For Spammers, Worm Turns a Profit
By Brian Krebs
For the first two weeks of October 2004, relentless waves of Internet
traffic swamped the Web site of Gaithersburg, Md.-based Harta
Instruments, one of six companies worldwide that manufacture devices
used to detect a virus linked to genital warts and cervical cancer.
John Lee, the company's owner, initially suspected a digital attack
bent on destroying his mostly Internet-based business. Lee later
learned that the flood of Web traffic came from more than 300,000
computers seeking software updates at his site. The computers had
been infected with the latest version of the "Bagle" worm, one of
last year's most prolific and insidious Internet viruses.
The debilitating attacks have ceased now that his Web site is
operating under a new name, but Lee still fumes over the incident,
which he says cost his company tens of thousands of dollars in lost
sales.
"I don't know who was behind all of this, but they need to be caught
and then shot," Lee grumbled.
Barring a careless misstep by the virus author or authors, the
prospects for any repercussions appear dim. The worm that targeted
Lee's site was the 44th version of Bagle unleashed in 2004, a year in
which teams of virus writers forged new alliances with junk e-mail
artists to convert millions of home PCs into remote-controlled
"zombies" used to fuel spam and phishing attacks.
As a result of those alliances, junk e-mail and phishing attacks --
online scams that lure victims into giving up confidential
information -- far outnumbered legitimate e-mail communications last
year. Roughly three-quarters of all e-mail in 2004 was spam or
fraud-related, according to Postini, a Redwood City, Calif.-based
anti-spam firm.
Rent-a-Zombie
Bagle was just one of countless e-mail worms unleashed onto the
Internet in 2004, but the attack on Lee's site offered security
experts a rare glimpse into the thriving economic and operational
ties between Internet criminals and virus writers.
In many ways, the Bagle virus is no different from other e-mail worms:
it seizes control of a recipient's PC after the recipient clicks on an
e-mail attachment that harbors the virus.
But Bagle also has outpaced its brethren in other areas. It would
become one of 2004's most successful "multi-stage" viruses, in that
it was designed to lie dormant for several days after infection, then
instruct its host to download software updates from a pre-defined list
of more than 130 Web sites. Bagle also was the first high-profile
worm to disable the protective firewall that Microsoft Corp. enables
in all distributions of Service Pack 2, a software security upgrade
made available to Windows XP users in August.
Symantec Corp., an Internet security firm based in Cupertino, Calif.,
intentionally infected some of its computers with the Bagle virus in
order to monitor the worm's progress. In a 28-page report published in
December, the company found that some of the PCs downloaded software
that forced them to forward e-mails used in a pair of elaborate
phishing scams targeting customers of SunTrust Banks.
Other Bagle-infected PCs were used to spew junk e-mail. One piece of
spam hawked cheap generic prescription drugs. Another advertised
popular software titles -- including computer-security and anti-virus
programs -- at fire-sale prices. Experts say most software sold
through spam is pirated, and much of it is itself laced with viruses.
Alfred Huger, senior director of security response at Symantec, said
most of the infected computers were seeded with additional software
over a period of several weeks. "That kind of activity suggests that
the people behind the Bagle worm are either running a vast criminal
enterprise or they are loaning out their network" of infected PCs to
other scam artists and spammers, Huger said.
It is common for attackers to sell or rent access to PCs they have
compromised, according to Johannes Ullrich, chief technology officer
for the SANS Internet Storm Center. In certain little-known
underground chat rooms, a hacked computer in the United States can be
rented for pennies per week.
However, hijacked PCs in some foreign countries often fetch a higher
value because they are considered harder for authorities to shutter,
Ullrich added. "We've seen the asking price go as high as $25 for a
single compromised home system."
Recycling the Victim
One reason Bagle and hundreds of other so-called "mass-mailer" worms
are so prevalent is that virus authors typically reuse machines they
have infected to help spawn future incarnations of their
creations. Last year, hackers released new Bagle versions roughly
once a week, each time using thousands of hijacked computers to
"seed" the Internet with initial copies of the virus.
Harta's Lee and many others responsible for maintaining the Web sites
listed in Bagle's code acknowledged having inadvertently infected one
or more of their personal or work computers with earlier versions of
Bagle in the weeks leading up to the attacks on their sites.
The attackers likely located the victims' Web sites by using one of
Bagle's built-in capabilities: eavesdropping on an infected
computer's Internet connection for usernames and passwords that
victims use to read e-mail, log in to bank sites or administer Web
sites.
Anthony Flanagan, a real estate development planner in San Francisco,
owns a laptop that was infected with the Bagle worm in early
September. Two weeks later his site buckled under the traffic of
Bagle-infected PCs trying to download software that attackers had
planted on his site and laptop.
Flanagan's Internet service provider quickly pulled the plug on his
Web site because it was crashing other sites operating on the same
server. Flanagan said his site normally receives four or five
visitors in a busy week, but when his ISP cut him off, the site was
choking on more than 120 hits per second.
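The traffic pattern described above, a hard-coded list of sites hit at once by thousands of infected hosts fetching the same file, looks very different in a Web server's access log from a busy day or a single misbehaving client. The following is an added example, not code from the article or from any of the companies it names: a small log check that flags a (second, path) bucket only when both the hit rate and the number of distinct source addresses are high. It assumes Apache common log format; the log lines, the address ranges (RFC 5737 test networks) and the path /files/upd.bin are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return {ip, second, path, status} for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "second": ts.replace(microsecond=0),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_fetch_floods(lines, min_hits_per_sec=100, min_distinct_ips=50):
    """Flag (second, path) buckets that are both fast AND spread across many sources.
    A single scanner hammering one URL trips only the rate test; a worm-driven update
    fetch from thousands of infected PCs trips both."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[(rec["second"], rec["path"])].append(rec["ip"])
    alerts = []
    for (second, path), ips in sorted(buckets.items()):
        if len(ips) >= min_hits_per_sec and len(set(ips)) >= min_distinct_ips:
            alerts.append({"second": second.isoformat(), "path": path,
                           "hits": len(ips), "distinct_ips": len(set(ips))})
    return alerts

def constructed_sample():
    """Constructed log lines (not real traffic): one distributed flood, one single-source
    burst, one ordinary request and one malformed line the parser must skip."""
    stamp = "[03/Oct/2004:12:00:0{s} +0000]"
    lines = [f'203.0.113.{i} - - {stamp.format(s=1)} "GET /files/upd.bin HTTP/1.1" 200 1234'
             for i in range(150)]                       # 150 distinct sources, same second
    lines += [f'192.0.2.7 - - {stamp.format(s=2)} "GET /index.html HTTP/1.1" 200 512'
              for _ in range(150)]                      # one source, 150 hits in a second
    lines.append(f'192.0.2.8 - - {stamp.format(s=3)} "GET /about.html HTTP/1.1" 200 700')
    lines.append("not a log line")
    return lines

if __name__ == "__main__":
    for alert in find_fetch_floods(constructed_sample()):
        print(alert)
```

Thresholds are per-site: Flanagan's normal traffic was a handful of visitors a week, so for a site like his even 120 hits per second from a few dozen addresses is worth an alert.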
"I didn't know I was infected, or that it was even possible for the
virus to make its way over to my Web site," he said.
Still, experts say many of the sites listed in Bagle's internal code
never hosted any of the phishing or spamming software and were
probably used as decoys to throw anti-virus researchers off their
trail. Nevertheless, those sites were just as affected by the deluge
of traffic from Bagle victims.
The Web site for Union Hospital in Elkton, Md., appears to have been
one such decoy. Hospital officials directed inquiries about the
incident to the site's Internet service provider, Hunt Valley,
Md.-based System Source.
System Source co-owner Robert Roswell said the hospital's Web address,
www.uhcc.com, received thousands of hits per second at the height of
the attack, cutting off public access to the site for more than 24
hours. Roswell declined to say how much the attack cost, but said the
company "put an enormous amount of defensive energy into keeping the
site alive."
"Let's just say we blew through about 10 years' worth of service contracts
defending the hospital from this attack," he said.
No Relief in Sight
For the first three weeks of 2005, anti-virus companies saw only minor
outbreaks of mass-mailing worms. But on Jan. 26, virus authors
unleashed a major outbreak with several new versions of the Bagle
worm. Within 24 hours, the amount of spam generated by Bagle-infected
PCs increased from 140,000 junk e-mails to more than 1 million a day,
according to Symantec, which recently acquired anti-spam company
Brightmail.
Experts say there are precious few signs that e-mail worms or the spam
and scams they facilitate will fade away in the near future. The
instructions for creating custom versions of Bagle and many of today's
most successful e-mail worms now are freely available online.
Virus authors also will continue to exploit weaknesses in commercial
anti-virus software, most of which must be constantly updated with
new "definitions" to be able to detect the latest viruses and
worms. This allows the virus writers to stay a step ahead by
releasing slightly different versions of their creations just hours
apart.
At the beginning of 2004, anti-virus companies took an average of 12
hours to release new definitions following a viral outbreak,
according to MessageLabs, a British anti-spam company. By December
2004, that window of opportunity had shrunk by less than two hours,
MessageLabs said.
Still, the biggest contributor to the future success of such viruses
will continue to be new, inexperienced Internet users, thousands of
whom venture forth each day worldwide, said Mikko Hypponen, director
of anti-virus research at F-Secure Corp. in Helsinki.
"There are new users coming online all the time who know nothing about
the risks of owning a computer and getting on the Internet," Hypponen
said. "We're going to be fighting these e-mail worms for quite some
time."
Copyright 2004 The Washington Post Company
NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . Hundreds of new articles daily.