Feature Article: Botnet 2011

by Steve Fox, Senior IT Security Auditor, Coalfire

The very word botnet almost sounds like a B-grade science fiction flick. In all reality, it does have a rather sci-fi premise. It sounds crazy, but a botnet is a collection of computers that have been infected with malware and find themselves under the complete control of the botnet's operator, who generally has sinister motives. (Cue the creepy music.)

Botnets are often the scheme of choice for organized crime rings. The bad guys quietly capture keystrokes on compromised computers to harvest the credentials for bank accounts and other protected systems, and they use those same machines to launch spam campaigns or distributed denial of service attacks. Unfortunately, this is not science fiction or any other kind of fiction; it is a very real threat. The past year has witnessed a dramatic rise in the malware that silently draws unsuspecting computer users into the sticky web of a botnet platform, and the consequences are significant.

Despite nearly universal awareness of antivirus software and the necessity of maintaining system patches, the botnet thugs are winning. Botnet architects have devoted themselves to developing malware that bypasses antivirus detection, and they are doing it well. Current detection rates for new samples have fallen to roughly 30%. In other words, about two out of every three new pieces of botnet malware slip right past protective software and begin to wreak havoc on fully patched, up-to-date systems. Against malware engineered to evade signature-based detection, a fully patched system ends up nearly as vulnerable as an unpatched one.

System infiltration generally happens via a drive-by download or through social engineering. The drive-by method automatically installs malware on unsuspecting victims' machines when they visit a booby-trapped web page; it relies on an exploitable flaw in the browser or one of its plugins, which is why patching helps against it. Social engineering tricks victims into installing the malware themselves by deceiving them into opening a malicious email attachment (e.g., "There is a problem with your federal tax return. Please review the attachment to avoid IRS penalties."); it needs no vulnerability at all, so patching does nothing against it, and only user awareness and attachment filtering at the mail gateway stand in the way. Both methods work, and the result is the same: complete control of the compromised computer by the botnet operator.
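The attachment lure described above is the one infection vector a mail gateway can screen for before the user ever sees it. The following is an added example, not code from the article or from Coalfire: it parses a raw email message, walks its MIME attachments, and flags the two patterns these campaigns rely on, an executable hidden behind a double extension such as "Tax_Return.pdf.exe" and an executable packed inside a ZIP archive, detecting the archive by its magic bytes rather than its declared content type. The extension lists and the sample message are constructed for the example and are assumptions; extend the lists for your own environment.

```python
"""Screen an email for executable lures (added example, not Coalfire's code)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions Windows will run on double-click. Assumed starting list, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Document extensions used as the decoy half of a double extension ("form.pdf.exe").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
RLO = "\u202e"  # Unicode right-to-left override, used to make "x.exe" display as "x.pdf"


def classify_filename(filename: str) -> Optional[str]:
    """Return a reason string if the name looks like an executable lure, else None."""
    if not filename:
        return None
    if RLO in filename:
        return "right-to-left override in filename"
    # Windows drops trailing dots/spaces, and lures pad the decoy with spaces:
    # "report.pdf                    .exe" -> compare on a compacted name.
    compact = filename.strip().rstrip(". ").lower().replace(" ", "")
    parts = compact.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return f"double extension .{parts[-2]}{ext}"
    return f"executable attachment {ext}"


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (attachment name, reason) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        reason = classify_filename(fname)
        if reason:
            findings.append((fname, reason))
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared type: a lure may label a ZIP as octet-stream.
        if payload[:4] == b"PK\x03\x04":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    # Entry names are readable even in password-protected archives.
                    for info in zf.infolist():
                        inner = classify_filename(info.filename)
                        if inner:
                            findings.append((f"{fname}:{info.filename}", inner))
            except zipfile.BadZipFile:
                findings.append((fname, "corrupt ZIP archive"))
    return findings


def build_sample_message() -> bytes:
    """Construct a lure like the IRS example in the article (constructed test data)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # Stand-in bytes with a PE header prefix; not a real program.
        zf.writestr("Tax_Return_2010.pdf.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "notices@example.invalid"
    msg["To"] = "payroll@example.invalid"
    msg["Subject"] = "Problem with your federal tax return"
    msg.set_content("There is a problem with your federal tax return. "
                    "Please review the attachment to avoid IRS penalties.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="Tax_Return_2010.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="W2_Correction.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {why}")
```

Blocking on the filename is the cheap first layer; it does nothing about a malicious PDF or Office document that carries a real exploit, which is where the drive-by style of attack and the patching argument come back in.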

Money and Information
Cyber criminals are generally after the same things that most criminals want: money and information. The primary job of the botnet platform is to capture the login credentials of people with access to those gems.

When money is the goal, payroll and human resources departments are often the targets. Once the computers are under the control of the botnet organizers and the login information is in their hands, they can easily wire large sums of money from the organization's bank accounts to offshore accounts where access is easy and anonymous.

If it is information they seek, botnet bad guys will home in on senior strategists or C-level executives who have access to sensitive corporate intelligence. Market strategy information or proprietary R&D can be quite valuable to the competition.

2011 Rocky Mountain Information Security Conference
Due to the unprecedented spread of this cyber threat, Coalfire has conducted significant research into botnet risks, developments, and protective measures. We have been asked to share our findings at the 2011 Rocky Mountain Information Security Conference. Karl Steinkamp and Steve Fox, both Senior Security Advisors at Coalfire, will be presenting on topics such as: what botnets are and how they pose risks to business; the recent development and growth of the Zeus and SpyEye botnets; the latest trends in the wild; 0-day prevalence; advancements in antivirus evasion; and how to protect your web applications and end users' computers.

The 2011 Rocky Mountain Information Security Conference will be held on May 13th in Denver, Colorado. For more information about the conference, please visit http://www.isaca-denver.org.