Security News > 2006 > March > Bringing Botnets Out of the Shadows

Bringing Botnets Out of the Shadows
2006-03-22 07:39

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/21/AR2006032100279.html By Brian Krebs washingtonpost.com Staff Writer March 21, 2006 Nicholas Albright's first foray into some of the darkest alleys of the Internet came in November 2004, shortly after his father committed suicide. About a month following his father's death, Albright discovered that online criminals had broken into his dad's personal computer and programmed it to serve as part of a worldwide, distributed network for storing pirated software and movies. Albright managed to get the network shuttered with a call to the company providing the Internet access the criminals were using to control it. From that day forward, Albright poured all of his free time and pent-up anger over his father's death into assembling "Shadowserver," a group of individuals dedicated to battling large, remote-controlled herds of hacked personal PCs, also known as "botnets." Now 27, Albright supports his wife and two children as a dispatcher for a health care company just outside of Boulder, Colo. When he is not busy fielding calls, Albright is chatting online with fellow Shadowserver members, trading intelligence on the most active and elusive botnets. Each "bot" is a computer on which the controlling hacker has installed specialized software that allows him to commandeer many of its functions. Hackers use bots to further their online schemes or as collection points for users' personal and financial information. "I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating." On a Sunday afternoon in late February, Albright was lurking in an online channel that a bot herder uses to control a network of more than 1,400 hacked computers running Microsoft Windows software. The hacker controlling this botnet was seeding infected machines with "keyloggers," programs that can record whatever the victim types into online login screens or other data-entry forms. Albright had already intercepted and dissected a copy of the computer worm that the attacker uses to seize control of computers -- an operation that yielded the user name and password the hacker uses to run the control channel. By pretending to be just another freshly hacked bot reporting for duty, Albright passively monitors what the hackers are doing with their botnets and collects information that an Internet service provider would need to get the channel shut down. Albright spied one infected PC reporting data about the online activities of its oblivious owner -- from the detailed information flowing across the wire, it was clear that one of the infected computers belongs to a physician in Michigan. "The botnet is running a keylogger, and I see patient data," Albright said. The mere fact that the doctor's PC was infected with a keylogger is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which requires physicians to take specific security precautions to protect the integrity and confidentiality of patient data. "The police need to be notified ASAP to get that machine off the network." A little more than an hour and a few phone calls later, the doctor's Internet service provider had disconnected the infected PC from its network and alerted the physician. Albright sent an e-mail to the FBI including all the evidence he collected about the attack, but he wasn't terribly sanguine that the feds would do anything with it. "Anything you submit to law enforcement may help later if an investigation occurs," he said. "Chances are, though, it will just be filed away in a database." A Spreading Menace Botnets are the workhorses of most online criminal enterprises today, allowing hackers to ply their trade anonymously -- sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking Web sites. As the profit motive for creating botnets has grown, so has the number of bot-infected PCs. David Dagon, a Ph.D. student at Georgia Tech who has spent several years charting the global spread of botnets, estimates that in the 13-month period ending in January, more than 13 million PCs around the world were infected with malicious code that turned them into bots. Botnets typically consist of Microsoft Windows machines that belong to small-business or home-computer users who failed to secure their PCs against hackers and viruses. Their machines are typically infected when the user opens an infected e-mail attachment. While firewall and anti-virus programs can help block such attacks, online criminals are increasingly developing programs that evade detection or even disable security software. "What I've seen from my work with Shadowserver has blown me away," said André M. Di Mino, 40, a private technology consultant from Bergen County, N.J. Di Mino teamed up with the group in October after he left a job as a chief information officer at a business-services company. "I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs. Catching Viruses With Honey When he's not manning the deli counter at a supermarket in Liverpool, England, 20-year-old Shadowserver member Dave Andrews is usually poring over new computer virus specimens. (Unlike Andrews, the vast majority of the volunteers are located in the United States.) Like most other members, he began fiddling with computers and programming at an early age. Four months ago, Andrews was on track to become a computer-systems engineer in the British military, but he said he was honorably discharged on account of a recurring physical injury. Most of the Shadowserver crew have backgrounds in computer security, and they are all volunteers who spend most of their free time on the project. Andrews's virus specimens were collected by an automated software tool designed to catch new pieces of computer code that criminals use to infect PCs and turn them into bots. Shadowserver locates bot networks by deploying a series of "honeynets" -- sensors that mimic computers with known security flaws -- in an effort to lure attackers, allowing the group to capture samples of new bot programs. Most bots spread by instructing new victims to download the attacker's control program from a specific set of Web sites. By stripping out those links, Shadowserver members can begin to build a map of the attacker's network, information which is then shared with several other botnet hunting groups, security volunteer groups, federal law enforcement, and any affected ISPs or Web site hosts. Each unique piece of intercepted bot code is run through nearly two dozen anti-virus programs to determine if the code has already been identified by security vendors. Shadowserver submits any new or undetected specimens to the major anti-virus companies. Andrews said he is constantly surprised by the sheer number of bot programs that do not get flagged as malicious by any of the programs. "Generally, one or two [correct identifications] is considered good, but there are hundreds of bot programs that each anti-virus program doesn't catch on their own," Andrews said. In Andrews's experience, by far the most common reason criminals create botnets these days -- other than perhaps to sell or rent them to other criminals -- is to install online ad-serving software that earns the attacker a few pennies per install. "The majority of these [botmasters] are hardcore users who repeat over and over, because it can earn them money by the installation of adware," he said. A Thankless Job Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots. "The botnets we've already shut down have a real possibility of popping back up again tomorrow," Albright said. Such constant attacks and setbacks can take an emotional toll on volunteers who spend countless hours not only hunting down bot herders but in many cases notifying the individuals or institutions whose networks and systems the hackers have commandeered. This is largely a thankless job, because in most cases the victims never even respond. David Taylor, a senior information security specialist at the University of Pennsylvania, knows all too well what botnet-hunting burnout feels like. Taylor was invited to join Albright and the Shadowserver crew following a story at washingtonpost.com detailing his conversations with a botmaster named "Diabl0." The hacker bragged about making money with his botnet through adware installations. (Diabl0 -- an 18-year-old Moroccan national named Farid Essebar -- was eventually arrested on suspicion of authoring the "Zotob" worm that infected hundreds of companies in a high-profile attack last fall.) A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems. Working a week straight, Taylor located nearly all of the infected machines and had some success notifying the owners of those systems, but the Taiwanese ISP the hackers used to host their control center repeatedly ignored his requests to shutter the site. Since that incident, Taylor has distanced himself from bot hunting -- if only, he says, to make time for other interests. These days he spends most of his spare hours doing something far less stressful -- painting. "Bot hunting can really take over your personal life, because to do this right you really have to stay on top of it -- it can't just be something you do on the weekends," he said. "I guess it takes a special type of person to be able to sustain botnet hunting. ... I don't know anyone who pays people to do this kind of work." Recent media attention to the Shadowserver project has generated interest among a new crop of volunteers eager to deploy honeynet sensors and contribute to the effort. Albright says he'll take all the help he can get, but he worries that the next few years will bring even more numerous and stealthy botnets. "Even with all the sensors we have in place now, we're still catching around 20 new unknown [bot programs] per week," he said. "Once we get more sensors that number will probably double." Albright said that while federal law enforcement has recently made concerted efforts to reach out to groups like Shadowserver in hopes of building a more effective partnership, they don't have the bodies, the technology, or the legal leeway to act directly on the information the groups provide. "Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view." "It's going to get a lot worse in the next two years. We need a taskforce or law enforcement agency to handle these types of intrusions ... and that needs to be all they do," Albright said. "Sadly, without more law enforcement support this will remain a chase-your-tail type game, because we won't ever really shut these networks down until the bot master goes to jail, and his drones are cleaned." © 2006 Washingtonpost.Newsweek Interactive _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org


News URL

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/21/AR2006032100279.html