The recent arrest of 17 hackers in Quebec for running a one million-computer botnet is a grim reminder that businesses should take malware threats seriously, cybercrime experts say.
Sûreté du Québec – the Québec provincial police force – arrested eight suspects in connection with the racket and held nine more for questioning, in raids spanning 12 towns across the province.
The hackers reportedly caused computer infrastructure damage totaling $45 million.
The suspects in Quebec are accused of illegally obtaining computer service, hacking into computer data and possessing passwords to commit offences.
If convicted, they face a jail term of up to 10 years.
Police say it is the first time such a network has been disbanded in Canada.
“This operation is a reminder of the importance of computer security,” police captain Frédérick Gaudreau told journalists.
He urged computer users, who suspect their machines have been tampered with, to consult an expert.
The arrests, industry observers say, are a sign hackers are no longer the mischievous and annoying – but largely innocuous – phenomenon they were a decade ago.
Instead, today hacking for profit has become the norm and has spawned an underground economy worth billions.
Favoured tools of the cybercrooks controlling this economy are bots (short for robots) – networks of infected and “captured” computers used to broadcast spam or malware.
Security experts say the fastest growing zombie threat is from infected Web sites.
Last year, a Web site was infected every 14 seconds on average, according to a report from Sophos plc, a computer security company based in Abingdon, U.K.
“This is a much bigger problem than most people perceive,” concludes Mike Haro, senior security analyst with Sophos.
He said even the million-computer botnet operated by the Quebec gang is “a drop in the bucket” given the actual scope of the racket.
Another industry insider echoes this view.
The Quebec network represents the tip of the iceberg in terms of the sheer number of zombies out there, says Jim Lippard, director of information security at New Jersey-based Global Crossing, and a botnet expert.
Global Crossing is a network services provider whose customers include more than 35 percent of the Fortune 500, as well as 700 carriers, mobile operators and ISPs.
“There are tens of millions of infected computers out there and a lot of groups exploiting them,” Lippard says.
How zombies spread the infection
As with other technologies, in the area of malware too there’s been a convergence during the past decade, Lippard notes.
He says worms, viruses, and bots were discrete programs in 2000, but have now merged to create the botnet scourge.
And yet bots began harmlessly enough, as programs used to monitor Internet Relay Chat (IRC) rooms.
That software was taken and modified with additional functionality, the Global Crossing executive says.
Today bots can open up ports for spam to flood through, search for financial information on a computer, find passwords, or do a combination of all these, he says.
There are two parts to a working botnet: the infected end-user machine, usually a Windows PC on a broadband Internet connection, and the controller that directs those machines, which is typically found in a Web-hosting environment.
That’s where businesses are most affected, Lippard says.
Corporate servers may not have adequate bandwidth and/or storage to handle the massive traffic volumes coming from zombies, he said.
Zombie detection and protection
Hackers, such as those arrested in Quebec, typically prey on computer users who don’t use firewalls and anti-virus software.
But analysts warn that businesses are not immune, and those storing vital customer information are often targeted.
Last year, a prominent online job site lost personal information on one million users to hackers, according to the Sophos report.
Their customers were then subjected to phishing scams and malware.
“Businesses need to understand that the primary [responsibility] is still with the user,” Haro says, adding that when offered sex or money, users sometimes make poor decisions.
But adult sites no longer account for a majority of compromised Web sites, he adds. Users visiting any legitimate Web site could get infected.
Companies should avoid installing unnecessary components on their servers because it creates more code for hackers to exploit, the report says.
If you notice a computer sending e-mails in the middle of the night, when no one is using it, that is a warning sign that the machine may be infected.
Another sign is when your server receives connections from lots of different hosts on IRC (Internet Relay Chat) ports – a holdover from the days when bots were used to monitor chat channels, Lippard says.
The port most often used for this type of bot is 6667, adds Dean Turner, director, global intelligence network at Symantec Canada.
If your system is infected, he says, you should quickly disconnect affected computers from the network and run a virus scan.
“Ensure those machines don’t have any bot traffic signs before you hook them back up to the network.”
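The two warning signs described above can be checked mechanically against a connection log. The following is an added example, not code from the original article or from any of the companies quoted in it: it parses a constructed, hypothetical netflow-style text export and flags (a) any server accepting connections on the IRC port 6667 named in the text from many distinct hosts and (b) any host opening SMTP (port 25) connections during an assumed "middle of the night" window of 00:00 to 04:59. The log format, the sample addresses, the night window and the thresholds are all assumptions for illustration.

```python
"""Flag botnet warning signs in a constructed connection log.

Two detections, matching the signs described in the article:
  1. IRC fan-out: a server receiving IRC-port connections from many distinct hosts.
  2. Night-time SMTP: a host opening mail connections in the middle of the night.
"""
from collections import defaultdict, namedtuple
from datetime import datetime

# Port 6667 is the one named in the text; add others for your environment.
IRC_PORTS = {6667}
SMTP_PORT = 25
# Assumed "middle of the night" window: 00:00 up to (not including) 05:00 local time.
NIGHT_START, NIGHT_END = 0, 5

Conn = namedtuple("Conn", "ts src_ip dst_ip dst_port proto")

# Constructed sample records (hypothetical export format):
#   "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2008-02-21T02:13:07 10.0.0.7 -> 203.0.113.9:25 tcp
2008-02-21T02:13:09 10.0.0.7 -> 203.0.113.10:25 tcp
2008-02-21T02:13:12 10.0.0.7 -> 203.0.113.11:25 tcp
2008-02-21T02:14:30 10.0.0.7 -> 203.0.113.12:25 tcp
2008-02-21T09:30:00 10.0.0.5 -> 203.0.113.9:25 tcp
2008-02-21T10:01:44 198.51.100.23 -> 192.0.2.8:6667 tcp
2008-02-21T10:01:45 198.51.100.77 -> 192.0.2.8:6667 tcp
2008-02-21T10:01:47 198.51.100.130 -> 192.0.2.8:6667 tcp
2008-02-21T10:01:48 198.51.100.202 -> 192.0.2.8:6667 tcp
2008-02-21T10:01:49 198.51.100.202 -> 192.0.2.8:6667 tcp
2008-02-21T10:02:10 10.0.0.5 -> 192.0.2.8:80 tcp
"""


def parse_log(text):
    """Parse the hypothetical export format into Conn records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, proto = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append(Conn(datetime.fromisoformat(ts), src, dst_ip, int(dst_port), proto))
    return records


def irc_fanout(records, min_sources=3, ports=IRC_PORTS):
    """Servers that accept IRC-port connections from >= min_sources distinct hosts.

    Returns {server_ip: sorted list of distinct client ips}. Repeat connections
    from the same client count once, since fan-out (not volume) is the signal.
    """
    clients = defaultdict(set)
    for r in records:
        if r.dst_port in ports:
            clients[r.dst_ip].add(r.src_ip)
    return {ip: sorted(s) for ip, s in clients.items() if len(s) >= min_sources}


def night_smtp(records, min_conns=3):
    """Hosts that open >= min_conns SMTP connections inside the night window.

    Returns {host_ip: connection count}. Daytime mail traffic is ignored.
    """
    counts = defaultdict(int)
    for r in records:
        if r.dst_port == SMTP_PORT and NIGHT_START <= r.ts.hour < NIGHT_END:
            counts[r.src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_conns}


def report(text):
    """Run both detections over a log export and return the findings together."""
    records = parse_log(text)
    return {"irc_fanout": irc_fanout(records), "night_smtp": night_smtp(records)}


if __name__ == "__main__":
    findings = report(SAMPLE_LOG)
    for server, clients in findings["irc_fanout"].items():
        print(f"IRC fan-out: {server} accepted port-6667 connections from {len(clients)} hosts: {clients}")
    for host, n in findings["night_smtp"].items():
        print(f"Night-time SMTP: {host} opened {n} mail connections between {NIGHT_START:02d}:00 and {NIGHT_END:02d}:00")
```

On the sample log, 192.0.2.8 is flagged for accepting IRC connections from four distinct hosts (the repeat from 198.51.100.202 counts once), and 10.0.0.7 is flagged for four SMTP connections at around 02:00, while the 09:30 mail connection from 10.0.0.5 is ignored. The thresholds are deliberately low to suit the tiny sample; on real traffic, tune them to what your servers legitimately do, and treat a hit as a reason to isolate and scan the machine as Turner advises, not as proof of infection by itself.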
Global crackdown on computer crime
The Quebec arrests may be the first of their kind in Canada.
However, globally enforcement authorities have been targeting hackers in a bid to shut down criminal activity.
In the U.S. alone, the FBI estimates such activity costs businesses tens of billions of dollars a year.
How significant are the Quebec arrests?
Experts say they are more symbolic than effectual in terms of being able to stop the botnet menace.
“These kids were working for someone else most likely,” Sophos analyst Haro says. “The mob boss wasn’t arrested.”
Hacker rings are usually multinational in scope, but police act in one jurisdiction at a time to make arrests, he adds.
People working for such rings are even hired for their specific abilities.
Some hackers might write the code, while others are effective at deploying malware. And yet others will work on sending spam to the affected computers, the analyst notes.
And this division of criminal labour can serve as a protection of the individual groups that together run this racket.
For instance, those using spam to advertise products or services can claim ignorance about the illegal methods being used, Lippard says.
How did the Quebec hackers get caught?
They likely came to the attention of authorities by extending their network to one million computers in 100 countries, according to Haro.
He said the news is very welcome. “Each arrest is a point for the good guys.”