
Beware The Bots

By Thomas Claburn
Oct 9, 2006

Thousands of government computers may be under the control of 
cybercriminals. Software bots--malicious code that turns PCs and servers 
into remotely controlled "zombies"--have dug into the computers of 
federal and state agencies, security experts say. Once infected, those 
computers can be used to distribute spam, launch denial-of-service 
attacks, and even direct sensitive information into the wrong hands.

Security vendor Trend Micro, which has been studying the phenomenon and 
is pushing a service to detect bots, reports finding bot infestations in 
government computers. Its list of bot-bitten organizations includes the 
Department of Defense, Argonne National Laboratory, Alabama 
Supercomputer Network, Arkansas Department of Information Systems, Iowa 
Communications Network, and Connecticut's Department of IT. The 
Pittsburgh Supercomputing Center and Navy Network Information Center may 
end up on the list, too; Trend Micro last week said data pointing to 
bots in those two organizations was inconclusive.

Trend Micro planned to disclose its findings last week--ostensibly in 
the interest of public awareness. But as InformationWeek followed up 
with organizations cited by the vendor, some of its conclusions were 
called into question, owing in part to the complexity of tracking these 
zombie computers. One national laboratory, for example, was initially 
identified as having compromised machines, but the lab disputed those 
findings, and subsequent analysis by Trend Micro revealed that the spam 
in question doesn't appear to come from its machines. Trend Micro has 
since postponed its announcement and is double-checking the 60 terabytes 
of data it used to do its analysis.

Trend Micro attempts to identify compromised machines by analyzing spam 
samples received from customers of its filtering service. It's tricky 
work, because bot creators employ techniques to cover their tracks. "You 
have no idea how complex this is," says Dave Rand, Trend Micro's CTO. 
After initially claiming that "tens of thousands" of government 
computers had bots within them, Rand last week revised that tally to 

That doesn't mean bots aren't a problem--they most certainly are for 
government agencies and businesses alike. Trend Micro estimates there 
are 70 million subverted computers worldwide and that 8 million to 9 
million are used to send spam in a given month. Bots can remain dormant 
for weeks or months at a time. In general, about 60% of zombies are used 
to send spam and 40% for more destructive reasons, including phishing, 
pharming, click fraud, distributing adware or malware, denial-of-service 
attacks, data theft, and temporarily storing illegal, malicious, or 
stolen files.

While most everyone agrees that the attacks are getting larger, more 
frequent, and more sophisticated, not everyone sees evidence that bots 
are a growing problem on government computers. Network security 
specialist Prolexic says there's been an increase in the size of 
distributed denial-of-service attacks, from 3.5 Gbps last year to more 
than 10 Gbps in 2006, yet a data sample from the company's clients 
doesn't show evidence of those attacks originating from government 
Internet addresses. That finding is based on about 40 distributed DoS 
attacks monitored by Prolexic in the first seven months of 2006.

After being contacted by InformationWeek, Prolexic operations VP Matt 
Wilson did a quick search of the company's computer logs for evidence of 
bot attacks originating from government computers. "I didn't see 
anything that would have indicated mass bot infections within any 
government agencies or networks," he says. "That's not to say that they 
don't exist, simply that they aren't being used to attack our customer 

It's small comfort, however, because if government systems are being 
hijacked, it could be for more devious purposes. "Something like that 
would be much more valuable for targeted mining of things like 
passwords, E-mail addresses, mapping out government networks," Wilson 

Data maintained by security vendors MX Logic and IronPort confirms the 
presence of spam-sending bots on government networks. IronPort reports a 
40% increase in spam volume since February across government and 
business accounts. Craig Sprosts, a senior product manager at IronPort, 
notes that the percentage of spam coming from government accounts is 
minor--1% to 2% of the overall problem--compared with what's originating 
from Internet service providers and other compromised networks.

Not Immune

Bots land on computers in a dozen ways, including operating system or 
application vulnerabilities, dictionary attacks that guess passwords, a 
pre-existing back door created by a prior computer virus, and malicious 
files downloaded via E-mail, instant message, or peer-to-peer 
applications. Bots frequently are installed as a result of human 
error--opening a malicious file or visiting an unsafe Web site, for 
example. Once installed, bots may be able to update themselves or 
install other malicious software. They're typically controlled through 
commands received from an Internet Relay Chat server, and any 
compromised PC can be turned into an IRC server that can then be used to 
coordinate a bot network.

Increasingly, bots are using encrypted or covert channels of 
communication rather than IRC, which can easily be blocked, and they 
come with key-logging and screen capture capabilities, says Sam 
Masiello, director of threat management at MX Logic.
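The two preceding paragraphs describe the detection problem in prose: IRC on its well-known port is easy to block, so bots move to other ports or to encrypted channels that give a signature scanner nothing to match. The following is an added example, not code from the article or from any of the vendors it quotes. It runs two simple heuristics over a set of constructed connection records (the hosts, addresses and payload fragments are invented; the addresses come from the RFC 5737 documentation ranges): look for IRC protocol verbs in the first payload bytes on any port, and look for hosts that contact one destination at near-constant intervals, which is how a bot polling an opaque channel tends to behave.

```python
"""Flag hosts that look bot-controlled from constructed connection records.
Added example, not from the article.  Heuristic 1: IRC verbs in the first
payload bytes on any port (port 6667 is trivially blocked, so bots move).
Heuristic 2: regular beaconing to one destination, which works even when the
payload is encrypted.  All records below are constructed for illustration."""
import re
import statistics
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src, dst, dst_port, payload_prefix)
FLOWS = [
    (1000, "10.1.1.5", "198.51.100.9", 8080, "NICK [US|XP]-3921\r\nUSER a b c :d"),
    (1010, "10.1.1.5", "198.51.100.9", 8080, "JOIN #ch k3y\r\n"),
    (1020, "10.1.1.7", "203.0.113.20", 443, "\x16\x03\x01"),   # TLS, opaque
    (1320, "10.1.1.7", "203.0.113.20", 443, "\x16\x03\x01"),
    (1621, "10.1.1.7", "203.0.113.20", 443, "\x16\x03\x01"),
    (1919, "10.1.1.7", "203.0.113.20", 443, "\x16\x03\x01"),
    (2220, "10.1.1.7", "203.0.113.20", 443, "\x16\x03\x01"),
    (1005, "10.1.1.9", "192.0.2.80", 80, "GET / HTTP/1.1\r\n"),  # ordinary browsing
    (1400, "10.1.1.9", "192.0.2.80", 80, "GET /news HTTP/1.1\r\n"),
    (3100, "10.1.1.9", "192.0.2.80", 80, "GET /a HTTP/1.1\r\n"),
    (1030, "10.1.1.9", "192.0.2.81", 80, "GET / HTTP/1.1\r\n"),
]

# IRC client commands at the start of a line, regardless of destination port.
IRC_VERB = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS|MODE)\s", re.M)


def irc_on_any_port(flows):
    """Map each source that sends IRC verbs to the (dst, port) pairs it used."""
    hits = {}
    for _ts, src, dst, port, payload in flows:
        if IRC_VERB.search(payload):
            hits.setdefault(src, set()).add((dst, port))
    return hits


def beacons(flows, min_conns=4, max_cv=0.05):
    """Return (src, dst, port) keys with at least min_conns connections whose
    inter-arrival times vary by no more than max_cv (std dev / mean).
    Human activity is rarely this regular; scheduled jobs (NTP, update checks)
    are, so known-good destinations should be allow-listed before alerting."""
    times = defaultdict(list)
    for ts, src, dst, port, _payload in flows:
        times[(src, dst, port)].append(ts)
    out = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            out[key] = {"interval": round(mean), "cv": round(cv, 3), "count": len(ts)}
    return out


def suspects(flows):
    """Union of sources flagged by either heuristic."""
    flagged = set(irc_on_any_port(flows))
    flagged.update(src for (src, _dst, _port) in beacons(flows))
    return flagged


if __name__ == "__main__":
    print("IRC on any port:", irc_on_any_port(FLOWS))
    print("Beaconing:", beacons(FLOWS))
    print("Suspects:", sorted(suspects(FLOWS)))
```

In the constructed data, 10.1.1.5 is caught by the IRC verbs on port 8080 even though nothing touched 6667, and 10.1.1.7 is caught purely by timing (five TLS connections about 300 seconds apart) with no visible payload at all; the browsing host 10.1.1.9 trips neither check. On a real network the beaconing threshold and the allow-list of legitimate periodic destinations need tuning, and the payload check only sees the first bytes of each connection.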

A spokesman for the Defense Department declined to address specific 
security concerns, including bots, but he acknowledged that the 
department's computer systems are attacked daily. "The DoD aggressively 
responds to deter all intrusions," says Maj. Patrick Ryder via E-mail. 
"We're not immune, but we have a layered defense." Among the steps it 
takes: intrusion-detection software, firewalls, and increased awareness 
training of personnel.

Mike Skwarek, cybersecurity program manager and deputy CIO at Argonne 
National Labs, hadn't seen the Trend Micro findings nor talked to the 
security vendor early last week as this story was being researched. But 
based on the description of Trend Micro's findings--that spam received 
from the vendor's customers points to Argonne as one source--Skwarek 
doesn't believe the assertions and points to spoofing as a possible 
explanation. "You can forge where E-mails are coming from. It's quite 
easy," he says.
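Skwarek's point is the crux of the dispute over Trend Micro's list: the From: header and any Received: line written before a message reached your own relays are attacker-supplied text. The only hop you can pin on a network is the address that handed the message to the first relay you control. The following is an added example, not code from the article or from Trend Micro; it walks the Received: chain of a constructed message (invented hostnames, RFC 5737 addresses) downward from the receiver's own relays and stops at the first untrusted hop. The trusted relay ranges are an assumption standing in for whatever a filtering service actually operates.

```python
"""Attribute a spam sample to a source network using only trustworthy
Received: hops.  Added example; the message and relay ranges below are
constructed and are not data from the article."""
import re
from ipaddress import ip_address, ip_network

# Relays we operate (assumed): the filtering service's MX and the customer's
# inbound MTA.  Received: lines they wrote can be trusted; older ones cannot.
TRUSTED_NETS = [ip_network("203.0.113.0/24"), ip_network("192.0.2.128/25")]

# Constructed sample.  From: and the bottom Received: claim a lab's mail
# server, but the host that handed the message to our MX is 198.51.100.77.
SAMPLE = """\
Received: from mx1.filter.example (mx1.filter.example [203.0.113.10])
\tby inbound.customer.example (Postfix) with ESMTP id 4F2A1;
\tMon, 9 Oct 2006 10:15:02 -0500
Received: from smtp.lab.example (unknown [198.51.100.77])
\tby mx1.filter.example (Postfix) with SMTP id 9C1B2;
\tMon, 9 Oct 2006 10:15:00 -0500
Received: from ws42.lab.example (ws42.lab.example [192.0.2.42])
\tby smtp.lab.example (Postfix) with ESMTP id 00001;
\tMon, 9 Oct 2006 10:14:00 -0500
From: researcher@lab.example
To: victim@customer.example
Subject: (constructed sample)

body
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as written by common MTAs
FROM_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Header (name, value) pairs with RFC 5322 continuation lines joined."""
    fields = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return [tuple(f) for f in fields]


def received_hops(raw):
    """Hops newest-first: (helo_name, ip) per Received: line, None if unparsed."""
    hops = []
    for name, value in unfold(raw):
        if name == "received":
            m = FROM_RE.search(value)
            hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops


def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)


def attribute(raw):
    """Walk down from our own relays.  The first hop from an untrusted address
    is the handoff host, the only one a complaint can be pinned on; every hop
    below it was written by that host and may be forged.  Returns None when
    the message never left trusted relays (e.g. internal mail)."""
    hops = received_hops(raw)
    for idx, (helo, ip) in enumerate(hops):
        if ip is None or is_trusted(ip):
            continue
        from_hdr = dict(unfold(raw)).get("from", "")
        return {
            "handoff_ip": ip,
            "handoff_helo": helo,
            "claimed_domain": from_hdr.rsplit("@", 1)[-1],
            "forgeable_hops_below": len(hops) - idx - 1,
        }
    return None


if __name__ == "__main__":
    print(attribute(SAMPLE))
```

For the constructed sample the answer is 198.51.100.77, a host that merely announced itself as smtp.lab.example; the lab workstation named in the lowest Received: line is unverifiable and should never appear in a complaint. Whether 198.51.100.77 actually belongs to the lab is a separate question answered by its allocation records and the lab's published MX hosts, not by anything in the message.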

Once or twice a week, Argonne gets complaints about being a source of 
spam. Usually, however, its own analysis of the evidence shows that the 
lab wasn't at fault, that a PC suspected of sending spam was actually 
turned off at the time, for instance. If an Argonne PC gets infected by 
a bot, all E-mail is blocked from the infected PC. "We have an early 
warning, and that's effective," Skwarek says. Argonne has had two 
viruses in the past year and a half that may have been related to bots, 
but those viruses were quickly detected and removed. "We do a good job 
on the desktop fighting this," Skwarek says.

While it may be tempting to discount the warnings of security vendors as 
self-serving--bot fever means more business for Trend Micro and 
others--there's unanimity about the growing risk of cybercrime. In its 
list of the top 10 computer security developments to watch for in 2007, 
released last week, the SANS Institute warns that targeted attacks will 
become more prevalent, particularly against government agencies. 
"Targeted cyberattacks by nation states against U.S. government systems 
over the past three years have been enormously successful, demonstrating 
the failure of federal cybersecurity activities," SANS director of 
research Alan Paller says in an E-mail. "Other antagonistic nations and 
terrorist groups, aware of the vulnerabilities, will radically expand 
the number of attacks."

Network security vendor Arbor Networks last month reported that 
distributed DoS attacks and botnets are the most significant security 
threat facing ISPs. Arbor contends that bot command-and-control networks 
are harder to infiltrate and that today's bots are more powerful than 
their ancestors, as well as more difficult to find and remove. Scott 
Chasin, CTO of MX Logic, concurs: "Botnets are the most dangerous enemy 
that the Internet has faced up until now."

Wily Creatures

How do government agencies and businesses protect themselves? Cigna has 
perimeter filtering, and PCs are regularly scanned to ensure they "stay 
clean," says chief information security officer Craig Shumard. The 
health insurer looks for signatures that indicate bot activity. 
Protecting against denial-of-service attacks is a concern, too, so Cigna 
is strict about employees who telecommute. For instance, telecommuters 
can use only company-issued PCs to access Cigna systems. And company 
PCs are regularly updated with antivirus and other security software.

Like Shumard, Bob Pappagianopoulos, chief information security officer 
with Partners HealthCare System, says bots aren't a problem at his 
organization. Pappagianopoulos got an update last week from staffers 
responsible for monitoring, scanning, and detecting security problems. 
"We haven't seen a gross influx of bots," he says. Yet he admits that 
cybercriminals "are getting smarter in hiding their trail."

One of the most effective defenses against bots is to take 
administrative access away from PC users, says Tom Olzak, IT security 
director for HCR Manor Care, a $3 billion-a-year operator of nursing 
homes in 32 states. But bots are wily, as are the people who create and 
control them. Bots can be used to quietly gather information that 
attackers can later use to extort a company through threat of 
distributed DoS attacks that make their networks and systems unusable. 
"The sky's the limit in terms of what they can do," Olzak says.

When installed as rootkits, bots are difficult to detect and remove, so 
it's important to have systems for network intrusion detection and 
prevention, in addition to PC security software.

The key is to "detect, identify, isolate, and stop" bots quickly before 
they do damage or infect other systems, says Jim Mazzonna, chief of the 
Info Assurance Division of the U.S. Coast Guard's Telecommunication & 
Information Systems Command. "Are we seeing more bots? Yes. But we have 
sensors all over the place, and we can detect and isolate them quickly," 
he says.

The U.S. Navy's Cyber Defense Operations Center uses intrusion detection 
and prevention systems as part of a sensor grid to monitor and protect 
Naval computers. In most cases, bot activity can be identified and shut 
down automatically by these systems, according to the Navy. However, the 
Navy acknowledges that the approach isn't foolproof. "From time to time 
we get reports from other organizations that have visibility into 
networks that we may not have sensors on," according to a written 
statement provided by a Navy spokesman. "Once we get the report, we can 
take appropriate action to get the network secured." The Navy neither 
confirmed nor denied Trend Micro's report of bots on some of its 

Early Warning

Security researchers and vendors have been warning about bots for years. 
In his 2005 paper "Bots And Botnets: Risks, Issues And Prevention," 
Martin Overton, a security researcher with IBM Global Services, asserted 
that IT professionals had only a vague understanding of the threat posed 
by bots and botnets. "In many institutions and corporations, bots and 
botnets are rife and causing significant damage to the infected network 
owner," through lost bandwidth, intellectual property, and reputation, 
Overton wrote.

The culprits don't always get away with it. In August, 21-year-old 
Christopher Maxwell of Vacaville, Calif., was sentenced to 37 months in 
prison and three years of supervised release for operating an IRC botnet 
that compromised millions of computers, including some operated by the 
Department of Defense. A Defense Department investigation determined 
Maxwell was responsible for computer intrusions at military 
installations worldwide, resulting in repair costs of at least $172,000.

In January, 20-year-old Jeanson James Ancheta pleaded guilty to 
violating the Computer Fraud and Abuse Act and damaging federal computers. 
He admitted to generating some $60,000 in advertising proceeds by 
directing more than 400,000 infected computers that were part of a 
botnet army to servers he controlled, from which he would 
surreptitiously download adware onto the zombies, according to the FBI.

The Federal Trade Commission last year launched Operation Spam Zombies, 
a campaign to encourage ISPs to take steps to defend their networks from 
misuse. "Your organization has an interest in the integrity of the 
E-mail system, which is threatened by the onslaught of spam routed 
through spam zombies," the FTC said in its call for action. The FTC, 
however, can't say whether its campaign has been effective.

Trend Micro's Rand recalls uncovering a bot infestation at a network 
operator in France that involved a half-million infected computers. At 
the rate that the network operator is moving, he says, it will take 271 
years to get the bots off all of its computers. "We in the security 
industry have done a really crappy job of giving the ISP and IT 
community the right set of tools to address this problem," he says.

Symantec, in its Internet Security Threat Report for the first six 
months of 2006, isn't as alarmed, speculating that the bot population 
has "reached the saturation point." But the report also states that bot 
network owners are being more discreet about their activities to avoid 
law enforcement. Symantec finds that 2.91% of all PCs in Beijing have 
been compromised by bots, the highest percentage of any city worldwide. 
The U.S. cities with the greatest bot infections are Los Angeles, where 
an estimated 1.2% of all PCs are zombies, and Chicago, at 0.99%.

The sheer numbers are hard to pin down. Trend Micro claims that it once 
shut down a botnet that had 1.25 million computers attached to it. 
Cybercriminals are less likely to cast such a wide net today. "We don't 
see that anymore," Rand says. "We don't see huge volumes of machines 
under one command-and-control site. They're well dispersed."

Detection Is Difficult

That's what's new here: The crooks are adapting to avoid detection. 
They've designed their botnets to minimize disruption when one bot gets 
taken down. They're writing exploit code aimed at specific networks, 
which makes detection much more difficult. Security vendors may never 
even see limited-distribution exploit code, and if they do, it may not 
be worth adding it to their pattern files because the exploit affects 
only a few hundred or thousand machines.

What's more, attacks are becoming more sophisticated and automated. The 
vast computational power of Google, the product of hundreds of thousands 
of servers, is often cited as a benchmark for distributed 
supercomputing. The reality is that cybercriminals could effectively run 
the world's most powerful supercomputer, making it trivial to conduct 
computationally intensive operations like generating millions of unique 
image spam files to evade filters or unleashing massive malware attacks.

Rand cites the MS06-040 Microsoft vulnerability, disclosed on Aug. 8, 
which changed the infection rate of PCs from about a quarter of a 
million new machines per month to a quarter of a million new machines 
per day in the first few days. "Those numbers are staggering," he says. 
"When you start to put that together with other technologies, these 
people have enormous, enormous computing power at their disposal."

Given their middleman role on the Internet, ISPs are in a position to 
help stop bots, but Rand and others say they aren't doing enough. Fact 
is, ISPs can make more money ignoring cybercrime than fighting it. 
"Their feeling is, 'Hey, it's not our problem if the user is an idiot.' 
And my response to that is, you can't expect my mother to be responsible 
for Windows XP security. Sorry, you need to take a more active role."

Richi Jennings, an analyst with messaging research firm Ferris Research, 
recommends that ISPs disconnect zombie PCs from the Internet until they 
or the user can remove the malicious software.

Is that even possible? On a small scale it is. Lariat, a wireless 
ISP serving Laramie, Wyo., offers to install freely available security 
software for its users. "We scan every one of their machines before we 
grant them network access," says Lariat owner Brett Glass. "We're not 

Even so, Lariat's users may end up with compromised machines. A recent 
round of zero-day attacks turned some machines into spam bots. But 
thanks to traffic monitoring, Lariat was able to identify subverted 
machines and fix them. "We keep the best handle on it we can," Glass 
says. "But most Internet users who go to the store and buy a computer 
are sitting ducks. If they use the computer as configured and as 
directed, the odds are overwhelming that they'll be infected within a 
few hours."

Fight Back

Telecom carrier BellSouth can't say whether bots are any worse today 
than in the past, but there's no doubt they're an issue. In the fourth 
quarter, BellSouth will start using "an industry best solution" that's 
in beta testing now to better understand its network usage so that it 
can target malicious software, says Michael Spoor, director of network 
infrastructure and security at BellSouth.

The company's multilayered strategy for fighting bots includes 
encouraging its customers to "self-protect" home PCs, including 
downloading a security software suite BellSouth makes available on its 
site or from another source. "BellSouth looks to its customers to help 
us help them," Spoor says.

Every day, BellSouth blocks millions of suspected spam messages from 
crossing its network, he says. Teams within BellSouth work on the 
problem of spam, bots, and viruses.

Ken Kousky, CEO of security market research firm IP3, argues that law 
enforcement needs to do more, too. He contends that U.S. authorities 
have been less than enthusiastic in their efforts to protect the porn 
and gambling businesses that are often threatened by criminals armed 
with botnets. "We've tried to find a case where law enforcement has 
taken a proactive effort to defend a porn site and, as far as I know, 
there are no instances of this," he says. "The challenge in botnets is 
to stop the flow of funds."

New technologies promise some relief. Trend Micro recently announced its 
InterCloud Security Service specifically for bot detection; IronPort 
sells its C10 E-mail appliance and virus outbreak filters; MX Logic this 
week plans to introduce a Web Defense Service to protect small and 
midsize businesses from malware; and Symantec and Panda Software 
recently released updated Internet security software packages.

But these are temporary fixes at best. Malware writers are adept at 
countering the countermeasures. To complicate matters, it's hard to 
change human nature. "The stuff we're talking about in general is caused 
by human error," says the SANS Institute's Paller. "The government has 
done essentially nothing to illuminate human error and get rid of it. 
The awareness training that goes on in the federal government--except at 
the U.S. Agency for International Development--is pretty much useless."

Not so at West Point. Computer security training, which has been part of 
the curriculum for six years, was the subject of a series of exercises 
called Carronade that ran between early 2004 and late 2005, testing the 
susceptibility of E-mail users to both general and targeted phishing 
attacks. The rate at which students fell for phishing attacks dropped 
from more than 50% among freshmen to less than 20% for seniors, says Lt. 
Col. Ronald C. Dodge Jr., associate professor in the academy's 
department of electrical engineering and computer science.

There's still room for improvement. In a paper detailing the West Point 
study, "Phishing For User Security Awareness," Dodge and co-authors 
Curtis Carver and Aaron Ferguson conclude, "Our students continue to 
disclose information that should not be disclosed to an unauthorized 
user and expose themselves to malicious code by opening attachments."

Paller gives the U.S. Agency for International Development high marks 
because it forces security training on its PC users every day as part of 
the logon process. Ultimately, that kind of intrusive, unavoidable 
insistence on security may be necessary to help bot-fighting technology 
do its job.

Copyright 2005 CMP Media LLC