By Rob Waugh
21st December 2007
Connect your new Christmas computer to the web and within minutes it
could be used for internet crime. Rob Waugh finds out how the
cyber-terrorists are using your PC to create a multi million-pound
Eighteen days ago, on December 5, a small 24-kilobyte package of
encrypted data pinged noiselessly from one PC to another, then another,
and another, across the internet in Europe, America and the Far East.
Soon, the electronic synapses of a network of millions of computers
around the world sprang to life. Thousands were in ordinary houses
The PCs had one thing in common: all had fast broadband connections.
Despite being in sleep mode, they were able to accept, process and react
to these digital commands from outside.
Once the first messages had been sent, the infected PCs reacted all by
themselves, communicating with 'cells', or batches, of 25 computers, in
machine-gun bursts of binary code.
High-grade encryption protected the messages that passed through the
legions of PCs so that observers at computer security firms could detect
that something was happening, but not what.
Each machine was able to detect other PCs whose internet ports were held
open. The attack spread organically, invisibly. And it all happened
within the space of half a minute.
None of the owners of the PCs had an inkling of what their machines were
doing. These were ordinary home computers that would betray no sign of
their activities the next day. If you are reading this feature online,
it's quite possible the PC you are reading it on was one of them.
What was it all for? The worm (and it is termed a worm, rather than a
virus) was called Storm, and was designed for a very specific and
effective purpose: a Distributed Denial of Service attack, or DDOS.
This is how it works: having inveigled themselves deep inside our
computer operating systems, the Storm replicants stopped and settled
into a simple "listen" mode, waiting for new orders from a website whose
details were already hard-coded into the worm.
When the orders came, the PCs began making simple requests of data first
in megabytes (1,024 bytes), then in gigabytes (1,024 megabytes), then in
terabytes (1,024 gigabytes) from specialist websites such as Antispam,
whose sole purpose is to combat the modern scourge of spam emails.
The idea was to swamp them with so many data requests that they could no
Like all anti-terrorist units, the anti-spam brigade were hardly
unprepared. They were armed with lightning fast connections designed to
cope with this sort of threat. Alas, on this occasion, they were
overwhelmed by the sheer ferocity of the onslaught.
To be fair, a DDOS attack, also known as a SYN Flood, is very hard
indeed to resist. Some connections can only withstand 500 requests a
second. Specially hardened connections can weather up to 14,000. No
website on Earth could have withstood what the Storm worm unleashed that
Thus the anti-spammers' servers overloaded. Their email system shut
down. Their connection to the outside world was broken. Within minutes,
the sites had to be taken offline by their owners.
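The capacity figures above (a link that can withstand 500 requests a second, a hardened one up to 14,000) are the kind of threshold a defender compares traffic against. The script below is an added example, not code from the article or from any of the firms it names; it runs detection logic over constructed common-log-format web server lines, aggregates requests per second, and reports any second whose total exceeds a stated capacity. It also records the busiest single source in each flagged second, which shows why a per-IP limit alone misses a flood spread thinly across many infected PCs: in the constructed sample each source sends only two requests, yet the aggregate is well over the 500/s mark.

```python
"""Aggregate request-rate detection over web server log lines.

Added example; the log lines are constructed here, not taken from the
article. Timestamps, IPs and request counts are all made up for the demo.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx common log format; we only need the source IP and the timestamp.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (source_ip, timestamp truncated to the second) or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # '05/Dec/2007:12:00:00 +0000' -> '05/Dec/2007:12:00:00' (drop the zone offset)
    return m.group("ip"), m.group("ts").split(" ")[0]


def per_second_counts(lines):
    """Map each second to a Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than let one break the detector
        ip, second = parsed
        buckets[second][ip] += 1
    return buckets


def find_flood_seconds(lines, capacity_rps):
    """Seconds whose total request rate exceeds capacity_rps.

    Each hit records the total, how many distinct sources contributed, and the
    busiest single source, so a distributed flood (many quiet sources) is visible
    even though no individual IP looks abusive.
    """
    hits = []
    # String sort is fine here because the sample stays within one minute;
    # a production detector would parse the timestamp into a datetime first.
    for second, counter in sorted(per_second_counts(lines).items()):
        total = sum(counter.values())
        if total > capacity_rps:
            hits.append({
                "second": second,
                "total": total,
                "sources": len(counter),
                "max_per_source": max(counter.values()),
            })
    return hits


def make_sample_log():
    """Constructed sample: 10 quiet seconds (5 sources, 40 req/s), then 3 flood
    seconds in which 400 distinct sources each send just 2 requests (800 req/s)."""
    def entry(ip, sec):
        return f'{ip} - - [05/Dec/2007:12:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'

    lines = []
    for sec in range(10):
        for i in range(5):
            for _ in range(8):
                lines.append(entry(f"10.0.0.{i + 1}", sec))
    for sec in range(10, 13):
        for i in range(400):
            # 198.51.100.0-199 and 198.51.101.0-199: documentation-range addresses
            ip = f"198.51.{100 + i // 200}.{i % 200}"
            for _ in range(2):
                lines.append(entry(ip, sec))
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for hit in find_flood_seconds(make_sample_log(), capacity_rps=500):
        print(hit)
```

Run against the sample, the detector flags seconds 10 to 12 at 800 requests each from 400 sources with a busiest-source count of 2; with the 14,000 requests/second figure as capacity, nothing is flagged, which is the article's point about hardened links.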
But precisely what, you may ask, has any of this Michael Crichton-esque
tale got to do with you and me? Sadly, rather a lot.
On one level, the anti-spam campaigners whom we can all thank for an
often invisible shield against inbox-crippling and potentially damaging
spam email had been sent a brutal message: don't mess with our right to
use the internet for organised crime.
On another, it proved the sheer power of a new variety of internet
threat: adaptable, socially engineered to spread via hugely popular sites
such as MySpace and YouTube, and designed to slip past both the defences
of the savviest web user and under the radar of most security software.
And then, once there, to use your machine for illegal activity: simple
grifting scams like asking for your credit card to eliminate
non-existent computer threats or identity theft, or using your PC as a
front for spreading, for example, pornography, both licit and illicit.
It all goes to show what kind of secret, highly illegal life your shiny
new Christmas computer may very soon be leading; and why, in 2008,
things are going to get a whole lot worse.
"From the moment you take your brand new PC out of its Christmas
wrapping paper and connect it to the internet, it can be less than ten
minutes before you become infected in some form or other," says Connor
Mallen of internet security expert Symantec, developer of the Norton
"You should be very concerned that your existing PC is already being
controlled. The old advice (never open email attachments, don't visit
dodgy websites) has been good up until this year. But the bad guys have
now come up with methods that let them plant their stuff in 'good
neighbourhoods' on the web; in sites you actually know."
"And you don't have to click on something; you get infected just by
visiting a website. It's becoming known as 'drive-by downloading.'"
How do we know if our machines are infected? "There might be a few
tell-tale signs," says Mallen.
"Your PC might run a bit slower. Pages on the internet might take a
little longer to pop up. You might see in your email outbox that you've
been sending emails you have no memory of. I always tell people that
before complaining about spam they should check that they aren't
"Unfortunately, the vast majority of users don't have the technical
expertise to even know it's happening. The idea that someone can steal
your PC, and your neighbours' PCs, and use them to commit crime: it's
everyone's worst nightmare. But it's going to keep happening, and with
ever more frequency."
At this stage, we might comfort ourselves with this thought: Symantec
exists to protect us from viruses and worms. The more we have to be
nervous about, the better their business. But before you take that as
succour, you might want to take a trip out to Sandwich in Kent and visit
The place of last digital refuge certainly takes itself seriously. It
lies behind a razor-wire perimeter studded with concrete posts. It is
hardened against nuclear blasts, electro-magnetic pulse weapons and
Entry to the compound is strictly controlled by guards; dogs patrol the
facility; a guard behind a steel-lined slot checks your photo
identification as you arrive and a reinforced steel gate slides open.
Entry to The Bunker itself is controlled by a passcode panel set into a
concrete door leading into the hillside. Once beneath the ground, you
pass through an electronically secured steel turnstile.
Twenty feet further down the corridor, passage is blocked by two
blast-proof metal doors six inches thick, then two gas-proof doors,
flanked by a decontamination room. Finally, you reach the interior via a
passcode-controlled airlock.
This is The Bunker: not a military facility but a data centre. It is the
ultimate in PC security, and dramatic evidence of just what a wicked
place the modern digital world has become.
Within the core of the base is 50,000 sq ft of cutting-edge computer
hardware, temperature-controlled and hidden behind layers of electronic
security as well as the obvious physical safeguards.
The rooms are filled with steel cages that contain banks of servers
built from the ground up for business clients too afraid to leave their
data at the mercy of the outside world.
"This is a whole internet service provider," says Paul Lightfoot,
technical services director of The Bunker, gesturing at a stack of beige
components with LEDs flashing over the surface, housed inside a black
"It's like a pile of 500GB hard drives connected together and stacked on
top of one another; it's got every IP address and piece of data owned by
the provider. This one here is a Far Eastern dealing floor. And over
here," he gestures at three racks housed inside a huge white cage, "is PC
World's SmartBackUp service, for home users' photos and music."
"People's lives are data now. Their photos, their music. It's a big part
of our business, providing the security behind the services that promise
to back up your data."
"We build and harden systems, we put up an outer firewall, then we
firewall within the system. Then we offer advice to customers on how to
ensure the rest of their business is as safe as this. Even if the whole
internet went down, some of our customers have direct, purpose-built
lines leading to their data here, so they could keep on operating in
As we return to the surface of the former MoD radar bunker, we are met
by a guard who has a series of digital photographs of us taken inside
the facility: merely entering The Bunker triggers motion-sensitive
cameras, an extra line of defence against intruders.
Lightfoot says, "People used to say to me, 'Why do you have a facility
like this? Surely it must be overkill?'"
"They don't ask that question any more. The threats have multiplied
exponentially over the past couple of years. Tools are now readily
available on the internet to let you penetrate systems. School children
can do it."
"And more and more systems have gone entirely online. Five years ago, if
your PC broke down you could use a fax. Who has one of those now? Today,
if your IT system goes out that's you gone. And that's where we come
The idea of systems that are hidden behind so many different layers of
protection has become irresistibly appealing to business in a time when
internet threats mutate by the hour and when hacking has gone from being
simple teenage cyber-vandalism to big business, as the Storm worm so
tangibly proves. And if businesses are this paranoid, shouldn't you be
Back in London, I meet Jart Armin, an anti-cyber-crime campaigner who
spoke at a seminar last week in Cambridge in front of the university's
security research group.
"Two-and-a-half weeks ago there was an attack on the Economist website
that meant if you visited the sites your PC was infected. You didn't
even need to click on anything."
"It was orchestrated by a group known as Russian Business Network (RBN).
I've heard it quoted that they are in some way involved in at least 60
per cent of crime committed online and I wouldn't dispute that. From my
investigations they are earning at least 200 million a year."
He shows me some web pages for "anti-virus software." They look
convincing, and are designed to the same professional specifications as
the genuine article from companies such as Symantec, McAfee or Sophos.
"Five million people downloaded this last month," he says. "It's fake.
This advert pops up, people get tricked into going to their website for
a 'free scan,' which then injects malicious software on to their PC. You
then have to pay them to download the full software."
That, in turn, loads more and more malicious software on to your PC.
"Clearly, RBN has hired web designers to make this look good. It is,
after all, a very efficient business. It was started by young unemployed
techies in St Petersburg. But then it was sponsored by ex-KGB men and
Earlier this year, RBN hackers broke into the Bank of India's website
and installed software that meant every visitor surrendered their
account details to the criminals. It was one of the first instances of
"If you're a young hacker, you can't just phone RBN and ask to use their
latest software," says Jart. "You pay them. I used to be a hacker and
write viruses. But for me it was always about intellectual games: can I
take your PC offline faster than you can take mine offline? Now it's
"Along with a few others, I hacked into some of RBN's hidden servers. We
found 200 to 300 directories full of names, bank accounts and
compromised PCs. Each directory was worth around 5 million."
"As a client (someone buying accounts to steal from) you can select. You
can think, 'Do I want southern England? Do I want social class A, B or
Jart admits he does not know how many people make up RBN or who its
elusive hacker leader is. Known as Flyman, he is famous on the internet
(hackers are thought of almost as folk heroes in Russia, where IT skills
are plentiful but high-paying jobs scarce) and is being pursued by
police both in Russia and around the world.
Jart also claims that legitimate businesses have been involved in RBN
scams, with a major internet gambling site used to launder money.
"To watch them at work, you've got to enter the other side of the
internet: Usenet," says Jart, referring to the older system that
connected computer to computer directly.
"There are no Google searches and little policing. It's all there, it's
unrestricted. People have been trading stolen software for decades. I
tell people to go there with armour plating and their six-gun cocked."
"When the 25 million addresses 'lost' from the British Government come
up for sale on the web (and they will appear) there are only five servers
in the world they are going to appear on: all Usenet. Wholesalers
will be dealing in them, not RBN themselves, but they'll be bidding for
Cyber-crime gangs have become more like businesses with each passing
month. Stolen identities are currency to them. Compromised PCs are their
weapons. Worms and viruses are crafted specifically to fit with the
latest internet trends and to spread to the maximum number of people.
The Storm worm sent emails relating to free music, Myspace links,
YouTube videos and offers of free games such as Halo 3. But cleverly
tuned scams can target anyone.
"I have been an avid eBay user for about five years and have 100 per
cent feedback," says Jim Devlin, an IT consultant.
"However, about four months ago I received an email which I was sure was
a genuine message from eBay, so I logged on and entered my details,
password included. My PC froze about 15 minutes later and I had to
switch it off and re-start it."
"The next day I checked my eBay account, just to see if I had won an
item I was bidding on. I found that I was selling about 1,000 items of
very high value, all with a one-day sale and a bank transfer or credit
card-only payment system."
According to Richard Cox of UK-based internet security firm Spamhaus,
the police are almost powerless to stop this hi-tech crime.
"It's not one person sending 2,000 spam emails then cashing in the
revenue from the identity theft," he says.
"The people who write the emails will send them to someone who 'rents'
time on compromised PCs to send the mails; they'll send the stolen card
details to someone else, then someone else will use the cards."
"It's difficult to prosecute anyone; you might get a prosecution for
copyright if they've used a bank's logo illegally, but otherwise it's
"The people who do this rely on the fact that any crime committed on the
web falls between international boundaries. Whose jurisdiction is the
The legal process also moves at a pace so much slower than the internet
itself that it can seem almost irrelevant.
While the internet fraud group ShadowCrew was implicated in extortion in
2004, the culprits to be charged in the UK were sentenced this month. In
that three years other internet crooks could have enjoyed an entire
Which leaves the onus on other agencies. Last month, the servers used by
RBN abruptly shut down. A report in the Wall Street Journal suggested
that media attention had made the organisation close down its
operations. Others remain more sceptical.
"RBN were already switching their IP addresses [a unique number that
computers use to communicate with each other] in August," says Jart.
"Many of them are still active today. Perhaps the RBN realised they had
become a target. But they have not gone away."
"Do you have a business earning that much money, and just shut up shop?
I don't think so."
Possibly not. And if you want definitive proof of just how efficient the
shop is, don't just take his word for it.
To read Jart Armin's blog, go to RBNexploit.com