Nine things about botnets that will scare your pants off

If you (like me) have been under the impression that botnets are no big deal, it's time to realize what a big threat they are to legitimate businesses and organizations. Corporate PCs that are turned into zombies can be forced to distribute spam, steal identity credentials and intellectual property, log keystrokes, commit click fraud and so much more. Here are nine things you might not know about botnets that are guaranteed to make you nervous.

Network World recently published a couple of articles about botnets that raised my interest in the subject. First there was Ellen Messmer's article, "The botnet world is booming." It was followed by her next article, "America's 10 most wanted botnets." Together these articles paint a dire picture of botnets taking over PCs -- the ones on corporate networks as well as the ones we use at home.

I wondered just how deep and wide the botnet problem goes. What I learned with just a little bit of research is enough to make you want to return to the days of stand-alone computing. The reality is worse than most people suspect. Let me share nine known things about botnets that will scare your pants off. At the very least, perhaps this article will prompt you to step up your effort to keep your corporate PCs off the illicit botnets.

1. The process of developing software that creates and controls botnets has reached a professional level. Forget script kiddies that are out for kicks; developers are in it to make a lot of money. The techniques they use to create malware or command and control software are as sophisticated as those used by any commercial software company. What's more, this underground development community is very cooperative -- almost like a legitimate open source community. Software is packaged and sold or passed around, and developers add their "personal touches" to create many variants of the malware. Finjan reports that the Golden Cash network operated by cybercriminals provides an exploit toolkit as well as an attack toolkit to distribute malware.

2. Once a PC is on a botnet, the use of that PC can be bought and sold many times. For example, the Golden Cash network is a vast botnet exchange. Cyberthieves purchase malware-infected PCs from anyone in the underground market, and then bundle them and resell them to criminals who want to rent the use of a botnet. This provides a great incentive for criminals to create even larger botnets.

3. Botnets use multiple automated propagation vectors to spread, including spam, worms, viruses and drive-by download attacks. For instance, legitimate Web sites are often compromised with HTML tags that force a victim's browser to download JavaScript code from a server that's controlled by the attacker. That code can launch a number of exploits against the unsuspecting PC. If any of the exploits is successful, the PC can become the next zombie on the botnet, making it easier than ever for the attacker to collect new nodes on his illicit network.
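The injected-tag pattern described above gives site owners something concrete to check for: a page that suddenly pulls scripts or frames from hosts the site does not own. The following is an added example (not code from the article or from any vendor it mentions) of an integrity check a Web team could run over its own pages. The HTML sample is constructed, and the allowed-host list is an assumed policy for a site whose own assets live on example.com and cdn.example.com.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. Assumption: the site owns example.com and serves
# static assets from cdn.example.com; anything else is unexpected.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>hello</p>
<script src="http://198.51.100.23/x.js"></script>
<iframe src="http://203.0.113.9/f.html" width="0" height="0"></iframe>
</body></html>
"""

ALLOWED_HOSTS = {"example.com", "cdn.example.com"}


class ExternalResourceScanner(HTMLParser):
    """Collect <script> and <iframe> tags whose src points off the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, src, line number in the HTML)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or frame without a source: not a fetch
        host = urlparse(src).hostname
        if host is None:
            return  # relative URL resolves to the page's own origin
        if host.lower() not in self.allowed_hosts:
            line, _offset = self.getpos()
            self.findings.append((tag, src, line))


def find_unexpected_resources(html, allowed_hosts=ALLOWED_HOSTS):
    """Return every script/iframe source that loads from a non-allowlisted host."""
    scanner = ExternalResourceScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, src, line in find_unexpected_resources(SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads from unexpected host: {src}")
```

Run it against a known-good copy of each page first to build the allowlist, then against the live page on a schedule; a new finding is the signal to compare the page against the deployed source. Protocol-relative URLs (`//host/path`) are handled because `urlparse` still extracts their hostname.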

4. The malware that turns the PC into a bot can hide as a rootkit, making it exceptionally hard to detect and eradicate the malware. The Torpig botnet, as an example, implants Mebroot on the victim PC. Mebroot is a rootkit that replaces the system's Master Boot Record. Therefore, the PC is under the attacker's control even before the operating system loads.

5. Once installed, the malware can attack and nullify the very software that is supposed to prevent or at least detect the malware infection. Intel researchers report that botnet developers have begun to target the antivirus, local firewall and intrusion prevention/detection software and services. The researchers identified at least two ways that a botnet blocked the security software from getting updates:

* A botnet changed the local DNS settings of the affected system to prevent the antivirus software from reaching its update site.

* A botnet was actively detecting connection attempts to the update site and blocking them.

6. Botnet malware code is often polymorphic; that is, it changes with every new infection. This means that signature-based antivirus software is useless against it. What's more, the Intel researchers have discovered the use of techniques such as code obfuscation, encryption and encoding that further hide the true nature of the code, making it hard for antivirus software to detect it.

7. Botnets can be reprogrammed, allowing their missions to change. One day the botnet can be sending out spam, and the next day it can be told to collect credit card information from the infected PCs.

8. It used to be that bots generated a lot of "noise," making it easier to spot a compromised PC on a network. These days, some bots transmit little traffic, helping them to fly under the radar of log management systems. What's more, botnet traffic can masquerade as legitimate network traffic, making it hard to detect.

9. Legitimate applications such as Web browsers or office productivity tools can be compromised as part of the botnet's malware infection. For instance, the Torpig botnet injects malevolent DLLs into browsers, popular applications, e-mail clients, instant messengers and system programs. After the injection, Torpig can peruse and steal any data that is handled by these applications, including logon IDs and passwords.
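Low-volume bot traffic that blends in with normal protocols still tends to have one property legitimate browsing does not: it checks in with the same destination on a fixed schedule. The following is an added example (not code from the article) of the kind of beaconing check a log-management team can run over connection records. The log lines are constructed, the format (timestamp, source, destination, bytes sent) is assumed, and the thresholds are starting points to tune, not values the article gives.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: "ISO-timestamp src dst bytes_out" (assumed format).
# 10.0.0.12 talks to 203.0.113.50 every ten minutes with ~400 bytes each
# time; its traffic to 198.51.100.7 is irregular and bulky, like real use.
SAMPLE_LOG = """\
2009-07-01T08:00:00 10.0.0.12 203.0.113.50 412
2009-07-01T08:00:13 10.0.0.12 198.51.100.7 90212
2009-07-01T08:10:02 10.0.0.12 203.0.113.50 418
2009-07-01T08:12:40 10.0.0.12 198.51.100.7 3114
2009-07-01T08:20:01 10.0.0.12 203.0.113.50 410
2009-07-01T08:30:03 10.0.0.12 203.0.113.50 415
2009-07-01T08:40:00 10.0.0.12 203.0.113.50 409
2009-07-01T08:51:17 10.0.0.12 198.51.100.7 55780
2009-07-01T08:50:02 10.0.0.12 203.0.113.50 420
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def beacon_score(events):
    """Return (mean interval in seconds, coefficient of variation, mean bytes).

    A low coefficient of variation means the gaps between connections are
    nearly identical, which is what a timer-driven check-in looks like.
    """
    times = sorted(t for t, _ in events)
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg_interval = mean(intervals)
    cv = pstdev(intervals) / avg_interval if avg_interval else float("inf")
    return avg_interval, cv, mean(b for _, b in events)


def find_beacons(text, min_events=5, max_cv=0.1, max_mean_bytes=2048):
    """Flag flows with enough events, regular timing, and small payloads."""
    suspects = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue  # too few samples to say anything about regularity
        avg_interval, cv, avg_bytes = beacon_score(events)
        if cv <= max_cv and avg_bytes <= max_mean_bytes:
            suspects.append({
                "src": src, "dst": dst, "count": len(events),
                "interval_s": round(avg_interval), "cv": round(cv, 3),
            })
    return suspects


if __name__ == "__main__":
    for s in find_beacons(SAMPLE_LOG):
        print(f"{s['src']} -> {s['dst']}: {s['count']} connections, "
              f"every ~{s['interval_s']}s (cv={s['cv']})")
```

Because the check looks only at timing and volume, it does not matter whether the bot dresses its traffic up as HTTP or anything else. Expect legitimate periodic clients (software updaters, monitoring agents, mail polling) to appear too; the usual approach is to allowlist those destinations once identified rather than loosen the thresholds.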

If you (like me) have been under the impression that botnets are no big deal, it's time to realize what a big threat they are to legitimate businesses and organizations. Next week, we'll look at ways to detect botnet infestations on your network.

Learn more about this topic

America's 10 most wanted botnets

The botnet world is booming

Botnets: Reasons it's getting harder to find and fight them

Copyright © 2009 IDG Communications, Inc.
