Justice For Matt Bandy or How you could go to jail for life for images someone else put on your computer

Are You In Danger, Too?
How Your Computer Can Be Turned Into A Zombie
and You Could End Up In Prison


Computer Zombies in the News
By Danielle Kozich

News coverage and expert testimony available on the Internet document just how easy it is for families like The Bandys to have a computer infected with viruses, backdoor software and Trojan horses. Those of us involved in creating the Justice4Matt.com website wonder if the investigating authorities are aware of this information because, if they were, we think they would have been hard-pressed to pursue a case against Matt Bandy. One expert we interviewed reports detection of 250,000 new "zombies" every day!

It's already happened

Remote control of others' computers is only just starting to show up in the news, because it's so hard to detect.
On January 7, 2007, just as 20/20 was getting ready to break Matt Bandy's story, The New York Times ran a front-page piece detailing the many dangers of computer zombies. One computer expert, Gadi Evron, says botnets represent "the perfect crime, both low-risk and high-profit. The war to make the Internet safe was lost long ago, and we need to figure out what to do now."

Worried? Learn some basics about how you can protect yourself and your children from online criminals.

In England, news reports detail the arrest of Julian Green in 2002 after police found 172 images of child pornography on his computer. He fought an uphill battle to prove his innocence — spending 9 days in prison and losing custody of his daughter and his home. The charges were finally dropped after investigators found evidence of 11 Trojan horse programs and one computer virus on his hard drive.

More recently, in 2005, it was reported that hackers used worms in "an experiment which might be applied to far more malign purposes in the future" to download pirated movies onto others' computers. Luckily, the virus was discovered before anyone could be accused by law enforcement, but had it gone undetected, the victims could easily have been accused of downloading copyright-protected material.

And in Denver, in December 2006, Serry Winkler was greeted at her door by four officers with a search warrant and a demand to turn over her computer. According to "Computer Hacking Results in Armed Police Raid," a report by KMGH, someone used a bot to hack into Winkler's computer to make fraudulent purchases online — like the Bandys, she didn't have a firewall, either. What happened to Winkler was part of a large-scale cyber crime ring in Russia, and police are still investigating. In the meantime, Winkler is looking for a new computer.

Backdoor software, Trojan Horses and Viruses are pervasive

A computer forensics examiner, Tami Loehrs, found numerous viruses, backdoor software and Trojan horses on the Bandy family's computer, which left the computer "extensively infected with malicious software." The computer was so infected that it rendered the antivirus software useless. The Bandys were, unfortunately, like most American families, woefully under-educated about "safe computing." Ms. Loehrs' report, in summarizing the worst of the viruses found, wrote that one virus "enables an attacker to gain full control of an affected system."

Even with up-to-date software, one PC World article notes, Trojan horse and other virus programs are constantly evolving, popping up to challenge anti-virus programs and even security-smart computer owners. Rootkits are among the top 10 biggest security risks to computers, with "chilling new possibilities" emerging, one of which is the discovery that rootkits can make it "possible for crooks to hide files in the boot sector of the hard drive."

Backdoor software is dangerous because it lets hackers "piggyback" onto an Internet connection and basically use the victim's PC and IP address to camouflage the hacker's activities and identities. And malicious software can turn computers into zombies — allowing hackers "to store illegal content, such as child pornography," according to "Online threats outpacing law crackdowns." (Used with permission from CNET Networks, Inc., Copyright 2006. All rights reserved.)

A Business Week online article by Alex Salkever shows that these attacks are so prevalent, and hackers so adept, that in May 2001 they even managed to decimate the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University. The center's function is to warn companies about computer-related security hazards, so their employees are far from clueless when it comes to computer security threats, but their site was basically wiped from the Internet after a hacker attack. So if it can happen to computer experts, why is it so hard to believe that a normal Arizona family could be the victims of hackers as well?

Broadband and Windows are insecure

The increasing availability of broadband at home is a big convenience that's accompanied by huge risk. "Equally important is getting computer users — especially those individuals with broadband connections — to lock down their computers. Left insecure, the machines can be turned into zombies," notes Salkever. An unsecured broadband connection that's using Windows — a combination many families use every day — is basically the computer equivalent of leaving your car in the driveway, unlocked, with the keys in the ignition. Oh, and the car's loaded with your most valuable possessions. Obviously, no one would do that, but many people don't think twice about their computer's security.

"Today's operating systems, in particular the Windows operating system, are so insecure that it is impossible to say that any one individual was in control of their computer," says computer forensics expert Ted Coombs in Defense Forensics and Child Pornography. He notes that there are multiple viruses and related programs written that can put "kiddie porn" onto the computers of unsuspecting owners — and it's not that hard, requiring only a "mid-range capability."

Forensic evidence techniques are falling behind

Coombs believes that forensic evidence has yet to catch up with this digital crime. "where the prosecution has the burden of proof, they must prove that the digital evidence being used to convict a person is the result of the actions taken by the accused and not by a hacker, either remotely or by a person in front of the keyboard... They can not, beyond a reasonable doubt, claim, in most cases, that the accused downloaded, viewed, or was in any way in control or had knowledge of the images he is accused of possessing."

In many "kiddie porn" cases, Coombs writes, "Partly because of the emotional nature of the crime, it has become the responsibility of the accused to prove innocence of possession, where the burden of proof seems to require no more than insinuation." It would be like "claiming someone guilty of possessing a firearm because it was found in a public restroom frequented by the accused."

The potential implications when law enforcement agencies are unable to prove how exactly information ended up on a computer are chilling. David Sklar, a computer consultant, worries that someday, "a Trojan horse [may be] better at camouflaging itself than the investigator is at finding it. When combined with a targeted attack instead of random infection from a sketchy web site, this would certainly make the accused's pleas of 'I'm innocent!' seem hollow. Child porn is good for discrediting political or business opponents; classified information for framing a government enemy; one criminal could use documents about entering the witness protection program to put false suspicion on another criminal; the list goes on and on."

Just as disturbing was a response to Sklar's story — a poster wrote that his friend was being accused of downloading "kiddie porn" by the Mendocino County (California) District Attorney. The poster describes his friend as "an old, sick, disabled man, living on permanent disability. He has no money and has already been forced to leave his home and seek refuge with his kids out of county. Tom has been intimidated, questioned without his lawyer present and jailed. We're not talking about a sophisticated computer user here... He wouldn't know how to determine if a Trojan was present on his computer or how to defend against one." We don't know who the man is, if he was convicted or if the charges were dropped, but it sounds like a similar story of police going after someone who was unaware of what was on their computer.

The FBI, testifying before Congress in 2001, weighed in on the difficulties posed by cyber crimes. In a presentation called The FBI's Perspective on the Cyber Crime Problem, Thomas T. Kubic, deputy assistant director, Criminal Investigative Division, said, "The Internet presents new and significant investigatory challenges for law enforcement at all levels. These challenges include: the need to track down sophisticated users who commit unlawful acts on the Internet while hiding their identities; the need for close coordination among law enforcement agencies; and the need for trained and well-equipped personnel to gather evidence, investigate and prosecute these cases."

And finally, a 2003 GAO (Government Accounting Office) report carried a title so obvious that we again cannot understand how investigators could have failed to ask Matt Bandy if he ever used peer-to-peer file-sharing programs. The report was titled FILE SHARING PROGRAMS — Child Pornography is Readily Available Over Peer-to-Peer Networks. GAO investigators used "KaZaA" — which Matt Bandy also used — to see what was transmitted both intentionally and accidentally in peer-to-peer connections. One of their principal conclusions: "Juvenile users of peer-to-peer networks are at significant risk of inadvertent exposure to pornography, including child pornography."

A NewsForge article specifically points out that Trojans are easy to download accidentally when using file-sharing programs. Trojans "make your computer do things you don't expect it to do. Like download kiddie porn that can get you arrested, for example," says the article. NewsForge is an online newspaper about the Linux operating system, and the article details how easily Windows can be manipulated. Author Robin Miller writes, "It's a scary thought, but Windows users may actually risk going to jail if they don't protect themselves well enough from the many worms, viruses and 'Trojans' that can infect their operating system..." and goes on to suggest that Windows users switch their operating systems to stay safer. Even more chilling is the pay-per-click advertisement at the bottom of the story for a website that promises a "Live Demo & Free 7 Day Trial" of software to "Control a User's Desktop Remotely."

Miscarriage of Justice

Given the seemingly countless ways in which personal computers can be infected, commandeered and misused by nearly anyone on the Internet, it would behoove police, prosecutors and policy makers to go back to the basics on the concept of "reasonable doubt." There are ways to corroborate the evidence gathered against people who are accused of crimes involving the Internet. Failing to do so can lead to a gross miscarriage of justice.

Expert Interviews

Crisis management specialist Jonathan Bernstein interviewed Dmitri Alperovitch, Paul Davis, and John Quarterman for his ezine, Crisis Manager.

None of these experts was told about Matt Bandy's specific situation and the interviews were conducted before ABC News aired Matt's story nationally. The interviewees were told only that Bernstein was doing an article about what could be done to and with a computer that had been turned into a zombie. He did not want them to feel they had to comment specifically on a complex situation about which they had no first-hand knowledge, but was hoping that they could shed some light on how easy it could be for you, or me, or anyone, to have our computers turned into zombies for criminal purposes.

The experts didn't just shed some light; they set a bonfire. If you read these interviews and the other material in this section of the website, you'll have the same reaction everyone connected with the Justice For Matt site did — a gasp.


Principal Research Scientist
CipherTrust Inc.
Interview by Jonathan Bernstein, Editor, Crisis Manager Newsletter

Dmitri Alperovitch is Principal Research Scientist for CipherTrust, Inc., the global market leader in messaging security — and despite many who claim that title, they really are the leader, with the largest market share and revenue in their niche. As one of CipherTrust's leading researchers since December 2003, Alperovitch manages CipherTrust's global threat research and is one of the lead inventors of CipherTrust's key patent-pending anti-spam, anti-phishing and zombie-tracking technologies. He has accomplished extensive research in the areas of public-key and identity-based cryptography, as well as network intrusion detection and prevention.

Alperovitch currently serves on the steering committee for Digital PhishNet, a joint enforcement initiative between industry and law enforcement designed to stop those who perpetrate phishing attacks. A recognized authority on messaging security, he has appeared in media outlets including the New York Times, Business Week, LA Times, SC Magazine, CNET and Red Herring, and was a featured speaker at Virus Bulletin 2005 and numerous FBI conferences on the subject of phishing and online organized crime. Alperovitch received a Masters degree in Information Security, magna cum laude, from the Georgia Institute of Technology.

Crisis Manager: How easy is it to gain control over someone else's computer, remotely?

Dmitri Alperovitch: It is remarkably easy to take complete control over a machine connected to the Internet. There are millions of PCs, both home end-user machines as well as computers at many businesses, that are vulnerable to attack due to lax or non-existent security policies and procedures that are not followed to keep these machines protected and safe. In addition, even machines that are not vulnerable to attacks on the security holes in the software can be compromised due to end user's mistakes, such as running a malicious program received via e-mail or downloading and running software from unsafe or unknown websites.

Crisis Manager: What's the jargon you associate most often with this activity? Hijacking? Turning computers into zombies? Other?

Dmitri Alperovitch: This activity is typically called "turning machines into zombies" or "compromising a computer".

Crisis Manager: What can someone malicious do on another person's computer once they have access to it?

Dmitri Alperovitch: Once illicit access is gained to a computer, it can be completely taken over and used to run any type of software that the criminal mastermind chooses to deploy on the machine. Some of the more common uses for zombies are:

  • Sending out spam
  • Sending out phishing attacks
  • Hosting of malicious websites
  • Use of thousands of zombies together in coordinated activity to launch attacks on different companies (known as Denial of Service attacks)
  • Anonymization of hacker's activity on the Internet (the hacker will use the IP, or Internet Address, of the taken over machine to conceal his own address and location)

Crisis Manager: Could someone malicious write to a hard drive or burn to a CD if there was already one in the drive?

Dmitri Alperovitch: Yes. Virtually everything (short of things that require physical interaction, such as putting a disk into a CD drive or powering on the computer) that the owner of the machine can do on his PC can be done by the criminal who has taken over that machine remotely.

Crisis Manager: Let's say someone is intent on a crime such as illegal bookkeeping or stealing intellectual property. Have computers been remotely controlled for the purpose of storing information away from the actual perpetrator's computer?

Dmitri Alperovitch: There have been a few cases like this involving warez (stolen software) servers and child pornography. For the most part they've been used to steal information and route it to the perpetrator's computer, as well as use the machine as a launchpad for other attacks. By using your computer, they hide their own identity.

Crisis Manager: Could they go through that computer to join in an online chat? To upload/download files?

Dmitri Alperovitch: Absolutely.

Crisis Manager: Have you heard of computers being hijacked for criminal purposes? Do you have any examples?

Dmitri Alperovitch: Not only have we heard about this activity, but we are witnessing it on a daily basis in our efforts to protect our customers from malicious messages that are targeting their corporate mail systems and end-users. On a daily basis, we are seeing 250,000 new zombies coming online every day.

Crisis Manager: Have you heard of cases where the police initially thought a home computer user was guilty of a crime based on what was found on their computer?

Dmitri Alperovitch: I know of cases where, in the process of the investigation, law enforcement had identified a machine they thought was conducting the illegal activity, only to find the owner to be some grandmother who knows nothing about computers and realize there's no way she could have committed the crime. Criminals can hop through a lot of machines and be hidden four or five computers away, which are often located in foreign countries.

Crisis Manager: Do you have any estimate of how many individuals are actively involved in trying to use other people's computers for criminal purposes?

Dmitri Alperovitch: I would estimate there are probably 50-70K people actively engaged in using other people's computers in a criminal manner, a lot of them working together in online organized criminal networks. They emulate traditional organized crime, with foot soldiers doing the work you can easily get caught for, then the capos, the captains, organizing the activity, reporting to the bosses. A lot of the bosses are very technical, some are not — they just realized the opportunity and recruited the right people.

Crisis Manager: What is the capability of U.S. law enforcement, in general, to solve such crimes?

Dmitri Alperovitch: A number of agencies are actively pursuing this. The challenge has been that the jurisdiction often creates a problem for them. The lead often ends up in Eastern Europe, where getting cooperation from local law enforcement is extremely difficult because they're not technically savvy and not particularly interested in helping US citizens who are victims of such crime.

Crisis Manager: What is the capability of U.S. law enforcement, in your typical metropolitan area, to properly analyze a computer which they suspect was involved in Internet-related crime?

Dmitri Alperovitch: Fairly limited. They often don't have the training or the resources. Federal law enforcement really is the one with most of the expertise and resources. Good police departments will submit their material to them to develop the case further.

Vice President & Program Manager for Enterprise Security
Global Outsourcing and Infrastructure Services
Interview by Jonathan Bernstein, Editor, Crisis Manager Newsletter

Paul Davis is vice president and program manager for Enterprise Security, Global Outsourcing and Infrastructure services, Unisys. He is a CISSP-certified IT Security strategist providing companies with advice and strategy on integrating business, security and IT strategies. Prior to joining Unisys in November 2006 he was principal in his own company, Security Radar. He has 20 years of experience in solving business security challenges for top global companies. Companies that he has worked with include EDS, General Motors, Dow Chemical, The Washington Post, The United Nations, MCI and Mitsui.

Crisis Manager: How easy is it to gain control over someone else's computer, remotely?

Paul Davis: There are two basic approaches to gaining control of a computer: exploiting a weakness in the operating systems and applications running on the target computer, or leveraging the gullibility of the user on the computer, otherwise known as social engineering.

The first approach of remotely exploiting vulnerabilities on a computer is achieved by attacking network-facing services on the device. There is a continual need to balance protecting a system against attacks while at the same time balancing the potential adverse impact of a patch or vulnerability fix. A key contributing factor to the continual exploitation of the "attack vector" is the lack of a really good inventory of systems, applications and network connectivity. I have always said that "For business security, ignorance is NOT bliss, awareness is". I would rather know where a problem is than for it to be hidden from me.

Social engineering attacks rely on tricking the user to perform an action like clicking on a web link, or a program. By appealing to their needs and ego, social engineering gets them to lower their defenses, and accept information and programs from an untrusted source. Once the initial attack has completed, the malicious software can "phone home" allowing the attacker to take control. Control can be in the form of installing more programs, manipulating files and executing commands from the compromised computer. We typically say that it only takes 15 seconds to compromise an "unprotected" computer. After that, the real challenge becomes detecting that it has been compromised.

Crisis Manager: What's the jargon you associate most often with this activity? Hijacking? Turning computers into zombies? Other?

Paul Davis: Zombies is a common name but also botnets that consist of groups of computers/bots/zombies. These are used to launch attacks or malicious activities. This allows the attacker to hide his point of origin. These were traditionally used for mass SMTP emailing and distributed denials of services (DDOS) but we are seeing a drop in this activity as the attackers are now moving into more subtle, and more targeted, attacks.

Trojans is another term commonly used to describe a software that "supposedly" provides a useful "free" service to the user but in reality is performing covert activities to track the user and allow the further leverage. A typical example of this is those "free virus scanner" pop-ups. Another more worrying form of attack is "rootkits". These malicious tools insinuate themselves inside the operating system so that they cannot be detected or removed. This new wave of malicious usage is very worrying. There are also references to spyware, which tends to describe the whole range of Trojans, rootkits, malicious cookies, etc.

Crisis Manager: What can someone malicious do on another person's computer once they have access to it?

Paul Davis: It depends on the level of compromise and sophistication. Some of the most basic spyware components just use cookies to track where a web user goes in the Internet. Others replace key system files like the host lookup file or default setting, so that for example they reset your default home page. Some of the more advanced attacks leverage your data. In the past, we have seen these programs scan all of your emails, documents and spreadsheets for email addresses and then use an internal email engine to send malicious email to your colleagues and friends.

A new breed of sophisticated programs install themselves on your computer, monitoring your keystrokes. They take screenshots and then send all of this data to another compromised computer or some website in an encrypted form.

Some of them allow the malicious attacker to effectively have a command line interface and some allow the same level of control as something like PC-Anywhere for complete screen, keyboard and mouse control. They can transfer files, add or delete programs, change your settings, or run any command.

The more worrying trend in today's world is the targeted attack, where the program installs itself, hides itself and then waits to activate when a particular event or situation occurs. For example, when you visit your online bank, the program wakes up and captures your login information.

Crisis Manager: Have computers been remotely controlled by criminals for the purpose of storing information away from the actual perpetrator's computer?

Paul Davis: Criminals can pretty much do whatever they want once they've compromised a system.

Crisis Manager: Could someone malicious write to a hard drive or burn to a CD if there was already one in the drive?

Paul Davis: Easily.

Crisis Manager: Does your typical police agency have the expertise to analyze the more sophisticated forms of computer hijacking?

Paul Davis: Law enforcement doesn't always have the resources to understand fully how computers can be exploited. Because they don't always have the full capabilities or skills in-house, they sometimes outsource that function.

InternetPerils Inc.
Interview by Jonathan Bernstein, Editor, Crisis Manager Newsletter

While there's a veritable army of young geeks running around the business world today, John Quarterman has been around since well before the modern World Wide Web was launched and was, in fact, instrumental in that process.

I interviewed John, a Harvard grad, because of his industry-leading experience about internet risk management and security. His company, InternetPerils Inc is in the business of spotting threatening trends and activity on the Web so that organizations can respond more proactively. You can read more about John here.

Crisis Manager: How easy is it to gain control over someone else's computer, remotely?

John Quarterman: If it's running old unpatched software, especially monoculture software such as Internet Explorer, pretty easy. Monoculture means "being used by everybody" — like pretty much anything by Microsoft — and the chance of a patch being needed for most people's monoculture software is pretty high. Monoculture software is vulnerable to being taken over like cotton was vulnerable to the boll weevil.

Crisis Manager: What's the jargon you associate most often with this activity? Hijacking? Turning computers into zombies? Other?

John Quarterman: Botnets, zombies, pwned.

Crisis Manager: What can someone malicious do on another person's computer once they have access to it?

John Quarterman: There's a criminal economy doing this. Warez dealers (warez is illegal software or goods used on a computer) sell exploits (software written to exploit vulnerabilities, e.g., in IE). Exploits today are often written as soon as the bug is known. Exploit writers sell the exploits, that's how they make their money. Botnet herders use the exploits to break into mom and pop or other machines and turn them into bots — short for robot or sometimes called zombies. They create herds of bots, and then sell access to these herds of bots to someone else in the criminal economy, such as spammers, who can then send their spam from other people's computers, a whole group of them at once. Botnet herds tend to be in the hundreds or thousands in size.

Phishers (people who trick you into going to a fake website which emulates a real site, such as a bank site) are particularly fond of bot herds. Phishers use botherds to phish for servers on which they can store and send out material to avoid having and not leave a path of legal liability. So they use the bots computers as servers to store whatever they want to send out. Usually the owner doesn't even know it's running a virtual server and sometimes the host computer already has a real server and the phishers set up a page deep under the real server.

You could have illegal activity happening on your computer, right now, and you wouldn't know it. It's relatively hard to find out. If you use all the spyware scanners and pay attention to your system usage you might, but most people aren't doing that.

Crisis Manager: Could someone malicious write to a hard drive or burn to a CD if there was already one in the drive?

John Quarterman: They could.

Crisis Manager: Let's say someone is intent on a crime such as illegal bookkeeping or stealing intellectual property. Have computers been remotely controlled for the purpose of storing information away from the actual perpetrator's computer?

John Quarterman: Yes, other people do that. There are a lot of nefarious things people can do when they break into your computer. There's a lot of spam whose purpose is to plant spyware on your computer, like a keystroke logger, so that anything you type gets recorded, so that sometime later the program "calls home" and sends the criminal what you've found, which they may be able to use to steal money or commit blackmail. A criminal can piggyback someone else's online session to cover his tracks. There have been cases where botnet herders are compromised that way, where someone figures out how to use someone else's botnet herds!

Traditionally, internet security practices cede the advantage to the bad guys.

Crisis Manager: Have you heard of cases where the police initially thought a home computer user was guilty of a crime based on what was found on their computer?

John Quarterman: I'm surprised I haven't heard of any specific cases yet, that's an area that's definitely going to be a problem as these illegal practices continue. You don't know what's running on your computer and it could be massively illegal.

Crisis Manager: Could they go through that computer to join in an online chat? To upload/download files?

John Quarterman: That depends on how well the computer is compromised. In principle, yes.

Crisis Manager: Have you heard of computers being hijacked for criminal purposes? Do you have any examples?

John Quarterman: Yes, all the time. Much of phishing and spamming is conducted using botnets.


© 2006 - Present by Matthew, Gregory & Jeanne Bandy. All Rights Reserved.