Botnets 'the Swiss Army knife of attack tools'

Hacker militias can turn to botnets for instant cyberattacks

Hacker militias may be at the bottom of the cyberwar food chain, but when they want to hit a target, they can mobilize botnets that are already up and running, security experts say.

Hacker militias reach for the closest tool at hand -- botnets already up and running, already reaping ill-gotten gains -- when they mobilize to attack the information infrastructure of other countries, security experts say.

"They just pick up what they use every day," said Joe Stewart, director of malware analysis at SecureWorks Inc. and a noted botnet researcher. "[Militias] don't have much time to ramp up, just days, so it has to be something already in use."

Although militias may be at the bottom of the cyberwar food chain, that doesn't mean they haven't caused chaos. Researchers believe that in 2008, Russian hackers marshaled a force of previously compromised computers -- one or more botnets -- to carry out distributed denial-of-service attacks (DDoS) that knocked offline many of the Web sites in the former Soviet republic of Georgia. At the time, military forces from Georgia and Russia were fighting over disputed territory.

DDoS attacks flood sites with so many spurious requests that the sites' servers are overwhelmed and can't handle legitimate requests, are knocked offline, or are taken offline by the hosting firm or Internet provider.

According to Stewart and other researchers, one of the botnets drafted for the brief cyberskirmish was Black Energy, a Trojan horse-hijacked army of PCs thought to have been used to hit Citibank last year . Since then, Stewart has identified its successor, Black Energy 2, which he said is currently being used to launch DDoS attacks against Russian banks. Stewart speculated that the criminals behind Black Energy 2 attack the banks' Web sites to distract security teams as online accounts are pillaged, much like a criminal crew might stage a fire to distract police from a bank robbery across town.

Black Energy 2 could be the weapon Russian militias reach for next time.

"Botnets are the Swiss Army knife of attack tools," said Marc Fossi, manager of research and development for Symantec Corp.'s security response team. "Hackers use them to relay spam, for phishing and to post Web-based attacks or malcode. They're the engine that drives criminal activity on the Internet."

DDoS attacks are the "blunt end of what they can do," Fossi added.

Like Stewart, Fossi agreed that cybermilitias -- self-starting groups composed of volunteer hackers led by cybercriminals -- take up the tools at hand. "It's not surprising at all," he said. "You have so many different levels of attackers, including neophytes who come in not knowing much. But they can buy or rent a botnet from somebody, or buy a kit to build their own botnet."

Small botnets that comprise approximately 2,000 hijacked computers can sell or rent for as little as $150, Symantec's research shows, with the average botnet going for just $225.

"It's very quick and dirty," Fossi said. "All the work is done for you. It's as if someone else puts the weapon together and loads it. All you have to do is point and shoot."

Botnet kits like Zeus sell for considerably more -- between $3,000 and $4,000, according to Kevin Stevens, who works with Stewart at Atlanta-based SecureWorks. But they allow criminals and cybermilitias alike build their own customized attacks to steal PCs from their rightful owners.

"Programmers who might have created their own botnets now create a kit and sell it," said Fossi. "There's less risk in that."

But while ad hoc militia groups have used botnets to launch cyberwar-style attacks, there's no direct evidence that they have been backed by governments, and even less chance that national attacks would be based on commercial botnets.

"They're doing this either for nationalistic reasons or in cooperation with the more corrupt side of governments for favors later, maybe for not prosecuting them for other crimes," said Stewart, spelling out possible reasons why cybercriminals turn to cyberwarfare.

"If I'm [a government] and coming out with something, I would want to create a newer botnet-making kit," said Fossi, not turn to an existing bot builder such as Zeus. "We see tons of [Zeus bots], so there's antivirus detection in place. I'd want a newer bot than Zeus so X and Y and Z don't detect it yet."

"Governments would want something more stealthy, so they would develop in-house," Stewart contended. Existing bots, he said, are too easy to detect.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Knowledge Center.

This story, "Botnets 'the Swiss Army knife of attack tools'" was originally published by Computerworld.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.

IT Salary Survey: The results are in