Spam is Really Very Profitable

For Spammers, Worm Turns a Profit

By Brian Krebs

For the first two weeks of October 2004, relentless waves of Internet traffic swamped the Web site of Gaithersburg, Md.-based Harta Instruments, one of six companies worldwide that manufacture devices used to detect a virus linked to genital warts and cervical cancer.

John Lee, the company's owner, initially suspected a digital attack bent on destroying his mostly Internet-based business. Lee later learned that the flood of Web traffic came from more than 300,000 computers seeking software updates at his site. The computers had been infected with the latest version of the "Bagle" worm, one of last year's most prolific and insidious Internet viruses.

The debilitating attacks have ceased now that his Web site is operating under a new name, but Lee still fumes over the incident, which he says cost his company tens of thousands of dollars in lost sales.

"I don't know who was behind all of this, but they need to be caught and then shot," Lee grumbled.

Barring a careless misstep by the virus author or authors, the prospects for any repercussions appear dim. The worm that targeted Lee's site was the 44th version of Bagle unleashed in 2004, a year in which teams of virus writers forged new alliances with junk e-mail artists to convert millions of home PCs into remote-controlled "zombies" used to fuel spam and phishing attacks.

As a result of those alliances, junk e-mail and phishing attacks -- online scams that lure victims into giving up confidential information -- far outnumbered legitimate e-mail communications last year. Roughly three-quarters of all e-mail in 2004 was spam or fraud-related, according to Postini, a Redwood City, Calif.-based anti-spam firm.

Rent-a-Zombie

Bagle was just one of countless e-mail worms unleashed onto the Internet in 2004, but the attack on Lee's site offered security experts a rare glimpse into the thriving economic and operational ties between Internet criminals and virus writers.

In many ways, the Bagle virus is no different from other e-mail worms: it seizes control of a recipient's PC when the recipient clicks on an e-mail attachment that harbors the virus.

But Bagle also has outpaced its brethren in other areas. It would become one of 2004's most successful "multi-stage" viruses, in that it was designed to lie dormant for several days after infection, then instruct its host to download software updates from a pre-defined list of more than 130 Web sites. Bagle also was the first high-profile worm to disable the protective firewall that Microsoft Corp. enables in all distributions of Service Pack 2, a software security upgrade made available to Windows XP users in August.

Symantec Corp., an Internet security firm based in Cupertino, Calif., intentionally infected some of its computers with the Bagle virus in order to monitor the worm's progress. In a 28-page report published in December, the company found that some of the PCs downloaded software that forced them to forward e-mails used in a pair of elaborate phishing scams targeting customers of SunTrust Banks.

Other Bagle-infected PCs were used to spew junk e-mail. One piece of spam hawked cheap generic prescription drugs. Another advertised popular software titles -- including computer-security and anti-virus programs -- at fire-sale prices. Experts say most software sold through spam is pirated, and much of it is itself laced with viruses.

Alfred Huger, senior director of security response at Symantec, said most of the infected computers were seeded with additional software over a period of several weeks. "That kind of activity suggests that the people behind the Bagle worm are either running a vast criminal enterprise or they are loaning out their network" of infected PCs to other scam artists and spammers, Huger said.

It is common for attackers to sell or rent access to PCs they have compromised, according to Johannes Ullrich, chief technology officer for the SANS Internet Storm Center. In certain little-known underground chat rooms, a hacked computer in the United States can be rented for pennies per week.

However, hijacked PCs in some foreign countries often fetch a higher value because they are considered harder for authorities to shutter, Ullrich added. "We've seen the asking price go as high as $25 for a single compromised home system."

Recycling the Victim

One reason Bagle and hundreds of other so-called "mass-mailer" worms are so prevalent is that virus authors typically reuse machines they have infected to help spawn future incarnations of their creations. Last year, hackers released new Bagle versions roughly once a week, each time using thousands of hijacked computers to "seed" the Internet with initial copies of the virus.

Harta's Lee and many others responsible for maintaining the Web sites listed in Bagle's code acknowledged having inadvertently infected one or more of their personal or work computers with earlier versions of Bagle in the weeks leading up to the attacks on their sites.

The attackers likely located the victims' Web sites by using one of Bagle's built-in capabilities: eavesdropping on an infected computer's Internet connection for usernames and passwords that victims use to read e-mail, log in to bank sites or administer Web sites.

Anthony Flanagan, a real estate development planner in San Francisco, owns a laptop that was infected with the Bagle worm in early September. Two weeks later his site buckled under the traffic of Bagle-infected PCs trying to download software that attackers had planted on his site and laptop.

Flanagan's Internet service provider quickly pulled the plug on his Web site because it was crashing other sites operating on the same server. Flanagan said his site normally receives four or five visitors in a busy week, but when his ISP cut him off, the site was choking on more than 120 hits per second.
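A defender-side illustration of what Flanagan's ISP saw, added here and not part of the article: a script that scans a web server's access log for a single path suddenly requested at a high rate by many distinct clients, which is how a site conscripted as a worm's update host looks from its own logs. The log format (NCSA combined), the thresholds, the client addresses and the path name are all constructed assumptions, not figures from the article or from Bagle.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# NCSA combined log line: client, identd, user, [time], "request", status, bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, _status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), path

def find_flooded_paths(lines, min_rate=50.0, min_clients=100):
    """Map path -> (requests per second, distinct clients) where both exceed the thresholds."""
    stats = defaultdict(lambda: {"clients": set(), "times": []})
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, when, path = rec
            stats[path]["clients"].add(ip)
            stats[path]["times"].append(when)
    flagged = {}
    for path, st in stats.items():
        # inclusive span: a burst that fits inside one second counts as one second
        span = (max(st["times"]) - min(st["times"])).total_seconds() + 1.0
        rate = len(st["times"]) / span
        if rate >= min_rate and len(st["clients"]) >= min_clients:
            flagged[path] = (rate, len(st["clients"]))
    return flagged

def sample_log():
    """Constructed sample: 600 hits on one path from 300 hosts in 5 seconds (120/s), plus normal traffic."""
    base = datetime(2004, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t}] "GET {p} HTTP/1.1" 200 512 "-" "Mozilla/4.0"'
    lines = []
    for i in range(600):
        idx = i % 300  # 300 distinct (constructed) client addresses
        ts = (base + timedelta(seconds=i % 5)).strftime(TIME_FMT)
        lines.append(fmt.format(ip=f"10.0.{idx // 256}.{idx % 256}", t=ts, p="/dl/update.php"))
    for i in range(5):  # a handful of ordinary visitors to the front page
        ts = (base + timedelta(seconds=i)).strftime(TIME_FMT)
        lines.append(fmt.format(ip=f"192.0.2.{i % 3}", t=ts, p="/index.html"))
    return lines

if __name__ == "__main__":
    for path, (rate, n) in find_flooded_paths(sample_log()).items():
        print(f"{path}: {rate:.0f} req/s from {n} distinct clients")
```

The distinct-client count is what separates a conscripted update host from an ordinary traffic spike or a single misbehaving crawler.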

"I didn't know I was infected, or that it was even possible for the virus to make its way over to my Web site," he said.

Still, experts say many of the sites listed in Bagle's internal code never hosted any of the phishing or spamming software and were probably used as decoys to throw anti-virus researchers off their trail. Nevertheless, those sites were just as affected by the deluge of traffic from Bagle victims.

The Web site for Union Hospital in Elkton, Md., appears to have been one such decoy. Hospital officials directed inquiries about the incident to the site's Internet service provider, Hunt Valley, Md.-based System Source.

System Source co-owner Robert Roswell said the hospital's Web address received thousands of hits per second at the height of the attack, cutting off public access to the site for more than 24 hours. Roswell declined to say how much the attack cost, but said the company "put an enormous amount of defensive energy into keeping the site alive."

"Let's just say we blew through about 10 years' worth of service contracts defending the hospital from this attack," he said.

No Relief in Sight

For the first three weeks of 2005, anti-virus companies saw only minor outbreaks of mass-mailing worms. But on Jan. 26, virus authors unleashed a major outbreak with several new versions of the Bagle worm. Within 24 hours, the amount of spam generated by Bagle-infected PCs increased from 140,000 junk e-mails to more than 1 million a day, according to Symantec, which recently acquired anti-spam company Brightmail.

Experts say there are precious few signs that e-mail worms or the spam and scams they facilitate will fade away in the near future. The instructions for creating custom versions of Bagle and many of today's most successful e-mail worms now are freely available online.

Virus authors also will continue to exploit weaknesses in commercial anti-virus software, most of which must be constantly updated with new "definitions" to be able to detect the latest viruses and worms. This allows the virus writers to stay a step ahead by releasing slightly different versions of their creations just hours apart.

At the beginning of 2004, anti-virus companies took an average of 12 hours to release new definitions following a viral outbreak, according to MessageLabs, a British anti-spam company. By December 2004, that window of opportunity had shrunk by less than two hours, MessageLabs said.

Still, the biggest contributor to the future success of such viruses will continue to be new, inexperienced Internet users, thousands of whom venture forth each day worldwide, said Mikko Hypponen, director of anti-virus research at F-Secure Corp. in Helsinki.

"There are new users coming online all the time who know nothing about the risks of owning a computer and getting on the Internet," Hypponen said. "We're going to be fighting these e-mail worms for quite some time."

Copyright 2004 The Washington Post Company
