Hackers Plant Attack File in Home Computers

Network Security Technologies, Inc. announced the discovery Thursday of destructive software that has been clandestinely implanted into thousands of business and home computers.

The Herndon, Virginia-based company says the software is secretly loaded on computers when an unsuspected user opens what appears to be a harmless small video file received via e-mail or download. Once opened, the program turns the user’s computer into a “zombie” platform for remote-controlled attacks on Web sites.

Threat to E-Commerce

Experts say the most likely targets of orchestrated attacks from these zombie computers are e-commerce sites, which can be incapacitated by floods of phony requests for data. Such denial-of-service (DoS) attacks were used in February to cripple some of the Internet’s leading Web sites, including Yahoo!, CNN and eBay.

However, in the February DoS attack, the hacker or hackers used corporate and academic computers, rather than tricking ordinary users into implanting the attack software themselves.

Thousands of Zombies

Network Security says the zombie program appears as a video file in the “.avi” format, but in actuality carries an “.exe” extension — making it capable of executing commands on the victim’s computer. The name of the infected file also changes randomly to avoid detection. The file usually includes nonsensical letters such as “WUYILLKM.”

As many as 2,000 computers worldwide may already be implanted with the attack software, which registers itself with two computers — one in Maine and the other in Canada. Furthermore, Network Security Vice President Todd Waskelis believes that the people behind those computers — who go by the online names of “Badman” and “Serbian” — are responsible for the zombie attack program, although Waskelis acknowledges that his company cannot prove it.

Canadian Connection

During an online chat session hosted on a Canadian computer recorded by Network Security, the hacker known as Serbian bragged to another hacker that he controlled “thousands” of computers.

Canada was also the hot spot for February’s spew of DoS attacks. In April, the Royal Canadian Mounted Police (RCMP) arrested a 15 year-old Canadian boy known online as “Mafiaboy” and charged him with two counts of mischief. The youth’s name was not released due to his age. That arrest was the result of a joint investigation by Canadian officials, the FBI, the National Infrastructure Protection Center and the U.S. Department of Justice (DOJ).

On Wednesday a Quebec prosecutor said that Mafiaboy is likely to face additional charges related to the jamming of the well-known Web sites in February.

Easy to Remove, Once Detected

To date, New Media Designs, an Internet design company based in Aurora, Colorado, is the only firm to confirm that the attack software was discovered on its computers and easily removed.

Network Security says the software only runs on computers with Microsoft Windows 95 or Windows 98 operating systems. New Media Designs discovered the problem after one of its workers unwittingly downloaded and opened the infected file on a laptop computer.

When the laptop was connected to the corporate network, Network Security administrators immediately investigated the suspicious data traffic it created.