Page last updated at 09:55 GMT, Friday, 13 March 2009

Gaining access to a hacker's world

By Spencer Kelly
Presenter, BBC Click

Spencer Kelly finds out how hackers are making money from attacking commercial sites

For a short time in February, I had complete control over 21,696 personal computers around the world. These were machines whose owners had not taken the basic security precautions necessary to stay safe online.

While their owners were busy checking their e-mails, or playing Solitaire, or doing their accounts, I could have made their computers do anything I wanted without anyone knowing.

I could have ordered the machines to log keystrokes as they were typed, and then send me anything that looked like a banking user name and password.

I could have redirected the users to fake shopping websites - identical to the originals, apart from the fact that come point of sale, the credit card and security numbers would have been delivered to me.

Or I could have used them to spread spam and phishing e-mails to thousands of other computers.

I did not, of course. That would have been illegal.

Immense power

A network of remote-controlled "bots" like the one Click acquired is called a botnet.

How a botnet works

There are many available to buy or rent from cyber criminals hiding behind fake usernames and the non-cooperation of authorities across international borders.

The power of thousands or even hundreds of thousands of bots, all working in unison, is immense. It provides modern organised gangs with the firepower to make and launder vast amounts of money.

After months of investigation and a few thousand dollars, we had managed to buy a botnet from hackers in Russia and the Ukraine.

The process began in chatrooms where hackers advertise their services. You have to earn their confidence, then negotiations take place in instant messaging applications.

Once a service and a price have been agreed, payment is made using a money transfer to keep both sides anonymous.


The software controlling the botnet had an incredibly sophisticated user interface - it looks good, speaks 13 languages, and performing malicious tasks is as easy as clicking a couple of icons.

It behave just like legitimate software developed by experienced programmers.

In fact, Mark Sunner from security firm MessageLabs said the "level of sophistication" found in new botnets are "the technical equivalent of their opposite numbers in the security industry".

But we were not planning to make a quick buck and go loco in Acapulco.

Instead, we were planning to demonstrate the botnet's abilities in a controlled environment.

The spam attack

You know all that junk email that clogs up your inbox? Most of that comes from botnets.

Typing on a keyboard
The "Mega-D" botnet sends out an 28 million spam messages every minute

After all, the criminals behind the spam, "phishing" emails and adverts for fraudulent goods do not want their messages traced back to them.

Instead, they use armies of bots - other people's computers - to send it out for them.

It is estimated that 80% of e-mails on the net is spam - and with millions of bots pumping it out round the clock, it is easy to see why.

We set up a spam test - a low-power demo to show what is possible.

Even with our botnet set to "slow", we managed to send out over 10,000 e-mails in a few hours.

For hardly any more money, a determined spammer could easily add two zeroes to those figures.

The biggest botnet around at the moment, the "Mega-D", sends out an unbelievable 28 million spam messages every minute.

The web attack

Now, imagine holding a big gambling website to ransom.

If they do not pay you lots of money, you will take it offline which will make it unavailable to ordinary users for hours or days on end.

This is a Distributed Denial of Service (DDoS) attack, and it is well within the capabilities of a botnet.

Sometimes the danger of such an attack and the ensuing loss of business is enough to drive large websites to pay hackers that issue such a threat.

If they do not pay up, their site goes down.

Our second demonstration was to aim our botnet at a willing volunteer site, to see just how large an army you need to take the site down.

The answer was just 60 machines. Performing the DDoS attack three times, with our bots constantly trying to access the site, was enough to take it down.

We decided to call off the attack before the rest got stuck in, just in case we did some real damage.

It may seem like science-fiction, but armies of remote-controlled bots are a reality. It is estimated that tens of millions are infected each year.

There are three main things you need to do to protect your system and stop your computer from becoming part of a botnet.

Take a look at our step by step guide:


Step 1
1. Click the Start button
2. Then click Settings
3. Then click Control Panel
This guide is for Windows XP – other versions of Windows may vary slightly.

Step 2
Double-click the icon which is illustrated in the magnified image above.
The layout on your machine might be different – just look for the shield icon.

Step 3
In this window you can see what security measures are switched ON or OFF. Ideally you need all of them to be switched ON. The inset screen shows the Security Center in Windows Vista.

Step 4
1. Under Managed security settings(1) click Windows Firewall.
A firewall can warn you if a computer program is trying to run or connect to the internet. It will also give you the chance to deny that program permission, if you did not ask it to do anything.

Step 5
2. In the window that pops up, the best setting to select is On (recommended).
3. Then click OK to switch on the firewall.

Step 6
Automatic Updates
1. Under Managed security settings¹ click Automatic Updates.
Microsoft regularly updates your Windows operating system to fix bugs and vulnerabilities which let infections in. It is very important to allow these updates to happen automatically.

Step 7
Automatic Updates
2. In the window that pops up, choose Automatic (recommended), and specify when and how often you want Windows to check for updates. If you are unsure, choose every day and pick a time.
3. Click Apply.
4. Click OK.
Step 8
Virus Protection
Anti-virus software can scan your computer and check for dangerous programs that infect your machine. This is software you will need to get from a third party - some versions are free and others paid-for. Microsoft has advice under Virus Protection on just some of the brands available.
Step 9
When all protection measures are active, the bars in the Security Center will turn green.

BACK {current} of {total} NEXT


The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit

banner watch listen bbc sport Americas Africa Europe Middle East South Asia Asia Pacific