Recently, Toowoomba-based PC repairer Chaim (Hyam) Lee, owner of Aspire Computing, discovered some very strange behaviour on one of his customer’s PCs.
The PC had been infected with Spam-Thru B and was spewing out hundreds of spam emails to non-existent addresses. The PC had been hijacked and made part of a zombie network.
Repairs involved backing up all useful data, re-formatting the hard disk drive, re-installing Windows and all user programs, re-configuring all user settings and restoring the previously backed-up user data.
What Hyam Lee discovered led him to do a lot of follow-up research, which he then presented to the customer.
The following edited article from the New York Times Online edition tells the rest of the story.
“The bad guys are honing their weapons and increasing their firepower: they are taking advantage of programs that secretly install themselves onto thousands or even millions of personal computers, band these computers together into an army of zombies, and then use the collective power of the dragooned network to commit Internet crimes.
These networks are called Botnets and are being blamed for the huge spike in spam email, fraud and data theft that has bedevilled the Internet in recent times.
What is new is the vastly escalating scale of the problem — and the precision with which some of the programs can scan computers and steal specific information, like corporate and personal data, to drain money from online bank accounts and to get users to buy almost worthless shares.
So far, botnets have predominantly infected Windows-based computers, although there have been scattered reports of botnet-related attacks on computers running the Linux and Macintosh operating systems.
These programs are often created by small groups of code writers in Eastern Europe and elsewhere and distributed in a variety of ways, including by e-mail attachments and downloads by users who do not know they are getting something malicious. They can even be present in pirated software sold on online auction sites. Once installed on Internet-connected PCs, they can be controlled through a widely available communications system, Internet Relay Chat (I.R.C.), via command-and-control servers.
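The two behaviours the story describes, a single PC spewing spam directly to hundreds of mail servers and a PC holding a session with an IRC command-and-control server, both leave a visible footprint in outbound connection logs. The script below is an added example, not from the article or from Aspire Computing; it flags workstations that open direct SMTP sessions to many distinct external hosts (on the assumption that legitimate mail leaves the site through one internal relay, here a constructed address 10.0.0.5) or that connect to the standard IRC ports. The log format and every IP address in it are constructed for the example.

```python
"""Flag hosts whose outbound traffic matches the bot behaviour described above:
hundreds of direct SMTP sessions to many mail servers, or a session to an IRC
command-and-control port. Added example; flow-log format and all addresses
are constructed, not data from the article."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int


SMTP_PORT = 25
IRC_PORTS = {6667, 6697}          # plain and TLS IRC ports
INTERNAL_RELAY = "10.0.0.5"       # constructed: the site's only legitimate SMTP relay


def build_sample_log() -> str:
    """Construct a flow log with one clean workstation (192.168.1.20) and one
    that behaves like the infected PC (192.168.1.37)."""
    lines = [
        "2007-01-15T09:00:01 192.168.1.20 203.0.113.5 80",
        "2007-01-15T09:00:02 192.168.1.20 10.0.0.5 25",      # mail via the relay
        "2007-01-15T09:00:04 192.168.1.20 10.0.0.5 25",
        "2007-01-15T09:00:05 192.168.1.37 198.51.100.7 6667",  # IRC session
    ]
    # The infected host talks directly to 120 distinct recipient mail servers.
    for i in range(1, 121):
        lines.append(f"2007-01-15T09:01:{i % 60:02d} 192.168.1.37 203.0.113.{i} 25")
    return "\n".join(lines)


def parse_flows(text: str) -> List[Flow]:
    """Parse 'timestamp src dst dport' records, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        flows.append(Flow(parts[0], parts[1], parts[2], int(parts[3])))
    return flows


def analyse(flows: List[Flow], smtp_threshold: int = 50) -> Dict[str, List[str]]:
    """Return {src_ip: [reasons]} for hosts showing bot-like outbound traffic.

    A workstation should reach port 25 only on the internal relay; direct SMTP
    to many distinct external hosts is the signature of a spam bot. Any session
    to an IRC port from a workstation is reported for review.
    """
    smtp_dsts = defaultdict(set)
    irc_hits = defaultdict(set)
    for f in flows:
        if f.dport == SMTP_PORT and f.dst != INTERNAL_RELAY:
            smtp_dsts[f.src].add(f.dst)
        if f.dport in IRC_PORTS:
            irc_hits[f.src].add(f"{f.dst}:{f.dport}")

    findings = defaultdict(list)
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= smtp_threshold:
            findings[src].append(f"direct SMTP to {len(dsts)} distinct external hosts")
    for src, peers in irc_hits.items():
        findings[src].append("IRC session to " + ", ".join(sorted(peers)))
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyse(parse_flows(build_sample_log())).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The distinct-destination count matters more than the raw connection count: a busy user sending through the relay produces many port-25 flows to one host, while a spam bot delivering to recipients’ mail servers directly fans out to hundreds of different hosts, which is also why the infected PC was producing bounces for non-existent addresses.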
Botnet authors assume that any personal document that a computer owner has used recently will also be of interest to a data thief.
Botnets systematically harvest stolen information and then hide it in a secret location where the data can be retrieved by the Botnet Master.
According to the annual intelligence report of security firm MessageLabs, more than 80 percent of all spam now originates from botnets.
The extent of the botnet threat was highlighted in late 2006 and early 2007 by the emergence of a stealth program called “rustock” that adds computers to the botnet.
Rustock infected several hundred thousand Internet-connected computers, including Mr Lee’s customer in Toowoomba, and then began generating vast quantities of spam e-mail messages as part of a “pump and dump” stock scheme.
The author of the program, who is active on Internet technical discussion groups and claims to live in Zimbabwe, has found a way to hide the infecting agent in such a way that it leaves none of the traditional digital fingerprints that have been used to detect such programs.
Moreover, while rustock is currently being used to distribute spam, it is a general tool that can be used with many other forms of illegal Internet activity.
In late 2006, Mr. Stewart tracked trading of a penny stock being touted in a spam campaign. The Diamant Art Corporation was trading at 8 cents on Dec. 15 when a series of small transactions involving 11,532,726 shares raised the price of the stock to 11 cents. After the close of business on that day, a Friday, a botnet began spewing out millions of spam messages.
On the following Monday, the stock went first to 19 cents per share and then ultimately to 25 cents a share. He estimated that if the spammer then sold his shares at the peak on Monday he would have realized a $20,000 profit. By Dec. 20, those shares were back down to 12 cents.”