Botnets Go Marching On

The reduction in ad spending. A chilling effect on valid e-commerce. Frustrated end-users. The lack of trust in the Internet and Web as a medium. These are the feared outcomes that Christopher Boyd, senior director of Malware Research for FaceTime Security Labs, shared with conference attendees at RSA in April when discussing the ramifications of botnets continuing uncontrolled. Is this vendor hype? No, the current scope of the botnet problem continues to grow at a shocking pace. Written almost two years ago, Team Cymru’s whitepaper The Underground Economy: Priceless, by Rob Thomas and Jerry Martin, reported, “Fully 61 percent of U.S. computers are infected with spyware and that Americans say they lost more than $336 Million (USD) last year to online fraud. These figures are largely based on self-reporting, which is often suspect. Given the enormous quantity of data witnessed on numerous Internet Relay Chat (IRC) channels, both numbers may be underreported.”

Traditionally, the Messaging Anti-Abuse Working Group (MAAWG) has focused on handling messaging abuse. “It is very good work and it is what we need to do and it has been effective at suppressing messaging abuse on the Internet,” says Michael O’Reirdan, MAAWG chairperson. “But given the rise of the botnets, it would be a bit like when a child has measles, and you paint over the spots on the face rather than dealing with the germs themselves. We are turning our focus now to dealing with the bots.” O’Reirdan passes on the observation of Vint Cerf, most often credited with being the father of the Internet, who said, ‘If we are not careful botnets are going to eat the Internet,’ noting that Cerf’s comment was made in 2007. “It is certainly true,” agrees O’Reirdan. “These things are a massive problem.”

Consumers and Businesses at Risk

The rising tide of botnet armies is largely due to the prominence of the Web. “Our research, as well as research of others, confirms that the Web is one of the biggest infection vectors,” states Ashar Aziz, founder and CEO of FireEye, Inc. Several years ago, the early reports of zombies (compromised PCs) seemed to point to the Internet Service Provider (ISP) as the one that needed to address the problem. But today consumer machines are not the only ones being taken hostage. “If Web malware, by and large, is proliferating botnet infrastructures today, then when you think about it, it is no longer a consumer issue. It is now an enterprise issue because all businesses—large or small—go to the Web. While you may have firewalls to block port 135 and other sorts of things that may still infect consumers, they are wide open on the port 80 front, and therefore, this infection vector affects everybody that visits the Web,” explains Aziz.

O’Reirdan agrees that it is not just a consumer problem. “Botnets exist on corporate networks just as they exist on the residential networks run by the ISPs,” he confirms. “Plus they are quite discriminating. A bot sitting on a corporate network is going to be worth more than one sitting on a residential network, and one sitting on a military network is worth even more.”

Contributing to the problem is the stealth in the attacks. “Behind the scenes and below the surface, iFrame injections are taking your browser on a tour of different malicious Web sites without you even knowing it,” says Arnie Bjorklund, VP sales and business development for MXTools. “Your browser could be going to Singapore, Russia, China and all these places, and you wouldn’t even know it. It has been incredibly easy for these guys to build armies of botnets on demand.”

MXTools provides sales and technical support for the Spamhaus Datafeed Service. “Spamhaus is generally regarded as a key piece of the best practices approach to protecting email systems from the onslaught of messaging abuse,” states Bjorklund. “The Spamhaus Project started out as a free open source project, but in some ways has become a victim of its own success. Due to the tremendous volume of queries it receives, Spamhaus has designed a model which will ‘future proof’ the service and ensure it’s available and reliable ongoing. That’s where we get involved. MXTools assists by providing sales and dedicated support for commercial customers.”

Another common notion about botnets is that they are about spam. According to O’Reirdan, “It is about identity theft, keylogging, DDoS and extortion attacks and as we have seen recently—out and out attacks on government infrastructure.”

Even once detected, it is not easy to be rid of an infection. “When we discover an infection, primarily because these are new and novel attacks never before seen, it is unclear how to clean it off,” warns Phillip Lin, director of marketing for FireEye. “Customers end up saving critical data and then re-imaging the machine. If you look at the spyware client vendors, they are struggling with this, because as soon as you remove it, it re-installs itself. It looks innocent, but what happens is they go back to a Web site to download the malicious executables and re-install a different version of itself that will bypass the anti-virus and spyware scanners.”

The Underground Economy

Why have botnets proliferated to this extent? It is because there is tremendous money to be made. “They used to barter, but now it is a whole economy where they rent the botnets for pennies a piece,” says Bjorklund. “They sell credit cards, passports, domains, etc. For example, you can buy a fully authorized credit card, with mother’s maiden name and security questions, for $25 to $30 (USD). A lot of damage can be done in a short amount of time.”

O’Reirdan describes the underground economy in this way: “It goes from the people that write the code all the way through to the people that deploy the code, people that rent time on botnets, people who then are involved in the laundering of cash that is generated and finally the delivery of goods. The whole thing is a business. A lot of the bots come with technical support, customer service, and refunds if you do not get the value for your money. It is a parallel economy and it is turning over an enormous amount of money. Today it is all about making money.”

Thomas and Martin wrote, “Extracting cash from the underground economy is the goal of many, if not most, participating miscreants. They find all sorts of ways to accomplish this goal, though these aren’t new techniques; physical world criminals have been doing this for years. So what’s different? Online crime is often easier and has a lot less inherent risk. The biggest challenges to the miscreants aren’t IDS, firewalls, 0day creation, or any other technological hurdle. The biggest challenge is where to cash the checks. Those who actively participate in the underground economy have another problem—how to move the significant quantity of illegally obtained funds.”

The botnet armies are required in order to maintain this underground economy. “The goal is to always have lots of systems under their control,” says Aziz. “Using the systems can sometimes compromise their presence, so they like to have a lot of systems and use subsets for their nefarious activities.” Aziz explains that if a botnet is discovered by an ISP or enterprise, then they move to another set. “It is amazing the amount of design consideration they have put into this infrastructure for resiliency. It is one of the most resilient criminal infrastructures out there. Every time they run one of those campaigns they are increasing the resiliency of their infrastructure and the computer network bandwidth available to them, because that is money to them. Their goal is to be resilient and widespread.”

Lin adds, “You can almost treat it like a virtual campaign—they are trying to increase their prospects—maybe they will turn them on and maybe they won’t. They do subsets of very valuable PCs that they keep closer to the vest, which they use for data mining.” Lin notes that the expendable consumer type PCs are more often used as spam engines or for DDoS attacks, “things that might reveal the existence of your botnet. You have sophistication built into the design.”

Solving the Botnet Problem

Because of the complexity of the underground economy, is the problem as complex to fix? “This is a problem capable of being solved,” says O’Reirdan. “This is very much a public-private joint initiative. You have got to look at it from a number of contexts.” O’Reirdan likens the botnet to the racketeering of the 1930s, which started out small and grew exponentially as organized crime took an interest. “Very similar here,” he says. “There has been a lot of organized crime involved based out of Europe and a number of other places with good broadband connectivity and weaker legal systems. That is where a lot of the coding is done. The bots themselves are deployed where there is strong broadband connectivity, like in the U.S., U.K. and other parts of Europe.” This economy makes this a multi-faceted problem. “This is a legal issue. All sorts of issues on territorial jurisdiction; you must have cooperation between a number of law enforcement agencies.” All in all, O’Reirdan believes they are doing a good job of cooperating on an international basis. O’Reirdan also says that it is an educational issue, with the industry needing to help educate about good online hygiene.

At FireEye, researchers recently made an interesting observation. “As you know the botnet can be commanded and controlled to do various activities, such as to send spam, or install a keylogger. We read about these infrastructures—like Storm or Rustock—but what is less well known are the linkages that are emerging in these dynamic malware infrastructures. Due to a lot of good work being done by our malware research team, we have found linkages in terms of common malware families being deployed across these different botnet platforms. Sometimes in the press it sounds like they are rivals and they are fighting for control or turf, but we find that in the back they are the same puppeteer commandeering these different infrastructures.” While it is unclear to what extent they are related, it is fairly certain there is a relationship between them.

Defending against the Armies

Almost all agree that combating the armies will take a community effort. Boyd cites cooperative communications among security vendors, law enforcement and advertising networks as a crucial piece to solving the botnet problem. “It requires a community effort and a technology effort,” believes Bjorklund. “Botnets are used to pump out volumes of spam, DDoS attacks, and other types of distributed initiatives. Spamhaus helps with the mitigation of the spam resulting from these botnet armies.” Two of the three lists maintained by Spamhaus address botnets: the PBL (Policy Block List), which contains IP addresses that should not be delivering unauthenticated SMTP email, and the XBL (Exploits Block List), which contains IP addresses of virus-compromised computers that are sending spam. “People look to Spamhaus as a trusted third party to help track the known sources of spam and botnets. Spamhaus currently protects over 1.4 billion user mailboxes and responds to over 100,000 individual queries every second.” Bjorklund recommends that the target be the command and control centers. “Think of it as an octopus,” he says. “If you can cut off the head, you make the tentacles worthless or die. There are six to eight million compromised zombies that generate about 85 percent of all the spam on the Internet today,” concludes Bjorklund. “Using the PBL and the XBL can immediately reject up to 90 percent of that volume, reducing the overall amount greatly.”
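The PBL and XBL described above are DNS-based blocklists: a receiving mail server reverses the octets of the connecting client's IPv4 address, appends the list's zone name, resolves that name as an A record, and reads the 127.0.0.x answer (if any) to learn which sub-list matched. The following is an added example, not code from the article, Spamhaus or MXTools, showing that lookup and a connection-time policy built on it. The zone name `zen.spamhaus.org` and the return-code table follow Spamhaus's published scheme for its combined zone but are treated here as assumptions to check against current documentation; the `FAKE_DNS` resolver is a constructed stand-in so the script runs offline.

```python
"""Added example: DNSBL lookup and SMTP connection policy (assumed zone and
return codes; constructed resolver so it runs offline)."""

import ipaddress
from typing import Dict, List

# Assumed zone and return codes for Spamhaus's combined zone; confirm
# against current Spamhaus documentation before relying on them.
DNSBL_ZONE = "zen.spamhaus.org"
RETURN_CODES = {
    "127.0.0.2": "SBL",      # Spamhaus Block List: known spam sources
    "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL",      # Exploits Block List: compromised / bot hosts
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",     # Policy Block List: should not send direct SMTP
    "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed/IPv6 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify(answers: List[str]) -> List[str]:
    """Map A-record answers to list names. Unknown codes are reported as-is
    so that a new or misconfigured response is visible rather than silently
    dropped."""
    return sorted({RETURN_CODES.get(a, f"unknown:{a}") for a in answers})


# Constructed stand-in for DNS: query name -> A records a resolver would
# return. A missing key stands for NXDOMAIN, i.e. "not listed".
FAKE_DNS: Dict[str, List[str]] = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],                # bot-infected host
    dnsbl_query_name("192.0.2.20"): ["127.0.0.10"],               # residential/dynamic range
    dnsbl_query_name("192.0.2.30"): ["127.0.0.2", "127.0.0.11"],  # on two lists at once
}


def lookup(ip: str, resolver: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """Return the list names an address is found on (empty if not listed)."""
    return classify(resolver.get(dnsbl_query_name(ip), []))


def smtp_decision(ip: str, authenticated: bool,
                  resolver: Dict[str, List[str]] = FAKE_DNS) -> str:
    """A policy a receiving MTA might apply when a client connects.

    The PBL only says "this range should not be sending unauthenticated
    mail", so an authenticated submission client on a PBL address is still
    accepted; an XBL or SBL hit is rejected regardless of authentication."""
    hits = lookup(ip, resolver)
    if any(h.startswith(("XBL", "SBL")) for h in hits):
        return "550 reject (" + ",".join(hits) + ")"
    if "PBL" in hits and not authenticated:
        return "550 reject (PBL: unauthenticated client)"
    return "250 accept"


if __name__ == "__main__":
    for ip, auth in [("192.0.2.10", False), ("192.0.2.20", False),
                     ("192.0.2.20", True), ("192.0.2.30", True),
                     ("198.51.100.5", False)]:
        print(ip, "auth" if auth else "anon", "->", smtp_decision(ip, auth))
```

In production the `FAKE_DNS` dictionary is replaced by a real resolver call, and the reject text should carry the blocklist's lookup URL so a falsely listed sender can find out why mail was refused; note also that the PBL check is deliberately skipped for authenticated clients, because a laptop on a residential connection submitting through its own provider is exactly what the PBL is not meant to block.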

FireEye is offering a new technology approach. “Everyone talks about malware coming in, but the distinguishing feature of a botnet is the call back channel into the command and control infrastructure,” explains Aziz. “Our technology is designed to not just look at it coming in—like an anti-virus device might—but also going back out because that is, in the end, what you have to do to catch this blended threat. It may have come in from multiple mechanisms, but knowing what the command and control infrastructure coordinates are and the call back channel certainly is a very important aspect of detecting this class of activity.”

The blended threat that makes up today’s botnet army is re-defining how we look at system infections. “We need to get away from the word ‘virus’ and really re-focus on malware,” contends O’Reirdan. “Earlier viruses were meant to destroy a machine. Today, it is meant to be quiet and unnoticeable. It is meant to not bother the user. Botnets aren’t just a technology problem; they also involve legal, educational and cultural issues. People tend to view the Internet as a safe environment, but they need to be made aware of some of these concerns. Technologists can’t solve this problem on their own. Everyone has a role to play.”

For Your Reference

FireEye, Inc.
FaceTime Communications, Inc.
Messaging Anti-Abuse Working Group
MXTools
Team Cymru