Botnets are an insidious fact of the modern Internet. Botnets are groups of computers from all around the world that have been infected through some form of malware which, after infection, respond to instructions from a remote computer. They are used by cyber criminals to launch distributed denial of service (DDoS) attacks, to generate spam, and to execute a wide variety of other exploits. On January 13, 2012 The Hacker News reported that Microsoft launched a real-time, hosted, threat intelligence feed that tracks the status of botnets that are creating havoc on the Internet. Yesterday, Kaspersky Labs issued a short slideshare that summarizes the botnet statistics for their use in DDoS attacks in 2014.
Legendary Botnets
The cybersecurity private sector community has recently been working hand-in-hand with public sector law enforcement agencies to take-down these incidious botnet. For example, Microsoft was one of the parties to the take-down of the Rustock botnet on March 16, 2011. Rustock targeted flaws in the Windows operating system and was capable of sending up to 25,000 spam messages per hour from an infected computer. Rustock’s signature spam was a pharmaceutical offering. Operation b107, as the Rustock take-down was called, was a joint effort by Microsoft, privately-owned FireEye, the University of Washington, and U.S. Federal law enforcement agents. During the Rustock operation, beginning in 2006, this botnet was responsible for infecting up to an estimated 2.5 million computers. After the closure of McColo, Rustock’s San Jose-based Internet Service Provider (ISP), it temporarily lost its link to the command and control server. But connectivity to the botnet was regained by Rustock’s operators and by August, 2010, there were still an estimated 1.3 million infected computers generating spam from Rustock. Crippled, but not slain, these computers were still generating about 46 billion spam emails per day according to Paul Wood a MessageLabs intelligence analyst with Symantec.
But Rustock was not the only legendary botnet. Another botnet, known as Waledac, was spread by coupons and fake New Year’s e-cards that were sent to unsuspecting victims. Mikko Hyppönen, chief research officer at anti-virus provider F-Secure, reported that this botnet was exploiting a known vulnerability in Adobe Flash and Microsoft’s Internet Explorer. The payload for this botnet was a Trojan that gave the cybercriminals full access to the user’s PC, executed spam and participated in DDoS attacks. With Waledec the command-and-control servers were also capable of downloading fake anti-virus protection programs. What made this botnet so dangerous were the various permutations it went through during its lifetime. It even added a geolocation feature during one of its variants. This was a social engineering feature not seen before by security experts. Another version of Waledec also spoofed a Reuters news site warning of a bomb blast in the recipient’s city. The goal was to dupe users into clicking on a video link that would install the Trojan and extend the reach of the botnet.
Another high profile case of a botnet countermeasure with Microsoft cooperation was the Kapersky Lab take-down in 2011 of Kelihos/Hlux. This was a very sophisticated botnet that targeted consumers of financial services. Tilmann Werner of Kapersky Labs notes that this botnet used pump-and-dump stock scams, and was responsible for theft of sensitive financial information. It also served as a vehicle for spam and DDoS attacks. In essence, the botnet has been ‘sinkholed’ or taken over by the Kapersky Labs. This means that the command and control servers are now under the control of white hat hackers that are systematically terminating the operations of the “worker” or host botnet computers. Werner reports that, as of September 29, 2011, they had 3,000 hosts connected to the sinkhole every minute. While Microsoft used a legal route to disable the domains and identify the responsible parties Kapersky Labs concentrated on disabling the command and control servers for the botnet. One of the innovations of this peer-to-peer botnet was its architecture which allowed for fast reactions against take-down attempts.
For cyber security analysts the take away lesson from these three legendary botnets is that these robot armies are becoming more and more sophisticated. This raises obvious questions about the role of government in the management of these risks for individuals and companies.
As a consequence, private sector initiatives, such as those being implemented by Microsoft, Cyvelliance and others with real time threat intelligence feeds will help cyber security experts manage the risks and fill in the public policy gaps until Congress has a chance to catch up.
In the meantime, individuals need to take action to install malware protection programs from trusted sources to make sure their computers do not become tools of the cyber criminals seeking to exploit others.
Botnets do not rule…at least for a while longer, humans do.