Tackling the botnets at source

[bamalli]

Tackling the botnets at source

Windows XP on sale, PA
Botnet herders target home Windows PCs
There is little doubt that the nature of hi-tech crime has changed significantly since the turn of the millennium. Now those involved in it are more interested in making money rather than headlines.

Alongside this change has gone the rise of the botnet - a network of slave machines used to support all kinds of cyber crimes.

The machines forming a botnet are typically hijacked home computers that have been compromised by an e-mail bearing a virus as an attachment or by a worm that has scoured the internet for vulnerable machines.

One of the computer security groups to emerge as a response to these botnets is the Shadowserver Foundation - a loose coalition of volunteers who dedicate themselves to finding out how botnets are created, where they are and how they are run.

It also tries to raise awareness of the botnet problem among all ranks of computer users, from the average home user to hosting and net service companies.

The organisation was set up in 2004 and now has about 15 members spread around the world.

   
the problem will never go away until law enforcement gets more involved...
Andre M. Di Mino

Hi-tech crime: A glossary
The majority of members, such as the group's co-founder and director, Andre M. Di Mino, work with computers for a living, though one Shadowserver member works in the delicatessen department of a supermarket near his home in Liverpool when he is not online.

Spot the bot

One thing Shadowserver is not, says Mr Di Mino, is a vigilante organisation.

"We never take a bot net down," he says. "We're strictly passive observers. Though we will alert a net service provider, hosting company or let law enforcement know if there is something of particular interest to them."

He adds: ""We gather information, all we can learn about botnets, how malware spreads and the different techniques that botnet operators use to avoid detection."

Tracking botnet activity is a huge task for Shadowserver members. Mr Di Mino estimates that, at any one time, upwards of 15,000 botnets are working. In total, it is thought, they have about one million machines under their control.

Botnets have grown because cyber criminals have discovered how useful they can be when they want to conceal what they do.

Chinese net users, AFP/Getty
China is becoming a popular spot for bots
The machines in a botnet can be used as an attack platform to bump websites offline unless a ransom is paid. They can be used to send spam, to seed viruses, or as dead drops for information stolen by keyloggers.

Typically, a botnet owner will rent out their net to anyone that wants to use it. Going rates depend on what they plan to do with them. Many botnet herders make more than $5000 per month.

"We are seeing more revenue driven botnet operations," says Mr Di Mino, "because there's real money to be made in it."

For example botnet herder Jeanson James Ancheta made more than $100,000 by renting out access to the 40,000 machines he had control over. Arrested in November 2005 he was sentenced to 57 months in jail in May 2006.

New threats

To gather information about botnets and the malicious programs they use to hijack machines, the Shadowserver Foundation uses honeynets spread around the world that record everything that happens to them and catches samples of the malware used to try to subvert them.

Some of the Shadowserver members reverse engineer the trapped malware and provide information about it to security companies around the world. The information it gathers is also used to generate signatures for particular attacks so intrusion detection systems can work out if incoming data has a hostile intent.

Cash and keyboard, BBC/Corbis
A botnet can be very valuable in the right hands
What is starting to change, he says, is the size of the botnets and how they operate. In the early days botnet controllers, or herders, went out to grab as many machines as possible. Sweden had one million machines all by itself.

"Now," says Mr Di Mino, "botnet operators are doing more with less."

They are starting to establish a relatively small network of a few thousand machines that they know they will be able to control. Botnets are a valuable commodity and operators often have to fight off the efforts of others to steal machines in their network.

As well as getting smaller, botnets are starting to use encryption for the communication between all the nodes making it hard to track who is in charge. What is also changing is the ways machines are recruited into botnets.

"The traditional e-mail attachment with malware in there is still very popular," he says but some enterprising hi-tech criminals are using weaknesses in Microsoft's Internet Explorer to install botnet code when net users visit the wrong site in so-called "drive-by downloads". Others are using lures sent via instant messaging or net chat rooms.

Mr Di Mino anticipates that the Shadowserver Foundation will be kept busy for a long time to come. He has little doubt that botnets will persist - they are just too lucrative and useful for the criminals to give up.

He says: "They may change in complexity, sophistication and vehicles of attack," he says, "but the problem will never go away until law enforcement gets more involved to apprehend and fully prosecute the botherders and those supporting them."

By Mark Ward
Technology Correspondent, BBC News website