Wednesday, December 10, 2008

The danger of botnets

Botnets are bad news, and recently governments have been learning just how bad.  A botnet is a term for a network of computers that have been hijacked through malware infections--aka viruses, worms, trojans--so that a hacker can remotely control them.  These infected and remote-controlled (robot or "zombie") computers can then be used for all sorts of purposes.  These computers are your computers--everyday desktops that have been infected by a virus and can now be controlled by someone else at any time.  Spam production is the most common use...but these hidden networks can, in the wrong hands, be used for far more dangerous purposes.  A botnet attack on the nation of Estonia last year nearly drove the country's entire digital infrastructure offline, and there is now a movement to declare botnets "eWMDs"--electronic weapons of mass destruction.

The following excerpt from the Hoover Institution's Policy Review journal (No. 152, December 2008 & January 2009; http://www.hoover.org/publications/policyreview/35543534.html) offers a simple explanation of botnets.

eWMDs

The internet has enabled the bountiful benefits of eCommerce, and the incorporation of eCommerce into our economies has, in turn, created a dependence on the Internet, similar to our dependence on water, electric, and telephone utilities. Unlike other utilities, however, communication utilities can be crippled without even necessarily being physically attacked — they can be attacked in cyberspace. Such a cyber attack can result in loss of life, loss of wealth, and serious impediments to the flow of goods and services. In a modern just-in-time economy, these disruptions have the potential to cause catastrophic damage. Cyber attacks present a grave new security vulnerability for all nations and must be urgently addressed.

Cyber warfare is asymmetric warfare; more is at risk for us than for most of our potential adversaries. Another asymmetric aspect is that the victims of cyber warfare may never be able to determine the identity of their actual attacker. Thus, America cannot meet this threat by relying solely upon a strategy of retaliation, or even offensive operations in general.

Cyber attacks are best accomplished through exploiting intelligence on the enemy's networks and servers, and on those servers' software, the current vulnerabilities of the software's applications, and standard security practices and typical lapses. Cyber attackers can exploit their targets' networks and servers such that those systems not only stop supporting their intended purposes, but actually work against those purposes. As evidenced by recent attacks on the Pentagon computer system, the United States must assume that our potential adversaries in the world are preparing for such attacks.

Cyber warriors may choose to be discreet about high-value targets, the security of which is compromised, and wait for the optimal moment to launch their attacks. But they can also put low-value, low-security targets to coldly efficient use. A low-value target computer can be unwillingly, unknowingly conscripted (by being infected by a virus, worm, or Trojan software) in future attacks as a zombie in a botnet. Botnet is a term for a collection of software robots (bots) which run autonomously on compromised computers (zombie computers). These computers run malicious programs under the command of a so-called bot herder, who can control the group remotely. Any computer can be infected and available for use as part of a botnet without the computer's owner knowing it. In the spring of 2007, Estonia was the victim of a month-long cyber attack, which, according to the New York Times, "came close to shutting down the country's digital infrastructure." Your personal computer may have been used in that attack without your knowledge. Cyber attacks involve not just one malicious computer but thousands of computers at a time, with new ones constantly joining the fray. Because so many computers are engaged, cyber sallies are all the more difficult to deflect.

When one computer floods a target's server, router, or Internet connection with traffic (i.e., saturating the target with external communication requests, thereby overloading its capacity and effectively making it unavailable for others), it is called a dos (denial-of-service) attack. A dos attack is defeated by reconfiguring routers to reject all traffic from the originating ip address — that is, from the address of the aggressor computer. If a large number of computers are used in the battle, though, it is called a ddos (distributed denial-of-service) attack. In these cases, the routers of the target must be reconfigured to reject the ip address of each offensive, zombie computer as it is discovered. ddos attacks can be overwhelming — it was a ddos fusillade that crippled Estonia — so all computer owners have a civic duty to secure their machines against becoming part of a botnet.

The U.S. government has a similar duty, but on a larger scale. Because botnets represent such a real threat to our domestic cyberspace and all the assets that those Internet-accessible computers control, it is a vital national interest to secure the domestic Internet.
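The excerpt above explains why a single-source flood can be stopped by blocking one address, while a distributed flood cannot. The following script is an added illustration and is not code from the Policy Review article or this blog. It counts requests per source over constructed web-server log lines and compares two scenarios with the same total volume: one host sending 2000 requests, and 200 zombies sending 10 each. The log format, the per-address limit and the server capacity are assumptions chosen for the example.

```python
"""Per-source request counting over constructed web-server log lines.

Added example, not from the Policy Review article or the blog post: it shows
why blocking the offending address defeats a single-source DoS flood but not
a DDoS in which every zombie stays under the per-address threshold. The log
format and both thresholds are assumptions made for illustration.
"""
import re
from collections import Counter

# Common-Log-Format-style line; all addresses and timestamps below are constructed.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(lines):
    """Yield (source address, timestamp) for every line matching the log format."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.group("ip"), m.group("ts")


def count_per_source(lines):
    """Number of requests seen from each source address."""
    return Counter(ip for ip, _ in parse_log(lines))


def offending_sources(lines, per_ip_limit):
    """Addresses above the per-address limit: the ones a per-IP router rule could reject."""
    return sorted(ip for ip, n in count_per_source(lines).items() if n > per_ip_limit)


def capacity_exceeded(lines, capacity):
    """True when the total volume in the window exceeds what the server can serve."""
    return sum(count_per_source(lines).values()) > capacity


def make_flood(sources, per_source):
    """Construct log lines with `per_source` requests from each address in `sources`."""
    lines = []
    for ip in sources:
        for i in range(per_source):
            lines.append(
                f'{ip} - - [10/Dec/2008:12:00:{i % 60:02d} +0000] "GET / HTTP/1.0" 200 512'
            )
    return lines


# Assumptions for the example: a legitimate client never sends more than 100
# requests in the window, and the server can absorb 1000 requests in that window.
PER_IP_LIMIT = 100
CAPACITY = 1000

# Two constructed scenarios carrying the same 2000 requests (documentation address ranges).
SINGLE_SOURCE = make_flood(["198.51.100.7"], 2000)
DISTRIBUTED = make_flood([f"203.0.113.{i}" for i in range(1, 201)], 10)

if __name__ == "__main__":
    for name, flood in (("single-source DoS", SINGLE_SOURCE), ("distributed DDoS", DISTRIBUTED)):
        print(
            f"{name}: over capacity = {capacity_exceeded(flood, CAPACITY)}, "
            f"addresses a per-IP rule could block = {len(offending_sources(flood, PER_IP_LIMIT))}"
        )
```

Both floods push the server past its capacity, but only the single-source one produces an address that a per-IP rule can reject; in the distributed case every zombie looks like a modest client, which is why the excerpt says each zombie has to be found and blocked individually.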

The rest of the article can be found at http://www.hoover.org/publications/policyreview/35543534.html.  It goes on to describe the exact nature of the attack on Estonia, the continuing national security threat from botnets, and what governments and organizations can do to prevent it. 

Elaborate and destructive as it was, the attack on Estonia appears to have been engineered by a single hacker (the Russian government denies involvement, but the article also discusses how their hackers used cyber-attacks against Georgia concurrent with their recent invasion of that country).  It's terrifying to think of the destructive potential of such things, given how little most owners know about computer and internet security.  Aside from international threats, botnets can be used for spam, bandwidth theft (where someone else puts material on your computer for others to access or download), identity theft, and fraud.  However, there are things that we as private computer-owning individuals can do to prevent our property from being appropriated in such a manner.  Even better: most of them are very simple.

Prevention

You are less likely to get sucked into a botnet if you do these things:

  • Keep your computer updated with security fixes.  Those irritating patches Microsoft keeps sending you are *not* worthless.
  • Use a good spam filter.  
  • Use anti-spyware, anti-virus and firewall protection.  On my own computer, I use Avast! anti-virus, a free anti-virus program available on the net (Norton and McAfee are two other popular ones, but I find they tend to conflict with my other software).  I'd also recommend to anyone LavaSoft's free AdAware anti-spyware program.  Run anti-virus and anti-spyware checks frequently.  I run them both once a week.
  • DON'T CLICK on dubious links in spam emails or shady websites.

Most of us know by now to also avoid suspicious emails, particularly random messages with subject tags about holidays, celebrities or current events. Watch out for phishing scams, never click on (and absolutely don't buy!) anything advertised in a spam email, don't open attachments when you don't know what they are or who they're from, and when in doubt, just don't click. In cases where I find an email questionable but worth checking up on (I got a really good fake email about my PayPal account, once--this is called phishing and is a form of fraud), I will close my email and open a new browser page where I type in the URL myself to double-check.  Most sites such as PayPal or eBay or...whatever your bank is will offer links so you can report internet fraud to them.  USE IT, especially if the email (or whatever) is cunning enough to actually take you in.  They need to know when there's a danger to their users.
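The habit described above (never trust the link in the message; type the address yourself) works because a phishing email shows you one site while its link leads to another. The script below is an added example, not code from this blog, that makes that mismatch visible: it pulls every link out of a constructed HTML message and flags any whose visible text names one site while the actual address points to a different registered domain. The message is constructed for the example, and the "last two labels" rule used to compare domains is a simplification (no public-suffix list).

```python
"""Flag links whose visible text names one site but whose href goes elsewhere.

Added example, not from the blog post. The HTML message below is constructed;
the domain comparison keeps only the last two labels of a hostname, which is
an assumption that ignores multi-label public suffixes.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LOOKS_LIKE_DOMAIN = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.paypal.com/help'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return urlparse(url_or_text).hostname or ""


def registered_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mismatched_links(html):
    """Return (visible text, href) pairs where the shown site and the real site differ."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not LOOKS_LIKE_DOMAIN.search(text):
            continue  # "click here" style text names no site, so there is nothing to compare
        if registered_domain(host_of(text)) != registered_domain(host_of(href)):
            flagged.append((text, href))
    return flagged


# Constructed sample message: one deceptive link, one honest link, one generic link.
SAMPLE_MESSAGE = """<html><body>
<p>Your PayPal account needs confirmation. Log in at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>
or <a href="http://198.51.100.9/track">click here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_MESSAGE):
        print(f"shown as {shown!r} but actually leads to {real!r}")
```

The first link is the kind that takes people in: it starts with "paypal.com", but the registered domain is the part at the end, so the comparison catches it. The second link is honest and passes, and the "click here" link is skipped because its text makes no claim about where it goes.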

Detection and Removal

It's difficult to detect if your computer has been caught up in a botnet. If you notice that your computer is sluggish, that's a potential warning sign (or it might mean you need to defrag your computer--long story short, your hard drive is like a piece of paper with a lot of writing on it.  When your computer stores something new, it puts it wherever there's space.  Defragmenting your hard drive essentially sorts the pieces back together for easier reading, which makes it run faster). If friends start complaining they're getting spam or random messages with suspicious attachments from you, that's also a good indicator.  (For related reading, see Make Windows XP Run Faster.) There are also logging features on your computer that can help you trace unauthorized usage, if you know what to look for (checking your email outbox for mysterious sent messages is an easy one, as is checking your browser history).  But in general, if you have been affected by a botnet, you've got some sort of malware infection. Running good anti-virus and anti-spyware software (refer to the links above) will usually detect, take care of, and/or prevent the problem.

Finally, the easiest way to make sure a hacker can't access your computer, whether infected or not:  turn it off or disconnect from the internet when you're not using it.
