My Family’s Awful Experience Invaded By a Botnet Led to the Creation of vsatips

Photo credit: portalgda via Visualhunt.com / CC BY-NC-SA

vsatips

This Site was Created to Help Other Families

Learn From Our Own 2 Year Nightmare

As a stay-at-home mom, I was beginning to see the light at the end of the tunnel. One child had already left the nest for college, and the second would follow soon. I was beginning to explore the idea of returning to work, and never really had any intention of starting my own website. I’m new to web creating and writing as well, so please bear with me as I try to tackle the learning curve of both!

In 2009 my family’s home computer network was invaded & taken over by a botnet…

Initially we didn’t realize it was a botnet that was responsible. We just knew that our problem was persistent and intractable. We had lost control of our home network & all of our computers and devices.

__________________________

Cool glass tablet from Parks & Recreation

This Post Began as an Addendum to My ‘About Me’ Page

My ‘about me’ page focuses on…well, learning more about me :-)

It doesn’t discuss the subject of Botnets, nor do any of my other posts currently. But Botnets did play a huge role in who I am today. Since this is the one and only post I’ve written to date about these events, and because I’ve begun a new series of posts about network and digital security with the first one being an introduction to home firewalls, I’ve ended up linking to this page fairly often. To me, that’s preferable to my retelling our whole Botnet story over and over again…which is an endeavor fraught with anxiety.

Consequently, this post has ended up containing a mixture of my family’s horrifying Botnet experiences as well as more biographical and early career information about myself.

I’ve tried to blend these two topics because they are so intertwined. Hopefully readers wanting to just learn more about our Botnet experience won’t mind. Please leave comments at the bottom if you do or have suggestions!

In The Beginning:  When We 1st Realized We had a Problem…But We Weren’t Able to Identify its Source

My story began as my years of being a stay-at-home mom were winding down. I was (inexplicably it seemed at the time) thrown head first into the tech side of things when my family’s home network and our computers were invaded by a botnet, although at the time we had no actual knowledge of what specifically had invaded our home network yet. We did have knowledge of, or at least we sensed, that our loss of control was impacting every single family member including a new live-in houseguest & even one family member who lived far away while he attended college. We were all growing increasingly frustrated and worried by a steady stream of bizarre computer occurrences. Each of us experienced random instances in which our computers displayed really aberrant behavior…acts which appeared to occur freakishly of their own accord.

Worse yet was our frequent inability to use our own network. This was a network I’d personally set up just a few years prior with the help of a good friend’s tech savvy husband.

My role as a stay-at-home Mom afforded me a unique opportunity. I was the only one who had both the available time to figure things out as well as (a semblance of at least) the wherewithal to do so. In the ’80s I’d been pretty good with tech things when I first sold and then consulted for clients in the healthcare industry.* My responsibilities focused on all aspects of outpatient administration and systems for patient registration, scheduling, billing and insurance processing.

iPad art

*At the pinnacle of my short consulting career I was widely regarded as one of the nation’s experts on outpatient billing and insurance processing systems. There weren’t many consultants around at the time doing what I did because healthcare consulting was a pretty new field.

I worked for one of the now extant ‘Big 8 Accounting Firms.’ My firm back then was known as Coopers & Lybrand. Today it’s called PricewaterhouseCoopers or PwC. Our industry was young back then. Accounting firms were a late arrival following their lengthy battle to obtain the legal rights needed to gain entry into the field of consulting…a circumstance which likely explained my perceived ‘expert’ status!

It Was in the Fall of 2009…Around 25 Years Later…When My Family’s Ordeal Began

Faced with this present situation at home, I (somewhat begrudgingly at first) embarked upon a crash course to get up to speed with:

  • 1st with current computer technology
  • Next with network technology
  • Last with setting up good security measures for both.

My ultimate goal was to prevent a recurrence of losing control of our network and our devices (primarily Windows computers back then) and to protect our personal data, our credit card information and our user accounts, because throughout the 2-year time period all of those were affected at various points in time…and some repeatedly.

Internet server laptop

Our ‘Invasion Ordeal’ Persisted For Almost 2 Years From Start to Finish

The main reason it took us so long to correct the situation was because the learning curve for me was huge and botnets by their very nature are designed to keep their activities well hidden. Just diagnosing the problem alone took a year and a half!

This was despite the fact that we were greatly assisted by several great network consultants and hardware technicians who we brought on board at various points in time throughout our ordeal. They too experienced significant learning curves regarding network intrusions, malware and especially botnets.

Back then, which was almost 10 years ago, it seemed like very few individuals had encountered similar phenomena.

In hindsight however, we discovered this wasn’t entirely true.**

What was true however, and what set us apart from the pack, was that through a series of slightly unusual circumstances we did become aware of our invasion. Thus we were able to document a lot of compelling evidence that decisively confirmed our final diagnosis and led to our final successful outcome, regaining control over both our network and our devices.

Final Diagnosis 1 1/2 Years Later:

A botnet had taken over our network and all the devices connected to it!


Why Did it Take So Long to Diagnose?

Our Botnet tried very hard to avoid detection…and most do. Because detection makes remediation possible…although even once detected, we learned getting rid of a Botnet isn’t easy or for the faint of heart. If/when this occurs you must be prepared to lose some data, spend money on new devices and expect a degree of failure on the path to a final, successful resolution.

It probably bears repeating that botnets are designed to avoid detection at all costs! That aspect cannot be emphasized enough! Even today in 2018, Botnets continue to thrive and infect millions of unknowing victims’ computers…turning many different kinds of devices into slaves which will continue to perform their dirty work…the work of hackers and criminals. Oftentimes today botnets attack things like IoT devices with greater frequency…at least according to current news stories.

How and Why Did We Figure Out it Was a Botnet?

What made our situation different was that we did figure it out. There were 3 reasons that we were able to do so.

  • First, our Botnet got greedier over time and usurped more and more of both our computers’ and our network’s resources.
  • Second, this greediness led to frequent network and device outage problems, which in turn motivated us to investigate.
  • Third, a lot of Botnet activity occurs during victims’ typical sleeping hours…but we kept atypical schedules.

But ours was an atypical household in regard to schedules. Our household was comprised of first 2 and then 3 teenaged boys who didn’t necessarily follow traditional sleep-wake patterns. I too had always been a night owl. As our problems grew so did my penchant for late night computer sessions. This in turn led me to discover that the vast majority of our problems really exhibited themselves during the early morning hours…the hours I should have been sleeping.

Apple imacs

I happened by chance to discover that much of the really aberrant computer behavior occurred during these very early morning sessions. In retrospect, it was because that was the time that the Botnet was accomplishing its own work. It was using our computers, which were its zombies, to send thousands upon thousands of Spam emails to other unsuspecting individuals. Most likely, those emails contained viruses which would turn other victims’ computers into zombies too.

Once we were able to give a label to the reasons behind our inability to use our own network…a label which also explained all the other truly bizarre events we’d experienced too…ranging from things like the sounds of television shows emanating loudly from sleeping computers to the continual hacking of our credit cards, user accounts and other personal data…we set out to remedy the situation.

It took us another 6 months to completely rid ourselves of the botnet.

Prevent Computer Viruses

**As we began learning more about botnets we realized that we weren’t all that unique in falling prey to one…but because botnets try very hard to remain undetected, most of them generally do go unnoticed. This of course is because once detection occurs the botnet risks losing the zombie-ized computers it has taken control of. If this were to occur on a large scale, the botnet would risk massive financial losses because its clients would move their business elsewhere to more ‘successful’ botnets.

Most botnets are operated by hackers. In this instance oftentimes the hackers are ‘for hire’ freelancers who peddle their botnet’s resources to anyone wanting to use them. They may be used for a myriad of destructive attacks ranging from those against corporations and their computers and websites to the general public. One type of attack, called a DDoS attack, can take down even very large websites. Other destructive activities include using victims’ computers as spam mills to grind out millions of virus-laden emails daily. Those emails tend to be of 2 main types. They may be vicious phishing attacks with identity theft or financial credentials as their endgame, or they may be trojans that work secretly to enslave other victims’ computers into that same botnet or another similar one. This was one activity our computers were being used for, which we figured out from network activity reports.

A Little More About My Role

I’m not oblivious to the fact that my story doesn’t really sound like a very big deal while reading about it after the fact. But for almost that entire 2-year time frame my heart, body, soul and mind were completely engrossed in just this one thing! I was clearly operating within the bounds of a significant form of tunnel vision.

I couldn’t seem to break free from this role. I was obsessively driven to find and get rid of what seemed to me at that time was a huge threat to my family’s wellbeing…certainly the most significant threat we’d ever been faced with. The whole experience impacted each and every one of our family members too and left a significant impression upon the future course of all our lives. While it was truly a frightening and devastating experience for each of us, I was the one person who experienced this prolonged event so profoundly that it quite literally changed my life from that point on.

If you take a moment to really think about how much we rely upon digital data today, you begin to see, I think, why I felt so panicked. Everything we do seems to have a component that’s web-based. Whether it’s our kids’ sports schedules from school or simply receiving information in emails…all that data is probably being scrutinized in situations like these. It’s mined for social engineering purposes…to make someone seem as though they know you for example…or simply for sale.

Someday I’ll hopefully write more about the intricacies of our invasion by this botnet (which I now believe to have been the Bredolab botnet discussed in this relatively recent Wired article) as well as botnets in general and how they’ve evolved into their present form in 2016…but not here and not right now. One interesting thing I learned many years later is that a very well known security author, Brian Krebs, who writes the popular series so many security specialists follow, KrebsonSecurity, also came to his role through a somewhat similar experience when his home network was also attacked. You can read more about his experience here.

More on How We Discovered the Botnet on Our Network

Our First WiFi Network

There was one unique aspect of our network (dd-wrt) that allowed us to see really great evidence of what was happening, which in turn allowed us to finally conclude that a Botnet was to blame. But to understand it well, I think I should explain more about our network and how it evolved.

In those days we were using a Linksys router and our network was a broadband one provided by Time Warner. This was back in the days when Time Warner basically just brought the broadband connection to your house. You had to figure out what to do with it from there. Many homes back then just had one computer connected to the internet. But because our family loved computers, and our kids were at the age of applying to colleges, which was already almost entirely a web-based endeavor, our kids had managed to convince us that they each needed their own computer. That’s why I’d asked the father of my son’s friend to teach me how to set up a WiFi network in our home.

WiFi technology is so commonly used today in home networks that it might be hard to envision a time when we didn’t have it! But back then it was still pretty cutting edge stuff! That Dad had created a WiFi network in their own home, which as we all know today allows many computers and devices to be online at the same time, but just using one broadband connection. When we first got the WiFi working it seemed pretty miraculous to us at the time!

Setting up the WiFi Network

The hardest part of setting up our new network involved placing a network card in each computer, which gave the computer the communications hardware and software needed to even be able to reach the Internet and then communicate once it arrived there.

The next thing necessary was for us to place a router between our cable company’s modem and our computers. The router broadcast a wireless network that each computer could join for simultaneous internet use.

Sharing our Network Grew to be More Challenging

Everything was so great at first, but within a few short years, as our boys grew into their teen years, sharing the network began to strain our network’s resources. Plus, our kids were beginning to stream much of their media content…which demanded decent bandwidth (but we didn’t use the term bandwidth back then ;-)

friends router

Our Strained Network Resources Led My Son to Update Our Router Software Using Open Source DD-WRT

Our elder son researched the strain that sharing our network was causing. He came up with a brilliant solution! There was open-source firmware available for our router that would provide us with much better throughput (i.e., a leaner, faster network!). The solution he uncovered was called DD-WRT.

DD-WRT was (and still is) some pretty amazing firmware! Because it is Open Source, anyone can download it and use it for free. Not only did DD-WRT speed up our network throughput enough to address our initial problems…but it also provided us with the tools we used to see exactly what was happening in our network.

Below is a screenshot showing DD-WRT’s Dashboard. The consultants to whom I showed this were blown away by the amount of data we found and its granularity. I spent hours poring over management reports I accessed using the interface in this screenshot. I learned that at night there was a phenomenally high amount of network traffic…which was really odd given that almost everyone was generally asleep for much of that timeframe. The consultants helped us analyze that data to determine what was really going on.

What seemed even more unusual to us at first was that a high volume of network traffic also occurred when we weren’t even home! We generally took at least 2 family vacations a year back then. We were shocked to see how much traffic occurred when no one was home!

DD-WRT's Dashboard

The reports even drilled down further to tell us what kind of traffic it was. In our case the vast majority of the traffic was emails that were being sent. Without access to DD-WRT’s management reports I really doubt that we would ever have figured out that a Botnet was responsible for our problems. In the long run there were many, many more problems with our network and devices too…but the Botnet was the root cause for all of those too.
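The kind of check those reports made possible, written out as an added example that is not code from the original post: it reads per-connection router records in an assumed format (not DD-WRT’s own export format), and flags both the two signs described above, heavy traffic during sleeping hours and a single LAN host opening many outbound mail connections. The sample lines are constructed to reproduce that pattern.

```python
"""Added example, not code from the original post.

Flags the two signs the post describes: heavy traffic during the hours
the household is asleep, and one LAN host opening many outbound mail
(SMTP) connections, the footprint of a spam zombie. The record format
is an assumption made for this example, not DD-WRT's export format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) bytes=(\d+)$")
SMTP_PORTS = {25, 465, 587}          # outbound mail submission ports
SLEEP_HOURS = range(1, 6)            # 01:00-05:59; household assumption

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2009-10-14 14:02:11 192.168.1.20 -> 93.184.216.34:443 bytes=52000
2009-10-14 15:10:03 192.168.1.21 -> 93.184.216.34:80 bytes=31000
2009-10-14 20:45:59 192.168.1.22 -> 198.51.100.7:443 bytes=17000
2009-10-15 02:01:05 192.168.1.23 -> 203.0.113.10:25 bytes=1800
2009-10-15 02:01:09 192.168.1.23 -> 203.0.113.11:25 bytes=1900
2009-10-15 02:01:14 192.168.1.23 -> 203.0.113.12:25 bytes=1700
2009-10-15 03:17:40 192.168.1.23 -> 203.0.113.13:25 bytes=2100
2009-10-15 03:17:44 192.168.1.23 -> 203.0.113.14:25 bytes=2000
2009-10-15 04:30:02 192.168.1.23 -> 198.51.100.22:80 bytes=250000
2009-10-15 04:31:10 192.168.1.20 -> 203.0.113.15:25 bytes=1500
this line is not a connection record
"""


def parse_line(line):
    """Return one record as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def bytes_by_hour(records):
    """Total bytes per hour of day, the view the nightly spike shows up in."""
    hours = defaultdict(int)
    for r in records:
        hours[r["time"].hour] += r["bytes"]
    return dict(hours)


def off_hours_ratio(records):
    """Share of all bytes moved during SLEEP_HOURS (0.0 if no traffic)."""
    total = sum(r["bytes"] for r in records)
    if not total:
        return 0.0
    asleep = sum(r["bytes"] for r in records if r["time"].hour in SLEEP_HOURS)
    return asleep / total


def smtp_talkers(records, min_conns=3):
    """LAN hosts with at least min_conns outbound mail connections."""
    counts = Counter(r["src"] for r in records if r["port"] in SMTP_PORTS)
    return {src: n for src, n in counts.items() if n >= min_conns}


def analyze(text, ratio_threshold=0.5):
    """Run both checks; a normal household should stay far below 0.5."""
    records = parse_log(text)
    ratio = off_hours_ratio(records)
    return {"off_hours_ratio": round(ratio, 3),
            "off_hours_alert": ratio >= ratio_threshold,
            "smtp_talkers": smtp_talkers(records),
            "bytes_by_hour": bytes_by_hour(records)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A home machine normally makes no direct port-25 connections at all (mail goes through the provider’s server), so even a low threshold on that count is a strong signal.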

What We Did to Evict the Botnet

Had we known the correct approach earlier, once we diagnosed the problem we should have implemented it immediately! But we didn’t. What we tried for the better part of 6 months was to address the problem in a piecemeal fashion. We reinstalled operating systems, removed viruses and even replaced a few computers completely when the viruses proved to be too plentiful. But within a short amount of time newly restored machines were once again acting infected.

The only successful way to remove a botnet from a network is to restore every single device at the same time…and to make sure going forward that no device which hasn’t been cleaned and restored is allowed back onto the network. By device, it could be something as small as a USB flash drive which could re-infect the entire network if it wasn’t cleaned too. Once we figured this out it took the better part of a day to restore everything at once. Since both boys were in college at that point we also needed to wait until they were physically in our home with their devices so that theirs could be restored too at the same time.

Office Computer monitor

Restoring each device was simply a matter of reinstalling each operating system, and then putting back each computer’s data after having scanned that data for any viruses or malware.

We did this after Christmas in 2011. We had a consultant and his small team orchestrate the effort while we each needed to be present to provide operating system and other application keys for activation. It was an exhausting day preceded by several days’ worth of data backups, but in the end we were rewarded by once again being in control of our network and our computers. An added side benefit was that every family member had a new appreciation for digital safety and because of that we’ve never encountered another situation like that. I think I can even go so far as to say that we’ve never even allowed a virus onto one of our machines again.

Of course, the other side benefits were that we learned about hardware firewalls, password managers, the importance of updating operating systems and antivirus software as well as using anti-malware and anti-exploit software too. Most of these have also been the subjects of posts I’ve written too. So we learned firsthand how true that old adage is that states: ‘What doesn’t kill you makes you stronger!’

Below:   A combined logo I made for my websites using a free app

vsatips & vsatrends logo

My Transition into Writing My Blog

I first began to write about technology specifically because of that experience. I hoped that I could help other people who’d had similar problems. My earliest writing revolved entirely around one theme…keeping computers and networks safe.

Thankfully, those early writings are no longer readily available! I say ‘thankfully’ because writing for an online audience is really much different than any other form of writing I’ve encountered. Once I’d finally grasped that concept I was bound and determined to tackle that learning curve too.

My first true solo effort is also my first blog (although I went into it thinking I’d create a website, not a blog, on WordPress.com). It’s called vsatips, because ‘vsa’ are my initials and I liked the way they sounded merged with ‘tips.’

vsatips is dedicated to helping others who use similar technologies accomplish little tasks that prove to be difficult at first glance. My main devices are primarily Apple mobile ones and Windows computers. Although I also dabble in Android a bit too as well as Mac computers…and we recently acquired a 3D printer which I’d love to begin writing about but just haven’t found the time for yet.

Dashlane & Yubi key

My 2nd Blog vsatrends

About a year after I began vsatips I realized that there were also a lot of non-tech subjects that I wanted to write about too! Which is why, after a lot of careful consideration, I decided to create a different site for those topics. I decided to call it vsatrends.

My original intent with vsatrends was to focus exclusively on topics I love that have a strong design element. Those topics included fashion, interior design, architecture, landscape design, jewelry design and beginning silversmithing concepts.

Of course, in practice I’m much too practical for that idealized approach. So for now at least, my posts have taken on much more of the same tone as those at vsatips. Essentially I’ve ended up writing a few ‘How to’ articles which have less to do with aesthetics and more to do with the mechanics of accomplishing tasks.

In watching how this all unfolds, I guess I feel that if my type of ‘how to’ approach brings value to readers, then I’m OK with that approach.


How do I decide which site to publish a given post on then? Well, vsatips has evolved into focusing on several broad categories of technology that I use a lot including Evernote, Dashlane’s Password Manager, Apple mobile devices including hardware, iOS, apps and accessories I love, digital data security, learning to blog, YouTube, general information about computers and tablets and my most recent obsession, finding amazing deals on Amazon! If I encounter and then decide to write about something outside of these topics I usually post it on vsatrends instead. Or if the subject seems to have a wider general appeal than just those which fall within my smaller niche topics I’ll post it on vsatrends too. Last, if a topic is more focused upon the design part of the equation rather than the functionality part I usually decide that my vsatrends readers will be a better audience for that.

But there is definite overlap amongst core readers for both sites as well as the topics for each site too.

In the end, vsatrends was and continues to be more of an experiment for me. It’s one that I’m not sure will stand the test of time, since I’m already recognizing that the sheer workload of keeping up 2 active blog sites may be more than I bargained for. It will be interesting to see how my experiment evolves with time.

There are 2 things I’m certain of…vsatips has a well-defined audience now and there are more topics than I’ll ever find the time to write about. I can’t imagine a time when I won’t be writing my tips here. So, in the end, one good thing did come out of our botnet invasion…I rediscovered something I loved and it opened new doors for me too.


Comments

Feel free to leave me any comments by scrolling down towards the bottom of the page and looking for the little comments box.

About vsajewel

Hi...I'm the author of 2 main blogs on WordPress...vsatips...where I write tech tips for mobile devices...primarily iOS...2nd is vsatrends...where I write less about tech things and more about everything else. I also host a YouTube channel. I use it to better illustrate some of the posts from vsatips and for other random 'How To' topics. I'm a huge fan of YouTube because I think you can learn pretty much anything in the world there. Sometimes I search for something I can't do and don't find anything. A lot of my videos come from that influence...if I do eventually figure out how to do something :-)

This entry was posted in General Technology, Learning to blog, Password Managers, Password Security, Security.

