Dark Corners of the Web

Published 18.10.2010 ‘Feature’ Engineering & Technology Magazine

Barely out of its teens, the Web has a plethora of noble achievements as well as a few skeletons hiding in the closet. A shadow is cast by the growth of criminal activity online, dampening the spirits and emptying the pockets of users worldwide. Network resources are choking under the strain of botnets sending spam and phishing emails. Denial of service attacks and the looming threat of cyberwarfare are fuelling a digital arms race. Fraudsters, identity thieves and extortionists scour home pages and online profiles in search of their next victim. Will the Web survive as a tool of global progress and innovation, or will the Shadownet extinguish its short-lived spark, making life online unbearable?

spam, no capitals

Let’s begin with spam, and make sure not to capitalise the word, as requested by the Hormel Foods Corporation, the maker of Spam luncheon meat. Spamming for commercial gain was popularised by two New York immigration lawyers, who advertised their services in Usenet postings with the subject line ‘Green Card’ in 1994. Having earned over $100,000 in revenue from the ad, along with public scorn all over the city, they vehemently defended their right to free speech and came out with a book titled ‘How to make a fortune on the Information Superhighway’.

The minuscule cost of sending spam and the potentially huge profits attracted many shadowy characters. Vardan Kushnir, an Armenian living in Moscow, was the director of the American Language Centre teaching English to Russian nationals. In 2003-04, his classrooms were kept full by 25 million advertising email messages sent out every day. Kushnir rented servers in China, bought email lists on the black market and used his technical know-how to beat the spam filters.

A year before his violent death in 2005, he was publicly chastised by Russia’s deputy-minister for communications. Kushnir went on the offensive, flooding the deputy’s inbox with Viagra promotions. In August of the following year, police detained four people in connection with Kushnir’s murder, but no names were released or trials set. All information related to the case is still embargoed.

The conversion rate for spam is around one successful sale for every dozen million emails or so. The online black market rate for a million deliverable email addresses is around $50, and lists can be purchased from anonymous characters in IRC chatrooms or from third-party companies that specialise in gathering addresses.

Studies from Kaspersky Lab show that spam made up 82.6 per cent of all email sent in August 2010.

The search for reliable, cheap and untraceable servers has led to the growth and expansion of the Shadownet. Whereas originally spam servers were rented in jurisdictions without proper oversight or from ISPs that knowingly benefited from this industry, the preferred method for cybercriminals today is to break into your computer and use it as a drone for these activities. To do so, the spammers, hackers and virus writers got together.

Imagine that a malicious piece of software is installed on your computer. It may come embedded within another program or an email attachment. You may be the victim of a drive-by download or a script injection – malware that installs itself when you visit the wrong website, or click on a pop-up. Your computer is now ‘owned’.

The payload delivered, an agent opens a backdoor to the controller, awaiting further instructions. Your computer is a ‘zombie’, although you may never suspect this. One of the most notable changes within the Shadownet community has been in the motivation and goals of its virus writers and hackers. No longer driven by fame and notoriety, their interests are purely financial, and their methods have changed in order to conceal an unauthorised break-in or the installation of malware for as long as possible.

As a similar piece of malware is activated on many computers, it creates a botnet – a network of infected zombies ready to spread viruses, send out spam or launch distributed denial of service attacks against a website, Internet service or, more recently, national network infrastructures. A botnet is capable of sending billions of emails or requests for service per day.

Botnet vigilante

Andre DiMino is a botnet vigilante. He is part of the Shadowserver Foundation, the Internet’s equivalent of neighbourhood watch – a non-profit collective of technology and security specialists who monitor, report and often battle cybercrime.

They set up honeypots to catch and disassemble malware, monitoring its behaviour and communication with the operators. DiMino laments that ‘not so long ago it was possible to chat with a bot operator on an IRC channel. In the early days, it was a badge of honour to set up your own botnet’, he says, ‘now it is purely business and there is all incentive for them to remain anonymous. The bad guys’ advantage is that they only need to be correct once to infect a computer or network’.

Spamming has steadily progressed from advertising to phishing – fraudulent messages that attempt to extract personal and financial information from the reader. The origins of the Spanish Prisoner scam go back to the 1800s, with a supposed aristocrat languishing in a Spanish cell and requesting bail money with a promise of rewards upon his release. Its modern-day equivalents are run by organised criminal networks, most notably the Nigerian 419 Confidence Tricksters (the name arising from the Nigerian criminal code article for fraud) who bring in hundreds of millions of dollars each year from unsuspecting Web users.

Linguists, psychologists, computer hackers and collaborators, who reside in the victim’s country and pose as government officials or businessmen, are brought in when a hapless user replies to the initial message. The US and UK lose billions of dollars every year to phishing scams.

Kimberley Zenz, a researcher of cybercrime in the former Soviet Union, speaks about the Russian Business Network, labelled the ‘baddest of the bad’ by the security company Verisign. ‘Run from St. Petersburg, the group openly offers hosting services to cybercriminals. You could run your botnet herder, spam server, porno site and what not, the RBN would host and protect the site for you. Just one of the schemes traced back to the RBN servers had netted $150m in a single year. The owners, who were said to have family connections in the government, had always bribed their way out of trouble. In the end, most ISPs around the world simply blocked the RBN IP range altogether and soon after the ‘company’ dissolved.’


‘A worrying trend is the evolving of targeted attacks against a government or organisation, otherwise known as spearphishing,’ explains DiMino. ‘Whereas a botnet is a shotgun approach, targeted attacks are more like snipers,’ he adds. Spearphishing is the business of choice for dedicated and highly skilled cybercriminals.

‘Its purpose is to defraud or steal confidential information from a specific person, usually the CEO or a highly placed government official.’ With social engineering attacks, aided by the prevalence of available personal data on Facebook, LinkedIn and the like, criminals convince the victim to install malware on their computer. Subpoenas received from the Justice Department or requests for a meeting from Internal Revenue have people scrambling to follow the link within an email for more information.

Thousands of senior executives duped, billions of dollars lost. Whereas spam or general phishing may be easy to recognise, would you automatically delete an email from a school sweetheart with a link to pictures of a recent party?

Digital attacks

The Shadownet continued to evolve. An innovative, yet highly destructive, use was discovered for existing botnets – distributed computing tasks. Similar in principle to the SETI project, the mission was to turn each zombie computer into a digital weapon. Botnet operators would direct the herd to a particular website with requests for service. As thousands or even millions of requests came through each second, the server or the last leg of the communications channel would become overwhelmed. This became known as a distributed denial of service attack, or DDoS.

In 2000, Mixter, a German hacker and current member of the Cult of the Dead Cow collective, was investigated by the FBI for creating and releasing the Tribe Flood Network, a botnet tool that conducted a variety of sophisticated DDoS attacks.

Interviewed by E&T, Mixter explains his motivations for releasing the tool online: ‘In the spirit of full disclosure, [it was] to make available the first documented source code of a DDoS application… Beyond that, it was also an interest in professional recognition, some curiosity how well this application would work, since no comparable application was public, and personal training in writing a large-scale network application.’

The TFN was picked up by 15-year-old Mafiaboy, a script-kiddie (someone who uses or slightly modifies an already existing tool) of Montreal, who then launched an attack on CNN, eBay, Yahoo and Dell websites causing an estimated $1.2bn in damage.

Russian connections

‘If you don’t like someone, you can DDoS them in Russia,’ says Zenz. ‘Botnets are used very effectively and creatively here… wherever it may be possible to stem the flow of information. A small botnet of several thousand computers can be rented for as little as US$15/hour. DDoS attacks are launched to gain an advantage against a commercial competitor or as part of a criminal shakedown. Pay us now or we’ll DDoS you – a common threat you’ll hear these days’.

Botnets have begun to mix with politics and world events, with the Chinese allegedly fighting Taiwan, the Russians reportedly attacking Estonia and, soon after that, Georgia too. DDoS attacks are now frequently deployed to prove a point by disabling websites and even critical Internet services of the ‘enemy’. Although most experts agree that we have yet to witness a cyberwar, countries are scrambling to beef up their defences and make sure they too can retaliate when necessary. The NATO-led Cooperative Cyber Defence Centre of Excellence in Tallinn now runs a five-day Botnet Takeover Course, training its members on how to detect, analyse and take control of a hostile botnet.

No one can be sure how many botnets exist today. Conficker, with an army of millions of infected government, business and home computers, has proven to be one of the most resilient and mysterious botnets. Its creators have adjusted the code several times in response to fixes and attempts to destroy the botnet by security groups set up to battle it. The Conficker payload switched off Windows services, error reporting, system restore and update functions.

Security companies have released fixes for all Conficker variants, yet to date approximately five million workstations remain unpatched. The curious and most worrying aspect of Conficker is that it has never been fully used, apart from a small spam operation to show off its muscle. Security experts fear that a botnet the size of Conficker could bring down any nation’s Internet-connected infrastructure.


September 2010 may go down in history as the Stuxnet month. Experts branded the new worm ‘ground breaking’ as its ultimate purpose was not to steal money or personal information, but to sabotage industrial plant systems. Its target is thought to have been the Iranian nuclear reactor in Bushehr or the centrifuges in Natanz. Within its code were several undiscovered exploits and supposedly valid (if stolen) encryption certificates, issued by reputable companies.

Mixter explains further: ‘Stuxnet seems to be the leading candidate for botnet of the year, as it is very stealthy, very well-coded and targets specific industrial equipment. Stuxnet is most probably an example of a very rich client (or even state or agency) spending considerable money and effort to get a mature software product as well as developing or buying an unpublished Windows remote-exploit (the LNK exploit) that is very rare to discover and would probably cost a six-score sum on the exploit black market.’

Eugene Kaspersky was recently quoted on the worm’s discovery: ‘I am afraid this is the beginning of a new world… Twenty years ago we were faced with cybervandals, ten years ago – with cybercriminals, and I am afraid now it is a new era of cyberwars and cyberterrorism.’

Inevitably, malware creators and cybercriminals will get better and more destructive as newcomers are attracted by potential rewards, and the complexity of operating systems and Web applications continues to increase.

The same, however, can also be said for security researchers, companies and civilian cyber-cops like Shadowserver, as the stakes grow higher.

The Web’s decentralised structure is a great place for cybercriminals to hide in, yet at the same time such decentralisation will ensure its survival and continuation. In fact, what we are witnessing now is not the birth of a new and dangerous world, but simply an electronic extension of our complex and multi-faceted society.