Battle of the bots
By Penny Jones, ZDNet Australia
February 21, 2005
URL: http://www.zdnet.com.au/insight/security/soa/Battle-of-the-bots/0,139023764,139181336,00.htm
Special report: You can't hear them, you can't see them, and there is really nothing to tell you whether they are on your system. But be warned: bots are with us, and they have a search-and-destroy attitude that could be the death of your business.
At about the same time I, Robot came to our screens, hackers were launching a robotic attack of the virtual kind -- using bundles of code known as bots to exert control over the cyberworld. Each day, as computer users unassumingly logged on, more and more bots gained control, multiplying from 2000 monitored bots a day (as measured by Symantec at the end of 2003) to an average of 30,000 a day this past June, with spikes of 75,000 measured during the same period. Unlike Asimov's NS5 (the robot that, apart from one AI being, assumed a mass personality) bots come in many different individual forms. Like the NS5 though, network bots do have power in numbers.
The bots that are terrorising us today are programs, and they have been around for quite a while in a much more benign form. The first bots were used to create virtual opponents for video games or to spider Web sites. The first bot -- the Eggdrop bot -- was written in 1993 to help form party lines on Internet Relay Chat (IRC) channels. As bots became more sophisticated, they began to take on more sinister roles in the hands of some creators. Now they can be secretly installed on a target system, and once there, an unauthorised user can take control of it, issuing malicious directions to a single bot or to a whole group of bots the controller has set up. They have recently been known to launch viral attacks, extort money from companies, or send spam from your machine, without the user even being aware they are there.

Bot business has suddenly come to mean big money. In the same sort of place that Internet porn, fake Rolex watches, and promises of cheap Viagra lurk, you can find a black market for bad bots. According to Symantec security response team senior director Vincent Weafer, bots hidden on your machine can be put up to a range of dirty deeds netting their creators up to AU$100 an hour. Individual bots can disable virus protection and allow the nasties in, or armies of bots can make their way past the front line, using sheer force to flood a system and bring a business -- particularly an online operator -- down. Many of these bot services are proffered over the Internet to one and all.

"The [malicious] motivation between the launch of bot attacks can vary between profit and distortion," Weafer says. The controller of a bot can say 'I am going to do a Distributed Denial of Service [DDoS] attack on you unless you pay me money'. One sector where this scam is often used is online gambling sites.
"Bots are also certainly seen as a tool for the relay of spam, or they can be used to gain credit card information and to store illegal material on people's machines... bots really are dangerous because they can use machines for so many different purposes. In many cases bot networks themselves are available for rent at a per-hour amount. This depends on the number of machines or bandwidth types. One we pulled off had about 220 bots that had been sold for AU$800 a week, another had bots on 9000 machines. The average network amount is 2.5 cents per bot week. Rental is very low so it makes sense to use bots for extortion or for spamming," he adds.
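The mechanism described above -- a bot that quietly connects out to a controller's IRC server and checks in on a schedule for orders -- leaves a trace in outbound connection logs even when the host itself shows nothing. The following is an added example, not code from the article, Symantec or any vendor quoted here. It runs two cheap heuristics over a constructed, simplified firewall log (the log format, the IRC port list and the thresholds are all assumptions for this illustration): flag flows to common IRC ports, and flag any source/destination pair whose connection intervals are too regular to be a person at a keyboard.

```python
"""Spot bot-like outbound traffic in egress firewall logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Ports commonly used by IRC-based bot command-and-control in this period (assumed list).
IRC_PORTS = {6667, 6668, 6669, 7000}

# Constructed sample log. The format is an assumption for this example:
# "<ISO timestamp> <src> <dst>:<port> <proto>". 10.0.0.12 checks in with an
# IRC server every five minutes, 10.0.0.30 beacons to a web port every half
# hour, and 10.0.0.7 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2005-02-21T09:00:00 10.0.0.12 203.0.113.5:6667 TCP
2005-02-21T09:05:00 10.0.0.12 203.0.113.5:6667 TCP
2005-02-21T09:10:01 10.0.0.12 203.0.113.5:6667 TCP
2005-02-21T09:14:59 10.0.0.12 203.0.113.5:6667 TCP
2005-02-21T09:20:00 10.0.0.12 203.0.113.5:6667 TCP
2005-02-21T09:01:13 10.0.0.7 198.51.100.20:80 TCP
2005-02-21T09:02:44 10.0.0.7 198.51.100.21:443 TCP
2005-02-21T09:31:02 10.0.0.7 198.51.100.22:80 TCP
2005-02-21T10:12:50 10.0.0.7 198.51.100.20:80 TCP
2005-02-21T09:00:00 10.0.0.30 192.0.2.9:8080 TCP
2005-02-21T09:30:00 10.0.0.30 192.0.2.9:8080 TCP
2005-02-21T10:00:00 10.0.0.30 192.0.2.9:8080 TCP
2005-02-21T10:30:00 10.0.0.30 192.0.2.9:8080 TCP
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[2]:
            continue
        dst, _, port = parts[2].rpartition(":")
        try:
            records.append((datetime.fromisoformat(parts[0]), parts[1], dst, int(port)))
        except ValueError:
            continue  # bad timestamp or port: ignore rather than crash the sweep
    return records


def beacon_interval(timestamps, min_conns=4, max_cv=0.1):
    """Return the mean gap in seconds if the connections are regular enough to look
    machine-driven (coefficient of variation of the gaps <= max_cv), else None."""
    if len(timestamps) < min_conns:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_cv:
        return None
    return avg


def analyse(records, min_conns=4, max_cv=0.1):
    """Group flows per (src, dst, port); return {src: [reasons]} for suspicious hosts."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    findings = defaultdict(list)
    for (src, dst, port), stamps in sorted(flows.items()):
        if port in IRC_PORTS:
            findings[src].append(f"irc-port {dst}:{port}")
        interval = beacon_interval(stamps, min_conns, max_cv)
        if interval is not None:
            findings[src].append(f"beacon {dst}:{port} every ~{int(round(interval))}s")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyse(parse_log(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(reasons))
```

The port check alone is weak (a controller can run IRC on any port, and 10.0.0.30 shows why), which is the reason the timing heuristic is there as well; in practice you would widen the window to days, tune `max_cv` against your own baseline of scheduled jobs such as update checks, and feed the flagged hosts into a triage queue rather than block them automatically.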
For Australian businesses such as Professional Punter, a small site that makes money from the sale of gambling tips, bots are real-world threats. "In gambling, bot attacks are well-known and viewed in a pretty bad light," Professional Punter managing director Guy West says. And while his business knows about bots, which have been used in extortion attacks on larger bookmaking sites such as Centrebet and Canbet, it certainly can't afford the level of security it says it would need to ensure an attack will not happen to it. "We just have to grin and bear it," West says. "We have to take the normal precautions with our firewalls, antivirus software, and be careful opening attachments, but I don't think we would have the right security to cope with a sophisticated attack. But then again we don't really have the money to make huge extortion payments. I think only the big companies can really afford to take it seriously." UK betting site Betfair disagrees. It made a desperate plea on 29 November 2004 to its government and industry organisation asking them to heighten awareness and step up the fight against DDoS attacks, saying that while they have only affected a handful of larger businesses so far, any company relying on the Web for transactions is ultimately at risk. Online travel sites, book vendors and healthcare systems are all areas that could just as easily be a target of bot attacks, Betfair CTO David Yu says. Betfair says it has been targeted by Web-based criminals and has been a victim of DDoS attacks on three separate occasions, with hackers flooding its servers with mail sent from botnets, which often lurk on small business and home computers.
It has been suggested bot networks have also been launched by competitors or opponents in business, and that not all attackers have money on the mind -- some simply want to cause a little chaos. Whatever the motive, all those on the receiving end of a bot attack need to realise the implications. Unfortunately, many in business still do not.
In the last two years, Australia has become one of the prime locations for the launching of Internet-based attacks. Only China, Canada, and the US have more. A majority of these attacks have been put down to the increase in bot-infested machines seen in the country. "Unfortunately in Australia, being a well-connected society, we are a prime target," McAfee marketing director Alan Bell says. One of the biggest dangers in a well-connected society is that everyone can be at risk. He says both small and large businesses could find themselves targets of bot attacks, but it is the larger businesses that will see more damage inflicted. "But the upside is, in Australia, these people do tend to be more protected. Here, only 25 percent of companies are running without adequate protection -- but the average user of a computer (your home user) does not have quite as much value on their system and would probably never think that they need to." Small businesses, which use their computers in a limited capacity, tend to be the biggest liability when it comes to bots. They are generally targeted not for attacks, but instead as hosts, much the same as home computers. "Bot networks typically work off of unsuspecting computers, so most of the time people will not even know they are affected and will not see any need to protect against them," Australian Computer Emergency Response Team (AusCERT) senior security analyst Jamie Gillespie says. But McAfee's Bell says small businesses should also be concerned. He says one simple attack could easily bring a business of this size down with a loss of information from customer lists to credit card details. "Many of these businesses think it will never happen to them because they are unknown [to the hackers]. But bots and those who control them aren't always looking for someone in particular. If a business is vulnerable it will get caught -- they won't always care how big a machine is. All they might want is your banking information."
Gillespie agrees. He says most people, in cases where bots launch or deactivate viruses or the armour against them, will put the problem down to a virus before they look any further. "A bot can have strong similarities, and not appear to the user as anything else," Gillespie says.
"Software that is around for cleaning networks or preventing bot attacks is fairly expensive, it's proprietary and it is more of the big end of town that have the financial resources to protect themselves in this way. But as awareness and penetration of software reaches the market, the unit cost will come down and we will be able to eradicate more of these problems."
It only takes one bot to create a security risk. Paul Ducklin, head of technology at Sophos Asia-Pacific, says that Australian businesses have been able to escape the risk of bots in the past but the security risk can no longer be ignored -- especially in light of the present escalation of networks. "Bots are now so rapid and prominent that everyone needs to join in the fight against them. Companies in Australia will generally cut some slack for those [inadvertently] harbouring bots but it comes down to liability -- who is ultimately to blame for allowing bot attacks to happen. If your company is taking reasonable and simple precautions, then you should feel you have done the right thing by those you are doing business with," Ducklin says. So what can you do to protect yourself from bots? All fingers seem to point to the very things you should also be doing to protect from all other strains of attack such as viruses, Trojans, and other malicious virtual life forms. This means firewalls, antivirus software, and simple e-mail protection procedures like canning all dubious e-mails and not opening vague attachments. But with a multitude of hackers out there, often targeting not only computers in your own country but a series of machines worldwide in an attempt to dodge national legislation and information technology laws, there is another important element: keeping all protection updated.
Ducklin says it is often software sloppiness that tends to lead to a bot infestation. "The difference between a botnet computer and a normal one is that someone has collective information about the computers being utilised. If someone gets on your machine you should automatically assume that all security bets are off -- bots can have codes that will disable firewall and security monitoring and antivirus software. This can leave your network open to Trojans and viruses that are three years old," Ducklin says.
Bots may not have the same menacing exterior as the NS5 villain computer from I, Robot, and they may not be able to inflict the same physical damage, but bots are -- in a philosophical sense -- very much the same. The term bot is in fact short for robot, which of course is something that performs a set of actions on behalf of a remote controller. In the case of a virtual bot, they are bits of code controlled by malicious hackers, that sit on machines as "zombies" and perform actions as directed by their masters. A bot can connect to a service provider and apply for an e-mail address, providing false but seemingly genuine personal details for relevant fields -- just like automated form fillers. McAfee marketing director for Asia-Pacific Alan Bell says it is best to look at bots as cultivated entities "because they are used again and again."
"Bots are also self adapting -- most viruses tend to be static whereas bots will pull down updates from Web sites so they can adjust their attack to whatever latest vulnerability is out there. If they cannot get one in one way, they will get it another. They also know how to keep a low profile so you won't notice them on your security report," Bell says.
It must be a hacker's dream -- all of a nation's financial information on the one system. So what does the Australian Taxation Office (ATO) do to protect the interest of a nation? Having a whole nation's financial records in your hands puts you in a dangerous position -- especially when it comes to bot networks. So it is no surprise that the ATO highlights these threats in red, putting them up there with risks associated with Trojans or other viruses. Australian Tax Office CIO Bill Gibson says that what puts the ATO at greater risk is the increased Internet contact the office has taken on in recent years with its customers. This has led to a review of the ATO's security architecture (partly to further reduce the possibility of new bot attacks) and further education campaigns to try to stop bots from making it onto clients' systems in the first place. "The problem is we may feel we have got reasonably good protection against known [bot] threats, but it is the unknown ones we have to watch -- you don't want to be the first to discover a new threat, you want someone else to find it first so you know how to protect against it," Gibson says. "So one of the things we are, and I think everyone should be concerned about, is external clients. External clients may not realise how important it is to protect against these sort of things and they will often be the ones who will allow them to spread or enter your system." So Gibson says the ATO is constantly educating the tax community about the need to keep security up-to-date. "We say if you want to engage in electronic tax lodgement -- something we are encouraging -- then you must keep your password up-to-date and antivirus and firewalls as recent as possible." The ATO has two major concerns when it comes to bot networks.
One is the use of bots to retrieve personal and confidential information lodged by clients, the other is the possibility of a Distributed Denial of Service (DDoS) attack which, if successful, could bank up work and cost the busy department big dollars. "The ATO deals with a huge amount of client data and tax payer information so we have had to put a very tough filtering regime in place -- some organisations are a little looser in the way they allow traffic through their firewalls but we constrain, very tightly, and limit everything to significant attachments. That is one of the fundamental things we have done to change our risk profile. Of course the trade-off is how much you deny yourself access to -- we are very conservative in this way." Constant updates are also key. Gibson says as part of their desktop management contract with UDH, the ATO is constantly pushing out virus and patch updates. "We basically have a rolling cycle of updates every day -- those updates come through within hours of receipt. We have 22,000 to 25,000 devices we need to get to so we have to be careful we don't flood the network, so we program it routinely so our system does get updated. It is all just a part of keeping a healthy system."
This article was first published in Technology & Business magazine.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.