• Who's behind criminal bot networks?

    PART 3 IN A 3-PART SERIES

    They have infected perhaps 100 million computers with viruses, turning the PCs around the world into an army of willing criminal assistants known as "bots." They are using those PCs to send out billions of spam e-mails and make millions of dollars by attacking Web sites and extorting their owners. They have even attacked the core computers that keep the Internet running smoothly. Who are they?

    The answer to that question is elusive, but there are a few clues.


    In part one of this series, we described the epidemic of hijacked computers that's swept the Internet. Controlled by malicious programs, the computers are turned into robots, or bots, that are directed by criminals known as bot herders.

    Part two looked at how profitable the bot business has become, leading hackers to engage in gang warfare in cyberspace for control of these hijacked computers -- a digital battle that has spilled out onto the Internet's Main Street.

    Today, we examine who is behind these networks of infected computers.

    For years, computer hackers typically were precocious, anti-social teen-agers who committed digital violence just to get attention. But computer crime has grown up, and grown into a big business. Now it is used by highly organized gangs to steal millions of dollars.

    The top gangs, most agree, are in Russia, Eastern Europe and Brazil, although there also are a few up-and-coming cybercrime syndicates in Asia.

    Cybercriminals tend to be talented computer programmers who can make much more money stealing than working, the experts agree. There is so much money to be made in cybercrime that some observers speculate that terrorists are using it to raise money and support their organizations.

    Computer security experts disagree on whether terrorists are involved in cybercrime, but there is one sure sign that computer crime has become a much more sober affair: Many experts interviewed for this story shied away from talking about the topic of who's behind botnets, pointing to concerns for family safety.

    "When I got into this, it was kind of a game," said one expert who spoke on condition of anonymity. "Now, it's very serious. I wouldn't want my name attached (to comments about the topic)."

    That's a new sentiment in an industry that has often been criticized for using hyperbole to generate publicity.

    Recruited by professionals

    Bot herders are still typically young -- perhaps 18 to 25 -- often only a little bit older than a teenage hacker, says David Marcus, security research and communications manager with McAfee. They are nearly always men. And they often live in an area where traditional, big-money computing jobs are difficult to find.

    "There are limited ways to make money," he said. "This is the way for them to make a lot." Marcus said he thinks organized crime is behind a lot of bot activity, but Mafiosi aren't coding Trojan horse programs. Instead, their money funds hacker operations and is used to recruit computer-savvy youngsters, he believes.


    "They watch for bright kids and they start them on small tasks, like 'Find me 100 passwords and I'll give you 1,000 rubles,'" he said.

    In more aggressive recruitment programs, organized crime will actually pay for a computer geek to get through college, essentially a hacker scholarship, said Marcus.

    Some say there are as many as 45,000 different botnets sending out spam and being used for other cybercrimes, but Professor Randy Vaughn of Baylor University said he believes there are as few as six or seven major bot gangs and as few as 1,000 criminals controlling all the infected computers.

    "And the number of genuine genius bot programmers is probably much smaller than that," he said. "In each group there are a few geniuses and there are a bunch of groupies who hang around on the botnet and attempt to gain credibility with the botnet operators."

    The groupies hope to learn enough that they can control their own vast botnets, but in the meantime they act as money handlers or perform other menial tasks for the "genius" programmers, Vaughn said.

    E-commerce nightmare

    Bot herders aren't necessarily spammers, but the two are often linked, as virtually all spam is now sent from hijacked computers, experts say.

    The Spamhaus top 10 list of worst spammers is now populated by Russians, Ukrainians and a Chinese ring.

    Craig Schiller, a professor at Portland State University and author of "Botnets: The Killer Web Applications," said those who designed the Internet wanted a system that would allow buyers and sellers to connect from around the globe. They had no idea that the network would become a platform for global crime, he said.

    "This is the e-commerce that people dreamed about but didn't realize it was a nightmare," said Schiller.

    The arrest of three Russian bot herders last year offers a rare glimpse into the world where such nightmares are born.

    Three men -- Alexander Petrov, Denis Stepanov and Ivan Maksakov -- spent a year terrorizing e-commerce sites as part of a ring of 16 criminals. The ring used armies of computers to overwhelm gambling Web sites and other firms that could ill-afford Internet down time, then extorted money from the operators to halt the traffic flood.

    Mikko Hypponen, a security expert at F-Secure, acted as a consultant to one victim, an online CD and DVD retailer. The store eventually paid a ransom of $40,000 to get its site back, he said.

    In all, the hackers took in about $3.9 million in payments, according to evidence presented at their trial.

    "And many companies invested much, much more paying to build a defense against these attacks," Hypponen said. Russian media estimated the total damages caused by the group at $79 million.

    The ransom money was wired in small amounts to 10 different bank accounts in Riga, Latvia, Hypponen said. So-called "money mules" -- middlemen who simply help move stolen money from one account to another, usually crossing borders along the way -- picked it up from these accounts and wired the money to accounts in St. Petersburg or Moscow.

    Another set of mules eventually brought the money to the small city of Balakov in western Russia. It was in Balakov that Maksakov, a 22-year-old student at the Balakov Institute of Engineering, Technology and Management, issued orders for the botnet attacks, according to Russian media reports. But while the orders were given in Balakov, the main computer server that controlled the attack was in Houston.

    Russian police nabbed the threesome with the help of Scotland Yard by following the money trail, Hypponen said.

    The three Russians were sentenced to eight years apiece in jail by a Balakov court last fall. But Hypponen said most of the gang remains at large, including several suspects in Kazakhstan.

    Their exploits don't rival those of Brazilian gangs, experts say. In 2005, more than 50 Brazilians were arrested after allegedly stealing $33 million with a targeted Trojan horse program that stole online banking passwords.

    Domingo Montanaro, a computer forensics expert and banking consultant in São Paulo, Brazil, said Internet crime gangs there operate almost with impunity. In a recent case, he said, he helped nab a ring of 100 criminals that had gained access to 10,000 Brazilian bank accounts.

    "Criminals in Brazil do some incredible stuff because police cannot fight them anymore," he said. "They are not even using techniques to hide themselves. We only arrest maybe 3 or 4 percent of them."

    Driven by revenge

    Some attacks are driven by revenge as well as financial gain.

    Last year, a noted Russian spammer nicknamed PharmaMaster -- he usually advertises pharmaceuticals -- felt his business was endangered by a Silicon Valley anti-spam startup named Blue Security.

    PharmaMaster initiated an attack that crippled Blue Security's Web site. The firm countered by placing information about the attack on its corporate blog, hosted by popular blog site TypePad, owned by Six Apart Ltd. PharmaMaster then hired a bot herder to conduct a denial-of-service attack that shut down all of Six Apart's blogs, including those hosted on its Typepad.com service.

    Eventually, Blue Security surrendered and got out of the business of anti-spam software.

    "PharmaMaster paid $1 million to take out Blue Security," or about $2,000 an hour for the attack, said Schiller, the Portland State professor. "But (PharmaMaster) was making $3 million a month, so it was worth it."

    At the time, security experts said the Blue Security attack was so severe that only a few of the world's largest corporations would have been able to withstand it.

    Given the power that the bot herders wield, questions inevitably arise about whether terrorists are behind such crimes. There is no clear answer, and security experts are divided on the issue.

    Terrorism link?

    The discussion was energized by Gartner security analyst Avivah Litan last month, when she issued a report describing the recent arrest of about 50 hackers in Egypt and Lebanon.

    "My hypothesis is that the computer brains are still in Russia and Eastern Europe, but some of their operations are being financed by terror organizations. I am hearing that," she said. "If you were terrorists, wouldn't you get in touch with these guys?"

    Hypponen disagrees, saying there isn't any evidence that terrorists are playing with bot networks.

    "Sure it could happen some day. But I don't have any information, or even any hearsay, that links this to terrorism," he said.

    There is plenty of evidence that organizations like al-Qaida are willing to use the Internet to get attention or to communicate, counters Schiller.

    "I'd be surprised if (terrorists) weren't using these (botnets)," he said. "In their charters they talk about using terrorism to further their aims. They are inclined to use technology against us; it is a huge force multiplier for them."

    Botnets are indeed a textbook example of a "force multiplier" -- one computer telling 100 other computers, which tell 10,000 other computers, to attack someone or something.

    That makes it inevitable that terrorists bent on disrupting communications and financial systems will at least attempt to harness their power.

    But while terrorism's link to botnets is tenuous at best, there is no doubt that real-world criminals already are using them to make big money. And given the alarm bells being rung in almost all corners of the computer security world, it seems likely that the botnet problem is going to get worse before it gets better.


  • Virus gang warfare spills onto the Net

    Duane Hoffmann / MSNBC.com

    PART 2 IN A 3-PART SERIES

    There might be a gang fight raging in your bedroom or study right now. There's no gunfire, no blood, and you won't smell any smoke. But there is a battle. The fight is over your bandwidth and your PC processing power.

    Last week, we told you that perhaps as many as 150 million computers connected to the Internet have been hijacked by hackers who use them in high-stakes, big-ticket crimes. Hacker gangs with creepy names like Rustock and Warezov order the armies of infected computers -- called bots -- to send out spam or attack Web sites for profit.

    They also use these armies to attack each other.


    For years, hackers have created specially-crafted malicious programs called viruses and Trojan horses that sneak onto home computers through e-mail attachments or infected Web pages. Once there, the program turns the computer into a secret soldier in an army of hijacked machines that the hacker -- now called a bot-herder -- can use to send out billions of spam messages or to overwhelm Web sites with extraneous traffic. But lately, a sharp rise in the number of infected computers has security experts calling the attack an Internet epidemic.

    The bot network industry has become so profitable, and hijacked computers so valuable, that rival gangs are now fighting over them. This digital gang warfare is not physically violent, but it certainly is no game. Bot herders steal each other's infected computers, fight off such raids, and often try to knock each other's computers off-line. "They are cutthroat and competitive. They are in it to make a lot of money.... These guys are ruthless to begin with and don't care who they hurt, as long as they get their dollars," said Jose Nazario, a security researcher at Arbor Networks.

    The war has escalated to a level where bot herders must jealously guard their hijacked computers. In October, a yet-to-be-named Russian gang released a program called SpamThru that infected machines worldwide and quickly amassed an army of zombies nearly 100,000 strong, capable of sending out 1 billion messages each day.

    To protect the investment, the malicious program actually included a stolen copy of the Kaspersky antivirus program, modified to stop all attacks but its own. SpamThru installed the anti-virus program on all infected computers, removing all other viruses. It even sent an infection rate report to the program's author. The stolen antivirus software continues to defend SpamThru bots from other attacks to this day.

    The foray into ad-hoc antivirus software is necessary because bot-herders now regularly train their armies against their rivals. When the Storm worm -- probably this year's biggest virus attack to date -- was released in January, it had a dual function. In addition to its spam functions, Storm-infected computers were instructed to attack Web sites run by the rival Russian Warezov gang, hitting sites with cryptic names like esunhuitionkdefunhsadwa.com. By taking those sites off line, the rival spam network was partially disabled. The sites had been set up as communications hubs for Warezov-hijacked computers; without them, the zombie computers didn't know where to attack.

    The Storm attack was clearly designed to cripple a rival. "They were attacking sites that were known distributors of other bots," said Joe Stewart, a prominent antivirus researcher at SecureWorks Inc. Because the attack was hard-coded into the original Storm virus, no human intervention was required to join the battle. "It is an automated war at this point ... on a massive scale," Stewart said.

    They're No. 1

    Why the war? Because bot-masters have to advertise their services like any other industry. And like any business, each bot-herder wants to be able to claim they're number one. "These guys are at this as a business, asking how can they maximize their profits. It is not unexpected that they will go to these measures," Stewart said. "We expect them to keep trying to one-up each other. They want to be the one that has the biggest botnet."

    There is a lot of money at stake. A single denial-of-service attack on a gambling Web site can cost $50,000 a day, said Jose Nazario. In a typical denial-of-service extortion scheme, a bot-herder will aim thousands of computers at a single Web site, overwhelming it with traffic and rendering it unavailable. Legitimate users can no longer access the site, and instead receive the Web's equivalent of a telephone busy signal. Then, the hackers demand an extortion payment to end the flood of fake traffic. Such outages can be costly to firms like gambling sites that make their money minute-by-minute online; without alternatives, many firms pay up, experts say. Three Russian bot herders were recently sentenced to eight years in prison after successfully extorting several gambling operators in the United Kingdom. The gang earned "several million dollars before they were caught," said Mikko Hypponen, a researcher with Finnish firm F-Secure.com.

    With so much money on the line, bot herders are hardly above stealing from each other. "If it takes a week to get 100,000 new infections, or it takes an hour to steal Bob's machines, what would you do?" Nazario said.

    Bugs fixed 'faster than commercial software'

    Bot authors steal each other's bots in numerous ways. The most common: They attack vulnerabilities in the original bot software. That's precisely the way virus writers attack Windows and other commercial software. In the classic example, the massive MyDoom virus in 2004 left an open back door on all infected machines for its author to install upgrades. But rival gangs quickly found the back door, and took over the hijacked machines with a follow-on virus called "DoomJuice."

    Once a previously hijacked computer is hijacked a second time, the thief moves quickly to disable the previous bot software and shut out the first hijacker. Virtually all software, even hacker software, has flaws, Nazario said, so hackers regularly probe each other's tools for openings. Bot virus authors, meanwhile, react quickly when they find a flaw is being exploited and their investment is at risk. "Some of these bugs get fixed faster than commercial software," Nazario said.

    Vulture-like bot herders also poke around the Internet for infected but dormant hijacked computers, a process called "scavenging." The attacks aren't always designed to disable, says André M. DiMino, a researcher at The Shadowserver Foundation. Sometimes the battle is joined simply as a demonstration of force.


    "(They try to) demo that their net is stronger than the other guy's net," DiMino said. A massive attack on the core computers that run the Internet earlier this year may have been a similar demonstration. Last month, the Internet Corporation for Assigned Names and Numbers, which helps run those computers, speculated in a report that the attack was the work of a bot herder trying to close a sale by demonstrating the size and power of his army of hijacked computers.

    This latest spate of bot wars is not the first time hacker gang warfare has spilled over into the Internet's Main Street. In 2004, virus writers who authored malicious programs called Bagle, Netsky, and the aforementioned MyDoom traded insults while attacking computers. And many viruses have targeted Spamhaus.org, a Web site devoted to stopping spam.

    But those battles were ultimately just noisy, public demonstrations. The bot wars of today are much more focused -- on the competition -- and much more automated. There is also much more at stake, as profits from spam and denial-of-service attacks soar. But there is one important thing each of these attacks has in common. The weapons in this war aren't guns or knives, or even fists. The weapon is your computer.