Botnets remain a major challenge for infosec professionals. Companies such as Microsoft and Symantec have proclaimed success using legal and technical countermeasures to disrupt a few of the Internet’s more egregious botnets, but we’re not likely to shrug ourselves free of this scourge anytime soon. The growing sophistication of the malware used to propagate bots—seen, for example in 2012’s peer-to-peer ZeroAccess bot—combined with creative monetization schemes, make botnets resurface almost as quickly as they are knocked down.
After a CrowdStrike dismantling in March 2012, the Kelihos 3 botnet, reestablished itself within 20 minutes of a significant takedown. There are steps security pros can take to help keep bots off their networks, but the infections and cyberattacks that botnets are sometimes used to launch, remain hard-to-detect malware threats for websites and increasingly, mobile devices.
As much as anything, botnets are about the money. Consider the ZeroAccess bot. First identified in 2011, ZeroAccess ranked at the top of security researchers’ malware threat lists in Q4 2012. The peer-to-peer bot network is estimated to have 200,000 “supernodes” controlling 10 times that number of zombie computers at any given time, according to Kindsight Security Labs.
ZeroAcess exemplifies what security researchers say is a growing problem for Google’s AdWords, Microsoft’s Bing Ads (formerly Adcenter) and online advertisers—automated monetization schemes known as malvertising and pay-per-click ad fraud. Botnet masters can infect and partially control millions of zombie computers, which, unbeknownst to end users, click on ads hosted on legitimate and fraudulent websites in an effort to game pay-per-click advertising on online search engines.
“From a malvertising perspective, we see an increasing trend of ads whose destinations are modified by the bots to other sites, which probably paid the bot masters for that service,” said Ziv Mador, the director of Security Research for the SpiderLabs team at Trustwave.
“Every fifteen minutes [ZeroAccess] will contact the Command and Control (C&C) site and get a list of ads to click on and it continues to do that throughout the day, twenty-four-seven,” said Brendan Ziolo, vice president of marketing at Kindsight, which estimates that the ZeroAccess bot is earning about $1 million per day. “They are basically getting paid to click on ads hosted on people’s websites. Potentially, they are actually operating these websites that are clicking on the ad,” he said. “On an individual bot basis, it is tiny, but when you add it up to the full size of the botnet itself, it can become quite significant.”
Nor is click fraud, the only scheme out there for making botnets profitable. In the case of Bitcoin mining, the network of bots, literally, create money out of computer processing cycles. The workings of Bitcoin, perhaps the most widely used alternative (non-state-issued) currency in the world, are beyond the scope of this article, but currency within the system is given value (as it is in any money system) by its scarcity; and in this system, the scarcity is created by requiring that money be processed by computationally intensive procedures. Having a great deal of computational power enables you to create Bitcoin value more quickly.
Harnessing that power from computers owned by others means you are able to do it at no cost. It’s the sort of application a botnet creator might dream of.
Kindsight offers botnet detection and remediation services to Internet service providers. The company’s NIDS (Network Intrusion Detection System) uses an offline sensor, which is deployed at aggregation points on service provider networks. It analyzes network traffic using signature-based intrusion detection technology that hones in on the protocols used in C&C and peer-to-peer communications, according to Kevin McNamee, the security architect and director of Kindsight Security Labs. The C&C protocols are far less likely to change than the malware itself, which is modified and repackaged continually to outpace antivirus software—to the tune of about 15,000 distinct versions of the ZeroAccess bot in the lab’s malware sample database.
Last year, two versions of the ZeroAccess bot consistently ranked as active, high-level threats, according to Kindsight’s analysis of data collected from its service provider deployments. The newer version, Botnet.ZeroAccess2, which emerged in Q2 2012 and uses an UDP-based C&C protocol, ranked as the top high-level threat in the second half of the year. Botnet.ZeroAccess1, which uses an encrypted P2P protocol, according to Kindsight’s data, dropped to 12th by Q4 2012, and appears to be “winding down.”
At the RSA Conference 2013 in February, Kindsight introduced a Botnet Security Service to address what it said is a growing problem. According to company data, malware generated by various botnets accounted for four out of the top five home network infections in 2012: Win32.Bot.ZeroAccess, Win32.Backdoor.TDSS, Win32.Trojan.Alureaon.A and MAC.Bot.Flashback.K/I. Of the 13% of home networks infected with malware in 2012, almost 50% had a botnet-related issue, and 7% of broadband customers were infected by a botnet, banking Trojan or rootkit.
Macintosh systems were not immune. The Mac Flashback bot, used for ad-click fraud and to steal passwords, emerged as the top malware threat in Q2 2012, according to Kindsight’s data. At its peak in April 2012, it infected 1.1% of homes (roughly 10% of homes with Mac computers, according to the researchers’ estimates). Spread via a Java applet, the fake Adobe Flash update, ended the year in the top five home network infections detected in Kindsight deployments.
Blasts from the Past
Previously, botnets, such as Cutwail, were spam-based, observed Ziolo. The botnets sent out massive numbers of unsolicited emails per day, but most researchers have seen declining levels of spamming. According to Kindsight’s data, this trend continued in the second half of 2012.
Trustwave has reported similar findings. “The volume of spam has significantly decreased during the last couple of years,” Mador said. “However, a much larger portion of it now includes malicious links and attachments, and the impact on users is, therefore, higher.”
According to the 2013 Trustwave Global Security Report, released in February, 75.2% of inbound emails at most organizations are considered spam, and 10% of it is malicious. Cutwail sends 80% of the malicious spam, while 85% of “general” spam is generated by seven botnets, out of thousands.
Used in tandem with exploit kits, botnets are reaching even higher levels of criminal activity and effectiveness, according to Mador. “The malicious spam often includes links to pages of exploit kits, most commonly Blackhole,” he said. “The exploit kit uses an arsenal of exploits to infect the local computer. Then typically it installs malware.” Trustwave’s research indicates that these types of campaigns actually work; in one instance, 10% of users clicked on the malicious message link to the Blackhole server.
Malware is also using sophisticated methods to embed itself and hide, according to researchers. “Botnet.ZeroAccess.1 actually installs two copies of itself, so that if one copy is detected and eradicated, the other copy just takes over,” said Ziolo,” so they have built redundancy into the whole system itself.”
Mobile Malware Threat
Botnets for mobile networks have started to emerge and some security researchers expect the numbers to increase in 2013. “The term botnet here would be applied loosely as a system that can send and receive C&C messages to a central host,” explained Mador. Spam Soldier is an SMS spamming botnet that is used to send premium rate messages on Android devices without the users’ knowledge (until they see the bill).
A mobile version of the Zeus banking Trojan (known as Zeus in the Mobile or Zitmo) emerged in 2011, according to Derek Manky, global security strategist at FortiGuard Labs, a division of Fortinet Inc. Zitmo targets multiple mobile platforms and has been known to bypass SMS two-factor authentication, to steal banking data using mobile transaction authentication numbers.
Security researchers at FortiGuard Labs studied Zitmo in 2012, and determined that it has many of the same features and functionality as PC botnets. Based on this feature parity, the security team expects to see new forms of Denial of Service attacks in 2013, stemming from cross-platform botnets made up of infected mobile devices and infected PCs, which are simultaneously acting on commands from the same C&C and attack protocol. (See the FortiGuard 2013 Crimeware report.)
As employee-owned smartphones and tablets take hold in the workplace, the bring your own device (BYOD) environment poses malware threats for enterprises. “The real danger with BYOD is that most organizations have a fairly unsecured and uncontrolled device on the internal network,” said Mador. “It would be easy to spearphish one user in an organization to install one bad piece of Android malware.” Organizations should use firewalls to separate BYOD devices from the rest of the corporate network, he advised, with adequate protections from internal and external threats.
Security researchers expect to see more issues related to Android malware in 2013. Android malware also ranked in Kindsight’s top 20 malware threats for the first time in Q4. The Trojan.Wapsx is described by researchers as a “trojanized app” that steals information from Android devices. According Kindsight, 0.5% of mobile devices (Android and laptops tethered to mobile devices and networks) were infected with high threat level malware in Q4 2012 up from 0.3% in Q3 2012.
Trustwave’s Mador does not see signs that botnets are increasing. “But as with the other metrics,” he cautioned, “it doesn’t necessarily reflect on the threat that these botnets impose on consumers and on businesses.”
The Microsoft Digital Crimes Unit has worked within the legal system, and with technical partners, to successfully disrupt six botnets in three years.
Earlier this year, Microsoft partnered with Symantec to disrupt the Batimal botnet, which the companies claimed was infecting 8 million computers and hijacking online searches in order to perform ad-click fraud. Microsoft filed a lawsuit on January 31, 2013 against the botnet’s operators “to sever all the communication lines between the botnet and the malware-infected computers under its control,” according to blog written by Richard Domigues Boscovich, assistant general counsel, Microsoft Digital Crimes Unit. The court agreed with Microsoft and the company seized evidence from the botnet’s Web hosting facilities in New Jersey and Virginia, with help from U.S. Marshals on February 6. In what many viewed as an unprecedented move, Microsoft used C&C communications to forcibly redirect infected Windows computers to a Web page that told users about the malware and how to remove it.
“Microsoft’s activities are important because quite often they end up with bringing the people behind these criminal activities to justice,” said Mador, formerly a Microsoft Malware Protection Center senior program manager, who worked closely with the Digital Crimes Unit during his 15-year tenure at the company. “That raises the risk for people who are involved in cybercrime or who consider doing that.”
Without international cooperation, botnets can simply switch servers and re-emerge within minutes or hours. Botnet organizations often choose Russia and Eastern Europe as a base because it is easier to avoid prosecution, according to Fortinet.
“The key thing that needs to happen to get this to expand further,” said Alex Harvey, Fortinet security strategist, “is we need to get an international approach. So that if we determine that a botnet is sending millions of messages a day—the command servers are in Russia, part of the infrastructure is in Spain, and the bots are in North America —there has a be a way for all of these groups to cooperate in real time, or really quickly. Because when you take down a botnet, if you don’t take down the whole structure at the same time; it is very easy for these guys to seize control and redirect all that traffic somewhere else.”
At the RSA Conference 2013 in February, Tillmann Werner, the senior security researcher at CrowdStrike Inc. demonstrated a real-time takedown of a global peer-to-peer network. The demonstration was based on attacking the Kelihos botnet using a sinkholing technique to replace C&C communications on a P2P network. During the demonstration, Werner showed how he had coordinated the takedown with government and law enforcement organizations.
In addition to policies and disaster planning, security researchers advise enterprises to adopt a multilayer strategy to defend corporate assets against botnet infections and the DDos attacks that botnets may be harnessed to carry out.
According to Trustwave, a defense strategy should include the following:
- Secure Web gateways – These appliances filter Web traffic and block malicious content. Devices that rely on URL reputations may not be as effective when it comes to blocking exploit kits. “We saw one exploit kit, which modified its links on an hourly basis,” said Mador.
- Secure email gateways – These devices keep spam, including messages with malicious links and attachments, from reaching corporate email boxes.
- Antivirus software – “These products can still block infection by bots quite often,” said Mador, “in spite of the spike in the number of malware samples, and how frequently they are updated.”
- Web application firewall – A server plug-in, appliance or filter designed to protect Web servers at the application-layer, by blocking code injections such as cross-site scripting, malicious links and files.
It’s important to know how botnets work, and to continue to educate end users about best practices when it comes to opening email attachments and downloading unknown software.
Finally, organizations must also pay attention to attacks that cause their own servers to be used as a malware distribution point. Once a server has been detected as compromised and now distributing botnet malware, websites hosted on it have to be thoroughly cleaned, according to Mador. And this includes databases running “behind” the website: This means scanning the content carefully, looking for non-alpha numeric characters, hidden links and related elements, and checking the integrity of connected databases. “In the case of SQL injection,” said Mador, “some database entries may include short script code.”
Expect an increase in malware activity throughout the balance of 2013. And expect it on mobile devices as well. As with other aspects of security, a multilayered defense and continuing end user education offer the best strategy against botnet infections.
About the author
Kathleen Richards is the features editor at Information Security magazine. Contact her at [email protected]