Is your computer being hijacked to spread Porn or Spam?

If your home computer has a broadband (often called “cable” or “ADSL”) Internet connection you could be unwittingly acting as a middleman for pornographers by advertising their merchandise on the ‘net.

It’s just possible that you could be hosting a malicious program that helps pornographers hide their tracks by hijacking home computers to work on their behalf.

So far, at least two thousand Internet users, and probably a great many more, have had their computers redirected to pornographic websites, in a scheme that has security experts at a loss.

Once hijacked by the program, dubbed the "migmaf", short for "migrating mafia", your computer becomes a substitute server funnelling the requests of people clicking on porn sites or spam e-mails to other sites

Experts believe they have traced the attack to the Russian operatives of similar Internet scams, and suspect it is part of a money-making scheme, but remain baffled about the technique used to infiltrate PCs.

Known as a Trojan, it seems to be a new twist that blends both a hacker attack and spam, and that it is a new type of money-making scheme.

How does this system work?

Many of the computers that have been trapped into acting, as “middlemen”, were insecure home PCs sitting on fast net connections.

Spammers, computer vandals and virus makers, eagerly seek these computers because they have fast Internet links which means they tend to stay online for long periods, can pass information back and forth quickly and often possess minimal security.

When being used as a middleman, the user's computer passes on the requests for images or information triggered by people clicking on pornographic websites or addresses in spam e-mail messages.

What is in it for these criminals to hack in and compromise the average persons computer?

It’s believed that the hackers most probably get money, a “kick-back” every time a porn page pops up, very much the same as the commissions now paid from advertising "clicks". They may also get additional money by sending out spam from the infected computers.

Migmaf is particularly disturbing because it represents a new escalation in malware weaponry. This new form of malware can turn virtually any computer user into an unsuspecting accomplice of crime, making it especially difficult for authorities to shut down the networks.

If it is so difficult to trace, how was this new menace tracked down?

It appears the location of the attacks have been traced to the same site as a recent Paypal scam in which bogus e-mails were sent out to users, redirecting them to an imitation of the real Paypal site, attempting to obtain confidential bank or credit card information from them.

Experts warn that there could be other nefarious impacts from the hijacking. It is possible, for example, that a virus could be implanted that steals passwords or other confidential information from hijacked PCs.

Some of the same computers hosting websites for pornographic sites are also receiving stolen credit card information.

Wouldn’t people know if they had this sort of hijacking happening to their computer?

The Trojan runs in the background, so except for an increased activity on the net or hard drive light, you wouldn't even notice this going on. It is observed that the method of attack works by shifting from one computer to another every 10 minutes or so, that makes it very hard to track.

Is there no way of tracking down these criminals or sources?

By hiding behind a ring of machines, the senders can cloak their identity while helping to solve one of the biggest problems for purveyors of pornography and spam: getting shut down by Internet service providers who receive complaints about the raunchy material.

However, the current version of the ring is not completely anonymous, because the hijacked machines download the pornographic advertising from a single Web server. A large independent Internet service company in Houston – America, apparently owns this server.

However, it may be possible to track the attackers through their money trail, from advertisers, possibly in the United States.

We’ve seen scams come and go before why is this one of such concern?

The ring is perhaps more troubling not just because of what it is being used for now but also because of what it might be used for next.

This type of system is especially worrying because the scammers have an end-to-end anonymous system for spamming and running scams. It's not far from here to those types of people who run kiddie porn sites.

How do “we think” it is loaded or transmitted to a person’s computer?

Right at this time it is still not known how the Trojan gets installed on people's computers. There is a strong theory however that it may be a version of the Sobig.e virus. However the jury is still out for the time being.

How can we protect ourselves from this particular scam?

To protect themselves, home users with a broadband link are recommended to use a firewall and ensure that their anti-virus software is up to date.

Why do experts believe the Russians are involved in this threat?

Hackers from the former Soviet Union have been linked to several schemes, including extortion attempts in which they threaten to shut down online casinos through Internet attacks unless the companies pay them off.

Antispam activists have also accused Russian organized crime organizations of taking over home and business PC's to create networks for sending spam. They always seem to lead back to the Russian mob.

Arthur Hissey
Computer Research & Technology
www.crt.net.au