The Botnet Threat: Targeting Your Business

By: MessageLabs
Published: Jun 23, 2008
Length: 4
Type: White Paper
 
Overview:

The objective of a robot network or “botnet” is simple: Enlist your computers into the armies of zombies that will, on command from some faraway place, bombard other computers with fraudulent spam and malware, turning those computers into zombies as well.

In this whitepaper, you will learn more about the remarkable and serious threat posed by botnets. Understand their development from “Sobig” to “MayDay,” and see how their creators continually upgrade them to evade traditional security defenses. Finally, understand how MessageLabs proprietary technology known as Skeptic provides a unique solution to protect your business.

Browse Related Categories: Anti Spam, Anti Virus, Email Security, Intrusion Detection, Intrusion Prevention, Network Security, Security

 
Robot armies. Zombie legions. Slave hordes programmed to follow the orders of malevolent masters concealed, out of reach, hundreds or thousands of miles away. It may sound like the plot from a clichéd sci-fi or horror movie. But it actually describes a key feature of the messaging and web threat landscape that has established itself center-stage over the last five years. And it’s a threat that now has businesses firmly in its sights.

A ‘botnet’ – short for ‘robot network’ – is a group of internet computers, often scattered over a wide geographical area, set up to forward spam or malware to other computers. Crucially, the owners of the botnet computers have absolutely no idea that their machines have been compromised in this way.

Computers are generally ‘recruited’ to botnets when their owners innocently click on an email attachment containing a virus, or on an infected weblink. Although nothing might appear to happen, a malware program surreptitiously downloads itself to the hard drive. This enables the botnet controller or ‘herder’ – probably a member of an international criminal gang – to take control of the computer at times of their choosing.

The gang then enjoys the luxury of different money-making options. They might harness the botnet themselves or rent it out to other ‘bad guys’ to launch massive spam runs, for example. In blissful ignorance, the owners of the infected machines never realize what’s happening. They’re never aware that the occasional flickering of a hard-drive light is a tell-tale sign that their machines are responding to a remote master’s bidding.

To date, home computers have accounted for a vast majority of botnet computers. The bad guys understood that home PCs were less likely than business-based machines to have effective security measures in place. But traditional patterns are shifting. Advancements in sophistication – illustrated by the recent StormWorm phenomenon – mean botnet gangs can now more easily breach corporate defenses and compromise business-based computers too. Affected companies see valuable corporate bandwidth taken up and networks operating less efficiently. They also find themselves inadvertently taking part in spamming and illegal activities that afflict internet users worldwide. Infected machines may even fall prey to associated threats which lead to leakage of confidential, business-critical data and the blunting of competitive edge.

This MessageLabs whitepaper looks at how the botnet threat has evolved and the serious danger it now poses to business. But it also shows how the threat can be thwarted, instantly and cost-effectively. The information is based on MessageLabs hands-on experience of providing proven messaging and web security management services for 18,000 clients worldwide, with over 2.5 billion attempted SMTP connections processed every day on their behalf.

In the Beginning

Around the start of 2003, an ingenious new intruder appeared on the messaging security radar. The first large-scale mass-emailing virus, Sobig lurked in attachments accompanying unsolicited emails and would secretly install itself on computers of unwary victims who tried to open the attachment. In this way, their machines were hooked into the world’s first major botnet and condemned to regular hijackings by the botnet’s herder.

And where Sobig was the pioneer, many similar threats (e.g. Fizzer and MyDoom) followed. Soon, botnets were sucking in thousands, then hundreds of thousands of computers. Increases in botnet activity were also closely linked to broadband rollout. More home computers connected to the internet round the clock meant greater availability to do the bad guys’ dirty work. It was not just the botnets’ scalability but also their sophistication that seemed to increase exponentially.

Each new ‘improved’ version of Sobig, for instance, posed a more serious threat than the last. The final version, Sobig.F, could even mass-mail spam simultaneously, not sequentially as before – with many of these emails designed to further propagate the virus. By summer 2004, global spam levels had exploded, unsolicited emails accounted for 90% of email traffic and no fewer than 10% of emails intercepted by MessageLabs contained a botnet-related virus. By 2005, ‘botnet wars’ were even beginning to break out as rival gangs competed with each other to dominate the botnet ‘market’.

Storm Front Coming

In January 2007, another game-changing event sent shockwaves through the world of the internet. The first detection of the notorious StormWorm virus opened the flood-gates for this type of attack. Spread by botnets, StormWorm proved to be the start of a new generation of threats that employed a whole new set of tactics. It also represented the point when botnets ceased to be basically a home computer user’s problem and began to spread their damaging tentacles inexorably towards the business community.

StormWorm’s success – at its peak in mid-2007 it probably infected around two million computers globally – was made possible by a whole arsenal of innovative techniques designed to help the virus defy counter-measures and keep propagating itself. StormWorm botnets don’t rely on traditional ‘command and control’ channels; instead they harness so-called ‘peer to peer’ technology. They can also switch the botnet computers they use every three minutes – a technique known as ‘fast flux’ or ‘bullet proof hosting’. Stopping a StormWorm spam attack once it starts has proved almost impossible.

The mass emails that flood out during a StormWorm attack don’t generally contain the traditional infected attachment. Instead, they include a tempting hyperlink to a website, perhaps purporting to contain information on a big news story or important day in the social calendar, such as Valentine’s Day. (The virus earned its name because the first emails propagating it claimed to contain links to information about devastating storms battering Europe.) But the hyperlinks actually lead to StormWorm, awaiting its chance to download itself onto the computers of visitors clicking on the link.

This has proved a highly effective way of allowing ever more sophisticated versions of the virus to access and infect (or reinfect) machines worldwide. By March 2008, no less than 45% of the malware detected by MessageLabs infrastructure was being disseminated via ‘bad’ weblinks – with StormWorm accounting for a staggering 96% of this malware (although the proportion declined significantly in April 2008).

StormWorm has also proved adept at launching ‘denial of service’ attacks. These occur when websites or web-based services are swamped with tidal waves of emails preventing them from operating efficiently – or in some cases operating at all. Another clever feature is StormWorm’s ability to partition botnets and so escape detection for longer, with the herder simply renting out chunks to ‘customers’ looking to launch denial of service attacks or distribute spam.
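The fast-flux rotation described above (hosts behind a spam link changing every few minutes) leaves a footprint in DNS resolver logs that a defender can watch for. The Python script below is an added example, not code from the MessageLabs paper: it applies a simple heuristic to constructed resolver records, flagging a name that resolves to many distinct addresses inside a short window while advertising low TTLs. The sample records, thresholds and names are assumptions chosen for illustration.

```python
"""Fast-flux indicator over DNS resolution records (added example, not from the paper)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, queried name, resolved IP, TTL in seconds).
# Addresses come from RFC 5737 documentation ranges; none is a real host.
SAMPLE_RECORDS = [
    ("2008-04-01T10:00:00", "news-alert.example", "192.0.2.10", 120),
    ("2008-04-01T10:03:00", "news-alert.example", "198.51.100.7", 120),
    ("2008-04-01T10:06:00", "news-alert.example", "203.0.113.44", 120),
    ("2008-04-01T10:09:00", "news-alert.example", "192.0.2.88", 120),
    ("2008-04-01T10:12:00", "news-alert.example", "198.51.100.201", 120),
    ("2008-04-01T10:00:00", "www.example", "192.0.2.1", 86400),
    ("2008-04-01T10:30:00", "www.example", "192.0.2.1", 86400),
    ("2008-04-01T11:00:00", "www.example", "192.0.2.1", 86400),
]

def parse_record(rec):
    ts, name, ip, ttl = rec
    return datetime.fromisoformat(ts), name, ip, int(ttl)

def flux_score(records, window=timedelta(minutes=15), min_distinct=4, max_ttl=300):
    """Return {name: (distinct IPs in the busiest window, lowest TTL seen, flagged)}.
    A name is flagged when some `window` contains at least `min_distinct`
    different addresses AND the lowest TTL observed is <= `max_ttl`.
    Thresholds are assumed values; tune them to the resolver being monitored."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in map(parse_record, records):
        by_name[name].append((ts, ip, ttl))
    result = {}
    for name, events in by_name.items():
        events.sort()  # chronological, so every later event has ts >= start
        best = 0
        for i, (start, _, _) in enumerate(events):
            ips = {ip for ts, ip, _ in events[i:] if ts - start <= window}
            best = max(best, len(ips))
        low_ttl = min(ttl for _, _, ttl in events)
        result[name] = (best, low_ttl, best >= min_distinct and low_ttl <= max_ttl)
    return result

def flagged_names(records, **kw):
    """Names that meet the fast-flux heuristic, sorted for stable reporting."""
    return sorted(n for n, (_, _, flag) in flux_score(records, **kw).items() if flag)

if __name__ == "__main__":
    for name, (n, ttl, flag) in flux_score(SAMPLE_RECORDS).items():
        print(f"{name:22} distinct={n} min_ttl={ttl} {'FLUX?' if flag else 'ok'}")
```

A real deployment would feed this from passive DNS or resolver query logs and treat a hit as a lead for analyst review, since legitimate CDNs also rotate addresses with short TTLs.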