Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Is the Botnet Battle Already Lost?



 By: Ryan Naraine
2006-10-16
Article Rating:starstarstarstarstar / 6


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Is the Botnet Battle Already Lost?
  2. ' Cat'
  3. ' The Profit Motive '

Rate This Article:
Poor Best
Is the Botnet Battle Already Lost?
( Page 1 of 3 )

Botnets have become a big underground business, and the security industry has few answers. eWEEK delves into the uphill challenge in front of vendors by going to one company's research facility to study live botnets in action.

Its dress-down Friday at Sunbelt Softwares Clearwater, Fla., headquarters. In a bland cubicle on the 12th floor, Eric Sites stares at the screen of a "dirty box," a Microsoft Windows machine infected with the self-replicating Wootbot network worm.

Within seconds, there is a significant spike in CPU usage as the infected computer starts scanning the network, looking for vulnerable hosts.

In a cubicle across the hall, Patrick Jordans unpatched test machine is hit by the worm, prompting a chuckle from the veteran spyware researcher.

Almost simultaneously, the contaminated machine connects to an IRC (Internet Relay Chat) server and joins a channel to receive commands, which resemble strings of gibberish, from an unknown attacker.

"Welcome to the world of botnets," said Sites, vice president of research and development at Sunbelt, a company that sells anti-spam and anti-spyware software.

"Basically, this machine is now owned by a criminal. Its now sitting there in the channel, saying Im here, ready to accept commands," Sites explained.

Resource Library:

A botnet is a collection of broadband-enabled PCs, hijacked during virus and worm attacks and seeded with software that connects back to a server to receive communications from a remote attacker. And these botnets are everywhere.

According to statistics released by Symantec, an average of 57,000 active bots was observed per day over the first six months of 2006.

During that period, the anti-virus vendor discovered a whopping 4.7 million distinct computers being actively used in botnets to spit out spam, launch DoS (denial of service) attacks, install malware or log keystrokes for identity theft.

Botnets filled—and easily replenished—with compromised Windows have emerged as the key hub for well-organized crime rings around the globe, using stolen bandwidth from drone zombies to make money from nefarious Internet activity, according to security experts tracking the threat.

From adware and spyware installations to spam runs and phishing attacks, CPU cycles from botnets drive a billion-dollar underground business that thrives on lax computer security and uses "money mules" to ship physical items around the world.

Click here to read more about money mules.

Now, there is a general feeling of hopelessness among security professionals involved in finding and disabling botnets. It remains to be seen how this despair affects security products and the attitudes of the technology executives who rely on them.

"Weve known about [the threat from] botnets for a few years, but were only now figuring out how they really work, and Im afraid we might be two to three years behind in terms of response mechanisms," said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va.

SRI is a nonprofit research institute that provides support for the Department of Homeland Securitys Cyber Security Research and Development Center.

The battle against the bots has been manned by volunteers who pinpoint the botnet command-and-control infrastructure and work with ISPs and law enforcement authorities to disable them. Now, there is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste.

"Weve managed to hold back the tide, but, for the most part, its been useless," said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. "When we disable a command-and-control server, the botnet is immediately re-created on another host. Were not hurting them anymore," Evron said in an interview with eWEEK.

"Were fighting a war of intelligence. The botnet herders keep advancing and moving forward at a fast rate, and we just cant keep up. There are just too many obstacles in our way," Evron added.

The complex setup now includes the use of hijacked computers to host the DNS (Domain Name System) servers that provide domain resolution services for the rogue.

This allows a bot herder to dynamically change IP addresses without changing a DNS record or the hosting—and constant moving around—of phishing Web sites on bot computers.

Statistics from multiple sources justify Evrons pessimism. According to data culled from Microsofts MSRT (Malicious Software Removal Tool), back-door Trojans and bots represent a "significant and tangible threat to Windows users."

Since the first iteration of the MSRT in January 2005, the tool has removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected Windows machines, about 62 percent was found with a Trojan or bot.

Next Page: Cat-and-mouse game.





  Reader Comments: Is the Botnet Battle Already Lost?
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xv8 |NJ5]kV)-9Nr[tg}3G!ed闸g"pBI^狼Җ0D@?{{~$riOH1%3t;D{{?.ЇP|oS/92t i^_wD_*0QI- Y|/ Z@GS::y\B^,> x[n9,4E; Kxf1Sd!XIc/YTU9Df9iNMҺ췮۽NOۭ3d̲5<JEӀ Zvb#?ޙ#V7g͛ke{#gkl}nz _GlH  Wh6 N[_lxmķx0|kh2`=r8Lwjt( ?5/W-2 ୫O'Sdp*~߹ =M%˭%wܿ/Rx3oF5 tA%Ga":sPڊfCt-Mn #dh&ͻZh-Aho*KLr5&@Sk~$M 5ņ])!edFSۤ%/^(P%!P샖_.[ jF|*(If(;΀/3A.r)# 6=aL+^뻹(Y\08N>]7+De., s5-wnxaZTpx=O׭&]u/{]iz-xX18,]evb`\\Է7J06_)Ab/*r[ hS2e8l ԰2nб>lA05t3c|>9Նm'!|Бdmx=Z.s3GS4!>F& Ѐ w|hx: C 00gwk9LP#wC۠h&r<kIOlLJ.??6 ; G`p&;xk=`D+wCPb1LTE}vACAX' #}S(r`nZдc@l~9)4+9pPsf >`|=-0Xud9sc]edң!}?p*JNC_kVzq}nMAV?Ty v|9p‡9E#rUϚX 5<.&B#5w&Q OzBnehJJ*$,4)ŠpdjKݸ^`"3hqNNRЙB#@9zQ/OJb-yhֽkmH_ƠT:. B[+ M2%W}kaԕ %/DA n:bXG6X}iМ^fdTR0iMtv{jMj&M;_&TY9?>2eiF6oՒhcM;,WbzgܲK(!mʥʫ ;u\ cQDz[fln: 6)8{y4!%6$N?&BXSt+@Zl&VUmTHbp=Pq X0b={t9pJ.,q暺_,-*{g5eWlH Ws<&uE8` ;fcxF3FԱiQP7uk#RLא~3KJAUc?&i?怚H|A2exL,Z`_9cDzlʠ:7Ip]t%1y4h_G3sHb4"T2paLHa03] elqؼ;(kɜN4:E80Ge9Cb+[ꭧǙXT+[pfۻ(Sܧ&;alâk4'{E; :7a/)cpI,_ta@C^C)& SZ`\FLs  ZCbP$܌wт.[|X]OXL+*9GGs=?w2_!挮3t!VBLqQT*8Y+ :?cUQ@H.g<8}FӨ5 g_vo?{]wK\μ + ;2E<&{H˰"U`}JZYPIb6ʼnG =q?@*2G¹5`Qеa⢉!h{34khý235RzVU;OP(;Ђw>k-4Ӥ-`"KjZUv~Ie(#N枏~+ӥ ] 4}j-tpMU*Ղʾ_Yv+^t m(5#S #2qgrh)hMf55gH5ysV9y]%fZ+a1L*=:]6AP,2< *WGS<MxS ͳi54=_@HpfGi }䯦gQSM8^&оȣ*騫VJe0&30ʃϣ ek&w9*<l*k`=z{'v ܶ W!SD91^%Lwܒ; k@X;V-(7ϙ40p2Y=uK6,~xfO6)4D6>Dv? sc{~O0lu*%\.Yi {2u9p\s[;iJCo`s 车2Q&OB8Jh-[r_A~f:T(ȫͦ'0k(j'܉?>nVɵGZV?fIG{EY(..n$UHU(V $ yUrmn,: /6" ޜbl[ e|פ|X+Gs;"ʌg b|r{q>'F{lj#eWՄθ4;aʿͭGXLd;Ͳ6ڤiD@kXJ7ѭj`.ӪV$,: <d=^UL&2%SS]<  qΟݚr`>xHΝrQӊ5JR'0阆8zAbȣ,z(_d0rY+`7'ɠK= j ;!O}+tCZ6wOXOdK!Oo%EDOCVgX&1W+ʬڼ f@48&o;WZU{ EE@j߱?% ?/l8)F#t,+?~i7G}e_:kt_?v00Vy?J0WK޿ LЇ_e#R:&*);-~l1z˾WM$(XNp4q!'^y{{h6ۗk6|v:724H"rӸо_>^t)crѾlI^+΃ 7EBVç<uxi)qڎ7M ,#L=\=ֈ4FD!B2.f3 T/Us>֒\zF_ɾj,49Aϐa6(FkhMن{+^+[̚_f?ĄB?JΎy0(@RPOh[#EKtZ;3^t}dh !:Ua2"(BS.iDO§,:^78Sj6w EW%'k+ e{--':}mN1џ` e܃&WVr[k'5۟I‐ ׉ NAvhq_ϓgԢᬖ^}+ ɏX#zSaJf Sz/uOmOwgXm?{'q?K8t2Ti 'sXrw{ѺB ?݁M5=ICw5FG2]}Gt 7Xhǩ-{oCD'eNx>HАߙ=p9#M LwzzMYFc_ oc$Ǿv/ݻw~Zw[q*A-wC?'dc:M"I^U֭UdU)I=YE㳏)G8}b[0d&'zvA Js{Q[qec?o{ U<Ϻ4]f+wB%-JKz%nQhr;D҂%E(qQ#{"F%t`o14L,*z>;l-3'K-h,ѵTK_Я+Aw KzON 访_߶`$j+%<|Kq,vtIbq q,zDgRęu>J%t's4)usLvZz H߯oWe)Eu"LDXVg?K8#X1wnQD\N|2I,FP SY@#"Rhzt(P6a#1ahVς ( 2w['& Mt0-3}peyHLvG,3дVL;m0 n$r︧& xXy<%Wޮ8 CDZ%U00޶Fa1qz{RL8E¨#cFL@xl-!`eݢ^00=3J+ .t0% {x6hֿbcQ=,6o;d|o}'6!f_&x]`^Mb'Z [dԈeC4m0zYڷ;`i#`rg07=ї3tA_6D<'0"9"~!5"J=KˠdC>{ ,_]*nxFS*Z~<# 3t>@>W v#RK9j߱\tQWD U"K0sI FH$+)YL先=?JUR+OiVx '2LXqN9wn;J;Z!F|A-l;S+'F3:)e 2H.J yyFgRT?%9gY Y_/1 Xwg! 0n$` |[,BwCS]9 )ڶT~)R?J@eyMŒe&s ߌ%4o~,, k-T^\\gh37e `]c&9e+31#@ H8@@1"~[ji$ D ԟޮ+5cyr8V|k|B.n,JX73=~9qιTG;`Z` sHYD0vt7뎈Yg#1+AOidY愢j}cJ_e &jlS/LKɣR$ګH O#/~;4CΖC]~%'!D ;n)x5́?<<o4ͺha-> ϬCOy= PE$Z@mɧ/vF:J*`y:|v;^hPRXYgo` [ a |Rsمץ79s_:}}A'ߞe3cBA~×_k~"!rk1+N>%2M\NRYI /[7%|5q y{2!o1{ 2 c1צdgY*!<BQcg!mqo[k{-ݷ}ݺ.[*" L~Œ!랿 n~ Uח}m^R%dNlI>^s?F,ut C HygooBO!@ /0A1`#x1pOgK;;_e,>뇇ֿUk  *?[sn]/#Ӌa( Soaˆ'Ȁ/,4#kl Z5k}NaN@v։ p/{Esr^_ZZ2?YBsB-bOLܹT)=hPNZkKHܱ[`Wo.]N~ӆ2.y9~:nYNH^5& đ{[tp=#B/R3` n*D)4|6{Lzl/qDfph֒_fXU*l%I"q0M_é)⌉fneO%sl'I4pEXȓwajKǠ |O 8wiQn|^_V£$'W-NT v/*`5,k;hOר>2B\bd=-T?^<@!wmk0#{|3}9ܨ`nowTa1tq*o,2XzX67M ~VxrzV9T'ރG| ךODiH L|d7  /g*Dz'q/x"j\U[jsfO]I a!/(!/DnTqaI{G&sϘ$?9quEMm&^h kaD 'bl\M'p.$XD Ň^ K3G6 ͤ<؎7ӭ%ta8FSYhU!cbׇjP]-OQ/ ]ZX,:~eL<^^AFS3 i/ʍ"r\IoA$TGث)RMh9=Ũt <)fFllz^C `5vX5.Vڹq yK-y-J4sS567Z}j', . h-* ;,OtevNUE! An|lMᗚk烔KpʭBף:̹OMMĀNjlh*ejG{UMhբ Mnm*>=}!P="Z{2֑: bRI+-ݳiN@ kHl#膻,飏ji',6~KstRAl9 c;ZV]Mj8 WK+Nb ,85o]KjL߶"|1-tiҙ H۠[*н"%&hPjߙc۫us)ʒ2?+ 6Ƕl[va|Duv7H)nMPM=сHz.:N#V¯R9ʇ1f=E TQ1LV]=#ZNHx5J\SZx_!Ƅa)q1 \TbЭB1˪M;InP}wY?e=` '2t/x߹[!VU'ruY _Dx_{g.'~ }^MM  .Mo Arj$W|p N>lF_ 6a^ZgZq!IG)}o #b2zޘ8,Ye)+փފ> rF@Yj$GP56:nZl.Z~뺇V YzGgT,Cߑ7WHG7LH3 "+CO 2O_H"5񠳔]ΰ*@[`g* sn Q&@Ĕv7UI,Q/x ` 3 u|`EP00y?v?]_ ցAffp͒w\j:rtT(ʁ2|{C` > c<[7gΥiCZ<& .ycI ^yN4xXX ?2ڔwȗY AaP8Z  +z+U'I]U@)9CȮ KDU8k|.O蠿YV^*_ӄ^I+] / PIZ WuGs_Ч6#&To`9ꍫ/{M"O'Uݽ$' W¶V-r5ut_NW_ڗe?W?3=d(kyl2/*v(P]6:-f)L=\h^Epɂw]%;飱8/&'Q_lE_VCĨҫSa0L̙7VeS+_6Пxu3K_M:FySA^^ZYAj 'M& ϾL8SD^u'Vn"#(( FFyʻMAQ~ π>gv~^_nfF9?ϴ/3ʡ{_ fz'c|:'dv2t2;w?;d'esF9g QށNF9e^\f%eu݌wAt3OK7C\\e5u^=@?֗_sV99@rߛ o2ڿ\'I72q S*R~/2苬+ OY射<(? }VV<_`]fkWt.rg_2 ̭L_Wfr]!,.5PUZk /Y[3ݴq  | #r =Mԅ.nmG;yh#ֽ2"T_;Yo[췡^2TVl<-t&j\e9ͣf(+@J~@qa:f(Auž^ ebpbV`,1x|s&pN!3J8?0 fZ g8 a箩%g7CtF ۘsqo8uc0L ;J墦 V˕R;qO+F"ð""C^tP*R%}a`rX*V&K=# .=m^t f -ϡ'!pC>fJ-@ P1=:1 hۨ*ۼx0%aw8c+x;b(q ?,(sT[\FlBCVx3ϩ^ocƥ 6%dή1vkC']SL3O,O~f+g  تGШswӦB~`̀tWЫHGw. hJ/.ӡGx#KQ,Vk{ `V{9d [2FlX jXJr h;9_\$ǖ]`>s/R:=fՇ<0 ;V.򡟼O$ p.7 }/ٖ`QNߏnҸ؅Ivm4y>^ >qv|5h_uiHN,'c@诿J`Xkt JV7M5"f8̆I ůD|݅>Ϯ~r!n A#}qf+6yeWw-}f~K5 D 9bW{6M1L٥]FF ~1'~#pIi/ 0S\Ɨq/W?Ah"v]!6 R Ň%?1=`ϻ.Zs{LxŇ ?>KGJ Ǝ$z &o9/s{Pd>x*8" "H "s{B|%ijP%n3!L'KYNcӄ2t~SW, {+2‡_i 궯EݩcEi_cͅx{p1jÏ,?hPxUE0P$=Cf K P%)^xjA߭ed#əW B| ,*- O*_HQq1^R”s]q퀷*5zto4ZOe;BI<-<>,D*9"[o %P@EikA/?mwI3軉fKNvޒ{־( ;C7'[nI 5E`1v4`ehDSL/Tvy* *>% /)i+%:Ɛ=-)0p,\ftO#m2` G&ʖ$߀)0t1r:Y W96O~0qGĶ2C|R2͜epvRv ?93_-rxgsq@NDqDgPy 6s6`^|˼+AўYmw0w>L/#]Z$&+$~Il=au+Wrcd+{f:ePfEXl'!R}+Kei$Viؕ[Vmx~{ݺŀg kOTg{*.uf9Z7l#* XGڢZ QaW:~n`P[zw0XjPtP9˓z0 9\Mhc{pfif#3S3 {τ ixv4<5TF_E@G7dyUĔfٵ\RKnrmmSk }˦bN܌aBzar L%g% s^೐|,/A-r*r*]xD4;NbŠӞ_yfϸȅv0,#ŠN|]墵t1^ʳe_:kt_xH%L=C qFk+O(QF2p?ZQ|ڽ^`gh[^z8)-Gӽn D>Vl/?$+e={`ݯs g\JBS+$X/WfLNƇ̚J܄;66BKFslx61`)