Security Blog Log: Clues point to bot 'sleeper cells'

This week, security bloggers see signs of a massive bot attack in the works, while Sunbelt Software warns of a Russian Web site selling eBay accounts.

This Content Component encountered an error

---------------------------------------------------------------------------------------------------------

Security Blog Log
Security experts talk all the time about the growing botnet threat; about how the bad guys are quietly hijacking armies of machines to use in massive future attacks.

This week, experts in the blogosphere worried about some troubling activity that could be interpreted to suggest that an unknown number of botnets are preparing for something big.

One such warning came from an information security investigator who goes by the online name SecurityMonkey. In his A Day in the Life of an Information Security Investigator blog, he compares recent bot activity to that of a sleeper cell preparing for a big terrorist attack.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Recent columns:
The sobering scope of data fraud

A DRM threat to lives and infrastructure?

Hacking for grades causes a stir

"These sleeper cells are one or more terrorists that slowly integrate themselves into society without attracting so much as a yawn from the Department of Homeland Security," he wrote. "Attracting far less attention is something that I believe will pose a huge threat to potentially any machine attached to the Internet: sleeper cell bots."

He then directed readers to a March 7 write-up from researcher Juuso Hukkanen in the Newsreader blog describing possible evidence of a future "mass-hack."

"During the last few days a bot using the name FuntKlakow has been registering to at least hundreds (maybe thousands) of phpBB forums," Hukkanen wrote. Next time a critical phpBB vulnerability is announced, he said, the bot will "have everything ready … just a post click away from attacking thousands of sites/forums."

As SecurityMonkey pointed out, Hukkanen noticed something strange, "like a waiter who checks the silverware on his guests' tables before dinner and notices something out of place. [It's] a perfect example of how a sleeper cell network of virtual 'terrorbots' could cause mass havoc in a short period of time."

Up to this point, botnets have been used primarily to relay large amounts of spam and launch distributed denial-of-service (DDoS) attacks.

But, SecurityMonkey said, "imagine if a few of these botnets were convinced to join a noble cause or (were) taken over by other sleeper cell bots. What if they decided to concentrate their attacks on the root name servers? Military networks? Government service Web sites? Or, for God's sake, Starbucks.com! Total mayhem could erupt in the monkey household."

He said the moral of the story is this: Investigators must take the extra time to notice things in everyday life, during investigations and through casual observation that might be significant three days from now, a year from now, or 10 years from now.

"The seemingly harmless act of a new username appearing on a car-talk forum may not raise an eyebrow," he said. "But the behavior of that username (or lack thereof) could be a clue."

eBay accounts for sale
A Russian Web site is offering eBay accounts for sale, according to the blog kept by Clearwater, Fla.-based Sunbelt Software Inc.

While the writing on the site in question is in Russian, Sunbelt Software CEO Alex Eckelberry said the basics of the text are that:

  • They sell eBay and PayPal accounts.
  • They have a Trojan horse that steals account information from eBay logs and prefers to steal accounts with minimal seller/buyer activities.
  • The better the feedback on a given account, the more expensive it is.
  • Real account holder e-mails are available.
  • They even have a list of users to buy.

"As is our normal practice," Eckelberry said, "we have reported this to our security contacts at eBay."

The Sunbelt blog entry includes screen images from the Russian site.

Dig deeper on Information Security Laws, Investigations and Ethics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close