Best of ECT News


What Are Botnets and Why Should You Care?

In the second half of last year, more than six million computers were taken over by bot malware and drafted into networks known as "botnets." The number represents an increase of 29 percent compared with the first half of the year, according to security firm Symantec's latest Internet Security Threat Report.

Unknown to the computer owners, these infected computers are used at will by crime groups to perform a variety of illegal activities. They range from stealing users' identities and confidential information like bank account numbers and passwords to sending out massive amounts of spam e-mail. They can also conduct DoS (denial of service) attacks, phishing attacks and other illegal activities.

So many home and small-business computers lack adequate antivirus protection and up-to-date vulnerability patching that criminals have little trouble compromising them.

"We are seeing bot infections continuing. Bots are very dynamic in nature. They can constantly update themselves," Ed Kim, director of product management at Symantec, told TechNewsWorld.

Botnets 101

A bot is a computer whose operation has been secretly hijacked by malware. The infected computer, often referred to as a "zombie," runs a Trojan program that directs it to connect to a remote location and download additional instructions.

A group of hijacked zombie computers forms a botnet. Much like a real computer network tethered together under the control of a systems manager, botnets are under the control of a bot herder or botmaster, explained Kim.

“The zombie operator can see anything on the infected computer, including documents, passwords and social security numbers,” explained Ron O’Brien, senior security analyst for security firm Sophos.

The criminal organization then rents out the botnet, for example to someone running a spam campaign. Bot herders can also sell stolen confidential information to other crime groups.
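The check-in behavior described above (a bot periodically connecting to a remote location for instructions) is something a network defender can look for in egress logs. The following script is an added example written for this article; it is not code from Symantec, Sophos or the article's author. It groups connections by source and destination and flags pairs whose inter-connection gaps are suspiciously regular. The log format, the sample log lines, and the thresholds (at least four connections, coefficient of variation at or below 0.1) are assumptions made for illustration.

```python
"""Spot bot-to-controller "beaconing" in a connection log.

Added example, not code from the article or the vendors it quotes. A bot that
periodically connects to a remote location to fetch instructions leaves a
telltale pattern in egress logs: many connections from one host to one
destination at a near-constant interval. This script groups connections by
(source, destination), measures the regularity of the gaps between them and
flags pairs that are both frequent and regular. The log format, thresholds
and sample lines below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   <ISO-8601 timestamp> <source IP> <destination IP>:<port>
# 10.0.0.5 beacons to 203.0.113.7:6667 roughly every 300 seconds while
# also browsing 192.0.2.10:80 at irregular times; 10.0.0.9 only browses.
SAMPLE_LOG = """\
2007-07-10T09:00:00 10.0.0.5 203.0.113.7:6667
2007-07-10T09:00:31 10.0.0.5 192.0.2.10:80
2007-07-10T09:01:05 10.0.0.5 192.0.2.10:80
2007-07-10T09:03:00 10.0.0.9 192.0.2.10:80
2007-07-10T09:05:01 10.0.0.5 203.0.113.7:6667
2007-07-10T09:07:42 10.0.0.5 192.0.2.10:80
2007-07-10T09:08:00 10.0.0.5 192.0.2.10:80
2007-07-10T09:10:00 10.0.0.5 203.0.113.7:6667
2007-07-10T09:11:00 10.0.0.9 192.0.2.10:80
2007-07-10T09:14:59 10.0.0.5 203.0.113.7:6667
2007-07-10T09:19:10 10.0.0.5 192.0.2.10:80
2007-07-10T09:20:01 10.0.0.5 203.0.113.7:6667
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst) tuples, skipping blank/malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return records


def find_beacons(records, min_connections=4, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (population std dev / mean) of
    the gaps between consecutive connections: human browsing is bursty (high
    CV), a timer-driven bot is not (low CV). Both thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every connection at the same instant; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(stamps),
                "mean_interval_s": avg,
                "cv": cv,
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"every {hit['mean_interval_s']:.0f}s (cv={hit['cv']:.3f})")
```

Run against the constructed log, only the 10.0.0.5 to 203.0.113.7:6667 pair is reported: five connections about 300 seconds apart with almost no jitter, while the same host's browsing to 192.0.2.10:80 has wildly varying gaps and is ignored. Real bots often add random jitter to their timer, so in practice the CV threshold is tuned per environment and combined with other signals such as destination reputation.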

The Birth of a Zombie

Hijacked computers start with uninformed or unconcerned consumers. They buy a new computer with one or more trial versions of antivirus protection. When the initial subscription lapses, the consumer often fails to renew.

Most people choose not to continue the antivirus protection because they don't want to give credit card information over the Internet or don't think it is necessary, noted O'Brien. Others fail to renew because they either do not care or think that the computer will remain protected against virus infections without updating signatures.

The result is that the unprotected computer quickly becomes infected with viruses distributed by e-mail or picked up from an infected Web site. Without up-to-date protection, avoiding infection is practically impossible unless the computer user never receives e-mail and never surfs the Web.

“250,000 viruses exist today with an excess of one million vulnerable computers,” O’Brien said.

Growing Problem

Two factors continue to give criminals the upper hand in expanding their botnets. One is the huge number of computers that remain unprotected and unpatched for vulnerabilities. The other is the rapidly increasing use of the Internet.

For instance, in January 2006 one in every 40 e-mails had a virus attached to it. However, consumers have learned not to click on attachments from unknown parties. In January 2007 only one in every 330 e-mails contained a virus.

However, the problem isn't going away, according to O'Brien. Instead of relying on e-mail, the bad guys have changed their delivery method to the Web.

Vulnerable Servers

This new reliance by malware writers on infected Web sites is happening without the knowledge or intervention of the Web site owners. There are 8,000 Web sites a day hosting new viruses, mostly unknowingly, O'Brien noted. To make matters worse, on average 45 new Web sites per day are infected with code that attacks visitors landing on a page, added Paul Henry, vice president of technology evangelism at security firm Secure Computing, describing the growth of drive-by infections.

Other types of Internet-based infections require the Web visitor to actually click on an image. Some 14,000 of these sites are added daily, noted Henry.

“Server owners usually have no clue,” he said.

If server operators used adequate protection, their servers would not be infected. However, most of them still rely on packet filtering instead of true layer 7 (application-layer) protection, said Henry.

"The vast majority of enterprise clients only have protection for their server but nothing to protect computers on their network. They feel that having a packet filtering firewall is adequate," Henry told TechNewsWorld.
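Since the injected drive-by code described above sits in pages the site owner rarely inspects, a practical first check for a server owner is to scan the site's own HTML for it. The script below is an added example written for this article, not code from Secure Computing, Sophos or the article's author. It applies two heuristics that are assumptions made for illustration rather than anything the article spells out: a hidden iframe (zero size or display:none) that loads content from another host, and an inline script that evaluates decoded, obfuscated text. The sample page, its host name and the addresses in it are constructed.

```python
"""Scan a Web page's HTML for the kinds of code a drive-by infection injects.

Added example, not code from the article or the vendors it quotes. Two
heuristics are assumed for illustration: a hidden iframe pulling content from
a foreign host, and an inline script that eval()s unescape()d or
fromCharCode()d text. Neither catches every injection, and sites that
legitimately use hidden frames will need the rules tuned.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class DriveByScanner(HTMLParser):
    """Collect findings while parsing; site_host is the page's own host name."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # valueless attrs become ""
        if tag == "iframe":
            src = attrs.get("src", "")
            if self._is_hidden(attrs) and self._is_external(src):
                self.findings.append({"kind": "hidden_external_iframe", "detail": src})
        elif tag == "script":
            self._in_script = True
            self._script_chunks = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_chunks)
            if self._looks_obfuscated(body):
                self.findings.append({"kind": "obfuscated_inline_script",
                                      "detail": body[:60]})

    def handle_data(self, data):
        if self._in_script:
            self._script_chunks.append(data)

    @staticmethod
    def _is_hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()
        return (attrs.get("width", "").strip() in ("0", "0px")
                or attrs.get("height", "").strip() in ("0", "0px")
                or "display:none" in style
                or "visibility:hidden" in style)

    def _is_external(self, url):
        host = urlparse(url).hostname  # None for relative URLs
        return bool(host) and host.lower() != self.site_host

    @staticmethod
    def _looks_obfuscated(body):
        lowered = body.lower()
        return "eval(" in lowered and ("unescape(" in lowered or "fromcharcode" in lowered)


def scan_html(html, site_host):
    """Return the list of findings for one page."""
    scanner = DriveByScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for www.example.com: two injected elements (the
# hidden iframe to 198.51.100.23 and the eval(unescape(...)) script) sit
# among legitimate frames and scripts that must not be flagged.
SAMPLE_PAGE = """\
<html><head><title>Example shop</title>
<script src="/js/menu.js"></script></head>
<body>
<h1 id="h">Welcome</h1>
<iframe src="http://198.51.100.23/in.cgi?3" width="0" height="0"
        style="display: none"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%78%27%29'))</script>
<iframe src="/help/frame.html" width="300" height="200"></iframe>
<iframe src="http://partner.example.net/widget" width="300" height="200"></iframe>
<script>document.getElementById('h').textContent = 'Welcome back';</script>
</body></html>
"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(f"{finding['kind']}: {finding['detail']}")
```

On the constructed page the scanner reports exactly the two injected elements; the same-site help frame and the visible partner widget are left alone, as is the ordinary inline script. In practice this would be run over every page the server serves (or over a crawl of it) and the results diffed against a known-clean baseline, since an injection the owner does not know about is, as Henry notes, the normal case.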

New Tactics

Secure Computing recently discovered a new malware tactic that Henry thinks will soon add to botnet troubles. The so-called Zlob is complex, tricky and deceptive. It poses as a video file posted on YouTube and contains a second piece of code that causes the "movie" to download onto the PC, which then installs two Trojans that bombard the user with ads.

Currently, the only payload is the ad blitz. However, Henry sees a high likelihood of more dangerous malware being attached to this exploit soon. The Zlob could easily be delivered by e-mail as well, and hundreds of variants could be spun off it.

This newly discovered form of Web-based malware currently masquerades as a YouTube video object and does not require users to download an .EXE file in order to run. No one expects to find malware hidden in YouTube files, yet the medium's popularity makes it a highly alluring mass distribution vehicle for malicious code, he warned.

"What's alarming is that from a security perspective many organizations will be blindsided and potentially seriously exposed," warned Henry. "Most of the leading firewalls are configured only to protect internal Web servers, and not capable of blocking returned Web code from external servers, which is the trend and certainly the direction this threat takes."

Solution in ISPs

While consumers and server operators are a big part of the problem, Internet service providers (ISPs) could be effective in blocking the spread of bot infections but don't, complained Henry.

Up-to-date antivirus protection maintained on individual computers prevents much of the malware from attacking consumer and enterprise computers. But more protection is needed against zero-day infections. These attacks use new malware that enters a computer before the antivirus vendor has distributed a signature that detects it.

"ISPs need to do this, but there is no financial incentive for them to do so. There are no consumer-level products to block zero day attacks. This is one of the main reasons that botnets are out of control," said Henry.

New Answer

Symantec is one of the first security vendors to develop a new product to protect consumers from botnet infections. Late last month Symantec released a beta version of Norton AntiBot.

“Vendors have a major opportunity now to address this botnet problem,” said Kim.

Norton AntiBot beta uses behavioral technology, not antivirus signatures. It looks at what a file is doing and is always on, actively monitoring. It finds and remediates the threat, he said.

Norton AntiBot is a stand-alone product that complements third-party antivirus products.

As of July 5, the Symantec Web site also displays a page for a commercial version of Norton AntiBot selling for $29.99 for up to three computers per household.

This story was originally published on July 10, 2007, and is brought to you today as part of our Best of ECT News series.
