
Monthly Archives: May 2009

Internet service providers (ISPs) face a growing problem with the rise in botnets, malware that takes control of large numbers of computers. Over the last several months, the Conficker (sometimes called “Conflicker”) botnet has infected more than 10 million machines by some estimates, dwarfing previous botnets by an order of magnitude. Security researchers have also discovered iBotnet, the first large-scale Mac botnet, and Psyb0t, the first malware to take over Internet routers.

These trends pose challenges for cable operators. One task is to alert customers without frightening them. In a March 31 post to the Comcast Voices blog, Comcast Senior Director of Security and Privacy Jay Opperman described Conficker and possible preventive actions.

On the macro level, the biggest problem is the increase in Internet traffic associated with spam campaigns and distributed denial of service (DDoS) attacks, in which millions of compromised computers simultaneously send traffic to a Web site to disrupt service. Earlier this year, Time Warner Cable reported that its services had slowed because of a DDoS attack against its DNS servers.

A cat-and-mouse game is playing out between security experts creating tools for finding viruses, Trojan horses and worms, and hackers finding new ways to circumvent them. For attackers, success now lies in combining multiple techniques rather than exploiting a single weakness. The massive spread of Conficker illustrates this shift in strategy.
Analysis of a botnet

Starting in November, Conficker spread between Windows computers through a vulnerability that had been patched by a Microsoft Windows update a month earlier. Within a few days, millions of computers had been infected, particularly in countries like China, Russia and Brazil, where pirated copies of Windows did not receive security updates.

After the initial infection, the criminals updated the software so that it could infect other computers via USB drives and local area networks (LANs), even ones that had received the Microsoft patch. A single unpatched laptop could infect an entire office when it was brought into work. Massive infections were reported worldwide, including military computers in the UK, France and Germany.

Then the criminals added more features that blocked infected computers from going to Web sites of security companies and blocked security applications, making it more difficult to remove the malicious software. It was not until four months after it was launched, when the Conficker code had taken control of millions of computers, that it began its first malicious activities. In early April, infected computers started installing scareware and spam software. Scareware tells users they have been infected, but that the virus can be cleaned out if they spend $50 on bogus security software.

As of this writing, no one has found the Conficker authors, even though Microsoft has posted a $250,000 reward, and security personnel have launched one of the biggest bot hunts in history.
Tracking the botnets

Botnets communicate with their controller and locate potential targets over the Internet, which provides ISPs and security personnel an opportunity to study them and, in some cases, control or dismantle them.

Deep packet inspection (DPI) lets cable operators see botnet traffic in progress. In some cases, operators have blocked traffic for IRC, a service commonly used for managing botnets. However, these tactics can anger legitimate users.

Botnet owners typically cause the machines to check in with a server at a specific domain name. Initially, Conficker was instructing infected machines to check 250 different domain names every day to find one with an update or instructions. Hackers only had to control one domain name to send out new commands. But security professionals were able to secure all of these.

The Conficker authors raised the bar to having the zombies check 500 out of 50,000 different domain names every day; despite this large number, security professionals succeeded in locking all of these Web sites out of the hands of the hackers, noted Jose Nazario, manager of security research at Arbor Networks.

Infected machines downloaded new updates only because hackers had developed another mechanism to send updates via a peer-to-peer (P2P) network. Nazario said that because of the success of their efforts at blocking these attacks, the hackers eliminated the mechanism for checking Web sites for updates.
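Two defender-side calculations follow, as an added example that is not part of the original article and is not Conficker's code or Arbor's tooling. The first part uses the article's figures (250 names checked per day, later 500 drawn from a daily pool of 50,000) to show why the defenders had to register or sinkhole every candidate name rather than most of them. The second part runs a simple check over a constructed resolver log (the random-looking names, client addresses and the `min_nxdomain` / `min_ratio` thresholds are invented for illustration) to flag a host whose DNS lookups look like a sweep through a daily list of candidate names.

```python
"""Defender-side view of a domain-rendezvous botnet (added example, not the
article's or Conficker's code). Part 1 quantifies why defenders had to lock
up *every* candidate name; part 2 flags hosts whose DNS behaviour looks like
a bot trying a large daily list of candidate names."""
from collections import defaultdict


def p_bot_reaches_unsecured(pool: int, checked: int, unsecured: int) -> float:
    """Probability that one bot, which looks up `checked` distinct names drawn
    at random from a daily pool of `pool` names, hits at least one of the
    `unsecured` names defenders failed to register or sinkhole.
    Computed as 1 - P(every name it checks is in the secured set)."""
    if not 0 <= unsecured <= pool or not 0 <= checked <= pool:
        raise ValueError("inconsistent pool sizes")
    secured = pool - unsecured
    if checked > secured:
        return 1.0                      # it cannot avoid an unsecured name
    p_all_secured = 1.0
    for i in range(checked):            # hypergeometric, term by term
        p_all_secured *= (secured - i) / (pool - i)
    return 1.0 - p_all_secured


def p_any_bot_reaches(pool: int, checked: int, unsecured: int, bots: int) -> float:
    """Probability that at least one of `bots` independently sampling bots
    reaches an unsecured name on a given day."""
    p_one = p_bot_reaches_unsecured(pool, checked, unsecured)
    return 1.0 - (1.0 - p_one) ** bots


# Constructed resolver log: "<timestamp> <client> <queried name> <rcode>".
# The short random-looking names and addresses are invented for this example.
SAMPLE_DNS_LOG = """\
2009-04-01T00:00:01 10.0.0.5 qbkxwz.org NXDOMAIN
2009-04-01T00:00:01 10.0.0.5 rtmlpqa.net NXDOMAIN
2009-04-01T00:00:02 10.0.0.5 zvgtoc.info NXDOMAIN
2009-04-01T00:00:02 10.0.0.5 hplmzqe.com NXDOMAIN
2009-04-01T00:00:03 10.0.0.5 wkdnsfa.org NXDOMAIN
2009-04-01T00:00:03 10.0.0.5 yuqrbe.net NXDOMAIN
2009-04-01T00:00:04 10.0.0.5 updates.example.com NOERROR
2009-04-01T00:00:01 10.0.0.9 www.example.com NOERROR
2009-04-01T00:00:02 10.0.0.9 mail.example.net NOERROR
2009-04-01T00:00:03 10.0.0.9 typo.exmaple.com NXDOMAIN
"""


def flag_dga_clients(log_text: str, min_nxdomain: int = 5,
                     min_ratio: float = 0.5) -> dict:
    """Return {client: (distinct_nxdomain, total_queries, ratio)} for clients
    whose lookups look like a candidate-list sweep: many *distinct* names that
    do not resolve, making up a large share of what the host asked for.
    The thresholds are illustrative assumptions, not tuned production values."""
    nx_names = defaultdict(set)
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                    # skip malformed lines
        _ts, client, qname, rcode = parts
        totals[client] += 1
        if rcode == "NXDOMAIN":
            nx_names[client].add(qname.lower())
    flagged = {}
    for client, total in totals.items():
        nx = len(nx_names[client])
        ratio = nx / total
        if nx >= min_nxdomain and ratio >= min_ratio:
            flagged[client] = (nx, total, ratio)
    return flagged


if __name__ == "__main__":
    # Figures from the article: 250 names checked per day, then 500 of 50,000.
    print("250-name scheme, one name missed:", p_bot_reaches_unsecured(250, 250, 1))
    print("500-of-50,000, one name missed, one bot:", p_bot_reaches_unsecured(50_000, 500, 1))
    print("... across 1,000,000 bots:", p_any_bot_reaches(50_000, 500, 1, 1_000_000))
    print("flagged clients:", flag_dga_clients(SAMPLE_DNS_LOG))
```

The coverage numbers make the article's point concrete: under the original scheme a bot checked all 250 names, so a single unsecured name reached every bot; under the 500-of-50,000 scheme a single missed name is contacted by only about 1 percent of bots per day, but with millions of infected machines that is still a near-certain update channel, which is why the response had to cover the whole pool. The log check is a coarse heuristic: a legitimate host with a few typos will not trip it, while a host that asks for many distinct non-existent names in a short span stands out for a closer look.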

The future of security looks more like a partnership among service providers, Internet routing and DNS organizations, security personnel and law enforcement. As criminal hackers become more sophisticated, no one magic bullet will solve the security challenge.

An unintended benefit of Conficker is that it raised the security bar. Nazario said: “It is encouraging that so many folks could put aside competitive differences and work together for a common goal that cuts across different silos in operations and research communities. Traditionally, the folks that do routing, run DNS servers, and security researchers don’t talk to each other. This was a huge change.”

Author: George Lawton