Imagine your home computer and a half-million others being secretly commandeered by criminals who use them remotely to send spam e-mails, spread viruses, steal personal information — even crack the codes at credit card companies and banks.

Sound far-fetched? It's already happening. In the past five years, these so-called "zombie" robot networks — or "botnets" — have become the key to most serious internet crimes.

"It's not uncommon for the bad guys to have 50,000 or 100,000 or even half a million computers under their control, and they have the ability to constantly update and wreak havoc with what these machines are doing," said Jose Nazario, a security engineer with Arbor Networks, a network security company based in Lexington, Mass.

"They're overwhelming a lot of systems, and they're also able to attack the internet at large with massive numbers of machines, beyond the scope of what we've seen before," Nazario told CBC News Online.

At the least, the botnets pose such a threat that they could lead to changes in the very nature of the internet.

And in worst-case scenarios? The botnets could be unleashed to cause chaos at airports and other transportation hubs, paralyze companies' financial systems so workers go unpaid, and permanently destroy vital records at hospitals, schools and other institutions.

Will virtual 'gated communities' arise?

Jonathan Zittrain, a professor of internet governance and regulation at Oxford University's Internet Institute, warns that these and other apocalyptic visions are possible.

"Combine one well-written worm [a type of self-replicating virus] of the sort that can evade firewalls and anti-virus software with one truly malicious worm-writer, and we have the prospect of a panic-generating event that could spill over to the real world," Zittrain writes in a section of a book he's completing on the future of the web, which he e-mailed to CBC News Online.

Zittrain believes that without concerted action to secure the web, an overwhelming and entirely plausible e-terrorist attack could spell the end of the open internet.

Under this scenario, users and businesses could decide to retreat to the relative safety of closed-off networks or virtual "gated communities," severely limiting the universal creative process that has characterized the web to date.

"If digital gated communities become the norm, highly skilled internet users … will still be able to enjoy generative computing on platforms that are not locked down, but the rest of the public will not be brought along for the ride," he writes.

It could also mean that things our online society is coming to take for granted, like the ready downloading of software, video and other media, would become much more difficult or disappear altogether.

'Bot-herder' sentenced to 57 months in jail

Some "bot-herders," as they've been called, have been brought to justice: May 2006 saw the first successful U.S. prosecution for criminal botnet outsourcing.

Jeanson Ancheta, 21, of California, was sentenced to 57 months in federal prison for controlling as many as 400,000 bots.

He would rent the bots to "clients" who would then use them to send spam, install spyware and launch distributed denial of service (DDOS) attacks — floods of useless traffic that block users from gaining access to the network — against business rivals.

The judge noted that Ancheta's crimes were "extensive, serious and sophisticated."

Wesley Hsu, the deputy chief of the U.S. Justice Department's cyber and intellectual property crimes section in Los Angeles, said cases like Ancheta's are important.

"We're getting the word out that you can go to jail for this, that this is not some prank that we take lightly," Hsu said in a telephone interview.

Not easy to fight cybercrime

Prosecutions remain relatively few, however, as the nature and scale of the botnet problem makes it difficult for law enforcement to effectively address.

"We're dealing with a kind of high-tech crime that [law enforcement] have never seen before," said Nazario of Arbor Networks.

"The people perpetrating this are not only experienced with programming these botnets, but also with how to hide themselves."

Joe Stewart, a senior researcher at the Atlanta-based security firm SecureWorks, agreed.

"It's not impossible to track these guys down, but it's technical," he told CBC News Online. "It takes people that really understand the guts of these things, and unfortunately there are not enough of these people in law enforcement."

Thorsten Holz of the German Honeynet Project, a group working to learn more about botnets, said lack of speed is one issue that has hampered the authorities.

"It takes too long. They always have to talk to the court to get permission, which takes at least a couple of weeks, and in this time the attackers can just move to another system."

A question of education and who to trust

More effective law enforcement is just one of the tools needed to defeat the cybercrooks, experts say. More education and caution is needed by home users, who have been called the weak link in the chain that allows the bots to flourish.

Symantec Internet Security says home users are the target of 86 per cent of internet attacks, largely because they are far less likely than corporate users to have effective security measures.

Home users can help keep their machines — and the web — free of trojans (malicious software disguised as a legitimate computer file or program) and bots through some basic, but often ignored, safety steps.

"I talk to law enforcement around the world and they tell me that when they knock on the door of someone whose machine has been compromised, there's a look of shock and horror — but invariably they find there are [security problems such as] no passwords, open wireless, no security software, etc.," said Vincent Weafer, the senior director of development at the information security firm Symantec Corp.

"The best-practice steps are very simple and they haven't changed over the last couple of years."

Any computer that attaches to the internet should always have up-to-date firewalls and anti-virus software in place, for example.

Of critical importance is the immediate installation of software updates as required, especially for Windows users, since bots often get access to machines through known holes in popular software.

Human weakness also continues to be a problem. Two serious worm outbreaks in 2006 — Storm and Meteor — spread to hundreds of thousands of computers because users ignored years of warnings and opened suspicious e-mail attachments from strangers.

Experts still hopeful

In spite of all these issues, security experts generally feel that the criminal botnets can be beaten without changing the way we use the internet.

Secureworks' Stewart said he was confident the open web would continue and Arbor's Nazario echoed the sentiment.

"I think we're going to win in the long run, and very few people will retreat to isolated networks," Nazario said. "When I think about this, I'm an optimist."

Still, Zittrain, who postulates a potentially darker future, may have the last word: "Internet technologists often dismiss the problems of viruses and worms … because technologists know how to protect themselves against them."

[an error occurred while processing this directive] [an error occurred while processing this directive]