Dell reports up to twenty five percent of their helpdesk calls
are spyware related. Spyware has become as intrusive and
pervasive as viruses. Some forms are a nuisance to the
point of making your computer crash Spyware has to be
running in order to work. It runs in your RAM and by doing
so uses your systems resources.The more spyware you
have the slower your machine will run until it crashes. Most
computers run like new after spyware has been removed.
There are too many forms of spyware to list here but this
link will give you a definition.
We have become very proficient at removing spyware.
Depending on the severity of the infestation a total
reinstallation is sometime required. A service call can give
We can help innoculate your computer but internet surfing
habits are generally what start the trouble. Below is a list
of things to watch to help keep you from becoming a
Spyware victim. We can also make a clone of your current
operating system drive and restore a spyware ruined
system from it.
1. If you are recieving an increasing number of
pop-ups you are probably in the early stages of an
infection. If not removed the spyware program will contact
it's writer for more spyware
2. When sufing the web don't click "OK" to
download or install anything unless you know what it is.
Many of these downloads are trojan type programs.
3. All spyware has to run using your RAM or system
resources. This can be checked in all Windows operating
systems. In XP and Windows 2000, right click on the
taskbar and select "Task Manager". Next choose
"resources." In order to run smoothly you should have a
minimum of forty percent or higher free resouces
In Windows 98 right click on "My Computer" and choose
the " resources " tab
4. Install a Firewall. Run the firewall program scan
during the setup stage so it will not constantly badger you
for various permissions
5. Check your browser security settings.If you use the
Windows Update site some of the security updates will
reset these for you.
6. Download and install Firefox. or Opera they are
browsers very similar in appearance and functionality to
Internet Explorer. So far they are much more secure than
IE but who knows.
7. If you use AOL download the latest version. It is
not the most secure browser to begin with but the newer
versions are much better than previous editions. Before
you upgrade to the newer AOL run the configurator at their
website. It will scan your system and tell you whether or
not your computer will handle the newer brower.
8. Most, but not all low price games and card creator
programs included spyware. If you take the time to read
the End User License Agreement (EULA) as you install the
program you will see you are agreeing to their terms which
includes the spyware. The cost of the software is
subsidised by the spyware , hence the low price. The
problem is you have to click "Agree" to use the software in
the first place so you are stuck. After installing one of
these programs run your anti-spyware utility to clean out
the spyware. If you are fortunate the main program will still
run. If not, re-install.
Invasion of the Computer Snatchers
Hackers are hijacking thousands of PCs to spy on users, shake down online businesses, steal identities and send millions of pieces of spam.
If you think your computer is safe, think again
By Brian Krebs Washington Post
Sunday, February 19, 2006; Page W10
In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers
around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned
them into slaves.
Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80"
(pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of
commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with
advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential victims.
The young hacker, who has agreed to be interviewed only if he isn't identified by name or home town, takes a deep drag of his smoke and
leans back against the couch to exhale. He smiles. This is his day job, and his work is finished in less than two minutes. In two weeks, he will
receive a $300 check from one of the online marketing companies that pays him for his services.
"Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few
hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per
month, although he's made as much as $10,000. Not bad money for a high school dropout.
Hacked, remote-controlled home computers, known as robots or "bots," and large groups of robot networks like the one 0x80 runs -- called
"botnets" -- are the souped-up cyber engines driving nearly all criminal commerce on the Internet. Botnets are used to relay millions of pieces
of junk e-mail, or spam, touting everything from cheap Viagra to get-rich-quick business schemes. And the botmasters who control these
computer networks are at the heart of ominous and increasingly common online shakedowns known as "denial of service attacks." In such an
attack, Web gangsters demand tens of thousands of dollars in protection money from businesses. If the businesses refuse to pay, the
criminals order the thousands of computers that make up their botnets to flood the Web sites with meaningless traffic, crippling the
businesses and costing them thousands or hundreds of thousands of dollars in lost revenue.
0x80 says that he doesn't use his botnet to shake down businesses. Instead, he and a growing number of botmasters make money by
seeding their botnets with spyware, also known as adware. Once installed on a PC, the adware serves up pop-up advertisements and mines
data about the user's online browsing habits. The computer worm that powers the botnet also gathers far more sensitive data from the
victim's machine, including passwords, e-mail addresses, Social Security numbers and credit card data. The spyware and adware problem is
pervasive and growing: A recent survey by the National Cyber Security Alliance and America Online found that four of five computers
connected to the Web have some type of spyware or adware installed on them, with or without the owner's knowledge.
The distribution of online advertisements via spyware and adware has become a $2 billion industry, according to security software maker
Webroot Software Inc. And as the industry has boomed, so have the botnets. Just a few months ago, FBI agents arrested a 20-year-old from
Southern California for installing adware on a botnet of more than 400,000 hacked computers. Jeanson James Ancheta's victims included
computers at the Naval Air Warfare Center and machines at the Defense Information Systems Agency, according to government documents.
He pleaded guilty to the charges last month.
Like Ancheta, 0x80 installs adware and spyware surreptitiously, though the law requires the computer owner's consent. The young hacker
doesn't have much sympathy for his victims. "All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught
up in someone else's net, so it might as well be mine," 0x80 says. "I mean, most of these people I infect are so stupid they really ain't got no
business being on [the Internet] in the first place."
Tall and lanky, with hair that falls down to his eyebrows, 0x80 almost never looks you in the eye when he talks, his accent a slurry of heavy
Southern drawl and Midwestern nasality. He lives with his folks in a small town in Middle America. The nearest businesses are a used-car lot,
a gas station/convenience store and a strip club, where 0x80 says he recently dropped $800 for an hour alone in a VIP room with several
dancers. He tells his parents that he works from home for a Web design firm. His bedroom resembles a miniature mission control center, with
computers, television and computer monitors, and what must be several miles' worth of tangled wires plugged into an array of
surge-protected power strips.
At the moment, 0x80 controls more than 13,000 computers in more than 20 countries. This morning he installs spyware on just a few hundred
of the 2,000 PCs that he has commandeered in the last few hours. He will stagger the remaining installations throughout this day and into the
next, using a program he wrote that automates the process. If he installs too many bundles of spyware at once, the online marketing
companies, "get suspicious, they cut me off, and I don't get paid," he mumbles, squinting at the screen while the nub of his cigarette sprinkles
ashes all over his laptop and the coffee table. "I've learned not to get greedy."
A small dog with matted fur enters the living room and winds through 0x80's feet. 0x80 gives the dog a gentle shove with his foot, without
even looking up from his laptop. He furiously stabs at the keyboard with his two forefingers, punching out a short command that produces a
mesmerizing blur of black-on-white text that scrolls up the computer screen at several pages per second. 0x80 makes it halfway through a
cigarette before the text flying across the screen finally stops. The command he typed -- "pstore" -- is short for "password store." On the
screen in front of him is a listing of every user name and password that the owner of each infected computer has stored in the Microsoft
Internet Explorer Web browser on his or her computer.
A quick scroll through the first few dozen pages of the file reveals credentials his victims have used to log in to online accounts at PayPal,
eBay, Bank of America and Citibank, to name just a few. Many of the Web sites for which user names and passwords are stored are
harmless, such as sports or hobby sites. Others are potentially far more revealing, such as hard-core sex and fetish Web sites. 0x80 has also
found credentials for thousands of e-mail accounts, including dozens at ".mil" and ".gov" (U.S. military and government) addresses.
One of his victims, a computer-loving 29-year-old pastor named Michael White, could tell 0x80 plenty about jail. White runs the Agape Church
and Christian Center in Memphis but admits he wasn't always a man of God.
Ten years ago, he was a freshman at the University of Memphis, where he was on the track team and the dean's list. Then he fell in love with
liquor, he says, and flunked out of school. He landed in jail twice over the next 18 months, both times for driving a car that didn't belong to him.
Next came the accident that changed his life. One night, while White was driving a friend's Mitsubishi Eclipse, a police cruiser pulled up
behind him, lights flashing. White says he was intoxicated, and driving without a license or insurance. He panicked, floored the car and lost
control, flipping the Eclipse over and over until the fuel tank ignited. White woke up in a hospital bed with third-degree burns over 30 percent
of his body. The searing heat from the explosion had melted his ears into little nubs, and doctors had amputated the pinky finger on his
scarred left hand.
Fifteen plastic surgeries and more than two years of physical therapy later, White had healed enough to face the charges against him, which
included aggravated assault for endangering the lives of other motorists. He pleaded guilty in 1999 and served almost two years at a prison
During his time in prison, he says, "I realized the Lord had called me to ministry." Since White's release in 2001, God has played a huge part
in his life. And so have computers. He typically spends 50 to 60 hours a week surfing the Web, instant-messaging and e-mailing. He even met
his wife online. Shortly after starting his ministry, he entered an online chat room dedicated to Christian ministries and struck up a
conversation with a woman using the screen name "Warrior Princess." They hit it off immediately and married 15 months later. Taneshia gave
birth to their first child, MaKalya, last month.
But the same technology that led White to his wife betrayed him last summer. His desktop computer, which he had paid $350 for in 2004, was
suddenly inundated with pop-up ads for adult Web sites. A mysterious toolbar with the symbol "XXX" had shown up in the topmost portion of
every Internet Explorer Web browser window he opened.
A friend spent a few days trying to remove the pornographic software, but each time he did, the software reinstalled itself after the computer
was reconnected to the Internet. White initially suspected that one of the kids he tutors after school had used his PC to visit some
questionable Web sites. He wasn't aware that his computer had been hijacked by 0x80 until he was contacted by the reporter writing this
0x80's bot program was able to infiltrate the pastor's computer because the PC lacked dozens of software patches that Microsoft has issued
to fix security flaws in its Windows operating system. White says he was counting on a $50 firewall and antivirus software suite he purchased
from Trend Micro to keep hackers and viruses from attacking his PC, but he confesses he's not sure whether the software was equipped with
the latest updates that would allow it to detect the most recent viruses.
"I'll be honest, as someone who loves technology, I've not done a great job with this computer," White says. He eventually opted to buy a new
PC rather than spend the time and money to repair the infected one. "It just made more sense for me to get a new $300 Dell that came with a
free monitor that was better than the one I had," he says.
The whole episode, he says, has taught him a valuable lesson: It's easier to take the precautions needed to keep a computer from being
hacked than it is to clean it up after the damage has been done. "Overall, you've got to realize that, just like if you don't secure your home,
you run the risk of getting burglarized; if you're crazy enough to leave the door on your computer open these days, like I did, someone's
gonna walk right in and make themselves at home."
0x80 began learning how to program at age 14, before his family even owned a computer. Like many hackers of his generation, he got his
start by meeting techies on networks run by America Online.
This buddy of mine who lived two houses down from me had a computer before I did. He was always on AOL, but he also always had trouble
figuring out how to do stuff, so I'd just go on all the time and figure it out for him." 0x80 says he got into writing viruses by accident after
logging onto an AOL chat room named "Lesbians Only."
"Someone sent me a virus that made it so that every time I typed anything on the keyboard it would pop a message up on the screen that
said, 'I'M [expletive] GAY!'" 0x80 recalls. He tried to stop the computer from flashing the message, but nothing worked. "I finally found
[information] on it using my friend's PC and figured out how to write a batch script to stop the virus." After that, 0x80 became obsessed with
computer viruses and dedicated nearly all his time to tinkering with them. On his 16th birthday, his folks gave him his own computer to do
schoolwork. It wasn't long before 0x80 was skipping school to spend time in online channels known as Internet Relay Chat, a vast sea of
text-based communications networks that predates instant-messaging software. There are tens of thousands of IRC channels all over the
world catering to almost every imaginable audience or interest, including quite a few frequented exclusively by hackers, virus writers and
loose-knit criminal groups. IRC channels have traditionally been among the most popular means of controlling botnets.
About two years ago, 0x80 entered an IRC channel where several hackers were bragging about how much they were making using botnets to
install spyware. Up to that point, 0x80 had used his botnet mainly for "packeting," conducting petty denial-of-service attacks to knock his
buddies or enemies offline. Within a few weeks of visiting that channel, 0x80 was modifying the computer worm code he needed to transform
his botnet into a money machine.
He and his hacker friends are part of a generation raised on the Internet, where everything from software to digital music to a reliable income
can be had at little cost or effort. Some of them routinely go out of their way to avoid paying for anything. During a recent conference call with
half a dozen of 0x80's buddies using an 800-number conferencing system they had hacked, one guy suggests ordering food for delivery.
Nah, one of his friends says, "let's social it." The hackers take turns explaining how they "social" free food from pizza joints by counterfeiting
coupons or impersonating customer service managers.
"Dude, the best part is when you walk in, you hand them the coupon or whatever, they give you your [pizza], and you walk out," one of them
enthuses. "Then, it's like, yes, I am . . . the coolest man alive."
"Dude, that's so true," echoes a 16-year-old hacker. "Free pizza tastes so much better than pay pizza any day."
0x80 expresses some ambivalence about this lifestyle and occasionally ponders what he should do next. He's toyed with the notion of going
to a community college to get a degree in computer science, but the idea of getting an honest job with a legitimate tech company doesn't hold
much appeal. "I'd probably have to take a pretty bad pay cut no matter where I worked," he says.
Asked whether he worries about getting caught, 0x80 stuffs his hands into his jeans pockets, shrugs his shoulders and looks down at his
shoes. "To tell the truth, man, I'm sorta surprised they haven't caught me yet." He claims he doesn't care but then confesses that he
dedicates quite a bit of time to covering his tracks. "I do stay up very late each night trying to make sure nobody is going to kick in my front
door . . . If I do [get caught], I'm not all that worried. I've got enough money. I can always get a good lawyer."
Adware and spyware distribution companies promise instant riches to people who agree to help install their programs. These installers are
known in the business as "affiliates."
Many adware distribution sites recruit affiliates with photos of stacked $100 bills. GammaCash.com, for instance, the company that makes the
XXX toolbar that Michael White discovered on his computer, features an animated image of a pair of hands cupped to hold an expensive
watch. Wait a few seconds, and the watch disappears, only to be replaced by a Cadillac sport utility vehicle, which quickly morphs into a yacht.
The companies include in their "terms and conditions" disclaimers that they do not permit the installation of their products without the consent
of the person who owns the computer. Most claim they will terminate without pay any affiliates who violate that rule
But 0x80 and one of his friends -- who goes by the screen name Majy -- say they've easily disguised their installation methods. Their biggest
complaint about the whole enterprise: being routinely shortchanged by the adware distribution companies, which often "shave," or
undercount, the number of programs installed by their affiliates.
"It sucks, too, because the companies will shaft you, and there isn't a lot you can do about it," says Majy, 19, who claims to have had as many
as 30,000 computers in his botnet.
There are, in fact, legal ways to induce PC owners to download spyware and adware. Most computer users acquire spyware and adware
simply by browsing certain Web sites, or agreeing to install games or software programs that come bundled with spyware and adware. Before
its Web site went dark not long ago, TopConverting.com bundled its adware and spyware with products most likely to appeal to children and
teenagers: simple games, online game insignias or "avatars," and "emoticons," custom-made smiley faces for use in instant-message
software. The company also marketed short digital videos that catered to the humor of teenage boys: "Beavis and Butt-Head" cartoons, a
short clip called "Boob Boxing" and another titled "Bath Fart."
Computer users may or may not understand what they are consenting to when they click "OK" to the lengthy, legalistic disclosures that
accompany these games or videos. But those notices are legal contracts that essentially absolve the adware companies from any liability
associated with the use or misuse of their programs.
0x80 and Majy don't leave computer owners any chance to decline the adware. Once they invade a computer and add it to their botnet, they
use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements. 0x80 says he even created a
program that allows him to remotely wipe computers in his botnet clean of old adware, making room for him to install new adware -- and get
And getting paid is the whole point. Majy says TopConverting, which did not respond to requests for comment for this article, paid him an
average of $2,400 every two weeks for installing its programs. He got 20 cents per install for computers in the United States and five cents
per install for PCs in 16 other countries, including France, Germany and the United Kingdom. A nickel per install doesn't sound like much,
unless you control a botnet of tens of thousands of computers.
Majy also receives income from Gamma-Cash, which bills itself on its Web site as "an industry leader in online adult affiliate programs." The
company pays affiliates to drive traffic to adult Web sites, mainly through pop-up advertisements for porn sites served to users through its
XXX toolbar, which hijacks the victim's Web browser and sets its home page to one of several subscription porn sites. Majy says
Gamma-Cash, which did not respond to requests for comment, sends him a $400 check each month from a bank in Canada.
0x80 also installs adware for Gamma-Cash. And he works for a company called Loudcash, which was recently purchased by one of the
largest and most important players in the adware business: 180solutions.
Half of the glass-and-steel structure that houses 180solutions' sprawling headquarters in Bellevue, Wash., rests underground; the other half
juts out at acute angles. The rooftop sports an AstroTurfed volleyball court, a gas grill and a commanding view of the Seattle skyline.
Some of the company's 200-plus employees zip around the long hallways on Segways or foot-powered scooters. Throughout the building are
polka-dotted posters that read, "Who Do You Want to Be?" The signs are meant to challenge employees to continuously reevaluate their
roles, but they also reflect the seven-year-old company's effort to prove to the world that it has executed a 180-degree shift away from its
past business practices.
180solutions got its start in the adware industry with a product called Epipo, which paid people roughly six cents per hour to view specially
targeted advertisements sent to their computers. The product became popular among college students, who quickly figured out ways to
automate browsing the Web so that they could get paid for viewing ads while they were away from their computers. According to allegations in
a lawsuit filed by the Washington state attorney general's office, 180 responded by changing the payment terms so that it was virtually
impossible for people to collect the promised money. The company nearly went bankrupt when it settled the suit in 2002.
By that time, 180 had changed its marketing strategy. Instead of paying people to install its adware, the company lured them with free games,
which came bundled with ad-serving software called "n-Case." The software tracked users' surfing and buying habits, and was extremely
difficult to remove. Consumer advocates had little difficulty showing that n-Case was being installed without user consent. Faced with
increasing criticism for the fraudulent installs, 180 rebranded the software as 180 Search Assistant. The new software's chief distinguishing
feature was that it was easier to remove than n-Case.
through bad business practices and that they continue to make money from that user base is hardly unique to them," Edelman says. "What
really makes people so mad is that 180 is far less apologetic than the other players" in the industry.
The Center for Democracy & Technology, the leader of a group called the Anti-Spyware Coalition, spent two years working with 180 to
resolve dozens of consumer complaints about surreptitious installs. Ari Schwartz, the center's deputy director, says each time the subject
arose, the company claimed it was blindsided by the accusations and that it needed more time to correct its distributors' behavior.
Weeks after 180solutions said it was discontinuing its 180 Search Assistant software, a computer worm began spreading rapidly across
AOL's instant message network, downloading and installing viruses and a host of other programs -- including 180 Search Assistant -- on
victims' computers. While 180 denied it had anything to do with the worm, for the CDT, that was the last straw: On January 23, the nonprofit
filed a detailed complaint with the Federal Trade Commission urging the agency to sue 180solutions for violating consumer protection laws.
In a statement, 180solutions denied that it was ignoring the problem, arguing that it had made "great progress in the fight against spyware"
and insisting that it shared the CDT's vision of "protecting the rights and privacy of consumers on the Internet . . . We have made voluntary
improvements to address every reasonable concern that the CDT has made us aware of."
Company executives acknowledge they didn't begin addressing the fraud problems wrought by what 180 co-founder Dan Todd calls "a few
bad actors" until mid-2004. Dressed in worn-out jeans and an untucked dress shirt, 34-year-old Todd puts one foot up on the coffee table in
his glass office and tries to explain how things spiraled so far out of control. "At some point between dealing with legitimate distributors and
these botnet guys who try real hard to look like good guys, we realized that something had gone terribly wrong and that our plan of
outsourcing our relationship to the consumer had backfired," Todd says.
Last year, he says, 180 executives purchased some of their biggest distributors, including Loudcash, as part of a plan to rein in "rogue
distributors" and help clean up the company's adware distribution practices. 180 says it no longer allows its adware to be bundled with adult
Web site content or peer-to-peer (P2P) online file-sharing services that many people accuse of promoting music and movie piracy. "Our
goal," he says, "is to minimize the financial incentive for people to install our software illegally, with the goal of making sure that our money
never gets paid to bad actors."
To demonstrate its commitment, 180 filed lawsuits last year against seven distributors, accusing them of using botnets to earn more than
$60,000 installing the company's adware without computer owners' consent. When the defendants -- all of whom live outside of the United
States -- refused to make the trip here to face the allegations against them, 180 referred the matter to the FBI, says company attorney Ken
The company also worked with the FBI and Dutch authorities last year on an investigation that shut down a botnet of more than 1 million
computers in the Netherlands. The FBI acknowledged that 180 was instrumental in helping to track down the botmasters. 180, in fact, became
the target of a denial-of-service attack by the botmasters, who were furious that the company was refusing to pay them for surreptitious
adware installs. The attack briefly crippled 180's Web site, making the company a victim of the botnet phenomenon.
Yet 180's insistence that it is cracking down on botmasters has yet to win over the anti-spyware activists, who have spent years unraveling
the labyrinthine economic ties among advertisers, adware vendors and their affiliates. The anti-spyware hawks don't believe 180solutions has
changed the way it operates or that the company is buying up major players in the adware industry in order to clean up its act. "That's sort of
like a drunk saying he's buying up a liquor store to solve his drinking habit," says Eric Howes, an executive at Sunbelt Software, an
At a recent anti-spyware conference, Todd was openly mocked for claiming that 180 previously had no way of knowing how many of its
distributors were installing its software illegally. Someone at the conference suggested that 180 use its technology to periodically present
users with pop-ups asking them whether they had authorized the adware to be installed in the first place. Now the company says it is doing
just that. If the answer is no, the user can remove the software with a click of a button.
0x80 hasn't paid much attention to the public condemnation of 180's business practices. And he says he doubts any of the measures the
company is taking will discourage botmasters from installing adware. "It doesn't really matter what  does to try and stop them," the
hacker says. "There's just too much money to be made there. People will just find another company to work with."
Sam Norris answers the door of his handsome stucco-and-Spanish-tile home near San Diego dressed in jeans, a polo shirt and
squeaky-clean blue and white suede sneakers. He smiles broadly. "You picked a great week to come out," he says. "I'm tracking quite a few
Norris, 31, is president of an Internet service company called ChangeIP.com that finds itself at the center of the battle against botnets. He
estimates that he is spending up to 20 hours a week preventing botmasters like 0x80 and Majy from using his network to control their botnets.
Botmasters typically control their herds of infected PCs by having each report to a central server and await instructions, which may be to
attack a Web site, send spam or download spyware programs. But many of the IRC networks that have been used for this purpose are
beginning to crack down on botmasters. As a result, an increasing number of hackers are trying to cover their tracks by taking advantage of
the services of companies like Norris's, which allow Internet browsers to find hundreds of small Web sites by name (for example:
smallwebsite.com), even though the actual numeric address of the sites can change from day to day.
Botmasters like 0x80, however, have turned that process inside out. They use Norris's service to hide their botnets when they jump from
server to server. Should authorities or computer security experts start to zero in on the server that's running their botnet, they can switch
servers, and ChangeIP.com will enable the hijacked computers to find the new hideout.
In most cases, it is easy for Norris to tell which hosts on his network are legitimate Web sites and which are botnets: Most small Web sites
don't have thousands of computers trying to access the site at precisely the same time. By tracking the communications traffic between the
infected machines and the botmaster's control channel, Norris can capture data that might be useful to law enforcement, including snippets of
text or code that may hold clues about the geographic location or identity of the botmaster.
Norris says he sees an average of 37 new botnets per week trying to use his company's service, and sometimes as many as 10 new botnets
per day. Last spring, he cut off access to a botnet of more than 40,000 PCs that was being used as a massive install base for spyware. "I am
seeing this botnet-spyware connection just skyrocket," Norris says, "and I think it's because these guys are realizing there's tons of cash to
be made here."
A computer programmer by trade, Norris dissected a copy of the bot used by one hacker he recently banished from ChangeIP.com's network.
The program contained instructions for installing 14 adware and spyware programs, and Norris says the bot code was encrypted and so
thoroughly disguised that none of the antivirus software he used detected the code as malicious. As he was examining the bot program,
Norris accidentally executed it, causing his machine to become infected. Almost immediately, he says, the program downloaded a package of
adware and launched several pop-up ads for pornographic Web sites. It also installed GammaCash's infamous XXX toolbar.
Norris's forensics work revealed that the bot program also contained more than 30 other features, including the ability to capture all of the
victim's Web traffic and keystrokes, as well as a program that looks for PayPal user names and passwords. Other programs installed by the
bot allowed the attackers to peek through a user's webcam.
Norris often works out of his home in the auburn hills of San Marcos, Calif., where F-16 fighter jets from nearby Miramar Naval Air Station
streak across the sky. Today he sits down at the desk in his cramped home office and clacks away at his keyboard, generating a slew of line
graphs measuring the level of traffic flowing across his company's networks. He's a member of an informal enforcement group of more than
100 independent security experts worldwide who share daily data on the size, location and activity of the Web's most disruptive botnets.
Hailing from Internet service providers, computer hardware manufacturers and software security firms, the group's members use that
information to shut down botnets by cutting off the infected computers and forwarding the intelligence they glean to law enforcement.
Each morning, Norris receives an e-mail listing the online locations of the Web servers used to control some the world's most dangerous
botnets. "First thing I do most days is go through this list and try to find out which ones" are using his network, he says, pointing to a report he
just generated that lists the top 20 traffic-generating sites on his company's system. "Most of these are botnets."
And the botnets are hardly limited to hijacked home computers. A few months back, Norris found more than 10,000 infected PCs on the inside
of a Fortune 100 company network, all trying to contact a control server located at ChangeIP.com. When Norris called the company with the
bad news, its poorly trained network administrator had no idea how to respond. "I call this guy up and say, 'Hey, you've got 10,000 infected
computers on your network that are attacking me,' and this guy is basically, like, 'Well, what do you want me to do about it?' "
Norris says that after collecting enough evidence about a botnet, he terminates the account and, he hopes, disconnects the botmaster from
his army of infected machines. He says "he hopes" because many times the botmaster will have instructed his enslaved machines in advance
to try several other domain names should the main control channel be shuttered. But in most cases, Norris says, the botmaster simply shifts
control of his botnet to another Internet service provider. "Other times, the attackers play dumb and send polite e-mails asking why their
service has been shut off." And, occasionally, the hackers will rebuild their botnets elsewhere and use them to retaliate against ChangeIP.
Last year a botmaster who had been cut off joined forces with another botnet to direct such a massive, constant stream of bogus Web traffic
at ChangeIP.com that the site had difficulty processing legitimate traffic for nearly a week.
As the botnet problem has escalated, so has the interest of federal law enforcement, Norris says. Not long ago, he was contacted by a
National Security Agency official who asked for records related to several ChangeIP accounts. He's also had visits from FBI agents hot on the
trail of several botmasters. One FBI agent said he couldn't disclose the details of his investigation but handed Norris a copy of a Time
magazine article about Chinese hackers suspected of infiltrating U.S. corporate and military computer networks.
"The feds are finally starting to understand that botnets are more than just a nuisance: They're the source of all that's evil on the Internet
today, from hacking and spamming to phishing and spying," Norris says. (Phishing involves impersonating trusted Web sites to gain
confidential information from computer users.)
Shutting down a botnet can be arduous work, but finding the criminal on the controlling end of the herd has proven an especially challenging
task for law enforcement. That's in part because security experts like Norris and others often disagree over whether to dismantle the botnets
as soon as possible or to monitor them for a period of time in order to gather intelligence that might prove useful in helping investigators track
down the criminals behind them.
Hank Nussbacher, an independent Internet security consultant based in Israel and a member of the group that's sharing information on
botnet activity, says most members have their hands full just shutting down the botnets' command and control centers. "Occasionally, the
Internet service provider where the [bot control center] is located requests that it not be shut down because they are collecting forensics
information for some law enforcement agency, but I'd say about 98 percent of the time, as soon as we find one, we shut it down."
Louis Reigel III, assistant director of the FBI's Cyber Division, says the botnet data regularly shared by security experts like Norris is
invaluable. But Reigel stresses that prosecuting botmasters is difficult because their crimes and networks usually span multiple continents,
which means working with foreign law enforcement agencies and depending on their cooperation.
The FBI has dedicated several agents from its special technologies section to tracking down botnet operators and is pursuing hundreds of
investigations, Reigel says. But "the techniques being used by these bot guys are becoming more efficient every day, so the bot situation is
probably going to get a lot worse before it gets better."
Norris shares that fear and worries that more botmasters will begin to exploit emerging peer-to-peer communication technologies of the sort
that power controversial music- and movie-sharing networks like Kazaa and LimeWire. Such networks would allow enslaved computers to
communicate instructions and share software updates among one other, so that they would no longer depend on orders from the master
servers that Norris and other bot hunters search out and disable every day.
"When P2P becomes the norm with these bots," Norris says, "that's when I call it quits with this botnet stuff, because, at that point, it will be
pretty much out of my hands."
On the eve of a visit to his home by a Washington Post photographer, 0x80 decides to tell his father what he really does for a living, in part,
he says, because hiding it is starting to eat him up inside. 0x80 tells his father the whole truth, but he can't bring himself to break the news to
his mother because, as he puts it, "she's really Christian and that would just crush her to know I'm involved in something like this."
"I told my dad I had made an Internet worm that infected people, and then I used their computers to make money, and he just shook his head
and was, like, 'I hope you don't go to jail for that . . .' and . . . 'I hope it wasn't underage porn you was doing.'"
That same question has been encroaching on 0x80's peace of mind of late. His hard-boiled pose has begun to break down, and instead of
sneering at the risks of getting caught and brought to justice, he's begun to talk about quitting the criminal hacking scene to join the Army,
which, he reasons, will offer not only discipline and the motivation to earn his GED but also potentially a free ride to college. From there, he
can imagine a more respectable future working on information technology projects for the military.
"It's nice to have up to $10,000 a month coming in, but, if it's not legit, then I also have all this other stuff to worry about," 0x80 says. "Like, I
gotta hide my laptop every night, and every time I don't come online for a day I have people blowing up my cell phone asking if I got raided by
0x80 has shared his plans with a few of his online buddies, many of whom have grown dependent on his ability to develop ever more stealthy
and effective botnet programs.
"Some of my people really don't want me to leave, but I've got to figure out a way to use the [expletive] I know to get something going for
myself," 0x80 says. "With the Army, I could get stationed someplace where I would have a better chance at getting a higher-paying job and
still be able to do what I like to do. Either way, I gotta get up outta this hole I'm living in."
Brian Krebs is a technology reporter for washingtonpost.com.
These are just a few things you
can do to protect yourself from
As spyware evolves we will post
new findings so check back
once in awhile to see what is
Thinking of getting your
own business or personal
Website ? Click HERE