By Bob Sullivan Technology correspondent
msnbc.com

One thousand home computers hijacked and used to serve up pornography. Perhaps tens of thousands co-opted by the “SoBig” virus, many of them turned into spam machines. Hundreds of other home computers loaded with secret software used to process stolen credit cards. If your biggest computer crime fear was lost or stolen files, think again: Someone may be using your PC to commit crimes.

A curious spam mail went out and disappeared without much fanfare on June 25. Playing on a familiar prank, the e-mail urged recipients to visit “Windows-update.com” and download a security fix for their computers. Those who fell for the ploy were tricked into downloading a Trojan horse program. The malicious software steered the victim computer into an Internet Relay Chat room, where a computer criminal playing the part of the Pied Piper awaited to issue instructions to the now enslaved PC.

Joe Stewart, senior intrusion analyst with Lurhq Corp., played along with the Windows-Update spam. For one hour that day, he was in the chat room, too. And during that hour, he watched as about 800 PCs were drawn in. There, the hacker loaded them with more software, a small “bot” program which could be used by other chat room members. But what for?

Hiding behind innocent PCs
Internet credit card thieves have a major barrier to cross when they sell stolen card numbers: “Hot” cards become “cold” very quickly, as victims get wise and call to cancel their accounts. No one wants to pay for stolen credit cards that have been canceled. So the theives have written a number of automated programs, or “bots”, that quickly verify the validity of a credit card number. One such bot simply checks to see if a supplied account number follows the mathmatical formulas designed by credit card companies to prevent random account numbers from being used for fraud, called a “checksum.” Windows-Update.com victims had this checksum bot placed on their machines, ready for use by an eager credit card thief looking to test out stolen numbers.

Only one machine would be used at a time, Stewart said. The moment one “bot” computer was disconnected, presumably by a victim who discovered the problem, another was ready to take its place. But each PC that was used in the scheme was an unwitting accomplice to credit card fraud.

“Maybe you don’t think you have anything on your machine worth stealing,” Stewart said. “Well, you do. Your bandwidth and your disk space.”

For years, computer intruders have had their fun at the expense of innocent computer users by seizing control of their machines. Such zombies were a central part of the the first famous major Internet attacks, which knocked Web sites like Yahoo.com and CNN.com offline in 1998.

But such attacks have for the most part been limited to pranks until just recently, when a new spate of malicious computer programs with obvious criminal intent have been unleashed. More and more, experts say, these are for-profit pranks.

“We’re definitely seeing a paradigm shift,” said Richard Smith, the well-known computer sleuth who last week helped uncover a widespread scheme that turned about 1,000 PCs into an elaborate system that served up porn Web sites. “There’s a real problem here. With hijacked computers, there’s a lot of bad things you can do with them. I think we’re just at the beginning.”

Beware of geeks bearing gifts
At the core of the problem is the type of computer virus known as a Trojan horse. It takes its name from the well-known Greek myth, and functions much the same. Trojan horses sneak onto a victim’s computer by appearing to be something benign, like a software update. Unlike the Melissa and LoveBug worms, Trojans don’t spread themselves far and wide, and they don’t call attention to themselves. These programs simply lie quietly on victims’ computers, but now those computers are at the beck and call of the Trojan author.

Five years ago, hacker groups like the Cult of the Dead Cow released Trojans with names like “Back Orifice” to much fanfare, but they were often used just to perform spooky tricks like opening and closing victims’ CD-ROM doors. This new batch of Trojan writers have far more serious crimes in mind, Smith said.

“It seems to me that when the (music industry) starts going after people, they will just start storing songs on other people’s computers. And what if there’s kiddie porn stored on someone else’s computer?” Smith said.

The trail gets cold
Using an army of hijacked computers to commit crimes or send out spam obscures the computer criminal’s tracks effectively — and rotating rogue programs among the machines makes shutting down criminal operations tricky for Internet service providers. Smith actually discovered the porn ring when he was investigating a “phishing” e-mail, a note sent out which appeared to be a request from PayPal.com for users to update their password information on a Web site. The site was actually controlled by people intent on stealing the data.

Such “phishing” e-mails are common now, and the corresponding Web sites are normally shut down within hours when investigators like Smith complain to the Web host provider. But this site stayed up for days because its location was constantly changing — from one innocent victim’s computer to another.

“I got an IP address for it, but the host didn’t know what was going on, and finally I said, ‘Oh my God, it moved.’ It is much harder to do anything about this. The hacker gained a week on us,” Smith said.

Another disturbing fact about the new wave of programs: They are simple and small, and nearly impossible to spot with an untrained eye, said Oliver Friedrichs, senior manager at Symantec’s Security Response Team. The hijackings will likely go unnoticed by victims who aren’t running up-to-date antivirus software and personal firewalls, he said.

“When this thing is running, you’re really not going see it on your system,” he said.

Spam, virus, hacking worlds converge
The trouble really started when the worlds of spam and computer viruses began to converge, said Mark Sumner, chief technology officer at antivirus firm MessageLabs Inc. For years, virus writers were content to just get attention by causing a nuisance. But now, some have discovered that clever virus programming can be profitable — by enabling spammers to hide their trails and send out e-mail from hijacked computers, for example.

“There’s never been any money in writing viruses but now there’s the potential of commercial gain,” Sumner said.

The SoBig virus, first released in January, probably ushered in this new era Trojan horse programs. From the start, Stewart said, it was designed to enable spammers to sneak their e-mail software onto unwitting home users computers who have high-bandwidth connections to the Internet. SoBig is now in its fifth iteration, the most recent released on June 24, the same day as the Windows-Update spam. The coincidence has some researchers, including Smith, thinking that all these Trojan horse incidents might be related — that the SoBig virus was used both to hijack PCs for spam and for serving up porn.

But even if one group is behind the recent spate of incidents, consumers should be aware that virus writers will likely seize on this new way of doing business, experts say. Whatever is successful in the computer underground world is immediately imitated.

“The possibilities are growing as to what your machine can be used for,” Stewart said. “The likelihood that people will encounter (Trojan horses) is pretty high. Whether they infect you or not depends on the computer user.”

© 2013 msnbc.com Reprints

Discuss:

Discussion comments

,

Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments