Cybercriminal gangs wielding hoards of malware-infected zombie machines are primarily using them for massive spam campaigns aimed at pushing pharmaceuticals, herbal remedies and porn, but they are also often rented out for more nefarious purposes, say experts who monitor them.
Anything you can imagine that somebody might steal in the virtual world, somebody has a botnet that is probably doing it.
Joe Stewart, director of malware research, Dell SecureWorks
Botnets can be used to conduct distributed denial-of-service attacks (DDoS), leveraging the power of infected systems to disrupt and wipe out websites. Botnets often spread malware, and are the main engine behind phishing campaigns or the fuel behind powerful clickjacking campaigns. What started as an amateur activity on Internet Relay Chat (IRC) networks -- using the power of people connected to IRC to knock victims offline -- quickly became a for-profit venture associated with cybercriminal fraud activities, said Joe Stewart, director of malware research at Dell SecureWorks. “Now we see you’ve got governments and hacktivists getting into the game for reasons that aren’t really just money related, Stewart said.”
Stewart and other security experts say many enterprises have zombie machines running on their networks without even realizing it. Rather than being aimed to disrupt systems, the malware is being remotely controlled to seek an enterprise’s most prized possession: intellectual property.
“They’re highly focused on companies and governments,” Stewart said. “Anything you can imagine that somebody might steal in the virtual world, somebody has a botnet that is probably doing it.”
Stewart and other security experts say many businesses are far too reliant on automated systems; big security appliances such as intrusion prevention and detection systems designed to monitor network traffic. They’re calling for enterprises to instead hire skilled IT security pros to proactively monitor those systems and investigate issues. The approach, they say, improves the security systems already deployed in most enterprises by addressing and isolating issues before they become a serious problem.
The good news is some of the malware associated with widely known botnets can be detected using most traditional security appliances and endpoint security software, including antivirus. But a much more serious threat is targeted attacks – particularly those hurled at enterprise employees – that use malware combined with techniques that are designed to evade detection. Once an endpoint machine is infected by stealthy malware, a Trojan embeds itself and then attempts to reach out to cybercriminals for orders. Enterprise network monitoring tools can detect the nefarious traffic and block some of it, but over the years, cybercriminals have become savvy at tunneling communications using strong encryption algorithms, timing communication drops for odd hours when systems aren’t being fully monitored or sending out tiny communication packets that assimilate with normal network traffic.
“You can hope your corporate antivirus [detects botnet infections] at the gateway or on the desktop, but we know from testing that those capabilities don’t have the highest rates of detection,” Stewart said. “If you move into the network realm you can pick up a lot of this activity because it doesn’t change its network fingerprint very often.”
Botnet size doesn’t matter
Stewart said the most powerful botnets are not necessarily the largest. The Flame malware toolkit for example, contained a botnet of less than 200 infected machines in Iran, yet it wielded a powerful arsenal for those behind it. The limited scope of the attack, believed to be a nation-state driven cyberespionage operation, enabled the botnet operators to stealthily eavesdrop on their victims, steal data and capture video for years.
By contrast, Stewart said larger botnets give cybercriminals the advantage of leveraging the computing power of infected computers to spread malware and other malicious activities. They can be used to amplify a denial-of-service attack to take down a website or quickly spread malware and steal account credentials.
The Zeus and SpyEye malware families make up massive botnets that have, for years, wreaked havoc on the financial industry. The botnets spread quickly due to the business model put in place by the cybercriminals behind the malware. Using automated attack toolkits, the cybercriminals set up an affiliate network, rewarding other cybercriminals for infecting machines. Zeus gained notoriety in 2006. The malware can be coded to spoof websites, steal account credentials and drain bank accounts. Security firms have tried to knock out portions of the botnets by disrupting the command-and-control servers associated with them, but despite those efforts, cybercriminals have built-in mechanisms to bring them back online. The most recent effort came from Microsoft, which used legal action to wipe out Zeus botnet servers in the United States.
Detection: The human factor
There is no technology better than a skilled IT pro assigned to look for anomalies on the corporate network, said Johannes Ullrich, chief research officer at the SANS Institute. Skilled system administrators should be inspecting network traffic and system logs, applying creative thought in the process of flagging potential problems for further investigation, Ullrich said. Packet analyzers and other filtering tools can help network security pros determine if suspicious traffic is malicious in nature.
“A lot of enterprises still rely on old, signature-based antivirus,” Ullrich said. “Particularly with [targeted] attacks and these kinds of botnets it depends on individuals at this point.”
The trend at many enterprises has been to outsource network monitoring activities, but Ullrich said that in his experience, outsourced security monitoring usually fails at detecting the targeted attacks and botnet infections that matter the most. Outsourced services follow a checklist and process a specific number of requests per hour, Ullrich said, adding that outsourced services would be better if they played a role in assisting a system administrator to “find the next new thing versus yesterday’s bot.”
“They don’t really understand the business and that’s why some enterprises are going through the expensive process of bringing it back in-house,” he said.
Endpoint security combined with network-based security such as host intrusion prevention (HIPS) technology and other reputation and filtering systems can help mitigate malware infections, said Mike Rothman, analyst and president of Phoenix, Ariz.-based security research firm Securosis LLC. The firm recently concluded its malware detection series that focused on why detection is so challenging. Network security appliances can provide context on application and user behavior, but it requires adjusting and tuning to avoid a serious impact to end users, Rothman said in a blog post describing the firm’s research series. The same goes for Web filtering and reputation-based. “Find a balance that is sufficiently secure but not too disruptive, navigating the constraints of device ownership and control, and workable across device locations and network connectivity scenarios,” Rothman wrote.