Security Blog Log: Clues point to bot 'sleeper cells'

By Bill Brenner
24 Mar 2006 | SearchSecurity.com


Security Blog Log
Security experts talk all the time about the growing botnet threat; about how the bad guys are quietly hijacking armies of machines to use in massive future attacks.

This week, experts in the blogosphere worried about some troubling activity that could be interpreted to suggest that an unknown number of botnets are preparing for something big.

One such warning came from an information security investigator who goes by the online name SecurityMonkey. In his A Day in the Life of an Information Security Investigator blog, he compares recent bot activity to that of a sleeper cell preparing for a big terrorist attack.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

"These sleeper cells are one or more terrorists that slowly integrate themselves into society without attracting so much as a yawn from the Department of Homeland Security," he wrote. "Attracting far less attention is something that I believe will pose a huge threat to potentially any machine attached to the Internet: sleeper cell bots."

He then directed readers to a March 7 write-up from researcher Juuso Hukkanen in the Newsreader blog describing possible evidence of a future "mass-hack."

"During the last few days a bot using the name FuntKlakow has been registering to at least hundreds (maybe thousands) of phpBB forums," Hukkanen wrote. Next time a critical phpBB vulnerability is announced, he said, the bot will "have everything ready … just a post click away from attacking thousands of sites/forums."

As SecurityMonkey pointed out, Hukkanen noticed something strange, "like a waiter who checks the silverware on his guests' tables before dinner and notices something out of place. [It's] a perfect example of how a sleeper cell network of virtual 'terrorbots' could cause mass havoc in a short period of time."

Up to this point, botnets have been used primarily to relay large amounts of spam and launch distributed denial-of-service (DDoS) attacks.

But, SecurityMonkey said, "imagine if a few of these botnets were convinced to join a noble cause or (were) taken over by other sleeper cell bots. What if they decided to concentrate their attacks on the root name servers? Military networks? Government service Web sites? Or, for God's sake, Starbucks.com! Total mayhem could erupt in the monkey household."

He said the moral of the story is this: Investigators must take the extra time to notice things in everyday life, during investigations and through casual observation that might be significant three days from now, a year from now, or 10 years from now.

"The seemingly harmless act of a new username appearing on a car-talk forum may not raise an eyebrow," he said. "But the behavior of that username (or lack thereof) could be a clue."
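A forum administrator can turn that observation into a routine audit. The sketch below is an added example, not code from the column or from the bloggers it quotes: it flags accounts that registered, never posted and never came back, and notes when several of them signed up on the same day or match a name reported elsewhere. The record layout, thresholds and sample rows are constructed for illustration; only the username FuntKlakow comes from the article.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export: (username, registered, last_visit, post_count).
# last_visit is None when the account never logged in again after sign-up.
SAMPLE_USERS = [
    ("alice",       "2005-11-02", "2006-03-20", 412),
    ("bob_v8",      "2006-01-15", "2006-03-18", 37),
    ("FuntKlakow",  "2006-03-05", None,         0),
    ("xq7lurker",   "2006-03-05", None,         0),
    ("zz_reg_0193", "2006-03-05", None,         0),
    ("carol",       "2006-03-05", "2006-03-21", 3),
    ("quiet_dave",  "2004-06-30", "2006-03-01", 0),   # lurker who still visits
    ("new_today",   "2006-03-23", None,         0),   # too new to judge
]

def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()

def find_dormant_accounts(users, today, min_age_days=14,
                          burst_threshold=3, reported_names=()):
    """Return [(username, [reasons])] for accounts that signed up and went silent."""
    cutoff = _day(today) - timedelta(days=min_age_days)
    reported = {n.lower() for n in reported_names}
    dormant = []
    for name, registered, last_visit, posts in users:
        reg = _day(registered)
        # Dormant: old enough to judge, zero posts, no visit after registration.
        if posts == 0 and last_visit is None and reg <= cutoff:
            dormant.append((name, reg))
    # Many silent sign-ups on one day suggests automated registration.
    per_day = Counter(reg for _, reg in dormant)
    findings = []
    for name, reg in dormant:
        reasons = ["no posts", "never returned after sign-up"]
        if per_day[reg] >= burst_threshold:
            reasons.append(f"{per_day[reg]} dormant sign-ups on {reg}")
        if name.lower() in reported:
            reasons.append("name reported on other forums")
        findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for user, why in find_dormant_accounts(SAMPLE_USERS, "2006-03-24",
                                           reported_names=["FuntKlakow"]):
        print(user, "->", "; ".join(why))
```

Flagged accounts are candidates for review or for a re-verification e-mail, not proof of a bot; long-time lurkers who still log in are deliberately excluded.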

eBay accounts for sale
A Russian Web site is offering eBay accounts for sale, according to the blog kept by Clearwater, Fla.-based Sunbelt Software Inc.

While the writing on the site in question is in Russian, Sunbelt Software CEO Alex Eckelberry said the basics of the text are that:

  • They sell eBay and PayPal accounts.
  • They have a Trojan horse that steals account information from eBay logs and prefers to steal accounts with minimal seller/buyer activities.
  • The better the feedback on a given account, the more expensive it is.
  • Real account holder e-mails are available.
  • They even have a list of users to buy.

"As is our normal practice," Eckelberry said, "we have reported this to our security contacts at eBay."

The Sunbelt blog entry includes screen images from the Russian site.
