On the trail of internet's mysterious worm gang

Botnets such as Conficker are used to download fake security software notices. Photo / Supplied

The criminal motives of an unknown group of cyber bandits who are behind a mysterious network linking millions of computers has become clearer in the past two months.

The group is responsible for what has become known as the Conficker worm, a rogue piece of software code that has wiggled its way onto an estimated five million PCs around the world.

By being disseminated so widely, Conficker has created the biggest "botnet" IT security watchers have seen for several years.

A botnet is a network of computers infected with malicious programming code which enables them to be manipulated remotely over the internet.

Conficker first appeared late last year, and became a growing concern to the IT security industry as it began spreading rapidly around the globe.

"We were trying to work out what the hell it was there for because it was infecting machines at a faster rate than we'd seen with any botnet before, yet there was no obvious malicious intent," says David Freer, security company Symantec's vice-president of consumer sales in the Asia Pacific region.

What firms such as Symantec knew was that something involving Conficker was going to happen on April 1 this year - they didn't know exactly what.

Analysis of the code showed that on that date the worm would access an unknown website to download further instructions.

"People got really worried about what this thing was going to do," said Freer, one of several Symantec executives to speak at a media briefing by the company in Melbourne last month.

"You've got the biggest distributed computing network in the world available to one group of people who controlled it."

A number of theories evolved as to what Conficker would unleash come April Fool's Day. One was that it would launch a distributed denial of service attack, where infected computers band together to bombard websites in a united attack that makes them inaccessible to other users. Another was that it might attack bank computer networks, perhaps crippling ATM machines, or even reprogramming them to spit out their stores of cash.

When April 1 rolled around, nothing quite so dramatic happened, but Freer and his colleagues warn that what Conficker is up to could eventually be just as financially destructive as an electronic bank heist.

The botnet has started perpetrating what is becoming an increasingly popular online scam. Conficker-infected PCs have begun serving up notices to those who use them asking for payments to run fake anti-virus and computer security programs.

The authentic-looking programs ask users for credit card payments - typically about US$50 ($74) - to activate subscriptions for the pretend security protection.

David Hall, Symantec's regional consumer products manager, says the scam is big business for the criminals behind Conficker and other botnets working in similar ways.

"It's a lot easier to convince 10,000 people to give you $49.95 than it is to break into a bank."

Hall and Freer offer up a back-of-the-envelope calculation showing how lucrative this type of crime can be. If 1 per cent of the owners of the five million Conficker-infected machines fall for the scam and pay US$50 each, the criminals make US$25 million.

This type of scam is set to become a significant revenue stream for cyber criminals who are now turning over billions of dollars each year through a range of activities which also includes stealing and on-selling bank account and credit card details.

Symantec warns that Conficker, while a large and relatively high-profile concern, is one of millions of threats facing internet users. It says it has found more than 3000 examples of fake security programs alone.

Experts have suggested that Conficker's notoriety suggests it is under the control of less experienced criminals who, because of that inexperience, will not make as much money from it as they could. Others with more skills know how to keep their botnet activities below the radar of the security monitors, making them more effective.

AVOIDING SCAMS
* Computer users inadvertently download viruses, worms and Trojans linked to botnets by visiting infected websites or downloading malicious attachments.
* Don't download and run suspicious or unknown applications, or visit unknown websites.
* Make sure you have up-to-date security software and that you install operating system updates.
* If you pay online by credit card, check bank statements for unauthorised transactions.

* Simon Hendery travelled to Melbourne as a guest of Symantec.