Monday, October 8, 2007

web bot

Some ISPs try to be helpful with security, offering discounted or bundled software and pages of advice. But when you get in trouble and your system is infected with malware, they don't do anything to stop you or contain the problem. You could be spamming people all over the world, running phishing sites, all without your knowledge, and your ISP won't do anything.
Now Qwest is standing up and separating itself from the apathetic pack. In what is roughly a consumer ISP implementation of the enterprise technology known as NAC (network access control), Qwest will warn, and ultimately block, users whose systems are performing malicious activity.

The company is vague about the details, but they monitor their network for malicious activity, which isn't all that hard to do. When they detect a customer who may be infected and is acting as a "bot," the next time a user on that account connects they are brought to a special Web page that explains the situation to them and provides specific instructions on how to disinfect the system.

SMTP (for outbound e-mail) is also blocked, so the user cannot send e-mail, but they need to open their browser to find out what's going on. The notice will be there in the browser no matter where they attempted to navigate.

Computer scientists in Menlo Park are releasing a free diagnostic program today to help network administrators find PCs infected with an insidious new type of virus that has already tainted millions of computers and used them to generate billions of spam e-mails.

Since this malicious program, variously called Peacomm or the Storm Worm, appeared in January, it has infected upward of a million PCs, each capable of sending out about 28,000 spam e-mails a day, according to Phil Porras and Vinod Yegneswaran, computer scientists at SRI International in Menlo Park, the nonprofit think tank that is releasing the newest version of its BotHunter tool.

A botnet is the nickname given to illicit computer networks created by malicious hackers who write a type of program called malware. Once the malware gets onto a PC, it hides and creates a sort of electronic alter ego that surfs or otherwise connects to the Internet - without the knowledge or involvement of the PC's human owner.

These infected PCs are called zombies because they take orders from afar, and what makes Peacomm such a particular annoyance is that it uses infected PCs to send out spam e-mails, which not only annoy recipients but slow down the infected PC in subtle ways that may escape the attention of the owner, Porras said.

Peacomm also uses some new tricks to cloak the Internet server, or mother ship, that controls its vast network of zombies. Porras said this has helped it grow, because the current bot-killing strategy - trace commands back to the server and take it off the Internet - has not worked because the mother ship has so far been able to conceal its location.

So the new SRI tool tries to attack the problem from the other end, by giving network administrators at corporations, schools and other institutions the ability to find infected computers on their networks and take steps to cleanse them, Porras said.

But the tool is not intended for use by consumers who get their high-speed connection from an Internet service provider such as Comcast or AT&T. Instead, it would be up to the ISPs to download this tool, or use some other means to find Peacomm-infected PCs, said Johannes Ullrich, chief research officer for the Internet Storm Center, a network security organization.

But even if an ISP finds Peacomm-infected zombies in its network, there is no cheap or easy way for the company to fix the consumer's problem, Ullrich said.

"When the user calls in, it costs about $50 and wipes out one year of profit from that customer," Ullrich said.

Not surprisingly, the Bay Area's big ISPs, Comcast and AT&T, were eager to point consumers to their Web sites and suggest that all the protections and answers were to be found there.

Comcast spokesman Andrew Johnson said all of the company's Internet subscribers have access to a free copy of the McAfee anti-virus program that, he said, could detect and defeat Peacomm. AT&T Spokesman John Britton pointed consumers to a similar set of online protections available through its alliance with Yahoo.

Ben Greenbaum, senior research manager for Symantec, another security program vendor, said his company's anti-virus tools can also detect and defeat Peacomm.

But the SRI researchers who put out the BotHunter tool say this particular malware changes itself so often that they fear anti-virus tools may be falling behind, which puts more onus on network administrators - whether they run a corporate net or an Internet service community - to scour their networks for Peacomm.

"This is very close to a vaccine," said Rick Wesson, an Internet security expert with Support Intelligence in San Francisco.

Enterprises may rest a bit easier now that Symantec is going after botnets, with the expansion of its Managed Security Service to include the Global Intelligence Network (GIN).

The new service scans network traffic for threat data sources, identifies malware and checks traffic against known blacklists. The service includes botnet detection at no extra charge.

"Bots," of course, are tiny applications surreptitiously installed on a computer and used for malicious tasks like sending spam e-mails or launching a distributed denial of service (DDoS) attack. They're designed to remain hidden and operating in the background, waiting for orders from a remote "command and control" server. A group of bots under the control of one individual or command and control server is called a "botnet."

There's no truly accurate measure of how many bot-infected computers are out there, but the number is usually cast in the millions.

Not surprisingly, Symantec recorded 2,000 bot-related incidents in September alone. Without its new botnet detection methodology, the company would have missed around 55 percent of those infections, according to Grant Geyer, vice president of managed security services at Symantec.

GIN monitors known command and control servers, which are only a few thousand in number compared with the likely millions of bots. The service tracks where these servers send their instructions, and by tracing their outbound traffic, Symantec is able to find bot infections.

Within 10 minutes of discovering a botnet, GIN notifies customers of problems and the suspected IP address to be cleaned. It also provides them with all of the evidence that led to the conclusion of infection. The solution isn't perfect because it finds infections only after the fact, but it helps, Geyer said.
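As an added illustration (not code from any of the quoted articles, SRI's BotHunter or Symantec's GIN), the Python below applies the two checks the article describes, matching outbound traffic against a blacklist of known command-and-control servers and flagging hosts with spam-like outbound SMTP volume, to a constructed set of flow records, and returns the evidence per suspected host the way GIN's notification does. The log format, addresses and threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample of aggregated outbound flow records from an enterprise
# edge: "timestamp src dst dst_port flow_count". Not real traffic.
SAMPLE_FLOWS = """\
2007-10-08T09:00:01 10.1.4.22 203.0.113.7 80 1
2007-10-08T09:00:05 10.1.4.22 198.51.100.9 25 4200
2007-10-08T09:01:10 10.1.7.3 192.0.2.15 443 2
2007-10-08T09:02:30 10.1.9.40 203.0.113.7 80 3
2007-10-08T09:03:00 10.1.7.3 198.51.100.20 25 3
"""

# Constructed placeholder blacklist of command-and-control servers; a real
# deployment would feed this from a maintained intelligence source.
KNOWN_C2 = {"203.0.113.7"}

# Assumed cut-off: a workstation opening this many outbound SMTP flows in one
# window is behaving like a spam bot, not like a mail client.
SMTP_THRESHOLD = 1000


def parse_flows(text):
    """Parse the whitespace-separated flow records into tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, count = line.split()
        flows.append((ts, src, dst, int(port), int(count)))
    return flows


def find_suspected_bots(flows, known_c2=KNOWN_C2, smtp_threshold=SMTP_THRESHOLD):
    """Return {internal_host: [evidence strings]} for hosts that either
    contacted a known C2 server or exceeded the outbound SMTP threshold."""
    evidence = defaultdict(list)
    smtp_flows = defaultdict(int)
    for ts, src, dst, port, count in flows:
        # Check 1: any contact with a blacklisted C2 address is evidence on its own.
        if dst in known_c2:
            evidence[src].append(f"{ts} contacted known C2 {dst}:{port}")
        # Check 2: accumulate outbound SMTP (port 25) flow counts per host.
        if port == 25:
            smtp_flows[src] += count
    for host, total in smtp_flows.items():
        if total >= smtp_threshold:
            evidence[host].append(
                f"{total} outbound SMTP flows (threshold {smtp_threshold})")
    return dict(evidence)


if __name__ == "__main__":
    for host, reasons in find_suspected_bots(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", "; ".join(reasons))
```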

The service should be of particular interest to businesses, even though botnet infection is largely believed to be a consumer problem, since home users have less security in their homes and are more often the target of the bad guys. But corporations are certainly not immune.

Adding to the problem is that in corporate networks with tens of thousands of computers, it's easy for some systems to fall through the cracks. The most famous case came in 2001, when the University of North Carolina found a missing server that had been accidentally walled up by construction workers some four years earlier. The NetWare server continued working dutifully all that time, even though the admins had no idea where it was.

However, Geyer said the bigger risk for infection comes from users taking their computers home than from administrators losing a server to drywall.

"It is very difficult for enterprises to remain secure today," he told InternetNews.com. "Companies will have tens of thousands of systems on the network. If a user takes a laptop home and browses around and gets infected, they can bring it back to the office."

That's not counting the risks associated with bad user behavior in the office -- surfing to dangerous Web sites and setting up unregulated wireless access points or even their own Web servers -- and IT gaffes like failing to configure a firewall properly.

"There's no foolproof means of stopping security threats," Geyer said. "Any organization that suggests there's a silver bullet to solve all security problems is somewhat foolhardy. The trick is to make sure organizations have security options in depth, so even if you can't see initial infections, you can spot the secondary problems that occur."

Once a computer has been infested, it waits for orders from criminal bot herders, who turn these zombie computers into massive bot networks that spew spam and other malware across the Internet.

You may not be able to block the botnet invasion completely, but with layers of bot-hunting technologies and common sense, you can minimize the effect on your network.

'Everybody Gets Bots'
Before you can battle the bots, you've got to understand the scope of the problem. "We've been in denial about the scale of the problem,'' says Michael Barrett, CISO of PayPal in San Jose, Calif.

In fact, in a recent survey of 394 Network World readers responsible for network security, a surprising 43.7% said that compromised clients were not a significant problem. Another 30.2% said that they have not seen evidence that any computer on the network has ever been infected.

Just because nearly three-quarters of respondents aren't on high alert, it doesn't mean the threat isn't there, says Rick Wesson, CEO of Support Intelligence, a San Francisco firm that tracks bot outbreaks. On any given day, his company's honeypot will trap all kinds of insidious and fraudulent spam coming from zombie clients.

"The deal is that these bot herders are pretty smart, operating systems are very vulnerable, and everybody gets bots. Most companies run pretty tight networks, but the idea that you are not going to have bot networks running on your systems is naive. We have a lot of data that says a sizable portion of the Fortune 1000 has bots," he says.

If the Fortune 1000 can't stop bots, smaller organizations and consumers don't have a prayer. The little guys have fewer resources to perform security updates or to monitor their networks and machines for strange traffic patterns, says Ken Lloyd, director of security for security service provider Cyveillance in Arlington, Va. Consumers are at the highest risk because they tend to have the least security, Lloyd says.

"Enterprises have the problem, too, no doubt about it," says Martin Roesch, CTO of intrusion-detection software-maker Sourcefire. Enterprises are most vulnerable to roving machines that aren't properly set up to fight off malware attacks. "That's when there's trouble -- it's people getting spammed over [instant messaging], or Trojans and viruses over IM, or getting these things in their in-box, or surfing where they shouldn't be with vulnerable versions of [Internet Explorer] and Firefox," he says.

In fact, Gartner predicts that 75% of enterprises will be infected by bots by year-end.

Criminalization of the Internet
In the past year, bot herding has taken a disturbing turn to organized criminal activity aimed at making money. The stereotypical teenager out for ego-gratifying distributed denial-of-service attacks is a thing of the past. For example, a high-profile arrest in London last summer involved a 63-year-old, a 28-year-old and a 19-year-old. These people are more organized, more professional and more interested in stealth.

"The amount of effort involved in this would literally take a distribution channel. You have the people making it, the people selling it, the people using it. One person could not do this entire thing from creation to use. Script kiddies are out of the question," Lloyd says. "The people who are running these things are basically into organized crime."

Specifically, bot herders are launching high-paying scams, such as spam, identity theft through keylogging (capturing keystrokes to learn users' names and passwords), click fraud (automatically clicking on ad banners for which advertisers pay per click) and warez (the distribution of pirated software).

The scale and the amount of money involved can be enormous, researchers say. For instance, click fraud accounts for about 14% of all clicks and as much as 20% of the higher-priced ads, ClickForensics says. It cost advertisers an estimated $666 million last year, research firm IncreMentalAdvantage says. The Business Software Alliance claims that a quarter of the world's software is pirated, amounting to billions of dollars in losses for software makers.

Black-market servers -- where people buy, sell and contract for botnets -- are flourishing.

"Bots are a big part of the underground economy. . . . It's a new twist, an explosion that we've seen in the last six months or so," says Oliver Friedrichs, director of emerging technologies for Symantec Security Response. These servers are also the place where criminals sell stolen information obtained from their bots, such as credit card numbers.

Battle of the Botnets
Because bot herders obviously spend resources managing and running their botnets, they have become less interested in increasing the number of networks they manage. Symantec reports that the number of command-and-control servers diminished by 25% in the second half of 2006, which indicates that bot herders are consolidating and making each network larger, the company says.

Strange new attacks have caused security researchers to speculate that bot herders are engaged in turf wars and attacking each other. The goal of some malware may be to disable rivals' drones; in the process, that causes havoc with networks. For instance, one recent worm was directed at machines that had visited a malicious pump-and-dump Web site. It infected the machines with a virus that caused them to reboot continuously, rendering them useless for legitimate work (and illegitimate uses), Web-monitoring firm Websense reports.

Because bot herders are more interested in keeping their millions of infected machines secret, they will activate a machine, blast the spam or run the click-fraud game and quickly shut the connection down. Rootkit infections operate invisibly to the operating system. And bot herders control their machines via HTTP (not necessarily relying on Internet Relay Chat); that means detecting bots on your network is hard to do.

Social-networking Diseases
More worrisome still is that today's bot herders use such techniques as toxic blogs, cross-site scripting and iFrames, which do not require a user to take any action, such as clicking on an e-mail attachment, to become infected. If a PC with a vulnerable operating system or browser visits a Web site or blog that contains malicious code, it is secretly infected. Malicious JavaScript, sometimes in adware, is downloaded automatically to the PC. Then it's directed to other malicious Web sites to receive its commands, and the bot is in business. With the popularity of inexpensive Web-hosting based on shared servers, a hacker can use a single operating-system vulnerability to gain access to dozens of Web servers.

Toxic blogs and cross-site scripting, which involve planting malicious code into an otherwise legitimate site, have been around for years. Bot herders are finding new ways to make use of them, however. Among the more infamous instances was the bot herder who hacked into the Dolphins Stadium Web site just before the Super Bowl -- a time when thousands of people would be trying to buy tickets.

Social networks, too, can become cesspools of malware, because these networks let users upload and share files, data and other potentially harmful code. With iFrames, invisible frames can be used to download undetected malware automatically on compromised Web sites, as well as on blogs and social networks.

"Web sites and social-networking sites -- there's so much personal information on these sites and so many users, it's just a gold mine of info," says Chris Boyd, director of malware research for FaceTime Communications, a Web-monitoring company specializing in protecting real-time applications, such as IM and VoIP.


How to keep your PC bot-free