Invasion of the Botnet Armies

In previous articles, I wrote about  malicious hackers (crackers) moving away from attacks for bragging rights to attacks for profit.  Part of this transition is the increased use of zombie PCs, or bots, to surreptitiously acquire personal and business information with criminal intent.  In this article, I describe the nature of bots and botnets, the danger to your organization from these growing threats, and some things you can do to protect your information assets.

What are botnets?

A bot is a program that, when installed on a system, provides the bot owner with remote control capabilities without the system owner’s knowledge.  The system on which the bot is installed is called a zombie.  A network of zombies, under the control of a bot master, is a botnet.   Botnets can range in size from just a few zombies to zombie herds of a million or more infected systems.  So what’s the big deal?  Most networks are protected by anti-virus software.  The big deal is that the way in which bots are deposited in systems is undetectable to most anti-malware software.

Bots are typically installed as part of a rootkit delivered to target systems via various attack vectors – the most common are email and spyware, with instant messaging closing fast.  Crackers use rootkits to install bots on target systems so they aren’t visible when listing processes, directories or folders, or by using any other administrative search or management utility. 

The value of botnets is their stealth.  Organizations or individuals who know sensitive information about them is compromised can take steps to protect themselves.  This limits the revenue potential of the illegally obtained information.

What is the danger to your business?

Once a bot master has control of a system, she can perform a variety of tasks to obtain valuable information.   These tasks include:

  • Keystroke logging of user IDs, passwords, and banking and credit card information
  • Theft of intellectual property
  • Information relevant to personal identity theft or social engineering
    • Social security numbers
    • Dates of birth
    • Addresses
    • Employee IDs

Zombies are also used to conduct Distributed Denial of Service (DDoS) attacks.  For example, criminals use DDoS attacks to shut down access to Internet businesses or to disrupt operations of brick-and-mortar organizations until the victim pays the bot master, or his client, a specified sum. 

A recent example of a more low key use of a botnet is the Jeanson James Ancheta case.  Ancheta, based in California, built an army of approximately 400,000 zombies.  He then allegedly sold access to his botnet to crackers and spammers.  Further, Ancheta allegedly generated revenue by using his remote control capabilities to deposit adware on the compromised systems (Brandt, 2005).  In January 2006, Ancheta pleaded guilty as part of a plea agreement.  But this is just one of a growing number of botnets, most of which are still alive and well.

According to Symantec’s Internet Security Threat Report (Volume VIII), 10,352 botnets operated each day during the first half of 2005.  This was a significant increase from the less than 5000 daily botnet count reported six months earlier.  Symantec gathers this information by using 24,000 global sensors. 

What can you do to protect your business?

The best thing you can do to protect your information assets is to be proactive.  Once bots are placed on your systems, they are difficult, if not impossible, to detect.  Some ways to prevent your systems from being shanghaied into a botnet army include:

  • Develop an effective patch management program to eliminate critical security vulnerabilities
  • Include in your employee security awareness training an explanation of the dangers of spyware and how it’s invited into end point devices
  • Monitor your network for network or packet anomalies indicative of attempted or successful zombie recruitment
  • Encrypt critical or sensitive information in transit and while residing in databases, flat files, backup tapes, laptops, etc. (see Data Storage Security)
  • Control or prohibit the use of public instant messaging or email services (i.e. AOL, MSN, Yahoo, et al)
  • Use enterprise web filtering software to prevent users from visiting sites known to harbor malicious code
  • Check enterprise email at the perimeter, before your users have to decide whether to open a message or attachment on their desktops

Malware detection vendors are beginning to provide software to identify and eradicate rootkits.  RootKitRevealer from Sysinternals is a free utility that performs this function.  Other vendors are working on solutions, but progress is slow.

Conclusion

The mission of crackers is changing.  Massive Internet attacks are being scaled back to attacks targeting specific targets for the purpose of generating revenue.  Organizations must take steps to ensure the safety of their systems, their employees, and their customers – including applying pressure to vendors to accelerate development of rootkit and bot prevention and detection solutions. 

Author:  Tom Olzak

Sources:

Brandt, A. (2005, November).  Alleged botnet crimes trigger arrests on two continents. PC World.  Retrieved February 11, 2006 from http://www.pcworld.com/news/article/0,aid,123436,00.asp

Symantec Internet Security Threat Report, Volume VIII

Resources:

CypherTrust’s ZombieMeter

Leave a Reply

You must be logged in to post a comment.