Erik Larkin, special to PC World
Tue Aug 23, 3:00 AM ET
Part 2 of a special five-part series.
As a teenager running his own online chat server in the 1990s, Barrett Lyon had no idea that the attacks routinely pounding his server would evolve into an Internet scourge that earned serious profit for online criminals.
Lyon says that he enjoyed using Internet Relay Chat, or IRC, as a place for people to share ideas and get instant answers to questions. But online, as in the real world, bringing a bunch of teenage male egos together inevitably resulted in battles, and Lyon was forced to become a de facto security expert in order to fend off frequent attempts to shut his server down.
It was "basically one big massive testosterone ego fight," Lyon says, from "kids that wanted to prove themselves." The teens of the late 1990s wrote and deployed software that became known as "bots," short for "robots"–programs created to attack each other and to hit servers such as Lyon’s.
How Bot Networks Work
In a general sense, a bot is a program that acts semiautonomously in response to commands sent by humans. Bots aren’t necessarily evil or illegal. For instance, the GoogleBot scours the Web for the purpose of improving that search engine.
But harmful bots, when installed on the PCs of unsuspecting users, connect to IRC, or to a Web site, or even to a peer-to-peer network and await commands from their controllers. When the commands arrive, the bots execute them on their unwitting hosts–which might include your personal computer–enabling malicious hackers to gain complete control over those machines; the infected PCs are then called "zombies."
When a bot has spread to a huge number of computers, the resulting botnet provides a ready source of computing power and Internet access that the bot’s owner can abuse at will.
What was once a weapon for attention-hungry teens in chat rooms has mutated into a digital tool that Internet criminals now use to steal millions of dollars across the globe.
For instance, a July 2005 study by antivirus vendor McAfee reported that the number of systems infected with malicious software that allows a PC to be used for unauthorized purposes jumped by 303 percent during the second quarter of 2005 from the previous quarter.
The primary purpose of these infiltrations is to make money, says Larry Johnson, special agent in charge of the Criminal Investigative Division of the U.S. Secret Service. And in some respects, the operations function just like a legitimate business. For instance, malicious entrepreneurs appear to be charging $2000 to $3000 for temporary use of armies of 20,000 zombie PCs, according to a June posting on SpecialHam.com, an electronic forum for hackers.
Organized criminals are emerging as a new and increasingly effective source of sophisticated attacks with botnets, according to Vincent Gullotto, vice president of McAfee’s Anti-virus and Vulnerability Emergency Response Team. "There’s a whole new ballgame that’s being played," he adds.
Gullotto says that his team recorded nearly 13,000 cases of attempted bot hijackings in the second quarter of 2005, up from about 3000 during the first quarter of 2005. In fact, turning ordinary PCs into zombies has become so common that CipherTrust–a company that provides e-mail security and guards against spam–posts an hourly update on global zombie activity.
[Figure: A graphical representation of what a distributed denial of service attack looks like.]
Meanwhile, Barrett Lyon has taken the skills he honed in the 1990s to the world of security. In 2004 he founded Prolexic, a company dedicated to protecting clients from botnet-launched distributed denial of service (DDoS) attacks, which miscreants launch in an effort to overwhelm a Web site with a flood of meaningless data. During a DDoS attack, each bot-infected computer sends as much data as it can to the target site. Multiply that by the thousands of zombie PCs in a given botnet, and the target Web site must dedicate all its resources to dealing with the DDoS flood; as a result, the site can’t do anything else–such as respond to real users who are trying to reach it.
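The flood described above has a simple statistical signature on the target side: many distinct sources, each sending far more requests per second than a human visitor would, all in the same short window. The following is an added example, not code from the article or from Prolexic, that runs a per-window request counter over a constructed access log (20 made-up zombie addresses plus two ordinary visitors) and reports which sources exceed a per-source limit and whether enough sources offend at once to call the window a distributed flood. Thresholds and addresses are assumptions for the demonstration.

```python
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed sample traffic (not real data): 20 zombies each sending
    30 requests inside a 10-second window, plus two ordinary visitors.
    Returns (timestamp, client_ip) tuples sorted by time."""
    events = []
    for z in range(20):
        ip = f"10.{z}.0.1"                      # made-up zombie address
        for n in range(30):
            events.append((1000 + n // 3, ip))  # roughly 3 requests/second
    # Two legitimate visitors using RFC 5737 documentation addresses
    events += [(1001, "192.0.2.10"), (1004, "192.0.2.10"), (1007, "192.0.2.10"),
               (1002, "198.51.100.7"), (1009, "198.51.100.7")]
    return sorted(events)


def analyze_windows(events, window=10, per_source_limit=10, min_offenders=5):
    """Bucket requests into fixed windows of `window` seconds, list the sources
    that exceed `per_source_limit` in each window, and flag a window as a
    distributed flood when at least `min_offenders` sources do so at once.
    A single noisy client trips the per-source limit; only many clients
    tripping it together looks like a botnet-driven DDoS."""
    buckets = defaultdict(Counter)
    for ts, ip in events:
        buckets[(ts // window) * window][ip] += 1
    report = {}
    for start, counter in sorted(buckets.items()):
        offenders = sorted(ip for ip, n in counter.items() if n > per_source_limit)
        report[start] = {
            "total_requests": sum(counter.values()),
            "offenders": offenders,
            "distributed_flood": len(offenders) >= min_offenders,
        }
    return report


def sources_to_throttle(report):
    """Union of offending sources across all flagged windows: the list a
    rate limiter or upstream filter would act on."""
    blocked = set()
    for info in report.values():
        if info["distributed_flood"]:
            blocked.update(info["offenders"])
    return sorted(blocked)


if __name__ == "__main__":
    rep = analyze_windows(build_sample_log())
    for start, info in rep.items():
        print(start, info["total_requests"], len(info["offenders"]), info["distributed_flood"])
    print(sources_to_throttle(rep))
```

The distinction between "one source over the limit" and "many sources over the limit at once" is what separates a misbehaving client from a distributed attack; the per-source limit alone would also throttle a busy proxy, so the two conditions are reported separately.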
Financially motivated criminals use DDoS attacks as part of extortion schemes that may demand as much as $50,000 from a business. Some particularly unscrupulous companies use them to attack competitors. But botnets have many other uses.
Botnets’ Other Skills
Botnets began to emerge as money-making tools when spammers discovered that they could use them to send e-mail messages that would evade blacklists and other antispam measures, according to analysts.
ID theft is another favorite activity of botnet wranglers. They use teams of zombie PCs to send out spam in the hope of capturing information through "phishing" schemes. One common variant of phishing is when scam artists design Web sites to look like real banking or e-commerce sites. The crooks then send out spam messages asking the recipients to enter their account or credit card number at the bogus site. If anyone does, the crooks can take control of that account.
Bot software is versatile because it opens a "back door" on its host that lets the controller gain covert control over the PC. Botnets can perform a multitude of tasks because they can update themselves with new features and install other software–including viruses, adware, and spyware–on the computers they rule, says Alfred Huger, senior director of engineering at Symantec.
Bots’ capacity for self-updating shows all the hallmarks of professional software, Huger says. Certain varieties of bots look "as if someone who has some formal software training is putting them together," he says.
How They’re Controlled
One common characteristic of botnets is that they can be controlled from a central location. Reflecting their historical roots, most bots connect to an IRC chat channel to receive their commands.
But some sinister varieties now use other means of control, including peer-to-peer networks like EDonkey or Gnutella, to send control messages. "Those are the scary ones," Lyon says, because they’re much harder to trace and shut down.
Creating a botnet is like "casting a net out wide," Huger says. A would-be controller essentially releases the bot (or a precursor Trojan horse that installs the bot) onto the Internet to see how many computers it infects.
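Whether a bot takes its orders over IRC or over a peer-to-peer overlay, the "await commands from a controller" behaviour described in the How Bot Networks Work section and the "connect to an IRC channel" behaviour described here share one observable trait on the network: the infected host reconnects to the same remote endpoint at a near-constant interval. The following is an added example, not code from the article or from any of the companies it quotes, that parses a constructed outbound-connection log, groups connections by (source, destination, port) and flags flows whose inter-connection gaps are almost uniform. The log format, the host names, the IRC port list and the jitter threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not real traffic):
# "<epoch seconds> <source ip> -> <destination host>:<destination port>"
SAMPLE_CONNECTIONS = """\
1000 10.0.0.5 -> irc.c2-host.invalid:6667
1000 10.0.0.7 -> www.example.com:80
1060 10.0.0.5 -> irc.c2-host.invalid:6667
1120 10.0.0.5 -> irc.c2-host.invalid:6667
1131 10.0.0.7 -> mail.example.com:443
1180 10.0.0.5 -> irc.c2-host.invalid:6667
1240 10.0.0.5 -> irc.c2-host.invalid:6667
1300 10.0.0.5 -> irc.c2-host.invalid:6667
1302 10.0.0.7 -> www.example.com:80
1900 10.0.0.7 -> cdn.example.com:443
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+)$")

# Ports conventionally used by IRC servers; a bot talking to a controller on
# one of these is worth a closer look even when the interval is irregular.
IRC_PORTS = {6667, 6668, 6669, 7000}


def parse_connections(text):
    """Turn the log text into (timestamp, src, dst, port) tuples, skipping
    lines that do not match the expected format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            records.append((int(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_connections=5, max_jitter=0.2):
    """Return (src, dst, port, mean_interval, on_irc_port) for every flow that
    reconnects at least `min_connections` times with a coefficient of
    variation of the gaps at or below `max_jitter`. Human-driven traffic is
    bursty; a polling bot is metronomic."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:           # duplicate timestamps carry no timing signal
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((src, dst, port, avg, port in IRC_PORTS))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_connections(SAMPLE_CONNECTIONS)):
        src, dst, port, interval, irc = hit
        print(f"{src} -> {dst}:{port} every {interval:.0f}s (IRC port: {irc})")
```

Peer-to-peer controlled bots defeat the IRC port heuristic but not the timing one, which is why the interval check is the primary signal here and the port is only an annotation. Real detectors also have to cope with deliberate randomised sleep between check-ins, which is what the jitter tolerance is for.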
On the other hand, some criminals prefer to choose a particular target and use a tailored approach, without botnets. In one attack that spanned March and April 2005, cybercrooks tricked individual companies’ and organizations’ domain name servers–which guide all Internet traffic–into sending all of their Internet traffic to a server controlled by the attackers.
Ken Dunham, director of malicious code at IDefense, a Virginia-based Internet security company, estimates that 3000 DNS servers at a range of companies, including at least two with more than 8000 employees each, got hit.
Anyone inside one of the affected companies or organizations who tried to go to any Web page ended up instead at the attacker’s site, where stealth scripts surreptitiously installed about 80MB worth of adware and spyware onto any computer using an older version of Microsoft’s Internet Explorer browser.
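The hijack described in the three paragraphs above has a distinctive fingerprint from the victim's side: domains that normally resolve to many unrelated addresses suddenly all resolve to one. The following is an added example, not code from the article or from IDefense, of a resolver integrity check that compares a snapshot of answers against known-good addresses and distinguishes a single legitimate change from many names collapsing onto one new address. The domain names, the addresses (RFC 5737 documentation ranges) and the collapse threshold are constructed for the demonstration; in practice the snapshot would come from querying the organisation's own resolver.

```python
from collections import defaultdict

# Constructed known-good mapping (not real measurements).
EXPECTED = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.25",
    "intranet.example.org": "198.51.100.8",
    "news.example.net": "198.51.100.40",
    "shop.example.net": "198.51.100.41",
}

# Three constructed resolver snapshots: healthy, a single legitimate address
# change, and a hijacked resolver steering every name to one attacker host.
HEALTHY_ANSWERS = dict(EXPECTED)
CHANGED_ANSWERS = {**EXPECTED, "shop.example.net": "198.51.100.45"}
HIJACKED_ANSWERS = {name: "203.0.113.66" for name in EXPECTED}


def check_resolver(answers, expected=EXPECTED, collapse_threshold=3):
    """Compare resolver answers with the expected addresses.

    Returns a dict with:
      mismatches   - name -> (expected, observed) for every differing answer
      collapsed_to - observed address -> names, for addresses that at least
                     `collapse_threshold` mismatched names now share
      verdict      - "ok", "changed" (isolated differences) or "hijacked"
    Unrelated names legitimately sharing an address (a CDN, a shared host)
    do not count: only names that ALSO differ from expectation are grouped."""
    mismatches = {
        name: (expected[name], observed)
        for name, observed in answers.items()
        if name in expected and observed != expected[name]
    }
    by_address = defaultdict(list)
    for name, (_, observed) in mismatches.items():
        by_address[observed].append(name)
    collapsed = {
        addr: sorted(names)
        for addr, names in by_address.items()
        if len(names) >= collapse_threshold
    }
    if collapsed:
        verdict = "hijacked"
    elif mismatches:
        verdict = "changed"
    else:
        verdict = "ok"
    return {"mismatches": mismatches, "collapsed_to": collapsed, "verdict": verdict}


if __name__ == "__main__":
    for label, snapshot in [("healthy", HEALTHY_ANSWERS),
                            ("changed", CHANGED_ANSWERS),
                            ("hijacked", HIJACKED_ANSWERS)]:
        print(label, "->", check_resolver(snapshot)["verdict"])
```

The "changed" verdict exists so that an ordinary IP move on one site does not page anyone; the alarm condition is specifically several unrelated names converging on an address none of them had before.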
Because so much malware was installed, its presence was immediately obvious to the hapless users, slowing their systems to a crawl and peppering their screens with pop-up ads. As a result, IT response was fast, and the companies quickly cleaned their employees’ PCs. But some analysts have theorized that the attackers designed the huge payload simply to create a diversion while a separate piece of malware not yet caught by antivirus and antispyware programs installed itself.
According to this theory, the remaining piece of stealth software may have been programmed to steal information in a corporate espionage scheme, a growing threat to businesses across the globe.
On June 16, the British government released a report titled "Targeted Trojan Email Attacks" that warned of directed attacks against government offices and businesses in the United Kingdom. According to the report, the attacks might infiltrate specific targets with spyware meant for "covert gathering and transmitting of commercially or economically valuable information" such as usernames, passwords, and sensitive documents.
American companies are at risk from this type of spyware as well. "It happens all the time," Symantec’s Huger says. Unscrupulous companies seek a business advantage, and crooked individuals look for information they can sell.
If there’s money to be made, malware-based spying will continue, Huger says. "It’s very simple–it’s the unfortunate truth."
Files Held for Ransom
Money was definitely at the heart of a novel attack that infected victims’ computers with a virus that searched for and then encrypted various text files. Once the encryption was complete, the virus deleted itself and left a ransom note, demanding that $200 be sent to an account with E-Gold, a PayPal-like Internet currency service whose payments are backed by gold deposits.
Dan Hubbard, senior director of security and technology research at Websense, investigated this attack after one of his company’s clients was targeted. Hubbard says that only one business reported being hit; and Joe Stewart, an Internet security analyst he knows at LURHQ, a provider of managed security services, wrote a program to decrypt the relatively simple encryption used.
But "coming up with a better encryption scheme is a very simple thing to do," Hubbard says. So another, nastier attack could be on the way.
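The reason a "relatively simple" scheme could be undone by one analyst is that a cipher without a proper key schedule leaks its key as soon as any plaintext is known, and encrypted documents almost always begin with a predictable header. The following is an added example, not the malware's actual scheme and not Joe Stewart's or LURHQ's tool: a constructed repeating-key XOR stands in for the weak cipher, and `recover_key` shows the known-plaintext recovery a responder would perform, including the case where the known header is too short to pin down the key. The key, plaintext and header are constructed for the demonstration.

```python
from typing import Optional

# Toy cipher standing in for a weak scheme (constructed; NOT the real malware's).
def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes,
                max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext recovery for repeating-key XOR.

    XORing the known plaintext prefix against the ciphertext yields the key
    stream for that prefix. The key is the shortest period of that stream.
    A period is accepted only if the prefix covers it at least twice, so a
    header shorter than two key lengths returns None instead of a guess."""
    if len(known_prefix) > len(ciphertext):
        return None
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for k in range(1, min(max_key_len, len(stream)) + 1):
        if 2 * k > len(stream):
            break
        if all(stream[i] == stream[i % k] for i in range(len(stream))):
            return stream[:k]
    return None


# Constructed sample: an XML document whose declaration line is predictable.
KEY = b"s3cr3tK"
PLAINTEXT = b'<?xml version="1.0"?>\n<note>meeting moved to noon</note>\n'
KNOWN_PREFIX = b'<?xml version="1.0"'
CIPHERTEXT = xor_with_key(PLAINTEXT, KEY)


def recover_document(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Full recovery path: derive the key from the header, then decrypt.
    Returns None when the key cannot be determined with confidence."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        return None
    return xor_with_key(ciphertext, key)


if __name__ == "__main__":
    print("recovered key:", recover_key(CIPHERTEXT, KNOWN_PREFIX))
    print(recover_document(CIPHERTEXT, KNOWN_PREFIX).decode())
```

The two-period requirement is the caveat worth remembering: with only five known bytes and a seven-byte key the stream is consistent with many keys, and a responder who takes the first guess will "decrypt" the rest of the file into garbage. A scheme using a proper stream cipher or a per-file random key would not be recoverable this way, which is the "better encryption scheme" Hubbard warns is easy to build.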
Considering how much money is at stake to motivate criminals, expert after expert expects botnets and other malware attacks to continue to expand.
"This whole cybercrime wave is growing in numbers and sophistication," Hubbard says. "We’re seeing technology evolve in ways we never have [before]."