We lost the Botnet battle?

Has your computer been recruited into a botnet? What is a botnet?

A botnet is a collection of broadband-connected PCs that have been hijacked by viruses and worms. They started as software that connects back to a server to receive commands from remote attackers; today these botnets appear everywhere.

According to Symantec's statistics, an average of 57,000 bots were active per day in the first six months of 2006.

Over the same period, the anti-virus vendor also found a huge number of computers, 4.7 million, actively used in botnets. Botnet operators use these machines to distribute spam, launch DoS (denial of service) attacks, install malware, or install keyloggers that record keystrokes in order to steal information.

The machines in a botnet have compromised operating systems, and they have become a hub for many professional organized crime groups around the world. These groups use the stolen bandwidth of hijacked computers to earn money from illegal Internet activities.

Botnets install adware and spyware, spread spam and launch phishing attacks. CPU cycles stolen by the botnet feed a multi-billion dollar underground business that thrives on poorly secured computers. The operators also use this 'money tractor' to link physical devices together into a worldwide system.

The general feeling among security experts today is frustration: they cannot find and disable botnets. That disappointment affects security products and the attitudes of the technology workers who rely on them.

'We have known about botnets for a few years now. But all we have is an illustration of how they work. I'm afraid it will take another two to three years for us to create a response engine,' said Marcus Sachs, a director at SRI International in Arlington.

SRI is a non-profit research institute that supports the US government's Cyber Security Research and Development Center.

The battle against botnets is strengthened by the active participation of volunteers. They identify the botnet's 'command-and-control' infrastructure and work with Internet service providers (ISPs), pressing them to enforce rules that shut it down. But the general feeling is still disappointment: after years of taking down command-and-control servers, the botnet hunters have found their efforts going to waste.

'We have tried to contain this trend, but it seems to be useless,' said Gadi Evron, a security researcher at Beyond Security in Netanya, Israel, who also heads a botnet-hunting group. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We cannot destroy them thoroughly.'

'We are facing a tough intellectual war. The 'rafting' of botnets has improved and developed at a rapid rate; we cannot catch them. There are too many obstacles in our path,' Evron added.

The current setup uses hijacked computers as DNS (Domain Name System) servers, providing domain name resolution for the vandals themselves.

This allows bots to change IP addresses dynamically without changing the DNS information, and it also allows phishing websites to be hosted persistently on bot computers.
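The arrangement described above, in which a name keeps resolving to an ever-changing set of hijacked hosts, leaves a visible trace in resolver logs: many distinct addresses, spread across unrelated network prefixes, returned with short TTLs. The following Python script is an added example, not code from the article or from any of the companies it names; it runs a simple detector over a constructed resolver log (the log format, the domain names and the thresholds are assumptions for the example, and the addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24).

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample resolver log (not real data): one line per A-record answer observed,
# in the assumed format "<timestamp> <qname> A <ip> ttl=<seconds>".
SAMPLE_LOG = """\
2006-09-14T10:00:01 login.bank-update.test A 203.0.113.17 ttl=120
2006-09-14T10:02:11 login.bank-update.test A 198.51.100.44 ttl=60
2006-09-14T10:04:40 login.bank-update.test A 192.0.2.9 ttl=180
2006-09-14T10:07:02 login.bank-update.test A 203.0.113.201 ttl=120
2006-09-14T10:09:55 login.bank-update.test A 198.51.100.130 ttl=90
2006-09-14T10:12:30 login.bank-update.test A 192.0.2.77 ttl=60
2006-09-14T10:00:05 www.legit.test A 203.0.113.5 ttl=3600
2006-09-14T10:30:05 www.legit.test A 203.0.113.5 ttl=3600
2006-09-14T10:01:00 cdn.example.test A 198.51.100.10 ttl=60
2006-09-14T10:03:00 cdn.example.test A 198.51.100.11 ttl=60
2006-09-14T10:05:00 cdn.example.test A 198.51.100.12 ttl=60
2006-09-14T10:07:00 cdn.example.test A 198.51.100.13 ttl=60
"""

LINE_RE = re.compile(r"^(\S+) (\S+) A (\d+\.\d+\.\d+\.\d+) ttl=(\d+)$")


def parse_records(text):
    """Return a list of (qname, ip, ttl) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append((match.group(2), match.group(3), int(match.group(4))))
    return records


def summarize(records):
    """Per name: number of distinct IPs, distinct /24 prefixes, and median TTL."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for name, ip, ttl in records:
        ips[name].add(ip)
        ttls[name].append(ttl)
    return {
        name: {
            "ips": len(ips[name]),
            # /24 prefix = first three octets; a rotating set of unrelated
            # prefixes is more suspicious than several IPs in one block.
            "prefixes": len({ip.rsplit(".", 1)[0] for ip in ips[name]}),
            "median_ttl": median(ttls[name]),
        }
        for name in ips
    }


def flag_fast_flux(records, min_ips=5, min_prefixes=2, max_ttl=300):
    """Names whose answers rotate across many addresses and prefixes with short TTLs.

    The thresholds are assumptions for this example; a CDN can also show many
    IPs with short TTLs, so flagged names are candidates for review, not verdicts.
    """
    return sorted(
        name
        for name, stats in summarize(records).items()
        if stats["ips"] >= min_ips
        and stats["prefixes"] >= min_prefixes
        and stats["median_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    for name in flag_fast_flux(parse_records(SAMPLE_LOG)):
        print("candidate for review:", name, summarize(parse_records(SAMPLE_LOG))[name])
```

In the constructed log only `login.bank-update.test` trips all three conditions; `cdn.example.test` has short TTLs but stays inside one /24 and below the IP count, which is why the prefix check is there.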

Statistics from various sources show that Evron's pessimism is realistic in the current situation. According to data from the Malicious Software Removal Tool (MSRT), back-door Trojans and bots are 'significant and authentic threats to Windows users'.

MSRT figures from January 2005 showed that the tool removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected computers, about 62% were infected by Trojans or bots.

The race of "cat and mouse"

Trend Micro, a Tokyo-based security company, has sold its botnet mitigation technology to Internet service providers. The company estimates that more than 5% of all computers connected to the Internet are used in botnets, and that the botnets become more sophisticated each year.

'These guys are getting better and better, beyond your imagination,' said Jose Nazario, a security and software engineer at Arbor Networks in Lexington (USA).

'We see that botnets are now more carefully managed. The techniques they use to partition bots are more sophisticated and interesting. Bots are partitioned onto different servers according to bandwidth or region. If it's a dial-up machine, the botnet managers know that bot won't be used much, so they only put it on one channel, connect it to spyware and get paid for the installation,' Nazario said.

Joe Stewart, a veteran security researcher at SecureWorks in Atlanta, has spent time reverse-engineering bots and eavesdropping on botnet communications. What he found confirms the scary part: the botnet creators are winning the high-tech cat-and-mouse chase against the protection programs trying to keep up with them.

For example, the Sinit back-door Trojan uses a fully P2P distribution model, confirming the increasing sophistication of botnets. 'With Sinit, there is no central server that can be taken down. Each infected device becomes part of a P2P network, and thereby the Trojan is spread across all hosts,' Stewart said.

Evron, who started hunting botnets in 1996, said bot creators are using free domain services to quickly move machines away from protected areas. Botnets currently act like offline terrorist cells, with the botnet controls grouped in a tree-like structure.

'They have improved to the point that it is impossible to detect or remove any command or control. Sometimes the command and control can be a weak link. Today there are enough redundant control channels and easy choices for them to survive,' Evron continued.

SecureWorks' Stewart agrees that chasing down command and control is no longer effective. 'We are up against professional guys. This is a great business opportunity for those who operate in the dark. We are witnessing all the crazy tricks they use to stay ahead in their race.'

Profit trend

The Mocbot worm attack in September is the clearest evidence that botnet builders are aiming for profit.

The attack exploited a security vulnerability in the Windows Server Service. Security researchers from the German Honeynet Project found that the hijacked machines were made to install advertising software from DollarRevenue. The company pays from 1 penny to 30 cents per install.

Within 24 hours the IRC-controlled botnet had acquired control of over 7,700 machines. Over 4 days, the researchers counted about 9,700 attacks from a single command-and-control center. It is estimated that the attackers could earn about $430 in commissions from DollarRevenue alone.

According to Stewart, the main activity of botnets is linked to spam distribution and identity phishing attacks.

A typical bot is installed on thousands of machines and starts harvesting the e-mail addresses stored on each hard drive. It then opens a dedicated SOCKS proxy through which huge amounts of spam are sent.
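A machine relaying spam in this way behaves unlike an ordinary subscriber: instead of handing mail to the ISP's own relay, it opens direct TCP port 25 connections to many unrelated mail servers in a short time. The following Python script is an added example, not code from the article or from any vendor it mentions; it looks for that fan-out pattern in a constructed connection log (the log format, the addresses, the ISP relay address and the thresholds are assumptions for the example, with addresses taken from the documentation ranges).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real data): one line per new outbound TCP
# connection, in the assumed format "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
2006-09-14T11:00:00 10.0.0.5 203.0.113.25 25
2006-09-14T11:00:30 10.0.0.5 203.0.113.26 25
2006-09-14T11:01:10 10.0.0.5 192.0.2.25 25
2006-09-14T11:01:45 10.0.0.5 192.0.2.26 25
2006-09-14T11:02:20 10.0.0.5 203.0.113.40 25
2006-09-14T11:03:00 10.0.0.5 192.0.2.41 25
2006-09-14T11:03:40 10.0.0.5 203.0.113.55 25
2006-09-14T11:04:15 10.0.0.5 192.0.2.56 25
2006-09-14T11:00:00 10.0.0.12 192.0.2.25 25
2006-09-14T11:15:00 10.0.0.12 192.0.2.26 25
2006-09-14T11:30:00 10.0.0.12 203.0.113.25 25
2006-09-14T11:45:00 10.0.0.12 203.0.113.26 25
2006-09-14T11:00:00 10.0.0.9 198.51.100.25 25
2006-09-14T11:01:00 10.0.0.9 198.51.100.25 25
2006-09-14T11:02:00 10.0.0.9 203.0.113.80 80
"""

# Assumed: the ISP's own outbound mail relay, which subscribers are expected to use.
ISP_SMARTHOST = {"198.51.100.25"}


def parse_flows(text):
    """Return a list of (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def smtp_fanout(flows, window=timedelta(minutes=10), min_distinct_dst=5, allow=ISP_SMARTHOST):
    """Map src -> peak number of distinct port-25 destinations inside any sliding window.

    Only sources whose peak reaches min_distinct_dst are returned. Connections to
    the allow-listed relay are ignored, so normal mail clients do not count.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25 and dst not in allow:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        counts = defaultdict(int)   # distinct destinations currently inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_distinct_dst:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, peak in smtp_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {peak} distinct mail servers within 10 minutes, review this host")
```

In the constructed log only `10.0.0.5` is reported: `10.0.0.9` talks to the ISP relay and a web server, and `10.0.0.12` contacts four mail servers but fifteen minutes apart, so no single window ever holds more than one destination. Per-host rate thresholds like this are the basis of the outbound port 25 filtering many ISPs apply.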

In most cases, bot operators rent botnets out to spammers. But Stewart and many others provide evidence that many criminal groups now operate botnets directly for profit.

Botnets can be used for shady activities such as DDoS and DoS attacks; sniffing traffic to steal form data; installing keystroke loggers to capture logins and steal banking credentials; click fraud on contextual advertising networks; and even exploiting online games.

Randal Vaughn, an expert in computer information systems at Baylor University (Waco, Texas), is optimistic, although the list of weak-link users is still very long. Most of them are people who don't know much about technology.

'When you encounter an international problem, legal organizations are not able to help you, simply because they cannot handle serious botnet problems. They are enthusiastic and serious, but it's hard for someone in the US to ask law enforcement officers in Russia or China to do the job for them. I don't think we've ever had active botnet mitigation activities in any part of the world,' Vaughn said in an interview.

Another idea is that workarounds by small ISPs help users deal with infected computers. 'There is no economic benefit for an ISP to sit on the phone for an hour and a half to help a customer restore a hacked computer. The cost of this service is many times higher than the subscription price.' A large number of computer users run different versions of Windows without installing the full set of updates and bug fixes, creating a 'ripe' field for vandals.

'We need to provide ISPs with better tools to handle the problem. Resetting machines manually with customers is not economically feasible,' Stewart said. He plans to build a community effort to create a free tool that automatically removes bots on an ISP's network.

Several security companies have started to market anti-botnet products. In September, Trend Micro released InterCloud Security Service, a new service that provides botnet removal technology to ISPs, universities and other large network providers. InterCloud can identify vandals on the network and provide automatic remediation to block them in real time.

Damballa, a start-up with links to the School of Informatics at the Georgia Institute of Technology, has raised investment to create technology that accurately identifies Internet traffic generated by vandals or by hijacked computers.

But for now, the vandals are still winning.

T.Thu

Update 13 December 2018