Proven Income Opportunities Work At Home Business Blog

Wednesday, December 06, 2006

The Silent Epidemic of Botnets
By Jim Hedger (c) 2006

If, as author Philip K. Dick wondered, robots dream of
electronic sheep, their collectivist cyber-equivalents, botnets,
live for the fleece. Used to enable or commit several types of
fraud, including click fraud against PPC providers such as
Google, Yahoo and the host of smaller pay-per-click programs,
botnets are proliferating across the Internet at an alarming
rate. The only thing matching the increase in criminal use of
botnets is the increasing sophistication of their operators.

"The level of sophistication that we're seeing – and the speed
at which new fraudster techniques are introduced – is tremendous,"
says Keren Levy (http://www.rsasecurity.com/node.asp?id=3006),
director of the Online Threats Managed Services group at RSA
Security (http://rsasecurity.com/). In June of this year RSA
Security and Panda Software collaborated to detect and dismantle
one of hundreds of botnets operating online, one that was
specifically designed to commit click fraud.

"Botnets are a silent epidemic," states Ryan Sherstobitoff from
Panda Software (http://www.pandasoftware.com/) as he ducks behind
a row of trade-show booths to find a quieter place to speak. "The
botnet we recently helped dismantle with RSA had infected over
50,000 computers with the Clickbot.A Trojan. Imagine if each of
those 50,000 computers made the botnet controller one dollar each
day the system operated. If it takes us a few weeks to shut him
down, the operator makes millions."

The people who operated the network of bots that RSA and Panda
broke up remain at large and anonymous. They have not been
identified, and history suggests they will be back for more. The
people who hack at this level are light years beyond the
script-kiddies of yesteryear. According to Sherstobitoff, they
are organized, well paid, and very, very dangerous. So are the
people they work for.

"We've traced a number of operations centers back to Eastern
Europe, the former Yugoslavia, China, and even to North Korea,"
said Sherstobitoff. "There are multiple crime organizations
doing this, some of which sell Trojans to each other and to
outsiders."

When we spoke, Sherstobitoff was at an education and IT trade
show in Nashville, Tennessee. He has worked with Panda Software
for three challenging years. His business card says he is a
Product Technology Officer for Panda Software U.S.A. To be more
accurate, Sherstobitoff has become Panda's security evangelist.
His job has him traveling to trade shows, speaking at
conventions and meeting with IT workers across the country
preaching the mantra of tighter computer security. Knowing that
cyber-security experts have only seen the tip of the iceberg,
Sherstobitoff emphasizes the importance of personal and
corporate responsibility.

Botnets can be described as a cross between a computer virus and
the Borg. Where common viruses are designed to act
independently, botnets are literally networks of infected
computers that can be controlled by a master computer. Infection
comes in the form of malicious code or malware. This code can
get onto a system in a number of ways including email
attachments, music or video downloads, and through open ports
and flaky firewalls. Most who have it will never know they are
running it and that's just the way the fraudsters like it.

"Out of sight, out of mind" is the axiom that online fraudsters
rely on to take money out of the pockets of their victims.
According to the Panda Software website, over 20% of all home,
school or office computers in the U.S. are infected with
malicious code and, just to hammer the point home, most of them
will never know it. This means that one in five computers in the
U.S. might, at any time, turn into a higher-functioning zombie.
Though computers that become zombies appear to run normally,
someone else is using part of their processing power. That
someone is likely doing illegal things. A medium sized network
like the one broken up by RSA and Panda is 50,000 computers
strong. Each zombie has its own IP address and each can be used
to fully mimic human behaviours or to scan and record personal
information when ordered to by its operator.

It is amazing how easily malicious files can be acquired and how
much financial and social damage they can do. These types of
files come in all shapes and sizes. Some burrow into a
computer's registry as a worm, some are invited in as Trojans,
and some are attached to ID phishing attempts. One noted example
of an ID phishing email containing a Trojan is referred to as the
Barclays Bank letter
(http://www.isolani.co.uk/blog/spam/PhishingScamEmail).

Once inside a computer, malicious files can perform whatever
functions they are programmed to do. Some are even designed to
accomplish multiple tasks from recording ID and keystroke
information to using infected computers to mimic live visitors
in click fraud schemes.

The bust Panda and RSA made involved a botnet built around the
aptly named Clickbot.A, which was specifically designed to
commit click fraud. Clickbot.A is a Trojan file that registers
itself as a browser helper object
(http://www.pandasoftware.com/virus_info/glossary/#BHO) so that
whenever Internet Explorer is run the Trojan is automatically
activated. When active, Clickbot.A is used to obtain "...financial
profit from fraudulent clicks on advertisements sponsored by a
certain company, which in return does not get any visits to its
website."
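As an added, defender-side example (not code from the article, Panda Software or RSA), the PowerShell below inventories the Browser Helper Objects registered on a Windows host, resolves each CLSID to the DLL that Internet Explorer loads, and reports the DLL's Authenticode signature and vendor, which is how a BHO registered the way the article describes would surface. The registry paths are the standard BHO and CLSID locations; treating unsigned DLLs and DLLs in user-writable folders as the entries to triage first is my assumption, not a claim from the page.

```powershell
# Added example, not code from the article, Panda Software or RSA.
# Lists every Browser Helper Object registered on this host, resolves each CLSID
# to its DLL, and reports Authenticode status and vendor. Unsigned DLLs, or DLLs
# living in user-writable folders such as %TEMP% or %APPDATA%, are reviewed first.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit BHOs on a 64-bit Windows install are registered under Wow6432Node.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoServer([string]$Clsid) {
    # The CLSID's InprocServer32 default value names the DLL that hosts the object.
    foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $serverKey = "Registry::$root\$Clsid\InprocServer32"
        if (Test-Path $serverKey) {
            $dll = (Get-ItemProperty -Path $serverKey).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

function Get-BrowserHelperObject {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid   = $sub.PSChildName
            $dll     = Resolve-BhoServer $clsid
            $status  = 'NoServerDll'
            $company = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $status  = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
            } elseif ($dll) {
                $status = 'DllMissing'   # registered, but the file is gone or hidden from us
            }
            [PSCustomObject]@{
                CLSID     = $clsid
                DLL       = $dll
                Signature = $status
                Company   = $company
                HiveKey   = $key
            }
        }
    }
}
# Group by signature status; NotSigned, DllMissing and NoServerDll are the rows to triage.
Get-BrowserHelperObject | Sort-Object Signature | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and DLL files in protected folders are readable.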

According to a Panda Software press release
(http://www.pandasoftware.com/about_panda/press_room/Panda+Software+and+RSA+Security+dismantle+a+new+online+fraud.htm),
the Clickbot.A Trojan scam went down this way:

"- Fraudsters set up a number of Internet addresses and posted
a series of (genuine) syndicated search-engine advertisements.

- The bot network – comprised of more than 50,000 zombie machines
infected by Clickbot.A – was programmed to access these Internet
addresses and to register clicks on the syndicated
advertisements.

- The fraudsters received a slice of the 'pay per click'
advertising revenues even though the original advertisers did
not receive any visits to their sites."

The real victims of click fraud are PPC advertisers. Both the
perpetrators and the PPC advertising providers make money every
time an advertiser pays for a fraudulent click. If the
fraudsters have been paid out by one of the PPC engines, it is a
safe bet that engine has made money as well. Though the search
providers, most notably Google and Yahoo, already detect and
delete a wide array of invalid clicks, the rapid proliferation
of botnets is considered mute testimony to the success of the
underworld endeavor.

As efficient as they are at automating fraud, botnets require
human control and activation. There is always a central
controller. The controller is not necessarily the person
responsible for writing the malicious code. The controller might
not even be directly associated with the person or organization
profiting from the scheme. Controllers are often highly paid
mercenaries who happen to be very, very good hackers.

There are hundreds, perhaps thousands of controllers out there.
They are extremely difficult to catch, even though they leave
traces everywhere they go. With the ability to manipulate a
massive network of zombies, controllers can shift their command
centers from computer to computer, effectively masking the route
back to their own locations. When their networks are eventually
detected and parts of the network dismantled, they can turn
everything off and vanish into the ether of cyberspace. The
controller truly is the ghost in the machine. Even if a
controller happens to get caught, chances are that person has no
idea who has paid them for their talents.

Running a botnet operation requires a number of unique skill
sets. Fake businesses with bank accounts need to be established
to accept payments. When paid out, click fraud revenues need to
be laundered before the fraudsters can safely enjoy their
ill-gotten gains. Friendly bankers, more fake businesses and
allied accountants are required in order to facilitate the fraud
and keep difficult questions to a minimum. As none of the
players mentioned above are proficient enough hackers to build a
better botnet, someone needs to write the malicious code or know
someone who they can obtain a copy from. This isn't a world
where the script-kiddies play. This is the world of slash and
burn organized crime.

The criminals know what they are doing and time is truly on
their side. Sherstobitoff described the tension of living in
what is becoming a full-time Zero Day posture. "Zero Day" (or
hour, or minute) is the term used for the moment a botnet or
other cyber-security threat is first detected. Once detected,
that threat needs to be dissected in order to learn how to
destroy it. Any one of those threats might have been active for
days, weeks or months before being detected.

Cyber-security experts play Tom to the hackers' Jerry. In this
game of cat and mouse, the security cats are always a bit behind
the eight ball, and the hackers know and love it. When a new
virus is discovered, the malicious code writers make sure the
security experts find a few thousand variants, just to keep them
busy figuring out which variant is the real threat. Finding and
figuring out a fix might take hours or it might take a few days.
Once the actual threat is determined and a patch prepared for
distribution through Norton, McAfee or other anti-virus software,
it can take between 8 and 16 hours to update computers around the
world. Zero Day for Variant A is often the birthday of variants
B, C, D, E, F, and Z. Every day can be a Zero Day, and some must
feel like Groundhog Day.

Cyber-security experts are not really concerned about idle
threats. They have far too many real ones to deal with. Nor are
the threats posed by botnets limited to the finances of personal
or business computer users.

On December 1, the US Attorney's office indicted a 26-year old
Romanian hacker named Victor Faur on charges he hacked into over
150 NASA and US Navy computers. According to the US Government,
Faur leads a group of elite hackers known as the "WhiteHat
Team". While Faur is said to have only used his exploit to open
chat rooms for other WhiteHat members in order to prove he had
cracked the most robust systems in the world, his
accomplishments could earn him up to 54 years in an even more
secure setting, a US federal prison.

On the same day Faur's indictment was being read in a Los
Angeles courtroom, the Department of Homeland Security issued a
warning regarding a possible Internet attack on US banking and
investment interests including the New York Stock Exchange and
Nasdaq markets. Though the advisory was issued, in the words of
DHS spokesman Russ Knocke, "as a routine matter and out of an
abundance of caution," it speaks to very real and persistent
fears that such an attack is possible.

In May 2006, a botnet was used to bring down approximately
10 million TypePad blogs and LiveJournal communities in an
overwhelming distributed denial of service (DDoS) attack on Six
Apart. Six Apart client BlueSecurity.com was the actual target
of the attack, but the power of tens of thousands of zombie
computers sending repeated requests to its servers crashed Six
Apart's entire network. (Source: Wired Magazine issue 14.11,
http://www.wired.com/wired/archive/14.11/botnet.html)

It is remarkably difficult to catch the controller. The fake
businesses and the bank accounts attached to them can come and
go as quickly as necessary. In the blink of a few short months,
a criminal organization can make a few million dollars.
According to Panda's Sherstobitoff, very few of the operators
behind detected and dismantled botnets are actually caught, in
the real-world sense of the word: a discouraging 2 – 5%.

The sky is not falling but it is getting more expensive to keep
it suspended every passing day. Home computer users, education
networks and corporate IT departments might be under constant
attack but there are ways to deter, detect and disrupt the
hackers.

Using standard anti-virus products is important; however, they do
not cover the full spectrum of threats. Most anti-virus software
is also limited by the Zero Day problem and is therefore only as
effective as its most recent update. Products like ZoneAlarm
(http://www.zonelabs.com/) and AdAware
(http://www.lavasoftusa.com/) are good additions to home and
business computers, but Sherstobitoff strongly recommends that
the tightest security come at the server and ISP level.
Sherstobitoff suggests that ISPs and companies running web
servers use anti-hacking software based on Host Based Intrusion
Detection systems
(http://www.google.com/search?hl=en&q=Host+Based+Initial+Detection&btnG=Google+Search)
that perform deep packet inspection at the kernel level, looking
for traits common to zombifying Trojans.

With a 20% infection rate in the U.S. and similar rates around
the world, the only real certainty for cyber-security experts is
that there is a 1/5 chance the computer in front of you is being
used to assist thieves. That is a sad fact of life online. While
researching one of the few botnet cases that has been
prosecuted, that of Jeanson James Ancheta, I came across this
LinuxForums botnet discussion from late January 2006
(http://www.linuxforums.org/forum/coffee-lounge/54066-botnets-how-many-jeanson-james-anchetas-exist.html).
If you're not quite disturbed enough by this point, follow that
link.
=============================================
Search marketing expert Jim Hedger is one of the most prolific
writers in the search sector with articles appearing in numerous
search related websites and newsletters, including SiteProNews,
Search Engine Journal, ISEDB.com, and Search Engine Guide.

He is currently Executive Editor for the Jayde Online news sources
SEO-News (http://www.seo-news.com) and SiteProNews
(http://www.sitepronews.com). You can also find additional tips
and news on webmaster and SEO topics by Jim at the SiteProNews
blog (http://blog.sitepronews.com/).
============================================

-----------------------------------------------------------------
Posted by Jeff Houdyschell (http://www.eSmartJob.com)