
Police Deactivate Network of 100,000 'Zombie PCs'

Rubyait

Police deactivate network of 100,000 'zombie' PCs

Three men have been arrested in the Netherlands on suspicion of controlling a vast illegal computer network made up of more than 100,000 "zombie" personal computers.

The colossal scale of the network indicates the growing sophistication of computer crooks, whose motivation is to make money via spam email, online extortion and identity theft.

The Dutch authorities accuse the three men of using a virus called W32.Toxbot, which was released in February 2005, to infect home computers with "bot" software in order to create a distributed "botnet" of machines all over the world.

"With 100,000 infected computers, the dismantled botnet is one of the largest ever seen," the Public Prosecution Service said in a statement.

Extortion attempt
Investigators allege that the men used this network for a range of nefarious purposes.

These include attempting to extort cash from a large unnamed US company by threatening to overload its servers with a torrent of internet traffic from infected computers. The trio also allegedly used the zombie machines to steal PayPal and eBay account information to buy goods over the internet.

Police confiscated computers, cash and a sports car on 7 October. The botnet was deactivated with the help of the Dutch Computer Emergency Response Team and several internet service providers, including XS4ALL.

Andrew Blyth, a specialist in computer security from the University of Glamorgan in the UK, says it is not uncommon for computer crooks to corral as many as 100,000 machines into a zombie network. "This is about average," he told New Scientist. "It is a constant arms race," he added.

Around the globe
Managing such a massive network requires substantial computing resources as well as a certain level of technical skill.

Botnets are almost always created using computer viruses. If a virus exploits a newly discovered software flaw, it can spread to millions of computers around the globe within a day or so. Viruses designed to build botnets will install a program onto a PC which will run behind the scenes and enable remote control of the system.

Most bots get their commands via an Internet Relay Chat (IRC) server, a simple communications system that can be used to send and receive commands. Bots will typically log into an IRC server at random times to check for new commands.

They do this to ensure the server is not overwhelmed. A botnet of 100,000 systems could easily cause an overload if they checked for commands at the same time.

In addition, major botnets will often be distributed across several IRC servers to prevent the whole network disappearing if a controlling server is found and deactivated.

Rising crime levels
Furthermore, as legitimate IRC operators will try to stop their systems being used to control a botnet, it may be necessary to set a separate IRC server up. This might be done by breaking into a corporate or academic computer network that has very large bandwidth.

The Dutch investigation illustrates the increasing diversity and scale of computer crime. On 7 October two British men were given prison sentences of 3 and 6 months for unleashing the TK computer worm, which infected tens of thousands of computers around the globe. The judge concluded that, in this case, the men were motivated not by greed but by a desire to prove their technical skill.

There were also more computer-crime arrests worldwide in 2004 and 2005 than in preceding years.

http://www.newscientist.com/article.ns?id=dn8145
 
'Zombie master' pleads guilty to PC hijacking

In a landmark court case, a US man has pleaded guilty to hijacking more than 400,000 computers and using them to attack commercial websites and bombard internet users with spam email and pop-up ads.

On Monday, Jeanson Ancheta admitted hacking into computers and installing software enabling him to control them remotely. Prosecutors have accused him of creating a massive army of "zombie" computers, or "bots", which he used to launch attacks against websites and to send out huge quantities of spam email.

To increase the size of his network of infected computers, Ancheta programmed his zombie machines to automatically scan the internet for further vulnerable machines.

The size of the zombie network controlled by Ancheta highlights the scale of the problem faced by websites subjected to so-called distributed denial-of-service (DDoS) attacks, which are designed to block legitimate traffic.

These attacks are often linked to attempts to extort money. Gambling sites and others that rely on uptime (uninterrupted site availability) for revenue are a particular target.

It is possible to counter a DDoS attack, says Mike Prettejohn, of UK internet monitoring company Netcraft, by ignoring packets of data sent from unknown machines, or by filtering out packets that are not normally received. However, both techniques may result in blocking some legitimate web users. "That's just part-and-parcel of the strategy," Prettejohn told New Scientist. "If a site is successfully DDoS-ed, then no one can get to it at all."

Military networks
Ancheta has also admitted to causing pop-up advertising to appear on infected machines, in return for payment from advertisers. He has confessed to being paid $3000 in return for providing access to networks within his zombie network, selling networks of 10,000 machines on 30 different occasions.

Prettejohn adds that creating zombie machines is becoming increasingly complex for hackers as software companies like Microsoft have improved their software maintenance policies. But he warns that hackers are also focusing on new techniques for spreading viruses and other forms of malicious code, such as malicious instant messaging programs.

Ancheta is accused of infecting computers at the Weapons Division of the US Naval Air Warfare Center in California and others used by the Defense Information Systems Agency in Virginia. In federal court in Los Angeles, he pleaded guilty to conspiring to violate the US Computer Fraud and Abuse Act and anti-spam laws, and to causing damage to US military computers.

In a deal with prosecutors, Ancheta agreed to plead guilty in return for a shorter sentence of between six and eight years in prison. He will appear before a US district judge for sentencing on 1 May. In addition to paying restitution to the US government, Ancheta has agreed to forfeit his ill-gotten gains, which include $60,000 in cash, a BMW luxury car, and assorted computer equipment.

http://www.newscientist.com/article.ns?id=dn8627
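The first article above describes bots logging into an IRC server at irregular intervals, often spread over several servers. As an added example (not from either article or the poster), the following script groups outbound connections to IRC ports per internal host from constructed firewall log lines and reports hosts that check in repeatedly, along with the servers contacted and the gaps between check-ins; the log format, addresses and port list are assumptions.

```python
"""Flag internal hosts that repeatedly reach IRC ports (constructed firewall log)."""
import re
from collections import defaultdict
from datetime import datetime

# Common IRC ports; assumed for this example, tune to the environment.
IRC_PORTS = {6666, 6667, 6668, 6669, 6697, 7000}
# Assumed log format: "<date> <time> <src> -> <dst>:<port> <verdict>".
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\w+)$")

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2005-10-07 08:00:02 10.0.0.12 -> 203.0.113.5:6667 ALLOW
2005-10-07 08:04:41 10.0.0.12 -> 203.0.113.5:6667 ALLOW
2005-10-07 08:09:13 10.0.0.12 -> 198.51.100.9:6667 ALLOW
2005-10-07 08:15:55 10.0.0.12 -> 203.0.113.5:6667 ALLOW
2005-10-07 08:01:00 10.0.0.30 -> 192.0.2.80:443 ALLOW
2005-10-07 08:02:00 10.0.0.30 -> 192.0.2.80:443 ALLOW
2005-10-07 09:30:00 10.0.0.44 -> 203.0.113.5:6667 ALLOW
"""


def parse(log):
    """Return (timestamp, src, dst, port) tuples; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, _verdict = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(port)))
    return events


def irc_checkins(log, min_connections=3):
    """Map each internal host with >= min_connections IRC connections to the
    distinct servers it contacted and the seconds between successive connections.
    The randomized spacing the article describes shows up as uneven intervals;
    the repeated contact with IRC ports is the signal, not a fixed period."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if port in IRC_PORTS:
            by_src[src].append((ts, dst))
    findings = {}
    for src, conns in by_src.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        intervals = [int((b[0] - a[0]).total_seconds()) for a, b in zip(conns, conns[1:])]
        findings[src] = {"servers": sorted({d for _, d in conns}), "intervals_s": intervals}
    return findings
```

On a network where IRC is used legitimately, allowlist the known servers before alerting on the output.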
 