When Bot Nets Attack
Is your computer part of a bot army, infiltrating systems and spreading spam?
Here’s a new stat for the data-ravenous tech industry: $100 per hour. No, its not the new wage programmers charge for their services. Rather, it’s the average going rate for your computers resources, sold without your knowledge in shadowy underground markets, according to Vincent Weafer, senior director of Symantecs security response team.
Weafer is speaking of bot networks, ad-hoc clusters of several thousands computers that, unbeknownst to the user, are being deployed toward some nefarious end. Bot nets originate when a user unwittingly downloads a Trojan horse program containing malicious code. Sometimes the code gets onto a users computer when the user clicks on an e-mail attachment. Other times it’s embedded in a virus, and other times it’s masked as a different program and downloaded through peer-to-peer networks or IRC channels. According to a semi-annual report released by Symantec this week, these bot nets are growing at an incredible rate. Last year, Symantec saw about 2,000 machines per day recruited into these bot armies. In its new report, that figure had grown to 30,000. An unprotected machine will typically be attacked within 20 minutes of being put on the Internet, according to Weafer. “The fastest we’ve seen was a machine taken over six seconds after it was connected to the Web,” he says.
The code typically lies fallow until its perpetrator calls it and its thousands of brethren to action. The perpetrator sends out code that any infected computer (also known as a zombie) connected to the Internet will understand; the zombie PC awakens, awaiting its next command. Bot nets have been used to conduct distributed denial-of-service (DDoS) attacks on high-profile websites, to serve up spam advertising, or whatever the issuer decides he or she wants to do with the computing power of thousands of machines. The SCO Group, a controversial Utah-based company that has angered much of the computing community with its lawsuits against companies running Linux, found itself attacked last year and then again earlier this year. In February, the FBI broke up a bot net ring in which the CEO of a small Ohio-based Internet service provider called CIT/Foonet had allegedly paid hackers to conduct bot network-based attacks on his business rivals. The attacks cost his rivals $2 million and the CEO is now a fugitive. Just within the last week and a half, Authorize.net, a credit-card processing company, fell victim to a coordinated attack that angered the firm’s customers and did untold financial damage.
Bot networks are the biggest problem on the Internet right now, says Johannes Ullrich, chief technology officer for the SANS Institute’s Internet Storm Center, a leading watchdog organization that monitors Internet security threats. One of the reasons these bot nets rile network administrators so greatly, says Ullrich, is that the bot writers craft their code in such a way that its very difficult for anti-virus software to detect it.
Tom Goltz, a network administrator for a small company in Londonderry, NH, has firsthand experience dealing with bot nets. ”A year ago, we were seeing 800 to 1,000 attack attempts per day on our network,” he says. Now its up to between 12,000 and 15,000 attacks.
The rapid growth of broadband into homes and small businesses has exacerbated the problem. With pokey dial-up connections, it’s easy to tell when your computer is going out onto the Internet without your telling it to do so: the speed drop is noticeable. With zippier broadband hookups, however, the speed drop is often imperceptible. What’s more, home and small business users are less likely to take the proper steps (setting up firewalls, using anti-virus software) to stop the bot nets than larger enterprise users, in part because home users are not aware of the problem and in part because corporations have far more to lose if attacked and make greater efforts to protect their computers.
The potential danger of these computer armies has scrambled some of the nations top security agencies to monitor the threat, with various bodies and coalitions forming to figure out the best way to handle the problem and protect critical infrastructure. The FBI has stepped up its efforts to fight the problem, and Republican leaders in Congress just introduced legislation that would move the office of cybersecurity, which, among other things, is concerned with the bot problem, from the Department of Homeland Security into the White House, signaling an increased effort to fight cybersecurity threats such as bot networks.
Individual ISPs have also taken up the fight. Erich Hablutzel, the supervisor of the abuse team at Earthlink, says that bot net attacks are on the rise and that his team works with customers to rid their machines of the malicious code and to educate them on how to prevent such infestations in the future. Earthlink has also partnered with Cox Communications, MSN, United Online, and others in the Global Infrastructure Alliance for Internet Safety (GIAIS), a Microsoft-led group aimed at reducing the number of such attacks. Hablutzel also cites efforts underway to create technological standards to make the Internet’s infrastructure less susceptible to these kinds of attacks.
Of course, a problem that in one year skyrockets from 2,000 users per day to 30,000 is one that demands immediate attention, especially when the profit motive (by serving spam or renting out resources) is introduced, further fueling the ambitions of these robot army commanders. “Over the last 12 months we’ve seen attention given to the problem,” says Weafer. “What else can we do? Its hard because in many cases you’re reaching out to people who aren’t aware their systems are unprotected.”