Do Botnets Dream of Digital Sheep?
Over the last few decades, markets and economies have been revolutionized by the advent of this powerful medium we call the Internet: access to information and freedom of expression are no longer limited by geographical boundaries; the world has shrunk to the size of electrons. I keenly remember the challenges facing the protagonist of Philip Dick’s science fiction novel, ‘Do Androids Dream of Electric Sheep?’, as he dealt with rogue androids. The Internet, with its decentralization, openness and commercial dependability, has become the haven for a new breed of criminals, where botnets rule the dark, creepy labyrinths. Throughout this time, we at Symantec have been at the forefront of fighting this war for information accessibility and reliability.
Right now, botnets are one of the most concerning problems in information security and are considered the source of many evils, such as spam, click fraud and denial-of-service attacks. Bots are malicious programs installed on your computer without your consent, each forming part of a larger command-and-control network called a botnet.
It all started in 1993 with the release of Eggdrop, the first Internet Relay Chat (IRC) bot, which allowed users to link multiple bots in a distributed fashion, thus introducing the concept of a botnet to the hacking community. Then came the headline-grabbing Distributed Denial of Service (DDoS) attacks on Yahoo!, eBay, eTrade and CNN, which knocked them offline in 1999. This was probably the first time the booming dot-com sector realized how vulnerable the Internet infrastructure was to such an attack.
A full-scale investigation revealed the hand of a few bored teenagers who allegedly used freely available DDoS tools such as Trinoo, Stacheldraht and TFN to perpetrate the attacks. These tools gave them the ability to maintain and control a group of compromised hosts in a highly efficient manner, signifying the advent of a new era in online fraud and extortion.
With some ingenuity and improvisation, such as IRC-based command-and-control and integration with worms and viruses, the attackers laid the foundation of organized crime in cyberspace. Pretty soon, these botnets were being used for online extortion, email spam, adware, spyware, click fraud and identity theft.
With the advent of efficient and reliable botnet propagation payloads like Sobig, SDBot, Rbot, Agobot and Phatbot, the size of these botnets can run into the thousands. In 2005, Dutch authorities dismantled a humongous botnet controlling 1.5 million compromised computers!
The DeepSight Threat Analyst Team investigates dozens of worms and viruses that use a variety of botnet seeding and propagation mechanisms. In recent months, Trojan.Peacomm was one such interesting worm: it made use of a peer-to-peer communication channel rather than the popular IRC-based channel. Symantec Security Response has determined that this protocol is in fact the publicly documented Overnet protocol. The use of a P2P communication channel shows a high level of sophistication; with no central server to watch, it is much more difficult to detect and analyze the exchange of information between infected systems.
According to the latest Symantec Internet Security Threat Report, between July 1 and December 31, 2006, Symantec observed an average of 63,912 active bot-infected computers per day, an alarming increase of 11 percent from the previous six months. It also noted that China had the highest number of bot-infected computers during the second half of 2006, accounting for 26 percent of the worldwide total.
Botnets have almost become synonymous with cybercrime in the last few years. Although a good deal of user awareness has been created, much remains to be done. The perils of losing your identity, money and business over the Internet are all too real. Instead of being reactive, companies and users should act preemptively to weed out this disease, which plagues our online lives and costs millions of dollars. Only a deliberate and constant emphasis on security, with a healthy dose of paranoia, can solve this menace.