Security researchers say the cost of criminal services such as distributed denial of service, or DDoS, attacks has dropped in recent months.
The reason? Market economics.
“The barriers to entry in that marketplace are so low you have people basically flooding the market,” said Jose Nazario, a security researcher with Arbor Networks.
“The way you differentiate yourself is on price.”
Criminals have got better at hacking into unsuspecting computers and linking them together into so-called botnet networks, which can then be centrally controlled.
Botnets are used to send spam, steal passwords, and sometimes to launch DDoS attacks, which flood victims’ servers with unwanted information.
Often these networks are rented out as a kind of criminal software-as-a-service to third parties, who are typically recruited in online discussion boards.
DDoS attacks have been used to censor critics, take down rivals, wipe out online competitors and even extort money from legitimate businesses.
Earlier this year a highly publicized DDoS attack targeted U.S. and South Korean servers, knocking a number of Web sites offline.
Are botnet operators having to cut costs like other businesses in these troubled economic times?
Security researchers don’t know if that’s been a factor, but they do say that the supply of infected machines has been growing. In 2008, Symantec’s Internet sensors counted an average of 75,158 active bot-infected computers per day, a 31 percent jump from the previous year.
DDoS attacks may have cost hundreds or even thousands of dollars per day a few years ago, but in recent months researchers have seen them going for bargain-basement prices.
Nazario has seen DDoS attacks offered in the $100-per-day range, but according to SecureWorks Security Researcher Kevin Stevens, prices have dropped to $30 to $50 on some Russian forums.
And DDoS attacks aren’t the only thing getting cheaper. Stevens says the cost of stolen credit card numbers and other kinds of identity information has dropped too. “Prices are dropping on almost everything,” he said.
While $100 per day might cover a garden-variety 100MB/second to 400MB/second attack, it might also procure something much weaker, depending on the seller.
“There’s a lot of crap out there where you don’t really know what you’re getting,” said Zulfikar Ramzan, a technical director with Symantec Security Response. “Even though we are seeing some lower prices, it doesn’t mean that you’re going to get the same quality of goods.”
In general, prices for access to botnet computers have dropped dramatically since 2007, he said. But with the influx of generic and often untrustworthy services, players at the high end can now charge more, Ramzan said.
Seven super ways to kick bot
With the bot menace burgeoning how do businesses and individuals prevent their PCs from being infected by bots, detect if they’re already compromised and take remedial steps?
Below we present seven proven tips from security experts.
Step 1 – Secure your systems
A computer system usually gets infected with a malicious bot via many of the same channels it falls prey to other malware, Trojans and viruses.
That being the case, experts say the first level of defence in battling bots involves the same basic steps that are effective against viruses and Trojans – keeping your systems patched, using firewalls, spam filtering software and so on.
As another popular route for a bot attack is Web links transmitted through instant messaging (IM), users should also look at anti-virus and filtering software for IM.
Some companies have disabled IM because of inherent risks associated with it.
However, for firms averse to taking such a step, or for whom IM happens to be a business critical capability, there are commercial applications that enable one to proxy those connections through a channel that has the ability to filter out malicious software.
Basic steps such as running a quality anti-virus program and installing apps that prevent loading of spyware and adware on your machine are a must.
These apps should also be kept up to date.
Regular – if possible daily – system scans, and enabling the automatic virus detection software that checks every file as it’s opened are also fairly fundamental safeguards.
Step 2 – Watch for warning signs
Keeping a watchful eye on the help lines often gives network and IT managers their first hints of a possible botnet infection.
Any significant increase in calls about slow systems or lots of pop ups could be a sign of bot compromised machines on the network.
Likewise, Internet service providers (ISPs) are well positioned to detect suspicious activity. Sometimes these signs are detected by network service providers that have ISPs as customers.
For instance, Florham Park, N.J.–based Global Crossing, a network services provider, has several ISP customers and constantly monitors their traffic for unconventional or anomalous behaviour.
“We look for unusual traffic flows, [a spurt in] DNS lookups for names known to be used by botnet controllers, or whether lots of their customers [are] suddenly making connections to the same machine,” says Jim Lippard, director of information security operations at Global Crossing in a podcast.
When such trends are detected, he said, the ISP is immediately notified.
“They, in turn, can either suspend service to an affected customer, contact the customer; or they can put filters in place to block the activity.”
He said an ISP may sometimes put the affected customer into a “walled garden” – a quarantined environment where the person can no longer browse the Web, but is redirected to a Web page that says: “You have a problem, here are some characteristics of that problem and here are recommendations to fix it.”
Step 3 – Scan the horizon
It’s not just individual systems, but traffic on company networks that should be scanned as well.
Outbound e-mail scanning, for example, can help detect a spam virus attack when it’s launched from your network. In such cases, locating the compromised PC should not be difficult.
Be very concerned if your IP address becomes part of a black list, as that’s a sure sign of trouble emanating from your network.
Several sites on the Web can check a wide array of registered blacklists for you.
One of these is Spamhaus, a volunteer initiative that aims to track e-mail spammers and spam-related activity.
Spamhaus has developed three widely used anti-spam DNS Blocklists:
– The Spamhaus Block List (SBL) is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services). It is supplied as a free service to help e-mail administrators better manage incoming e-mail streams.
– The Exploits Block List (XBL), is a realtime database of IP addresses of illegal third party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/ viruses with built-in spam engines, and other types of trojan-horse exploits.
– The Policy Block List (PBL) is a database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer’s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.
Many ISPs and other Internet sites use these free services to reduce the amount of spam they take on.
The SBL, XBL and PBL collectively protect over 500 million e-mail users, according to Spamhaus’ Web site.
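A blocklist check of the kind described above is a DNS lookup: the octets of the IP address are reversed and prefixed to the list's zone, and the A record that comes back (if any) says which list the address is on. The helper below is an added example written for this article; it is not Spamhaus software, and the meaning it assigns to the 127.0.0.x answer codes follows Spamhaus's public ZEN documentation as understood by the example's author, so verify those ranges against spamhaus.org before relying on them. The resolver is injectable, and a constructed offline resolver is included so the code runs without network access; `check_ip` falls back to the system resolver when none is supplied.

```python
"""DNSBL lookup helper (added example, not from the article or from Spamhaus)."""
import ipaddress
import socket
from typing import Callable, Optional

ZONE = "zen.spamhaus.org"  # combined SBL + XBL + PBL zone

# Spamhaus ZEN answer codes (assumption from public docs, verify before use):
#   127.0.0.2-3    SBL  (verified spam sources / CSS)
#   127.0.0.4-7    XBL  (exploited hosts: open proxies, spam-bot infections)
#   127.0.0.10-11  PBL  (end-user ranges that should not send direct SMTP)
# Answers outside 127.0.0.0/24 signal a query error, not a listing.
def classify(answer: str) -> str:
    if not answer.startswith("127.0.0."):
        return "query error / unknown code"
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "query error / unknown code"


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the blocklist zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def _system_resolve(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str,
             resolve: Optional[Callable[[str], Optional[str]]] = None,
             zone: str = ZONE) -> dict:
    """Look ip up in the blocklist. resolve(name) returns an A record as a
    dotted string, or None when the name does not exist (= not listed)."""
    if resolve is None:
        resolve = _system_resolve
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return {"ip": ip, "listed": False, "query": name}
    return {"ip": ip, "listed": True, "query": name,
            "answer": answer, "list": classify(answer)}


# Constructed offline resolver standing in for real DNS. The addresses are
# from the RFC 5737 documentation range, and the hits are invented.
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",   # constructed XBL hit
    "20.2.0.192.zen.spamhaus.org": "127.0.0.11",  # constructed PBL hit
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(check_ip(ip, resolve=fake_resolve))
```

Run against the real zone, the same `check_ip` call without the `resolve` argument uses the system resolver; note that Spamhaus answers queries from large public resolvers with an error code rather than a listing, which is why the classifier treats anything outside 127.0.0.0/24 as an error.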
Another option is signing up for e-mail feedback groups maintained by MSN, AOL and Yahoo that notify you if spam traffic arriving at those networks is originating from your IP address.
Intrusion detection software running on your network may be able to recognize the patterns of traffic that botnets generate once they’re inside.
Step 4 – Exercise your [Port] Authority
There are 65,535 available ports, but only 1,024 of them are designated by the Internet Assigned Numbers Authority as “well-known” ports.
But bad guys tend to sneak things through using higher numbered ports which have no use designated.
Some experts – such as Steve Pao, vice-president, product management at Barracuda Networks – recommend blocking Port 25, the IP port used for outbound e-mail.
Pao notes some ISPs are starting to block it on new accounts for e-mail that doesn’t have a legitimate IP address. He acknowledges that’s difficult for individuals to do, because it effectively prevents mail from going out.
But, he says, other features – such as Internet Relay Chat (IRC) should be blocked “because in most cases that will prevent zombies from calling home even if they do get installed.”
Another expert advocates a smart approach to “blocking” that enhances security, while not eroding functionality.
“Block everything you don’t use,” is the advice of Dean Turner, senior manager of security response at Symantec Corp. For most people, he says, use of the Internet requires only a few ports to be open.
“You’ll need ports 25 and 110 for e-mail, port 53 for DNS lookup, port 80 for the Web and port 443 for SSL,” he says, “and if you allow those ports and nothing else you’ll be much safer.”
The list of particularly dangerous ports commonly used by Trojans and other malware programs is available online.
Step 5 – Educate users
Smart and cautious users are an organization’s strongest defence against malware and botnets. Periodic educational sessions with users should focus on issues like:
– The importance of not opening attachments or navigating to links in an e-mail from unknown senders.
– Symptoms of a bot attack.
– The importance of immediately reporting to the IT department any signs that their systems are compromised.
Once bots get in they will try to do things like scan and disrupt other systems, with the same kind of behaviour you would see from a worm or a virus.
Industry insiders say IT managers should take proactive steps to ward off botnet infections – steps that go far beyond keeping virus signatures current.
For instance, Patrick Peterson, vice-president of technology at San Bruno, Calif.-based Ironport Systems Inc., a provider of Web and e-mail security products, notes that network and IT managers often get their first glimpse of a botnet infection by keeping an eye on the help lines.
“Find out how many people are calling in because their PCs are becoming unusable, either because they are too slow or there is a lot of popup activity.”
If there’s a sudden spike in calls reporting these problems, Peterson says, there’s something like a 10-to-1 chance the PCs have become part of a botnet.
Enterprise network administrators can also keep a close watch for suspicious outbound activity using their network-monitoring software.
Intrusion Detection and Intrusion Prevention systems allow you to identify how your network bandwidth is being used, so if you detect a sudden burst of peer-to-peer traffic or IRC traffic or an unusual set of DNS lookups, those are all characteristic of bot activity.
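The signals named in Steps 2, 4 and 5 (DNS lookups for names known to belong to botnet controllers, many customers suddenly connecting to the same outside machine, IRC traffic, a burst of DNS lookups, and egress to ports outside Dean Turner's short allowlist) can be turned into a single monitoring pass over flow and DNS logs. The code below is an added example for this article, not code from Global Crossing, Symantec or Ironport; its log format, the controller-name list, the thresholds and the 10.0.0.0/8 "internal" range are all constructed, and the IRC port range 6660–6669 is the example's own assumption about what "blocking IRC" means in practice.

```python
"""Toy monitoring pass over constructed flow and DNS logs (added example)."""
from collections import Counter, defaultdict
import ipaddress

# Port allowlist quoted in the article (mail, DNS, Web, SSL).
ALLOWED_PORTS = {25, 110, 53, 80, 443}
IRC_PORTS = set(range(6660, 6670))       # assumption: standard IRC ports
# Constructed list standing in for a real feed of controller names.
KNOWN_C2_NAMES = {"update.badbot.example", "irc.herder.example"}
FAN_IN_THRESHOLD = 3        # distinct internal hosts to one external host:port
DNS_BURST_THRESHOLD = 20    # lookups by one host within the log window
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed

# Constructed log lines: "flow <src> <dst> <dport>" or "dns <src> <qname>".
SAMPLE_LOG = """\
flow 10.0.0.5 198.51.100.7 443
flow 10.0.0.5 203.0.113.9 6667
flow 10.0.0.6 203.0.113.9 6667
flow 10.0.0.7 203.0.113.9 6667
flow 10.0.0.8 198.51.100.8 80
flow 10.0.0.9 198.51.100.20 31337
dns 10.0.0.6 update.badbot.example
dns 10.0.0.7 www.example.org
""" + "".join(f"dns 10.0.0.11 host{i}.example.org\n" for i in range(25))


def parse(log_text):
    """Split the text into flow tuples (src, dst, dport) and dns tuples (src, qname)."""
    flows, dns = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "flow" and len(parts) == 4:
            flows.append((parts[1], parts[2], int(parts[3])))
        elif parts[0] == "dns" and len(parts) == 3:
            dns.append((parts[1], parts[2].lower()))
    return flows, dns


def detect(log_text):
    """Return (kind, who, what) alerts for the indicators the article lists."""
    flows, dns = parse(log_text)
    alerts = []
    fan_in = defaultdict(set)
    for src, dst, dport in flows:
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            continue                      # only outbound traffic is judged
        fan_in[(dst, dport)].add(src)
        if dport in IRC_PORTS:
            alerts.append(("irc", src, f"{dst}:{dport}"))
        elif dport not in ALLOWED_PORTS:
            alerts.append(("egress_policy", src, f"{dst}:{dport}"))
    # Many internal hosts talking to the same outside host:port.
    for (dst, dport), srcs in fan_in.items():
        if len(srcs) >= FAN_IN_THRESHOLD:
            alerts.append(("fan_in", ",".join(sorted(srcs)), f"{dst}:{dport}"))
    lookups = Counter()
    for src, qname in dns:
        lookups[src] += 1
        if qname in KNOWN_C2_NAMES:
            alerts.append(("known_c2_name", src, qname))
    for src, n in lookups.items():
        if n > DNS_BURST_THRESHOLD:
            alerts.append(("dns_burst", src, str(n)))
    return alerts


def suspect_hosts(log_text):
    """Internal hosts named by at least one alert, to cross-check against help-desk calls."""
    hosts = set()
    for _, who, _ in detect(log_text):
        hosts.update(who.split(","))
    return sorted(hosts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print("suspects:", suspect_hosts(SAMPLE_LOG))
```

The fan-in rule is the one Lippard describes and is deliberately port-aware: three hosts fetching the same Web site on port 443 is normal, three hosts holding sessions to the same machine on an IRC port is not. The list of suspect hosts is what an administrator would compare against the help-line call log from Step 2.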
Step 6 – Share information
Better co-operation and information sharing between anti-virus and anti-spyware product vendors is vitally important to beat the botnet scourge.
Unfortunately, there’s little evidence of such co-operation.
These companies “tend to keep names of malware they find to themselves [so they can] use it to competitive advantage,” says Global Crossing’s Lippard.
Some vendors acknowledge that this is indeed the case.
TrendMicro CEO, Eva Chen, in an interview with IT World Canada, recalled the “early days” of the AV industry, when she and John McAfee (founder of anti-virus software vendor McAfee Inc.) used to exchange virus samples.
“Our belief was that you competed by creating a better product, not by collecting more virus samples.”
She rued the absence of this attitude among some newer vendors in the field. “They don’t play by those rules. They see collecting new samples as their competitive advantage.”
Step 7 – Use Web 2.0 tools
Social networking sites and tools often function as double-edged swords.
Spammers and bot herders use them to launch virus, Trojan or bot attacks.
But the networking potential these sites offer can also be harnessed to counter such threats.
Chen said her company experienced the incredible power of such co-operation following its purchase of HijackThis, a free utility that scans Windows computers to find settings that may have been changed by spyware, malware, or other unwanted programs.
HijackThis creates a report, or log file, with the results of the scan.
Chen said when HijackThis was put out under TrendMicro’s brand name, a Collect the Log feature was added, which gave users the option of sending the scan results log back to TrendMicro for analysis.
“The very first day we received 2,000 logs from customers and over the weeks this number continued to increase,” Chen said. “We were able to use these logs as a basis for data mining – to understand what the newest bot attacks are and to develop an antidote.”
TrendMicro offers companies a Botnet Identification Service that locates botnet command-and-control servers and blocks communications between them and the bots they control.
“By breaking their ability to communicate, the bots are rendered useless – unable to spew spam and launch crime-related attacks that could damage your brand image, degrade network performance, and increase support costs,” the TrendMicro site says.