    Virus writers look to turn a profit


    THE GUARDIAN , LONDON
    Monday, Nov 29, 2004, Page 12

    The shady world of the virus writer is changing. Programmers of computer viruses used to do it for fun, out of intellectual curiosity, or just bloody-mindedness, infecting computers with malevolent code because they could.

    But now there are worrying signs that virus writing has evolved into a lucrative industry, with spammers, mobsters and blackmailers in on the act.

    "What we've seen in the past 18 months or so is a shift in the way viruses work," says Graham Cluley, senior technology consultant at Sophos, the UK-based anti-virus company. "It's all about money."

    Yesterday's viruses carried isolated payloads, which could be anything from displaying a benign message on the screen to wiping your hard drive. Once the payload had been delivered and the virus had copied itself to another machine, its work was done.

    Today's malware is often different: it creates a back door on a PC, enabling hackers to control it over the Internet and use it for nefarious purposes.

    "Zombies," or "bots," PCs that have been infected in this way, are being used to make money for a new generation of criminal, explains Alex Shipp, senior anti-virus technologist at MessageLabs.

    For example, "the hackers will change the phone number your PC's modem dials to dial an expensive number and make money for them. If you are using broadband, that's even better, because you have a fast connection to the Internet. They can use your computer to send out spam and charge people for the service."

    Spammers send unsolicited commercial email from compromised machines on "botnets" because it makes it more difficult for recipients to block the mail, and it protects the spammers' servers from being tracked and shut down. Networks of tens of thousands of Windows PCs are used for such purposes.

    Telenor, an ISP, recently shut down a 10,000-strong botnet of computers controlled over the Internet Relay Chat (IRC) network.

    Once a team of virus writers has grown its botnet to a sufficient size, it can sell it as a resource.

    Sales of "botnet time" between criminals are often conducted through covert negotiations on IRC, the very mechanism used to control the botnets.

    Internet are now becoming increasingly sophisticated in their attempts to recruit desktop PCs into botnets.

    One of the latest, Bofra, sets up its own Web server on an infected PC and then e-mails its address to contacts in the PC's e-mail address book. When recipients click on the e-mail -- which has no virus inside it -- they are taken to the infected PC, which in turn tries to infect their computers.

    Each infected computer listens on the IRC network for hackers that want to take control of it.

    The spread of Bofra has been limited, and corporate machines are unlikely to be infected by it because of weaknesses in the way it works.

    However, that doesn't matter, says Pete Simpson, Threatlab manager at Clearswift, an e-mail security software company.

    "It's the unprotected PCs -- the soft underbelly of the Internet -- that have been infected," he said.

    "These crooks are not interested in collecting owned corporate PCs. They are gathering a free resource that can be sold on for spamming attacks," he said.

    The sort of people who use Windows PCs that have not been patched with recent updates, including SP2, and who don't have firewalls, are also the ones who may not notice their PC is being used for spamming, and won't know how to respond.

    Spamming is not the only reason for collecting zombie PCs. Some criminals marshal "their" machines to mount distributed denial of service attacks on corporate computers, blackmailing the victims before they will stop the attacks. Web sites of several online betting companies have been attacked recently.

    Botnets can also be used as free Web hosts, says Mikko Hypponen, head of anti-virus research at F-Secure, a security firm.

    "These guys use infected computers to run Web sites selling hardcore porn and illegal goods," Hypponen said.

    Who is behind this fast-growing criminal industry? Many of the groups come from Eastern Europe or Russia, and the UK's National High-Tech Crime Unit (NHTCU) has in the past year arrested dozens of people connected with identity theft and extortion through denial of service attacks.
