Features

April 2008

Network Security

Bot-infected computers threaten network security

Botnets can capture sensitive information from millions of computers without being detected.

by Phillip Lin

The "business" of botnets is fueling a $67.2 billion cybercrime industry, according to FBI and GAO surveys. By understanding how botnets work and how criminals profit from them, IT and security professionals can gain insight into how to protect their networks against infiltration and abuse.

A botnet is a group of infected computers (bots) that are centrally controlled and used for cybercrime. Malware is designed to infect a computer and turn it into a bot. The malware may spread to PCs via self-propagating worms, via social engineering (tricking users into installing it), or through the Web, by exploiting browser or operating system vulnerabilities. The goal is to infect a large number of computers without attracting attention. The initial infection is only the first step.

Botnets are used in money-making schemes that result in fraud losses, intellectual property and identity theft, compliance violations and brand-damaging events. Experts estimate there are as many as 150 million bot-infected computers worldwide, and the computing resources of those machines are sold or rented to carry out cybercrime. Originally, botnets were used to send spam and launch distributed denial-of-service attacks. Today, however, botnets are the main weapon of organized criminals who have built an underground economy on the misuse of stolen computing power.

Bots "call home" to obtain further instructions and payloads. The infected computer downloads additional malware such as remote access Trojans, keyloggers, spam relay software and password crackers. Some bots even install Microsoft Windows patches to keep rival bot malware from infecting the PC. The computer still works normally as far as the user can tell, but it is now part of a botnet controlled by "bot herders."

Once computers are infected and have successfully called home, they can be operated as a botnet. Older botnets used Internet Relay Chat (IRC), a precursor of today's instant messaging systems, as their communication mechanism.

The traditional bot "command and control" infrastructure consists of one or more IRC servers that thousands of bots log into to receive further instructions. Bot herders log into the same server and type commands into the channel, where every connected bot reads and executes them. Newer botnets use peer-to-peer (P2P) technology (like that used in Skype) for added scalability and redundancy, and to better evade detection and shutdown, since there is no single server to find and take down.

A single botnet can consist of as few as a hundred infected machines or as many as millions of bots. Accurately measuring the size of a particular botnet is difficult, especially for newer P2P botnets like the "Storm Worm" botnet. The Storm botnet was estimated to be in the millions at its peak, but today the estimates range from tens of thousands to several hundred thousand bots.

One reason the estimates are so uncertain is that botnets are moving away from IRC. With an IRC botnet, security professionals could trace the botnet back to a few IRC servers and estimate its size by counting the bots that joined the command channel, or by collecting DNS requests for the servers' hostnames. With decentralized P2P command and control there is no such single vantage point. In addition, bots often remain dormant for long periods of time, so any count taken from observed activity is a significant undercount.

Understanding what botnets are used for and why they are becoming more difficult to track and count is critical. For example, bot herders rent out botnets to send spam e-mail. This use of botnets is popular because it has been effective at bypassing antispam technologies: the messages originate from thousands of ordinary PCs with no history of sending spam, so sender blacklists are of little use against them. Botnets are one of the key reasons spam has been surging despite the wide adoption of antispam products.

Botnets are rented out for much more than sending spam. They are also a valuable source of identity-related information: keylogging software on the millions of infected PCs around the world captures credit card numbers and online banking credentials, and bot herders simply sell the data for a quick profit.

[Illustration: A global view of a single botnet outbreak. Illustration provided by FireEye.]


How can IT professionals regain control of infected PCs and protect against infiltration? Enterprises can take a few steps toward botnet protection:

Begin the education process. Upper management and employees should be informed about the potentially catastrophic risk of a botnet infiltration. A single botnet incident may expose millions of customer identities. Infected PCs used in botnet attacks may also result in compliance violations and damage to brand reputation.

Deploy detection mechanisms to identify botnet infiltrations. Bot malware is designed to show virtually no signs of infection on the host itself. New anti-botnet products and services can detect the subtle signs of botnet communications and activities. Botnets are especially susceptible to detection at the network level, because every bot must eventually call home. The key is accurate and rapid identification of botnet communications and protocols before valuable enterprise data is compromised.

Implement best practices around network security and sensitive data. Tighten firewall policies by blocking IRC ports, and enforce strict data handling and storage procedures. Recognize, however, that botnets have evolved to communicate over port 80, so closing the botnet communication channel by port alone is often not possible; detection has to look at the protocol and behaviour of the traffic, not just the port. Post-infection botnet detection therefore remains a key element of anti-botnet security.
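The two network-level checks this recommendation and the earlier description of bot "call home" behaviour point at are illustrated below: recognizing IRC command traffic by its protocol content rather than its port, so a command channel moved to port 80 is still caught, and spotting the regular beaconing of a bot to its controller. This is an added example, not FireEye code or code from the article; the connection records are constructed for illustration, and the list of IRC commands, the minimum of four connections and the 10 percent jitter threshold are assumptions, not published detection rules.

```python
"""Network-level detection of bot call-home traffic (constructed data).

Two heuristics: (1) IRC protocol commands in the first bytes of a flow,
checked on every port so a command channel moved to port 80 is still
caught, and (2) regular "call home" beaconing, which shows up as
near-constant intervals between connections from one host to one server.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection records (not real captures):
# (timestamp, src, dst, dport, first bytes of the client payload).
SAMPLE_FLOWS = [
    ("2008-04-01T09:00:00", "10.1.1.5", "203.0.113.9", 80,
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("2008-04-01T09:00:07", "10.1.1.5", "203.0.113.9", 80,
     "GET /logo.png HTTP/1.1\r\nHost: www.example.com\r\n"),
    # Bot: IRC login and channel join carried over port 80 to slip past a
    # firewall that only blocks the IRC ports, then a check-in every 5 minutes.
    ("2008-04-01T09:00:15", "10.1.1.7", "198.51.100.4", 80,
     "NICK [USA|XP]7f3a91\r\nUSER xp 0 0 :xp\r\nJOIN #c2\r\n"),
    ("2008-04-01T09:05:15", "10.1.1.7", "198.51.100.4", 80, "PRIVMSG #c2 :.ping\r\n"),
    ("2008-04-01T09:10:15", "10.1.1.7", "198.51.100.4", 80, "PRIVMSG #c2 :.ping\r\n"),
    ("2008-04-01T09:15:16", "10.1.1.7", "198.51.100.4", 80, "PRIVMSG #c2 :.ping\r\n"),
    ("2008-04-01T09:20:14", "10.1.1.7", "198.51.100.4", 80, "PRIVMSG #c2 :.ping\r\n"),
    # Human IRC user on the standard port: a policy matter, not necessarily a bot.
    ("2008-04-01T09:03:00", "10.1.1.9", "192.0.2.22", 6667,
     "NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    ("2008-04-01T09:30:00", "10.1.1.9", "192.0.2.22", 6667,
     "NICK alice\r\nUSER alice 0 * :Alice\r\n"),
]

# Client-side IRC commands at the start of a line (RFC 1459 syntax). The
# command list is an assumption for this example, not a complete grammar.
IRC_CLIENT_CMD = re.compile(r"^(PASS|NICK|USER|JOIN|PRIVMSG|MODE) ", re.MULTILINE)
STANDARD_IRC_PORTS = {6667}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_irc(flows, standard_ports=STANDARD_IRC_PORTS):
    """Flag flows whose client payload carries IRC commands, on any port.

    IRC on a non-standard port (80 here) is rated "high": legitimate clients
    have no reason to hide there. IRC on 6667 is rated "policy": it is
    something the firewall rule in the text should already be blocking.
    """
    findings = []
    for ts, src, dst, dport, payload in flows:
        commands = IRC_CLIENT_CMD.findall(payload)
        if not commands:
            continue
        findings.append({
            "time": ts, "src": src, "dst": dst, "dport": dport,
            "commands": commands,
            "severity": "policy" if dport in standard_ports else "high",
        })
    return findings


def detect_beacons(flows, min_connections=4, max_jitter=0.10):
    """Find (src, dst, dport) pairs contacted at near-constant intervals.

    Returns {pair: period_seconds}. A pair is a beacon when it has at least
    min_connections connections and the standard deviation of the gaps
    between them is within max_jitter of the mean gap (assumed thresholds).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _payload in flows:
        by_pair[(src, dst, dport)].append(parse_time(ts))

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.stdev(gaps) / mean_gap <= max_jitter:
            beacons[pair] = round(mean_gap)
    return beacons


if __name__ == "__main__":
    for f in detect_irc(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}:{f['dport']} "
              f"IRC {', '.join(f['commands'])} at {f['time']}")
    for (src, dst, dport), period in detect_beacons(SAMPLE_FLOWS).items():
        print(f"[beacon] {src} -> {dst}:{dport} every ~{period}s")
```

Run against the constructed records, the protocol check flags the port-80 host 10.1.1.7 as high severity even though a port-based firewall rule would have let it through, while the beacon check independently reports the same host calling home roughly every 300 seconds; the human IRC session on 6667 appears only as a policy finding. On real traffic the thresholds need tuning, since legitimate software (update checks, mail polling) also beacons, which is why the two signals are better combined than used alone.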

Phillip Lin is director of marketing for FireEye, Menlo Park, Calif.
