Russians behind zombie PC threat
The return of the Storm ‘trojan’ may see a surge in internet fraud, says Linton Chiswick
Cyber criminals are believed to have launched a renewed campaign to invade millions of home computers across the world with a so-called 'trojan', creating an international network of infected zombie computers which can then be used at will to send spam or even launch cyber attacks on websites - without the owner's knowledge.
The campaign is likely to peak on or around St Valentine's Day, the day of the year when people are most likely to click on an anonymous email and open the link inside.
The threat is a return of 2007's devastating 'Storm' trojan. Storm arrived almost exactly a year ago via a spam email headed '230 dead as storm batter Europe'. Clicking the link in the email's body was enough to infect a PC.
Storm-watchers believe they're seeing a resurgence, and have already begun intercepting St Valentine's Day messages hiding nasty surprises. Infected emails, with headings such as 'A Kiss Is So Gentle' and 'I Love You Because', carry a web address, much like a legitimate electronic greeting card. Click on the link and your own computer could be moonlighting for the criminals.
News of the Storm resurgence follows hard on the heels of concerns about a particularly vicious new virus called Mebroot, discovered earlier this month.
Mebroot exploits a weakness in Microsoft's Internet Explorer browser to install itself, via innocuous-looking websites, within the heart of a PC's operating system. Once there, it surreptitiously downloads a variety of keylogging applications, designed to recognise as many as 900 financial websites, record a user's keystrokes and forward login information to the criminals. Virus guards have proved ineffectual against Mebroot and it is difficult to tell if a computer is infected.
The really bad news is that, according to analysts, both the resurgent Storm and Mebroot carry digital DNA associated with the Russian Business Network, a St Petersburg-based ISP and hosting network linked to some of the world's most destructive viruses and phishing scams.
Last November, the RBN appeared to be dramatically scaling back its activities. The emergence of these twin threats suggests it might be re-organising.
IDefense, the security wing of US internet giant VeriSign, has described the Russian Business Network as 'the baddest of the bad'. Like a digital al-Qaeda, it is structured to cover its own tracks; technically it acts as merely a web host to clients who remain as anonymous as the RBN itself. It has no website of its own, nor any legal corporate identity, and its management are known by nicknames.
Despite protestations of its own respectability, it is believed by security experts to provide hosting to a significant proportion of the world's phishing sites, to sites selling virus kits, to false blogs riddled with malware, and it has been accused of running botnets for spammers and cyber-terrorists. Estimates of the RBN's earnings have been as high as £200m a year.
Following a short exposé in the Washington Post last October, RBN-hosted websites appeared to move to servers in the Far East. Optimists linked the two: the RBN didn't like the attention, and perhaps it was in hot water with the Russian authorities.
Not so fast, says Jart Armin, an independent security expert who advises on Russian cyber-crime and tracks the RBN at RBNExploit.com. "The whole thing's a blind," he says. "In fact, the RBN began re-registering and moving retail sites back in the summer."
According to Armin, the RBN might be restructuring itself, choosing to shift operations to its firmly entrenched network of infected computers. "Why bring on the heat when you can do it all anonymously using botnets?" A stronger RBN is likely to mean more online crime.
Armin predicts that Storm will have infected a million PCs by February 14. From there, exponential increases are almost inevitable. Happy Valentine's Day - you probably have mail.