By Thomas Claburn
Oct 9, 2006
Thousands of government computers may be under the control of
cybercriminals. Software bots--malicious code that turns PCs and servers
into remotely controlled "zombies"--have dug into the computers of
federal and state agencies, security experts say. Once infected, those
computers can be used to distribute spam, launch denial-of-service
attacks, and even direct sensitive information into the wrong hands.
Security vendor Trend Micro, which has been studying the phenomenon and
is pushing a service to detect bots, reports finding bot infestations in
government computers. Its list of bot-bitten organizations includes the
Department of Defense, Argonne National Laboratory, Alabama
Supercomputer Network, Arkansas Department of Information Systems, Iowa
Communications Network, and Connecticut's Department of IT. The
Pittsburgh Supercomputing Center and Navy Network Information Center may
end up on the list, too; Trend Micro last week said data pointing to
bots in those two organizations was inconclusive.
Trend Micro planned to disclose its findings last week--ostensibly in
the interest of public awareness. But as InformationWeek followed up
with organizations cited by the vendor, some of its conclusions were
called into question, owing in part to the complexity of tracking these
zombie computers. One national laboratory, for example, was initially
identified as having compromised machines, but the lab disputed those
findings, and subsequent analysis by Trend Micro revealed that the spam
in question doesn't appear to come from its machines. Trend Micro has
since postponed its announcement and is double-checking the 60 terabytes
of data it used to do its analysis.
Trend Micro attempts to identify compromised machines by analyzing spam
samples received from customers of its filtering service. It's tricky
work, because bot creators employ techniques to cover their tracks. "You
have no idea how complex this is," says Dave Rand, Trend Micro's CTO.
After initially claiming that "tens of thousands" of government
computers had bots within them, Rand last week revised that tally to
That doesn't mean bots aren't a problem--they most certainly are for
government agencies and businesses alike. Trend Micro estimates there
are 70 million subverted computers worldwide and that 8 million to 9
million are used to send spam in a given month. Bots can remain dormant
for weeks or months at a time. In general, about 60% of zombies are used
to send spam and 40% for more destructive reasons, including phishing,
pharming, click fraud, distributing adware or malware, denial-of-service
attacks, data theft, and temporarily storing illegal, malicious, or
While most everyone agrees that the attacks are getting larger, more
frequent, and more sophisticated, not everyone sees evidence that bots
are a growing problem on government computers. Network security
specialist Prolexic says there's been an increase in the size of
distributed denial-of-service attacks, from 3.5 Gbps last year to more
than 10 Gbps in 2006, yet a data sample from the company's clients
doesn't show evidence of those attacks originating from government
Internet addresses. That finding is based on about 40 distributed DoS
attacks monitored by Prolexic in the first seven months of 2006.
After being contacted by InformationWeek, Prolexic operations VP Matt
Wilson did a quick search of the company's computer logs for evidence of
bot attacks originating from government computers. "I didn't see
anything that would have indicated mass bot infections within any
government agencies or networks," he says. "That's not to say that they
don't exist, simply that they aren't being used to attack our customer
It's small comfort, however, because if government systems are being
hijacked, it could be for more devious purposes. "Something like that
would be much more valuable for targeted mining of things like
passwords, E-mail addresses, mapping out government networks," Wilson
Data maintained by security vendors MX Logic and IronPort confirms the
presence of spam-sending bots on government networks. IronPort reports a
40% increase in spam volume since February across government and
business accounts. Craig Sprosts, a senior product manager at IronPort,
notes that the percentage of spam coming from government accounts is
minor--1% to 2% of the overall problem--compared with what's originating
from Internet service providers and other compromised networks.
Bots land on computers in a dozen ways, including operating system or
application vulnerabilities, dictionary attacks that guess passwords, a
pre-existing back door created by a prior computer virus, and malicious
files downloaded via E-mail, instant message, or peer-to-peer
applications. Bots frequently are installed as a result of human
error--opening a malicious file or visiting an unsafe Web site, for
example. Once installed, bots may be able to update themselves or
install other malicious software. They're typically controlled through
commands received from an Internet Relay Chat server, and any
compromised PC can be turned into an IRC server that can then be used to
coordinate a bot network.
Increasingly, bots are using encrypted or covert channels of
communication rather than IRC, which can easily be blocked, and they
come with key-logging and screen capture capabilities, says Sam
Masiello, director of threat management at MX Logic.
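The IRC command-and-control and spam-sending behaviour described above is what network monitoring looks for. The following is an added example, not code from the article or from any vendor it quotes: two simple heuristics run over constructed outbound flow records, flagging hosts that talk to IRC server ports and workstations that open SMTP connections to many distinct peers. The flow-line layout, port list, threshold and mail-server allow list are all assumptions; as Masiello notes, bots that use encrypted or covert channels instead of IRC will not trip the first check.

```python
"""Flag likely bot activity in outbound flow records (added example)."""
from collections import defaultdict

IRC_PORTS = {6667, 6668, 6669, 7000}   # common IRC server ports (assumed list)
SMTP_PORT = 25
SMTP_PEER_THRESHOLD = 20               # distinct SMTP peers before flagging (assumed)
MAIL_SERVERS = {"10.1.4.60"}           # hosts allowed to send mail directly (assumed)


def parse_flow(line):
    """Parse one constructed flow line: 'timestamp src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_bot_candidates(lines):
    """Return {host: [reasons]} for hosts matching either heuristic."""
    irc_servers = defaultdict(set)   # src -> IRC servers contacted
    smtp_peers = defaultdict(set)    # src -> distinct SMTP destinations
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp":
            continue
        if f["dport"] in IRC_PORTS:
            irc_servers[f["src"]].add(f["dst"])
        elif f["dport"] == SMTP_PORT and f["src"] not in MAIL_SERVERS:
            smtp_peers[f["src"]].add(f["dst"])
    findings = defaultdict(list)
    for host, servers in irc_servers.items():
        findings[host].append(f"IRC C&C traffic to {len(servers)} server(s)")
    for host, peers in smtp_peers.items():
        if len(peers) >= SMTP_PEER_THRESHOLD:
            findings[host].append(f"outbound SMTP to {len(peers)} distinct peers")
    return dict(findings)


def build_sample_flows():
    """Constructed records: an IRC beaconer, a spam zombie, a normal host, a mail relay."""
    lines = ["2006-10-02T08:00:01 10.1.4.22 203.0.113.7 6667 tcp",
             "2006-10-02T08:00:31 10.1.4.22 203.0.113.7 6667 tcp",
             "2006-10-02T08:01:02 10.1.4.23 198.51.100.10 443 tcp"]
    for i in range(25):   # workstation spraying mail at 25 different MX hosts
        lines.append(f"2006-10-02T08:02:{i:02d} 10.1.4.50 192.0.2.{i + 1} 25 tcp")
    for i in range(30):   # the allow-listed mail relay doing its normal job
        lines.append(f"2006-10-02T08:03:{i:02d} 10.1.4.60 192.0.2.{i + 1} 25 tcp")
    return lines


if __name__ == "__main__":
    for host, reasons in sorted(find_bot_candidates(build_sample_flows()).items()):
        print(host, "->", "; ".join(reasons))
```

Flagged hosts are candidates for the isolate-and-clean step the article's defenders describe, not proof of infection: a mis-set allow list or a legitimate IRC user produces the same signal.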
A spokesman for the Defense Department declined to address specific
security concerns, including bots, but he acknowledged that the
department's computer systems are attacked daily. "The DoD aggressively
responds to deter all intrusions," says Maj. Patrick Ryder via E-mail.
"We're not immune, but we have a layered defense." Among the steps it
takes: intrusion-detection software, firewalls, and increased awareness
training of personnel.
Mike Skwarek, cybersecurity program manager and deputy CIO at Argonne
National Labs, hadn't seen the Trend Micro findings nor talked to the
security vendor early last week as this story was being researched. But
based on the description of Trend Micro's findings--that spam received
from the vendor's customers points to Argonne as one source--Skwarek
doesn't believe the assertions and points to spoofing as a possible
explanation. "You can forge where E-mails are coming from. It's quite
easy," he says.
Once or twice a week, Argonne gets complaints about being a source of
spam. Usually, however, its own analysis of the evidence shows that the
lab wasn't at fault, that a PC suspected of sending spam was actually
turned off at the time, for instance. If an Argonne PC gets infected by
a bot, all E-mail is blocked from the infected PC. "We have an early
warning, and that's effective," Skwarek says. Argonne has had two
viruses in the past year and a half that may have been related to bots,
but those viruses were quickly detected and removed. "We do a good job
on the desktop fighting this," Skwarek says.
While it may be tempting to discount the warnings of security vendors as
self-serving--bot fever means more business for Trend Micro and
others--there's unanimity about the growing risk of cybercrime. In its
list of the top 10 computer security developments to watch for in 2007,
released last week, the SANS Institute warns that targeted attacks will
become more prevalent, particularly against government agencies.
"Targeted cyberattacks by nation states against U.S. government systems
over the past three years have been enormously successful, demonstrating
the failure of federal cybersecurity activities," SANS director of
research Alan Paller says in an E-mail. "Other antagonistic nations and
terrorist groups, aware of the vulnerabilities, will radically expand
the number of attacks."
Network security vendor Arbor Networks last month reported that
distributed DoS attacks and botnets are the most significant security
threat facing ISPs. Arbor contends that bot command-and-control networks
are harder to infiltrate and that today's bots are more powerful than
their ancestors, as well as more difficult to find and remove. Scott
Chasin, CTO of MX Logic, concurs: "Botnets are the most dangerous enemy
that the Internet has faced up until now."
How do government agencies and businesses protect themselves? Cigna has
perimeter filtering, and PCs are regularly scanned to ensure they "stay
clean," says chief information security officer Craig Shumard. The
health insurer looks for signatures that indicate bot activity.
Protecting against denial-of-service attacks is a concern, too, so Cigna
is strict about employees who telecommute. For instance, telecommuters
can use only company-issued PCs to access Cigna systems. And company
PCs are regularly updated with antivirus and other security software.
Like Shumard, Bob Pappagianopoulos, chief information security officer
with Partners HealthCare System, says bots aren't a problem at his
organization. Pappagianopoulos got an update last week from staffers
responsible for monitoring, scanning, and detecting security problems.
"We haven't seen a gross influx of bots," he says. Yet he admits that
cybercriminals "are getting smarter in hiding their trail."
One of the most effective defenses against bots is to take
administrative access away from PC users, says Tom Olzak, IT security
director for HCR Manor Care, a $3 billion-a-year operator of nursing
homes in 32 states. But bots are wily, as are the people who create and
control them. Bots can be used to quietly gather information that
attackers can later use to extort a company through threat of
distributed DoS attacks that make their networks and systems unusable.
"The sky's the limit in terms of what they can do," Olzak says.
When installed as rootkits, bots are difficult to detect and remove, so
it's important to have systems for network intrusion detection and
prevention, in addition to PC security software.
The key is to "detect, identify, isolate, and stop" bots quickly before
they do damage or infect other systems, says Jim Mazzonna, chief of the
Info Assurance Division of the U.S. Coast Guard's Telecommunication &
Information Systems Command. "Are we seeing more bots? Yes. But we have
sensors all over the place, and we can detect and isolate them quickly,"
The U.S. Navy's Cyber Defense Operations Center uses intrusion detection
and prevention systems as part of a sensor grid to monitor and protect
Naval computers. In most cases, bot activity can be identified and shut
down automatically by these systems, according to the Navy. However, the
Navy acknowledges that the approach isn't foolproof. "From time to time
we get reports from other organizations that have visibility into
networks that we may not have sensors on," according to a written
statement provided by a Navy spokesman. "Once we get the report, we can
take appropriate action to get the network secured." The Navy neither
confirmed nor denied Trend Micro's report of bots on some of its
Security researchers and vendors have been warning about bots for years.
In his 2005 paper "Bots And Botnets: Risks, Issues And Prevention,"
Martin Overton, a security researcher with IBM Global Services, asserted
that IT professionals had only a vague understanding of the threat posed
by bots and botnets. "In many institutions and corporations, bots and
botnets are rife and causing significant damage to the infected network
owner," through lost bandwidth, intellectual property, and reputation,
The culprits don't always get away with it. In August, 21-year-old
Christopher Maxwell of Vacaville, Calif., was sentenced to 37 months in
prison and three years of supervised release for operating an IRC botnet
that compromised millions of computers, including some operated by the
Department of Defense. A Defense Department investigation determined
Maxwell was responsible for computer intrusions at military
installations worldwide, resulting in repair costs of at least $172,000.
In January, 20-year-old Jeanson James Ancheta pleaded guilty to
violating the Computer Fraud and Abuse Act and damaging federal computers.
He admitted to generating some $60,000 in advertising proceeds by
directing more than 400,000 infected computers that were part of a
botnet army to servers he controlled, from which he would
surreptitiously download adware onto the zombies, according to the FBI.
The Federal Trade Commission last year launched Operation Spam Zombies,
a campaign to encourage ISPs to take steps to defend their networks from
misuse. "Your organization has an interest in the integrity of the
E-mail system, which is threatened by the onslaught of spam routed
through spam zombies," the FTC said in its call for action. The FTC,
however, can't say whether its campaign has been effective.
Trend Micro's Rand recalls uncovering a bot infestation at a network
operator in France that involved a half-million infected computers. At
the rate that the network operator is moving, he says, it will take 271
years to get the bots off all of its computers. "We in the security
industry have done a really crappy job of giving the ISP and IT
community the right set of tools to address this problem," he says.
Symantec, in its Internet Security Threat Report for the first six
months of 2006, isn't as alarmed, speculating that the bot population
has "reached the saturation point." But the report also states that bot
network owners are being more discreet about their activities to avoid
law enforcement. Symantec finds that 2.91% of all PCs in Beijing have
been compromised by bots, the highest percentage of any city worldwide.
The U.S. cities with the greatest bot infections are Los Angeles, where
an estimated 1.2% of all PCs are zombies, and Chicago, at 0.99%.
The sheer numbers are hard to pin down. Trend Micro claims that it once
shut down a botnet that had 1.25 million computers attached to it.
Cybercriminals are less likely to cast such a wide net today. "We don't
see that anymore," Rand says. "We don't see huge volumes of machines
under one command-and-control site. They're well dispersed."
Detection Is Difficult
That's what's new here: The crooks are adapting to avoid detection.
They've designed their botnets to minimize disruption when one bot gets
taken down. They're writing exploit code aimed at specific networks,
which makes detection much more difficult. Security vendors may never
even see limited-distribution exploit code, and if they do, it may not
be worth adding it to their pattern files because the exploit affects
only a few hundred or thousand machines.
What's more, attacks are becoming more sophisticated and automated. The
vast computational power of Google, the product of hundreds of thousands
of servers, is often cited as a benchmark for distributed
supercomputing. The reality is that cybercriminals could effectively run
the world's most powerful supercomputer, making it trivial to conduct
computationally intensive operations like generating millions of unique
image spam files to evade filters or unleashing massive malware attacks.
Rand cites the MS06-040 Microsoft vulnerability, disclosed on Aug. 8,
which changed the infection rate of PCs from about a quarter of a
million new machines per month to a quarter of a million new machines
per day in the first few days. "Those numbers are staggering," he says.
"When you start to put that together with other technologies, these
people have enormous, enormous computing power at their disposal."
Given their middleman role on the Internet, ISPs are in a position to
help stop bots, but Rand and others say they aren't doing enough. Fact
is, ISPs can make more money ignoring cybercrime than fighting it.
"Their feeling is, 'Hey, it's not our problem if the user is an idiot.'
And my response to that is, you can't expect my mother to be responsible
for Windows XP security. Sorry, you need to take a more active role."
Richi Jennings, an analyst with messaging research firm Ferris Research,
recommends that ISPs disconnect zombie PCs from the Internet until they
or the user can remove the malicious software.
Is that even possible? On a small scale it is. Lariat.net, a wireless
ISP serving Laramie, Wyo., offers to install freely available security
software for its users. "We scan every one of their machines before we
grant them network access," says Lariat owner Brett Glass. "We're not
Even so, Lariat's users may end up with compromised machines. A recent
round of zero-day attacks turned some machines into spam bots. But
thanks to traffic monitoring, Lariat was able to identify subverted
machines and fix them. "We keep the best handle on it we can," Glass
says. "But most Internet users who go to the store and buy a computer
are sitting ducks. If they use the computer as configured and as
directed, the odds are overwhelming that they'll be infected within a
Telecom carrier BellSouth can't say whether bots are any worse today
than in the past, but there's no doubt they're an issue. In the fourth
quarter, BellSouth will start using "an industry best solution" that's
in beta testing now to better understand its network usage so that it
can target malicious software, says Michael Spoor, director of network
infrastructure and security at BellSouth.
The company's multilayered strategy for fighting bots includes
encouraging its customers to "self-protect" home PCs, including
downloading a security software suite BellSouth makes available on its
site or from another source. "BellSouth looks to its customers to help
us help them," Spoor says.
Every day, BellSouth blocks millions of suspected spam messages from
crossing its network, he says. Teams within BellSouth work on the
problem of spam, bots, and viruses.
Ken Kousky, CEO of security market research firm IP3, argues that law
enforcement needs to do more, too. He contends that U.S. authorities
have been less than enthusiastic in their efforts to protect the porn
and gambling businesses that are often threatened by criminals armed
with botnets. "We've tried to find a case where law enforcement has
taken a proactive effort to defend a porn site and, as far as I know,
there are no instances of this," he says. "The challenge in botnets is
to stop the flow of funds."
New technologies promise some relief. Trend Micro recently announced its
InterCloud Security Service specifically for bot detection; IronPort
sells its C10 E-mail appliance and virus outbreak filters; MX Logic this
week plans to introduce a Web Defense Service to protect small and
midsize businesses from malware; and Symantec and Panda Software
recently released updated Internet security software packages.
But these are temporary fixes at best. Malware writers are adept at
countering the countermeasures. To complicate matters, it's hard to
change human nature. "The stuff we're talking about in general is caused
by human error," says the SANS Institute's Paller. "The government has
done essentially nothing to illuminate human error and get rid of it.
The awareness training that goes on in the federal government--except at
the U.S. Agency for International Development--is pretty much useless."
Not so at West Point. Computer security training, which has been part of
the curriculum for six years, was the subject of a series of exercises
called Carronade that ran between early 2004 and late 2005, testing the
susceptibility of E-mail users to both general and targeted phishing
attacks. The rate at which students fell for phishing attacks dropped
from more than 50% among freshmen to less than 20% for seniors, says Lt.
Col. Ronald C. Dodge Jr., associate professor in the academy's
department of electrical engineering and computer science.
There's still room for improvement. In a paper detailing the West Point
study, "Phishing For User Security Awareness," Dodge and co-authors
Curtis Carver and Aaron Ferguson conclude, "Our students continue to
disclose information that should not be disclosed to an unauthorized
user and expose themselves to malicious code by opening attachments."
Paller gives the U.S. Agency for International Development high marks
because it forces security training on its PC users every day as part of
the logon process. Ultimately, that kind of intrusive, unavoidable
insistence on security may be necessary to help bot-fighting technology
do its job.
Copyright 2005 CMP Media LLC