DAILY NEWS AND INFORMATION
FOR THE GLOBAL GRID COMMUNITY / JULY 21, 2003; VOL. 2 NO. 29
Special Features:
GRID TECHNOLOGY USED TO HIJACK PC'S?
More than a thousand Internet users around the world have recently had their
computers hijacked by hackers, who computer security experts say are using
them for pornographic Web sites.
The hijacked computers, which are chosen by the hackers apparently because
they have high-speed connections to the Internet, are secretly loaded with
software that makes them send explicit Web pages advertising pornographic
sites and offer to sign visitors up as customers.
Unless the owner of the hijacked computer is technologically able, the
activity is likely to go unnoticed. The program, which only briefly downloads
the pornographic material to the usurped computer, is invisible to the
computer's owner. It apparently does not harm the computer or disturb its
operation.
The hackers operating the ring direct traffic to each hijacked computer in
their network for a few minutes at a time, quickly rotating through a large
number. Some are also used to send spam e-mail messages to boost traffic to
the sites.
"Here people are sort of involved in the porno business and don't even know
it," said Richard M. Smith, an independent computer researcher who first
noticed the problem earlier this month. Mr. Smith said he thought the ring
could be traced to Russian senders of spam, or unwanted commercial e-mail.
By hiding behind a ring of machines, the senders can cloak their identity
while helping to solve one of the biggest problems for purveyors of
pornography and spam: getting shut down by Internet service providers who
receive complaints about the raunchy material.
The web of front machines hides the identity of the true server computer so
"there's no individual computer to shut down," Mr. Smith said. "We're dealing
with somebody here who is very clever."
By monitoring Web traffic to the porn advertisements, Mr. Smith has counted
more than a thousand machines that have been affected.
The creators of the ring, whose identities are unknown, are collecting money
from the pornographic sites for signing up customers, the security experts
say. Many companies play this role in Internet commerce, getting referral fees
for driving customers to sites with which they have no other connection.
The ring system could also be used by the hackers to skim off the credit card
numbers of the people signing up, said Joe Stewart, senior intrusion analyst
with Lurhq, a computer security company based in Myrtle Beach, S.C.
The current version of the ring is not completely anonymous, since the
hijacked machines download the pornographic ads from a single Web server.
According to the computer investigators, that machine apparently is owned by
Everyones Internet, a large independent Internet service company in Houston
that also offers Web hosting services to a large number of companies. Jeff
Lowenberg, the company's vice president of operations, said that he was not
aware of any illegal activity on one of his company's computers but said that
he would investigate.
Mr. Stewart said the ring was most likely a work in progress, and that flaws,
like being tied to a single server, would be eliminated over time.
He said the ring was troubling not just because of what it is being used for
now but also because of what it might be used for next.
"This system is especially worrisome because they have an end-to-end anonymous
system for spamming and running scams," he said. "It's not a far stretch to
say that people who are running kiddie porn sites could say, 'Hey, this is
something we could use.'"
The computer ring is the latest in an evolution of attacks that allow creators
of spam and illicit computer schemes to use other people's computers as
accomplices. For several years, senders of spam have relied upon a vestigial
element of the Internet mail infrastructure known as "open relay" to use
Internet servers as conduits for their spam.
As network administrators have gradually shut down the open relay networks,
spam senders have used viruses to plant similar capabilities on home and
business computers.
But this appears to be the first viral infection to cause target computers to
display whole Web sites, Mr. Smith, the researcher, said.
A Justice Department official said that the computer ring, as described to
him, could be a violation of at least two provisions of the federal Computer
Fraud and Abuse Act.
The ring has also been used to run a version of a scheme for collecting credit
card information from unwary consumers that has been called the "PayPal scam,"
Mr. Smith said. The hijacked computers send e-mail messages that purport to
come from PayPal, an online payment service owned by eBay, asking recipients
to fill out a Web site form with account information.
It is unclear precisely how the program, which depends on computers hooked up
to high-capacity, high-speed Internet connections, gets into people's
computers. Mr. Smith said that he thought that the delivery vehicle was a
variant of the "sobig" virus. But Mr. Stewart, the computer security expert at
Lurhq, said he had seen no evidence that the "sobig" virus was the culprit,
and is looking at other mechanisms for delivery.
Neither Mr. Smith nor Mr. Stewart has found a simple way to tell whether a
computer is infected. Technically, the rogue program is a reverse proxy
server, which turns a computer into a conduit for content from a server while
making it appear to be that server. Mr. Smith said when word of the program
gets out, antivirus companies are likely to offer quick updates to their
products to find and disable the invasive software.
Computer owners can protect themselves by using firewall software or hardware,
which prevent unauthorized entry and use of computers, Mr. Smith said. The
rogue program does not affect the Apple Macintosh line of computers or
computers running variants of the Unix operating system.
Mr. Stewart, who has written a technical paper to help antivirus companies
devise defenses against the porn-hijacking network, has named the program
"migmaf," for "migrant Mafia," because he thinks the program originated in the
Russian high-tech underworld.
Hackers from the former Soviet Union have been linked to several schemes,
including extortion attempts in which they threaten to shut down online
casinos through Internet attacks unless the companies pay them off.
Antispam activists have also accused Russian organized crime organizations of
taking over home and business PC's to create networks for sending spam. "They
always seem to lead back to the Russian mob," Mr. Stewart said.