Invasion of the botnets: Cyberattacks on the rise
In the past year, the threat landscape has been marked not by the emergence of a sexy new vulnerability or exploit but by the sheer number of attacks and the increasing professionalization of the bad guys behind them.
For the past year, the cyber threat landscape has been dominated not by new vulnerabilities and exploits so much as by the sheer number of attacks against information technology systems and the growing professionalization of the bad guys behind them.
“The sexiness of the threat has not increased,” said one industry observer who met with a multiagency task force on intrusion. “But the exposure in terms of the number of exploits is growing exponentially.”
The numbers are sobering.
“Malware is at the highest point we’ve ever seen it,” said Dave Marcus, director of security research at McAfee Avert Labs. “2008 was the biggest year so far. The first half of 2009 has eclipsed all of 2008,” with 8,000 new variants appearing each day. “It’s easier to create new malware than ever before.”
Symantec reports similar activity. The company created 1.6 million new threat signatures in 2008, or about one new signature every 20 seconds. It has created 2 million signatures in the first half of this year, or about one every eight seconds.
The most visible results of this epidemic of malware are the periodic distributed denial-of-service attacks that generate a lot of attention. The most high-profile recent example was the July 4 outbreak that apparently originated in North Korea and targeted government and commercial Web sites in the United States and South Korea. Smaller outbreaks have targeted popular social-networking sites, such as Twitter and Facebook.
Such attacks have become a part of online life, observers say. Because of the prevalence of denial-of-service attacks and the volume of transactions now conducted online, some experts rate them as a greater threat than intrusions that execute malicious code inside a system or steal information from it. But most experts agree that in the long run, a successful exploit that executes code inside a system is more likely to do significant damage.
“I see them happening more and more,” George Schu, vice president of Booz Allen Hamilton, said of denial-of-service attacks. “But in general, they aren’t a very serious problem.”
Denial-of-service attacks can disrupt business and online availability of resources but do little or no long-term damage. Organizations need to be prepared to identify and recover from such attacks, but in the end, “you still are going to be attacked,” Schu said.
Yuval Ben-Itzhak, chief technology officer of Finjan, agrees. “There is nothing much you can do about it,” he said.
One difficulty in responding to online attacks, whether they are denials of service or intrusions, is determining their source. Because the botnets that launch denial-of-service attacks are global, the immediate source of the malicious traffic says little about who is ultimately behind the attack or why. Last month's so-called North Korean attacks appear to have been controlled from a server in the United Kingdom, and reports attributing infiltrations of U.S. government and power grid systems to Chinese hackers could likewise rest on speculation.
“Just because it is located in China doesn’t mean that a Chinese [person] is behind it,” said Patrick Peterson, a Cisco fellow and security researcher.
Although denial-of-service attacks can be mitigated, the availability of large-scale botnets — global networks of compromised computers under remote control — as a platform for delivering the malicious traffic makes the attacks difficult if not impossible to prevent. It's hard to say just how big botnets are. McAfee reports as many as 3 million to 4 million new infections a month, but the lifespan of an individual infection can be short, sometimes only a day or two before it is discovered and removed, and some machines are reinfected regularly.
“You have to be updating and scanning regularly” to avoid becoming part of a botnet, Marcus said.
The spread of malware
These highly distributed malicious networks are built and replenished by a steady flow of malware that infects new computers and recruits them as zombies.
“The explosion of new malware variants is what keeps me up at night,” said Zulfikar Ramzan, technical director of Symantec Security Response.
Attackers are getting around signature-based anti-malware tools by changing the code just enough to sneak it past the filters. A signature matches a fixed byte pattern or file hash, so a variant that differs by only a few bytes passes untouched. Not every variant works, but enough of them are successful to keep signature writers busy.
“The model is shifting from a massive distribution of a few threats to the microdistribution of a large number of different threats,” Ramzan said. “There can be a unique variant of a threat for every person who downloads it.”
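The Python below is an added illustration of the evasion Ramzan describes; it is not code from the article or from any vendor named in it. It stands a constructed byte blob in for a malware binary (an assumed fake header, a NOP sled and an assumed hard-coded command-and-control string), generates variants that change only the non-functional bytes, and runs two detectors over them: an exact file-hash signature, which matches only the copy the vendor has seen, and a heuristic rule keyed to the behaviour the author cannot change. The sample bytes, the variant generator and the rule are all assumptions for the demonstration.

```python
import hashlib
import random
import re

# Constructed stand-in for a malware binary: a fake header, a NOP sled and a
# hard-coded command-and-control string (the part the author actually needs).
# Everything here is an assumption for the demonstration, not a real sample.
C2_STRING = b"connect=c2.example.invalid:8080;"
BASE_SAMPLE = b"MZ" + b"\x90" * 16 + C2_STRING + b"\x00" * 8
BENIGN_SAMPLE = b"MZ" + b"\x90" * 16 + b"Hello, world\x00"


def file_hash(sample: bytes) -> str:
    """Exact-match signature: a SHA-256 over the whole file."""
    return hashlib.sha256(sample).hexdigest()


def make_variant(seed: int) -> bytes:
    """Simulate a variant generator: change the sled length and append random
    junk, leaving the functional C2 string untouched. Every seed yields a file
    with a different hash and identical behaviour."""
    rng = random.Random(seed)
    sled = b"\x90" * rng.randrange(4, 64)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 32)))
    return b"MZ" + sled + C2_STRING + junk


# What a hash-based signature database knows: the one sample the vendor saw.
KNOWN_HASHES = {file_hash(BASE_SAMPLE)}

# A heuristic rule in the spirit of a YARA string match: key on the invariant
# behaviour (a hard-coded host:port the malware dials out to), not on the
# bytes around it.
HEURISTIC_RULES = [re.compile(rb"connect=[A-Za-z0-9.\-]+:\d{1,5};")]


def detect_by_hash(sample: bytes) -> bool:
    return file_hash(sample) in KNOWN_HASHES


def detect_by_heuristic(sample: bytes) -> bool:
    return any(rule.search(sample) for rule in HEURISTIC_RULES)


def evaluate(n_variants: int = 200) -> dict:
    """Run both detectors over n distinct variants plus the benign file and
    report how many each catches."""
    variants = [make_variant(seed) for seed in range(n_variants)]
    return {
        "variants": n_variants,
        "hash_hits": sum(detect_by_hash(v) for v in variants),
        "heuristic_hits": sum(detect_by_heuristic(v) for v in variants),
        "benign_false_positive": detect_by_hash(BENIGN_SAMPLE)
        or detect_by_heuristic(BENIGN_SAMPLE),
    }


if __name__ == "__main__":
    print(evaluate())
```

The hash signature catches the original sample and none of the variants, while the behaviour-keyed rule catches every variant and leaves the benign file alone. Real engines combine both: the hash is cheap and exact for known files, and the structural or behavioural rule is what survives the "unique variant per download" model.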
This mass production of variants is being enabled by automated tools and services available to hackers and criminals, a commercialization of malware that Peterson calls “infection as a service.”
“Capitalism is a big motivator,” Peterson said. “A lot of the things they do, they need to do at scale. Twelve or 24 months ago, a lot of criminals were doing everything themselves.”
Underground developers now specialize in selling professional tools and services to their community, such as online services that run a new malware variant against the most popular antivirus engines and report which ones fail to detect it.
“What we’re seeing is that there is a lot of collaboration going on in the development of malicious code,” said Eddie Schwartz, chief security officer of NetWitness. Collaboration and specialization facilitate the rapid production of designer malware that can target specific groups, types of systems and data.
Growing specialization coupled with the persistence of known vulnerabilities in IT infrastructure is a dangerous combination. Old vulnerabilities persist partially because the infrastructure and user base are so large and complex. For example, old versions of software and hardware are unlikely to be completely replaced over any short period of time and are so embedded that they often are overlooked in patching, Schwartz said.
“I don’t think we’re ever going to get to the point where we can throw out certain vulnerabilities,” he said. That base of vulnerabilities, coupled with more sophisticated exploit delivery tools, “enables malware writers to throw the kitchen sink at people.”
The ability to throw multiple exploits at a system is another growing threat. Automated toolkits let attackers bundle exploits into a single package that probes a computer or system for many vulnerabilities at once. Often, a successful cyberattack does not require a zero-day exploit, just a toolkit of tried-and-true ones: the attacker needs to find only one unpatched flaw.
Turning pro
Exploits and attacks are becoming not only more automated but also more professional, said Roger Thornton, chief technology officer of Fortify Software. The most serious attacks can go unnoticed because they are difficult to detect.
“Some of the attacks are brilliant in finding a system and compromising it,” Thornton said. “But the system wasn’t even the target.” The compromised system is used to plant code somewhere else in the network, where it gathers data and then leaves while covering its tracks. “Man, these guys are good,” he said.
Bad guys also are getting better at defense, he said. The widespread Conficker worm uses cryptography to protect its command-and-control communications. When weaknesses were found in a hashing algorithm Conficker used, the worm was upgraded to a new algorithm.
“They fix security vulnerabilities,” Thornton said. “These adversaries are doing security better than us.”
Compromised computers also can provide computing power and bases of operation for the criminals controlling them. Thornton described one case in which a financial services company was infected.
“The hackers had uploaded much more data than they had downloaded,” he said. It appeared that the objective had been to upload stolen credit card numbers. The hackers then used this database of numbers to test personal identification numbers used to validate them for transactions.
Finding the four-digit PIN for a single card could take up to 10,000 tries, which would be slow and would tip off the validating service after a handful of repeated failures on that card. Testing one PIN against a database of hundreds of thousands of card numbers inverts the problem: each card has roughly a 1-in-10,000 chance of matching, so a single guess across 100,000 cards can be expected to unlock about 10 of them. No individual card accumulates a suspicious number of failed attempts, and the traffic this generated was not noticed on the company's network.
The criminals also covered their tracks well, Thornton said. “All of their logs were encrypted, and encrypted well. There were no artifacts left behind.”
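The following Python is an added example of the horizontal PIN attack Thornton describes and of the aggregate check that would have caught it; it is not code from the article or from the affected company. It simulates a PIN-validation service that tracks failures only per card (the three-strike lockout, the card numbers, the PINs and the attacker address are all constructed assumptions), shows that guessing every PIN against one card is stopped by the lockout while guessing one PIN against every card never trips it, and then runs a detector over the service's own log that looks across cards instead of within one.

```python
import random
from collections import Counter, defaultdict

PIN_SPACE = 10_000          # four-digit PINs
PER_CARD_LOCKOUT = 3        # assumed issuer rule: lock a card after 3 wrong PINs


class CardValidator:
    """Simulated PIN-validation service that only tracks failures per card."""

    def __init__(self, pins: dict):
        self.pins = pins             # card number -> correct PIN (constructed data)
        self.failures = Counter()
        self.locked = set()
        self.log = []                # (source, card, pin, result) for the detector

    def verify(self, card: str, pin: int, source: str) -> str:
        if card in self.locked:
            result = "locked"
        elif self.pins[card] == pin:
            self.failures[card] = 0
            result = "ok"
        else:
            self.failures[card] += 1
            if self.failures[card] >= PER_CARD_LOCKOUT:
                self.locked.add(card)
            result = "fail"
        self.log.append((source, card, pin, result))
        return result


def vertical_attack(v: CardValidator, card: str, source: str):
    """Every PIN against one card: the per-card lockout stops this quickly."""
    for pin in range(PIN_SPACE):
        result = v.verify(card, pin, source)
        if result == "ok":
            return pin
        if result == "locked":
            return None
    return None


def horizontal_attack(v: CardValidator, cards: list, pin: int, source: str) -> list:
    """One PIN against every card: each card sees a single failure."""
    return [c for c in cards if v.verify(c, pin, source) == "ok"]


def flag_spraying(log: list, min_cards: int = 50) -> dict:
    """Detection the issuer needs: the same source trying the same PIN against
    many distinct cards, even though no card reaches its lockout threshold."""
    cards_per_source_pin = defaultdict(set)
    for source, card, pin, result in log:
        if result == "fail":
            cards_per_source_pin[(source, pin)].add(card)
    return {k: len(v) for k, v in cards_per_source_pin.items() if len(v) >= min_cards}


def run_demo(n_cards: int = 100_000, seed: int = 2009) -> dict:
    rng = random.Random(seed)
    cards = [f"4111{i:012d}" for i in range(n_cards)]      # constructed card numbers
    pins = {c: rng.randrange(PIN_SPACE) for c in cards}
    pins[cards[0]] = 7351                                   # known PIN for the vertical test
    v = CardValidator(pins)
    attacker = "203.0.113.7"                                # documentation address

    found = vertical_attack(v, cards[0], attacker)          # locked out after 3 guesses
    locks_after_vertical = len(v.locked)

    hits = horizontal_attack(v, cards, 1234, attacker)      # one guess per card
    hits += horizontal_attack(v, cards, 0, attacker)        # second pass, still under lockout
    expected = [c for c in cards if pins[c] == 1234] + [c for c in cards if pins[c] == 0]

    return {
        "attacker": attacker,
        "vertical_pin": found,
        "vertical_locked": cards[0] in v.locked,
        "new_locks_from_spraying": len(v.locked) - locks_after_vertical,
        "spray_hits": hits,
        "expected_hits": expected,
        "alerts": flag_spraying(v.log),
    }


if __name__ == "__main__":
    r = run_demo()
    print("vertical:", r["vertical_pin"], "locked:", r["vertical_locked"])
    print("spray hits:", len(r["spray_hits"]), "new locks:", r["new_locks_from_spraying"])
    print("alerts:", r["alerts"])
```

With 100,000 cards the two sprayed PINs recover on the order of twenty working card-and-PIN pairs without locking a single card, which is exactly the blind spot a per-card counter leaves. The detector groups failures by source and PIN across all cards and flags both sprayed PINs; a service that only sees one card at a time cannot.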
Targeting social media
Another threat trend is the speed with which these rapidly evolving tools are used against new targets, especially social-networking sites. One example is the widely used Twitter microblogging service. Within a month of its appearance, phishers were targeting Twitter, Marcus said.
“I don’t remember anything else that was attacked that quickly,” he said.
Twitter is not alone. Popular networking services, such as Facebook and the YouTube video service, often face attacks that attempt to use them as vectors for delivering malware. They also are subjects of phishing attacks that lure users into visiting malicious sites and surrendering personal information.
Despite the innovations, the attacks being delivered through these new sites are often the same types that most people have learned to avoid in e-mail. “A lot of the new technology tends to get exploited in all the old tried-and-true ways,” Marcus said. “Whatever the new technology is, you are probably going to see spam, phishing and password stealing.”
The nature of social networking helps to enable the use of social engineering in malicious attacks, Symantec’s Ramzan said. Social engineering involves crafting an attack with specific information to calm a victim’s fears and convince him or her that a communication is genuine.
“The idea of social engineering has been around for years,” he said. “But with social-networking sites, information that used to be private is now public, so it can make it easier for attackers to inject social context into an attack.”
All of which means that administrators and users need to constantly re-evaluate how they defend their systems, experts say. People need to be as suspicious of tweets and videos as they are of e-mails, and administrators need to think offensively and understand the attacks being used against them when protecting their systems.
Security vendors also need to constantly upgrade their tools and products. For some time, static defenses, such as firewalls and signature-based antivirus and intrusion detection, have been inadequate by themselves. Ben-Itzhak, whose company does content analysis, said real-time content analysis is critical to defending systems. Organizations should scan incoming code to determine its intent before it is allowed in.
“You can read the code like a book and see what it does,” he said.
Vendors of traditional signature-based tools such as Symantec and McAfee are adding new tools to their products because the rapid proliferation of malware is making signatures inadequate. They are using heuristic and behavior-based detection in addition to signatures and are moving to reputation-based security by monitoring suspect traffic on millions of machines to determine the sources of malicious traffic that should be blocked.
However, no one recommends doing away with signature-based defenses. Because so many known exploits still work and are in circulation, antivirus companies update their signature files as quickly as possible to provide an efficient first line of defense.
“These kinds of threats are still best handled by signatures,” Ramzan said.
No matter how good tools get at warding off the wave of rapidly morphing malware, they are not likely to remain adequate for long.
“In a year or two years from now, there will be another way to attack that will get around these,” Ben-Itzhak said. “Security is dynamic.”