By Jack M. Germain TechNewsWorld Part of the ECT News Network
11/22/07 4:00 AM PT
In the second half of last year, more than six million computers were taken over by infectious programs and drafted into networks known as "botnets." The number represents an increase of 29 percent when compared with the first half of the year, according to security firm Symantec's (Nasdaq: SYMC) latest Internet Security Threat Report.
Unknown to the computer owners, these infected computers are used at will by crime groups to perform a variety of illegal activities. They range from stealing users' identities and confidential information like bank account numbers and passwords to sending out massive amounts of spam e-mail. They also can conduct DoS (denial of service) attacks, phishing attacks and other illegal activities.
So many home- and small business-based computers lack adequate antivirus protection and up-to-date vulnerability patching that criminals have little trouble compromising computers.
"We are seeing bot infections continuing. Bots are very dynamic in nature. They can constantly update themselves," Ed Kim, director of product management at Symantec, told TechNewsWorld.
Botnets 101
A bot is a computer whose operation has been secretly hijacked by malware. The infected computer, which is often referred to as a "zombie," has a Trojan program which directs the computer to connect to a remote location to download additional instructions.
A group of hijacked zombie computers forms a botnet. Much like a real computer network tethered together under the control of a systems manager, botnets are under the control of a bot herder or bot master, explained Kim.
"The zombie operator can see anything on the infected computer, including documents, passwords and social security numbers," explained Ron O'Brien, senior security analyst for security firm Sophos.
The organization of criminals then rents out the botnet to a person conducting a spam campaign. The bot herders can also sell stolen confidential information to other crime groups.
The Birth of a Zombie
Hijacked computers start with uninformed or unconcerned consumers. They buy a new computer with one or more trial versions of antivirus protection. When the initial subscription lapses, the consumer often fails to renew.
Most people choose not to continue the antivirus protection because they don't want to give credit card information over the Internet or don't think it is necessary, noted O'Brien. Others fail to renew because they either do not care or think that the computer will remain protected against virus infections without updating signatures.
The result is that the computer quickly becomes infected with viruses distributed by e-mail and from visiting an infected Web site. It is practically impossible to avoid virus infections unless the computer user never receives e-mail and never surfs the Web.
"250,000 viruses exist today with an excess of one million vulnerable computers," O'Brien said.
Growing Problem
Two factors continue to give criminals the upper hand in expanding their botnets. One is the huge number of computers that remain unprotected and unpatched for vulnerabilities. The other is the rapidly increasing use of the Internet.
For instance, in January 2006 one in every 330 e-mails had a virus attached to it. However, consumers have learned not to click on attachments from unknown parties. In January 2007 only one in every 40 e-mails contained a virus.
However, the problem isn't going away, according to O'Brien. Instead of relying on e-mail, the bad guys have changed their delivery method to the Web.
Vulnerable Servers
This new reliance by malware writers on infected Web sites is happening without the knowledge or intervention of the Web site owners. There are 8,000 Web sites a day hosting new viruses, mostly unknowingly, O'Brien noted. To make matters even worse, on average 45 new Web sites per day get infected with code that infects visitors landing on a page, added Paul Henry, vice president of technology evangelism at security firm Secure Computing, describing the growth of drive-by infections.
Other types of Internet-based infections require the Web visitor to actually click on an image. Some 14,000 of these sites are added daily, noted Henry.
"Server owners usually have no clue," he said.
If server operators were using adequate protection, their servers wouldn't be infected. However, most of them are still using packet filtering methods instead of true layer 7 protection, said Henry.
"The vast majority of enterprise clients only have protection for their server but nothing to protect computers on their network. They feel that having a packet filtering firewall is adequate," Henry told TechNewsWorld.
New Tactics
Secure Computing recently discovered a new malware tactic that Henry thinks will soon be adding to botnet troubles. A so-called zlob is complex, tricky and deceptive. The zlob poses as a fake video file posted on YouTube. It contains a second bit of code that causes the movie to download onto the PC. It then installs two Trojans that bombard visitors with ads.
Currently, the only payload is the ad blitz. However, Henry sees a high likelihood of more dangerous malware being attached to this exploit soon. The zlob could very easily become an e-mail vehicle as well, with hundreds of variants.
This newly discovered form of Web-based malware is currently masquerading as a YouTube video object and does not require users to download an .EXE file in order to run. No one expects to find malware hidden in YouTube files. Yet the medium's popularity is highly alluring as a mass distribution vehicle for malicious code, he warned.
"What's alarming is that from a security perspective many organizations will be blindsided and potentially seriously exposed," warned Henry. "Most of the leading firewalls are configured only to protect internal Web servers, and not capable of blocking returned Web code from external servers, which is the trend and certainly the direction this threat takes."
Solution in ISPs
While consumers and server operators are a big part of the problem, Internet service providers (ISPs) could be effective in blocking the spread of bot infections but don't, complained Henry.
Up-to-date antivirus protection maintained on individual computers prevents much of the malware from attacking consumer and enterprise computers. But more protection is needed against zero-day infections. These attacks come from new viruses that enter a computer before new signature detection is distributed by antivirus vendors.
"ISPs need to do this, but there is no financial incentive for them to do so. There are no consumer-level products to block zero-day attacks. This is one of the main reasons that botnets are out of control," said Henry.
New Answer
Symantec is one of the first security vendors to develop a new product to protect consumers from botnet infections. Symantec released late last month a beta version of Norton AntiBot.
"Vendors have a major opportunity now to address this botnet problem," said Kim.
Norton AntiBot beta uses behavioral technology, not antivirus signatures. It looks at what a file is doing and is always on, actively monitoring. It finds and remediates the threat, he said.
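The article's two technical claims, that a bot's Trojan checks back with a remote controller for instructions ("Botnets 101") and that behavioral monitoring can catch what signature matching misses, can be illustrated together. The following is an added example, not code from the article, Symantec or Norton AntiBot: it runs a simple beaconing heuristic over a constructed outbound-connection log and contrasts it with a name-based signature check. Process names, hostnames and timestamps are all constructed for the example.

```python
# Added illustration (not from the article or any vendor product): a behavioral
# heuristic that flags a process contacting the same host at near-constant
# intervals, the "check back for instructions" pattern described in the article.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one outbound connection per line:
# "<ISO time> <process> -> <destination host>"
SAMPLE_LOG = """\
2007-07-09T08:00:00 svchost.exe -> update.example.com
2007-07-09T08:00:05 iexplore.exe -> news.example.com
2007-07-09T08:00:12 iexplore.exe -> images.example.com
2007-07-09T08:01:00 winhelp32.exe -> ctrl.example.net
2007-07-09T08:02:00 winhelp32.exe -> ctrl.example.net
2007-07-09T08:03:01 winhelp32.exe -> ctrl.example.net
2007-07-09T08:03:40 iexplore.exe -> mail.example.com
2007-07-09T08:04:00 winhelp32.exe -> ctrl.example.net
2007-07-09T08:04:59 winhelp32.exe -> ctrl.example.net
"""

# Stand-in signature database (constructed). The beaconing binary is not in it,
# which is the gap the article says behavioral detection is meant to close.
KNOWN_BAD_NAMES = {"zlob.exe"}

def signature_match(process):
    """Signature-style check: only catches names already in the database."""
    return process in KNOWN_BAD_NAMES

def parse_log(text):
    """Return (timestamp, process, host) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, proc, _, host = line.split()
        events.append((datetime.fromisoformat(ts), proc, host))
    return events

def detect_beaconing(events, min_connections=4, max_jitter=0.15):
    """Map (process, host) -> mean gap in seconds for pairs that connect at least
    min_connections times with stdev/mean of the gaps no greater than max_jitter."""
    by_pair = defaultdict(list)
    for ts, proc, host in events:
        by_pair[(proc, host)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # regular cadence
            flagged[pair] = avg
    return flagged
```

Browsing traffic from iexplore.exe is irregular and goes unflagged, while the unknown winhelp32.exe binary is flagged purely on its cadence even though signature_match("winhelp32.exe") is False.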
Norton AntiBot is a stand-alone product that complements all third-party antivirus products.
As of July 5, the Symantec Web site also displays a page for a commercial version of Norton AntiBot selling for $29.99 for up to three computers per household.
This story was originally published on July 10, 2007, and is brought to you today as part of our Best of ECT News series.