MayDay: The Storm Continues – Batten Down the Hatches

(Business News, 01 Sep 2008)
Corey Nachreiner, WatchGuard Technologies Inc.

How do you measure the real cost of today's botnets, which control over a million PCs worldwide and launch more than 100 billion spam messages a day, flooding the mailboxes of unsuspecting recipients?

Cyber dependency has grown to such an extent that cyber vandalism is an issue that needs to be addressed by every computer owner, from large organisations to individuals. The current dynamics of internet crime—its sophisticated technology, boundless scale and massive economic impact—redefine the term internet security.

IBM ISS General Manager, Val Rahmani, claims, "The security industry is dead, long live sustainability." Just as new internet security products are launched, new online threats arise. In this endless game of catch-up, most industry experts now believe that network security is doing its job if the processes and systems simply stay one step ahead of the incessant threats.

Botnets: Top Threat in 2008
A botnet, a collection of compromised computers infected with software robots or bots, continues to figure prominently in the "Top Threats of 2008" lists published by many prominent leaders in the ICT industry. Botmasters, or bot herders, seem to have one purpose in life: launching viruses or worms to infect ordinary users' PCs with malicious applications, or bots. The bots on the infected PCs are coded by the operator or botmaster to log onto a designated server—christened the Command and Control (C&C). Access to the network of bots attached to the C&C is then sold to spammers, who monetise it in a plethora of ways.

From Storm to Kraken and MayDay, and now Srizbi—botnets have evolved to stunning levels of sophistication at lightning speed, raking in big bucks for spammers and botnet operators alike. Since their inception in 1998-1999, when the notorious NetBus and Back Orifice 2000 appeared as the first backdoor programmes enabling remote administration of infected computers, cyber criminals have been having a field day wreaking havoc across the internet. Trojans worked behind the scenes—without the user's knowledge or consent—performing file operations on remote machines or launching new programmes. At that time, to control an infected computer, all a cyber criminal had to do was establish a connection with the infected machine via a LAN-style client application over the TCP/IP protocol stack, and exploit the Windows API for control.

Within a year or two, the programmes had advanced to the point where botmasters were able to control several machines simultaneously. The bots operated as network servers, opening a predefined port and passively waiting for the botmaster to connect. Further innovations saw infected computers initiate connections themselves, monitoring every move the unknowing PC user made. This first lot of backdoor administrators were likely hackers, since they used a channel normally used only by hackers—Internet Relay Chat (IRC). The bots connected to IRC servers on a predefined IRC channel and waited for messages from the botmaster in control of the C&C.

Botnet hijacking soon became the norm as a new generation of malicious users appeared, scanning for IRC channels with suspiciously heavy traffic where they could gain entry and hijack the botnet—effectively taking control of the network and redirecting the bots to password-protected IRC channels. These hijackers eventually developed a way by which an unwitting computer on a LAN could connect to an internet server and relinquish control to a botmaster anywhere in the world—bypassing proxy servers and Network Address Translation (NAT). The hijacker could then establish an HTTP connection with the administration server using the client computer's local settings—ensuring accessibility. After that, a simple script could control small computer networks. Enter cyber criminals cashing in by selling botnets to spammers, who, in turn, lined their pockets by sending phishing emails and stealing files, documents or personal information—including passwords and other sensitive data—to launch spam-email campaigns, distributed denial-of-service (DDoS) attacks and online-fraud schemes. In some cases, a large number of computers could even be managed from any internet-connected device—including a mobile phone that supported WAP/GPRS—further raising the cyber-crime bar.

These first botnet networks were vulnerable: they depended on a single C&C, so operators resorted to infecting computers simultaneously with different bots connecting to different C&Cs. It was the evolution of peer-to-peer (P2P) botnets, without a central C&C, that enabled botnets to become the internet's worst enemy. Newfangled botmasters only had to send a single command to any computer on the network and the subservient bots would spread the command to the other computers in the botnet automatically.

230 Dead as Storm Batters Europe
Batter it did. And not only within Europe. The new kid on the block took more than 503 million computers by storm worldwide. The Storm botnet emerged in January 2007 as a traditional computer worm and quickly morphed into the commander of the internet, luring users with spam whose subject lines referred to extreme weather. In the beginning, the malicious programme was distributed as an attachment to spam messages (often appearing as a PDF file but actually named "ReadMore.exe"). Once opened, the code infected victims' computers, leveraging P2P architecture to spread rapidly—mutating into as many as three to five new Storm worm variants a day. Later, attachments were replaced with links to infected files inserted into spam messages and links to infected web pages and blogs.

It soon became clear that Storm was not yesterday's bot. Developed and distributed by professionals, the bot code mutated on a dedicated computer on the internet, rather than within the programme itself—spawning new versions as often as once an hour, thus making antivirus database updates ineffective for many users. The Storm botnet was also programmed to protect itself from frequent requests from the same IP address, launching a DDoS attack on any suspicious address to keep network analysts at bay. Meanwhile, the bot tried to remain as inconspicuous as possible, using limited system resources to avoid detection. Notably, instead of communicating with a central server, each Storm bot only connected to a small number of other computers in the infected network (typically 85,000 machines, of which only 35,000 were set up to send spam)—making identification of all zombie machines virtually impossible. Finally, the botmaster was constantly changing distribution methods and using sophisticated social-engineering techniques.

"Storm evolved like an ever-shifting malware kaleidoscope," says Scott Pinzon, CISSP, Information Security Analyst, WatchGuard LiveSecurity. "As it grew in size and strength, Storm was called the world's most powerful supercomputer." From annoying, colossal amounts of spam to the fallout from the debilitating cyber attack on Estonia, the full extent of Storm's reach and ensuing damage will never be known. By year end, the Storm botnet seemed to have dissipated—either broken up into parts and sold, or abandoned due to lack of continued profitability.

You Can Call Me Kraken or Bobax or Bobic, or…
Emerging earlier this year, the so-called Kraken botnet, also known as Bobax, took over Storm's claim as the world's largest, most destructive botnet—boasting between 185,000 and 400,000 hacked computers in its collection. With the capacity to spam about nine billion messages a day, Kraken has been in and out of the news under other aliases including Bobic, Oderoor, Cotmonger and Hacktool.Spammer—and some even argue it is the same botnet known as MayDay.

Like most botnets, the purpose of Kraken seemed to be the propagation of massive amounts of spam. The Kraken code came in a file that looked like an ordinary image file, such as a JPEG or PNG, but with a hidden extension that prevented users from recognising it as an executable. Once an innocent user opened the file, it copied itself onto the user's PC and deleted the original copy—erasing its tracks. Kraken was therefore enormously difficult for analysts to detect. This malicious botnet caused individual PCs or servers to send as many as 500,000 spam messages in a single day—double the output of Storm. Spotted in at least 50 Fortune 500 companies, it went undetected on over 80 percent of machines running antivirus software on Microsoft Windows operating systems. Unlike Storm, the Kraken botnet code included a list of domains anywhere in the world where the C&C server might be located. Once a machine was newly infected, it began sifting through that list to find the current C&C. If a C&C server was taken down, which happens regularly with large botnets to avoid detection, Kraken's botmaster could simply move the C&C function to another domain instantly—effectively evading even the most robust network security. Until recently, Kraken ruled the internet, causing mayhem and untold monetary gain for both spammers and the bot herder.
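The domain-list behaviour described above has a defensive upside: a freshly infected host that sifts through candidate C&C domains produces a burst of failed DNS lookups for many different names before one finally resolves. The following script, an added example that is not part of the original article, runs that detection logic over a few constructed resolver log lines; the log format, field names, window length and threshold are assumptions chosen for the illustration.

```python
"""Spot hosts that sift through a list of candidate C&C domains (Kraken-style).
A bot trying domain after domain until one resolves leaves a burst of NXDOMAIN
answers for many *distinct* names from one client. Log format, field names and
thresholds here are assumptions for this example, not from any real resolver.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<iso-timestamp> <client-ip> <query-name> <rcode>"
SAMPLE_LOG = """\
2008-04-07T10:00:01 10.0.0.12 mail.example.com NOERROR
2008-04-07T10:00:03 10.0.0.37 qwr81hd.example.net NXDOMAIN
2008-04-07T10:00:04 10.0.0.37 lpk22sd.example.org NXDOMAIN
2008-04-07T10:00:04 10.0.0.37 zz0b1ne.example.info NXDOMAIN
2008-04-07T10:00:05 10.0.0.37 kkm1qo3.example.net NXDOMAIN
2008-04-07T10:00:06 10.0.0.37 wid9u4k.example.org NXDOMAIN
2008-04-07T10:00:07 10.0.0.37 f3s9qpa.example.com NOERROR
2008-04-07T10:00:08 10.0.0.12 news.example.com NXDOMAIN
2008-04-07T10:00:09 10.0.0.12 news.example.com NXDOMAIN
"""

def parse(log):
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower(), rcode

def find_domain_sifters(log, window_s=60, min_distinct=4):
    """Return {client: (distinct NXDOMAIN names in window, name that then resolved)}.
    Repeats of the same name count once, so a typo or dead host stays under the
    threshold; a successful answer right after the burst is the likely live C&C.
    """
    recent = defaultdict(deque)          # client -> (ts, qname) NXDOMAIN hits in window
    flagged = {}
    for ts, client, qname, rcode in parse(log):
        hits = recent[client]
        while hits and ts - hits[0][0] > timedelta(seconds=window_s):
            hits.popleft()               # expire hits that fell out of the window
        if rcode == "NXDOMAIN":
            hits.append((ts, qname))
            distinct = len({n for _, n in hits})
            if distinct >= min_distinct:
                flagged[client] = (distinct, flagged.get(client, (0, None))[1])
        elif rcode == "NOERROR" and hits and client in flagged and flagged[client][1] is None:
            flagged[client] = (flagged[client][0], qname)   # burst ended in a hit
    return flagged

if __name__ == "__main__":
    for client, (n, live) in find_domain_sifters(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct NXDOMAIN names, then resolved {live}")
```

On the sample, only 10.0.0.37 is flagged (five distinct failures, then f3s9qpa.example.com resolving), while 10.0.0.12's repeated failure for a single name stays below the threshold.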

MayDay: Storm’s Little Brother
By late January/early February 2008, MayDay arrived on the scene, appearing as a P2P-architecture-based botnet, more cunning and more sophisticated than Storm. After launching, a bot connected to the web server specified by the programme, registered itself in the server database and received a list of all bots on the infected computer. This established P2P communication, based on ICMP messages, with the other bots in the zombie network. To avoid detection, MayDay carefully measured how much traffic passed between the C&C and each bot client. In addition, it enforced a short window within which communication had to happen. However, its unencrypted network-communication protocol had not been designed to evade antivirus software, and it never possessed Storm's ability to vary itself frequently. Though it did not compare in size or strength, MayDay is heralded as a serious botnet with tidy code that runs on both Windows and Linux—indicating a skilled development team. Nobody has seen hide nor hair of the MayDay bot for a few months now. Is it still lurking out there, waiting for July to surface again?

Srizbi: The Perfect Storm
The latest newcomer topping the botnet charts is Srizbi, accounting for up to 50 percent of all spam today—weighing in as the single largest menace on the internet at this time, dwarfing even Storm. Total infection rate to date is around 300,000 PCs across the globe, spewing an estimated 60 billion spam emails per day. All those emails about watches, pens and male-enhancement pills flooding your mailbox are probably the work of Srizbi. Even at the height of its destruction, Storm only accounted for 20 percent of worldwide spam. So far, Srizbi is outproducing all the other botnets combined. Super botnets have already begun to dominate internet traffic.

It appears that Srizbi is reproducing itself through the emails it distributes. Though not unique, this feature may be helping the botnet avoid detection at this stage, while it deceives people with more sophisticated social engineering. History suggests that Srizbi will fade away, just like Storm, just like Kraken, just like MayDay. However, by then, another new super botnet will probably have taken its place.

Summary
No doubt, botnets today are a key internet disrupter and have proven to be the most powerful and effective cyber-criminal tools to date. From lucrative phishing and fraud scams to extortion and exerting political pressure on governments, today's cyber criminals are an intelligent breed—using social engineering to entice a victim to click a link or open a file, instead of cracking a firewall to penetrate a machine. Additionally, botnet crime is becoming increasingly dangerous owing to its ease of use and availability. The economy supporting these cyber crimes has grown to such an extent that everything from virus-writing kits to spam-spewing zombies is now available for purchase or hire. Unfortunately, home users' computers make up a large part of the infected zombie machines. A botmaster's worth is judged not by his technical prowess, but by his ability to gain access to networks of millions of compromised machines. The bounty is just too great to expect cyber criminals to go away.

However, internet security experts debate how to control these damaging devils that creep into our machines and then run rampant day and night. Ron Teixeira, Executive Director of the National Cyber Security Alliance, strongly believes that only a combination of network-security tools can prevent botnet attacks in the future. We need to educate the industry and the average computer user about the problem and illustrate easy, practical ways to prevent malware infection. To the industry, he petitions for more investment in network-security technology to thwart the attacks at the outset. Lastly, he urges heavy-handed law enforcement to ensure cyber criminals are seriously punished once caught.

Tips to Banish Botnets Once and for All
- Deploy defence-in-depth strategies and multi-layered network security
- Promptly patch and vigilantly download security updates
- Block JavaScript
- Monitor ports and plan port security to block unauthorised traffic
- Generate user awareness amongst friends and colleagues

REFERENCES
Keizer, G., 10 April 2008, "RSA – Top Botnets Control 1M Hijacked Computers", Computerworld.com.au, http://www.computerworld.com.au/index.php/id;1183357273

Higgins, J.K., 10 April 2008, "IBM: The Security Business 'Has No Future'", Dark Reading, San Francisco, http://www.darkreading.com/document.asp?doc_id=150830&f_src=darkreading_section_296

Gaudin, S., 6 September 2007, "Storm Worm Botnet More Powerful than Top Supercomputers", Information Week, New York, http://www.informationweek.com/news/showArticle.jhtml?articleID=201804528

Nachreiner, C. & Pinzon, S., March 2008, "Understanding and Blocking the New Botnets", WatchGuard Technologies, Inc.

Higgins, J.K., 7 April 2008, "New Massive Botnet Twice the Size of Storm", Dark Reading, San Francisco, http://www.darkreading.com/document.asp?doc_id=150292&WT.svl=news1_1

Dunn, J.E., 17 May 2008, "Srizbi Becomes World's Largest Botnet", Techworld.com, http://www.pcworld.com/businesscenter/article/146017/srizbi_becomes_worlds_largest_botnet.html

Stewart, J., 8 April 2008, "Top Spam Botnets Exposed", SecureWorks, http://www.secureworks.com/research/threats/topbotnets
