People often tell Richard Henderson, security strategist for Fortinet's FortiGuard Labs that botnets aren't a big deal.
But he says the average person is typically unaware of how pervasive and pernicious these threats have become. “Botnets are a pretty big deal, and the impact of botnets is woefully understated,” he says. “The owners of botnets have been really good at staying under the radar.”
Lat year four of the top five biggest threats to home-based networks were botnets, according to Kindsight Security Labs, which also reported that nearly 50 percent of home network infections in 2012 were the result of botnet-related malware.
And, according to Roger Thompson, chief emerging threats researcher for ICSA Labs, an independent division of Verizon, new botnets are being created all the time. “It's difficult to eradicate them because there's just so many of them,” he says. Thompson, who wrote one of the first anti-virus programs in 1987, says threats have modified over the years, as criminals have improved their techniques – often incorporating the ability to disable anti-virus products into their botnet downloader.
For financial institutions and other high-profile corporate targets of botnets, the related fallout from an attack – whether aimed at financial gain or just to cause instability and mayhem – can affect services and internal business, and cost millions of dollars. Banks and their customers are often inconvenienced for days at a time, especially since more and more customers are depending on online transactions for their day-to-day tasks, says Kurt Baumgartner, senior security researcher for Moscow-based Kaspersky Lab, referencing recent attacks on financial institutions such as American Express. “Organized crime continues to have a pretty sophisticated business model here with larger and more sustained attacks,” he says.
Indeed, botnet attacks have been the purview of crime rings inside and outside of the United States for years. One of the key issues with stamping out botnets is their seeming longevity: They morph and evolve and, simply put, many of them never go away. Indeed, one-third of the top 10 botnets identified by Fortinet are nearly a decade old. While efforts from the anti-malware and law-enforcement communities have temporarily taken down or crippled botnets such as Mariposa – which consisted of eight to 12 million individual zombie computers – parts of these powerful botnets live on to cause more damage.
Trojan horses, such as ZeroAccess, used to download malware onto affected machines, have been around for years, and have lately become the focus of closer examination, but mitigation is far from solved. “ZeroAccess is getting more attention now,” says Zulfikar Ramzan, chief scientist for the cloud technology group of Sourcefire. But despite the media focus recently, he maintains its effect on the industry, “is one of the most under-reported stories of 2012.”
Ramzan and other industry experts say it's not only the persistence of botnets, but the increasing ease with which less skilled hackers can spread them that makes them difficult to expunge. “A lot of attackers are marrying botnets with attack toolkits, like Blackhole,” he says, referencing the exploit kit used to inject malware into computing devices when they visit a compromised site. Many attackers are seeing botnets as an infrastructure they can “rent out for multiple activities,” says Ramzan, calling this trend “malware as a service.”
Further, a good number of botnets are not all that sophisticated, Ramzan says, “but they are being iterated so quickly, they slip by… And everybody and anybody can get in the game.”
Shane Shook, chief knowledge officer and global VP of consulting for Cylance says botnets have indeed become the preferred mechanism for targeted threat activities. The reason, he says, is that they have become easier to launch and trickier to detect, as hackers have adopted increasingly sophisticated and service-based approaches.
In a recent report for FortiGuard Labs, Henderson discussed the “affiliate model for infections” that many organized crime rings have now embraced, whereby distributors, working for the leaders of the syndicates, recruit people to spread their botnet using different approaches on various sites worldwide. In this way, the low-level and often unskilled participants are guaranteed a steady stream of income, the ringleaders don't get their hands dirty, and the botnets are harder to spot – and, therefore, more successful – because they are spread using such a wide array of vectors, Henderson says.
Cyber crime rings typically pay $100 per 1,000 infected machines, but rates can vary based on the botnet infection and the geography of the machines being compromised. For example, the criminals behind ZeroAccess reportedly pay five times the going rate for underlings who infect machines with their botnet, says Henderson. It's not surprising, therefore, that FortiGuard's research projects ZeroAccess growing at a rate of as much as 200,000 new infections per week. Henderson believes it alone may be actively infecting as many as two million machines, many of which are being used to mine for Bitcoins, a digital currency.
Companies may be fighting an uphill battle trying to destroy – or even detect – botnets, but experts say it is worth it, given the right approach.
Sourcefire's Ramzan says the goal needs to be on detection rather than just prevention, since the onslaught of botnets is too great to stamp out. “People have focused on trying to prevent the threat,” he says. “That works well if you don't have a lot of threats to deal with.”
While traditional signature detection has been effective in the past, ICSA Labs' Thompson says “there's got to be a shift away from the signature scanner as the main line of defense against [botnet] infections.” The sheer number of new botnet signatures is increasing too fast, he says. He believes it's much better to have an approach that relies on looking at underlying behaviors that can point to the miscreants behind the attacks.
Cylance's Shook points to the financial industry as an example of a sector that has made progress to combat potential botnets. He says it's critical to take the time to determine the baseline for communications from corporate servers. Similar to the way financial institutions look for certain behaviors that denote financial fraud, Shook says companies should be using the same algorithms to seek out network threats. Still, anti-virus software remains an essential component.
Meanwhile, Fortinet's Henderson says that on top of baseline security, companies must be vigilant to educate employees about the ongoing threat of botnets. Too often, botnets are still getting into corporate servers because employees click on a malicious attachment, or bring in their own infected devices to use at work, he says. “It's the most important thing: education, education, education,” Henderson says. “Stuff is always going to get through to the desktop level, and you can't quarantine everything.”