Virus Gang Warfare Spills Onto the Net

By Bob Sullivan (MSN.com, April 3, 2007)

There might be a gang fight raging in your bedroom or study right now. There's no gunfire, no blood, and you won’t smell any smoke. But there is a battle. The fight is over your bandwidth and your PC processing power.

Last week, we told you that perhaps as many as 150 million computers connected to the Internet have been hijacked by hackers who use them in high-stakes, big-ticket crimes. Hacker gangs with creepy names like Rustock and Warezov order the armies of infected computers – called bots -- to send out spam or attack Web sites for profit.

They also use these armies to attack each other.

For years, hackers have created specially-crafted malicious programs called viruses and Trojan horses that sneak onto home computers through e-mail attachments or infected Web pages. Once there, the program turns the computer into a secret soldier in an army of hijacked machines that the hacker -- now called a bot-herder -- can use to send out billions of spam messages or to overwhelm Web sites with extraneous traffic. But lately, a sharp rise in the number of infected computers has security experts calling the attack an Internet epidemic.

The bot network industry has become so profitable, and hijacked computers so valuable, that rival gangs are now fighting over them. This digital gang warfare is not physically violent, but it certainly is no game. Bot herders steal each other's infected computers, fight off such raids, and often try to knock each other’s computers off-line. "They are cutthroat and competitive. They are in it to make a lot of money.... These guys are ruthless to begin with and don’t care who they hurt, as long as they get their dollars," said Jose Nazario, a security researcher at Arbor Networks.

The war has escalated to a level where bot herders must jealously guard their hijacked computers. In October, a yet-to-be-named Russian gang released a program called SpamThru that infected machines worldwide and quickly amassed an army of zombies nearly 100,000 strong, capable of sending out 1 billion messages each day.

To protect the investment, the malicious program actually included a stolen copy of the Kaspersky antivirus program, modified to stop all attacks but its own. SpamThru installed the anti-virus program on all infected computers, removing all other viruses. It even sent an infection rate report to the program’s author. The stolen antivirus software continues to defend SpamThru bots from other attacks to this day.

The foray into ad-hoc antivirus software is necessary because bot-herders now regularly train their armies against their rivals. When the Storm worm -- probably this year's biggest virus attack to date -- was released in January, it had a dual function. In addition to its spam functions, Storm-infected computers were instructed to attack Web sites run by the rival Russian Warezov gang, hitting sites with cryptic names like esunhuitionkdefunhsadwa.com. By taking those sites off line, the rival spam network was partially disabled. The sites had been set up as communications hubs for Warezov-hijacked computers; without them, the zombie computers didn't know where to attack.

The Storm attack was clearly designed to cripple a rival. “They were attacking sites that were known distributors of other bots,” said Joe Stewart, a prominent antivirus researcher at SecureWorks Inc. Because the attack was hard-coded into the original Storm virus, no human intervention was required to join the battle. "It is an automated war at this point ... on a massive scale,” Stewart said.


They're No. 1

Why the war? Because bot-masters have to advertise their services like any other industry. And like any business, each bot-herder wants to be able to claim they’re number one. "These guys are at this as a business, asking how can they maximize their profits. It is not unexpected that they will go to these measures," Stewart said. "We expect them to keep trying to one-up each other. They want to be the one that has the biggest botnet."

There is a lot of money at stake. A single denial-of-service attack on a gambling Web site can cost $50,000 a day, said Jose Nazario. In a typical denial-of-service extortion scheme, a bot-herder will aim thousands of computers at a single Web site, overwhelming it with traffic and rendering it unavailable. Legitimate users can no longer access the site, and instead receive the Web's equivalent of a telephone busy signal. Then, the hackers demand an extortion payment to end the flood of fake traffic. Such outages can be costly to firms like gambling sites that make their money minute-by-minute online; without alternatives, many firms pay up, experts say. Three Russian bot herders were recently sentenced to eight years in prison after successfully extorting several gambling operators in the United Kingdom. The gang earned “several million dollars before they were caught,” said Mikko Hypponen, a researcher with Finnish firm F-Secure.com.

With so much money on the line, bot herders are hardly above stealing from each other. "If it takes a week to get 100,000 new infections, or it takes an hour to steal Bob's machines, what would you do?” Nazario said.


Bugs fixed 'faster than commercial software'

Bot authors steal each other’s bots in numerous ways. The most common: They attack vulnerabilities in the original bot software. That’s precisely the way virus writers attack Windows and other commercial software. In the classic example, the massive MyDoom virus in 2004 left an open back door on all infected machines for its author to install upgrades. But rival gangs quickly found the back door, and took over the hijacked machines with a follow-on virus called "DoomJuice."

Once a previously hijacked computer is hijacked a second time, the thief moves quickly to disable the previous bot software and shut out the first hijacker. Virtually all software, even hacker software, has flaws, Nazario said, so hackers regularly probe each other's tools for openings. Bot virus authors, meanwhile, react quickly when they find a flaw is being exploited and their investment is at risk. “Some of these bugs get fixed faster than commercial software," Nazario said.

Vulture-like bot herders also poke around the Internet for infected but dormant hijacked computers, a process called “scavenging.” The attacks aren’t always designed to disable, said Andre' M. DiMino, a researcher at The Shadowserver Foundation. Sometimes the battle is joined simply as a demonstration of force.

“(They try to) demo that their net is stronger than the other guy's net,” DiMino said. A massive attack on the core computers that run the Internet earlier this year may have been a similar demonstration. Last month, the Internet Corporation for Assigned Names and Numbers, which helps run those computers, speculated in a report that the attack was the work of a bot herder trying to close a sale by demonstrating the size and power of his army of hijacked computers.

This latest spate of bot wars is not the first time hacker gang warfare has spilled over into the Internet’s Main Street. In 2004, virus writers who authored malicious programs called Bagle, Netsky, and the aforementioned MyDoom traded insults while attacking computers. And many viruses have targeted Spamhaus.org, a Web site devoted to stopping spam.

But those battles were ultimately just noisy, public demonstrations. The bot wars of today are much more focused -- on the competition -- and much more automated. There is also much more at stake, as profits from spam and denial-of-service attacks soar. But there is one important thing each of these attacks has in common. The weapons in this war aren’t guns or knives, or even fists. The weapon is your computer.