The Industry Responds

At the TechEd 2006 conference in Boston, Microsoft confirmed that “well-organized mobsters have established control [of] a global billion-dollar crime network using keystroke loggers, IRC bots, and rootkits,” according to “Microsoft: Trojans, Bots Are ‘Significant and Tangible Threat,’” an article by Ryan Naraine in the June 12, 2006, edition of eWEEK.com. Microsoft is basing this conclusion on data collected by its Malicious Software Removal Tool (MSRT). The article says that MSRT has removed 16 million instances of malicious code on 5.7 million unique Windows systems. Sixty-two percent of these systems were found to have a Trojan or bot client.

The Alliance Against IP Theft, an organization in the U.K., published a document titled “Proving the Connection—Links between Intellectual Property Theft and Organised Crime” (www.allianceagainstiptheft.co.uk) that supports Microsoft’s claim.

On August 10, a group of information security professionals, vendors, and law enforcement gathered at Cisco Headquarters in San Jose. With little notice, the “Internet Security Operations and Intelligence Workshop” attracted around 200 attendees. Led by the enigmatic Gadi Evron (security evangelist for Beyond Security and chief editor of the security portal SecuriTeam), speaker after speaker painted a bleak and complex picture. Many lamented the increasing ineffectiveness of the prevailing strategy, which focused on identifying and taking out C&C servers. This is the “kill the head of the snake” approach. Bots have begun to evolve beyond this weakness now. Some now have multiple C&C servers, and, like a Hydra, if you cut off one C&C server, two more pop up. Some use protocols that lend themselves to a more decentralized organization. Some are using “Fast Flux” DNS technology (see Chapter 3) to play an electronic version of the shell game with the C&C server. There was much wailing and gnashing of teeth by the security and network professionals. However, amidst the lamentations, some very interesting and innovative ideas were presented.

These ideas involve different methods of detecting botnets, aggregating this information, and sharing it for the benefit of all. Some ideas were so tempting that participants began trying out aspects of the idea during the presentation. When all was said and done, 200 minds knew what only a handful knew before. Further, a “call to action” had been issued. Come out of our shell, share what we know, organize our responses.

Summary

Botnet technology is the next killer Web application. It is a tremendous force multiplier for organized crime. The money from organized crime has created a fertile technology incubator for the darkside hacker. The problem they have created is huge, global in scope. Their primary victims targeted to become clients are the innocents, the elderly, the young, and the non-computer literate. Many of the botherder schemes also target this defenseless group. The appetite for power doesn’t stop there. In the DDoS attack, bots have grown big enough to be a threat to major corporations and even nations.

Bot technology has evolved from simple agents that played games with users to mercenary robotic armies without morals, ready to carry out designer crimes on demand. From “Hunt the Wumpus” we now have botnets that collect information about customers of a specific bank, then target those customers with special botclients that contain features designed to defeat or bypass that bank’s security. Today’s bots are easy to customize, modular, adaptive, targetable, and stealthy. They are moving to a more decentralized approach and diversifying their C&C techniques.

Law enforcement has begun to catch and arrest some botnet developers and operators. The Microsoft bounty fund has proven useful in improving law enforcement opportunities to find the bad guys. Unfortunately, the court system is in serious need of change. Investigations take months for crimes that are over in seconds. Cases drag out for years, so much so that the affected businesses cannot afford to support prosecution efforts. The penalties being given are rarely more than a slap on the wrist, if anything at all is done. In many cases the arrested individual trades information for little or no punishment. The public reporting of light sentences and fines sends the message that crime does indeed pay and that you will likely never have to pay the piper.

In May of 2006, news articles were trumpeting the success of efforts by security and network professionals in taking down C&C servers around the world. By August, the headlines had changed to claims that we’ve already lost the botnet war. The hacker community responded to the security strategy of taking down C&C servers by reducing their dependence on a single C&C server. They’ve shifted their approach by creating multiple C&C servers and by employing “fast flux” DNS. By changing their architecture, they decimated the effectiveness of our best weapon. Many of us had been touting the slogan “cut off the head of the snake.” The network and security professionals had been moving toward a large-scale implementation of that strategy in May. In hindsight, the war wasn’t lost, although it was a significant battle. This war will never be won or lost. The war between good and evil, like the road, goes ever on.

Instead of declaring surrender, a call to action has been issued. Network and security professionals gathered in August of 2006, with follow-on meetings planned throughout 2007. In these meetings, a clearer view of the problem is emerging. Innovations are being shared and improved upon. For the new threat, new strategies and tools are being forged. The remainder of this book will bring you up to speed to join the battle.