compound is strictly controlled by guards; dogs patrol the 
facility; a guard behind a steel-lined slot checks your photo 
identification as you arrive and a reinforced steel gate slides open.

Entry to The Bunker itself is controlled by a passcode panel set into a 
concrete door leading into the hillside. Once beneath the ground, you 
pass through an electronically secured steel turnstile.

Twenty feet further down the corridor, passage is blocked by two 
blast-proof metal doors six inches thick, then two gas-proof doors, 
flanked by a decontamination room. Finally, you reach the interior via a 
passcode-controlled airlock.

This is The Bunker: not a military facility but a data centre. It is the 
ultimate in PC security, and dramatic evidence of just what a wicked 
place the modern digital world has become.

Within the core of the base is 50,000 sq ft of cutting-edge computer 
hardware, temperature-controlled and hidden behind layers of electronic 
security as well as the obvious physical safeguards.

The rooms are filled with steel cages that contain banks of servers 
built from the ground up for business clients too afraid to leave their 
data at the mercy of the outside world.

"This is a whole internet service provider," says Paul Lightfoot, 
technical services director of The Bunker, gesturing at a stack of beige 
components with LEDs flashing over the surface, housed inside a black 

"It's like a pile of 500GB hard drives connected together and stacked on 
top of one another; it's got every IP address and piece of data owned by 
the provider. This one here is a Far Eastern dealing floor. And over 
here," he gestures at three racks housed inside a huge white cage, "is PC 
World's SmartBackUp service, for home users' photos and music."

"People's lives are data now. Their photos, their music. It's a big part 
of our business, providing the security behind the services that promise 
to back up your data."

"We build and harden systems, we put up an outer firewall, then we 
firewall within the system. Then we offer advice to customers on how to 
ensure the rest of their business is as safe as this. Even if the whole 
internet went down, some of our customers have direct, purpose-built 
lines leading to their data here, so they could keep on operating in 
some fashion."

As we return to the surface of the former MoD radar bunker, we are met 
by a guard who has a series of digital photographs of us taken inside 
the facility: merely entering The Bunker triggers motion-sensitive 
cameras, an extra line of defence against intruders.

Lightfoot says, "People used to say to me, 'Why do you have a facility 
like this? Surely it must be overkill?'"

"They don't ask that question any more. The threats have multiplied 
exponentially over the past couple of years. Tools are now readily 
available on the internet to let you penetrate systems. School children 
can do it."

"And more and more systems have gone entirely online. Five years ago, if 
your PC broke down you could use a fax. Who has one of those now? Today, 
if your IT system goes out that's you gone. And that's where we come 

The idea of systems that are hidden behind so many different layers of 
protection has become irresistibly appealing to business in a time when 
internet threats mutate by the hour and when hacking has gone from being 
simple teenage cyber-vandalism to big business, as the Storm worm so 
tangibly proves. And if businesses are this paranoid, shouldn't you be 
worried too?

Back in London, I meet Jart Armin, an anti-cyber-crime campaigner who 
spoke at a seminar last week in Cambridge in front of the university's 
security research group.

"Two-and-a-half weeks ago there was an attack on the Economist website 
that meant if you visited the sites your PC was infected. You didn't 
even need to click on anything."

"It was orchestrated by a group known as Russian Business Network (RBN). 
I've heard it quoted that they are in some way involved in at least 60 
per cent of crime committed online and I wouldn't dispute that. From my 
investigations they are earning at least 200 million a year."

He shows me some web pages for "anti-virus software." They look 
convincing, and are designed to the same professional specifications as 
the genuine article from companies such as Symantec, McAfee or Sophos.

"Five million people downloaded this last month," he says. "It's fake. 
This advert pops up, people get tricked into going to their website for 
a 'free scan,' which then injects malicious software on to their PC. You 
then have to pay them to download the full software."

That, in turn, loads more and more malicious software on to your PC.

"Clearly, RBN has hired web designers to make this look good. It is, 
after all, a very efficient business. It was started by young unemployed 
techies in St Petersburg. But then it was sponsored by ex-KGB men and 
Russian gangsters."

Earlier this year, RBN hackers broke into the Bank of India's website 
and installed software that meant every visitor surrendered their 
account details to the criminals. It was one of the first instances of 
drive-by downloading.

"If you're a young hacker, you can't just phone RBN and ask to use their 
latest software," says Jart. "You pay them. I used to be a hacker and 
write viruses. But for me it was always about intellectual games: can I 
take your PC offline faster than you can take mine offline? Now it's 

"Along with a few others, I hacked into some of RBN's hidden servers. We 
found 200 to 300 directories full of names, bank accounts and 
compromised PCs. Each directory was worth around 5 million."

"As a client (someone buying accounts to steal from) you can select. You 
can think, 'Do I want southern England? Do I want social class A, B or 

Jart admits he does not know how many people make up RBN or who its 
elusive hacker leader is. Known as Flyman, he is famous on the internet 
(hackers are thought of almost as folk heroes in Russia, where IT skills 
are plentiful but high-paying jobs scarce) and is being pursued by 
police both in Russia and around the world.

Jart also claims that legitimate businesses have been involved in RBN 
scams, with a major internet gambling site used to launder money.

"To watch them at work, you've got to enter the other side of the 
internet: Usenet," says Jart, referring to the older system that 
connected computer to computer directly.

"There are no Google searches and little policing. It's all there, it's 
unrestricted. People have been trading stolen software for decades. I 
tell people to go there with armour plating and their six-gun cocked."

"When the 25 million addresses 'lost' from the British Government come 
up for sale on the web (and they will appear) there are only five servers 
in the world they are going to appear on: all Usenet. Wholesalers 
will be dealing in them, not RBN themselves, but they'll be bidding for 

Cyber-crime gangs have become more like businesses with each passing 
month. Stolen identities are currency to them. Compromised PCs are their 
weapons. Worms and viruses are crafted specifically to fit with the 
latest internet trends and to spread to the maximum number of people.

The Storm worm sent emails relating to free music, Myspace links, 
YouTube videos and offers of free games such as Halo 3. But cleverly 
tuned scams can target anyone.

"I have been an avid eBay user for about five years and have 100 per 
cent feedback," says Jim Devlin, an IT consultant.

"However, about four months ago I received an email which I was sure was 
a genuine message from eBay, so I logged on and entered my details, 
password included. My PC froze about 15 minutes later and I had to 
switch it off and re-start it."

"The next day I checked my eBay account, just to see if I had won an 
item I was bidding on. I found that I was selling about 1,000 items of 
very high value, all with a one-day sale and a bank transfer or credit 
card-only payment system."

According to Richard Cox of UK-based internet security firm Spamhaus, 
the police are almost powerless to stop this hi-tech crime.

"It's not one person sending 2,000 spam emails then cashing in the 
revenue from the identity theft," he says.

"The people who write the emails will send them to someone who 'rents' 
time on compromised PCs to send the mails; they'll send the stolen card 
details to someone else, then someone else will use the cards."

"It's difficult to prosecute anyone; you might get a prosecution for 
copyright if they've used a bank's logo illegally, but otherwise it's 

"The people who do this rely on the fact that any crime committed on the 
web falls between international boundaries. Whose jurisdiction is the 

The legal process also moves at a pace so much slower than the internet 
itself that it can seem almost irrelevant.

While the internet fraud group ShadowCrew was implicated in extortion in 
2004, the culprits to be charged in the UK were sentenced this month. In 
that three years other internet crooks could have enjoyed an entire 
criminal career.

Which leaves the onus on other agencies. Last month, the servers used by 
RBN abruptly shut down. A report in the Wall Street Journal suggested 
that media attention had made the organisation close down its 
operations. Others remain more sceptical.

"RBN were already switching their IP addresses [a unique number that 
computers use to communicate with each other] in August," says Jart. 
"Many of them are still active today. Perhaps the RBN realised they had 
become a target. But they have not gone away."

"Do you have a business earning that much money, and just shut up shop? 
I don't think so."

Possibly not. And if you want definitive proof of just how efficient the 
shop is, don't just take his word for it.

To read Jart Armin's blog, go to RBNexploit.com


This archive was generated by hypermail 2.1.3 : Mon Dec 24 2007 - 03:48:46 PST