Hackers fight rivals, FBI to curb hijacked networks

Published Jun 12, 2011


Just after 3am on May 26, Karim Hijazi, the chief executive of Unveillance, a cyber-security firm, received an e-mail from hackers calling themselves LulzSec. They demanded he help them take over some networks of hijacked computers that other criminals were operating.

Unveillance had information on the so-called botnets because it was tracking them for potential corporate targets, Hijazi said in an interview. LulzSec had leverage to make Hijazi comply because it had hacked his company’s e-mail system and threatened to post captured confidential documents online if he did not help the group.

“If they did get a hold of these, they could potentially do way more damage than what’s already being done to these corporate targets,” said Hijazi, who rejected the demands. “The harm could be monumental,” Hijazi said.

Botnets, which secretly control almost one-fifth of all home computers, have become a hotly contested terrain in the cyber-underground, according to Alex Cox, a security researcher at NetWitness.

Criminals who run them, or rivals who want to, are facing off against each other and against law enforcement and intelligence agencies that seek to render the rogue networks harmless or use them for their own purposes, according to cyber-security experts.

Botnets are created through programmes secretly downloaded on computers in homes, offices and schools across the globe.

The programmes have grown more powerful each year, and cyber-criminals have learned to create networks far larger than any corporation’s using other people’s computers.

The enslaved “bots”, as the infected computers are known, had become so pervasive they now threatened the security of the internet, said Gunter Ollmann, the head of research at Atlanta-based Damballa, which tracks botnet activity.

At least 18 percent of home computers are now under remote command of cyber-thieves without their owners’ knowledge, according to Damballa’s research.

For corporate computers, which are usually protected by expensive security measures, about 7 percent were controlled by such malicious software or “malware”, which was hidden from the user and controlled via the Net, Ollmann said.

The FBI dismantled the so-called Coreflood botnet in April.

The botnet was operated by a gang of Russian cyber-thieves who siphoned financial information off their hosts; agents estimated that the software controlling it had infected more than 1.8 million computers in the US alone.

Botnet victims

The stolen information was used to make bank transfers in some cases of hundreds of thousands of dollars, the Justice Department said. Thieves attempted to transfer more than $934 000 (R6 million) from an unnamed defence contracting firm in Tennessee in one case. They removed $78 421 from the bank account of an unidentified law firm in South Carolina and $115 771 from an unidentified real estate company in Michigan, according to court papers.

“Botnets are one of the most common ways of making money in the cyber-underground,” said Cox, the NetWitness security researcher.

“When I have control of a botnet, regardless of what family of malware it is, I have a tremendous amount of power.”

Botnets do have a weakness. The infected computers feed confidential information to command-and-control servers, which can themselves be hijacked. Though technically demanding, the move allows the takeover of a valuable criminal asset by a rival or the dismantling of it if law enforcement does the seizing.

Unveillance had access to data that could make such hijacking easier, and that, Hijazi said, was what LulzSec wanted.

“I’m sure we can settle on control of bots,” a LulzSec hacker called Ninetales told Hijazi, according to a computer log of their interaction provided to Bloomberg News by Hijazi. When Hijazi said he didn’t want to face extortion, another hacker named hamster_nipples replied: “Unfortunately, you have little choice at this point.”

Hijazi, who declined to identify his corporate clients, refused to comply with LulzSec’s demands and rejected a separate request for money. The hackers posted the company’s e-mails on the internet on June 3.

Botnets can be used to launch so-called denial-of-service attacks, which can bring down websites by inundating them with thousands of service requests a second.

“Imagine a crank phone call,” said E J Hilbert, a former FBI cyber-crime investigator.

“Now imagine 10 000 people calling your house all at the same time. That’s basically what a botnet can do to a website.”

More sophisticated malware can scrape company computers for login passwords and financial information, automatically siphoning terabytes of data into servers located in Ukraine or Belarus or China, where law enforcement is lax, according to Cox.

Zeus for sale

Malware sold under the name Zeus let cyber-thieves hijack online banking sessions in progress, transferring money to illicit accounts without the computer owner realising it, said Don Jackson, who tracks malware for Dell SecureWorks, a cyber-security firm based in Atlanta.

Jackson estimated that Zeus had been used to steal more than $1 billion from bank accounts over the past several years.

Hijazi said the LulzSec experience made him realise how his company’s research on botnets had turned his small firm into a target not just for LulzSec, but potentially much more powerful criminal enterprises. “We’re taking away their fraud machines, their DDOS tools,” Hijazi said, referring to denial-of-service programmes.

“It’s something that is going to make these people mad.”

So would a takeover of a botnet by a government agency.

“From an intelligence standpoint, getting control of a botnet in a country an intelligence officer is interested in would be a pretty good spying opportunity,” Cox said.

He said he didn’t have personal knowledge that US intelligence employees were using botnets.

Documents leaked when hackers posted the e-mails of another security firm, Sacramento, California-based HBGary, detailed how botnets were being used for spying by the US’s military and intelligence agencies.

The FBI’s seizure of Coreflood’s command-and-control systems was the first time that US law enforcement officials were known to have hijacked a botnet, a technique pioneered by researchers years before, according to Wenke Lee, a botnet researcher at the Georgia Institute of Technology.

Decapitating network

After obtaining a court order, FBI agents took control and ordered the malware in infected machines to shut down.

The move was praised by many cyber-security experts for decapitating a massive criminal network that had been operating for almost 10 years.

The FBI briefly had control over millions of individual computers in the same way the hackers did, in what was previously considered a violation of federal hacking statutes, Hilbert said.

“Whenever we tried to do it before, we were always told it was illegal,” Hilbert said of earlier efforts by some in the FBI to try the takeover strategy.

“Shades of gray or not, the bottom line is you’re going into a computer without the owner’s permission and killing the programme.”

US District Judge Vanessa Bryant in Hartford, Connecticut, ruled that the US could set up a substitute server to replace the seized ones.

The ruling allowed the server to be operated, under law enforcement supervision, by the Internet Systems Consortium, a non-profit group in Redwood City, California.

Gordon Snow, FBI assistant director for the cyber-division, said the Coreflood operation would be followed by others like it.

“I expect we’ll see more of it,” he said. – Bloomberg
