Attack of the Killer Bots

Once a computer has been infested, it waits for orders from criminal bot herders, who turn these zombie computers into massive bot networks that spew spam and other malware across the Internet.

You may not be able to block the botnet invasion completely, but with layers of bot-hunting technologies and common sense, you can minimize the effect on your network.

'Everybody Gets Bots'

Before you can battle the bots, you've got to understand the scope of the problem. "We've been in denial about the scale of the problem,'' says Michael Barrett, CISO of PayPal in San Jose, Calif.
In fact, in a recent survey of 394 Network World readers responsible for network security, a surprising 43.7% said that compromised clients were not a significant problem. Another 30.2% said that they have not seen evidence that any computer on the network has ever been infected.
Just because nearly three-quarters of respondents aren't on high alert, it doesn't mean the threat isn't there, says Rick Wesson, CEO of Support Intelligence, a San Francisco firm that tracks bot outbreaks. On any given day, his company's honeypot will trap all kinds of insidious and fraudulent spam coming from zombie clients.

"The deal is that these bot herders are pretty smart, operating systems are very vulnerable, and everybody gets bots. Most companies run pretty tight networks, but the idea that you are not going to have bot networks running on your systems is naive. We have a lot of data that says a sizable portion of the Fortune 1000 has bots," he says.

If the Fortune 1000 can't stop bots, smaller organizations and consumers don't have a prayer. The little guys have fewer resources to perform security updates or to monitor their networks and machines for strange traffic patterns, says Ken Lloyd, director of security for security service provider Cyveillance in Arlington, Va. Consumers are at the highest risk because they tend to have the least security, Lloyd says.

"Enterprises have the problem, too, no doubt about it," says Martin Roesch, CTO of intrusion-detection software-maker Sourcefire. Enterprises are most vulnerable to roving machines that aren't properly set up to fight off malware attacks. "That's when there's trouble -- it's people getting spammed over [instant messaging], or Trojans and viruses over IM, or getting these things in their in-box, or surfing where they shouldn't be with vulnerable versions of [Internet Explorer] and Firefox," he says.

In fact, Gartner predicts that 75% of enterprises will be infected by bots by year-end.

Criminalization of the Internet

In the past year, bot herding has taken a disturbing turn to organized criminal activity aimed at making money. The stereotypical teenager out for ego-gratifying distributed denial-of-service attacks is a thing of the past.. For example, a high-profile arrest in London last summer involved a 63-year-old, a 28-year-old and a 19-year-old. These people are more organized, more professional and more interested in stealth.

"The amount of effort involved in this would literally take a distribution channel. You have the people making it, the people selling it, the people using it. One person could not do this entire thing from creation to use. Script kiddies are out of the question," Lloyd says. "The people who are running these things are basically into organized crime."

Specifically, bot herders are launching high-paying scams, such as spam, identity theft through keylogging (capturing keystrokes to learn users' names and passwords), click fraud (automatically clicking on ad banners for which advertisers pay per click) and warez (the distribution of pirated software).

The scale and the amount of money involved can be enormous, researchers say. For instance, click fraud accounts for about 14% of all clicks and as much as 20% of the higher-priced ads, ClickForensics says. It cost advertisers an estimated $666 million last year, research firm IncreMentalAdvantage says. The Business Software Alliance claims that a quarter of the world's software is pirated, amounting to billions of dollars in losses for software makers.

Black-market servers -- where people buy, sell and contract for botnets -- are flourishing.
"Bots are a big part of the underground economy. . . . It's a new twist, an explosion that we've seen in the last six months or so," says Oliver Friedrichs, director of emerging technologies for Symantec Security Response. These servers are also the place where criminals sell stolen information obtained from their bots, such as credit card numbers.
Battle of the Botnets

Because bot herders obviously spend resources managing and running their botnets, they have become less interested in increasing the number of networks they manage. Symantec reports that the number of command-and-control servers diminished by 25% in the second half of 2006, which indicates that bot herders are consolidating and making each network larger, the company says.

Strange new attacks have caused security researchers to speculate that bot herders are engaged in turf wars and attacking each other. The goal of some malware may be to disable rivals' drones; in the process, that causes havoc with networks. For instance, one recent worm was directed at machines that had visited a malicious pump-and-dump Web site. It infected the machines with a virus that caused them to reboot continuously, rendering them useless for legitimate work (and illegitimate uses), Web-monitoring firm Websense reports.
Because bot herders are more interested in keeping their millions of infected machines secret, they will activate a machine, blast the spam or run the click-fraud game and quickly shut the connection down. Rootkit infections operate invisibly to the operating system. And bot herders control their machines via HTTP (not necessarily relying on Internet Relay Chat); that means detecting bots on your network is hard to do.

Social-networking Diseases

More worrisome still is that today's bot herders use such techniques as toxic blogs, cross-site scripting and iFrames, which do not require a user to take any action, such as clicking on an e-mail attachment, to become infected.. If a PC with a vulnerable operating system or browser visits a Web site or blog that contains malicious code, it is secretly infected. Malicious JavaScript, sometimes in adware, is downloaded automatically to the PC. Then it's directed to other malicious Web sites to receive its commands, and the bot is in business. With the popularity of inexpensive Web-hosting based on shared servers, a hacker can use a single operating-system vulnerability to gain access to dozens of Web servers.

Toxic blogs and cross-site scripting, which involve planting malicious code into an otherwise legitimate site, have been around for years. Bot herders are finding new ways to make use of them, however. Among the more infamous instances was the bot herder who hacked into the Dolphins Stadium Web site just before the Super Bowl -- a time when thousands of people would be trying to buy tickets.

Social networks, too, can become cesspools of malware, because these networks let users upload and share files, data and other potentially harmful code. With iFrames, invisible frames can be used to download undetected malware automatically on compromised Web sites, as well as on blogs and social networks.

"Web sites and social-networking sites -- there's so much personal information on these sites and so many users, it's just a gold mine of info," says Chris Boyd, director of malware research for FaceTime Communications, a Web-monitoring company specializing in protecting real-time applications, such as IM and VoIP.