Botnets: The New, Faceless Threat
One hacker armed with one computer isn't going to make a dent in most financial institutions' network security perimeters.
But imagine a faceless army of thousands of compromised PCs outside the walls of your institution. They are computer robots programmed to obey the commands of their master, and will do whatever their botmaster tells them to do. Think what damage they could do.
Some recent examples of bots in action:
- In July, hackers used keylogging software to gather passwords to databases at the U.S. Department of Transportation, consulting firm Booz Allen, Hewlett-Packard Co and satellite network company Hughes Network Systems. The hackers' intention was to hold the databases for ransom. ( For more information read: Ransomware).
- In August, Monster.com said it had been victim of a hack. The confidential contact information of millions of its registered job seekers was stolen by criminals who used compromised computers or "bots," also called zombies.
- And just last month, a cyber crimefighting online organization, FraudWatch.org, buckled under the weight of a month-long denial of service attack. The source of the attack -- a massive botnet.
The Risk for Financial Institutions Are botnets a threat that financial institutions should consider now? Yes, says Lance Spitzner, president and founder of the HoneyNet Project, a Chicago-based global organization that has been researching and developing countermeasures to help detect and rid the Internet of these bot armies since 1999.
"You will want to remember that a botnet is nothing more than infrastructure for criminals to do their criminal activity," Spitzner says. "[Criminals] will do whatever makes them the most money for the least amount of effort. It could be phishing, spam, website takeovers, denial of service attacks, malicious website hosting, extortion, porn, it all changes, depending on what's making the money."
While institutions such as Bank of America still will continue to see phishing hitting their shores, criminals are moving away from phishing, Spitzner says. "That's because the return on investment is not as good as before," he says. "People are wiser and less likely to fall for a phishing email."
They are now, according to the Anti-Phishing Working Group, installing crimeware. The bots are still being used to control whatever crimeware they've installed on the compromised PCs and servers, whether it is a keylogger or a Trojan, or some other type of malware.
[Editor's Note: A keylogger records all the keys typed on a keyboard and silently sends them back to the hacker who then has just to decide the importance of a 10 digit number (is it a social security number sequence? ) or if a password (passwordBOA8456) will coincide with the owner's online bank account. A Trojan masquerades as one thing and is really something else. Most Trojan payloads harbor really bad stuff. Though not limited in their payload, Trojans are more notorious for installing "backdoor" programs that then allow unauthorized non-permissible remote access to the victim's machine by unwanted parties - normally with malicious intentions!]
The Growing Risk The risk that a botnet poses changes depending on what the criminals are doing, Spitzner adds. That they are hard to detect doesn't make the cyber crimefighters' jobs any easier. For instance, instead of going massively big, the bots are going smaller, and are using stealth tactics. "Three or four years ago it used to be a game to see how big a botherder could make their botnet, with sometimes tens of thousands or even hundreds of thousands of bots being herded by one botmaster," he says.
Then, Spitzner says the threat wasn't really that criminal. "It was more of kids showing off what they could do." However, now with the organized crime syndicates in the game, they're still holding the reins of thousands of computers, but they want to stay below the radar and have broken up the botnets to avoid detection.
So now, he says, if a botnet is taken down, it is small network and it only is a drop in the bucket to what's still out there. "They attempt to make as little noise as possible, and make as little of a ripple as possible," Spitzner says.
By contrast, the more advanced, criminal botnets are highly sophisticated and have been very hard to shut down. They use techniques such as fast flux, or peer to peer and use advanced encryption and authentication methods to stop unauthorized users (usually the good guys) from breaking in and shutting them down. "It's very impressive," Spitzner says. (See related story: Phishing -- Can it happen at your institution?)
"We're dealing with the same criminals who were dealing in drugs, gambling and prostitution on the streets 20-30 years ago, and who have moved into the online gambling, extortion, identity theft and fraud," Spitzner says. "Main reason? The return on investment is so much vastly higher, and the threat of arrest and prosecution is nil."