by Erik Larkin, PC World
As a teenager running his own online chat server in the 1990s, Barrett
Lyon had no idea that the attacks routinely pounding his server would
evolve into an Internet scourge that earned serious profit for online
criminals.
Lyon says that he enjoyed using Internet Relay Chat, or IRC, as a
place for people to share ideas and get instant answers to
questions. But online, as in the real world, bringing a bunch of
teenage male egos together inevitably resulted in battles, and Lyon
was forced to become a de facto security expert in order to fend off
frequent attempts to shut his server down.
It was "basically one big massive testosterone ego fight," Lyon says,
from "kids that wanted to prove themselves." The teens of the late
1990s wrote and deployed software that became known as "bots," short
for "robots"--programs created to attack each other and to hit servers
such as Lyon's.
How Bot Networks Work
In a general sense, a bot is a program that acts semiautonomously in
response to commands sent by humans. Bots aren't necessarily evil or
illegal. For instance, the GoogleBot scours the Web for the purpose of
improving that search engine.
But harmful bots, when installed on the PCs of unspecting users,
connect to IRC, or to a Web site, or even to a peer-to-peer network
and await commands from their controllers. When the commands arrive,
the bots execute them on their unwitting hosts -- which might include
your personal computer -- enabling malicious hackers to gain complete
control over those machines; the infected PCs are then called
"zombies."
When a bot has spread to a huge number of computers, the resulting
botnet provides a ready source of computing power and Internet access
that the bot's owner can abuse at will.
What was once a weapon for attention-hungry teens in chat rooms has
mutated into a digital tool that Internet criminals now use to steal
millions of dollars across the globe.
For instance, a July 2005 study by antivirus vendor McAfee reported
that the number of systems infected with malicious software that
allows a PC to be used for unauthorized purposes jumped by 303 percent
during the second quarter of 2005 from the previous quarter.
The primary purpose of these infiltrations is to make money, says
Larry Johnson, special agent in charge of the Criminal Investigative
Division of the U.S. Secret Service. And in some respects, the
operations function just like a legitimate business. For instance,
malicious entrepreneurs appear to be charging $2000 to $3000 for
temporary use of armies of 20,000 zombie PCs, according to a June
posting on SpecialHam.com, an electronic forum for hackers.
More Sophistication
Organized criminals are emerging as a new and increasingly effective
source of sophisticated attacks with botnets, according to Vincent
Gullotto, vice president of McAfee's Anti-virus and Vulnerability
Emergency Response Team. "There's a whole new ballgame that's being
played," he adds.
Gullotto says that his team recorded nearly 13,000 cases of attempted
bot hijackings in the second quarter of 2005, up from about 3000
during the first quarter of 2005. In fact, turning ordinary PCs into
zombies has become so common that CipherTrust -- a company that
provides e-mail security and guards against spam -- posts an hourly
update on global zombie activity.
A graphical representation of what a distributed denial of service
attack looks like.Meanwhile, Barrett Lyon has taken the skills he
honed in the 1990s to the world of security. In 2004 he founded
Prolexic, a company dedicated to protecting clients from
botnet-launched distributed denial of service (DDoS) attacks, which
miscreants launch in an effort to overwhelm a Web site with a flood of
meaningless data. During a DDoS attack, each bot-infected computer
sends as much data as it can to the target site. Multiply that by the
thousands of zombie PCs in a given botnet, and the target Web site
must dedicate all its resources to dealing with the DDos flood; as a
result, the site can't do anything else -- such as respond to real users
who are trying to reach it.
Financially motivated criminals use DDoS attacks as part of extortion
schemes that may demand as much as $50,000 from a business. Some
particularly unscrupulous companies use them to attack competitors.
But botnets have many other uses.
Botnets' Other Skills
Botnets began to emerge as money-making tools when spammers discovered
that they could be use them to send e-mail messages that would evade
blacklists and other antispam measures, according to analysts.
ID theft is another favorite activity of botnet wranglers. They use
teams of zombie PCs to send out spam in the hope of capturing
information through "phishing" schemes. One common variant of phishing
is when scam artists design Web sites to look like real banking or
e-commerce sites. The crooks then send out spam messages asking the
recipients to enter their account or credit card number at the bogus
site. If anyone does, the crooks can take control of that account.
Bot software is versatile because it opens a "back door" on its host
that lets the controller gain covert control over the PC. Botnets can
perform a multitude of tasks because they can update themselves with
new features and install other software -- including viruses, adware,
and spyware -- on the computers they rule, says Alfred Huger, senior
director of engineering at Symantec.
Bots' capacity for self-updating shows all the hallmarks of
professional software, Huger says. Certain varieties of bots look "as
if someone who has some formal software training is putting them
together," he says.
How They're Controlled
One common characteristic of botnets is that they can be controlled
from a central location. Reflecting their historical roots, most bots
connect to an IRC chat channel to receive their commands.
But some sinister varieties now use other means of control, including
peer-to-peer networks like EDonkey or Gnutella, to send control
messages. "Those are the scary ones," Lyon says, because they're much
harder to trace and shut down.
Creating a botnet is like "casting a net out wide," Huger says. A
would-be controller essentially releases the bot (or a precursor
Trojan horse that installs the bot) onto the Internet to see how many
computers it infects.
Targeted Malware
On the other hand, some criminals prefer to choose a particular target
and use a tailored approach, without botnets. In one attack that
spanned March and April 2005, cybercrooks tricked individual
companies' and organizations' domain name servers -- which guide all
Internet traffic -- into sending all of their Internet traffic to a
server controlled by the attackers.
Ken Dunham, director of malicious code at IDefense, a Virginia-based
Internet security company, estimates that 3000 DNS servers at a range
of companies, including at least two with more than 8000 employees
each, got hit.
Anyone inside one of the affected companies or organizations who tried
to go to any Web page ended up instead at the attacker's site, where
stealth scripts surreptitiously installed about 80MB worth of adware
and spyware onto any computer using an older version of Microsoft's
Internet Explorer browser.
Because so much malware was installed, its presence was immediately
obvious to the hapless users, slowing their systems to a crawl and
peppering their screens with pop-up ads. As a result, IT response was
fast, and the companies quickly cleaned their employees' PCs. But some
analysts have theorized that the attackers designed the huge payload
simply to create a diversion while a separate piece of malware not yet
caught by antivirus and antispyware programs installed itself.
According to this theory, the remaining piece of stealth software may
have been programmed to steal information in a corporate espionage
scheme, a growing threat to businesses across the globe.
Businesses Beware
On June 16, the British government released a report titled "Targeted
Trojan Email Attacks" that warned of directed attacks against
government offices and businesses in the United Kingdom. According to
the report, the attacks might infiltrate specific targets with spyware
meant for "covert gathering and transmitting of commercially or
economically valuable information" such as usernames, passwords, and
sensitive documents.
American companies are at risk from this type of spyware as well. "It
happens all the time," Symantec's Huger says. Unscrupulous companies
seek a business advantage, and crooked individuals look for
information they can sell.
If there's money to be made, malware-based spying will continue, Huger
says. "It's very simple -- it's the unfortunate truth."
Files Held for Ransom
Money was definitely at the heart of a novel new attack that infected
victims' computers with a virus that searched for and then encrypted
various text files. Once the encryption was complete, the virus
deleted itself and left a ransom note, demanding that $200 be sent to
an account with E-Gold, a Paypal-like Internet currency service whose
payments are backed by gold deposits.
Dan Hubbard, senior director of security and technology research at
Websense, investigated this attack after one of his company's clients
was targeted. Hubbard says that only one business reported being hit;
and Joe Stewart, an Internet security analyst he knows at LURHQ, a
provider of managed security services, wrote a program to decrypt the
relatively simple encryption used.
But "coming up with a better encryption scheme is a very simple thing
to do," Hubbard says. So another, nastier attack could be on the way.
Considering how much money is at stake to motivate criminals, expert
after expert expects botnets and other malware attacks to continue to
expand.
"This whole cybercrime wave is growing in numbers and sophistication,"
Hubbard says. "We're seeing technology evolve in ways we never have
[before]."
Copyright 2005 PC World Communications, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. Discuss this report with others in our chat room at
http://telecom-digest.org/td-extra/chatpage.html
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, PC World Communications, Inc.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
Erik Larkin (pc-world@telecom-digest.org)