Tuesday, August 4, 2009

Nine very scary things about Botnets

In a shrinking universe, the Botnet world is expanding.

Let me warn you that this article will paint a scary picture of botnets taking over all PCs, both the ones on corporate networks and the ones at home.


I am sure you have long wondered just how widespread the botnet problem is. What you will learn is enough to make you want to return to the days of stand-alone computing. The reality is worse than most people suspect.

Here is a list of nine known things about botnets that will scare you, but perhaps this article will also help you increase your efforts to keep your PCs off the illicit botnets.


1. The process of developing software that creates and controls botnets has reached a professional level. Forget the amateur script kiddies that are out for kicks; developers are in it to make a lot of money. The techniques they use to create malware or command and control software are as sophisticated as those used by any commercial software company.

What's more, this underground development community is very cooperative, like a quasi-legitimate open source community. Software is shrink-wrapped, packaged and sold or passed around. The developers add their "personal touches" to create many variants of the malware. Finjan reports that the Golden Cash network operated by cybercriminals provides an exploit toolkit as well as an attack toolkit to distribute malware.

2. Once a PC is captured by a botnet, the use of that PC can be bought and sold many times, e.g. the Golden Cash network is a vast botnet exchange. Cyberthieves purchase malware-infected PCs from anyone in the underground market, and then, like bond traders, they bundle them and resell them to criminals who want to rent the use of a botnet. This provides a great incentive for criminals to create even larger botnets.

3. Botnets use multiple automated propagation vectors to spread, including spam, worms, viruses and drive-by download attacks, e.g. legitimate Web sites are often compromised with HTML tags that force a victim's browser to download JavaScript code from a server that's controlled by the attacker.

That code can launch a number of exploits against the unsuspecting PC. If any of the exploits is successful, the PC can become the next zombie on the botnet, making it easier than ever for the attacker to collect new nodes on his illicit network.

4. The malware that turns the PC into a bot can hide as a rootkit, making it exceptionally hard to detect and eradicate the malware. The Torpig botnet, as an example, implants Mebroot on the victim PC. Mebroot is a rootkit that replaces the system's Master Boot Record. Therefore, the PC is under the attacker's control even before the operating system loads.

5. Once installed, the malware can attack and nullify the very software that is supposed to prevent or at least detect the malware infection. Intel researchers report that botnet developers have begun to target the antivirus, local firewall and intrusion prevention/detection software and services.

The researchers identified at least two ways that a botnet blocked the security software from getting updates:
  • A botnet changed the local DNS settings of the affected system to disable the antivirus software from reaching its update site.
  • A botnet was actively detecting connection attempts to the update site and blocking them.

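One defender-side check for the first of those two mechanisms, added here as an example and not taken from the original post: parse a hosts file (one place where local name resolution can be overridden) and flag any entry that pins a security vendor's update hosts to a loopback, unspecified or private address. The vendor hostnames and the sample hosts file below are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file: two legitimate lines followed by the kind of
# tampering described above (update hosts pinned so they can never be reached).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.10 fileserver.corp.example   # legitimate internal entry
127.0.0.1 update.av-vendor.example
0.0.0.0   liveupdate.av-vendor.example
10.0.0.1  definitions.av-vendor.example
"""

# Hypothetical update hosts a defender expects to resolve via normal DNS,
# i.e. they should never appear in the hosts file at all.
PROTECTED_HOSTS = {
    "update.av-vendor.example",
    "liveupdate.av-vendor.example",
    "definitions.av-vendor.example",
}


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in a hosts-file body, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip = fields[0]
        for name in fields[1:]:
            yield ip, name.lower()


def find_blocked_update_hosts(text, protected=PROTECTED_HOSTS):
    """Return {hostname: ip} for protected update hosts that are sinkholed locally."""
    hits = {}
    for ip, name in parse_hosts(text):
        if name not in protected:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits[name] = ip  # unparseable address: still an unexpected override
            continue
        if addr.is_loopback or addr.is_unspecified or addr.is_private:
            hits[name] = ip
    return hits


if __name__ == "__main__":
    for host, ip in find_blocked_update_hosts(SAMPLE_HOSTS).items():
        print(f"update host {host} is pinned to {ip}")
```

Running it on a live system means reading the real hosts file (for example /etc/hosts) and substituting the vendor hosts your own security tooling contacts.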
6. Botnet malware code is often polymorphic; that is, it changes with every new infection. This means that signature-based antivirus software is useless against it. What's more, the Intel researchers have discovered the use of techniques such as code obfuscation, encryption and encoding that further hide the true nature of the code, making it hard for antivirus software to detect it.

7. Botnets can be reprogrammed, allowing their missions to change. One day the botnet can be sending out spam, and the next day it can be told to collect credit card information from the infected PCs.

8. It used to be that bots generated a lot of "noise," making it easier to spot a compromised PC on a network. These days, some bots transmit little traffic, helping them to fly under the radar of log management systems. What's more, botnet traffic can masquerade as legitimate network traffic, making it hard to detect.

9. Legitimate applications such as Web browsers or office productivity tools can be compromised as part of the botnet's malware infection. For instance, the Torpig botnet injects malevolent DLLs into browsers, popular applications, e-mail clients, instant messengers and system programs. After the injection, Torpig can peruse and steal any data that is handled by these applications, including logon IDs and passwords.

If you were under the impression that botnets are no big deal, it's time to realise that they are a big threat to legitimate businesses and organisations. Now all you have to do is find ways to detect botnet infestations on your network.
