Security: Botnets, or The Plague Of Cloud Computing #2
Welcome back my plagued-by-Bots-and/or-Botnets Reader,
It’s no surprise that you can’t really relate your Google Analytics data with your Server Access Logs and User Interaction KPIs, and it’s no surprise that you have such an inexplicably high Bounce Rate either: most of your traffic doesn’t derive by humans nowadays no more!
It was so different back in 2001, wasn’t it? Like today, every Visitor counted; unlike today, more than 90% of your Traffic derived from back-then-privileged-56kmodem-connected-Users; today, for although the Internet worldwide penetration is at unprecedented heights, less than a half of your Sessions are human.
Welcome to the Cloud Era!
Let’s face some facts (Source : courtesy of Incapsula’s “Bot Traffic Report 2014” ):
– In 2014 between 52.3% and 80.5% of your Internet Web Traffic was not human;
– In 2014 between 27.2% and 31.4% of your not human Internet Web Traffic was malicious;
– In 2014, if you weren’t actively looking into this already, between 5 to 8 out of 10 of your Sessions were not human and at least 2 out those same 10 Sessions have been directly – or indirectly – trying to harm you.
Not human Sessions fall in the wide Category of Bots, and one of the most authoritative Bots Encyclopediae, www.botopedia.org , carries a wealth of information on what Bots are; especially, on what good, suspected and bad Bots are: from Botopedia’s own FAQ (and to keep it short in favor of further Articles of ours),
“Good Bots: These are bots such as Google’s search bots or Pingdom which are operated by well-known and commonly-used services.
Bad Bots: These include comment spammers, SQL Injection worms and vulnerability scanners and other malicious bots that are positively identified.
Suspected Bots: In many cases, these bots are used by service providers that have not yet been classified by the classification engine. In other cases these could be browsers behind proxies or obfuscation devices that were misclassified.”
We won’t dwell in the Subject of Bots today, but rather focus on Distributed Nets of Bots, or Botnets, which is enough of a Subject Introduction to cover in a single Article. Bots are a superset of Botnets and we’ll save that Subject for a future Article. We encourage you to visit Botopedia for further education on the Subject of Bots in general.
So what are Botnets and how do they work? Before answering to this question, let’s repeat the definition of the Cloud Computing. Cloud Computing represents a large group of computers connected to the Internet. These resources are accessible anytime, anywhere and to a great numbers of clients. The Cloud offers a lot of advantages to Companies, including lower expenses for hardware and software maintenance as well as ownership.
On the other hand, hackers control some of the most dangerous cloud platforms in the world today. These “dark” clouds are known as Botnets and they can control literally millions of infected machines known as “bots”, which spread malware. If not detected quickly, Botnets can take significant computing power and even cut down your business network. In order to stay safe, you need to constantly monitor this malicious threat. Due to its specific architecture, a Botnet may continue to run wild, even if you destroy some or majority of its bots.
Nowadays, cybercrime is at its peak. Crooks use Botnets to search for security vulnerabilities in User’s Computers to seize these resources and turn them into their own profit. Botnets work stealthily to infect your computer without any recognizable damage. This quiet attack turns your computer into a bot or differently put – a “zombie slave” (ever heard about it?) which is controlled from one central Server. If your Computer has been compromised, the virus will try to copy itself onto other machines and infect them as well, making the Botnet more powerful.
Strength by numbers
Currently, cloud computing centers boost performance while minimizing failure. On the other hand, a Botnet operates just with brute force and huge numbers of bots. A single Botnet can control millions of computers, countless processors and gigabytes of memory and storage, and a huge bandwidth sufficient to overpower even the biggest commercial Internet providers.
Botnets have big advantage over real commercial clouds – they can develop at disturbing speed, unobstructed by failures. Also, Botnets do not target and attack a particular Business. Rather, they spread systematically operating through the lists of IP addresses or they scan the machines and Networks in order to find certain vulnerabilities. For instance, a Bot program can find a Company’s Computer which can be infected using unpatched system vulnerability.
It then proceeds onward, shifting through entire Network seeking other vulnerable machines. In the meantime, the recently infected machine becomes a fully functional Bot. The Bot may infect other machines on the Network, which can infect other Computers and Businesses. It’s a never-ending cycle.
This brings us back to the point, that the big majority of Botnet victims were not targeted by a person. The Botnet spreads everywhere it finds Security Vulnerabilities. Trying to investigate who is behind the “breach” would be a huge waste of time as well as money.
Who profits from Botnets
Botnets exist with the sole purpose of giving their owners huge “dark” Cloud Computing potential that can be used to handle extremely profitable cybercrimes. Cybercriminals who control Botnets can rent out their Botnet to criminal Ventures. For instance, a Spam Operation can use the Botnet to send millions of Spam Emails. Corrupt Companies can use a Botnet to bring down a competitor’s Website via a powerful DDoS Attack. Botnets are also convenient for Cracking encrypted files by simply trying trillions of binary combinations, opening (often stolen) files by “brute force”.
This sort of action is not only very profitable, but it enforces development of even more capable Botnets. Botnet creators likewise increase the sophistication of their Products by analyzing the Security Business’ answer to their past efforts.
Botnet infection can have present as well as long-term consequences. Network failure is the most dangerous of the all possible outcomes. This has a great impact on IT Operations, Customer Account Management, Productivity of Employees and so on. Today, almost every Office and every income-generating Channel can be negatively affected by a Network failure. The price of lost Business can go through the roof. As always and very probably, the heaviest burden falls upon IT.
In charge of their Business Network and their Clients, IT Administrators must frequently drop all other priorities and focus on battling the Botnet infection in order to restore Network Performance. Some of most devastating consequences can impact a Company’s Reputation, Competitiveness and ultimately Profitability.
Last but not least, because Botnets are exclusively used for illegal activities, any Company or Organization infected with Botnets is at risk to be found liable for these actions. Legal expenses, Court procedures and overall negative Public Reputation can result even if the Company really isn’t guilty. Even worse, Client, Partners and other important Business Associates could be infected by their Trusted Partner.
Most Popular Botnets
An army of Zombies, running rampant on the Internet – no, it’s not a nightmare, it’s our reality. The struggle between Zombies and Internet Security Experts rages on and it’s far from over. There are some “Zombie slave” Masters who have been particularly troubling, so let’s take a look at these “dark” Clouds. According to the most authoritative Online lists, the most popular Botnets are:
Zeus is the first on the list of popular Botnets and according to all Reports; it controls more than 3.6 million machines in just the United States. This Toolkit is designed to provide the User with all of the tools required to create and use a Botnet. The primary purpose of Zeus was to steal banking information, but it can be easily used for any other type of data theft. It has a Control Panel which gives you the control of your own Botnet as well as the ability to update it and to retrieve its stolen information.
What’s special about Zeus it a fact that there is no single Zeus Botnet. The Toolkit is sold just like any other commercial Product, which means that there are many different owners of Zeus. Each and every one of them can make one or more Botnets. The latest full version of Zeus is usually sold for somewhere around $700, but only to Trusted Buyers.
Conficker aka Downadup or Kido is a Worm which became popular back in 2009, mostly because it was all over the Media for delivery of certain very destructive payload. Although that was false information, this Worm is nowadays well-known for huge number of Bots it has under control. Conficker typically xploits Windows Vulnerabilities to breach into the machines. It’s very hard to contain it because it uses many advanced Malware Techniques to avoid detection as well as to prevent removal from the infected Computer.
Conficker’s main ability (currently) is to bring down, disable or reconfigure the infected Operating System and other Security Services. The Worm also blocks access to the most popular Security Websites and patches the infected System, so that it wouldn’t be disrupted by any other malicious infection.
The Storm is a backdoor Trojan horse which was first spotted in 2007, when it started to infect thousands of Computers using Emails with shocking titles to distribute Malware. Within two days, it caused 8% of all Global Malware infections. By the end of 2007, the Storm was controlling somewhere between 1 and 50 million of machines. During the recent years, the creators of the Storm have shown very defensive behavior which indicated that its owners are actively working on the protection of the Botnet against any attempts to disable it or track it back to the creators.
According to some assumptions, the Storm has so much power that it could block entire Countries off the Web, and it was estimated that it can execute more instruction per second than some of the most powerful Computers in the world. It usually uses Windows Vulnerabilities to infect the victim’s Computer and it is distributed mainly by sending millions of Spam Emails every day.
How to defend yourself against Botnets
Botnets represent a pretty big threat to Businesses, randomly attacking machines without possibility to trace them back to the owner. However, you can protect yourself and your business with a couple of solutions and good practices.
There are a few things you can do to minimize the threat of Botnets:
– Make sure that your Systems as well as Programs used are updated and patched.
– Use an efficient Gateway Defense Solution to keep bots from breaching into your Computers and Servers.
– If you own the Company, test the perimeters of your Servers and Workstations.
– Make regular Backups of your data
Similarly as with any other Malware, the easiest and Best Practice is Prevention. Doing everything you can to keep the Botnets away is a way better option than dealing with the infection once it’s in there. There are many mistakes that can be avoided by being just a bit more careful (we are talking about regular updates of Systems as well as Backups and Antivirus Scans). In case you are already infected, the best solution is to disconnect the infected Hosts off your Networks, do a System Recovery or install a fresh copy of the Operating System. Yes, data might be lost if you didn’t perform regular Backups, but that is a small price to pay to prevent compromising the security of your whole Financial and Personal data, isn’t it?
We hope that you enjoyed today’s excursus and we invite you to get in touch with us for more on the Subject. Now, share your story!