September 24, 2004

When Bot Nets Attack

Is your computer part of a bot army, infiltrating systems and spreading spam?

By Eric Hellweg

Here's a new stat for the data-ravenous tech industry: $100 per hour. No, its not the new wage programmers charge for their services. Rather, it's the average going rate for your computers resources, sold without your knowledge in shadowy underground markets, according to Vincent Weafer, senior director of Symantecs security response team.

Weafer is speaking of  bot networks, ad-hoc clusters of several thousands computers that, unbeknownst to the user, are being deployed toward some nefarious end. Bot nets originate when a user unwittingly downloads a Trojan horse program containing malicious code. Sometimes the code gets onto a users computer when the user clicks on an e-mail attachment. Other times it's embedded in a virus, and other times it's masked as a different program and downloaded through peer-to-peer networks or IRC channels. According to a semi-annual report released by Symantec this week, these bot nets are growing at an incredible rate. Last year, Symantec saw about 2,000 machines per day recruited into these bot armies. In its new report, that figure had grown to 30,000. An unprotected machine will typically be attacked within 20 minutes of being put on the Internet, according to Weafer. "The fastest we've seen was a machine taken over six seconds after it was connected to the Web," he says.

The code typically lies fallow until its perpetrator calls it and its thousands of brethren to action. The perpetrator sends out code that any infected computer (also known as a zombie) connected to the Internet will understand; the zombie PC awakens, awaiting its next command. Bot nets have been used to conduct distributed denial-of-service (DDoS) attacks on high-profile websites, to serve up spam advertising, or whatever the issuer decides he or she wants to do with the computing power of thousands of machines. The SCO Group, a controversial Utah-based company that has angered much of the computing community with its lawsuits against companies running Linux, found itself attacked last year and then again earlier this year. In February, the FBI broke up a bot net ring in which the CEO of a small Ohio-based Internet service provider called CIT/Foonet had allegedly paid hackers to conduct bot network-based attacks on his business rivals. The attacks cost his rivals $2 million and the CEO is now a fugitive. Just within the last week and a half, Authorize.net, a credit-card processing company, fell victim to a coordinated attack that angered the firm's customers and did untold financial damage.

Bot networks are the biggest problem on the Internet right now, says Johannes Ullrich, chief technology officer for the SANS Institute's Internet Storm Center, a leading watchdog organization that monitors Internet security threats. One of the reasons these bot nets rile network administrators so greatly, says Ullrich, is that the bot writers craft their code in such a way that its very difficult for anti-virus software to detect it.