Bringing Botnets Out of the Shadows
Tuesday, March 21, 2006; 9:39 AM
Nicholas Albright's first foray into some of the darkest alleys of the Internet came in November 2004, shortly after his father committed suicide. About a month following his father's death, Albright discovered that online criminals had broken into his dad's personal computer and programmed it to serve as part of a worldwide, distributed network for storing pirated software and movies.
Albright managed to get the network shuttered with a call to the company providing the Internet access the criminals were using to control it. From that day forward, Albright poured all of his free time and pent-up anger over his father's death into assembling "Shadowserver," a group of individuals dedicated to battling large, remote-controlled herds of hacked personal PCs, also known as "botnets."
Now 27, Albright supports his wife and two children as a dispatcher for a health care company just outside of Boulder, Colo. When he is not busy fielding calls, Albright is chatting online with fellow Shadowserver members, trading intelligence on the most active and elusive botnets. Each "bot" is a computer on which the controlling hacker has installed specialized software that allows him to commandeer many of its functions. Hackers use bots to further their online schemes or as collection points for users' personal and financial information.
"I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating."
On a Sunday afternoon in late February, Albright was lurking in an online channel that a bot herder uses to control a network of more than 1,400 hacked computers running Microsoft Windows software. The hacker controlling this botnet was seeding infected machines with "keyloggers," programs that can record whatever the victim types into online login screens or other data-entry forms.
Albright had already intercepted and dissected a copy of the computer worm that the attacker uses to seize control of computers -- an operation that yielded the user name and password the hacker uses to run the control channel. By pretending to be just another freshly hacked bot reporting for duty, Albright passively monitors what the hackers are doing with their botnets and collects information that an Internet service provider would need to get the channel shut down.
Albright spied one infected PC reporting data about the online activities of its oblivious owner -- from the detailed information flowing across the wire, it was clear that one of the infected computers belongs to a physician in Michigan.
"The botnet is running a keylogger, and I see patient data," Albright said. The mere fact that the doctor's PC was infected with a keylogger is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which requires physicians to take specific security precautions to protect the integrity and confidentiality of patient data. "The police need to be notified ASAP to get that machine off the network."
A little more than an hour and a few phone calls later, the doctor's Internet service provider had disconnected the infected PC from its network and alerted the physician. Albright sent an e-mail to the FBI including all the evidence he collected about the attack, but he wasn't terribly sanguine that the feds would do anything with it.
"Anything you submit to law enforcement may help later if an investigation occurs," he said. "Chances are, though, it will just be filed away in a database."
A Spreading Menace
Botnets are the workhorses of most online criminal enterprises today, allowing hackers to ply their trade anonymously -- sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking Web sites.
As the profit motive for creating botnets has grown, so has the number of bot-infected PCs. David Dagon, a Ph.D. student at Georgia Tech who has spent several years charting the global spread of botnets, estimates that in the 13-month period ending in January, more than 13 million PCs around the world were infected with malicious code that turned them into bots.