InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity May 2010
Cover Story
Next Generation Botnets:
Lethal Weapon for Hackers

Botnets have been identified as the most prevalent and dangerous threats lurking on the Internet because of their devastating nature and an infection strength greater than that of any other malware. This article delves deeper into their nature and looks for effective methods to mitigate this challenge.

As the Internet has turned the global network into a local one, it has also invited global intruders onto local premises. These intruders have used several tricks and methods to penetrate the local digital fence, but botnets have possibly been their most powerful weapon of attack. Incidents in the recent past and current reports strongly confirm the devastating nature of this lethal weapon. Early this year, a relatively new infestation dubbed Kneber, a variant of the ZeuS botnet, affected 75,000 systems in 2,500 organizations worldwide. An investigation conducted early this year by NetWitness revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals, including complete dumps of entire identities from victim machines.

Stay Away From Botnets

Botnets are so insidious because they take one of the most promising trends in technology, the exponential increase in computer performance and connectivity, and turn it into a danger. Botnets are created when malware is implanted on a compromised computer (often referred to as a “bot”) and then networks or links multiple compromised computers together. The botnet can then be remotely controlled by an attacker to launch distributed denial of service (DDoS) attacks, steal sensitive information, log keystrokes, spread new malware, or disseminate spam e-mails. A single attacker can control a large number of compromised computers in a botnet, and botnet sizes range from thousands to over a million computers.

Back in 2007, Vint Cerf told the World Economic Forum that up to 25% of all Internet-connected computers may, in fact, be bots. Verifying any statistic that measures bot populations is difficult (you’ll hear everything from <1% to >35%). The consensus seems to be, however, that botnets are thriving as more people go online. Famous botnets, like Conficker, Kraken, and Srizbi, used software viruses and worms to infect millions of computers in the last few years. The Shadowserver Foundation, a volunteer watchdog group, is currently monitoring over 3,000 unique botnets, averaging 125,000 computers per botnet. Even a small botnet has the capability of transmitting several gigabits per second of junk data, enough to take most large companies offline and disrupt the operations of critical infrastructure providers by interfering with communications, data flows and other services dependent upon the Internet. Due to their size, strength, and malicious capabilities, botnets present one of the most serious online threats to critical infrastructures.

What does a bot herder gain from creating these botnets? Money certainly, either through using their network for spam or ID theft, or by renting out the network to others for their own nefarious purposes. Many botnet creators and users have ties to the Russian mafia, who take advantage of the systems to run credit card theft rings, to propagate fraud through spam, and to extort companies with threats of denial of service attacks. Often, those operating the largest botnets aren’t their creators; they’ve simply purchased the network and grown it. It’s scary to think that such potentially devastating power is for sale.

Bot herders can also become potent political and even military weapons. During the 2008 Russia-Georgia conflict, cyber warfare reared its ugly head. Many Georgian political and national sites were shut down or subverted by attacks originating in Russia. Google and China have been in conflict since earlier this year after the company experienced a sophisticated cyber attack aimed at stealing trade secrets. While botnets may or may not have been important parts of these attacks, bot herders have impressive expertise in hacking that may make them desirable recruits for governments interested in committing cyber warfare. Those recruits could play an increasingly important role as the military becomes roboticized. Advanced drones and automated turrets are no good if they can be hijacked.

NPR had a great interview with Joseph Menn, author of Fatal System Error, and Barrett Lyon, cyber security specialist, that discussed bot herders becoming national resources (21:37) as well as many of the other problems with botnets and cyber attacks in general.

Of course, there are many looking to fight cyber crime. US President Obama announced the creation of a ‘cyber czar’ to head defense efforts, though the appointment process took time and had its setbacks. The US Department of Justice has a Cyber Crime division also handling intellectual property rights. India offers life in prison as a punishment for some cyber crimes. Europe has had a cyber crime treaty since 2001. Australia is working towards tightening its cyber defenses. Even China and Russia have made some motions to curb the growth of botnets in their homelands.

Yet an increase in botnets seems almost assured because of our computing habits. Pirated operating system software leaves many users unable to install patches and other fixes for known vulnerabilities. Even when they have access to these updates, many users may fail to install them. People click on e-mail attachments from senders they don’t know. Someone will send a link in Facebook, or in the comments section of a blog, that transports the clicker to a site that automatically downloads malware. We don’t spend the time to educate ourselves in how to keep our computers safe from becoming zombies.

So what’s the solution to the botnet problem? Greater minds than mine have spent years trying to find one. Users could take more personal responsibility (more careful internet browsing, keeping security software up to date, etc) but most are simply too apathetic to the problem. Operating systems (I’m looking at you Windows) could rebuild their platforms from the ground up to better close their vulnerabilities. Of course, there’s very little financial incentive for that, so it’s unlikely to happen. Governments could regulate software more and require standards that reduce the spread of botnet infection. That could damage private innovation, and may be very hard to implement.

The only real solution that seems to be left is the silver bullet: the innovative leap forward in software that could kill the botnet scourge. What form will that silver bullet take? No one can say for sure, but it may be software that uses narrow artificial intelligence to greatly enhance our security. AI could create security programs that learn and adapt, protecting your computer from attacks no one has seen before without the need for patches and updates. It’s just one possibility, but there’s no doubt that some solution will be needed. And soon. New botnets are forming every day and they could threaten e-commerce, or even geopolitical stability.

Feeling the Heat

Botnets take a huge toll on businesses and individuals alike. Botnets were responsible for some 88 percent of spam emails in 2009, according to a MessageLabs report, with more than 23 percent of all global spam originating from a single botnet known as “Grum.” Bots were also behind a sizable portion of the 11 million identity thefts in 2009, at a global business cost of more than $220 billion. Less than two weeks ago, security vendors discovered that the Kneber bot had infected at least 75,000 computers at 2,500 companies and government agencies worldwide, collecting login credentials for financial services websites.

The problem is getting worse as online criminal gangs use increasingly sophisticated methods to shield their botnets from detection and disruption. Many botnets update themselves frequently to avoid detection by security software. Others hide malware sites by continually switching compromised proxy hosts. Some recent botnets can even detect attempts to study them online, and then react by directing denial-of-service attacks at the observer.

One big challenge is bot detection. Detecting bot infections with high accuracy (that is, without falsely identifying infections) is not a simple task, and the detection strategy will likely need to evolve over time. Another challenge lies in potential user confusion when they receive service notices as they go about their normal browsing. Some users may quickly close the notices and go on their way.

Box Item

Demystifying Botnets

Botnets are armies of computers that criminals have infected with malicious software so they can control them remotely to steal information, launch denial-of-service attacks, spread malware and host illegal content. Botnets are one of the most serious threats to Internet security today. They have compromised untold millions of computers, and even DSL routers, worldwide. The Conficker worm alone has drawn up to 15 million consumer, business and government computers into a massive botnet in a little over two years.

Botnet armies are built on the computers of regular Internet users who have no idea that their PCs have been compromised and are being used for malicious purposes. In fact, botnets depend on users’ ignorance in order to stay operational. At the same time, the spam, phishing, and denial-of-service attacks that botnets perpetrate may have little or no impact on the compromised users or their ISPs, while wreaking havoc on faraway users connected to entirely different networks.

A different class of botnet currently targets the enterprise; some call it the mini-botnet. Compared to the well-known monster botnets, the mini-botnet is quiet, meticulous, and better hidden. It is designed to harvest insider information and intellectual property for months and years, and research suggests that botnet-infected PCs remain so for years.

Mini-botnets employ black market malware kits that enable them to launch intelligent, multi-stage attacks on computers. These kits automate the production of never-before-seen malware attack code (i.e., zero-day attacks/exploits), which means no signature exists for typical anti-virus/spyware software to detect them. Targeted e-mail attacks, or spear phishing attacks, include either virus/worm/Trojan-tainted attachments or a hyperlink to a compromised web server, hundreds of thousands of which are legitimate sites.

When a PC gets hit, temporary malware launches and assesses the computer, determines the best options for infestation, downloads the necessary code, and loads it into the PC. This staged process is even used to conduct privilege escalation attacks, so that computers running with limited user accounts (i.e., no local admin rights) can still be infested with rootkit-based malware. Third-generation rootkits are effectively invisible to commonly available detection techniques.

Once one or a few computers in an enterprise are part of a botnet, the operators quietly explore network shares, application/database servers, network topology, available communication protocols, and other client computers, and they collect credentials so they can dig deep into information resources as needed. They infect other computers when they seek to access additional information.

On the other hand, they may infect end-user documents and/or multimedia that are likely to be sent to another enterprise. For the other enterprise, they may create a separate botnet, meaning a separate command and control system. This way, if one mini-botnet is discovered, the other may continue unabated.

If all this seems unsettling, and it should, consider the steps following the harvesting of information. Someone has to read through it to determine what is valuable and who would buy it. These are significant challenges. Consider the distinction between insider information and intellectual property from the botnet operator’s perspective, for example. Intellectual property materials not only require analysis but also require a buyer, whereas insider information can yield considerable gains (e.g., stock market trades) without finding a trustworthy buyer. The collection of enterprise information creates demand for a new black market industry of analysts and brokers. This suggests that the enterprise might prioritize its anti-data-leak efforts toward the information that is most readily identifiable as valuable and exploitable.

The Internet is in the midst of a global network pandemic, with millions of computers on the Internet compromised in some fashion. It is estimated that the number of recent malware infections on the Internet is over 7 million, and over 70 percent of all e-mail messages are spam. It is also believed that 85 percent of spam comes from just six botnets. It was recently reported that there is an average of ten million active botnet members on any given day, and that botnets are winning the spam war.

These types of high-profile security threats receive significant publicity. However, another threat, a silent one, centers around low-bandwidth consumption, compared to legitimate traffic on a network. A large number of compromised machines, if directed by a malicious botnet, can take down key Internet infrastructure.

The compromised machines can also be used for other harmful activities that could cause a severe financial impact (phishing, for example). According to a recent survey, 3.6 million adults have lost money in phishing schemes, resulting in an estimated loss of $3.2 billion. Phishing is only one part of the problem. Attacks have already caused issues for countries such as Estonia and infrastructure such as the Domain Name System (DNS).

To help mitigate this threat, one of the many tools used is a darknet. According to Team Cymru's Darknet Project, a darknet is "a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks." In short, there should be no reason for any traffic to enter this space.

Actually, there is one server in a darknet which collects entering packets. This data can be used for immediate action or stored for further analysis. The levels of nefarious traffic from this silent threat are low compared to legitimate traffic, so many network operators may choose to ignore the traffic or they may not even realize the silent threat hiding in their legitimate traffic.

Most users and operators know a problem exists, but few are in a position to see how big the problem is. Solutions are simple: the right tools, dedicated staff and cooperation. Implementation is the most difficult part. Networks large and small must work together to mitigate this threat.

Stopping the Unwanted

If a machine receives a denial-of-service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware.

Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a sub-domain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these sub-domains. The botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address.

The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one were to find one server with one botnet channel, often all other servers, as well as the bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decide on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that the discovery of one channel will not lead to disruption of the botnet.

Several security companies such as Symantec, Trend Micro and other security solution vendors have announced offerings to stop botnets. While some, like Norton AntiBot, are aimed at consumers, most are aimed at protecting enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above: shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.

Newer botnets are almost entirely P2P, with command-and-control embedded into the botnet itself; by being dynamically updatable and variable, they avoid having any single point of failure. Commanders can be identified solely through secure keys, and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key hard-coded into or distributed with the bot software. Only with the private key, which only the commander has, can the data that the bot has captured be read.

Creating a Low Cost Budget Solution

Tools exist to monitor traffic at relatively low costs. A darknet, or any other similar monitoring device, allows networks to find potential compromised machines by watching their IP space. Some monitoring devices can be deployed at a relatively low cost using existing hardware or using data from existing intrusion detection systems. Let's look at some solutions:

Use scripts and NetFlow data

Using some scripts and NetFlow data, you can monitor your network for activities such as denial of service (DoS) attacks. IP addresses participating in a DoS attack can be investigated a bit further. By combining data from a DoS attack or a darknet and other sources (such as greylisting or spam traps), you can potentially find a botnet member.

Once suspicious hosts are located, you can check to see if these hosts are communicating with a common host, which could be a command-and-control (C&C) server. Taking down a C&C server can disrupt a botnet, even if only for a short while. If the compromised host's owner can be contacted, there may be a chance that a list of bots can be obtained and further notifications can be sent out.
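The darknet monitoring described under "Demystifying Botnets" and the script-and-NetFlow approach above both reduce to the same flow-record triage, shown here as an added example (not code from the article, Team Cymru or any vendor). It assumes flow records exported as CSV in the order src_ip,dst_ip,dst_port,proto,packets,bytes; the darknet prefix, the internal prefix, the thresholds and the sample flows are all constructed. Internal hosts that send anything into the darknet, and hosts that each push a large packet count at one target, become suspects; the external host and port that the suspects have in common is the C&C candidate, with the DoS victim itself excluded.

```python
"""Flow-record triage for botnet hunting (added example, not from the article).

Assumed record layout (constructed, not from the page):
src_ip,dst_ip,dst_port,proto,packets,bytes
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed: routed-but-unused block (the darknet) and the internal range.
DARKNET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flows using documentation/private addresses only.
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,proto,packets,bytes
10.1.1.5,192.0.2.17,445,6,3,180
10.1.1.5,192.0.2.18,445,6,3,180
10.1.1.5,192.0.2.19,445,6,3,180
10.1.1.9,198.51.100.7,80,6,9000,540000
10.1.2.4,198.51.100.7,80,6,8500,510000
10.1.3.3,198.51.100.7,80,6,9200,552000
10.1.1.9,203.0.113.99,6667,6,12,900
10.1.2.4,203.0.113.99,6667,6,10,760
10.1.3.3,203.0.113.99,6667,6,11,800
10.1.1.5,203.0.113.99,6667,6,8,600
10.1.4.4,198.51.100.7,80,6,40,30000
10.1.4.4,203.0.113.10,443,6,60,48000
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": ipaddress.ip_address(r["src_ip"]),
            "dst": ipaddress.ip_address(r["dst_ip"]),
            "dport": int(r["dst_port"]),
            "proto": int(r["proto"]),
            "packets": int(r["packets"]),
            "bytes": int(r["bytes"]),
        })
    return rows


def darknet_talkers(flows, darknet=DARKNET):
    """Count flows from internal hosts into the darknet; legitimate traffic has none."""
    hits = Counter()
    for f in flows:
        if f["dst"] in darknet and f["src"] in INTERNAL:
            hits[str(f["src"])] += 1
    return hits


def dos_participants(flows, min_packets=5000, min_sources=3):
    """Map each target hit by >= min_sources heavy senders to the set of those senders."""
    by_target = defaultdict(set)
    for f in flows:
        if f["packets"] >= min_packets:
            by_target[str(f["dst"])].add(str(f["src"]))
    return {t: s for t, s in by_target.items() if len(s) >= min_sources}


def common_contacts(flows, suspects, min_share=3):
    """External (host, port) pairs contacted by >= min_share suspects."""
    contacts = defaultdict(set)
    for f in flows:
        if str(f["src"]) in suspects and f["dst"] not in INTERNAL:
            contacts[(str(f["dst"]), f["dport"])].add(str(f["src"]))
    return {k: v for k, v in contacts.items() if len(v) >= min_share}


def triage(text):
    """Combine darknet and DoS evidence, then look for the shared C&C endpoint."""
    flows = parse_flows(text)
    suspects = set(darknet_talkers(flows))
    dos = dos_participants(flows)
    for sources in dos.values():
        suspects |= sources
    # The DoS victim is contacted by every participant, so exclude it here.
    candidates = {k: v for k, v in common_contacts(flows, suspects).items()
                  if k[0] not in dos}
    return {"suspects": suspects, "dos_targets": dos, "cc_candidates": candidates}


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    print("suspects:", sorted(result["suspects"]))
    print("DoS targets:", {t: sorted(s) for t, s in result["dos_targets"].items()})
    for (host, port), members in result["cc_candidates"].items():
        print("C&C candidate %s:%d shared by %s" % (host, port, sorted(members)))
```

On the sample data the single internal scanner of the darknet and the three heavy senders all share one external endpoint on port 6667, the classic IRC C&C pattern the article describes; on real exports the thresholds need tuning against the network's normal traffic, and a shared endpoint should be confirmed (for example against the greylisting or spam-trap sources mentioned above) before anyone acts on it.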

Use existing data and equipment

Clever use of existing data and equipment is one way to keep costs down, while helping to secure your network. Providers based in the United States may have already purchased equipment for CALEA compliance. The Communications Assistance for Law Enforcement Act (CALEA) is a United States statute that covers lawful intercepts on digital transmissions, including data and voice over IP (VOIP).

Many companies sell surveillance platforms. These devices are capable of doing deep packet inspection, stealth packet filtering, transparent redirection, as well as a host of other services. A network operator could leverage the pattern-matching capabilities of these machines in their hunt for compromised hosts on their network. Even if CALEA is not a concern, these devices could be useful to a network operator who wants to monitor their network for harmful activities.

Block port 25 and use a walled garden

Most Internet providers block port 25 from their dynamic IP space and, in some cases, from their static IP space. This is great in helping to stop the flow of spam and other nefarious activity using e-mail, but it does not stop infected machines from launching attacks, nor does it fix the underlying problem of a compromised host.

There is now a trend to move toward a walled garden approach, which allows providers to restrict the activity of a user until their machine is clean. This also allows for another method of communicating the issue to the user. While users may ignore e-mail notifications sent to them, with a walled garden, those users can be notified via a redirect to a Web site on their browser, and access to the Internet can be severely restricted or cut off completely.

There are those who argue that providers should call these infected customers but, depending on the size of the provider and the number of infections, that may not be practical. Providers should also be willing to suspend infected user accounts if the problem persists. A walled garden does not have to be limited to an ISP. Networks of any size could benefit from this approach.

Hunt for compromised machines

The hunt for compromised machines is not limited to network providers. Anyone hooked up to the Internet can watch their traffic and report their findings. Instead of ignoring warnings from an intrusion detection system, automated reports could be sent out. Tools exist to locate the source network.

A good example of such a tool is Team Cymru's IP to ASN Mapping project. Other tools such as the abuse.net whois or DNS-based lookup services can be used to find out the correct reporting address. Most intrusion detection systems have some sort of reporting process and hopefully include enough automation so that it does not become like a second job. Automation means people might be willing to spend a little bit of time reporting intrusions.

These are only a few suggested solutions to this problem. The cost of tools for monitoring this threat can be very low if budget is a concern. If you take stock of what is already on your network, chances are you may already have the tools needed. It just takes a little bit of time and effort to use them to your advantage.

Be Watchful

Distributed computing may be the next paradigm in increasing digital processing power. We’ve already seen how a network of computers running programs in the background can actually be a tool that helps find cures for diseases and save the world. To enjoy that powerful benefit of internet connectivity, we must be prepared to face its darker alternative: botnets. Computer zombies are a dangerous threat to our tech and information based society but, as with real zombies, security lies in being prepared.

—By: 'InfoSecurity' Bureau.



© 2006-07 'InfoSecurity' magazine. All rights reserved.