Interesting People mailing list archives

Hackers Hijack PC's for Sex Sites


From: Dave Farber <dave () farber net>
Date: Fri, 11 Jul 2003 07:04:13 -0400


------ Forwarded Message
From: "John F. McMullen" <observer () westnet com>
Date: Fri, 11 Jul 2003 01:14:26 -0400 (EDT)
To: "johnmac's living room" <johnmacsgroup () yahoogroups com>
Cc: Dave Farber <farber () cis upenn edu>, Declan McCullagh <declan () well com>
Subject: Hackers Hijack PC's for Sex Sites

From the New York Times --
http://www.nytimes.com/2003/07/11/technology/11HACK.html?hp

Hackers Hijack PC's for Sex Sites
By JOHN SCHWARTZ

More than a thousand unsuspecting Internet users around the world have
recently had their computers hijacked by hackers, who computer security
experts say are using them for pornographic Web sites.

The hijacked computers, which are chosen by the hackers apparently because
they have high-speed connections to the Internet, are secretly loaded with
software that makes them send explicit Web pages advertising pornographic
sites and offer to sign visitors up as customers.

Unless the owner of the hijacked computer is technologically
sophisticated, the activity is likely to go unnoticed. The program, which
only briefly downloads the pornographic material to the usurped computer,
is invisible to the computer's owner. It apparently does not harm the
computer or disturb its operation.

The hackers operating the ring direct traffic to each hijacked computer in
their network for a few minutes at a time, quickly rotating through a
large number. Some are also used to send spam e-mail messages to boost
traffic to the sites.

"Here people are sort of involved in the porno business and don't even
know it," said Richard M. Smith, an independent computer researcher who
first noticed the problem earlier this month. Mr. Smith said he thought
the ring could be traced to Russian senders of spam, or unwanted
commercial e-mail.

By hiding behind a ring of machines, the senders can cloak their identity
while helping to solve one of the biggest problems for purveyors of
pornography and spam: getting shut down by Internet service providers who
receive complaints about the raunchy material.

The web of front machines hides the identity of the true server computer
so "there's no individual computer to shut down," Mr. Smith said. "We're
dealing with somebody here who is very clever."

By monitoring Web traffic to the porn advertisements, Mr. Smith has
counted more than a thousand machines that have been affected.

The creators of the ring, whose identities are unknown, are collecting
money from the pornographic sites for signing up customers, the security
experts say. Many companies play this role in Internet commerce, getting
referral fees for driving customers to sites with which they have no other
connection.

The ring system could also be used by the hackers to skim off the credit
card numbers of the people signing up, said Joe Stewart, senior intrusion
analyst with Lurhq, a computer security company based in Myrtle Beach,
S.C.

The current version of the ring is not completely anonymous, since the
hijacked machines download the pornographic ads from a single Web server.
According to the computer investigators, that machine apparently is owned
by Everyones Internet, a large independent Internet service company in
Houston that also offers Web hosting services to a large number of
companies. Jeff Lowenberg, the company's vice president of operations,
said that he was not aware of any illegal activity on one of his company's
computers but said that he would investigate.

Mr. Stewart said the ring was most likely a work in progress, and that
flaws, like being tied to a single server, would be eliminated over time.

He said the ring was troubling not just because of what it is being used
for now but also because of what it might be used for next.

"This system is especially worrisome because they have an end-to-end
anonymous system for spamming and running scams," he said. "It's not a far
stretch to say that people who are running kiddie porn sites could say,
`Hey, this is something we could use.' "

The computer ring is the latest in an evolution of attacks that allow
creators of spam and illicit computer schemes to use other people's
computers as accomplices. For several years, senders of spam have relied
upon a vestigial element of the Internet mail infrastructure known as
"open relay" to use Internet servers as conduits for their spam.

As network administrators have gradually shut down the open relay
networks, spam senders have used viruses to plant similar capabilities on
home and business computers.

But this appears to be the first viral infection to cause target computers
to display whole Web sites, Mr. Smith, the researcher, said.

A Justice Department official said that the computer ring, as described to
him, could be a violation of at least two provisions of the federal
Computer Fraud and Abuse Act.

The ring has also been used to run a version of a scheme for collecting
credit card information from unwary consumers that has been called the
"PayPal scam," Mr. Smith said. The hijacked computers send e-mail messages
that purport to come from PayPal, an online payment service owned by eBay,
asking recipients to fill out a Web site form with account information.

It is unclear precisely how the program, which depends on computers hooked
up to high-capacity, high-speed Internet connections, gets into people's
computers. Mr. Smith said that he thought that the delivery vehicle was a
variant of the "sobig" virus. But Mr. Stewart, the computer security
expert at Lurhq, said he had seen no evidence that the "sobig" virus was
the culprit, and is looking at other mechanisms for delivery.

Neither Mr. Smith nor Mr. Stewart has found a simple way to tell whether a
computer is infected. Technically, the rogue program is a reverse proxy
server, which turns a computer into a conduit for content from a server
while making it appear to be that server. Mr. Smith said when word of the
program gets out, antivirus companies are likely to offer quick updates to
their products to find and disable the invasive software.

Computer owners can protect themselves by using firewall software or
hardware, which prevent unauthorized entry and use of computers, Mr. Smith
said. The rogue program does not affect the Apple Macintosh line of
computers or computers running variants of the Unix operating system.

Mr. Stewart, who has written a technical paper to help antivirus companies
devise defenses against the porn-hijacking network, has named the program
"migmaf," for "migrant Mafia," because he thinks the program originated in
the Russian high-tech underworld.

Hackers from the former Soviet Union have been linked to several schemes,
including extortion attempts in which they threaten to shut down online
casinos through Internet attacks unless the companies pay them off.

Antispam activists have also accused Russian organized crime organizations
of taking over home and business PC's to create networks for sending spam.
"They always seem to lead back to the Russian mob," Mr. Stewart said.

Copyright 2003 The New York Times Company
*** FAIR USE NOTICE. This message contains copyrighted material whose use
has not been specifically authorized by the copyright owner. The
'johnmacsgroup' Internet discussion group is making it available without
profit to group members who have expressed a prior interest in receiving
the included information in their efforts to advance the understanding of
literary, educational, political, and economic issues, for non-profit
research and educational purposes only. I believe that this constitutes a
'fair use' of the copyrighted material as provided for in section 107 of
the U.S. Copyright Law. If you wish to use this copyrighted material for
purposes of your own that go beyond 'fair use,' you must obtain permission
from the copyright owner.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

   "When you come to the fork in the road, take it" - L.P. Berra
   "Always make new mistakes" -- Esther Dyson
   "Be precise in the use of words and expect precision from others" -
    Pierre Abelard
   "Any sufficiently advanced technology is indistinguishable from magic"
    -- Arthur C. Clarke
   "Bobby Layne never lost a game. Time just ran out." -- Doak Walker
                          John F. McMullen
                 johnmac () acm org johnmac () cyberspace org
              ICQ: 4368412 AIM & Yahoo Messenger: johnmac13
                  http://www.westnet.com/~observer


------ End of Forwarded Message

Archives at: http://www.interesting-people.org/archives/interesting-people/

