11/22/10
Our digital world has faced a multitude of information security threats over the years, including worms, viruses, phishing, and spam. Now hackers have a new tool at their disposal: botnets. Botnets foster trade in the spread of malicious code (aka malware), stolen identities, and stolen computing resources by establishing a commercial network behind them.
Botnets are networks of bots, otherwise known as zombie computers, that have been infected and, unbeknownst to the computer owner, can be summoned to perform a wide variety of functions, including spreading spam and phishing schemes or launching distributed denial of service (DDoS) attacks. Unlike the earlier threats from hackers who were looking for notoriety, botnets are big business with high margins. The emergence of botnets, combined with better known threats like viruses, worms, Trojans, and spam, is creating a very concerning environment for CIOs and anyone who transacts online.
Growing botnet threat
Botnets can be rented to spread spam and phishing schemes, viruses, and other malware such as keyloggers, which record a computer user's keystrokes and send the information back to their controllers. A newly infected machine reports back to its controller to acknowledge that it has been compromised and is available. The controller receives that communication in an online or IRC chat room, and it is from there that simple commands are given that can set the botnet into action.
Botnets are also hired to perpetrate DDoS attacks. From November 2004 through January 2005 alone, the Honeynet Project, a non-profit effort dedicated to improving the security of the Internet, cataloged 226 DDoS attacks against 99 unique targets. Sometimes just the threat of a DDoS attack is enough to extort thousands of dollars from companies whose businesses rely on always-on connections.
Honeynet research also noted that the average botnet includes about 2,000 broadband-connected computers; the Multi-State Information Sharing and Analysis Center (MS-ISAC), a centrally coordinated mechanism for sharing information security intelligence between states, has reported one containing 350,000 computers. To give this size some proportion, a botnet of just 13 machines, each with an average of 128 Kbps of upstream bandwidth, can generate 1.664 Mbps in total, which is more than enough to deny service to legitimate traffic on a T-1 line with a total bandwidth of 1.544 Mbps. With hundreds of thousands of bots available, the potential impact on our communication systems, financial systems, and critical infrastructure could be significant. Because they are made up of thousands of distributed computers, botnets can be very hard to track down before their profiteers have moved on.
The challenge for CIOs and law enforcement is countering a very sophisticated threat that is entering a hyper-growth stage. With increased revenue comes increased investment in new tools and better techniques. This blended threat cycle feeds on itself and is growing bigger every day.
One of the main challenges for CIOs is recognizing there is a problem. Unlike standard spyware or adware, a bot's malware infection can install kernel-level rootkits that modify many of the tools and libraries upon which all programs on the system depend and allow it to hide from standard anti-virus, intrusion detection, or anti-spyware applications. CIOs generally become aware of botnet infiltrations through end-user complaints about performance issues, third-party reports of attacks originating from their IP space, victims' reports of DDoS floods, detection of excessive inbound or outbound port scanning, or unusual traffic patterns on the network. In other words, most times, it's difficult to know if a bot or bots have infected the network until it is too late.
Once identified, an infected zombie computer can only be remedied through a complete re-installation of the operating system and reformatting of the hard drive on each computer. For large networks, this is a very expensive proposition because every single computer has to have its operating system reinstalled. According to the MS-ISAC, the organizations most vulnerable to bot infections include companies with large mobile workforces, universities, and colleges and home broadband users. The MS-ISAC and the U.S. Computer Emergency Readiness Team (US-CERT), a partnership between the Department of Homeland Security and the public and private sectors, recommend the following preventative measures and best practices to thwart botnets:
- Keep patches current and use automatic updates
- Use known anti-virus and intrusion detection along with automatic updates
- Use trusted firewalls on servers and clients along with automatic updates
- Monitor logs from firewalls, intrusion detection systems, DNS servers, and proxy servers on a daily basis for signs of worm infections as well as outbound SMTP connection attempts from anything other than normal SMTP mail gateways. Also monitor excessive or unusual scanning on TCP and UDP ports 135-139 and 445, outbound connection attempts on IRC or any other ports that are unusual, as well as other anomalies
- Monitor typical IRC chat room ports 6666 and 6667 but stay abreast of the latest research -- bots have also been known to communicate over P2P networks and even port 80
- Set strong passwords on routers and servers and have end users set strong passwords as well
- Ensure that the only devices connected to the organization's network are devices provided by the organization -- USB keys and MP3 players may be a threat
- Disable default file sharing on IM clients (make prompt to accept file)
- Routinely scan for vulnerabilities to mimic known practices of those with malicious intent
- Implement outbound application layer proxy servers and Web content filters to prevent users from inadvertently being directed to malicious Web sites
- Harden operating systems -- scripts/checklists are available from NIST, NSA and CIS (Center for Information Security)
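The log-monitoring items above (outbound SMTP from anything but the mail gateways, connections to IRC ports 6666/6667, and scanning on TCP 135-139 and 445) can be turned into a simple daily check. The following is an added example, not code from the article or from MS-ISAC/US-CERT; the firewall log format, the gateway address, and the scan threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of firewall log lines (not from any real device).
# Assumed format: <time> <action> proto=<tcp|udp> src=<ip> dst=<ip> dpt=<port>
SAMPLE_LOG = """\
10:00:01 accept proto=tcp src=10.0.0.5 dst=203.0.113.7 dpt=25
10:00:02 accept proto=tcp src=10.0.0.17 dst=198.51.100.9 dpt=25
10:00:03 accept proto=tcp src=10.0.0.17 dst=198.51.100.23 dpt=6667
10:00:04 drop proto=tcp src=10.0.0.17 dst=10.0.1.1 dpt=445
10:00:05 drop proto=tcp src=10.0.0.17 dst=10.0.1.2 dpt=445
10:00:06 drop proto=tcp src=10.0.0.17 dst=10.0.1.3 dpt=139
10:00:07 accept proto=tcp src=10.0.0.8 dst=198.51.100.9 dpt=80
"""

LINE_RE = re.compile(
    r"^\S+ (?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)
MAIL_GATEWAYS = {"10.0.0.5"}       # hosts allowed to speak SMTP outbound (assumed)
IRC_PORTS = {6666, 6667}           # the IRC ports named in the guidance
SMB_PORTS = set(range(135, 140)) | {445}
SCAN_THRESHOLD = 3                 # distinct SMB targets per source before alerting (assumed)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dpt"] = int(ev["dpt"])
            yield ev

def find_bot_indicators(log_text):
    """Return {src_ip: sorted indicator names} for hosts matching the guidance."""
    findings = defaultdict(set)
    smb_targets = defaultdict(set)     # per source: distinct hosts probed on SMB ports
    for ev in parse(log_text):
        src, dpt = ev["src"], ev["dpt"]
        if dpt == 25 and src not in MAIL_GATEWAYS:
            findings[src].add("smtp-from-non-gateway")
        if dpt in IRC_PORTS:
            findings[src].add("irc-port-connection")
        if dpt in SMB_PORTS:
            smb_targets[src].add(ev["dst"])
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[src].add("smb-port-scan")
    return {src: sorted(f) for src, f in findings.items()}

if __name__ == "__main__":
    for host, hits in find_bot_indicators(SAMPLE_LOG).items():
        print(host, hits)
```

A host that trips several indicators at once, as 10.0.0.17 does in the sample, is the kind of case worth pulling for the incident response process described below.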
The MS-ISAC and US-CERT contend that the likelihood of becoming compromised is not a question of "if" but "when." They recommend having an incident response policy prepared in advance that identifies specific technical processes, techniques, checklists, and forms used by the incident response team and the organization as a whole to minimize stress when handling a botnet attack. It is also important to stay up-to-date with the latest research and best practices from MS-ISAC, US-CERT, and others.
As the black market for malicious code and stolen information grows, botnets are quickly becoming the tool of choice for those with malicious intent. Like mainstream service providers, botnets will evolve to reflect the demands of the market. They will add features over time to spread quicker, harvest more specific information, and perpetrate DDoS attacks more efficiently. CIOs can expect to see security vendors roll out new approaches to combat the threat. In the meantime, it is important that they stay vigilant to protect individuals, intellectual property, and their organization's critical infrastructure.
Scott Cherkin is a Director for a National Institute of Justice-funded information security research project exploring the unique attributes of academia and their ramifications for public safety and security.
Copyright (c) 2010 Studio One Networks. All rights reserved.