Attack of the killer bots

If malware were insects, botnets would be termites

If malware were insects, botnets would be termites -- they burrow in behind the walls of your security perimeter, lie dormant for a period of time, then attack.

Once a computer has been infested, it waits for orders from criminal bot herders, who turn these zombie computers into massive bot networks that spew spam and other malware across the Internet.

You may not be able to block the botnet invasion completely, but with layers of bot-hunting technologies and common sense, you can minimize the effect on your network.

'Everybody gets bots'

Before you can battle the bots, you've got to understand the scope of the problem. "We've been in denial about the scale of the problem," says Michael Barrett, CISO of PayPal in San Jose, Calif.

In fact, in a recent survey of 394 Network World readers responsible for network security, a surprising 43.7 percent said that compromised clients were not a significant problem. Another 30.2 percent said that they have not seen evidence that any computer on the network has ever been infected.

Just because nearly three-quarters of respondents aren't on high alert, it doesn't mean the threat isn't there, says Rick Wesson, CEO of Support Intelligence, a San Francisco firm that tracks bot outbreaks. On any given day, his company's honeypot will trap all kinds of insidious and fraudulent spam coming from zombie clients.

"The deal is that these bot herders are pretty smart, operating systems are very vulnerable, and everybody gets bots. Most companies run pretty tight networks, but the idea that you are not going to have bot networks running on your systems is naive. We have a lot of data that says a sizable portion of the Fortune 1000 has bots," he says.

If the Fortune 1000 can't stop bots, smaller organizations and consumers don't have a prayer. The little guys have fewer resources to perform security updates or to monitor their networks and machines for strange traffic patterns, says Ken Lloyd, director of security for security service provider Cyveillance in Arlington, Va. Consumers are at the highest risk because they tend to have the least security, Lloyd says.

"Enterprises have the problem, too, no doubt about it," says Martin Roesch, CTO of intrusion-detection software-maker Sourcefire. Enterprises are most vulnerable to roving machines that aren't properly set up to fight off malware attacks. "That's when there's trouble -- it's people getting spammed over [instant messaging], or Trojans and viruses over IM, or getting these things in their in-box, or surfing where they shouldn't be with vulnerable versions of [Internet Explorer] and Firefox," he says.

In fact, Gartner predicts that 75 percent of enterprises will be infected by bots by year-end.

Criminalization of the Internet

In the past year, bot herding has taken a disturbing turn to organized criminal activity aimed at making money. The stereotypical teenager out for ego-gratifying distributed denial-of-service attacks is a thing of the past. For example, a high-profile arrest in London last summer involved a 63-year-old, a 28-year-old and a 19-year-old. These people are more organized, more professional and more interested in stealth.

"The amount of effort involved in this would literally take a distribution channel. You have the people making it, the people selling it, the people using it. One person could not do this entire thing from creation to use. Script kiddies are out of the question," Lloyd says. "The people who are running these things are basically into organized crime."

Specifically, bot herders are launching high-paying scams, such as spam, identity theft through keylogging (capturing keystrokes to learn users' names and passwords), click fraud (automatically clicking on ad banners for which advertisers pay per click) and warez (the distribution of pirated software).

The scale and the amount of money involved can be enormous, researchers say. For instance, click fraud accounts for about 14 percent of all clicks and as much as 20 percent of the higher-priced ads, ClickForensics says. It cost advertisers an estimated $666 million last year, research firm IncreMentalAdvantage says. The Business Software Alliance claims that a quarter of the world's software is pirated, amounting to billions of dollars in losses for software makers.

Black-market servers -- where people buy, sell and contract for botnets -- are flourishing.

"Bots are a big part of the underground economy. . . . It's a new twist, an explosion that we've seen in the last six months or so," says Oliver Friedrichs, director of emerging technologies for Symantec Security Response. These servers are also the place where criminals sell stolen information obtained from their bots, such as credit card numbers.


Battle of the botnets

Because bot herders obviously spend resources managing and running their botnets, they have become less interested in increasing the number of networks they manage. Symantec reports that the number of command-and-control servers diminished by 25 percent in the second half of 2006, which indicates that bot herders are consolidating and making each network larger, the company says.

Strange new attacks have caused security researchers to speculate that bot herders are engaged in turf wars and attacking each other. The goal of some malware may be to disable rivals' drones, and in the process it wreaks havoc on the networks that host them. For instance, one recent worm was directed at machines that had visited a malicious pump-and-dump Web site. It infected the machines with a virus that caused them to reboot continuously, rendering them useless for legitimate work (and illegitimate uses), Web-monitoring firm Websense reports.

Because bot herders are more interested in keeping their millions of infected machines secret, they will activate a machine, blast the spam or run the click-fraud game and quickly shut the connection down. Rootkit infections operate invisibly to the operating system. And bot herders control their machines via HTTP (not necessarily relying on Internet Relay Chat); that means detecting bots on your network is hard to do.

Social-networking diseases

More worrisome still is that today's bot herders use such techniques as toxic blogs, cross-site scripting and iFrames, which do not require a user to take any action, such as clicking on an e-mail attachment, to become infected. If a PC with a vulnerable operating system or browser visits a Web site or blog that contains malicious code, it is secretly infected. Malicious JavaScript, sometimes in adware, is downloaded automatically to the PC. Then it's directed to other malicious Web sites to receive its commands, and the bot is in business. With the popularity of inexpensive Web-hosting based on shared servers, a hacker can use a single operating-system vulnerability to gain access to dozens of Web servers.

Toxic blogs and cross-site scripting, which involve planting malicious code into an otherwise legitimate site, have been around for years. Bot herders are finding new ways to make use of them, however. Among the more infamous instances was the bot herder who hacked into the Dolphins Stadium Web site just before the Super Bowl -- a time when thousands of people would be trying to buy tickets.

Social networks, too, can become cesspools of malware, because these networks let users upload and share files, data and other potentially harmful code. Invisible iFrames can be used to download malware automatically and undetected from compromised Web sites, as well as from blogs and social networks.

"Web sites and social-networking sites -- there's so much personal information on these sites and so many users, it's just a gold mine of info," says Chris Boyd, director of malware research for FaceTime Communications, a Web-monitoring company specializing in protecting real-time applications, such as IM and VoIP.


Sidebar: How big is the botnet problem?

Gigantic. Watchdog organization Shadowserver Foundation monitors the number of detected command-and-control servers -- which indicates how many individual botnets are out there -- and the number of clients these servers control.

From November 2006 through May 2007, Shadowserver reported roughly 1,400 command-and-control servers active at any given time, though the number varied hourly and ranged from 1,100 to more than 1,700.

If that sounds like small potatoes, consider that the real problem for enterprises isn't the number of networks but the skyrocketing number of drones they control. From March through May, active drones grew at an alarming rate from about a half million to more than 3 million, the organization says.

Shadowserver doesn't claim this is a count of all the bots and botnets out there, just the ones it detected in active use. No one knows how many machines lie dormant. Some researchers even have made the controversial claim that as many as 11 percent of the 1.1 billion computers worldwide with Internet access are infected and part of the available bot pool.

Symantec says it found 6 million infected bots in the second half of 2006. Currently, about 3.5 million bots are used to send spam daily, says Gadi Evron, a well-known botnet hunter.

The point is that the scale now is so vast that trying to count bots has become irrelevant. "The number doesn't matter," Evron says. "The bad guys control as many bots as they need to."

In fact, the Department of Justice and FBI have identified more than 1 million victims of botnet crimes.

Sidebar: Six ways to fight back against botnets

Botnets are a growing threat, but there are six steps that security professionals can take to fight back.

1. Hire a Web-filtering service.

Web-filtering services are one of the best ways to fight bots. These services scan for Web sites exhibiting unusual behavior or known malicious activity and block those sites from users.

Websense, Cyveillance and FaceTime Communications are examples. All monitor the Internet in real time to find Web sites engaged in suspicious activity, such as downloading JavaScript and performing screen scrapes and other tricks outside the boundaries of normal Web browsing. Cyveillance and Support Intelligence also offer services that notify Web-site operators and ISPs that malware has been discovered, so hacked servers can be fixed, they say.

2. Switch browsers

Another tactic to prevent bot infections is to standardize on a browser other than Internet Explorer or Mozilla Firefox, the two most popular and hence the browsers for which most malware is written. The same tactic works for operating systems. Macs statistically are safe from botnets, as is desktop Linux, because most bot herders target Windows.

3. Disable scripts

A more extreme measure is to disable browsers from scripts altogether, though this could put a damper on productivity if employees use custom, Web-based applications in their work.


4. Deploy intrusion-detection and intrusion-prevention systems

Another approach is to fine-tune your IDSs and IPSs to look for botlike activity. For example, any machine suddenly blasting away on Internet Relay Chat is certainly suspicious. Ditto those connecting to offshore IP addresses or illegitimate DNS addresses. Harder to notice, but another telltale sign, is a sudden uptick in SSL traffic from a machine, particularly on unusual ports. That could indicate a botnet-control channel has been activated. Look for machines routing e-mail to servers other than your own e-mail server. Botnet hunter Gadi Evron further suggests that you learn to watch for Web crawlers that operate at high "fetch levels." Fetch levels activate all links located on a Web page, and a high level could indicate a machine is being sent to a malicious Web site.

An IPS monitors for behavior anomalies that indicate hard-to-spot HTTP-based attacks and those involving remote-procedure-call, Telnet and Address Resolution Protocol spoofing, among others. Worth noting, however, is that many IPS sensors use signature-based detection, meaning that attacks are added to a database as they are discovered. The IPS must be updated regularly to recognize them, so after-the-fact detection will require ongoing effort.
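The telltale signs listed above can be turned into simple flow-log rules. The script below is an added example, not from the article or any vendor's product: it runs the IRC, direct-to-Internet mail, unusual-port SSL and rogue-resolver heuristics over a constructed flow log and reports which internal hosts tripped which rule. The relay and resolver addresses, the "expected" TLS ports and the log format are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log (not real traffic): time, source host,
# destination IP, destination port, application guessed by the sensor.
SAMPLE_FLOWS = """\
10:01:02 ws-017 10.0.5.10 25 smtp
10:01:05 ws-017 203.0.113.8 6667 irc
10:01:06 ws-017 203.0.113.53 53 dns
10:01:09 ws-042 198.51.100.20 8443 tls
10:01:11 ws-042 198.51.100.20 31337 tls
10:01:14 ws-099 192.0.2.77 25 smtp
10:01:15 ws-099 10.0.0.53 53 dns
"""

# Assumed site policy: mail leaves only via the corporate relay, DNS goes only
# to the internal resolver, and TLS is expected only on these ports.
MAIL_RELAYS = {ipaddress.ip_address("10.0.5.10")}
ALLOWED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
EXPECTED_TLS_PORTS = {443, 8443}
IRC_PORTS = set(range(6660, 6670)) | {7000}


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, dst, port, app = line.split()
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "port": int(port), "app": app}


def classify(flow):
    """Return the names of the step-4 heuristics this single flow trips."""
    reasons = []
    if flow["port"] in IRC_PORTS or flow["app"] == "irc":
        reasons.append("irc")            # workstation talking IRC
    if flow["port"] == 25 and flow["dst"] not in MAIL_RELAYS:
        reasons.append("direct-smtp")    # mail bypassing your own mail server
    if flow["app"] == "tls" and flow["port"] not in EXPECTED_TLS_PORTS:
        reasons.append("tls-odd-port")   # possible encrypted control channel
    if flow["port"] == 53 and flow["dst"] not in ALLOWED_RESOLVERS:
        reasons.append("rogue-dns")      # illegitimate DNS address
    return reasons


def find_suspects(log_text):
    """Map each source host to the set of heuristics it tripped."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            for reason in classify(flow):
                suspects[flow["src"]].add(reason)
    return dict(suspects)


if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(SAMPLE_FLOWS).items()):
        print(host, ", ".join(sorted(reasons)))
```

A single hit is a lead, not a verdict; the value of the report is in hosts that trip several rules within a short window.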

5. Protect user-generated content

Your own Web operations must also be protected from becoming unwitting accomplices to malware writers. Unless you are trying to become the next hip, Web 2.0 social network, your company's public blogs and forums should be restricted to text-only entries, advises Michael Krieg, vice president of Web Crossing, maker of social-networking software and hosting services.

"I'm not aware of any one of our thousands of users that allows a JavaScript within text of a message; same thing with embedded code and other HTML tags. We don't let people do it. Our apps by default strip them out," Krieg says.

Dan Hubbard, vice president of security research at Websense, adds, "That is one of the big problems of user-created content sites, the Web 2.0 phenomenon. How do you balance the great functionality of allowing people to upload stuff but not allow them to upload anything bad?"

The answer is to be specific. If your site needs to let members swap files, it should be set to allow only limited and relatively safe file types, those with .jpeg or .mp3 extensions, for instance. (Malware writers have begun to target the MP3 players themselves with worms, however.)
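Both pieces of advice in this step, text-only posts and a short allowlist of upload types, are easy to enforce server-side. The following is an added example, not code from Web Crossing or any product named in the article: it reduces a submitted post to plain text (dropping tags, attributes and script bodies) and accepts an upload only when its extension is on the allowlist and its leading bytes match that type. The allowlist and the magic-byte prefixes are assumptions chosen for the example.

```python
import html
import os
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Keep text nodes only; tags, attributes and <script>/<style> bodies vanish."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def text_only(post):
    """Strip all markup from a user post, then escape it for safe re-display."""
    parser = _TextOnly()
    parser.feed(post)
    parser.close()
    plain = " ".join("".join(parser.parts).split())   # collapse whitespace
    return html.escape(plain)


# Assumed allowlist: extension -> acceptable leading bytes for that type.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}


def accept_upload(filename, data):
    """Accept only allowlisted extensions whose content looks like that type."""
    ext = os.path.splitext(filename.lower())[1]
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        return False                      # anything not listed is refused
    return any(data.startswith(m) for m in magics)
```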

6. Use a remediation tool

If you do find an infected machine, the jury is out about how best to do remediation. Companies like Symantec assert they can detect and clean even the deepest rootkit infection. In Symantec's case, it points to technology it acquired with Veritas, VxMS (Veritas Mapping Service), which lets the antivirus scanner bypass the Windows file-system APIs, which are controlled by the operating system and therefore vulnerable to manipulation by a rootkit. VxMS directly accesses raw Windows NT File System files. Other antivirus vendors trying to protect against rootkits include McAfee and F-Secure. Their success has varied, given how inventive malware writers can be.

Yet Evron argues that detecting malware after the fact could really be a false scent -- bait intended to make IT professionals believe they've scrubbed the PC while the real bot code remains hidden. "Antivirus is not a solution, because it is naturally reactive. The antivirus would have to recognize [the problem], and therefore the antivirus could have been manipulated," he says.

This is not to say you shouldn't try to implement the best rootkit fighter you can find in your antivirus software, just that you should be aware that doing so is a bit like buying a safe after your valuables have been stolen. Evron believes the only way to be sure that a machine is clean after bot malware is detected is to wipe it and start from scratch.

By not letting your users visit known malicious sites, monitoring your network for strange behaviors and defending your public sites from attacks, you'll be in good shape, security experts unanimously agree.

"I can see where this odd sense of futility and hopelessness can come in if some network guy wakes up and thinks, 'What am I going to do about those millions of botnets?' Let the folks concentrating on fighting botnets on a day-to-day basis worry about that one," says Chris Boyd, FaceTime's director of malware research. "Just concentrate on locking down your network and protecting it against infections -- viruses, Trojans, spyware or adware. . . . Treat it as a rogue file found on a PC. That's all you need to do."