
Who's behind criminal bot networks?


They have infected perhaps 100 million computers with viruses, turning the PCs around the world into an army of willing criminal assistants known as “bots.” They are using those PCs to send out billions of spam e-mails and make millions of dollars by attacking Web sites and extorting their owners. They have even attacked the core computers that keep the Internet running smoothly. Who are they?

The answer to that question is elusive, but there are a few clues.

In part one of this series, we described the epidemic of hijacked computers that’s swept the Internet. Controlled by malicious programs, the computers are turned into robots, or bots, that are directed by criminals known as bot herders.

Part two looked at how profitable the bot business has become, leading hackers to engage in gang warfare in cyberspace for control of these hijacked computers -- a digital battle that has spilled out onto the Internet’s Main Street.

Today, we examine who is behind these networks of infected computers.

For years, computer hackers typically were precocious, anti-social teen-agers who committed digital vandalism just to get attention. But computer crime has grown up, and grown into a big business. Now it is used by highly organized gangs to steal millions of dollars.

The top gangs, most agree, are in Russia, Eastern Europe and Brazil, although there also are a few up-and-coming cybercrime syndicates in Asia.

Cybercriminals tend to be talented computer programmers who can make much more money stealing than working, the experts agree. There is so much money to be made in cybercrime that some observers speculate that terrorists are using it to raise money and support their organizations.

Computer security experts disagree on whether terrorists are involved in cybercrime, but there is one sure sign that computer crime has become a much more sober affair: Many experts interviewed for this story shied away from talking about the topic of who’s behind botnets, pointing to concerns for family safety.

"When I got into this, it was kind of a game," said one expert who spoke on condition of anonymity. "Now, it's very serious. I wouldn't want my name attached (to comments about the topic)."

That's a new sentiment in an industry that has often been criticized for using hyperbole to generate publicity.

Recruited by professionals

Bot herders are still typically young -- perhaps 18 to 25 -- often only a little bit older than a teenage hacker, says David Marcus, security research and communications manager with McAfee. They are nearly always men. And they often live in an area where traditional, big-money computing jobs are difficult to find.

"There are limited ways to make money," he said. "This is the way for them to make a lot." Marcus said he thinks organized crime is behind a lot of bot activity, but Mafiosi aren’t coding Trojan horse programs. Instead, their money funds hacker operations and is used to recruit computer savvy youngsters, he believes.

"They watch for bright kids and they start them on small tasks, like ‘Find me 100 passwords and I'll give you 1,000 rubles,’” he said.

In more aggressive recruitment programs, organized crime will actually pay for a computer geek to get through college, essentially a hacker scholarship, said Marcus.

Some say there are as many as 45,000 different botnets sending out spam and being used for other cybercrimes, but Professor Randy Vaughn of Baylor University said he believes there are as few as six or seven major bot gangs and as few as 1,000 criminals controlling all the infected computers.

“And the number of genuine genius bot programmers is probably much smaller than that,” he said. “In each group there are a few geniuses and there are a bunch of groupies who hang around on the botnet and attempt to gain credibility with the botnet operators.”

The groupies hope to learn enough that they can control their own vast botnets, but in the meantime they act as money handlers or perform other menial tasks for the “genius” programmers, Vaughn said.

E-commerce nightmare

Bot herders aren't necessarily spammers, but the two are often linked, as virtually all spam is now sent from hijacked computers, experts say.

The Spamhaus top 10 list of worst spammers is now populated by Russians, Ukrainians and a Chinese ring.

Craig Schiller, a professor at Portland State University and author of “Botnets: The Killer Web App,” said those who designed the Internet wanted a system that would allow buyers and sellers to connect from around the globe. They had no idea that the network would become a platform for global crime, he said.

“This is the e-commerce that people dreamed about but didn't realize it was a nightmare,” said Schiller.

The arrest of three Russian bot herders last year offers a rare glimpse into the world where such nightmares are born.

Three men -- Alexander Petrov, Denis Stepanov and Ivan Maksakov -- spent a year terrorizing e-commerce sites as part of a ring of 16 criminals. The ring used armies of computers to overwhelm gambling Web sites and other firms that could ill afford Internet down time, then extorted money from the operators to halt the traffic flood.

Mikko Hypponen, a security expert at F-Secure, acted as a consultant to one victim, an online CD and DVD retailer. The store eventually paid a ransom of $40,000 to get its site back, he said.

In all, the hackers took in about $3.9 million in payments, according to evidence presented at their trial.

“And many companies invested much, much more paying to build a defense against these attacks,” Hypponen said. Russian media estimated the total damages caused by the group at $79 million.

The ransom money was wired in small amounts to 10 different bank accounts in Riga, Latvia, Hypponen said. So-called “money mules” – middle men who simply help move stolen money from one account to another, usually crossing borders along the way – picked it up from these accounts and wired the money to accounts in St. Petersburg or Moscow.

Another set of mules eventually brought the money to the small city of Balakov in western Russia. It was in Balakov that Maksakov, a 22-year-old student at the Balakov Institute of Engineering, Technology and Management, issued orders for the botnet attacks, according to Russian media reports. But while the orders were given in Balakov, the main computer server that controlled the attack was in Houston.

Russian police nabbed the threesome with the help of Scotland Yard by following the money trail, Hypponen said.

The three Russians were sentenced to eight years apiece in jail by a Balakov court last fall. But Hypponen said most of the gang remains at large, including several suspects in Kazakhstan.

Their exploits don’t rival those of Brazilian gangs, experts say. In 2005, more than 50 Brazilians were arrested after allegedly stealing $33 million with a targeted Trojan horse program that stole online banking passwords.

Domingo Montanaro, a computer forensics expert and banking consultant in São Paulo, Brazil, said Internet crime gangs there operate almost with impunity. In a recent case, he said, he helped nab a ring of 100 criminals that had gained access to 10,000 Brazilian bank accounts.

“Criminals in Brazil do some incredible stuff because police cannot fight them anymore,” he said. “They are not even using techniques to hide themselves. We only arrest maybe 3 or 4 percent of them.”

Driven by revenge

Some attacks are driven by revenge as well as financial gain.

Last year, a noted Russian spammer nicknamed PharmaMaster – he usually advertises pharmaceuticals – felt his business was endangered by a Silicon Valley anti-spam startup named Blue Security.

PharmaMaster initiated an attack that crippled Blue Security’s Web site. The firm countered by placing information about the attack on its corporate blog, hosted by the popular blog service TypePad, owned by Six Apart Ltd. PharmaMaster then hired a bot herder to conduct a denial-of-service attack that knocked Six Apart’s blog-hosting service offline, taking every blog hosted on it down with it.

Eventually, Blue Security surrendered and got out of the business of anti-spam software.

“PharmaMaster paid $1 million to take out Blue Security,” or about $2,000 an hour for the attack, said Schiller, the Portland State professor. “But (PharmaMaster) was making $3 million a month, so it was worth it.”

At the time, security experts said the Blue Security attack was so severe that only a few of the world’s largest corporations would have been able to withstand it.

Given the power that the bot herders wield, questions inevitably arise about whether terrorists are behind such crimes. There is no clear answer, and security experts are divided on the issue.

Terrorism link?

The discussion was energized by Gartner security analyst Avivah Litan last month, when she issued a report describing the recent arrest of about 50 hackers in Egypt and Lebanon.

“My hypothesis is that the computer brains are still in Russia and Eastern Europe, but some of their operations are being financed by terror organizations. I am hearing that,” she said. “If you were terrorists, wouldn’t you get in touch with these guys?”

Hypponen disagrees, saying there isn’t any evidence that terrorists are playing with bot networks.

“Sure it could happen some day. But I don’t have any information, or even any hearsay, that links this to terrorism,” he said.

There is plenty of evidence that organizations like al-Qaida are willing to use the Internet to get attention or to communicate, counters Schiller.

“I’d be surprised if (terrorists) weren’t using these (botnets),” he said. “In their charters they talk about using terrorism to further their aims. They are inclined to use technology against us; it is a huge force multiplier for them.”

Botnets are indeed a textbook example of a “force multiplier” -- one computer, telling 100 other computers, telling 10,000 other computers to attack someone or something.

That makes it inevitable that terrorists bent on disrupting communications and financial systems will at least attempt to harness their power.

But while terrorism’s link to botnets is tenuous at best, there is no doubt that real-world criminals already are using them to make big money. And given the alarm bells being rung in almost all corners of the computer security world, it seems likely that the botnet problem is going to get worse before it gets better.
