Invasion of the Computer Snatchers
By Brian Krebs
Sunday, February 19, 2006; Page W10
Hackers are hijacking thousands of PCs to spy on users, shake down online businesses, steal identities and send millions of pieces of spam. If you think your com-puter is safe, think again
In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.
Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential victims.
The young hacker, who has agreed to be interviewed only if he isn't identified by name or home town, takes a deep drag of his smoke and leans back against the couch to exhale. He smiles. This is his day job, and his work is finished in less than two minutes. In two weeks, he will receive a $300 check from one of the online marketing companies that pays him for his services.
"Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout.
Hacked, remote-controlled home computers, known as robots or "bots," and large groups of robot networks like the one 0x80 runs -- called "botnets" -- are the souped-up cyber engines driv-ing nearly all criminal commerce on the Internet. Botnets are used to relay millions of pieces of junk e-mail, or spam, touting everything from cheap Viagra to get-rich-quick business schemes. And the botmasters who control these computer networks are at the heart of ominous and increasingly common online shakedowns known as "denial of service attacks." In such an attack, Web gangsters demand tens of thousands of dollars in protection money from businesses. If the businesses refuse to pay, the criminals order the thousands of computers that make up their botnets to flood the Web sites with meaningless traffic, crippling the businesses and costing them thousands or hundreds of thousands of dollars in lost revenue.
0x80 says that he doesn't use his botnet to shake down businesses. Instead, he and a growing number of botmasters make money by seeding their botnets with spyware, also known as adware. Once installed on a PC, the adware serves up pop-up advertisements and mines data about the user's online browsing habits. The computer worm that powers the botnet also gathers far more sensitive data from the victim's machine, including passwords, e-mail addresses, Social Security numbers and credit card data. The spyware and adware problem is pervasive and growing: A recent survey by the National Cyber Security Alliance and America Online found that four of five computers connected to the Web have some type of spyware or adware installed on them, with or without the owner's knowledge.
The distribution of online advertisements via spyware and adware has become a $2 billion industry, according to security software maker Webroot Software Inc. And as the industry has boomed, so have the botnets. Just a few months ago, FBI agents arrested a 20-year-old from Southern California for installing adware on a botnet of more than 400,000 hacked computers. Jeanson James Ancheta's victims included computers at the Naval Air Warfare Center and machines at the Defense Information Systems Agency, according to government documents. He pleaded guilty to the charges last month.
Like Ancheta, 0x80 installs adware and spyware surreptitiously, though the law requires the computer owner's consent. The young hacker doesn't have much sympathy for his victims. "All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught up in someone else's net, so it might as well be mine," 0x80 says. "I mean, most of these people I infect are so stupid they really ain't got no business being on [the Internet] in the first place."
Tall and lanky, with hair that falls down to his eyebrows, 0x80 almost never looks you in the eye when he talks, his accent a slurry of heavy Southern drawl and Midwestern nasality. He lives with his folks in a small town in Middle America. The nearest businesses are a used-car lot, a gas station/convenience store and a strip club, where 0x80 says he recently dropped $800 for an hour alone in a VIP room with several dancers. He tells his parents that he works from home for a Web design firm. His bedroom resembles a miniature mission control center, with computers, television and computer monitors, and what must be several miles' worth of tangled wires plugged into an array of surge-protected power strips.
At the moment, 0x80 controls more than 13,000 computers in more than 20 countries. This morning he installs spyware on just a few hundred of the 2,000 PCs that he has commandeered in the last few hours. He will stagger the remaining installations throughout this day and into the next, using a program he wrote that automates the process. If he installs too many bundles of spyware at once, the online marketing companies, "get suspicious, they cut me off, and I don't get paid," he mumbles, squinting at the screen while the nub of his cigarette sprinkles ashes all over his laptop and the coffee table. "I've learned not to get greedy."
A small dog with matted fur enters the living room and winds through 0x80's feet. 0x80 gives the dog a gentle shove with his foot, without even looking up from his laptop. He furiously stabs at the keyboard with his two forefingers, punching out a short command that produces a mesmerizing blur of black-on-white text that scrolls up the computer screen at several pages per second. 0x80 makes it halfway through a cigarette before the text flying across the screen finally stops. The command he typed -- "pstore" -- is short for "password store." On the screen in front of him is a listing of every user name and password that the owner of each infected computer has stored in the Microsoft Internet Explorer Web browser on his or her computer.
Much More about this here, 4 more pages of the story: http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html