Attack of the killer bots
- — 18 July, 2007 18:42
If malware were insects, botnets would be termites -- they burrow in behind the walls of your security perimeter, lie dormant for a period of time, then attack.
Once a computer has been infested, it waits for orders from criminal bot herders, who turn these zombie computers into massive bot networks that spew spam and other malware across the Internet.
You may not be able to block the botnet invasion completely, but with layers of bot-hunting technologies and common sense, you can minimize the effect on your network.
'Everybody gets bots'
Before you can battle the bots, you've got to understand the scope of the problem. "We've been in denial about the scale of the problem,'' says Michael Barrett, CISO of PayPal in San Jose, Calif.
In fact, in a recent survey of 394 Network World readers responsible for network security, a surprising 43.7 percent said that compromised clients were not a significant problem. Another 30.2 percent said that they have not seen evidence that any computer on the network has ever been infected.
Just because nearly three-quarters of respondents aren't on high alert, it doesn't mean the threat isn't there, says Rick Wesson, CEO of Support Intelligence, a San Francisco firm that tracks bot outbreaks. On any given day, his company's honeypot will trap all kinds of insidious and fraudulent spam coming from zombie clients.
"The deal is that these bot herders are pretty smart, operating systems are very vulnerable, and everybody gets bots. Most companies run pretty tight networks, but the idea that you are not going to have bot networks running on your systems is naive. We have a lot of data that says a sizable portion of the Fortune 1000 has bots," he says.
If the Fortune 1000 can't stop bots, smaller organizations and consumers don't have a prayer. The little guys have fewer resources to perform security updates or to monitor their networks and machines for strange traffic patterns, says Ken Lloyd, director of security for security service provider Cyveillance in Arlington, Va. Consumers are at the highest risk because they tend to have the least security, Lloyd says.
"Enterprises have the problem, too, no doubt about it," says Martin Roesch, CTO of intrusion-detection software-maker Sourcefire. Enterprises are most vulnerable to roving machines that aren't properly set up to fight off malware attacks. "That's when there's trouble -- it's people getting spammed over [instant messaging], or Trojans and viruses over IM, or getting these things in their in-box, or surfing where they shouldn't be with vulnerable versions of [Internet Explorer] and Firefox," he says.
In fact, Gartner predicts that 75 percent of enterprises will be infected by bots by year-end.
Criminalization of the Internet
In the past year, bot herding has taken a disturbing turn to organized criminal activity aimed at making money. The stereotypical teenager out for ego-gratifying distributed denial-of-service attacks is a thing of the past. For example, a high-profile arrest in London last summer involved a 63-year-old, a 28-year-old and a 19-year-old. These people are more organized, more professional and more interested in stealth.
"The amount of effort involved in this would literally take a distribution channel. You have the people making it, the people selling it, the people using it. One person could not do this entire thing from creation to use. Script kiddies are out of the question," Lloyd says. "The people who are running these things are basically into organized crime."
Specifically, bot herders are launching high-paying scams, such as spam, identity theft through keylogging (capturing keystrokes to learn users' names and passwords), click fraud (automatically clicking on ad banners for which advertisers pay per click) and warez (the distribution of pirated software).
The scale and the amount of money involved can be enormous, researchers say. For instance, click fraud accounts for about 14 percent of all clicks and as much as 20 percent of the higher-priced ads, ClickForensics says. It cost advertisers an estimated $666 million last year, research firm IncreMentalAdvantage says. The Business Software Alliance claims that a quarter of the world's software is pirated, amounting to billions of dollars in losses for software makers.
Black-market servers -- where people buy, sell and contract for botnets -- are flourishing.
"Bots are a big part of the underground economy. . . . It's a new twist, an explosion that we've seen in the last six months or so," says Oliver Friedrichs, director of emerging technologies for Symantec Security Response. These servers are also the place where criminals sell stolen information obtained from their bots, such as credit card numbers.