15 April 2007

[Virtual] World Wide War

Fast-Moving Zombies: Botnets Stay a Step Ahead of the Fixes, Greg Goth, IEEE

Over the winter, my contacts at the company's ISP and I noticed a distinct surge in "malware." In my communications with the company's ISP, they occasionally mentioned the desperation and frustration of warfare. Mostly the malware was spam, which has been roughly doubling every year since at least 2000.

Much of the increase has been the result of "botware," malicious programs installed without the user's knowledge or consent. Botware floods the internet with literally trillions of e-mails each year, and utilizes the latest spam-thwarting technology.
Users who might be truly interested in discovering whether their computers have been turned into bots can do a fairly simple check from the command prompt. Typing netstat -an reveals both local and foreign IP addresses and the port numbers via which they’ve communicated during the computer’s current session. Users who don’t use Internet Relay Chat (IRC) and see port 6667 displayed on the list of addresses in the command prompt can almost guarantee that their machines have been hijacked.
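The netstat check above, worked through as an added example that is not from the post or the IEEE article: a small Python parser over a constructed sample of Windows netstat -an output that flags established TCP connections whose remote port is an IRC port (6667, which the article names; extending that to the conventional 6660-6669 range is my assumption). Bots that talk on port 80 would pass this check unflagged, which is the blending-in problem the article goes on to describe.

```python
import re

# Constructed sample of Windows "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.5:1050       198.51.100.20:80       ESTABLISHED
  TCP    [::1]:1055             [::1]:6667             ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

# 6667 is the port the article names; treating the whole conventional
# 6660-6669 IRC range as suspect is an assumption of this example.
IRC_PORTS = set(range(6660, 6670))

# One netstat row: protocol, local endpoint, foreign endpoint, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port or None)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or port in ("*", ""):
        return endpoint, None          # wildcard UDP endpoint such as *:*
    return host.strip("[]"), int(port)

def parse_netstat(text):
    """Return (proto, local_host, local_port, foreign_host, foreign_port, state) rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # banner, column header, blank lines
        proto, local, foreign, state = m.groups()
        lh, lp = split_endpoint(local)
        fh, fp = split_endpoint(foreign)
        rows.append((proto, lh, lp, fh, fp, state or ""))
    return rows

def find_irc_connections(text, irc_ports=IRC_PORTS):
    """Return (foreign_host, foreign_port) for established TCP sessions to IRC ports.

    Only the foreign port matters: a bot connects outward to its controller,
    so a local client port number tells us nothing.
    """
    hits = []
    for proto, _lh, _lp, fh, fp, state in parse_netstat(text):
        if proto == "TCP" and state == "ESTABLISHED" and fp in irc_ports:
            hits.append((fh, fp))
    return hits
```

On a real machine, feed the output of netstat -an to find_irc_connections and treat any hit on a box that does not run an IRC client as worth a closer look.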
IRC bots are easily installed and activated on Windows machines, since the OS was designed to automatically load patches and other programs from the web.
Trend Micro’s Moriarty says IRC is still a bot boulevard, but other protocols are now being exploited as well. “IRC is still predominantly the main source of communication,” Moriarty says. “However, starting around April and May of last year, we started noticing bots starting to use port 80. So now they’re blending in with the normal mix of Web traffic, and it gets a little more difficult to separate the wheat from the chaff.”

Another industry veteran also says he sees a trend away from IRC bots. Andre M. DiMino, cofounder of the Shadowserver Foundation, a volunteer-run resource center focusing on malware, botnets, and electronic fraud activity, says P2P botnets are making a strong appearance. “It’s definitely shifting,” DiMino says. “There’s a lot of P2P bot traffic now. For instance, the Nugache worm ... was a real classic P2P worm. We now believe it was originally released as a proof-of-concept on [the normally unassigned] port 8 because we’re seeing more variants. Originally, it was really easy to find — it had a hard-coded list of IPs and was kind of dumb when we first saw it, but now appears to be proof-of-concept. I kind of look at it as IRC botnets could be the bad guys’ honeypots — we’ll all be looking for IRC bots, but the real bad stuff will start happening on other vectors.”
What can Windows users do to reduce the risk of malware? Basically, the problem is that most Windows boxes are configured so that users can log in only as an administrator. I've noticed that this is not the case in Windows XP, where users must choose among a variety of possible identities. Still, a lot of users do tend to log on as an administrator all the time, and in this mode Windows has standing permission to install pretty much anything on the hard drive. Another countermeasure, implemented by ISPs, is to configure customer machines so they block outgoing IRC transmissions:
For example, whereas XP Service Pack 2 has no easily discernible way for users to configure their machines to avoid outgoing IRC communications, some ISP home network equipment does. AT&T’s broadband wireless router manufactured by 2Wire, for instance, lets users disable outgoing IRC traffic, but it’s not the default setting. And some users have been frustrated by system crashes caused by downloading other free firewalls that are incompatible with their ISP-supplied software, XP firewall, or both.
What puzzles me, though, is not merely the invasion of the bots--it's the deluge of spam, spam replete with alarm words that one could reasonably expect an automated spam filter to detect. Is the proliferation of spambots and botnets just maxing out the filters?
ADDITIONAL READING: "A Taxonomy of Botnets" (PDF), by Dagon, Gu, Zou, Grizzard, & Dwivedi.
