Invasion of the botnets: Cyberattacks on the rise


In the past year, the threat landscape has been marked not by the emergence of a sexy new vulnerability or exploit but by the sheer number of attacks and the increasing professionalization of the bad guys behind them.

For the past year, the cyber threat landscape has been dominated not by new vulnerabilities and exploits so much as by the sheer number of attacks against information technology systems and the growing professionalization of the bad guys behind them.


In this report:

New threats emerge from once-trusted protocols and services


“The sexiness of the threat has not increased,” said one industry observer who met with a multiagency task force on intrusion. “But the exposure in terms of the number of exploits is growing exponentially.”

The numbers are sobering.

“Malware is at the highest point we’ve ever seen it,” said Dave Marcus, director of security research at McAfee Avert Labs. “2008 was the biggest year so far. The first half of 2009 has eclipsed all of 2008,” with 8,000 new variants appearing each day. “It’s easier to create new malware than ever before.”

Symantec reports similar activity. The company created 1.6 million new threat signatures in 2008, or about one new signature every 20 seconds. It has created 2 million signatures in the first half of this year, or about one every eight seconds.

The most visible results of this epidemic of malware are the periodic distributed denial-of-service attacks that generate a lot of attention. The most high-profile recent example was the July 4 outbreak that apparently originated in North Korea and targeted government and commercial Web sites in the United States and South Korea. Smaller outbreaks have targeted popular social-networking sites, such as Twitter and Facebook.

Such attacks have become a part of online life, observers say. Because of the prevalence of denial-of-service attacks and the volume of transactions now conducted online, some experts rate the attacks as a greater threat than compromises inside a system that can be used for the remote execution of malicious code or theft of information. But most experts agree that in the long run, a successful exploit that executes code inside a system is more likely to do significant damage.

“I see them happening more and more,” George Schu, vice president of Booz Allen Hamilton, said of denial-of-service attacks. “But in general, they aren’t a very serious problem.”

Denial-of-service attacks can disrupt business and online availability of resources but do little or no long-term damage. Organizations need to be prepared to identify and recover from such attacks, but in the end, “you still are going to be attacked,” Schu said.

Yuval Ben-Itzhak, chief technology officer of Finjan, agrees. “There is nothing much you can do about it,” he said.

One difficulty in responding to online attacks, whether they are denials of service or intrusions, is determining their source. Because botnets that launch denial-of-service attacks can be global, the immediate source of the malicious traffic offers little information about the ultimate source of the attack or its motive. Last month’s so-called North Korean attacks appear to have been controlled from a server in the United Kingdom. Reports of infiltrations of U.S. government and power grid systems by Chinese hackers also could be only speculation.

“Just because it is located in China doesn’t mean that a Chinese [person] is behind it,” said Patrick Peterson, a Cisco fellow and security researcher.

Although denial-of-service attacks can be mitigated, the availability of large-scale botnets — global networks of compromised computers under remote control — as a platform for delivering the malicious traffic makes the attacks difficult if not impossible to prevent. It’s hard to say just how big botnets are. McAfee reports as many as 3 million to 4 million new infections a month, but the lifespan of a botnet can be short, sometimes only a day or two before an infection is discovered and removed. However, some machines also are reinfected regularly.

“You have to be updating and scanning regularly” to avoid becoming part of a botnet, Marcus said.

The spread of malware

These highly distributed malicious networks are created and kept available by the proliferation of malware to infect computers and recruit more zombies.

“The explosion of new malware variants is what keeps me up at night,” said Zulfikar Ramzan, technical director of Symantec Security Response.

Attackers are getting around signature-based anti-malware tools by changing the code just enough to sneak it past the filters. Not every variant works, but enough of them are successful to keep signature writers busy.

“The model is shifting from a massive distribution of a few threats to the microdistribution of a large number of different threats,” Ramzan said. “There can be a unique variant of a threat for every person who downloads it.”

This mass production of variants is being enabled by automated tools and services available to hackers and criminals, a commercialization of malware that Peterson calls “infection as a service.”

“Capitalism is a big motivator,” Peterson said. “A lot of the things they do, they need to do at scale. Twelve or 24 months ago, a lot of criminals were doing everything themselves.”

Underground developers now are specializing in providing professional tools and services to their community at a profit, such as online services with a tool to run new malware variants against the most popular antivirus engines to identify ones that can make it through undetected.

“What we’re seeing is that there is a lot of collaboration going on in the development of malicious code,” said Eddie Schwartz, chief security officer of NetWitness. Collaboration and specialization facilitate the rapid production of designer malware that can target specific groups, types of systems and data.

Growing specialization coupled with the persistence of known vulnerabilities in IT infrastructure is a dangerous combination. Old vulnerabilities persist partially because the infrastructure and user base are so large and complex. For example, old versions of software and hardware are unlikely to be completely replaced over any short period of time and are so embedded that they often are overlooked in patching, Schwartz said.

“I don’t think we’re ever going to get to the point where we can throw out certain vulnerabilities,” he said. That base of vulnerabilities, coupled with more sophisticated exploit delivery tools, “enables malware writers to throw the kitchen sink at people.”

The ability to throw multiple exploits against a system is another growing threat. Automated toolkits allow attackers to bundle exploits in a single package so that a computer or system can be searched for many vulnerabilities. Often, a successful cyberattack does not require a zero-day exploit, just a toolkit of tried-and-true exploits. The attacker needs to find only one unpatched flaw in the system to take advantage of.

Turning pro

Exploits and attacks are becoming not only more automated but also more professional, said Roger Thornton, chief technology officer of Fortify Software. The most serious attacks can go unnoticed because they are difficult to detect.

“Some of the attacks are brilliant in finding a system and compromising it,” Thornton said. “But the system wasn’t even the target.” The compromised system is used to plant code somewhere else in the network, where it gathers data and then leaves while covering its tracks. “Man, these guys are good,” he said.

Bad guys also are getting better at defense, he said. The widespread Conficker worm uses cryptography to protect its command and control communications. When weaknesses were found in a hashing algorithm used by Conficker, it was upgraded to a new algorithm.

“They fix security vulnerabilities,” Thornton said. “These adversaries are doing security better than us.”

Compromised computers also can provide computing power and bases of operation for the criminals controlling them. Thornton described one case in which a financial services company was infected.

“The hackers had uploaded much more data than they had downloaded,” he said. It appeared that the objective had been to upload stolen credit card numbers. The hackers then used this database of numbers to test personal identification numbers used to validate them for transactions.

Trying to find the four-digit PIN for a given card could take 10,000 tries, which would be time-consuming and would tip off the service validating the card after too many repeated failures. But testing one PIN against a database of hundreds of thousands of card numbers is almost certain to be successful. This method creates no suspicious number of failed attempts on any one card, and the traffic it generated was not noticed on the company’s network.
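The detection gap Thornton describes can be shown with a small log-analysis example (added here, not code from the article or from any vendor quoted in it). A per-card lockout counter never fires when each card sees a single wrong PIN, whereas counting distinct failing cards per submitting source in a time window does. The `PinAttempt` fields, source names and log entries are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

PIN_SPACE = 10_000  # four-digit PIN, as in the article


@dataclass
class PinAttempt:
    ts: int       # epoch seconds (constructed values below)
    source: str   # merchant/terminal id that submitted the check (assumed field)
    card: str     # tokenised card identifier (assumed field)
    ok: bool      # PIN verification result


def prob_at_least_one_hit(n_cards, pin_space=PIN_SPACE):
    """Chance that one guessed PIN matches at least one of n_cards cards."""
    return 1.0 - (1.0 - 1.0 / pin_space) ** n_cards


def per_card_lockout(attempts, max_fail=3):
    """Classic control: lock a card after max_fail wrong PINs. Blind to one-try-per-card."""
    fails = defaultdict(int)
    locked = set()
    for a in attempts:
        if not a.ok:
            fails[a.card] += 1
            if fails[a.card] >= max_fail:
                locked.add(a.card)
    return locked


def distributed_guess_alerts(attempts, window=300, min_cards=50, min_fail_ratio=0.5):
    """Aggregate control: per source and fixed time bucket, count distinct cards with a
    failed PIN. Many distinct failing cards plus a high overall failure ratio is the
    signature of one PIN being tried across a stolen card list."""
    buckets = defaultdict(lambda: {"total": 0, "failed_cards": set()})
    for a in attempts:
        b = buckets[(a.source, a.ts // window)]
        b["total"] += 1
        if not a.ok:
            b["failed_cards"].add(a.card)
    alerts = []
    for (source, bucket), b in sorted(buckets.items()):
        n_fail = len(b["failed_cards"])
        if n_fail >= min_cards and n_fail / b["total"] >= min_fail_ratio:
            alerts.append((source, bucket * window, n_fail, b["total"]))
    return alerts


def build_sample_log():
    """Constructed authorisation log: one honest terminal and one source doing the above."""
    log = []
    # Legitimate terminal: 200 checks, 5 customer typos on 5 different cards.
    for i in range(200):
        log.append(PinAttempt(1000 + i, "POS-17", f"tok-L{i:04d}", ok=(i % 40 != 0)))
    # Pattern from the article: one PIN, tried once against each of 200 different cards.
    for i in range(200):
        log.append(PinAttempt(1000 + i, "WEB-99", f"tok-S{i:04d}", ok=(i == 123)))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("per-card lockouts:", per_card_lockout(log))          # set(): nothing seen
    print("distributed alerts:", distributed_guess_alerts(log))  # WEB-99 flagged
    print("P(hit) over 300k cards:", prob_at_least_one_hit(300_000))
```

The thresholds are illustrative; in practice they would be tuned against the normal PIN failure rate of each merchant or channel.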

The criminals also covered their tracks well, Thornton said. “All of their logs were encrypted, and encrypted well. There were no artifacts left behind.”

Targeting social media

Another threat trend is the speed with which these rapidly evolving tools are used against new targets, especially social-networking sites. One example is the widely used Twitter microblogging service. Within a month of its appearance, phishers were targeting Twitter, Marcus said.

“I don’t remember anything else that was attacked that quickly,” he said.

Twitter is not alone. Popular networking services, such as Facebook and the YouTube video service, often face attacks that attempt to use them as vectors for delivering malware. They also are subjects of phishing attacks that lure users into visiting inappropriate sites and surrendering personal information.

Despite the innovations, the attacks being delivered through these new sites are often the same types that most people have learned to avoid in e-mail. “A lot of the new technology tends to get exploited in all the old tried-and-true ways,” Marcus said. “Whatever the new technology is, you are probably going to see spam, phishing and password stealing.”

The nature of social networking helps to enable the use of social engineering in malicious attacks, Symantec’s Ramzan said. Social engineering involves crafting an attack with specific information to calm a victim’s fears and convince him or her that a communication is genuine.

“The idea of social engineering has been around for years,” he said. “But with social-networking sites, information that used to be private is now public, so it can make it easier for attackers to inject social context into an attack.”

All of which means that administrators and users need to constantly re-evaluate how they defend their systems, experts say. People need to be as suspicious of tweets and videos as they are of e-mails, and administrators need to think offensively and understand the attacks being used against them when protecting their systems.

Security vendors also need to constantly upgrade their tools and products. For some time, static defenses, such as firewalls and signature-based antivirus and intrusion detection, have been inadequate by themselves. Ben-Itzhak, whose company does content analysis, said real-time content analysis is critical to defending systems. Organizations should scan incoming code to determine its intent before it is allowed in.

“You can read the code like a book and see what it does,” he said.

Vendors of traditional signature-based tools such as Symantec and McAfee are adding new tools to their products because the rapid proliferation of malware is making signatures inadequate. They are using heuristic and behavior-based detection in addition to signatures and are moving to reputation-based security by monitoring suspect traffic on millions of machines to determine the sources of malicious traffic that should be blocked.

However, no one recommends doing away with signature-based defenses. Because so many known exploits still work and are in circulation, antivirus companies update their signature files as quickly as possible to provide an efficient first line of defense.

“These kinds of threats are still best handled by signatures,” Ramzan said.

No matter how good tools get at warding off the wave of rapidly morphing malware, they are not likely to remain adequate for long.

“In a year or two years from now, there will be another way to attack that will get around these,” Ben-Itzhak said. “Security is dynamic.”
