
General Information
October 5, 2007
Vol. 29, Issue 40, page 27 in print issue
Botnets & The SME
What Every SME Should Know About The Threat
Botnets are the workhorses of cyber crime. These parasites lie dormant on compromised computers awaiting commands to reproduce themselves, send get-rich-quick spam to the gullible, and launch DDoS (distributed denial-of-service) attacks. Individual compromised computers are called bots, and all bots that are under the same control are called a botnet. The size of botnets is a matter of guesswork by researchers, but some believe they range in size from a few thousand to millions of compromised computers.
How Big Is Big?
Some researchers believe the new high-water mark of 10 million bots in a single botnet may have been reached this summer by those behind the Storm Worm virus. University of Auckland computer science professor Peter Gutmann claims that if this is true, that botnet has more computing power than the world's top 10 supercomputers. "I think that's one of the scariest aspects of this—to have such a vast amount of computing power at the disposal of unknown persons, and we don't even know what they plan to do with it," Gutmann says. Researchers at Symantec (www.symantec.com) believe that a botnet of 10 million nodes could happen, but the company hasn't seen anything that big yet. "There are large numbers of nodes involved in bots today, but only very few have moved past the 1 million mark," says Dave Cole, director of Symantec Security Response.
Who & How Much
Andre DiMino, director of The Shadowserver Foundation (www.shadowserver.org), analyzes and reports botnet activity. "Initially starting as a script-kiddie activity, botnets are now primarily run and managed by organized crime and sophisticated networks of criminal enterprises," he says. Bot herders are equal opportunity employers, claims Trend Micro (us.trendmicro.com) network architect Paul Ferguson. "For the most part, the perpetrators of these crimes don't really care whose computers get enlisted in their endeavors," he says. According to Cole, worldwide arrests during the past 24 months have shown the apprehended bot herders to be mainly young men in their late teens or 20s with moderate technical skills. Those arrested came from the United States, the Netherlands, China, the UK, and Vietnam. DiMino says there is significant money in the use, sale, and rental of botnets: "Typically it's been about $1 to $3 per drone for the rental of a decent-sized net for a single event." Dave Marcus of McAfee Avert Labs (www.mcafee.com) says about 80% of all spam now comes from botnets. "Many botmasters have also used their bots to install spyware and adware as a way to generate revenue," he states. "Identity theft, spam runs, phishing runs, etc. all have their connections with botnets." Gadi Evron of Beyond Security (www.beyondsecurity.com) estimates criminals can garner $30,000 a day by offenses such as click fraud, or hundreds of millions a year through phishing schemes and credit card fraud. Cole places the lone bot herder's income at up to tens of thousands of dollars.
Defense In Depth
Marcus and Cole agree that SMEs also don't always have the IT staff to notice botnet activity on their networks, so there is a greater potential for the bots to become firmly established. Cole also recommends that organizations notify their ISPs of any potentially malicious activity. For their part, ISPs should perform both ingress and egress filtering to block known bot traffic, Cole notes. ISPs should also filter out potentially malicious email attachments, he adds. Ferguson advises that SMEs should have a defense-in-depth strategy throughout their networks. "Stay on top of OS and application vulnerabilities and patch, patch, patch," Ferguson says. He suggests that Windows (www.microsoft.com) users set their OSes to automatically update. Ferguson recommends using Secunia Software Inspector (secunia.com) to find third-party software that may be at risk of being exploited. "We have seen variants of malware morph itself at a rate that makes it difficult for antivirus signatures to keep up," DiMino says. "In many cases, detection and defense must be used together." He adds that outbound network traffic should conform to a firewall egress plan, and that intrusion detection systems (IDS) should be used throughout the network. DiMino and Cole agree that end users should be trained not to open unexpected attachments. Defense-in-depth with savvy security management practices can deny bot herders access to company computers. Only then can IT shops prevent further botnet expansion.
by Bill Hayes, CISSP
Who's Winning The Botnet Wars?
Gadi Evron of Beyond Security (www.beyondsecurity.com) is a long-time botnet warrior who actively works to train others to recognize and combat botnets. "The people who lead this fight are private individuals across industries . . . volunteers who care and do," he says. For the past three years, Evron has organized annual invitation-only ISOTF (Internet Security Operations and Intelligence Task Force) training sessions. "The ISOTF enables information sharing, global coordination, and face-to-face meetings to get things going where we haven't been able to get traction before," Evron says. When asked who is winning the battle, Evron says that for now the bad guys have the upper hand. "We need to start fighting back but cannot do so without becoming criminals ourselves," he notes. Law enforcement has come a long way in the past 10 years and mostly means well, he says. "They have good people working on these issues, but they are grossly understaffed and generally incapable of doing much, especially when it comes to international cases," he notes. Dave Marcus of McAfee Avert Labs (www.mcafee.com) is a bit more upbeat. The good guys may have lost the battle for the moment, he says, "but I'm confident that we will win the war. . . . Every time we detect a bot or take down a botnet, we make headway." Here in the United States, police agencies have begun to respond to the threat. In June, the FBI announced the results of Operation Bot Roast, which culminated with arrests of three U.S. citizens suspected of operating botnets. The FBI identified more than 1 million computers compromised by botnet malware. It is now working with US-CERT (United States Computer Emergency Readiness Team) to notify the compromised PC owners.