As you sit reading this, your computer could be mindlessly committing crimes in your name. Around the world, tens of millions of computers are infected with malware that quietly takes over a machine, letting it keep working for its owner but redirecting part of its time to doing nefarious things, like storing ill-gotten data or sending out spam ads for improbable enlargements of body parts.
They’re called “zombies” for obvious reasons, and a whole lot of them controlled from one computer is sometimes called a “zombie army.” A slightly more dignified name for a hijacked computer is “bot,” short for “robot,” a term often applied to a single-purpose piece of software that does something repetitively. Connecting bots together gives you a “botnet.” The bigger the botnet, the more you can do with it.
Most botnets are fairly small, perhaps only a few hundred zombies hooked together, but a few are truly colossal. In March, Spanish police took down the ring behind the Mariposa botnet, reputed to be the largest ever dismantled. Data from 800,000 computer users was found during a search of the ringleader’s computer.
The thing is, as dastardly as the Spanish botnet is, I’m actually rather impressed. These guys showed real entrepreneurial spirit. You see, they didn’t write the bot software; they bought it from its programmer, who is still at large and reputed to be an Argentine.
And the guys who got pinched by the Spanish didn’t actually conceive of the criminal intrusions themselves. They rented the botnet to various other criminal organizations in other countries, each of which seems to have specialized in a particular type of cyber-devilment. The Spanish middlemen are said to have made only a modest profit and lived rather unpretentiously.
Now, criminal enterprise or no, these crooks have certainly learned their lessons as surely as any MBA. Do what you’re good at, outsource the rest, and go global. Enlist the very best to do your work for you. And those outsourced programmers are getting breathtakingly good. One recent botnet, known as “Storm,” was so sophisticated that it encrypted its command traffic and kept repackaging its code so that antivirus signatures would not match it. It took its orders over a peer-to-peer network instead of from a central command computer, so there was no mother ship to shut down.
Botnets, in fact, have become a huge, if shadowy, international business. The Zeus Trojan has hit an estimated 3.6 million computers in the United States alone. The Koobface botnet is right behind, having zombified nearly 3 million; it spreads through social networking sites, including Facebook. Tidserv is a botnet that has compromised perhaps 1.5 million computers through spam e-mails. The list stretches further every year, and total infections trend upward: between January and May of 2009 alone, 12 million new computers became infected, the antivirus company McAfee reported last year. This, despite concerted efforts by law enforcement to pinch off the offending botnets.
Macintosh users are often smug in these discussions, believing their machines are all but immune, but that’s not the case. In the spring of 2009, word flew around the Internet that the first Mac botnet had been found (its malware rode along inside pirated copies of Apple’s iWork suite, so it needed no Mac-specific exploit, only a user willing to install it), but Brian Krebs, then a computer security writer for The Washington Post, reported on one as far back as 2006. That botnet infected not only Mac OS X but Linux as well. Even the venerable Unix-like operating systems aren’t proof against botnets.
Botnets are insidious because they are built to stay undetected. Unlike other infections, they’re not intended to wreck your system, only to commandeer it. Detection advice from the experts sounds as if they’re grasping for good symptoms: the system slows down, shows odd error messages, does strange things, or stops working abruptly. Those are symptoms of lots of assorted problems besides parasitic takeovers. The more reliable signs are on the network rather than on the screen: a machine that connects to the same unfamiliar address on a regular schedule, or that sends out e-mail when it isn’t a mail server, is doing something its owner didn’t ask for. Antivirus software and a good firewall are essential for having a shot at identifying bot malware, but even those protections aren’t guaranteed to keep one out, or to find the malware once it has a grip on your hard drive.
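The host symptoms above are weak because they describe the victim; a bot’s hard-to-avoid tell is on the wire, since it has to check in with its controller, usually on a timer. As an added example, not code from the column or from any of the botnets it names, here is a small beaconing check in Python over a constructed connection log: it groups outbound flows by source and destination and flags pairs whose gaps between successive connections are nearly constant. The log format, the addresses (documentation ranges), the host names and the thresholds are all assumptions made for the example.

```python
"""Beacon detection over an outbound-connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real traffic. One outbound flow per line:
# "timestamp src dst:port bytes". 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges. Host 10.0.0.5 checks in with
# 203.0.113.7:8080 every ten minutes, give or take a second or two;
# host 10.0.0.9 is a person browsing 198.51.100.20 at irregular times.
SAMPLE_LOG = """\
2010-04-01T09:00:00 10.0.0.5 203.0.113.7:8080 412
2010-04-01T09:00:03 10.0.0.5 198.51.100.20:443 1503
2010-04-01T09:00:12 10.0.0.9 198.51.100.20:443 2200
2010-04-01T09:07:40 10.0.0.9 198.51.100.20:443 5100
2010-04-01T09:10:01 10.0.0.5 203.0.113.7:8080 415
2010-04-01T09:20:00 10.0.0.5 203.0.113.7:8080 410
2010-04-01T09:21:17 10.0.0.5 198.51.100.21:443 98211
2010-04-01T09:30:02 10.0.0.5 203.0.113.7:8080 413
2010-04-01T09:31:05 10.0.0.9 198.51.100.20:443 870
2010-04-01T09:40:01 10.0.0.5 203.0.113.7:8080 411
2010-04-01T09:50:00 10.0.0.5 203.0.113.7:8080 414
2010-04-01T10:02:48 10.0.0.9 198.51.100.20:443 9930
2010-04-01T10:14:00 10.0.0.9 198.51.100.20:443 3300
"""


def parse_log(text):
    """Parse log lines into (datetime, src, dst, bytes) tuples; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_connections=5, max_jitter=0.15):
    """Return (src, dst) pairs whose contact intervals are nearly constant.

    jitter is the coefficient of variation (stdev / mean) of the gaps
    between successive connections. Human-driven traffic to a site is
    bursty; a bot's check-in timer is not. Both thresholds are assumed
    starting points, not tuned values.
    """
    by_pair = defaultdict(list)          # (src, dst) -> [(time, bytes), ...]
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), flows in by_pair.items():
        if len(flows) < min_connections:
            continue                     # too few samples to judge a rhythm
        flows.sort()
        times = [t for t, _ in flows]
        sizes = [s for _, s in flows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue                     # duplicate timestamps; nothing to measure
        jitter = pstdev(gaps) / avg_gap
        if jitter <= max_jitter:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(flows),
                "mean_interval_s": avg_gap,
                "jitter": jitter,
                # Similar request sizes are a secondary hint of a scripted check-in.
                "size_jitter": pstdev(sizes) / mean(sizes),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['mean_interval_s']:.0f}s, "
              f"interval jitter {hit['jitter']:.3f}, size jitter {hit['size_jitter']:.3f}")
```

On the constructed log this flags only 10.0.0.5 talking to 203.0.113.7:8080 (six contacts, 600 seconds apart on average, jitter near zero) and leaves the browsing host alone. Treat a hit as a lead, not a verdict: software updaters, mail clients and monitoring agents also poll on timers, so real tooling pairs this with an allow-list of known pollers and a look at where the destination is registered. Bot authors know the trick too and add random sleep between check-ins, which is why the jitter threshold is a knob rather than a constant.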
Part of the challenge in stomping out a botnet is the lethargy built into international cooperation. But in February, Microsoft took the unprecedented step of going to U.S. federal court for an order requiring Verisign, which operates the registry for all .com and .net domains, to take 277 .com domains used in the Waledac botnet’s command system offline. Most of the domains were registered to parties in China, so Verisign, as the registry, was nearly the only single point of contact with a prayer of shutting off the botnet traffic.
Even though Verisign complied, the effort didn’t clean up the infected computers, nor did it really shut down the botnet: the operators can simply register new domains or point the bots at others they already hold, and Waledac, like Storm before it, also used a peer-to-peer layer among the infected machines. They are, after all, determined entrepreneurs, and those kinds of people can’t be kept out of the game for long.•
Altom is an independent local technology consultant. His column appears every other week. He can be reached at firstname.lastname@example.org.