Even second helping of Bot Roast “won’t eliminate cybercrime”

Botnets will continue to plague the on-line world as long as their use for criminal activities remains profitable.

Experts say recent high profile arrests by the FBI are unlikely to eliminate the menace.

The arrests were made as part of the second phase of an ongoing cyber crime initiative to disrupt and dismantle bot herders known as Bot Roast II.

“The deterrence value that arrests and prosecutions such as these provide cannot be underestimated, but there is little real impact on cybercrime yet,” Dmitri Alperovitch, principal research scientist, Secure Computing Corporation.

The arrests, he said, may “take out a few big players and may scare some others out of the scene.”

Security expert Andrew Hay, Manager of Integration Services, Q1 Labs Inc. says over the long haul, the impact of the arrests will be quite small, and he sees a negative effect too.

“I don’t think the arrests will provide the long-term impact that the FBI is expecting. In fact, [they] may actually be a double-edged sword.”

Making such a public example of these botnet herders, he said, may drive their competitors and colleagues further underground.

Experts say financial gain is the big driver behind most bot activity.

As there is a lot of money to be made, organized crime has got involved in a big way. will continue to drive the development of new, and more sophisticated, botnets, Alperovitch notes.

He says botnets are “at the root of nearly all cybercrime activities we see on the Internet today.”  

And as Hay points out, botnet herders are already breaking down their larger botnets into smaller, dispersed, and harder-to-track bots. The costs and risks of doing business continue to be quite low for the bot masters.

Furthermore, the latter – for the most part – remain beyond the reach of investigators despite several aggressive prosecutions and a commitment to information sharing between law enforcement agencies around the world.

For example, the FBI and British MI5, while actively monitoring and tracking bot activity, cannot easily prosecute bot masters in Eastern Europe and Asia – hotspots for bot activity, where few countries have laws addressing cybercrime.

First line of defense

In response, Canadian businesses would be wise to step up their defenses against the invasion of botnets and potential Distributed Denial of Service (DDoS) attacks, security industry insiders say.

Apart from standard defense tools such as firewalls, intrusion detection/prevention, and router access control lists, IT managers can now access a range of newly available services.

These include Trend Micro’s Botnet Identification Service, or managed security services from Arbor Networks or Damballa – both of which specifically target botnet activity.

Andrew Hay of Q1 Labs believes botnets can only be effectively detected by using advanced flow and log correlation network security management products.

“The mixture of logs and network flows allow you to distinguish attacks from a simple increase in normal traffic.”

The weakest link
“Users are the weakest link,” states Alperovitch.

While technological solutions can be effective – IT professionals must ensure systems are as secure as possible – the key strategy will be ensuring users are aware of the dangers lurking on line, and know how to minimize their risk of infection.

Users must exercise constant vigilance, he says.

Most botnets use social engineering ploys to deliver a payload of malicious code: typically an e-mail message with a tantalizing subject line, containing a link to a Web site which automatically downloads malicious code that turns their computer into a bot – a zombie that does the will of the bot herder.

Infection is also extremely difficult to detect. There is usually no immediate effect that the user will notice.

The botnet Trojan keeps a low profile, using few system resources, and leaving user data intact, even as it harvests passwords or other valuable information and communicates with its command and control server. The aim is to use the host machine for other attacks, not destroy it.

According to Alperovitch, users need to be trained to think of their on-line activity in the same way as they do their personal safety. “If you find yourself in a dark alley, your sensitivity to danger is heightened. You need to do the same on-line.”   

Botnet propagation would be severely curtailed, he said, if users question every unusual or enticing email message, and learned to carefully examine hyperlinks for bogus target URLs.

Reputation systems
Alperovitch also points to the growing importance of reputation systems that allow users to check the trustworthiness of any Web site or domain they are uncertain about. Secure Computing’s TrustedSource.org is one such site.

There a user can enter the URL, IP address or domain name of a suspicious site or email addressee to receive a report on that site’s activities, along with a flag indicating whether the site is neutral or malicious. The idea is to give users a scorecard, such as the one eBay uses for sellers.

Armed with new technologies and services such as these, companies have a fighting chance against the bot armies, but if they do not ensure that system users know how to recognize and respond to threats, botnets will continue to find a way in, disrupting networks and undermining confidence in the Internet as a means of communications and commerce.

Share on LinkedIn Share with Google+