Page 5 of 5   <      

Invasion of the Computer Snatchers

In 2004, venture capitalists invested $40 million in 180solutions, fueling rapid growth. That year, 180 says, it raked in more than $50 million delivering online ads for some of America's best-known corporations, including JP Morgan Chase, Cingular, T-Mobile, and (Among the hundreds of companies that have placed ads through 180solutions is Kaplan University Online, which is owned by The Washington Post Co.)

By 180's own count, its adware is installed on 20 million computers. The people who use those computers receive pop-up ads based on what they are searching for online. If the user searches for the term "travel," 180's software will look through its database of clients in the travel business and present an ad from the company that bid the most on that search term. The next time that user searches using the same term, 180 will serve the ad of the next-highest bidder for that word, and so on. 180 then gets paid from 1.5 to 2.5 cents for each ad it delivers to the user. The more computers with 180's adware, the more revenue each ad generates.

Consumer groups gathered mountains of evidence that 180 Search Assistant was being installed on thousands of computers without user consent. Once again, 180 tried to quiet its critics. Toward the end of last year, the company announced it was phasing out 180 Search Assistant in favor of the Seekmo Search Assistant. Company spokesman Sean Sundwall says Seekmo will be more fraud resistant than 180 Search Assistant, and that it will not be distributed or bundled with other software programs without 180's permission. The company says this will give it far more control over how Seekmo is installed and by whom.

But Ben Edelman, who has spent years chronicling the offenses of the adware industry while working toward a PhD in economics at Harvard University, says Seekmo is functionally the same program as 180 Search Assistant. Edelman says 180's penchant for renaming its software each time abuses are highlighted is part of the reason the anti-spyware community directs so much vitriol at the company.

"The idea that 180solutions got where they are today through bad business practices and that they continue to make money from that user base is hardly unique to them," Edelman says. "What really makes people so mad is that 180 is far less apologetic than the other players" in the industry.

The Center for Democracy & Technology, the leader of a group called the Anti-Spyware Coalition, spent two years working with 180 to resolve dozens of consumer complaints about surreptitious installs. Ari Schwartz, the center's deputy director, says each time the subject arose, the company claimed it was blindsided by the accusations and that it needed more time to correct its distributors' behavior.

Weeks after 180solutions said it was discontinuing its 180 Search Assistant software, a computer worm began spreading rapidly across AOL's instant message network, downloading and installing viruses and a host of other programs -- including 180 Search Assistant -- on victims' computers. While 180 denied it had anything to do with the worm, for the CDT, that was the last straw: On January 23, the nonprofit filed a detailed complaint with the Federal Trade Commission urging the agency to sue 180solutions for violating consumer protection laws.

In a statement, 180solutions denied that it was ignoring the problem, arguing that it had made "great progress in the fight against spyware" and insisting that it shared the CDT's vision of "protecting the rights and privacy of consumers on the Internet . . . We have made voluntary improvements to address every reasonable concern that the CDT has made us aware of."

Company executives acknowledge they didn't begin addressing the fraud problems wrought by what 180 co-founder Dan Todd calls "a few bad actors" until mid-2004. Dressed in worn-out jeans and an untucked dress shirt, 34-year-old Todd puts one foot up on the coffee table in his glass office and tries to explain how things spiraled so far out of control. "At some point between dealing with legitimate distributors and these botnet guys who try real hard to look like good guys, we realized that something had gone terribly wrong and that our plan of outsourcing our relationship to the consumer had backfired," Todd says.

Last year, he says, 180 executives purchased some of their biggest distributors, including Loudcash, as part of a plan to rein in "rogue distributors" and help clean up the company's adware distribution practices. 180 says it no longer allows its adware to be bundled with adult Web site content or peer-to-peer (P2P) online file-sharing services that many people accuse of promoting music and movie piracy. "Our goal," he says, "is to minimize the financial incentive for people to install our software illegally, with the goal of making sure that our money never gets paid to bad actors."

To demonstrate its commitment, 180 filed lawsuits last year against seven distributors, accusing them of using botnets to earn more than $60,000 installing the company's adware without computer owners' consent. When the defendants -- all of whom live outside of the United States -- refused to make the trip here to face the allegations against them, 180 referred the matter to the FBI, says company attorney Ken McGraw.

The company also worked with the FBI and Dutch authorities last year on an investigation that shut down a botnet of more than 1 million computers in the Netherlands. The FBI acknowledged that 180 was instrumental in helping to track down the botmasters. 180, in fact, became the target of a denial-of-service attack by the botmasters, who were furious that the company was refusing to pay them for surreptitious adware installs. The attack briefly crippled 180's Web site, making the company a victim of the botnet phenomenon.

Yet 180's insistence that it is cracking down on botmasters has yet to win over the anti-spyware activists, who have spent years unraveling the labyrinthine economic ties among advertisers, adware vendors and their affiliates. The anti-spyware hawks don't believe 180solutions has changed the way it operates or that the company is buying up major players in the adware industry in order to clean up its act. "That's sort of like a drunk saying he's buying up a liquor store to solve his drinking habit," says Eric Howes, an executive at Sunbelt Software, an anti-spyware firm.

At a recent anti-spyware conference, Todd was openly mocked for claiming that 180 previously had no way of knowing how many of its distributors were installing its software illegally. Someone at the conference suggested that 180 use its technology to periodically present users with pop-ups asking them whether they had authorized the adware to be installed in the first place. Now the company says it is doing just that. If the answer is no, the user can remove the software with a click of a button.

0x80 hasn't paid much attention to the public condemnation of 180's business practices. And he says he doubts any of the measures the company is taking will discourage botmasters from installing adware. "It doesn't really matter what [180] does to try and stop them," the hacker says. "There's just too much money to be made there. People will just find another company to work with."


Sam Norris answers the door of his handsome stucco-and-Spanish-tile home near San Diego dressed in jeans, a polo shirt and squeaky-clean blue and white suede sneakers. He smiles broadly. "You picked a great week to come out," he says. "I'm tracking quite a few botnets today."

"The feds are finally starting to understand that botnets are ... the source of all that's evil on the Internet today," president Sam Norris says, "from hacking and spamming to phishing and spying."(Brian Krebs -
Norris, 31, is president of an Internet service company called that finds itself at the center of the battle against botnets. He estimates that he is spending up to 20 hours a week preventing botmasters like 0x80 and Majy from using his network to control their botnets.

Botmasters typically control their herds of infected PCs by having each report to a central server and await instructions, which may be to attack a Web site, send spam or download spyware programs. But many of the IRC networks that have been used for this purpose are beginning to crack down on botmasters. As a result, an increasing number of hackers are trying to cover their tracks by taking advantage of the services of companies like Norris's, which allow Internet browsers to find hundreds of small Web sites by name (for example:, even though the actual numeric address of the sites can change from day to day.

Botmasters like 0x80, however, have turned that process inside out. They use Norris's service to hide their botnets when they jump from server to server. Should authorities or computer security experts start to zero in on the server that's running their botnet, they can switch servers, and will enable the hijacked computers to find the new hideout.

In most cases, it is easy for Norris to tell which hosts on his network are legitimate Web sites and which are botnets: Most small Web sites don't have thousands of computers trying to access the site at precisely the same time. By tracking the communications traffic between the infected machines and the botmaster's control channel, Norris can capture data that might be useful to law enforcement, including snippets of text or code that may hold clues about the geographic location or identity of the botmaster.

Norris says he sees an average of 37 new botnets per week trying to use his company's service, and sometimes as many as 10 new botnets per day. Last spring, he cut off access to a botnet of more than 40,000 PCs that was being used as a massive install base for spyware. "I am seeing this botnet-spyware connection just skyrocket," Norris says, "and I think it's because these guys are realizing there's tons of cash to be made here."

A computer programmer by trade, Norris dissected a copy of the bot used by one hacker he recently banished from's network. The program contained instructions for installing 14 adware and spyware programs, and Norris says the bot code was encrypted and so thoroughly disguised that none of the antivirus software he used detected the code as malicious. As he was examining the bot program, Norris accidentally executed it, causing his machine to become infected. Almost immediately, he says, the program downloaded a package of adware and launched several pop-up ads for pornographic Web sites. It also installed GammaCash's infamous XXX toolbar.

Norris's forensics work revealed that the bot program also contained more than 30 other features, including the ability to capture all of the victim's Web traffic and keystrokes, as well as a program that looks for PayPal user names and passwords. Other programs installed by the bot allowed the attackers to peek through a user's webcam.

Norris often works out of his home in the auburn hills of San Marcos, Calif., where F-16 fighter jets from nearby Miramar Naval Air Station streak across the sky. Today he sits down at the desk in his cramped home office and clacks away at his keyboard, generating a slew of line graphs measuring the level of traffic flowing across his company's networks. He's a member of an informal enforcement group of more than 100 independent security experts worldwide who share daily data on the size, location and activity of the Web's most disruptive botnets. Hailing from Internet service providers, computer hardware manufacturers and software security firms, the group's members use that information to shut down botnets by cutting off the infected computers and forwarding the intelligence they glean to law enforcement.

Each morning, Norris receives an e-mail listing the online locations of the Web servers used to control some the world's most dangerous botnets. "First thing I do most days is go through this list and try to find out which ones" are using his network, he says, pointing to a report he just generated that lists the top 20 traffic-generating sites on his company's system. "Most of these are botnets."

And the botnets are hardly limited to hijacked home computers. A few months back, Norris found more than 10,000 infected PCs on the inside of a Fortune 100 company network, all trying to contact a control server located at When Norris called the company with the bad news, its poorly trained network administrator had no idea how to respond. "I call this guy up and say, 'Hey, you've got 10,000 infected computers on your network that are attacking me,' and this guy is basically, like, 'Well, what do you want me to do about it?' "

Norris says that after collecting enough evidence about a botnet, he terminates the account and, he hopes, disconnects the botmaster from his army of infected machines. He says "he hopes" because many times the botmaster will have instructed his enslaved machines in advance to try several other domain names should the main control channel be shuttered. But in most cases, Norris says, the botmaster simply shifts control of his botnet to another Internet service provider. "Other times, the attackers play dumb and send polite e-mails asking why their service has been shut off." And, occasionally, the hackers will rebuild their botnets elsewhere and use them to retaliate against ChangeIP. Last year a botmaster who had been cut off joined forces with another botnet to direct such a massive, constant stream of bogus Web traffic at that the site had difficulty processing legitimate traffic for nearly a week.

As the botnet problem has escalated, so has the interest of federal law enforcement, Norris says. Not long ago, he was contacted by a National Security Agency official who asked for records related to several ChangeIP accounts. He's also had visits from FBI agents hot on the trail of several botmasters. One FBI agent said he couldn't disclose the details of his investigation but handed Norris a copy of a Time magazine article about Chinese hackers suspected of infiltrating U.S. corporate and military computer networks.

"The feds are finally starting to understand that botnets are more than just a nuisance: They're the source of all that's evil on the Internet today, from hacking and spamming to phishing and spying," Norris says. (Phishing involves impersonating trusted Web sites to gain confidential information from computer users.)

Shutting down a botnet can be arduous work, but finding the criminal on the controlling end of the herd has proven an especially challenging task for law enforcement. That's in part because security experts like Norris and others often disagree over whether to dismantle the botnets as soon as possible or to monitor them for a period of time in order to gather intelligence that might prove useful in helping investigators track down the criminals behind them.

Hank Nussbacher, an independent Internet security consultant based in Israel and a member of the group that's sharing information on botnet activity, says most members have their hands full just shutting down the botnets' command and control centers. "Occasionally, the Internet service provider where the [bot control center] is located requests that it not be shut down because they are collecting forensics information for some law enforcement agency, but I'd say about 98 percent of the time, as soon as we find one, we shut it down."

Louis Reigel III, assistant director of the FBI's Cyber Division, says the botnet data regularly shared by security experts like Norris is invaluable. But Reigel stresses that prosecuting botmasters is difficult because their crimes and networks usually span multiple continents, which means working with foreign law enforcement agencies and depending on their cooperation.

The FBI has dedicated several agents from its special technologies section to tracking down botnet operators and is pursuing hundreds of investigations, Reigel says. But "the techniques being used by these bot guys are becoming more efficient every day, so the bot situation is probably going to get a lot worse before it gets better."

Norris shares that fear and worries that more botmasters will begin to exploit emerging peer-to-peer communication technologies of the sort that power controversial music- and movie-sharing networks like Kazaa and LimeWire. Such networks would allow enslaved computers to communicate instructions and share software updates among one other, so that they would no longer depend on orders from the master servers that Norris and other bot hunters search out and disable every day.

"When P2P becomes the norm with these bots," Norris says, "that's when I call it quits with this botnet stuff, because, at that point, it will be pretty much out of my hands."


On the eve of a visit to his home by a Washington Post photographer, 0x80 decides to tell his father what he really does for a living, in part, he says, because hiding it is starting to eat him up inside. 0x80 tells his father the whole truth, but he can't bring himself to break the news to his mother because, as he puts it, "she's really Christian and that would just crush her to know I'm involved in something like this."

"I told my dad I had made an Internet worm that infected people, and then I used their computers to make money, and he just shook his head and was, like, 'I hope you don't go to jail for that . . .' and . . . 'I hope it wasn't underage porn you was doing.'"

That same question has been encroaching on 0x80's peace of mind of late. His hard-boiled pose has begun to break down, and instead of sneering at the risks of getting caught and brought to justice, he's begun to talk about quitting the criminal hacking scene to join the Army, which, he reasons, will offer not only discipline and the motivation to earn his GED but also potentially a free ride to college. From there, he can imagine a more respectable future working on information technology projects for the military.

"It's nice to have up to $10,000 a month coming in, but, if it's not legit, then I also have all this other stuff to worry about," 0x80 says. "Like, I gotta hide my laptop every night, and every time I don't come online for a day I have people blowing up my cell phone asking if I got raided by the feds."

0x80 has shared his plans with a few of his online buddies, many of whom have grown dependent on his ability to develop ever more stealthy and effective botnet programs.

"Some of my people really don't want me to leave, but I've got to figure out a way to use the [expletive] I know to get something going for myself," 0x80 says. "With the Army, I could get stationed someplace where I would have a better chance at getting a higher-paying job and still be able to do what I like to do. Either way, I gotta get up outta this hole I'm living in."

Brian Krebs is a technology reporter for He will be fielding questions and comments about this article Tuesday at 1 p.m. at


<                5

© 2006 The Washington Post Company