Hackers for Profit

Remember the worms that plagued the Internet last August? During August 2003, the Internet was a devastated playground with the quickest spreading series of worms and viruses up to that time.

Such damages in 2002 were estimated at $48 billion; in 2003, these same damages were estimated at over $100 billion. A common belief is that these damages reflect victims’ lost productivity plus man-hours responding to and restoring their systems rather than a direct monetary gain for the creators of the worms and viruses. However, there is a growing understanding that the creators of these nefarious packets of code are profiting from these attacks.

Recent media reports have directed attention to the growing threat from business collaboration between virus writers and spammers. Spammers make money on the number of individual messages they can deliver to legitimate e-mail readers. As products become available that block or retard spam, they face an increasing challenge to deliver these messages. Even home users are becoming wise to the spam problem and are using e-mail client rules to defeat spam that makes it to their in-boxes.

What is a spammer to do?

Enter the virus/worm author

If a spammer can “own” a large network of legitimate systems, he has an improved chance of defeating many of the methods and products used to defend against spam. A new business opportunity presents itself to a virus or worm author.

Throughout the Internet there exist networks of zombie machines. Zombie machines are those systems that have fallen victim to a known or unknown attack, possibly through a virus or worm.

The system has become compromised to the point of joint ownership with another member of the Internet community. It is not clear that this joint ownership is good for both parties. Generally, the compromised owner is an unwitting victim and participant in further nefarious activity. His system is now a zombie machine, part of a larger community that is available for various activities on the Internet. These zombie networks become great hosts for launching distributed denial of service attacks and hosts for sending spam.

How did these zombies join this community? Many times it is through a worm or virus that infects their systems through e-mail or peer-to-peer file sharing that includes the necessary piece of code as part of the data payload. Spammers have recognized there is another opportunity to use these same networks—a distribution system.

Think of it: The ability to move a distribution system around the Internet at will. The threat to the total number of hosts diminishes and the ability to capitalize on spam increases.; What more effective business opportunity could one create?

One media report stated that as early as June 2003, MessageLabs discovered that one of the SoBig worms transiting the Internet was in fact establishing zombie networks to distribute spam. Many of the defenses deployed against spam rely on the ability to block messages originating from certain Internet Protocol (IP) addresses. What SoBig and others have created is an ever-changing, and harder-to-defend-against, series of systems with IP addresses not on a list to block (also known as blocklist or blacklist in anti-spam lingo).

Mounting a defense

So how does one mount a defense, especially when the attackers are often victims themselves? Many Internet Service Providers (ISPs) are beginning to terminate accounts when a system is identified as sending spam.

If your system goes fromsending a couple dozen messages a day to a couple hundred, and at the same time your ISP receives multiple complaints about spam originating from your system, you may find yourself without a connection. As more and more home users gain broadband connections, the population of potential spam distribution networks increase. An Associated Press article earlier this year reported that the spam distribution networks were largely focused out of Asia. With the recent trend toward using zombie systems, the focus is changing to the United States. ISPs are learning to combat this trend, resulting in the loss of service to an otherwise “law abiding” Internet citizenry.

In January, the Federal Trade Commission (FTC) announced an international effort against spam. Called “Operation Secure Your Server,” this activity is an effort structured to address business presence on the Internet where open mail services may be available to spammers.

The FTC also passed a consumer alert titled, “Who’s Spamming Who? Could it be You?” The website, http://www.ftc.gov/bcp/conline/ pubs/alerts/whospamalrt.htm, briefly addresses the idea of your system participating in a zombie network for spammers.

Of course, there is a law enforcement challenge to this activity as well. There now exist civil penalties against spam, but there also exist criminal penalties for unauthorized access of computers as well. If this unauthorized access impacts federal government computers or crosses state lines, there could be a federal violation and nexus for the US Secret Service or Federal Bureau of Investigation to step in.


The Internet is a large community of networks. It is often referred to as a network of networks of networks. There are not only home users, but also large enterprise, government and academic participants that make up this network, each a member of a large community that exists outside political and geographical boundaries.

Unfortunately, many of these members don’t take adequate security measures to protect their participation in this community. Doing so may not require anything more than installing and maintaining antivirus and firewall products on each system, as well as maintaining updates distributed by the vendors as new vulnerabilities are discovered. These simple acts can often defeat the activity of a worm and/or virus, and remove your system from the distribution network of spammers and profiteering worm and virus writers. In the end, the community at large benefits.  HST

Keith T. Schwalm, formerly a special agent with the US Secret Service and director of Cyber Security Research in the Department of Homeland Security, is vice president of Good Harbor Consulting, LLC

(Visited 31 times, 1 visits today)

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Leave a Reply