Getting more spam lately? Networks of compromised computers, running hidden software controlled remotely by God-knows-who, are probably the reason. These networks, known as “botnets,” are responsible for an estimated 80 percent of all spam. What’s worse, your computer may be part of the problem.
Take this example of how a bogus stock recommendation spam works: On Friday morning, a penny stock is trading at 8 cents a share. A spammer purchases 11.6 million shares of stock, driving the price up to 11 cents. After the market closes on Friday afternoon, the spammer sends out millions of spam messages touting the stock. Monday morning, the price peaks at 25 cents a share. Two days later, the stock is back at 12 cents a share. If the spammer sold his shares at the peak, he made a substantial amount of money. Hypothetical? No. It’s from the New York Times.
Of course, sending out millions of emails from your AOL account (or even your sonic.net account) is going to draw some attention from the people in charge of those networks. Most Internet service providers keep a close eye on the amount of email being sent by an individual user. If you’re a nefarious spammer, the answer is to create (or hire) a botnet to send out all those emails.
The botnet consists of thousands of computers that have been infected with a hidden program that sends emails and can be controlled remotely. With that many computers, you can send a large amount of email without setting off any alarms. And by hiding itself cleverly, the program will survive reboots of the computer system. The computer’s owner will likely never suspect they’re contributing to the spammer’s illegal “pump and dump” stock promotion.
How did those thousands of computers become infected? One way is via a computer “worm.” A worm program uses the Internet to transmit itself from one computer to another, making use of known security holes, almost exclusively within the Microsoft Windows operating system. Current estimates from researchers at the Internet Storm Center (part of the SANS Institute, www.sans.org) indicate that a Windows XP computer without current security patches installed and connected directly to the Internet will last about an hour before being compromised by a worm attempting to propagate. The good news: back in 2003, that “survival number” was less than 15 minutes.
The second way your computer can become infected is by opening an infected attachment or downloading information from an unscrupulous website. You might think a good anti-virus solution like Norton or McAfee would have addressed this problem by now, and you’re mostly correct.
These days, the problem is so-called “Zero Day” exploits, where a virus becomes widespread on the day of its discovery “in the wild,” before Norton and McAfee can create updates for their virus-scanning engines. The most recent example of this was a virus which exploited poorly written Windows code that animates mouse cursors (a feature of the various visual “themes” that Microsoft provides). Microsoft issued a patch via Windows Update in about five days, which constitutes record time for them.
It’s pretty clear that most corporate networks focus a lot of attention on security. The real vulnerability is computers in homes and small businesses. In the days of dial-up access, it was pretty easy to tell if your computer was trying to access the Internet without your permission. But with the rise of always-on DSL and cable connections, many computers are connected to the Internet all the time. And a zombie computer (as infected computers belonging to a botnet are called) doesn’t appear to have anything wrong with it. So how do you tell if your computer is infected?
The trouble is, because these so-called “rootkit” programs are actively trying to hide from you (and from programs that might be used to detect them), the answer tends to require some technical knowledge to implement. Having said that, a good anti-virus program should easily detect the existence of all known rootkits that pose a viable threat. A recent study (funded by Symantec, it should be noted) found Symantec’s Norton AntiVirus 2007 best at detecting and removing rootkits, followed by McAfee Internet Security 2006 and WebRoot Spy Sweeper. Despite the fact that Symantec funded the study, it’s worth reading if you’re interested in this general problem. You can find it at www.symantec.com by searching for “handling today’s tough security threats.”
So, if you don’t have an up-to-date copy of a quality anti-virus program, go buy one for each of your home or office computers (Costco sells ’em cheap), install it and make sure automatic updates are enabled. Leave your computer turned on all the time and have it scan your hard disk every night at 2 a.m. Just make sure it stays up-to-date and runs a full scan reasonably often.
Oh, and be sure to look at the results.
The other thing you absolutely must do is enable automatic updates of Windows, which you can do by opening the Start menu, choosing Control Panel and then Security Center. Unless you have IT support, it’s the best way to make sure your copy of Windows has all the current security patches. Again, since Windows Update runs at 3 a.m. by default, you’ll want to keep your computer turned on.
An additional bit of security is a software firewall, which keeps track of which programs are attempting to communicate over the network. Microsoft includes one with Windows, but it has some limitations. I prefer ZoneAlarm, which is still free for personal use.
The last thing I’d recommend is not physically plugging your computer directly into the Internet. If you have multiple computers sharing a single Internet connection, you probably already have that taken care of. Otherwise, you should consider buying an inexpensive router from Linksys (now owned by Cisco), Netgear or D-Link. Your computer(s) plug into the router (which hides them from the public Internet) and the router plugs into the cable or DSL modem. This provides a basic hardware “firewall.”
Here’s a funny thing I’ve noticed: People who do this don’t seem to have problems. Sadly, it’s the people who don’t take care of their computers by patching them and installing antivirus and hardware/software firewalls that end up with zombie computers.
I’d love to know if this column helps anyone discover a zombie in their midst. Please drop me a line at mduffy@northbaybiz.com if you do!
Author
-
Michael E. Duffy is a 70-year-old senior software engineer for Electronic Arts. He lives in Sonoma County and has been writing about technology and business for NorthBay biz since 2001.