By Paul Comessotti and Kellman Meghu
(This blog is the continuation of Botnets – The hacker’s backdoor to your network)
Looking at the evolution of the bot threat, the first bot, “GMBot”, was not malicious. In fact, it was created in the late 1980s to emulate a live person in Internet Relay Chat (IRC) sessions.
However, around 1999 bots emerged that were designed with harmful intentions. Thereafter, bots grew more sophisticated, and in some cases, were commercialized as products. The Zeus bot of 2006, for example, originally sold for several thousand dollars. In mid-2011, source code for the Zeus and SpyEye botnet kits was leaked, making these powerful botnet creators available to practically anyone that wants to establish their own botnet.
Today, botnets are primarily used as a backdoor into your enterprise. Once inside, hackers operate in silence and stay under the radar to steal as much information as possible before their presence is detected. Unfortunately, because bots are so stealthy, many companies aren’t aware of when their computers have been infected and security teams often lack the proper visibility into the threats that botnets create.
The future threat
In the coming years, botnets will continue to evolve using a combination of social engineering, zero-day exploits, as well as the proliferation of mobile computing and social networking.
In the past, it was assumed that most of the popular botnets were running on Windows machines, this is no longer true today. Linux and Mac systems are not immune. New botnet variants are cross-platform and the industry should also expect to see more Apple, Android and other mobile based botnets pop up where they communicate to Command and Control servers (C&C) using via 3G or Wi-Fi networks.
A disturbing trend is the use of social networks being used as command and control centres. Social networks and Web based services, like IM, are being used to send instructions to malicious programs installed on victim networks and can give hackers the ability to send encrypted commands. Using social networks such as Twitter, can allow a cybercriminal to set up shop quickly and nimbly shut it down without incurring the expense of managing an entire server.
Leveraging social engineering techniques
In addition, hackers are leveraging new and socially-engineered hacking techniques to drive botnet activity. Social networks also have made it easier to obtain personal and professional information about individuals and create new entry points to execute socially-engineered attacks, botnets and APTs. Check Point research <http://www.checkpoint.com/press/2011/092111-enterprises-victims-social-engineering.html> has shown the primary motivation of social engineering attacks is financial gain (51 per cent), followed by access to proprietary information (46 per cent), competitive advantage (40 per cent) and revenge (14 per cent) and can cost businesses anywhere from $25,000 to $100,000 per security incident.
In this day and age, hackers can easily get the tools and resources needed to execute successful botnet attacks. Unfortunately, this is a cat and mouse game. Each time new antivirus releases a file signature, malware authors create new variants of the malware. Luckily, law enforcement, large corporations and security experts are starting to take things seriously and stop bots, such as the Rustock, in their tracks. By bringing down the C&C servers, bot masters lose control over all of the zombie computers and prevent infection from spreading. While thousands of companies have already been targets of bots and APTs, businesses have the responsibility to stop it from spreading.
(Paul Comessotti is Canadian regional director; Kellman Meghu is Canadian security manager, Check Point Software Technologies)