Botnets, or remote-controlled networks of compromised computers, are usually more carefully concealed than that, says Andre DiMino, a volunteer at the botnet takedown group, Shadowserver.org, founded by Albright 18 months ago. At the very least, DiMino says, bot operators (called "herders") would use encryption over their IRC control channel so as not to be so easily observed.
But there are others who have taken notice. There is a lot of money to be made off these botnets, say experts. So organized crime has moved in. These criminals and botnet sellers are harnessing the power of distributed computing to anonymously hurl spam, recruit other zombies, steal identity information or commit denial-of-service (DoS).
That’s why Shadowservers’ dozen volunteers scour IRC channels for bot control commands, analyzing traffic and pouring through malware trapped in its sensors to ferret out botnet operators and help engineers build new signatures to the latest botware code. And that makes Shadowserver.org a frequent target of botnet DoS attacks.
"The ones attacking Shadowserver are just braggers wanting to show off. The larger threats are the ones you never hear a peep out of," says Matthew Jonkman, senior security engineer and head of security/IT consulting firm Infotex.com. "To the organized criminals, the object is to keep their bots running as long as possible to keep turning a profit. So they do things like issue commands not to turn on unless the computer is in idle when the end-user is likely to be away."
Fortunately, Shadowserver is well looked after. To get to Shadowserver, DoS pings must first go through Infotex, which causes occasional outages there, and Jonkman’s other project, BleedingSnort.com. BleedingSnort is a 2,000-member community of anti-malware researchers (ISPs, forums, vendors) fighting the botware scourge by sharing information among ISPs, researchers and security vendors to slow botnet spread and take down bot controllers.
In particular, BleedingSnort is building behavioral and signature algorithms and maintaining a central signature library for users of the popular open source intrusion detection system.
Traffic analysis, packet scanning and signature analysis are still reactive (relying on known behavior and signatures), but they’re the only way to detect and stop bots at the network level, says Cindy Bellefeuille, director of Verizon’s security group solutions.
As part of its Network Intelligence Initiative, Verizon has set up collectors on its backbone devices and core routers to do flow and signature analysis in search of bot activity on its global network. For example, timed pings at regular intervals would be a sign of bot and master staying in contact with each other. Or scans against "dark space" (unassigned IP addresses) indicate a bot scanning engine looking for more machines to infect.
Ultimately, the goal is to use traffic and packet analysis to follow the herder’s commands back to the bot operator and shut it down, says Jose Nazario, senior security engineer at Arbor Networks’ Arbor Security Engineering & Response Team (ASERT).
"You need to smash the network at its center so bot machines no longer take updates," he explains.
But shutting these bot operators down is not so easy, says Bellefeuille.
"When we identify these hosts, some of them are overseas, a lot of them in the former Soviet Union and China, so we can’t get the controllers shut down because laws are different in those countries," she says. "But when we find bot controllers in the U.S. and we report them, most ISPs will work with us to shut those controllers down."
Unfortunately, that doesn’t help the victim computers. The botware, complete with rootkits to hide their existence, are still sitting on millions upon millions of infected machines calling out to a non-existent master, says Nazario. As such, they are suffering performance problems, causing network traffic congestion, and sitting wide open with backdoor trojan horses, and are infested with other forms of malware.
"This is dynamic bot software that’s updatable," Nazario adds. "The herder can just roll over to a backup and start the botnet again from another location. Or the infected computers can be easily hijacked."
For this reason, it’s important to remember the weakest factor in all of this — the end-user — who clicks on IM and email links or surfs questionable web sites, says Bob Gligorea, information security officer at Exchange Bank, based in northern California.
Ongoing user education is important, according to all experts interviewed for this story. But even with regular education, you can’t expect them to protect their computers from these increasingly sophisticated attacks, Gilgoria adds.
For example, by no fault of their own, users could get infected simply by going to websites which are also being recruited into botnets without the website owners’ knowledge or permission to exploit zero-day vulnerabilities in Web IE, Mozilla and Safari browsers. Last year, Websense noted a 170 percent rise in spyware-related websites, up to 130,000. And, 69 percent of the 2,000 new vulnerabilities tracked by Symantec in 2005 were vulnerabilities in web applications.
The malware, written in low-level programming languages to get in under the radar of desktop security, starts as a lightweight trojan that sneaks out to load a bag full of malware writing to the host file to subvert computer security, says Dave Cole, director of the Symantec Security Response Center in Santa Monica, Calif.
That’s why, in addition to user education, patch management, outbound filtering, anti-virus and other desktop defenses, Gilgoria also put managed intrusion prevention on every desktop and at each of its 20 network segments.
"We want intrusion prevention on every desktop, server and network segment, so if something happens we can see it and stop it at the device," he says. "If something does try to spread in our network, ISS [its managed intrusion prevention system vendor] will alert us if so much as an NMAP [Network Mapping] scan is launched, so we can lock down that segment."
According to Jonkman, network scanning and signature analysis technologies are just starting to catch up to the botware problem. And, already botnet creators are finding new ways to circumvent them.
He adds, "Until we have more people behind bars, better ways of catching them and stronger deterrents, botnet herders are going to continue to be recruited by organized criminals, and botnets will continue to spread."
- Deb Radcliff, a freelance writer in Northern California, has specialized in online crime and computer security since 1995.
THE BOTS ARE HOT
A brief history of botnets
The technology to remotely control compromised computers first surfaced in late 1999 when SANS Institute researchers discovered remotely executable code on thousands of Windows machines. Because of its remote control nature, they called the infected computers "robots," which quickly shortened to the term "bot." Because of the encryption, researchers were unable to determine what the code would do until four months later, in February 2000, when the bots caused the distributed denial-of-service (DDoS) that took Amazon, eBay and other secure ecommerce sites off the internet intermittently for a week.
For the next few years, bot activity occurred mostly for sport, under the radar of law enforcement and the enterprise leadership community ... until last year when bot-related software took 20 percent of Symantec’s top 50 malware slots, up from 14 percent in 2004. Now, botnets of more than a million compromised computers are found regularly in the wild, although they usually run in packs of 10 to 20,000 to avoid detection, according to security researchers at Verizon Business.