DEV Community

Chris C

2011 Paper I wrote Foreshadowing Botnets

Botnets: A global threat

Cybercrime is one of the fastest growing crimes in the world. Every advance in technology attracts individuals who intend to use it for harmful purposes, and these individuals often come together in groups that can terrorize networks and global e-commerce. In 2005, the FBI estimated that cybercrime caused $67.2 billion in damages to businesses in the United States alone. In recent years, criminals have become increasingly successful at profiting from illegal remote access to networks, and money is their foremost motive. By tapping into “secure” networks or completely hijacking a host, criminals gain access to financial information, customer data, and intellectual property, along with the resources needed to launch DoS (Denial of Service) attacks against other organizations or pump out billions of phishing and spam messages. Online criminal gangs invest heavily in botnets and complex malware to carry out this work. A botnet is a network of many infected hosts (bots) under the control of a malicious operator. These workstations become infected in a variety of ways.

Users might open an email attachment from a trusted contact, not knowing that the contact's own machine is already infected and the attachment is a Trojan horse or worm. Zero-day vulnerabilities are flaws in operating systems, web browsers, document software, and nearly any other program that malware authors discover before the vendor does, so no patch yet exists for them. Simply by visiting a compromised site or opening a malicious file associated with the vulnerable software, a user allows code to execute that even fully updated, signature-based security software does not yet recognize. Something as common as a banner ad can be used to deliver malware. One of the more popular methods of infecting PCs is social engineering: the attacker understands how people think and act in common situations and either tricks or scares them into explicitly installing something on their computer. Perhaps a pop-up appears to come from the Windows taskbar, urging the user to update drivers, install antivirus, or patch the OS. With one click of the mouse the system is suddenly “updated”; in reality, the user has installed a rootkit or some other form of malware. The widespread popularity of social networking also lends a hand to online criminals. Through sites like Facebook and Twitter, compromised users unknowingly share “videos” or other links that lead to a page requiring the visitor to run a small utility to view the desired content. If they run it, the PC is infected and the user is left confused as to why the original link does not seem to exist. To the trained eye of a network professional these methods of infection are easy to spot, but when attempted on the average home user or employee, the success rate is astonishing.

The groups behind these attacks are serious about making money over a long period of time and remaining under the radar. Their goal is not to become famous by proving they can hack into Fortune 500 companies but to ensure a stable business model for stealthy criminal activity. While these professional bad guys work very hard to cause havoc, they have counterparts in law enforcement and research who work to detect, track, dismantle, and prevent botnets. Those tasks are becoming more difficult because of the highly advanced Command-and-Control (CnC) infrastructure and topologies used in botnets. Criminals put a considerable amount of time and money into building logical groupings of compromised systems that are responsible for controlling other bots. The malware used to infect host PCs is updated to evade signature-based antivirus programs; it is polymorphic and/or unique to the host it infects to avoid triggering heuristic analysis, and it mimics normal application and traffic activity so as not to raise any red flags. Beyond that, criminals employ other techniques to avoid detection. Spammers often register domains with a registrar and then select some bots to act as the web and name servers for them, which saves hosting fees and keeps the real operator untraceable.

“Fast flux” is the practice of constantly moving the apparent location of a web, email, or DNS server from bot to bot so that malicious activity (spamming or phishing, for instance) stays online and is difficult to trace. The domain's DNS records carry very short TTLs and resolve to a rotating set of bot addresses, each of which merely proxies traffic to the real back-end server. Blacklisting IPs is largely ineffective against fast-flux botnets because of how dynamic they are. Fast flux in this form is the first-generation technique, sometimes called single flux. A newer, more complex method called “double flux” has become common among serious botnets. Here the DNS name servers that resolve the web host names are themselves moved from bot to bot, as are the hosts serving up the fraudulent sites. You never resolve to the actual web server, only through a series of proxies, which is frustrating indeed for researchers trying to find the real IP of a server or host. By the time investigators have worked through the trail of proxies, the fast-flux botnet has changed the IP addresses again. Many of these systems encrypt their communications as well, making them very hard to track.
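The DNS behaviour described above is visible from the resolver side, and that is how flux networks are usually spotted in practice. The Python script below is an added example, not code from the original paper or from any of the cited sources. It scores a series of DNS lookups on four traits of a flux network: a very short TTL, many distinct addresses for one name, answer sets that change between lookups, and addresses spread across many networks (approximated here by counting distinct /16 prefixes). A domain whose A records flux while its name servers stay fixed is labelled single flux; one whose name-server addresses flux as well is labelled double flux. The domains, addresses and thresholds are all constructed for the illustration (the addresses come from documentation and test ranges; the thresholds are assumptions, not published cut-offs), and a real deployment would feed it lookups from passive DNS or a periodic resolver poll instead of the embedded sample.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Heuristic thresholds: assumptions for this example, not published cut-offs.
MAX_FLUX_TTL = 300      # seconds; flux records use very short TTLs so resolvers forget them fast
MIN_UNIQUE_IPS = 5      # distinct addresses seen for the name across all lookups
MIN_UNIQUE_NETS = 3     # distinct /16 prefixes those addresses span (bots sit on many ISPs)
MIN_CHURN = 0.5         # fraction of consecutive lookups whose answer set changed


@dataclass(frozen=True)
class Lookup:
    """One DNS answer observed at a point in time (constructed data in this example).
    For "A" lookups the answers are the web host's addresses; for "NS" lookups
    they are the addresses the domain's name servers resolved to."""
    domain: str
    rtype: str        # "A" or "NS"
    ttl: int
    answers: tuple    # IPv4 address strings


def prefix16(ip):
    """Collapse an IPv4 address to its /16 so distinct networks can be counted."""
    n = int(ip_address(ip))
    return f"{n >> 24}.{(n >> 16) & 0xFF}.0.0/16"


def churn(lookups):
    """Fraction of consecutive lookups whose answer set differs from the one before."""
    if len(lookups) < 2:
        return 0.0
    changed = sum(set(a.answers) != set(b.answers) for a, b in zip(lookups, lookups[1:]))
    return changed / (len(lookups) - 1)


def flux_features(lookups):
    """Summarise the four fast-flux indicators for one record-type series."""
    ips = {ip for lk in lookups for ip in lk.answers}
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "unique_ips": len(ips),
        "unique_nets": len({prefix16(ip) for ip in ips}),
        "churn": churn(lookups),
    }


def is_fluxing(f):
    """Require all four traits together; a short TTL alone also describes a CDN."""
    return (f["min_ttl"] <= MAX_FLUX_TTL and f["unique_ips"] >= MIN_UNIQUE_IPS
            and f["unique_nets"] >= MIN_UNIQUE_NETS and f["churn"] >= MIN_CHURN)


def classify(lookups):
    """'double-flux' if both the A records and the name servers flux,
    'fast-flux' (single flux) if only the A records do, else 'stable'."""
    series = defaultdict(list)
    for lk in lookups:
        series[lk.rtype].append(lk)
    a_flux = "A" in series and is_fluxing(flux_features(series["A"]))
    ns_flux = "NS" in series and is_fluxing(flux_features(series["NS"]))
    if a_flux and ns_flux:
        return "double-flux"
    return "fast-flux" if a_flux else "stable"


def sample_lookups():
    """Constructed lookup histories keyed by domain (fictional names, documentation IPs)."""
    stable_ns = ("198.51.100.53", "198.51.101.53")
    flux_a = [("203.0.113.7", "192.0.2.15", "198.18.4.9"),
              ("192.0.2.15", "100.64.9.2", "203.0.113.88"),
              ("198.18.4.9", "100.64.9.2", "192.0.2.77")]
    flux_ns = [("203.0.113.53", "192.0.2.53", "198.18.7.53"),
               ("192.0.2.53", "100.64.3.53", "203.0.113.54"),
               ("198.18.7.53", "100.64.3.53", "192.0.2.99")]
    return {
        # Ordinary site: one address, long TTLs, nothing changes between lookups.
        "shop.example": [Lookup("shop.example", "A", 3600, ("198.51.100.10",))] * 3
                        + [Lookup("shop.example", "NS", 86400, stable_ns)] * 2,
        # Single flux: the web host rotates through bots, but the name servers are fixed.
        "pharma-deals.example": [Lookup("pharma-deals.example", "A", 180, a) for a in flux_a]
                                + [Lookup("pharma-deals.example", "NS", 86400, stable_ns)] * 2,
        # Double flux: the name servers are bots too, rotating on the same short TTL.
        "cheap-meds.example": [Lookup("cheap-meds.example", "A", 180, a) for a in flux_a]
                              + [Lookup("cheap-meds.example", "NS", 300, ns) for ns in flux_ns],
    }


if __name__ == "__main__":
    for domain, history in sample_lookups().items():
        a_only = [lk for lk in history if lk.rtype == "A"]
        print(f"{domain:22} {classify(history):12} {flux_features(a_only)}")
```

Running the script prints the three constructed domains with their labels and A-record features. The check deliberately requires all four traits at once: a short TTL and a large address pool on their own also describe a content delivery network, so treating either as proof would flood an analyst with false positives; a flux network is distinguished by its pool also spanning many unrelated networks and changing on nearly every lookup.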

Looking at the statistics from the past few years can be scary. The recent headline-making botnets known simply as “Storm” and “Conficker” infected, by some estimates, a combined 50 million PCs. A machine can be under the control of multiple botnet operators at once: in 2010, over 35% of botnet victims were simultaneously members of another botnet. Although combating these crime rings seems impossible, great strides have been made recently in arresting operators, studying the way they work, and even shutting down entire botnets. Extremely robust CnC topologies are ever-evolving and mostly resistant to being disabled, yet ICANN encourages registrars to verify any name server change, prevent automated changes, and enforce a minimum TTL so that operators cannot rotate records every few minutes. There can be no doubt that botnets are still causing damage and stealing money at an alarming rate. As security companies work to improve their methods of detection, users must also be educated in basic security practices to prevent the catastrophic damage a botnet can cause.

References:

http://blog.damballa.com/?p=1120

http://spamtrackers.eu/wiki/index.php/Botnet

http://spamtrackers.eu/wiki/index.php/Botnet_hosting

http://spamtrackers.eu/wiki/index.php/Fast-flux

http://www.fireeye.com/resources/resources_page.php?id=8&keywords=Security_Vault_-_Battling_Modern_Malware

http://www.damballa.com/cyber-threats/

http://www.darkreading.com/security/vulnerabilities/211201257/index.html

And of course 2 days AFTER I wrote this paper for a college class, a HUGE paper came out about botnets. Here are some other great sources of information. The PDF in the second link is quite big. I didn’t read it all but it’s worth skimming.

http://garwarner.blogspot.com/

http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence
