ISTR XI – Attack Landscape

As spring quickly approaches, the Internet continues to grow into amore and more complex world driven by commerce. Businesses have longsince moved in and millions of dollars change hands every day online.Along with big business comes organized crime. Perhaps not necessarilythe organized crime immortalized in stories like The Godfather or The Sopranos,but Internet crimes are carried out in an organized way designed toconnect the theft of a single person’s user account credentials to abuyer on the mass market for illegal information. Throughout thisorganization, bots play the leading role.

Bots, once used primarily by their owners to carry out denial ofservice attacks driven by grudges, bragging rights, or politicalmotives, have been firmly incorporated into the toolkit of organizedcrime on the Internet. Bots can do pretty much anything: carry outattacks, host spam relays, carry out DoS attacks, host phishing sites,and log keystrokes on the computer they compromise. Because of theadaptability and updatability of bots, they can actually be used tocarry out every level of activity within Internet-based organized crime.

A bot can start its life by breaking into a user’s computer andstealing the user’s bank account credentials and info when they loginto their bank account from their Web browser. The bot can then beused to infect other computers and steal more information. After thebot spreads, it may host a spam relay that sends spam to all the emailsit harvested from the compromised computer it is on. After that, it mayhost a phishing site that tricks the computer’s user to enter even moreinformation. If it gets away with all of that, it can even be used toset up an IRC (Internet relay chat) server on the computer to allow allthe information that has been harvested to be sold to interestedbuyers.

Considering the importance of bots, it isn’t surprising that theyhave been on the rise over the last six months of 2006. Over 63,000active bot-infected computers per day were observed, an 11 percentincrease from the first six months of 2006. Over six million activebot-infected computers were observed during the last six months of2006, up 29 percent from the first six months of the year, and all ofthis in spite of ever increasing security awareness and legislation. Itshows that criminals are working harder, and I guess they would have tobe if they are only able to sell an entire identity for around $14 USdollars! For more information, please see Symantec's Internet Security Threat Report.