Dell reports up to twenty five percent of their helpdesk calls
are spyware related. Spyware has become as intrusive and
pervasive as viruses. Some forms are a nuisance to the
point of making your computer crash Spyware has to be
running in order to work. It runs in your RAM and by doing
so uses your systems resources.The more spyware you
have the slower your machine will run until it crashes. Most
computers run like new after spyware has been removed.
There are too many forms of spyware to list here but this
link will give you a definition.
We have become very proficient at removing spyware.
Depending on the severity of the infestation a total
reinstallation is sometime required. A service call can give
We can help innoculate your computer but internet surfing
habits are generally what start the trouble. Below is a list
of things to watch to help keep you from becoming a
Spyware victim. We can also make a clone of your current
operating system drive and restore a spyware ruined
system from it.
1. If you are recieving an increasing number of
pop-ups you are probably in the early stages of an
infection. If not removed the spyware program will contact
it's writer for more spyware
2. When sufing the web don't click "OK" to
download or install anything unless you know what it is.
Many of these downloads are trojan type programs.
3. All spyware has to run using your RAM or system
resources. This can be checked in all Windows operating
systems. In XP and Windows 2000, right click on the
taskbar and select "Task Manager". Next choose
"resources." In order to run smoothly you should have a
minimum of forty percent or higher free resouces
In Windows 98 right click on "My Computer" and choose
the " resources " tab
4. Install a Firewall. Run the firewall program scan
during the setup stage so it will not constantly badger you
for various permissions
5. Check your browser security settings.If you use the
Windows Update site some of the security updates will
reset these for you.
6. Download and install Firefox. It is a browser very
similar in appearance and functionality to Internet Explorer.
So far it is much more secure than IE but who knows.
7. If you use AOL download the latest version. It is not
the most secure browser to begin with but the newer
versions are much better than previous editions. Before
you upgrade to the newer AOL run the configurator at their
website. It will scan your system and tell you whether or
not your computer will handle the newer brower.
8. Most, but not all low price games and card creator
programs included spyware. If you take the time to read
the End User License Agreement (EULA) as you install the
program you will see you are agreeing to their terms which
includes the spyware. The cost of the software is
subsidised by the spyware , hence the low price. The
problem is you have to click "Agree" to use the software in
the first place so you are stuck. After installing one of
these programs run your anti-spyware utility to clean out
the spyware. If you are fortunate the main program will still
run. If not re-install
These are just a few things you
can do to protect yourself from
As spyware evolves we will post
new findings so check back
once in awhile to see what is
Thinking of getting your
own business or personal
Website ? Click HERE
Invasion of the Computer Snatchers
Hackers are hijacking thousands of PCs to spy on users, shake down online businesses, steal identities and send millions of pieces of
spam. If you think your computer is safe, think again
By Brian Krebs Washington Post
Sunday, February 19, 2006; Page W10
In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers
around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that
turned them into slaves.
Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as
"0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a
series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users
with advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential
The young hacker, who has agreed to be interviewed only if he isn't identified by name or home town, takes a deep drag of his smoke
and leans back against the couch to exhale. He smiles. This is his day job, and his work is finished in less than two minutes. In two
weeks, he will receive a $300 check from one of the online marketing companies that pays him for his services.
"Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few
hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per
month, although he's made as much as $10,000. Not bad money for a high school dropout.
Hacked, remote-controlled home computers, known as robots or "bots," and large groups of robot networks like the one 0x80 runs --
called "botnets" -- are the souped-up cyber engines driving nearly all criminal commerce on the Internet. Botnets are used to relay millions
of pieces of junk e-mail, or spam, touting everything from cheap Viagra to get-rich-quick business schemes. And the botmasters who
control these computer networks are at the heart of ominous and increasingly common online shakedowns known as "denial of service
attacks." In such an attack, Web gangsters demand tens of thousands of dollars in protection money from businesses. If the businesses
refuse to pay, the criminals order the thousands of computers that make up their botnets to flood the Web sites with meaningless traffic,
crippling the businesses and costing them thousands or hundreds of thousands of dollars in lost revenue.
0x80 says that he doesn't use his botnet to shake down businesses. Instead, he and a growing number of botmasters make money by
seeding their botnets with spyware, also known as adware. Once installed on a PC, the adware serves up pop-up advertisements and
mines data about the user's online browsing habits. The computer worm that powers the botnet also gathers far more sensitive data from
the victim's machine, including passwords, e-mail addresses, Social Security numbers and credit card data. The spyware and adware
problem is pervasive and growing: A recent survey by the National Cyber Security Alliance and America Online found that four of five
computers connected to the Web have some type of spyware or adware installed on them, with or without the owner's knowledge.
The distribution of online advertisements via spyware and adware has become a $2 billion industry, according to security software maker
Webroot Software Inc. And as the industry has boomed, so have the botnets. Just a few months ago, FBI agents arrested a 20-year-old
from Southern California for installing adware on a botnet of more than 400,000 hacked computers. Jeanson James Ancheta's victims
included computers at the Naval Air Warfare Center and machines at the Defense Information Systems Agency, according to
government documents. He pleaded guilty to the charges last month.
Like Ancheta, 0x80 installs adware and spyware surreptitiously, though the law requires the computer owner's consent. The young hacker
doesn't have much sympathy for his victims. "All those people in my botnet, right, if I don't use them, they're just gonna eventually get
caught up in someone else's net, so it might as well be mine," 0x80 says. "I mean, most of these people I infect are so stupid they really
ain't got no business being on [the Internet] in the first place."
Tall and lanky, with hair that falls down to his eyebrows, 0x80 almost never looks you in the eye when he talks, his accent a slurry of heavy
Southern drawl and Midwestern nasality. He lives with his folks in a small town in Middle America. The nearest businesses are a
used-car lot, a gas station/convenience store and a strip club, where 0x80 says he recently dropped $800 for an hour alone in a VIP room
with several dancers. He tells his parents that he works from home for a Web design firm. His bedroom resembles a miniature mission
control center, with computers, television and computer monitors, and what must be several miles' worth of tangled wires plugged into an
array of surge-protected power strips.
At the moment, 0x80 controls more than 13,000 computers in more than 20 countries. This morning he installs spyware on just a few
hundred of the 2,000 PCs that he has commandeered in the last few hours. He will stagger the remaining installations throughout this day
and into the next, using a program he wrote that automates the process. If he installs too many bundles of spyware at once, the online
marketing companies, "get suspicious, they cut me off, and I don't get paid," he mumbles, squinting at the screen while the nub of his
cigarette sprinkles ashes all over his laptop and the coffee table. "I've learned not to get greedy."
A small dog with matted fur enters the living room and winds through 0x80's feet. 0x80 gives the dog a gentle shove with his foot, without
even looking up from his laptop. He furiously stabs at the keyboard with his two forefingers, punching out a short command that produces
a mesmerizing blur of black-on-white text that scrolls up the computer screen at several pages per second. 0x80 makes it halfway through
a cigarette before the text flying across the screen finally stops. The command he typed -- "pstore" -- is short for "password store." On the
screen in front of him is a listing of every user name and password that the owner of each infected computer has stored in the Microsoft
Internet Explorer Web browser on his or her computer.
A quick scroll through the first few dozen pages of the file reveals credentials his victims have used to log in to online accounts at PayPal,
eBay, Bank of America and Citibank, to name just a few. Many of the Web sites for which user names and passwords are stored are
harmless, such as sports or hobby sites. Others are potentially far more revealing, such as hard-core sex and fetish Web sites. 0x80 has
also found credentials for thousands of e-mail accounts, including dozens at ".mil" and ".gov" (U.S. military and government) addresses.
One of his victims, a computer-loving 29-year-old pastor named Michael White, could tell 0x80 plenty about jail. White runs the Agape
Church and Christian Center in Memphis but admits he wasn't always a man of God.
Ten years ago, he was a freshman at the University of Memphis, where he was on the track team and the dean's list. Then he fell in love
with liquor, he says, and flunked out of school. He landed in jail twice over the next 18 months, both times for driving a car that didn't
belong to him.
Next came the accident that changed his life. One night, while White was driving a friend's Mitsubishi Eclipse, a police cruiser pulled up
behind him, lights flashing. White says he was intoxicated, and driving without a license or insurance. He panicked, floored the car and
lost control, flipping the Eclipse over and over until the fuel tank ignited. White woke up in a hospital bed with third-degree burns over 30
percent of his body. The searing heat from the explosion had melted his ears into little nubs, and doctors had amputated the pinky finger
on his scarred left hand.
Fifteen plastic surgeries and more than two years of physical therapy later, White had healed enough to face the charges against him,
which included aggravated assault for endangering the lives of other motorists. He pleaded guilty in 1999 and served almost two years at
a prison in Tennessee.
During his time in prison, he says, "I realized the Lord had called me to ministry." Since White's release in 2001, God has played a huge
part in his life. And so have computers. He typically spends 50 to 60 hours a week surfing the Web, instant-messaging and e-mailing. He
even met his wife online. Shortly after starting his ministry, he entered an online chat room dedicated to Christian ministries and struck up
a conversation with a woman using the screen name "Warrior Princess." They hit it off immediately and married 15 months later.
Taneshia gave birth to their first child, MaKalya, last month.
But the same technology that led White to his wife betrayed him last summer. His desktop computer, which he had paid $350 for in 2004,
was suddenly inundated with pop-up ads for adult Web sites. A mysterious toolbar with the symbol "XXX" had shown up in the topmost
portion of every Internet Explorer Web browser window he opened.
A friend spent a few days trying to remove the pornographic software, but each time he did, the software reinstalled itself after the
computer was reconnected to the Internet. White initially suspected that one of the kids he tutors after school had used his PC to visit
some questionable Web sites. He wasn't aware that his computer had been hijacked by 0x80 until he was contacted by the reporter
writing this story.
0x80's bot program was able to infiltrate the pastor's computer because the PC lacked dozens of software patches that Microsoft has
issued to fix security flaws in its Windows operating system. White says he was counting on a $50 firewall and antivirus software suite he
purchased from Trend Micro to keep hackers and viruses from attacking his PC, but he confesses he's not sure whether the software
was equipped with the latest updates that would allow it to detect the most recent viruses.
"I'll be honest, as someone who loves technology, I've not done a great job with this computer," White says. He eventually opted to buy a
new PC rather than spend the time and money to repair the infected one. "It just made more sense for me to get a new $300 Dell that
came with a free monitor that was better than the one I had," he says.
The whole episode, he says, has taught him a valuable lesson: It's easier to take the precautions needed to keep a computer from being
hacked than it is to clean it up after the damage has been done. "Overall, you've got to realize that, just like if you don't secure your home,
you run the risk of getting burglarized; if you're crazy enough to leave the door on your computer open these days, like I did, someone's
gonna walk right in and make themselves at home."
0x80 began learning how to program at age 14, before his family even owned a computer. Like many hackers of his generation, he got
his start by meeting techies on networks run by America Online.
This buddy of mine who lived two houses down from me had a computer before I did. He was always on AOL, but he also always had
trouble figuring out how to do stuff, so I'd just go on all the time and figure it out for him." 0x80 says he got into writing viruses by accident
after logging onto an AOL chat room named "Lesbians Only."
"Someone sent me a virus that made it so that every time I typed anything on the keyboard it would pop a message up on the screen that
said, 'I'M [expletive] GAY!'" 0x80 recalls. He tried to stop the computer from flashing the message, but nothing worked. "I finally found
[information] on it using my friend's PC and figured out how to write a batch script to stop the virus." After that, 0x80 became obsessed
with computer viruses and dedicated nearly all his time to tinkering with them. On his 16th birthday, his folks gave him his own computer
to do schoolwork. It wasn't long before 0x80 was skipping school to spend time in online channels known as Internet Relay Chat, a vast
sea of text-based communications networks that predates instant-messaging software. There are tens of thousands of IRC channels all
over the world catering to almost every imaginable audience or interest, including quite a few frequented exclusively by hackers, virus
writers and loose-knit criminal groups. IRC channels have traditionally been among the most popular means of controlling botnets.
About two years ago, 0x80 entered an IRC channel where several hackers were bragging about how much they were making using
botnets to install spyware. Up to that point, 0x80 had used his botnet mainly for "packeting," conducting petty denial-of-service attacks to
knock his buddies or enemies offline. Within a few weeks of visiting that channel, 0x80 was modifying the computer worm code he
needed to transform his botnet into a money machine.
He and his hacker friends are part of a generation raised on the Internet, where everything from software to digital music to a reliable
income can be had at little cost or effort. Some of them routinely go out of their way to avoid paying for anything. During a recent
conference call with half a dozen of 0x80's buddies using an 800-number conferencing system they had hacked, one guy suggests
ordering food for delivery. Nah, one of his friends says, "let's social it." The hackers take turns explaining how they "social" free food from
pizza joints by counterfeiting coupons or impersonating customer service managers.
"Dude, the best part is when you walk in, you hand them the coupon or whatever, they give you your [pizza], and you walk out," one of
them enthuses. "Then, it's like, yes, I am . . . the coolest man alive."
"Dude, that's so true," echoes a 16-year-old hacker. "Free pizza tastes so much better than pay pizza any day."
0x80 expresses some ambivalence about this lifestyle and occasionally ponders what he should do next. He's toyed with the notion of
going to a community college to get a degree in computer science, but the idea of getting an honest job with a legitimate tech company
doesn't hold much appeal. "I'd probably have to take a pretty bad pay cut no matter where I worked," he says.
Asked whether he worries about getting caught, 0x80 stuffs his hands into his jeans pockets, shrugs his shoulders and looks down at his
shoes. "To tell the truth, man, I'm sorta surprised they haven't caught me yet." He claims he doesn't care but then confesses that he
dedicates quite a bit of time to covering his tracks. "I do stay up very late each night trying to make sure nobody is going to kick in my
front door . . . If I do [get caught], I'm not all that worried. I've got enough money. I can always get a good lawyer."
Adware and spyware distribution companies promise instant riches to people who agree to help install their programs. These installers
are known in the business as "affiliates."
Many adware distribution sites recruit affiliates with photos of stacked $100 bills. GammaCash.com, for instance, the company that
makes the XXX toolbar that Michael White discovered on his computer, features an animated image of a pair of hands cupped to hold
an expensive watch. Wait a few seconds, and the watch disappears, only to be replaced by a Cadillac sport utility vehicle, which quickly
morphs into a yacht.
The companies include in their "terms and conditions" disclaimers that they do not permit the installation of their products without the
consent of the person who owns the computer. Most claim they will terminate without pay any affiliates who violate that rule
But 0x80 and one of his friends -- who goes by the screen name Majy -- say they've easily disguised their installation methods. Their
biggest complaint about the whole enterprise: being routinely shortchanged by the adware distribution companies, which often "shave,"
or undercount, the number of programs installed by their affiliates.
"It sucks, too, because the companies will shaft you, and there isn't a lot you can do about it," says Majy, 19, who claims to have had as
many as 30,000 computers in his botnet.
There are, in fact, legal ways to induce PC owners to download spyware and adware. Most computer users acquire spyware and adware
simply by browsing certain Web sites, or agreeing to install games or software programs that come bundled with spyware and adware.
Before its Web site went dark not long ago, TopConverting.com bundled its adware and spyware with products most likely to appeal to
children and teenagers: simple games, online game insignias or "avatars," and "emoticons," custom-made smiley faces for use in
instant-message software. The company also marketed short digital videos that catered to the humor of teenage boys: "Beavis and
Butt-Head" cartoons, a short clip called "Boob Boxing" and another titled "Bath Fart."
Computer users may or may not understand what they are consenting to when they click "OK" to the lengthy, legalistic disclosures that
accompany these games or videos. But those notices are legal contracts that essentially absolve the adware companies from any liability
associated with the use or misuse of their programs.
0x80 and Majy don't leave computer owners any chance to decline the adware. Once they invade a computer and add it to their botnet,
they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements. 0x80 says he even created
a program that allows him to remotely wipe computers in his botnet clean of old adware, making room for him to install new adware -- and
get paid again.
And getting paid is the whole point. Majy says TopConverting, which did not respond to requests for comment for this article, paid him an
average of $2,400 every two weeks for installing its programs. He got 20 cents per install for computers in the United States and five
cents per install for PCs in 16 other countries, including France, Germany and the United Kingdom. A nickel per install doesn't sound like
much, unless you control a botnet of tens of thousands of computers.
Majy also receives income from Gamma-Cash, which bills itself on its Web site as "an industry leader in online adult affiliate programs."
The company pays affiliates to drive traffic to adult Web sites, mainly through pop-up advertisements for porn sites served to users
through its XXX toolbar, which hijacks the victim's Web browser and sets its home page to one of several subscription porn sites. Majy
says Gamma-Cash, which did not respond to requests for comment, sends him a $400 check each month from a bank in Canada.
0x80 also installs adware for Gamma-Cash. And he works for a company called Loudcash, which was recently purchased by one of the
largest and most important players in the adware business: 180solutions.
Half of the glass-and-steel structure that houses 180solutions' sprawling headquarters in Bellevue, Wash., rests underground; the other
half juts out at acute angles. The rooftop sports an AstroTurfed volleyball court, a gas grill and a commanding view of the Seattle skyline.
Some of the company's 200-plus employees zip around the long hallways on Segways or foot-powered scooters. Throughout the building
are polka-dotted posters that read, "Who Do You Want to Be?" The signs are meant to challenge employees to continuously reevaluate
their roles, but they also reflect the seven-year-old company's effort to prove to the world that it has executed a 180-degree shift away
from its past business practices.
180solutions got its start in the adware industry with a product called Epipo, which paid people roughly six cents per hour to view
specially targeted advertisements sent to their computers. The product became popular among college students, who quickly figured out
ways to automate browsing the Web so that they could get paid for viewing ads while they were away from their computers. According to
allegations in a lawsuit filed by the Washington state attorney general's office, 180 responded by changing the payment terms so that it
was virtually impossible for people to collect the promised money. The company nearly went bankrupt when it settled the suit in 2002.
By that time, 180 had changed its marketing strategy. Instead of paying people to install its adware, the company lured them with free
games, which came bundled with ad-serving software called "n-Case." The software tracked users' surfing and buying habits, and was
extremely difficult to remove. Consumer advocates had little difficulty showing that n-Case was being installed without user consent.
Faced with increasing criticism for the fraudulent installs, 180 rebranded the software as 180 Search Assistant. The new software's chief
distinguishing feature was that it was easier to remove than n-Case.
through bad business practices and that they continue to make money from that user base is hardly unique to them," Edelman says.
"What really makes people so mad is that 180 is far less apologetic than the other players" in the industry.
The Center for Democracy & Technology, the leader of a group called the Anti-Spyware Coalition, spent two years working with 180 to
resolve dozens of consumer complaints about surreptitious installs. Ari Schwartz, the center's deputy director, says each time the subject
arose, the company claimed it was blindsided by the accusations and that it needed more time to correct its distributors' behavior.
Weeks after 180solutions said it was discontinuing its 180 Search Assistant software, a computer worm began spreading rapidly across
AOL's instant message network, downloading and installing viruses and a host of other programs -- including 180 Search Assistant -- on
victims' computers. While 180 denied it had anything to do with the worm, for the CDT, that was the last straw: On January 23, the
nonprofit filed a detailed complaint with the Federal Trade Commission urging the agency to sue 180solutions for violating consumer
In a statement, 180solutions denied that it was ignoring the problem, arguing that it had made "great progress in the fight against
spyware" and insisting that it shared the CDT's vision of "protecting the rights and privacy of consumers on the Internet . . . We have
made voluntary improvements to address every reasonable concern that the CDT has made us aware of."
Company executives acknowledge they didn't begin addressing the fraud problems wrought by what 180 co-founder Dan Todd calls "a
few bad actors" until mid-2004. Dressed in worn-out jeans and an untucked dress shirt, 34-year-old Todd puts one foot up on the coffee
table in his glass office and tries to explain how things spiraled so far out of control. "At some point between dealing with legitimate
distributors and these botnet guys who try real hard to look like good guys, we realized that something had gone terribly wrong and that
our plan of outsourcing our relationship to the consumer had backfired," Todd says.
Last year, he says, 180 executives purchased some of their biggest distributors, including Loudcash, as part of a plan to rein in "rogue
distributors" and help clean up the company's adware distribution practices. 180 says it no longer allows its adware to be bundled with
adult Web site content or peer-to-peer (P2P) online file-sharing services that many people accuse of promoting music and movie piracy.
"Our goal," he says, "is to minimize the financial incentive for people to install our software illegally, with the goal of making sure that our
money never gets paid to bad actors."
To demonstrate its commitment, 180 filed lawsuits last year against seven distributors, accusing them of using botnets to earn more than
$60,000 installing the company's adware without computer owners' consent. When the defendants -- all of whom live outside of the United
States -- refused to make the trip here to face the allegations against them, 180 referred the matter to the FBI, says company attorney
The company also worked with the FBI and Dutch authorities last year on an investigation that shut down a botnet of more than 1 million
computers in the Netherlands. The FBI acknowledged that 180 was instrumental in helping to track down the botmasters. 180, in fact,
became the target of a denial-of-service attack by the botmasters, who were furious that the company was refusing to pay them for
surreptitious adware installs. The attack briefly crippled 180's Web site, making the company a victim of the botnet phenomenon.
Yet 180's insistence that it is cracking down on botmasters has yet to win over the anti-spyware activists, who have spent years
unraveling the labyrinthine economic ties among advertisers, adware vendors and their affiliates. The anti-spyware hawks don't believe
180solutions has changed the way it operates or that the company is buying up major players in the adware industry in order to clean up
its act. "That's sort of like a drunk saying he's buying up a liquor store to solve his drinking habit," says Eric Howes, an executive at
Sunbelt Software, an anti-spyware firm.
At a recent anti-spyware conference, Todd was openly mocked for claiming that 180 previously had no way of knowing how many of its
distributors were installing its software illegally. Someone at the conference suggested that 180 use its technology to periodically present
users with pop-ups asking them whether they had authorized the adware to be installed in the first place. Now the company says it is
doing just that. If the answer is no, the user can remove the software with a click of a button.
0x80 hasn't paid much attention to the public condemnation of 180's business practices. And he says he doubts any of the measures the
company is taking will discourage botmasters from installing adware. "It doesn't really matter what  does to try and stop them," the
hacker says. "There's just too much money to be made there. People will just find another company to work with."
Sam Norris answers the door of his handsome stucco-and-Spanish-tile home near San Diego dressed in jeans, a polo shirt and
squeaky-clean blue and white suede sneakers. He smiles broadly. "You picked a great week to come out," he says. "I'm tracking quite a
few botnets today."
Norris, 31, is president of an Internet service company called ChangeIP.com that finds itself at the center of the battle against botnets. He
estimates that he is spending up to 20 hours a week preventing botmasters like 0x80 and Majy from using his network to control their
Botmasters typically control their herds of infected PCs by having each report to a central server and await instructions, which may be to
attack a Web site, send spam or download spyware programs. But many of the IRC networks that have been used for this purpose are
beginning to crack down on botmasters. As a result, an increasing number of hackers are trying to cover their tracks by taking advantage
of the services of companies like Norris's, which allow Internet browsers to find hundreds of small Web sites by name (for example:
smallwebsite.com), even though the actual numeric address of the sites can change from day to day.
Botmasters like 0x80, however, have turned that process inside out. They use Norris's service to hide their botnets when they jump from
server to server. Should authorities or computer security experts start to zero in on the server that's running their botnet, they can switch
servers, and ChangeIP.com will enable the hijacked computers to find the new hideout.
In most cases, it is easy for Norris to tell which hosts on his network are legitimate Web sites and which are botnets: Most small Web
sites don't have thousands of computers trying to access the site at precisely the same time. By tracking the communications traffic
between the infected machines and the botmaster's control channel, Norris can capture data that might be useful to law enforcement,
including snippets of text or code that may hold clues about the geographic location or identity of the botmaster.
Norris says he sees an average of 37 new botnets per week trying to use his company's service, and sometimes as many as 10 new
botnets per day. Last spring, he cut off access to a botnet of more than 40,000 PCs that was being used as a massive install base for
spyware. "I am seeing this botnet-spyware connection just skyrocket," Norris says, "and I think it's because these guys are realizing
there's tons of cash to be made here."
A computer programmer by trade, Norris dissected a copy of the bot used by one hacker he recently banished from ChangeIP.com's
network. The program contained instructions for installing 14 adware and spyware programs, and Norris says the bot code was
encrypted and so thoroughly disguised that none of the antivirus software he used detected the code as malicious. As he was examining
the bot program, Norris accidentally executed it, causing his machine to become infected. Almost immediately, he says, the program
downloaded a package of adware and launched several pop-up ads for pornographic Web sites. It also installed GammaCash's
infamous XXX toolbar.
Norris's forensics work revealed that the bot program also contained more than 30 other features, including the ability to capture all of the
victim's Web traffic and keystrokes, as well as a program that looks for PayPal user names and passwords. Other programs installed by
the bot allowed the attackers to peek through a user's webcam.
Norris often works out of his home in the auburn hills of San Marcos, Calif., where F-16 fighter jets from nearby Miramar Naval Air Station
streak across the sky. Today he sits down at the desk in his cramped home office and clacks away at his keyboard, generating a slew of
line graphs measuring the level of traffic flowing across his company's networks. He's a member of an informal enforcement group of
more than 100 independent security experts worldwide who share daily data on the size, location and activity of the Web's most
disruptive botnets. Hailing from Internet service providers, computer hardware manufacturers and software security firms, the group's
members use that information to shut down botnets by cutting off the infected computers and forwarding the intelligence they glean to law
Each morning, Norris receives an e-mail listing the online locations of the Web servers used to control some the world's most dangerous
botnets. "First thing I do most days is go through this list and try to find out which ones" are using his network, he says, pointing to a report
he just generated that lists the top 20 traffic-generating sites on his company's system. "Most of these are botnets."
And the botnets are hardly limited to hijacked home computers. A few months back, Norris found more than 10,000 infected PCs on the
inside of a Fortune 100 company network, all trying to contact a control server located at ChangeIP.com. When Norris called the
company with the bad news, its poorly trained network administrator had no idea how to respond. "I call this guy up and say, 'Hey, you've
got 10,000 infected computers on your network that are attacking me,' and this guy is basically, like, 'Well, what do you want me to do
about it?' "
Norris says that after collecting enough evidence about a botnet, he terminates the account and, he hopes, disconnects the botmaster
from his army of infected machines. He says "he hopes" because many times the botmaster will have instructed his enslaved machines
in advance to try several other domain names should the main control channel be shuttered. But in most cases, Norris says, the
botmaster simply shifts control of his botnet to another Internet service provider. "Other times, the attackers play dumb and send polite
e-mails asking why their service has been shut off." And, occasionally, the hackers will rebuild their botnets elsewhere and use them to
retaliate against ChangeIP. Last year a botmaster who had been cut off joined forces with another botnet to direct such a massive,
constant stream of bogus Web traffic at ChangeIP.com that the site had difficulty processing legitimate traffic for nearly a week.
As the botnet problem has escalated, so has the interest of federal law enforcement, Norris says. Not long ago, he was contacted by a
National Security Agency official who asked for records related to several ChangeIP accounts. He's also had visits from FBI agents hot
on the trail of several botmasters. One FBI agent said he couldn't disclose the details of his investigation but handed Norris a copy of a
Time magazine article about Chinese hackers suspected of infiltrating U.S. corporate and military computer networks.
"The feds are finally starting to understand that botnets are more than just a nuisance: They're the source of all that's evil on the Internet
today, from hacking and spamming to phishing and spying," Norris says. (Phishing involves impersonating trusted Web sites to gain
confidential information from computer users.)
Shutting down a botnet can be arduous work, but finding the criminal on the controlling end of the herd has proven an especially
challenging task for law enforcement. That's in part because security experts like Norris and others often disagree over whether to
dismantle the botnets as soon as possible or to monitor them for a period of time in order to gather intelligence that might prove useful in
helping investigators track down the criminals behind them.
Hank Nussbacher, an independent Internet security consultant based in Israel and a member of the group that's sharing information on
botnet activity, says most members have their hands full just shutting down the botnets' command and control centers. "Occasionally, the
Internet service provider where the [bot control center] is located requests that it not be shut down because they are collecting forensics
information for some law enforcement agency, but I'd say about 98 percent of the time, as soon as we find one, we shut it down."
Louis Reigel III, assistant director of the FBI's Cyber Division, says the botnet data regularly shared by security experts like Norris is
invaluable. But Reigel stresses that prosecuting botmasters is difficult because their crimes and networks usually span multiple
continents, which means working with foreign law enforcement agencies and depending on their cooperation.
The FBI has dedicated several agents from its special technologies section to tracking down botnet operators and is pursuing hundreds
of investigations, Reigel says. But "the techniques being used by these bot guys are becoming more efficient every day, so the bot
situation is probably going to get a lot worse before it gets better."
Norris shares that fear and worries that more botmasters will begin to exploit emerging peer-to-peer communication technologies of the
sort that power controversial music- and movie-sharing networks like Kazaa and LimeWire. Such networks would allow enslaved
computers to communicate instructions and share software updates among one other, so that they would no longer depend on orders
from the master servers that Norris and other bot hunters search out and disable every day.
"When P2P becomes the norm with these bots," Norris says, "that's when I call it quits with this botnet stuff, because, at that point, it will
be pretty much out of my hands."
On the eve of a visit to his home by a Washington Post photographer, 0x80 decides to tell his father what he really does for a living, in
part, he says, because hiding it is starting to eat him up inside. 0x80 tells his father the whole truth, but he can't bring himself to break the
news to his mother because, as he puts it, "she's really Christian and that would just crush her to know I'm involved in something like this."
"I told my dad I had made an Internet worm that infected people, and then I used their computers to make money, and he just shook his
head and was, like, 'I hope you don't go to jail for that . . .' and . . . 'I hope it wasn't underage porn you was doing.'"
That same question has been encroaching on 0x80's peace of mind of late. His hard-boiled pose has begun to break down, and instead
of sneering at the risks of getting caught and brought to justice, he's begun to talk about quitting the criminal hacking scene to join the
Army, which, he reasons, will offer not only discipline and the motivation to earn his GED but also potentially a free ride to college. From
there, he can imagine a more respectable future working on information technology projects for the military.
"It's nice to have up to $10,000 a month coming in, but, if it's not legit, then I also have all this other stuff to worry about," 0x80 says. "Like, I
gotta hide my laptop every night, and every time I don't come online for a day I have people blowing up my cell phone asking if I got raided
by the feds."
0x80 has shared his plans with a few of his online buddies, many of whom have grown dependent on his ability to develop ever more
stealthy and effective botnet programs.
"Some of my people really don't want me to leave, but I've got to figure out a way to use the [expletive] I know to get something going for
myself," 0x80 says. "With the Army, I could get stationed someplace where I would have a better chance at getting a higher-paying job
and still be able to do what I like to do. Either way, I gotta get up outta this hole I'm living in."
Brian Krebs is a technology reporter for washingtonpost.com.