BBC News
Last Updated: Friday, 5 March, 2004, 09:16 GMT
Spammers target home PCs
By Mark Ward
BBC News Online technology correspondent

You may hate getting spam but unless you are careful you could be responsible for sending some of it.

It is estimated that at least one-third of all junk mail messages are being relayed by home computers.

And to make matters worse, your humble home PC was probably turned into a spam-spewing relay by one or more computer viruses.

Computer viruses have come a long way since the days when they were just a nuisance put together by a teenager with too much time on their hands.

Remote control

Hackers for hire are crafting viruses that can search out vulnerable machines and add them to so-called bot nets that become a pool of PCs ready to react to commands sent by anyone who knows they are there.

This trend towards using home PCs as spam relays was started by the Sobig virus that first appeared in January 2003. Viruses such as Sinit, Fizzer and MyDoom have continued the trend.

Spammers want to use your PC to spread their unwanted wares because it has become impossible to send millions of e-mails any other way.

"You cannot effectively spam without a network of proxies," said Joe Stewart, senior security researcher at Lurhq. "You are being blocked everywhere you go."

Anti-spam projects, such as Spamhaus, circulate lists of the net addresses used by spammers.

Many mail servers check these lists when a message turns up and drop mail from known spam domains.
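The check a mail server makes against such a list, as an added example that is not part of the original article. It assumes the list is published as a DNS zone queried in the RFC 5782 style; the zone name `dnsbl.example`, the stub resolver and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

LISTED = ipaddress.ip_network("127.0.0.0/8")       # RFC 5782: "listed" answers live here
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus documents this range as query errors

def dnsbl_query_name(ip, zone):
    """Reverse the address labels and append the blocklist zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:  # IPv6: one label per hex nibble
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """A records for name; [] on NXDOMAIN or resolver failure (fails open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolver):
    """True only for a genuine listing, not for an error-code answer."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        a = ipaddress.ip_address(answer)
        if a in LISTED and a not in ERRORS:
            return True
    return False

def mail_decision(client_ip, zones, resolve=system_resolver):
    """What the receiving server does with a connecting client."""
    for zone in zones:
        if is_listed(client_ip, zone, resolve):
            return "reject (listed in %s)" % zone
    return "accept"

# Constructed sample data: a hypothetical zone and documentation-range addresses.
ZONE = "dnsbl.example"
FAKE_ZONE_DATA = {
    "10.113.0.203.dnsbl.example": ["127.0.0.2"],        # a listed relay
    "7.100.51.198.dnsbl.example": ["127.255.255.254"],  # error code, not a listing
}

def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name, [])

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.25"):
        print(ip, "->", mail_decision(ip, [ZONE], fake_resolver))
```

Treating every 127.x answer as a listing would reject all mail whenever the list operator returns an error code, which is why the error range is excluded.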

Viruses like Sobig and MyDoom give spammers another way to despatch messages; they get your PC to do the job for them.

To cover their tracks they will use only a small number of the thousands of machines they remotely control at any one time.

These malicious programs use sophisticated techniques to create a bot net.

Paul Wood, chief information security analyst at MessageLabs, said this type of virus had a very distinct pattern of activity.

Initially, he said, infected machines were very busy sending copies of the virus they had contracted to all the addresses found on that PC.

Then, on a date coded into the virus, the machine stops looking for fresh victims and instead reports its existence into one or more locations on the net.

Usually at this time the virus is updated with new code that turns it into a spam relay.

It then waits to hear from its controller about what it should do next.

Sobig.A and Sobig.E were the most successful variants of this virus and created bot nets with many thousands of members.

Close control

The appearance of Sobig.F triggered a scramble by anti-virus firms as it contained a list of encrypted net addresses that infected machines consulted to find out where to get updates or upload stolen data.

By 7pm on 22 August, when machines infected by Sobig.F were due to activate, all but two of those control machines had been shut down.

Infected machines knew when to ask for more information as Sobig.F consulted atomic clocks on the internet via the Network Time Protocol to ensure they all reacted at the right time.

One of these master machines was unreachable and the only working one was swamped when thousands of infected machines contacted it.

Many of the 20 net addresses were for broadband connections of home users.

Once a bot net exists it does not necessarily stay under the control of its creator.

Soon after the MyDoom virus struck, many net service and security firms reported seeing lots of scanning for the backdoor that it opened up on infected machines.

Many semi-criminal hacking groups see bot nets as a general resource that anyone should be able to use.

Anti-spam organisations have now started publishing blocks of compromised net addresses for machines known to be acting as junk mail relays.

A huge swathe of net addresses for subscribers of the Comcast US net service was recently put online in a bid to encourage the company to improve its security procedures.

Projects such as MyNetWatchmen and DShield are collating information about attacks and helping to warn about new threats.

Security firms urge home broadband users to use a firewall and keep anti-virus software up to date to avoid their PC becoming a tool for junk mailers.

