PC AUTHORITY [05/02/13]
Luke Millanta on what they are and steps you should take to combat them.
If you’ve worked in the IT industry, or are a member of one of the plethora of internet tech forums, there’s no doubt you have heard the term “botnet”. In its simplest form, a botnet is a series of computer terminals that have been infiltrated by a third party, and which are now under the control of that intruder. The infected terminals are commonly referred to as “slaves” or “zombies”, while the botnet controller is often called the “herder”, “master”, or “operator”.
In this article I explain how botnets arise and the way that a herder can make use of them. I also consider how botnets are increasing in complexity, and canvass some of the steps that law enforcement agencies are taking in a bid to stop botnets from spreading.
Botnet operators recruit slave terminals using a range of techniques. These include identifying and exploiting web browser vulnerabilities, sending malicious file attachments via email (spam email), and by posting infected files across a range of file sharing websites.
Figure 1 illustrates the structuring of a
simple botnet.
How Botnets Are Used
Although botnets can be used to achieve a number of objectives, a herder’s principal aim often boils down to be either a desire to make money, or to cause disruption to a target. Obviously, a botnet that is being used to deliberately disrupt one or more targets runs a higher risk of being detected, and in consequence, has a shorter life expectancy than a botnet which is being used more covertly.
Figure 1 illustrates the structuring of a
simple botnet.
How Botnets Are Used
Although botnets can be used to achieve a number of objectives, a herder’s principal aim often boils down to be either a desire to make money, or to cause disruption to a target. Obviously, a botnet that is being used to deliberately disrupt one or more targets runs a higher risk of being detected, and in consequence, has a shorter life expectancy than a botnet which is being used more covertly.
The most common type of botnet attack is the distributed denial of service (DDOS) attack. In a DDOS attack the herder instructs slave terminals to flood the target website with an inordinate number of requests. If the number of requests results in an overloading of the website, the target will be unable to service legitimate requests until the attack has finished. An example of a DDOS attack would be the February 2010 attack by the hacker group Anonymous, which resulted in several Australian government websites being taken offline for several hours.
While taking down a website is “cool”, a smart operator uses a botnet to make money, sometimes lots of it. When it comes to making money herders can do just about anything because they have essentially created their own little world where they rule supreme. One means of earning money is through “click fraud”. In click fraud, a herder directs the slaves to navigate to webpages owned by the herder and then click on advertising material displayed on the webpage. Every time an advertisement is clicked the advertiser pays a fee to the publisher, thereby generating revenue for the herder.
Botnet “stings” also include sending spam emails which directs a recipient to a website promoting some scam or which contain scareware advising of a fictitious virus infection and offering services to remove the infection once a fee has been paid. Another use is in distributing spyware, which is then used to steal sensitive user information such as credit card numbers and PayPal account passwords. Although the number of illicit uses of botnets is limitless, they are all directed at one thing – ensuring that the botnet operator makes some serious money.
Mobile Botnets
I have been a member of a number of major network security forums for years now and I regularly see threads asking about the existence of botnets involving mobile phones. Do they exist? I can tell you that they do, and they are becoming more prevalent.
I have been a member of a number of major network security forums for years now and I regularly see threads asking about the existence of botnets involving mobile phones. Do they exist? I can tell you that they do, and they are becoming more prevalent.
Since the 2007 release of the iPhone, network security firms have discovered a number of botnets with smart phone-based slaves. Mobile botnets are a worrying development as many smart phones do not come packaged with an anti-virus application. In fact, there is chatter suggesting that Apple has actively sought to prevent Kaspersky from developing such a product. Absence of anti-virus software means that once a botnet is established, there is every chance that it will spread from phone to phone until it is discovered and shutdown by a law enforcement agency or network security firm. One example of a botnet operating with mobile devices is the Zeus Botnet (also known as ZBot). In early 2012 Kaspersky Labs discovered that several updated versions of Zeus were being used to infect several BlackBerry and Android phones. Once infected the botnet operator could use these infected phones to steal user bank account details, send spam, steal Facebook and email account information, send text messages and perform various other activities.
In a world increasingly driven by smart phones it is not surprising that botnets and Remote Access Tools (RATs) are being developed for these devices. I believe that over the next couple of years, we will see a dramatic rise in mobile phone-based malware simply due to the inertia of many smart phone manufacturers.
The war against botnets
In the war against botnets, there are several approaches that law enforcement agencies and network security firms currently employ. Once the existence of a botnet is identified, one common approach used by law enforcement agencies and network security firms to disrupt its operation is to obtain control of the botnet’s command and control servers. Once control of the servers has been achieved, the botnet operator can be effectively locked out and the botnet dismantled. This approach has been successfully employed on several occasions. However there have also been instances of the herder regaining control of the botnet and then seeking to exact vengeance against those that attempted to stop their often lucrative operation. A prime example of this occurred in 2009 when the Mariposa Working Group (MWG) gained control of the Mariposa Botnet’s command and control server and attempted to lock out the herder. Everything was going to plan until the botnet operators regained control and struck back – big time. The botnet operators launched a broad DDOS attack which included an attack on the Canadian network security company, Defence Intelligence. The attack not only disrupted Defence Intelligence but also disrupted other users who were attempting to connect to the internet through the same Internet Service Provider.
In the war against botnets, there are several approaches that law enforcement agencies and network security firms currently employ. Once the existence of a botnet is identified, one common approach used by law enforcement agencies and network security firms to disrupt its operation is to obtain control of the botnet’s command and control servers. Once control of the servers has been achieved, the botnet operator can be effectively locked out and the botnet dismantled. This approach has been successfully employed on several occasions. However there have also been instances of the herder regaining control of the botnet and then seeking to exact vengeance against those that attempted to stop their often lucrative operation. A prime example of this occurred in 2009 when the Mariposa Working Group (MWG) gained control of the Mariposa Botnet’s command and control server and attempted to lock out the herder. Everything was going to plan until the botnet operators regained control and struck back – big time. The botnet operators launched a broad DDOS attack which included an attack on the Canadian network security company, Defence Intelligence. The attack not only disrupted Defence Intelligence but also disrupted other users who were attempting to connect to the internet through the same Internet Service Provider.
Another way that law enforcement agencies or a Domain Name Service hosting company can disrupt a botnet is to null route it. Null routing can be used where a botnet is using a free DNS host service to direct a sub-domain to an IRC server. If this service is removed a crippling blow is dealt to the botnet.
Stopping a botnet
There are several actions that you can take to lessen the chances of your home desktop terminal or laptop becoming a botnet slave. Although more advanced approaches than the ones considered below are available, their cost and sophistication generally restricts them to the corporate environment and renders them inappropriate to the domestic setting. Strategies that can be employed with minimum effort and cost include:
There are several actions that you can take to lessen the chances of your home desktop terminal or laptop becoming a botnet slave. Although more advanced approaches than the ones considered below are available, their cost and sophistication generally restricts them to the corporate environment and renders them inappropriate to the domestic setting. Strategies that can be employed with minimum effort and cost include:
1. Anti-Virus: You should already have an anti-virus installed. If you don’t, you should really think about turning your computer off and sitting in the naughty corner. Anti-virus software is an essential part of owning a computer because it provides an important line of defence against the nastier side of the internet. Forthright manufacturers of anti-virus products will readily admit that their product will not stop all infections. However, their products will stop the majority of threats. Installing an anti-virus, and most importantly, keeping it up to date is a critical step in preventing a botnet infection.
2. Trusted Downloads: Only download files from trusted sources. So many of my friends have seen their computers infected simply as the result of downloading a malicious file from a dodgy website. If you feel compelled to download a file, make sure that you scan it with your anti-virus software before opening it. This simple step should avoid the majority of infections.
3. Spam: Never open attachments, or follow links, in unsolicited emails. Spam emails are well known for containing malicious links that result in computer terminals being turned into botnet slaves. Stay away from emails offering such attractive services as free Viagra, charity penis extensions, or free workout guides. They aren’t legitimate; if they were, they wouldn’t be free.
4. Firewall: Ensure that your firewall is always active. A firewall places a protective barrier between you and the internet. There is no good reason for turning off your firewall, even for a minute. Turning it off, and then connecting to the net, greatly increases your chances of a malware infection.
5. Software Updates: Ensure that all software is up to date. Most major software applications have a built-in option that permits automatic installation updates. Selecting this option is recommended as it allows updates to be installed as soon as they become available and it removes the need for the user to initiate their installation.
Taking these simple steps should reduce significantly the risk of your desktop terminal, laptop, or mobile device becoming enmeshed in a botnet. Constant vigilance is necessary because while law enforcement agencies regularly do battle with the perpetrators of this insidious creature of cyberspace, the unfortunate truth is that for every botnet that is successfully removed, there is another waiting to take its place.
No comments:
Post a Comment