Botnet boom and bust

happygeek

It is not often that a drunken discussion provides anything more than a hangover the following morning, but recently a bunch of IT security experts got talking while the beer was flowing and someone asked the question: what is the biggest threat on the IT landscape today? Everything from 'the user' at the obvious end through to 'Bill Gates' at the drunken bum end of the scale was suggested, but the undoubted winner which was revealed before we all passed out was the botnet.

Think about it: botnets have all but taken over as the control centre of the exploits that cause the most damage to the home user and corporate alike. If you are plagued by spam then the chances are there is a botnet out there coordinating the distribution of it; your computer might even be a part of such a distribution chain without your knowledge or consent. If your business finds itself the victim of a Distributed Denial of Service attack, there is the botnet for hire behind the scenes launching the data missiles. If you are the target of a drive-by malware incident, chances are that the Trojan you have downloaded will carry a payload that includes compromising your PC and adding it to a botnet army somewhere or other. Read any security vendor threat report for 2007 and you can bet your bottom dollar that the botnet features loud and clear and often.

The good news is that with the botnet boom comes the botnet bust. IT security and control firm Sophos yesterday reported that the biggest, not to mention most damaging, botnet ever discovered in Canada has been busted. They say the Mounties always get their man, and in this case they got a woman as well. A total of 17 people ranging from 17 to 26 years old were arrested in a series of dawn raids across the country in connection with a superbotnet that is suspected of comprising an astonishing 1 million compromised computers in 100 different countries. Seven of those arrested have been charged with illegally obtaining computer services, illegally possessing computer passwords, and hacking. Law enforcement agencies also confiscated numerous computers during the raids and are confident that, once these have been analysed, more charges will be forthcoming against other alleged hacker gang members.

"The Canadian authorities should be applauded for investigating organised cybercrime, which is blighting computer users around the world," said Graham Cluley, senior technology consultant for Sophos. "Huge amounts of money can be made by hackers running zombie botnets: installing adware, renting out the network to launch blackmailing DDoS attacks against websites, or using them to steal identities or spew out spam campaigns. Running an illegal botnet is a serious crime, and those found guilty must be punished appropriately."

A step in the right direction then, but the reality is that even with one superbotnet removed there are plenty of others just waiting to step up to the plate and replace it. What is needed is something more, something proactive, something that can sniff out a botnet and take it down. Something like BotSniffer. I will avoid repeating the many, varied and disgusting puns that were forthcoming at that IT security geek beer drinking session as BotSniffer was discussed, but needless to say when you get past the name this is a very serious weapon as far as anti-botnet deployment is concerned. The Georgia Institute of Technology has written an in-depth paper called "Detecting botnet command and control channels in network traffic" which explains all if you have the head for it. However, the long and short of it is that BotSniffer is a prototype which uses traffic analysis methods to look for the tell-tale command and control channels used by botnets.

The Georgia Tech researchers have been testing it in the lab, but by using real world network traces have proved that it could work pretty darn well outside of those carefully controlled conditions. It is a clever concept, because command and control channels lie at the very heart of the botnets' ability to move instructions around the widely distributed infected host machines. Once these control channels are found, and the commands interrupted, the botnet is effectively dead in the water. As a bonus, it is also possible to reveal all the bots in a monitored network as well as the command and control servers themselves. A double whammy of anti-botnet loveliness.

According to the Georgia Tech paper: "We observe that the bots of a botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. This helps us identify command and control within network traffic. For instance, at a similar time, the bots within a botnet will execute the same command - obtain system information, scan the network - and report to the command and control server with the progress/result of the task."
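
To make the correlation idea in that quote concrete, here is an added sketch (not code from the paper, and not BotSniffer's actual algorithm) that flags a server when most of the monitored clients it messages react with the same activity shortly afterwards. The event records, addresses, activity labels and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict

WINDOW = 10.0      # assumed: seconds after a server message in which a reaction counts
MIN_CLIENTS = 3    # assumed: ignore servers with too few monitored clients
MIN_SHARE = 0.75   # assumed: fraction of clients that must react the same way

# Constructed sample data: (time, client, server) for inbound server messages
MESSAGES = [
    (100.0, "10.0.0.11", "198.51.100.7"), (100.1, "10.0.0.12", "198.51.100.7"),
    (100.2, "10.0.0.13", "198.51.100.7"), (100.3, "10.0.0.14", "198.51.100.7"),
    (100.0, "10.0.0.21", "203.0.113.9"), (100.4, "10.0.0.22", "203.0.113.9"),
    (100.5, "10.0.0.23", "203.0.113.9"),
]
# Constructed sample data: (time, client, activity) observed from each client
ACTIVITY = [
    (102.0, "10.0.0.11", "scan"), (102.5, "10.0.0.12", "scan"),
    (103.1, "10.0.0.13", "scan"), (104.0, "10.0.0.14", "scan"),
    (101.0, "10.0.0.21", "http"), (160.0, "10.0.0.22", "smtp"),
    (105.0, "10.0.0.23", "dns"),
]

def first_response(client, t_msg, activity):
    """Earliest activity by client within WINDOW seconds after t_msg, else None."""
    hits = [(t, a) for t, c, a in activity
            if c == client and t_msg < t <= t_msg + WINDOW]
    return min(hits)[1] if hits else None

def correlate(messages, activity):
    """Return {server: (activity, clients)} where clients reacted alike in time."""
    by_server = defaultdict(dict)
    for t, client, server in messages:
        by_server[server].setdefault(client, t)   # first message per client
    suspects = {}
    for server, clients in by_server.items():
        if len(clients) < MIN_CLIENTS:
            continue
        responses = {c: first_response(c, t, activity) for c, t in clients.items()}
        counts = Counter(r for r in responses.values() if r is not None)
        if not counts:
            continue
        act, n = counts.most_common(1)[0]
        if n / len(clients) >= MIN_SHARE:          # a crowd doing the same thing
            suspects[server] = (act, sorted(c for c, r in responses.items() if r == act))
    return suspects

if __name__ == "__main__":
    for server, (act, bots) in correlate(MESSAGES, ACTIVITY).items():
        print(f"suspected C&C {server}: {len(bots)} clients ran '{act}' together: {bots}")
```

In the sample data the clients of the first server all start scanning within seconds of its message, so that server and its four clients are flagged, while the second server's clients each do something different and are left alone.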