The people who design rogue programs that take over computers from afar are now applying the tactic that made music-pirating programs so effective -- and the Internet may never be the same.
The rogue programs, known generically as "Trojan horses," have enabled pornographers and others to mask their identities by using the computers of unwitting users as relay stations. It had been assumed that diligent investigators could ultimately shut down a system by identifying the server computer used as the initial launching pad. But now a researcher has determined that a new kind of Trojan horse could make the systems virtually unstoppable.
Joe Stewart, a computer expert at the LURHQ Corp., a security company based in Chicago, said that he discovered this new phase in the evolution of Trojan horse programs while taking apart a program called Backdoor.Sinit, which has been circulating on the Internet since late September.
Sinit, Stewart said, does something unexpected: It uses the commandeered PCs to form a peer-to-peer network like the popular KaZaa file-sharing program. Each machine on the network can share resources and provide information to the others without being controlled by a central server machine.
"It's like KaZaa only without all the pesky copyrighted files," Stewart said. And, as the music industry has discovered, when there is no central machine, "these tactics make it impossible to shut down," he said.
Computer security researchers have been watching the evolution of remote-access rogue programs as they have become more common and have put more machines under the control of hackers. Programs like Sinit infect target machines and surreptitiously open back doors that allow outsiders to control the PCs. The rings of infected computers have been used to send spam, to present online advertisements for pornographic Web sites or to trick people into giving up information like credit card numbers.
At least a third of all spam circulating on the Internet is now sent from or relayed by personal home computers that have been taken over, said Jesse Dougherty, director of development at Sophos, an antivirus and antispam company.
Security researchers began to notice an enormous rise in the volume of spam in the summer, when versions of the SoBig virus were making their way across the Internet. SoBig, Dougherty said, "was so big and so virulent that people started to wonder, 'What is the purpose of all this?'"
Clues have started to emerge. Each version of SoBig was programmed with a life span, turning itself off after a month. The regular updating of the program hinted at a commercial use, Dougherty said, "almost like a subscription" that would expire after a time. Researchers found further evidence that Trojan programs were used in spamming, Dougherty said, when a new malicious program, MiMail, circulated and caused infected machines to attack the computers of organizations that fight spam.
The problem for the hackers was that the system could still be defeated at its weakest point. Many of the early rings were programmed to download software updates and instructions from a single site that could be discovered and shut down.
Now the Trojan program designers are taking the "next logical step," Stewart said, and moving to the peer-to-peer model. The Sinit program has been discovered on machines that have been hijacked to serve pop-up advertisements and to download "porn-dialers."