If, as author Philip K. Dick wondered, robots dream of electronic sheep, their collectivist cyber-equivalents, botnets, live for the fleece. Used to enable or commit several types of fraud, including click fraud against PPC providers such as Google, Yahoo and the host of smaller pay-per-click programs, botnets are proliferating across the Internet at an alarming rate. The only thing matching the increase in criminal use of botnets is the increasing sophistication of their operators.
“The level of sophistication that we’re seeing – and the speed at which new fraudster techniques are introduced – is tremendous,” says Keren Levy, director of the Online Threats Managed Services group at RSA Security. In June of this year RSA Security and Panda Software collaborated to detect and dismantle one of hundreds of botnets operating online, one that was specifically designed to commit click fraud.
“Botnets are a silent epidemic,” states Ryan Sherstobitoff from Panda Software as he ducks behind a row of trade-show booths to find a quieter place to speak. “The botnet we recently helped dismantle with RSA had infected over 50,000 computers with the Clickbot.A Trojan. Imagine if each of those 50,000 computers made the botnet controller one dollar each day the system operated. If it takes us a few weeks to shut him down, the operator makes millions.”
The actual people who operated the network of bots that RSA and Panda broke remain at large and anonymous. They have not been identified, and history suggests they will be back for more. Those who hack at this level are light years beyond the script-kiddies of yesteryear. According to Sherstobitoff, they are organized, well paid, and very, very dangerous. So are the people they work for.
“We’ve traced a number of operations centers back to Eastern Europe, the former Yugoslavia, China, and even to North Korea,” said Sherstobitoff. “There are multiple crime organizations doing this, some of which sell Trojans to each other and to outsiders.”
When we spoke, Sherstobitoff was at an education and IT trade show in Nashville, Tennessee. He has worked with Panda Software for three challenging years. His business card says he is a Product Technology Officer for Panda Software U.S.A. To be more accurate, Sherstobitoff has become Panda’s security evangelist. His job has him traveling to trade shows, speaking at conventions and meeting with IT workers across the country, preaching the mantra of tighter computer security. Knowing that cyber-security experts have only seen the tip of the iceberg, Sherstobitoff emphasizes the importance of personal and corporate responsibility.
Botnets can be described as a cross between a computer virus and the Borg. Where common viruses are designed to act independently, botnets are literally networks of infected computers that can be controlled by a master computer. Infection comes in the form of malicious code, or malware. This code can get onto a system in a number of ways, including email attachments, music or video downloads, and through open ports and flaky firewalls. Most who have it will never know they are running it, and that’s just the way the fraudsters like it.
“Out of sight, out of mind” is the axiom that online fraudsters rely on to take money out of the pockets of their victims. According to the Panda Software website, over 20% of all home, school or office computers in the U.S. are infected with malicious code and, just to hammer the point home, most of their owners will never know it. This means that one in five computers in the U.S. might, at any time, turn into a higher-functioning zombie. Though computers that become zombies appear to run normally, someone else is using part of their processing power. That someone is likely doing illegal things. A medium-sized network like the one broken up by RSA and Panda is 50,000 computers strong. Each zombie has its own IP address, and each can be used to fully mimic human behaviours or to scan and record personal information when ordered to by its operator.
It is amazing how easily malicious files can be acquired and how much financial and social damage they can do. These types of files come in all shapes and sizes. Some burrow into a computer’s registry as a worm, some are invited in as Trojans, and some are attached to ID phishing attempts. One noted example of ID phishing email containing a Trojan is referred to as the Barclays Bank letter.
Once inside a computer, malicious files can perform whatever functions they are programmed to do. Some are even designed to accomplish multiple tasks from recording ID and keystroke information to using infected computers to mimic live visitors in click fraud schemes.
The bust Panda and RSA made involved a botnet built around the aptly named Clickbot.A, which was specifically designed to commit click fraud. Clickbot.A is a Trojan file that registers itself as a browser helper object so that whenever Internet Explorer is run it is automatically activated. When active, Clickbot.A is used to obtain “…financial profit from fraudulent clicks on advertisements sponsored by a certain company, which in return does not get any visits to its website.”
According to a Panda Software press release, the Clickbot.A Trojan scam went down this way:
“– Fraudsters set up a number of Internet addresses and posted a series of (genuine) syndicated search-engine advertisements.
– The bot network – comprised of more than 50,000 zombie machines infected by Clickbot.A – was programmed to access these Internet addresses and to register clicks on the syndicated advertisements.
– The fraudsters received a slice of the ‘pay per click’ advertising revenues even though the original advertisers did not receive any visits to their sites.”
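To show what the scheme in the press release looks like from the detection side, here is an added example (not code from the article, Panda or RSA): it runs a simple check over constructed PPC click logs and constructed advertiser landing-page hits, and flags a publisher whose syndicated ads are clicked from many distinct IPs that never show up at the advertiser’s site. The feed layouts, thresholds and site names are assumptions.

```python
from collections import defaultdict

# Constructed sample click feed from the PPC provider: (ts_seconds, client_ip, publisher_site, ad_id).
# "news.example" stands for a genuine publisher; "farm.example" for a fraudster-controlled address
# whose syndicated ads are clicked by zombie machines, each with its own IP (as in the Clickbot.A case).
CLICKS = [(t * 30, f"192.0.2.{t % 8 + 1}", "news.example", "ad-42") for t in range(10)]
CLICKS += [(t * 2, f"198.51.100.{t}", "farm.example", "ad-42") for t in range(1, 41)]

# Constructed advertiser-side landing-page hits: (ts_seconds, client_ip, ad_id).
# Real visitors reach the advertiser a few seconds after the click; the bots never do.
LANDING_HITS = [(t * 30 + 3, f"192.0.2.{t % 8 + 1}", "ad-42") for t in range(10) if t != 4]


def publisher_stats(clicks, landing_hits, window=60):
    """Per publisher: (click count, distinct client IPs, clicks followed by a landing hit
    from the same IP for the same ad within `window` seconds)."""
    hits = defaultdict(list)
    for ts, ip, ad in landing_hits:
        hits[(ip, ad)].append(ts)
    stats = defaultdict(lambda: {"clicks": 0, "ips": set(), "landed": 0})
    for ts, ip, site, ad in clicks:
        s = stats[site]
        s["clicks"] += 1
        s["ips"].add(ip)
        if any(ts <= h <= ts + window for h in hits[(ip, ad)]):
            s["landed"] += 1
    return {site: (s["clicks"], len(s["ips"]), s["landed"]) for site, s in stats.items()}


def flag_publishers(stats, min_distinct_ips=20, max_landing_ratio=0.2):
    """Flag publishers whose clicks come from many distinct IPs (distributed, botnet-like)
    while almost none of those clicks are ever seen at the advertiser's landing page."""
    flagged = []
    for site, (clicks, ips, landed) in stats.items():
        if ips >= min_distinct_ips and landed / clicks <= max_landing_ratio:
            flagged.append(site)
    return sorted(flagged)


if __name__ == "__main__":
    stats = publisher_stats(CLICKS, LANDING_HITS)
    for site, (clicks, ips, landed) in stats.items():
        print(f"{site}: {clicks} clicks, {ips} distinct IPs, {landed} reached the advertiser")
    print("flagged:", flag_publishers(stats))
```

In practice the PPC provider and the advertiser hold these two feeds separately, so the landing-hit comparison needs the advertiser’s cooperation (or a tracking pixel on the landing page).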
The real victims of click fraud are PPC advertisers. Both the perpetrators and the PPC advertising providers make money every time an advertiser pays for a fraudulent click. If the fraudsters have been paid out by one of the PPC engines, it is a safe bet that engine has made money as well. Though the search providers, most notably Google and Yahoo, already detect and delete a wide array of invalid clicks, the rapid proliferation of botnets is considered mute testimony to the success of the underworld endeavor.
As efficient as they are at automating fraud, botnets require human control and activation. There is always a central controller. The controller is not necessarily the person responsible for writing the malicious code. The controller might not even be directly associated with the person or organization profiting from the scheme. Controllers are often highly paid mercenaries who happen to be very, very good hackers.
There are hundreds, perhaps thousands, of controllers out there. They are extremely difficult to catch, even though they leave traces everywhere they go. With the ability to manipulate a massive network of zombies, controllers can shift their command centers from computer to computer, effectively masking the route back to their own locations. When their networks are eventually detected and parts of the network dismantled, they can turn everything off and vanish into the ether of cyberspace. The controller truly is the ghost in the machine. Even if a controller happens to get caught, chances are that person has no idea who has paid them for their talents.
Running a botnet operation requires a number of unique skill sets. Fake businesses with bank accounts need to be established to accept payments. When paid out, click fraud revenues need to be laundered before the fraudsters can safely enjoy their ill-gotten gains. Friendly bankers, more fake businesses and allied accountants are required in order to facilitate the fraud and keep difficult questions to a minimum. As none of the players mentioned above are proficient enough hackers to build a better botnet, someone needs to write the malicious code or know someone from whom they can obtain a copy. This isn’t a world where the script-kiddies play. This is the world of slash-and-burn organized crime.
The criminals know what they are doing, and time is truly on their side. Sherstobitoff described the tension of living in what is becoming a full-time Zero Day posture. Zero Day (or zero hour, or zero minute) is the term used to describe the moment a botnet or other cyber-security threat is detected. Once detected, that threat needs to be dissected in order to learn how to destroy it. Any one of those threats might have been active for days, weeks or months before being detected.
Cyber-security experts play the role of Tom to the hackers’ role of Jerry. In the game of cat and mouse, the security cats are always a bit behind the curve of the eight ball, and the hackers know and love it. When a new virus is discovered, the malicious code writers make sure the security experts find a few thousand variants, just to keep them busy figuring out which variant is the real threat. Finding and figuring out a fix might take hours or it might take a few days. Once the actual threat is determined and a patch prepared to distribute through Norton, McAfee or other anti-virus software, it can take between 8 and 16 hours to update computers around the world. Zero Day for Variant A is often the birthday of variants B, C, D, E, F, and Z. Every day can be a Zero Day, and some must feel like Groundhog Day.
Cyber-security experts are not really concerned about idle threats. They have far too many real ones to deal with. The threats posed by botnets are not limited to the personal or business finances of personal or business computer users either.
On December 1, the US Attorney’s office indicted a 26-year-old Romanian hacker named Victor Faur on charges he hacked into over 150 NASA and US Navy computers. According to the US Government, Faur leads a group of elite hackers known as the “WhiteHat Team”. While Faur is said to have only used his exploit to open chat rooms for other WhiteHat members in order to prove he had cracked the most robust systems in the world, his accomplishments could earn him up to 54 years in an even more secure setting: a US federal prison.
On the same day Faur’s indictment was being read in a Los Angeles courtroom, the Department of Homeland Security issued a warning regarding a possible Internet attack on US banking and investment interests, including the New York Stock Exchange and Nasdaq markets. Though the advisory was issued by DHS spokesman Russ Knocke “as a routine matter and out of an abundance of caution,” it speaks to very real and persistent fears that such an attack is possible.
In May 2006, a botnet was used to bring down approximately 10 million TypePad blogs and LiveJournal communities in an overwhelming distributed denial of service (DDoS) attack on Six Apart. Six Apart client BlueSecurity.com was the actual target of the attack, but the power of tens of thousands of zombie computers sending repeated requests to their servers crashed out their entire network. (source: Wired Magazine issue 14:11)
It is remarkably difficult to catch the controller. The fake businesses and the bank accounts attached to them can come and go as quickly as necessary. In the blink of a few short months, a criminal organization can make a few million dollars. According to Panda’s Sherstobitoff, very few of the people behind the operations that are detected and dismantled are actually caught, in the real-world sense of the word: a discouraging 2 to 5%.
The sky is not falling, but it is getting more expensive to keep it suspended with every passing day. Home computer users, education networks and corporate IT departments might be under constant attack, but there are ways to deter, detect and disrupt the hackers.
Using standard anti-virus products is important; however, they do not cover the full spectrum of threats. Most anti-virus software is also limited by the Zero Day concept and is therefore only as effective as its most recent update. Products like ZoneAlarm and AdAware are good additions to home and business computers, but Sherstobitoff strongly recommends that the tightest security should come at the server and ISP level. Sherstobitoff suggests ISPs and companies running web servers use anti-hacking software based on host-based intrusion detection systems (HIDS) that perform deep packet inspection, looking at the kernel level for common traits found in zombifying Trojans.
With a 20% infection rate in the U.S. and similar rates around the world, the only real certainty for cyber-security experts is that there is a one-in-five chance the computer in front of you is being used to assist thieves. That is a sad fact of life online. While researching one of the few botnet cases that has been prosecuted, that of Jeanson James Ancheta, this LinuxForums botnet discussion from late January 2006 was found. If you’re not quite disturbed enough by this point, follow that link.