ITadviser, Winter 2009, p. 15
Security
Over the last year, the incidence of botnet (or zombie) attacks has been growing rapidly. Some service providers around the world have already begun to take action against botnets [1], and there is increased interest from others, and from private companies, in dealing with this serious security threat.
Botnets are most closely associated with compromised computers being used to send out spam email. However, the threat is much wider than that. At the other end of the scale, criminals rent out botnets to harvest personal banking and security credentials, mount serious commercial attacks, steal money or commit fraud. Both individuals and businesses are being targeted. Legitimate web sites are being compromised so that they deliver malicious code to the sites' visitors (so-called 'drive-by' infections). Botnets are also being used to mount DDoS attacks on businesses, which can have serious consequences: Twitter was recently the victim of a DDoS attack and was temporarily taken offline [2].
These are not trivial threats. There is a significant amount of money to be made in harvesting banking information, launching blackmailing DDoS attacks, or simply renting out the zombie army for someone else to use. So there is continual recruitment and development of these armies, as well as investment in the 'command and control' infrastructure by 'bot herders', the individuals or organisations which control a botnet.
Botnets can be hugely sophisticated and very resilient, with their own forms of disaster recovery built in, so they can continue to function even when attacked.
Recent research by Trend Micro [3], which gives some idea of the scale of the problem and the difficulty of disinfection, found that the industry had underestimated how long PCs stay infected with bots. Across 100 million compromised machines, the company found that the average infection lasted 300 days, not the estimated six weeks.
The scale of individual botnets can also be very large. Recently a botnet of over 2 million PCs was discovered in the UK and US [4], and a Dutch botnet had over 1.4 million machines in the herd [5].
How are you infected?
A botnet is a network of compromised machines, each running a software robot (bot) that can act autonomously under remote control. Bots can be malign or benign, but only malign bots are considered here. Bots are typically delivered by email or from a web site.
Users are now well aware of email-based threats and many have protected themselves in this area, so web-based delivery of bots is increasing. Simply visiting what appears to be an innocent web site can be enough to pick up a malicious download. This kind of threat also evades traditional list-based web content security systems, which rely on prepared lists of good and bad sites: a compromised 'good' site is still on the good list, so the filter lets it through.
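To make the point concrete, here is an added example (not code from the article or from any product it mentions) that contrasts a list-based verdict with a content check on the fetched page. The page, the hostnames, the 203.0.113.7 address and the allow/block lists are all constructed for the example, and the iframe heuristic is this example's own rather than a vendor's rule.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: a site on the corporate allowlist whose HTML has
# had a 1x1 hidden iframe appended by an attacker. The hostnames and the
# 203.0.113.7 address are documentation examples, not real infrastructure.
COMPROMISED_PAGE = """<html><head><title>Local news</title></head>
<body>
<h1>Council meeting minutes</h1>
<p>Ordinary page content that the list-based filter has seen before.</p>
<iframe src="http://203.0.113.7/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

ALLOWLIST = {"news.example.org", "intranet.example.com"}  # assumed lists
BLOCKLIST = {"bad.example.net"}


def list_based_verdict(url, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """A list-based web filter decides on the hostname alone, so a
    compromised site that is on the allowlist is still allowed."""
    host = (urlsplit(url).hostname or "").lower()
    if host in blocklist:
        return "block"
    if host in allowlist:
        return "allow"
    return "unknown"


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="dq value" | name='sq value' | name=bare
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
BARE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def suspicious_iframes(html, page_host):
    """Content inspection of the fetched page: return the src of every
    iframe that is tiny or hidden AND points off-site or at a bare IP.
    This heuristic is the example's own, not a product's detection rule."""
    hits = []
    for tag in IFRAME_RE.finditer(html):
        attrs = {m[0].lower(): (m[1] or m[2] or m[3])
                 for m in ATTR_RE.findall(tag.group(1))}
        src = attrs.get("src", "")
        src_host = (urlsplit(src).hostname or "").lower()
        style = attrs.get("style", "").lower().replace(" ", "")
        tiny = all(attrs.get(d, "").isdigit() and int(attrs[d]) <= 2
                   for d in ("width", "height"))
        hidden = "visibility:hidden" in style or "display:none" in style
        off_site = bool(src_host) and src_host != page_host.lower()
        if (tiny or hidden) and (off_site or BARE_IP_RE.fullmatch(src_host)):
            hits.append(src)
    return hits


def check_page(url, html):
    """Run both checks so the difference is visible side by side."""
    page_host = (urlsplit(url).hostname or "").lower()
    return {"list_verdict": list_based_verdict(url),
            "injected_iframes": suspicious_iframes(html, page_host)}


if __name__ == "__main__":
    print(check_page("http://news.example.org/minutes.html", COMPROMISED_PAGE))
```

The list check returns "allow" for the compromised page because its hostname is trusted; only the content check, which looks at what the page actually serves, reports the injected frame pointing at a bare IP address.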
Some 'phishing' emails will take you to web sites where you may inadvertently download a bot. Your users could bring bots in on laptops or USB drives, potentially infecting your whole network. You can even catch bots by taking part in MMORPGs (massively multiplayer online role-playing games).
Trojans and worms are common ways of joining a botherd. Conficker, which recently cost Manchester City Council over £1.5 million, is a sophisticated, self-replicating worm managed through a command and control structure. You are also a target if you fail to run up-to-date anti-virus software and fail to apply security patches promptly.
Dangers
Once you are part of a zombie army you may notice nothing and be totally unaware that your machine is infected. But the bot is now secretly installed on your computer and can use it to send out large volumes of spam in the background, or to harvest keystrokes, passwords, online banking details, log-on details and so on.
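The spam-sending behaviour described above is one of the few bot activities that is visible from the network edge even when the infected machine shows no symptoms. The following is an added example (not code from the article) of the detection logic a network team could run over firewall logs: it flags internal hosts that open SMTP connections to many distinct destinations directly, which an ordinary workstation has no reason to do. The log lines, the 10.0.0.0/8 addresses and the assumption that 10.0.0.5 is the only legitimate mail relay are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log extract in a simplified iptables-style format.
# The addresses are documentation ranges and the lines are made up.
SAMPLE_LOG = """\
2009-11-03T09:00:01 ACCEPT SRC=10.0.0.20 DST=10.0.0.5 PROTO=TCP DPT=25
2009-11-03T09:00:03 ACCEPT SRC=10.0.0.12 DST=192.0.2.10 PROTO=TCP DPT=25
2009-11-03T09:00:04 ACCEPT SRC=10.0.0.12 DST=192.0.2.11 PROTO=TCP DPT=25
2009-11-03T09:00:05 ACCEPT SRC=10.0.0.12 DST=198.51.100.20 PROTO=TCP DPT=25
2009-11-03T09:00:06 ACCEPT SRC=10.0.0.12 DST=198.51.100.21 PROTO=TCP DPT=25
2009-11-03T09:00:07 ACCEPT SRC=10.0.0.12 DST=203.0.113.30 PROTO=TCP DPT=25
2009-11-03T09:00:09 ACCEPT SRC=10.0.0.12 DST=203.0.113.31 PROTO=TCP DPT=25
2009-11-03T09:00:10 ACCEPT SRC=10.0.0.12 DST=203.0.113.32 PROTO=TCP DPT=25
2009-11-03T09:00:12 ACCEPT SRC=10.0.0.12 DST=192.0.2.10 PROTO=TCP DPT=25
2009-11-03T09:00:15 ACCEPT SRC=10.0.0.20 DST=203.0.113.80 PROTO=TCP DPT=80
2009-11-03T09:00:20 ACCEPT SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=25
2009-11-03T09:00:21 ACCEPT SRC=10.0.0.5 DST=192.0.2.11 PROTO=TCP DPT=25
2009-11-03T09:00:22 ACCEPT SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP DPT=25
2009-11-03T09:00:23 ACCEPT SRC=10.0.0.5 DST=198.51.100.21 PROTO=TCP DPT=25
2009-11-03T09:00:24 ACCEPT SRC=10.0.0.5 DST=203.0.113.30 PROTO=TCP DPT=25
2009-11-03T09:00:25 ACCEPT SRC=10.0.0.5 DST=203.0.113.31 PROTO=TCP DPT=25
2009-11-03T09:01:00 ACCEPT SRC=10.0.0.20 DST=10.0.0.5 PROTO=TCP DPT=25
"""

# Assumed site knowledge: the only host that should talk SMTP to the internet.
RELAYS = {"10.0.0.5"}

LINE_RE = re.compile(r"^(\S+) ACCEPT SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)$")


def smtp_events(log_text):
    """Yield (timestamp, src, dst) for every accepted TCP/25 flow in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "25":
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def direct_smtp_senders(log_text, relays=RELAYS, window_seconds=60, threshold=5):
    """Return {src: peak_distinct_destinations} for hosts that open TCP/25 to
    more than `threshold` distinct non-relay destinations inside any window
    of `window_seconds`. A workstation should only ever reach the relay;
    a spam bot talks to many mail exchangers directly."""
    by_src = defaultdict(list)
    for ts, src, dst in smtp_events(log_text):
        if src in relays or dst in relays:
            continue  # traffic to or from the relay is expected
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        lo, peak = 0, 0
        for hi, (ts, _) in enumerate(events):
            # slide the window start forward until it fits within window_seconds
            while (ts - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            peak = max(peak, len({d for _, d in events[lo:hi + 1]}))
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, n in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct SMTP destinations within 60s, likely spam bot")
```

On the sample log only 10.0.0.12 is reported: 10.0.0.20 talks SMTP solely to the relay, and the relay itself is exempt because reaching many mail exchangers is its job. Tune the threshold and window to the site; a host that fans out to dozens of MX servers in a minute is the pattern to look for, not the count itself.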