What are Bots, Zombies, and Botnets?

June 12, 2010

News about internet crimes often mentions ‘bots’, ‘zombies’, and ‘botnets’. It’s not hard to figure out from the context that these are computer or network security threats. But what exactly are they and how do they work?

A ‘bot’ is a type of malicious code that allows an attacker to take complete control over the affected computer – turning the computer into a ‘robot’ that the criminal can remotely control. Once infected, these machines may also be referred to as ‘zombies’.

While taking over one computer is useful, the real value comes from collecting huge numbers of computers and networking these so they can all be controlled at once (a botnet). Between 100 and 150 million computers worldwide (out of 600 million PCs on the Internet) are infected with bots and under the control of hackers. These computer owners unwittingly put everyone at risk, and most would be shocked to learn that the spam you’re receiving is coming from thousands or even millions of computers just like (and including) theirs. Frankly, failing to adequately protect your computer is socially irresponsible. Click here to learn how to protect your computer.

Now, the way criminals make money from connecting all of these computers is twofold:

  • Criminals can use the botnets themselves. This may be to send spam, phishing, or other scams to consumers that will earn them money. They may use them to launch a denial of service (DoS) attack that floods a service or network with a crushing amount of traffic to severely slow down the network’s ability to respond, or to entirely overwhelm it and take it down. The revenue from DoS attacks comes in the form of extortion (pay or have your site taken down) or through payments by other groups with an interest in inflicting damage. These groups include “hacktivists” (hackers with political agendas) and foreign military and intelligence organizations. In 2008 several ISPs reported multi-hour outages of their services due to advanced DoS attacks, according to research by Arbor Networks.
  • Criminals also rent out their botnets to other criminals for the same exploits as they use the botnets for themselves.

Here’s an attempt at illustrating how botnets are created:

If you have not installed security software, ensured that it is turned on, and kept it up-to-date, your machine is likely infected with all kinds of malicious software, including bots. The best protection is to run anti-virus and anti-spyware programs diligently and to install every patch that your operating system makes available. Set your computer up to run these automatically for the best protection.

Even with the most up-to-date protection tools, there is still some risk because the developers of malware are always looking for new ways to get around security measures, and your own actions may put you at risk. One common user risk is through downloading content from unknown sites OR from friends that don’t have up-to-date protections. The intent may not be at all malicious, but if content comes from an unprotected computer it may well be infected and by downloading the content you bring the malicious code past your security checkpoints. Interacting with others who have not protected their devices increases your risk.

Watch for symptoms like odd changes in settings, or your computer becoming really slow or crashing for no obvious reason. If these occur, take action. The cause may not be a bot; it could be another form of malicious software that causes the same symptoms, but they are clear indicators of trouble. If you experience these, check to be sure you have the latest operating system updates and that your anti-virus and anti-spyware programs are updating properly, then run a new scan of your computer. You may want to use a second spyware tool (many, like Ad-Aware, offer free versions).

Don’t contribute to this problem. Ensure you have adequate protections today.



Don’t Fall for the Xmas Variant of the Koobface Worm

December 1, 2009

There is always a Grinch. This year he comes in the form of malware, and his name is Koobface.

Koobface (an anagram for Facebook) is a malicious worm that uses social networks to send fake messages to users – things like “Hey! Are you really in this video?”, “LOL, check it out”, “My home video :)”, or “Hey! You are on news!” – each containing a link to a website where you will supposedly be able to view the ‘video’.

Clicking on the malicious link starts your troubles. Once on the site, if you click to watch the ‘video’ you get a pop-up message telling you that in order to watch the video, you need to update your Adobe Flash player. Conveniently, they provide the option to install the ‘new’ version simply by clicking install.

What you really install of course is the Koobface Worm that infects your computer, steals your information, and enables a proxy tool so that your machine becomes part of a botnet so the attackers can continue to abuse your computer and any information it contains.

In this example, the ‘message’ refers to a fake video posted by ‘SantA’, and you are led to believe it will be cute entertainment to watch.

Adobe Flash player continues to be one of the most popular social engineering tactics used by criminals to turn your computer into a bot. But one simple rule will prevent you from becoming a victim.

Consistently applying one key principle will ensure that you don’t fall for these scams:

Steer, don’t be pulled

  • Do not use a link contained in a message – whether it comes in email, IM, on a social networking site, text message, or some other means. Find the proper URL yourself using a search engine – and use a malware filter like McAfee Site Advisor (it’s free) to be sure the site is legitimate before clicking the link.
  • If you think you need to install a newer version of ANY software, go to the company’s site (in this case Adobe.com) and download from there. It is the only way to ensure you are not getting something other than you bargained for.
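
The second rule, download only from the company’s own site, comes down to checking which host a link really points to rather than what the text of the link suggests. The Python below is an added example, not part of the original post; the allowlist, the function names, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: vendor domains the reader has looked up independently.
OFFICIAL_DOMAINS = {"adobe.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (lure text taken from the post, links invented).
SAMPLE_MESSAGES = [
    "Hey! Are you really in this video? "
    "http://adobe.com.video-update.example/setup.exe",
    "LOL, check it out http://adobe.com@203.0.113.5/flash_update",
    "Release notes: https://get.adobe.com/flashplayer/",
]


def hostname_of(url):
    """Return the normalized host a browser would contact, or None."""
    try:
        parts = urlsplit(url.strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        # .hostname already drops any "user:pass@" prefix and ":port" suffix.
        host = parts.hostname.rstrip(".")
        # Compare internationalized names in their ASCII (punycode) form, so a
        # look-alike letter can never compare equal to the real domain.
        return host.encode("idna").decode("ascii").lower()
    except ValueError:  # malformed URL or un-encodable name
        return None


def is_official(url, official=OFFICIAL_DOMAINS):
    """True only if the host is an official domain or a subdomain of one."""
    host = hostname_of(url)
    if host is None:
        return False
    # Match on a label boundary: "notadobe.com" and
    # "adobe.com.video-update.example" must both fail.
    return any(host == d or host.endswith("." + d) for d in official)


def links_to_avoid(message, official=OFFICIAL_DOMAINS):
    """List every link in a message that does not lead to an official site."""
    return [u for u in URL_RE.findall(message) if not is_official(u, official)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(links_to_avoid(msg) or "no off-site links", "<-", msg)
```

The first two sample links both contain the text “adobe.com” yet resolve to a different host, which is exactly why reading a link by eye is unreliable.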

Following a few safety principles will keep the Grinch, Koobface, and other nastiness out of your holiday festivities.


220 Million Personal Data Records Exposed So Far This Year

November 27, 2009

A new article by Andy Greenberg for Forbes reports a shocking 220 million personal data records containing highly sensitive information have been exposed by hackers so far this year.

Add to this the (reported) personal data records breached in security breaches in the US since Jan. 2005 and over 341,742,628 sensitive personal data records have now been compromised according to the Privacy Rights Clearinghouse that tracks breaches. The data exposed includes Social Security numbers, medical records, and credit card/banking information, as well as addresses, phone numbers, etc.

NOTE: Though the total US population today is roughly 310 million, it does not mean everyone’s records – and then some – have been exposed. Some people may have had their records breached multiple times, while others may not have been exposed. However, the likelihood that your data has been compromised is now staggering.

What does this mean to you?

  1. Be diligent in monitoring your financial and medical identities. This information has significant value to criminals and they will exploit any information they acquire. Learn how to protect your identity, get free credit reports, freeze your credit, and more in my blogs:
    1. Protect your credit: one free step towards peace of mind
    2. Stay Safer – Place a Security Freeze on Your Credit
    3. ShieldSafe: ID Theft Protection Reminder Service
  2. Understand the scope of the problem by reading these blogs:
    1. 130 Million Credit and Debit Card Numbers Stolen – Is Yours Secure?
    2. 11 Things an Online Criminal Will Never Tell You
  3. Be wary of allowing additional information about yourself to be placed online before better security standards are in place. Your medical records are perhaps your biggest new threat area; learn how in these blogs:
    1. HHS Issue Notification Rules for Personal Health Record Breaches – But What Prevents Breaches?
    2. Online Medical Fraud: New Tools for Old Scams
    3. Risks of Placing Medical Records Online
  4. Demand better security and accountability of the companies, institutions, and government agencies holding your records.
    1. Internal security measures need to be in place to:
      1. Block dishonest employees from making off with records
      2. Prohibit employees from taking records away from the secure facility – in laptops, flash drives, etc. that can be stolen, “lost” or otherwise compromised.
      3. Train employees in security measures – and continually test that these are upheld
      4. Ensure all sensitive information is encrypted rendering it useless to those without the necessary key
      5. Increase defenses against hackers, with stronger security measures and multi-tiered layers
    2. National security standards need to be strengthened to:
      1. Increase penalties to companies with data breaches
      2. Increase speed of notification to consumers affected by data breaches
      3. Increase assistance to consumers affected by data breaches

Stay diligent,


Search Engines’ Responsibility to Block Malware

November 24, 2009

New malware is released on the Internet every 30 seconds according to McAfee research, and the problems it causes threaten the very health of the online environment. Much of this malware is distributed through search results. Some is disseminated through the millions of legitimate websites that have been infected – including .gov, .edu, .org, and .net sites. Other malware is distributed via the millions of deliberately malicious websites whose express purpose is to dump malware onto hapless consumers’ devices.

Tackling the malware scourge are dozens of security software companies and law enforcement agencies. Enduring the most pain are consumers and companies doing business online. Who’s not at the table?

Search engine companies – the very companies that enable the dissemination of most malware today – are notably absent in this battle. Why have Google, Microsoft, Yahoo, and other search companies failed to step up to their role and responsibility in blocking malicious sites?

Why is Google promoting harmful sites in their sponsored search links section?

Without using a tool that flags harmful sites (in this graphic, it’s McAfee Site Advisor, but there are several options) consumers have no way of knowing that the first sponsored link is harmful.

Defining ‘malicious’ is not an impossible task. Malicious is a matter of definition along a sliding scale, and it can be argued where the line should be drawn. Fine, argue about it – then set a standard.  

Identifying malicious sites is not an impossible task; dozens of companies flag and block malicious or infected sites. Though search engines can’t guarantee to catch every single malicious/compromised site, they could dramatically reduce the likelihood that consumers and companies would be infected – and dramatically reduce the revenue of organized crime groups promulgating this crap.

Blocking malicious sites is not a freedom of speech issue. Search engines are owned by companies with policies, and they can write those policies however they see fit. Freedom of speech does not apply in a company-owned environment, whether you’re standing in Disneyland or using a search engine. Companies have the right to set their standards for what they display, accept, monitor, or block.

  • One policy option could be that the search engine will not knowingly display sites that have been shown to be malicious or are currently infected.
  • Alternatively, search engines could have a policy that provides consumers choice – for example, giving an option for consumers to choose between “only show sites believed to be free of malware” vs. “show me all sites, but highlight ones with known risks”.

Identifying and blocking malicious sites should not be a financial issue. Identifying malicious sites isn’t inordinately expensive – or the free services available for consumers would not exist. Blocking malicious sites that want to get top placement as sponsored links does represent a loss of revenue – but is this revenue from criminal or malicious entities worth facilitating the exploitation of consumers?

In fact, search engine companies should be able to make a good business out of notifying legitimate companies, organizations, etc. that their sites are infected.

Search engines, step up to social responsibility

The major search engine companies need to step up to their social responsibility rather than simply abetting the circulation of malware. These engines are the ideal chokepoint – if malicious sites aren’t displayed in search results, or are clearly marked as malicious – consumers and companies alike won’t fall victim.

Consumers, hold companies accountable

If you want a safer online experience, you need to demand a safer online experience from the companies you use. Change doesn’t happen overnight, but change is much less likely to occur when consumers aren’t demanding it.

YOU have the power to change the level of risk search engines expose you, and your family, to – let your search engine provider know you want protection today.


If Your Tweet’s an Ad, Prepare to be Unfollowed

November 23, 2009

A growing number of Tweeters are jumping on the ad bandwagon to make money off their networks by allowing advertisers to use their identity and tweet their followers.

Ad.ly, Izea and Peer2 are three key players in this new consumer-to-consumer advertising strategy that is attempting to create an alternate marketing channel in the face of largely ignored ads delivered via print, TV or online media. The idea is that your Twitter followers will pay attention to (and place more trust in) an ad delivered by you as someone they respect.

According to Joey Caroni, co-founder of Peer2, “We don’t want to create an army of spammers, and we are not trying to turn Facebook and Twitter into one giant spam network. All we are trying to do is get consumers to become marketers for us.”

For tweeters with lots of followers, the payout can be significant – up to $10k for a celebrity who pushes a tweet ad – but the bigger opportunity in the minds of these companies is to marry topic experts with smaller brands to push their products. For example a running guru might accept payment to send a ‘tweet’ that promotes a new shoe – and by doing so her followers may choose to buy the product.

Deception and Exploitation

Paying consumers to insert ads in what is supposed to be their own thoughts isn’t new – Izea already has a service called PayPerPost that pays bloggers to pitch products to their readers – when first launched it was not transparent that the ‘posts’ were in fact paid ads, and the company was sharply criticized for the deceptive practice. Now, ads are more clearly marked but the sleaze factor remains.

Most Internet users do not want their online relationships and dialog sullied with commercial content. Even when deception isn’t a factor, why follow someone whose comments are based on profit, or at a bare minimum, sees your relationship as something to financially exploit?

Tech blogger, Robert Scoble, explained it this way in a New York Times article. “It [advertising within your content] interferes with your relationship with your friends and your audience.” Scoble also noted that he “unfollows” people on Twitter who send him ads.

My Promise

No content on ilookbothways.com or my Twitter account http://twitter.com/LindaCriddle has ever been influenced by profit. We do not, nor will we, accept advertising. Right or wrong, the content we provide represents the best advice we have to give.

If I recommend a product – and I do from time-to-time – it is because I genuinely recommend it. There is no financial compensation for doing so. Period.

When I follow someone’s blog, tweets, or comments, I do so because I want their honest take. If their comments are motivated by ad revenue, the honesty of the interchange is gone and so am I.


Consider Using a Free Browser Protection Utility

November 16, 2009

Malware, scumware, scareware, ransomware, call it what you want, there is a plague of exploits aimed at changing your defaults, stealing passwords, shoving pop-ups at you, and otherwise making your online experience far less than ideal.

The traditional defenses against these attacks are antivirus and antispyware products – which are an absolute required defense on any internet connected device.

There is, however, an emerging additional method for proactively defending against vulnerabilities called browser protection or intrusion detection utilities. These are worth more than a passing glance, particularly if you have kids using your computer (or are inexperienced yourself) who may be more inclined to click on sites or ads that leave your computer particularly susceptible to exploits.

Here are two browser protection utilities to consider:

Sandboxie creates a locked down environment in which to run your applications – called a sandbox. Within this sandbox, applications operate normally and at full speed, but actions taken within the sandboxed area are isolated and cannot make changes to your computer.

This means that your operating system, memory, and existing files remain safe. Sandboxie is FREE, and easy to use, and the site has excellent instructions to get you started.

GeSWall isolates applications that can act as entry points for malware and targeted intrusions, like browsers and PDFs, and applies access restrictions to effectively prevent damage.

GeSWall’s restrictions include blocking access to the kernel; allowing read-only access to trusted files, registry, processes, etc.; blocking local communications to trusted processes, like Windows messages; and blocking access to confidential files. Additionally, the product locks malware or an intruder within an isolated layer. Download GeSWall’s FREE product, or consider their for-pay version.

There are also ways in which you can create limited user accounts within your existing operating system. For instructions on how to create these in Windows, click here.

Now, go have fun…


Scamming Users Part of Social Gaming Company Zynga’s business model

November 11, 2009


Zynga’s CEO Mark Pincus admits he “did every horrible thing in the book just to get revenues” and that scamming users was part of social gaming company Zynga’s revenue model right from the start.

According to investigative reporter Michael Arrington, Zynga’s revenue estimates are likely “$250 million a year or more. That means $80+ million/year is being brought in from legitimate offers like Netflix subscriptions, as well as the really smelly stuff like recurring mobile phone and learning CD subscriptions that trick users into paying big dollars for little or no return value.

If you aren’t familiar with Zynga, playfish and Playdom, they are the big-3 players in the social gaming sphere and provide most of the games on Facebook and MySpace, Bebo, iGoogle, iPhone, Android etc… If you or your kids have played games on any of these services, chances are you have been scammed. (In talking to my business partner about this blog earlier today, he said he just got off the phone with AT&T over a $9.99 charge on his phone bill that turned out to be a monthly subscription charge resulting from a scam his son fell victim to when downloading what he thought was a free background).

Arrington’s three-part exposé of the exploitive business practices of Zynga, other big social gaming sites, and the social networks that host the games is must-read material for every online user:

Contritely, Pincus claims he intends to make sure Zynga’s games don’t include scammy offers in the future. How Noble.

A day late and a Dollar Short – MySpace, Facebook address their role in consumer exploitation

After the public mea culpa by Zynga, other heads started rolling.

MySpace parent company News Corp. has announced, in response to the sharp media attention focused on the exploitive practices of their gaming partners – and News Corp.’s own ‘cut’ of the profits – that it will add new language to its terms of use to prohibit “promotions that include hidden renewals without specific opt-in” features. (See MySpace Takes Close Aim At Scammy Offers.) How Noble.

Similarly, Facebook felt the heat and announced Facebook To Increase Enforcement Of Anti-Scam Rules. In this article Arrington notes that in his talks with Facebook, the company held the position that they aggressively protect users. They blamed their failure to stop the spammy behavior on volume – with so many ads and so many apps, they claimed it was impossible to monitor the entire platform effectively.

Cutting through Facebook’s posturing, Arrington points out “it took me about 10 seconds to find really scammy ads on FarmVille, the most popular social game on Facebook with 63+ million monthly users. If they just start with the big guys, a lot of the problem will go away”.

Remarkably, with the spotlight on this form of consumer exploitation, the “impossibility” of monitoring the entire Facebook platform seems to have magically disappeared. Facebook now says they are building out teams and technologies to address “the problem”. How Noble.

Arrington also outlines the financial symbiosis between these ads and the services that host them in what he aptly describes as “a self-reinforcing downward cycle” of consumer exploitation. “Users are tricked into these lead gen scams. The games get paid, and they plow that money back into Facebook and MySpace in advertising, getting more users. Who are then monetized via lead gen scams. That money is then plowed back into Facebook and MySpace in advertising to get more users…”

“Here’s the really insidious part: game developers who monetize the best (and that’s Zynga) make the most money and can spend the most on advertising. Those that won’t touch this stuff (Slide and others) fall further and further behind. Other game developers have to either get in on the monetization or fall behind as well.”

It is time consumers return the ‘favor’ and do some economic damage of your own

While we’re still reeling from the banking racket, Ponzi schemes à la Madoff, and general corporate greed that plunged the economy into dire straits, why make a big deal about one more piece of evidence that respecting – or protecting – consumers is optional? Or that the dollar is mightier than integrity? Why shouldn’t these online companies get away with their scams with no more than a wrist slap and a promise to be good in the future while ethical companies who balk at bilking consumers falter?

If you’re seething, and sick and tired of being exploited with no recourse at hand, here’s the good news:

Online you hold the aces. Collectively, you have the power to bankrupt any one – or all – of these companies – Zynga, playfish, Playdom, Facebook, MySpace, etc. in short order. How? Quit using them.

Want to know exactly which games to boycott?  Scroll to the bottom to see the top 25 games on Facebook and MySpace and who owns them – or boycott Facebook and MySpace entirely out of disgust for their role in this debacle.

Why does Facebook repeatedly roll back abusive features (think Beacon, and their terms of use debacle) when the first few million users complain? Because they are terrified of the collective power consumers wield. Why did MySpace remove 90,000 sexual predators from their service? Because they are terrified of the collective power consumers – and their elected law enforcement representatives- wield.

I am pro-business when business is pro-consumer. For those of you familiar with my consumer facing presentations, you’ll be familiar with two points I make in every lecture:

  • Internet companies make money in three ways – selling access to you and selling information about you…. and now, by deliberately scamming you – move over organized crime.
  • Whether you are a kid, adult, or senior, your biggest risks online are not contact, conduct or content, in spite of the frequency in which these are cited. Your greatest risks come from a lack of understanding:
    • Failure to consider what information you share and making appropriate decisions about whether information should be shared
    • Failure to identify trustworthiness – of people, products, services, Web sites, content, and businesses
    • Failure to understand predatory behavior in its broadest sense, including bullies, stalkers, scammers, hackers, ID thieves, exploitive companies, and other predators

I’ve got a few questions

  1. Where’s the class action lawsuit against these companies?
  2. Where is the legislative focus on protecting consumers against exploitive industry members?  This is a perfect example of where legislation/regulation has a role to play. Without the diligent efforts of investigative journalists, these scams would continue; just “business-as-usual”.
  3. Why did ‘legitimate’ investors, like Kleiner Perkins Caufield & Byers, pour money into companies whose business model included scamming? Companies like these pore over every inch of business models before investing.
  4. Why didn’t the social networking companies test the products they offer their consumers for exploitation? Or fail to adequately address the escalating problem before being publicly castigated?
    Arrington nails it with “There can be only one reason Facebook and MySpace turn a blind eye to user protection – they’re getting such a huge cut of revenue back from these developers in advertising. If they turn off the spigot, they hurt themselves.”
  5. What besides utter greed and a lack of decency could convince these gaming companies to offer ‘free’ game currency in exchange for users filling in a moronic survey? The way this works is that you have to give your cell phone number to get the results via a text message. This is what sets up the scam – by simply opening the text message to see their survey ‘results’ the unwitting user is automatically subscribed to a $9.99 service (like my colleague’s son). (Read Scamville: The Social Gaming Ecosystem Of Hell for more examples, like how they hide the terms of use by making them the same color as the page background so you can’t see them….)

You have a right to an online experience free of corporate exploitation. If you don’t know your rights, read Your Internet Safety Bill of Rights

Make a difference – jilt the companies that betray your trust


Read more on this unfolding scandal:

Wikipedia Definition of Lead generation: (commonly abbreviated as lead-gen) is a marketing term that refers to the creation or generation of prospective consumer interest or inquiry into a business’ products or services. Leads can be generated for a variety of purposes – list building, e-newsletter list acquisition or for winning customers. A lead is a sign-up for an advertiser offer that includes contact information and in some cases, demographic information.