
IRC botnets: The Needle and The Damage Done

Since August 15th, many organizations have been struggling to recover from the onslaught of the various worms exploiting the Universal Plug and Play (UPnP) buffer overflow vulnerability. Those unfortunate enough to see large numbers of systems hit by one or more worm variants face the usual challenge of recovering the systems. Microsoft and the antivirus vendors are eager to help you recover your systems, with several offering their own custom cleanup tools to eradicate the worms. Victims of this crop of worms would do well to heed the long-standing recommendation of information security experts: recover your contaminated systems by re-imaging them from pristine media, particularly if they were able to contact the outside world, even for a few minutes, using an IRC control channel.

It's often difficult for non-technical management to weigh the risks involved with any given outbreak. This week I've heard this sentiment expressed almost exactly the same way from managers in several different organizations:
"It's just a virus, right? I have those on my home PC all the time and nothing bad has ever happened."
Well, I'm sorry to be the bearer of the bad news, but that's not the way it is, certainly not any longer. The largest to date, in which up to 40 million credit card numbers were recently stolen, was reported to be due to a "computer virus". That was undoubtedly a pretty bad event for quite a few people. It can take many months, even years, for an innocent individual to recover from problems deriving from the theft of their identity. Far more people than you might think are affected by identity theft, as described in the Federal Trade Commission – Identity Theft Survey Report from two years ago. Experts acknowledge that the problem is getting worse, as large-scale automated attacks by worms and botnets are employed to harvest identity data.

Worms and bots execute arbitrary code on the zombied systems hosting them. They typically run with Administrator rights and can do anything the computer can do -- and they start doing it within seconds after the system is exploited. These things are not just hypothetical. Here are a few of the things that zombied PC systems have been observed to perform at the request of remote attackers controlling them from outside the corporate firewall. By the way, these are not alarmist proclamations; rather, they are mundane work-a-day activities of the typical botnet, observed and documented by many independent security consultants.
  • contact an IRC channel at a remote location, and receive arbitrary instructions
  • update the bot software, install new bot modules
  • scan penetrated networks for other vulnerabilities
  • probe the vulnerable systems and spread the bots
  • perform denial of service attacks on other networks
  • harvest (find and upload to remote servers) private, sensitive, secret or classified documents from hard drives
  • harvest passwords, user names, and other login information (from the Windows Registry, the Internet Explorer cache, cookies, and text or document files on the system)
  • harvest email addresses, contact information
  • sniff network traffic to capture passwords and other information
  • install rootkits, trojans, keystroke loggers and other malicious software
  • use the system to send spam
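
The first item in the list, contact with an outside IRC channel, is also the condition the post singles out for re-imaging, and it can be checked from connection logs. The following is an added example, not part of the original post: it flags internal hosts that sent IRC client commands to an external address on any port. The log format, the 10.0.0.0/8 internal range and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (not real traffic), one per line:
# "<time> <src_ip> <dst_ip> <dst_port> <first payload line>"
SAMPLE_LOG = """\
2005-08-16T09:01:12 10.1.4.23 203.0.113.50 6667 NICK xk-48213
2005-08-16T09:01:12 10.1.4.23 203.0.113.50 6667 USER xk 0 * :xk
2005-08-16T09:01:14 10.1.4.23 203.0.113.50 6667 JOIN #chan-example
2005-08-16T09:02:40 10.1.7.8 198.51.100.7 80 GET /index.html HTTP/1.1
2005-08-16T09:03:05 10.1.9.77 203.0.113.50 8080 NICK qz-10977
2005-08-16T09:03:06 10.1.9.77 203.0.113.50 8080 JOIN #chan-example
2005-08-16T09:04:00 10.1.4.23 10.1.0.5 6667 NICK helpdesk
"""

# IRC client commands (RFC 1459) at the start of a payload line.
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def outbound_irc_hosts(log_text):
    """Map internal source IP -> sorted (external dst, port) pairs that saw IRC."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # malformed record or no payload captured
        _, src, dst, port, payload = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable address field
        if src_ip in INTERNAL and dst_ip not in INTERNAL and IRC_CMD.match(payload):
            hits[src].add((dst, int(port)))
    return {host: sorted(peers) for host, peers in hits.items()}


def triage(log_text, flagged_hosts):
    """Split antivirus-flagged hosts by observed outside IRC contact, and
    surface hosts that made such contact without ever being flagged."""
    seen = set(outbound_irc_hosts(log_text))
    flagged = set(flagged_hosts)
    return {
        "flagged_with_irc_contact": sorted(flagged & seen),
        "flagged_no_contact_seen": sorted(flagged - seen),
        "unflagged_with_irc_contact": sorted(seen - flagged),
    }
```

Matching on the protocol commands rather than on port 6667 catches the host in the sample that used port 8080; a host with no contact seen in the logs is not thereby shown to be clean.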
Botnet controllers could also employ the zombied PC for or other fraud (e.g. for internet advertising).

The modern worm and bot attack has all the characteristics of yesteryear's intrusion -- a manual exploitation of a system by a hostile attacker. The universal consensus of the information security community in response to a crack of a system by an intruder is that the system must be re-imaged to regain assurance of its security. This recommendation hasn't changed in years, despite advances in rootkit detection techniques. The authors of such systems consider them to be useful for forensic analysis, not system recovery.

When a modern botnet invades your network, a remote person (or team of people) unknown to you has gained Administrator access to your systems. They have taken actions that you cannot trace, because they were not logged and because they may have modified system files or installed a rootkit. Somehow, because these attacks evolved slowly over a period of years from mundane virus and ostensibly benign worm attacks, managers sometimes don't take them seriously.

The primary difference between a classic intrusion and a botnet invasion is that the cracker quickly (within minutes) gains control of dozens, hundreds, or even thousands of compromised systems with a bot. The tasks allotted to the botnets can be automated as well. The nature of the threat is considerably greater than the virus or worm of days gone by. It's more appropriate to think of a bot as a manual intruder, multiplied by the number of contaminated systems, and treat it with the same degree of seriousness.

One last motivation for treating botnet invasions more like traditional "intrusions" is provided by the increasing attention of legislative, regulatory and oversight agencies. Private and governmental organizations alike may be under increasing legal and regulatory obligation to provide stronger assurances that recovery strategies are adequate. Legislation at the Federal and State level may require private industry to disclose serious computer breaches which expose their customers, business partners and employees to risk.

Sometime in the next year or so, you're going to read about a big problem -- a giant identity theft, a massive leak of confidential or sensitive documents, an organization with hundreds of machines owned by a botmaster for months before it was discovered. Don't let it be your organization that you're reading about. If you didn't focus on prevention after the last botnet invasion, and you got hit again, don't try to cut corners now. Restore compromised systems from pristine media, then get to work on a layered defense posture.
