Botnets: The backdoor to the enterprise network
Tomer Teller, security researcher and evangelist, Check Point Software
Botnets are one of the most significant network security threats facing organizations today. Compromising anywhere from a few thousand to well over a million systems, botnets are used by cyber criminals to take over computers and execute illegal and damaging activities – such as stealing data, gaining access to unauthorized network resources, initiating Denial of Service (DoS) attacks or distributing spam.
Botnets are here to stay. There is no more static malware; botnets in nature are dynamic and can quickly change form based on the cyber criminal's command. With bot toolkits being sold online for the mere price of $500 and their attacks costing businesses millions of dollars – it gives people insight into how big the problem has become.
The Impact of Bot Infection
It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet. In 2011, it was reported that the TDL Botnet infected more than 4.5 million computers and approximately 100,000 unique addresses per day. In addition, the industry saw nearly half of IT security professionals experience a dramatic increase in malware attacks.
This explosion has stemmed from a few core elements:
- Malware Has Become Big Business - Cyber criminals are no longer isolated amateurs. They belong to well-structured organizations that resemble terrorist cells - with money, motivation and goals. They can deploy considerable intelligence, time and resources in order to execute botnets that can cost businesses millions.
- Rise in Sophisticated Threats - Organizations are facing a “zoo” of malware types that result in a wide range of security threats, including viruses, worms, trojans, spyware, adware and botnets to name a few. Botnets are polymorphic in nature and can mimic normal application and traffic patterns – making it difficult for signature based solutions, such as anti-virus, to combat botnets alone. Businesses need a multi-layered approach to effectively mitigate the bot threat.
- Numerous Attack Vectors - There are multiple entry points to breach an organization's existing defenses, including browser-based vulnerabilities, and mobile phones. The explosion of Web 2.0 applications and social networks being used as business tools are giving hackers a huge opportunity to lure victims to clicking on malicious links or “malvertising” – malicious advertisements running on legitimate websites.
A Historical Look at Botnets
In looking at the evolution of the bot threat, the first bot, "GMBot," was not malicious. In fact, it was created in the late 1980s to emulate a live person in Internet Relay Chat (IRC) sessions. However, around 1999 bots emerged that were designed with harmful intentions. Thereafter, bots grew more sophisticated, and in some cases, were commercialized as products. The Zeus bot of 2006, for example, originally sold for several thousand dollars. In mid-2011, source code for the Zeus and SpyEye botnet kits was leaked, making these powerful botnet creators available to practically anyone that wants to establish their own botnet.
Today, botnets are primarily used as a backdoor into your enterprise. Once inside, hackers operate in silence and stay under the radar to steal as much information as possible before their presence is detected. Unfortunately, because bots are so stealthy, many companies aren't awar that their computers have been infected and security teams often lack the proper visibility into the threats that botnets create.
The Future Threat
In the coming years, botnets will continue to evolve using a combination of social engineering, zero-day exploits, as well as the proliferation of mobile computing and social networking.
In the past, it was assumed that most of the popular botnets were running on Windows machines, this is no longer true today. Linux and Mac systems are not immune. New botnet variants are cross-platform and the industry should also expect to see more Apple, Android and other mobile based botnets pop up where they communicate to Command and Control servers (C&C) using via 3G or Wi-Fi networks.
A disturbing trend is the use of social networks being used as command and control centers. Social networks and Web based services, like IM, are being used to send instructions to malicious programs installed on victim networks and can give hackers the ability to send encrypted commands.In this day and age, hackers can easily get the tools and resources needed to execute successful botnet attacks. Unfortunately, this is a cat and mouse game. Each time new antivirus releases a file signature, malware authors create new variants of the malware. Luckily, law enforcement, large corporations and security experts are starting to take things seriously and stop bots, such as the Rustock, in their tracks. By bringing down the C&C servers, bot masters lose control over all of the zombie computers and prevent infection from spreading. While thousands of companies have already been targets of bots and advanced persistent threats (APT), businesses have the responsibility to stop it from spreading.