Recent press reports reflect that a significant number of corporations, govt agencies infiltrated by `botnet,’ according to news announcements.
According to Wikipedia, a Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software, but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.
While the term “botnet” can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.
A botnet’s originator (aka “bot herder” or “bot master”) can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC “bots”. Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server (“C&C”). Though rare, more experienced botnet operators program their own commanding protocols from scratch. The constituents of these protocols include a server program, client program for operation, and the program that embeds itself on the victim’s machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.
A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, twitter or IM) to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a “botnet” is sometimes referred to as “scrumping.”
Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently as most script kiddies do not have the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor disbanded a 10,000-node botnet. Large coordinated international efforts to shut down botnets have also been initiated. It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet.
According to recent press reports, security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that it was discovered, and it is a reminder of the dangers of having computers with sensitive data connected to the open Internet.
More than 2,400 organizations, including financial institutions and energy companies and federal agencies, were infiltrated by the “botnet,” according to the NetWitness Corp. security firm, which discovered it.
NetWitness didn’t name the companies or agencies whose computers were compromised. The Wall Street Journal said the affected companies included Merck & Co., Cardinal Health Inc., Paramount Pictures and Juniper Networks Inc. Merck and Cardinal Health said in statements Thursday that one computer in each company was among those in the botnet but no sensitive information was taken.
The victims don’t appear to have been specifically targeted, unlike the recent computer attacks on Google Inc. that prompted the Internet search leader to threaten to pull its business out of China. That’s an important distinction, because it shows how online secrets can fall into the wrong hands even when criminals aren’t necessarily looking for them.
“This kind of stuff is out there and it’s pervasive,” said Amit Yoran, CEO of NetWitness and former cybersecurity chief at the U.S. Department of Homeland Security. Parts of the botnet discovered by his firm likely are still active. He said the network appears to be run from computers in Eastern Europe and China, but it’s not certain the perpetrators are there.
Botnets are networks of poisoned PCs that are remotely controlled by hackers and behave like their criminal robots. The PCs are often infected when their owners visit bad Web sites or open malicious e-mail attachments.
Botnets are a major tool for cybercrime. They help criminals amass troves of stolen data that they can sell on the black market or use for their own schemes, such as yanking money from victims’ bank accounts.
The biggest on record is the one created by the Conficker worm. That infected anywhere from 3 million to 12 million PCs running Microsoft Corp.’s Windows operating system and is still active.
The botnet NetWitness discovered used malicious software called “ZeuS” that steals passwords and other online credentials. It’s primarily focused on poaching Internet banking credentials and is well known in the security community.
The fact that so many companies and government agencies were hit generally appears to have been incidental. Yoran said the attackers were targeting specific information rather than specific organizations.
Still, they were very successful, snatching more than 68,000 credentials over four weeks. Most of those credentials were login details for Facebook and Yahoo and other personal e-mail services. On the face of it those aren’t the most sensitive pieces of information, but they can hold the keys to unlocking other types of online accounts and private data.
Security experts who weren’t part of the NetWitness report said the findings illustrate the growing risk from the ZeuS software, whose authors are constantly updating it to evade detection by antivirus software and other security measures.
A bigger concern, Jackson said, is a new version of ZeuS that has appeared in the last few months and is more powerful and even harder to detect.