A few weeks ago Candace Locklear's office computer quietly started sending out
dozens of instant messages with photos attached that were infected with
malicious software.
She was sitting at her desk, with no sign that the messaging
software was active. By the time she figured out what was going on, several
friends and colleagues had opened the attachments and infected their
computers.
It took eight hours for a technician to clean up her computer. But
because the malicious software worked so secretly, she's still not convinced
that all's clear.
"I'd like to think that it's gone. But I just don't know," said
Ms. Locklear, 40, a publicist in San Francisco. "That's what is so frustrating."
Computer security experts estimate that tens of millions of
personal computers are infected with malicious software like the one that
attacked Ms. Locklear's machine. Such programs, generally classified as malware,
attack companies along with consumers.
Some are keyloggers, recording every keystroke that the user
enters -- sending valuable bank account information, passwords and credit card
numbers to hackers.
In July, hackers used keylogging software to gather passwords to
databases at the U.S. Department of Transportation, consulting firm Booz Allen,
Hewlett-Packard and satellite network company Hughes Network Systems,
according to British Internet security software maker Prevx.
And other malware programs turn PCs into "zombies," literally
giving hackers full control over the machine. The zombies can be instructed to
act as servers, sending out tens of thousands of spam emails promoting
counterfeit medications, luxury watches or penny stocks without the PC owner
ever knowing about it.
The computer that controls the zombies -- known as the command and
control center -- is able to change the text of the spam depending on what its
operator's customer wants to sell.
Monster Worldwide said last month that
confidential contact information of millions of its job seekers was stolen by
criminals who used zombies. Contact data for 146,000 job seekers using the
official U.S. government jobs Web site was also taken.
Monster said it would beef up its security, but even with enhanced
protection there are no guarantees.
Security experts say that while companies and consumers need to be
vigilant to protect themselves against Internet-borne threats, determined
criminals are hard to beat.
"I hate to scare people, but there is never 100 percent
(security)," says Gadi Evron, a researcher with Internet security firm Beyond
Security. "If you want to know for sure, never do anything with your computer
and never connect to the Internet."
Mr. Evron has organized conferences between government and industry
researchers to fight hackers who set up botnets, or networks of millions of
zombies. He said the picture painted by some presenters was depressing.
"The problems are not getting solved. They are getting worse," he
said. "The bad guys are making a lot of money."
Still, he and other security experts recommend that PC users take
basic precautions, including installing up-to-date security software, keeping
current with updates that software providers distribute over the Web, and
backing up files.
There's a wide range of PC security software available, including
ones that were recently updated or about to be introduced by BitDefender, CA, Check Point's ZoneAlarm, F-Secure, Kaspersky Labs, McAfee, Microsoft, Prevx, Symantec's Norton Security and Trend Micro.
More important than security software, users need to monitor their
own behavior. The bulk of malware is installed on computers by users who either
click on a Web link or on a file that is attached to an email or instant
message.
PC users can greatly reduce the risk of infection by only visiting
familiar Web sites and avoiding unknown attachments.
"You won't know you are infected until one day your ISP turns you
off or restricts access or money starts disappearing from your bank account,"
said Adam O'Donnell, a senior research scientist with Cloudmark, which sells
anti-spam software.