Battle of the bots

You can't see or hear them, and really, there is nothing there to tell you if you have them on your system. But be warned: insidious bots that could threaten your business are upon us.

Last summer, Hollywood issued a warning--a new age would begin and a new generation would be born.

How on the mark that was, both on and off the cinema seat. The 21st-century Hollywood rendition of Isaac Asimov's I, Robot only went as far as the physical destruction caused by robots.

At about the same time I, Robot came to our screens, hackers were already about to launch a robotic attack of the virtual kind--using bundles of code known as bots to exert control over the cyberworld.

Each day, as computer users unassumingly logged on, more and more bots gained control, multiplying from 2000 monitored bots a day (as measured by Symantec at the end of 2003) to an average of 30,000 this past June. (Spikes of 75,000 were also measured during this period.) Unlike Asimov's NS5 (the robot that, apart from one AI being, assumed a mass personality) bots come in many different individual forms. Like the NS5 though, network bots do have power in numbers.

What are they?
The bots that are terrorising us today are actually programs, and they've been around for quite a while in a much more benign form. The first bots were used to create virtual opponents for video games or to spider Web sites. The first bot--the Eggdrop bot--was written in 1993 to help form party lines on Internet Relay Chat (IRC) lines.

As bots became more sophisticated, they began to take on more sinister roles in the hands of some creators. Now they can be secretly installed on a target system, and once there, an unauthorised user can take control of the system, giving out malicious directions for one or a whole group of bots the controller may have set up.

They have recently been known to launch viral attacks, extort finances from companies, or send spam from your machine, without the user even being aware they are there. Bot business has suddenly come to mean big money. In the same sort of place that Internet porn, fake Rolex watches, and promises of cheap Viagra lurk, you can find a black market for bad bots.

According to Symantec security response team senior director Vincent Weafer, bots hidden on your machine can be put up to a range of dirty deeds netting their creators up to AU$100 (AU$1 is approximately US$0.8) an hour. Individual bots can disable virus protection and allow the nasties in, or armies of bots can make their way past the front line, using sheer force to flood a system and bring a business--particularly an online operator--down. Many of these bot sources can be found over the Internet, proffering their services to one and all.

"The [malicious] motivation between the launch of bot attacks can vary between profit and distortion," Weafer says. The controller of a bot can say 'I am going to do a Dedicated Denial of Service [DDoS] attack on you unless you pay me money'. One sector where this scam is often used is with online gambling sites.

"Bots are also certainly seen as a tool for the relay of spam, or they can be used to gain credit card information and to store illegal material on people's machines... bots really are dangerous because they can use machines for so many different purposes. In many cases bot networks themselves are available for rent at a per-hour amount. This depends on the number of machines or bandwidth types. One we pulled off had about 220 bots that had been sold for AU$800 a week, another had bots on 9000 machines. The average network amount is 2.5 cents per bot week. Rental is very low so it makes sense to use bots for extortion or for spamming," he adds.

Taking a gamble
For Australian businesses such as Professional Punter, a small site that makes money off the sale of gambling tips, bots are real-world threats. "In gambling, bot attacks are well-known and viewed in a pretty bad light," Professional Punter managing director Guy West says.

And while his business knows about bots, which have been used in extortion attacks on larger bookmaking sites such as Centrebet and Canbet, it certainly can't afford the level of security it says it requires to ensure an attack will not happen to it.

"We just have to grin and bear it," West says. "We have to take the normal precautions with our firewalls, antivirus software, and be careful opening attachments, but I don't think we would have the right security to cope with a sophisticated attack. But then again we don't really have the money to make huge extortion payments. I think only the big companies can really afford to take it seriously."

UK betting site Betfair disagrees. It made a desperate plea on 29 November 2004 to its government and industry organisation asking them to heighten awareness and further fight against DDoS attacks, saying that while they have only affected a handful of larger businesses so far, any company relying on the Web for transactions is ultimately at risk. Online travel sites, book vendors, healthcare systems are all areas that could just as easily be a target of bot attacks, Betfair CTO David Yu says.

Betfair says it has been targeted by Web-based criminals and has been a victim of DDoS attacks on three separate occasions, with hackers flooding its servers with mail sent from botnets, which often lurk on small business and home computers.

"Big governments are dying to prosecute these guys because they're a pain in the neck... they're really causing trouble."
Google and Yahoo also know the real risk of bot network attacks. Early last June, a bot network was used to launch a zombie attack to block access to these sites and it also attacked Web hosting company Akamai, and affected two of its high-profile customers... Microsoft and Apple. By taking aim at domain name system servers run by Akamai, the attackers effectively shut surfers out of the sites by sending e-mails from host computers, all of which mimicked legitimate mail relays. Akamai says it was their own business which suffered most from the attack.

It has been suggested bot networks have also been launched by competitors or opponents in business, and that not all attackers have money on the mind--some simply want to cause a little chaos. Whatever the motive, all those on the receiving end of a bot attack need to realise the implications. Unfortunately, many in business still do not.

An Australian story
In the last two years, Australia has become one of the prime locations for the launching of Internet-based attacks. Only China, Canada, and the US have more. A majority of these attacks have been put down to the increase of bot-infested machines seen in the country. "Unfortunately in Australia, being a well-connected society, we are a prime target," McAfee marketing director Alan Bell says. One of the biggest dangers in a well-connected society is that everyone can be at risk. He says both small and large businesses could find themselves targets of bot attacks, but it is the larger businesses that will see more damage inflicted.

"But the upside is, in Australia, these people do tend to be more protected. Here, only 25 percent of companies are running without adequate protection--but the average user of a computer (your home user) does not have quite as much value on their system and would probably never think that they need to."

"The thing is, in Australia, bot attacks are definitely below the radar of most users--you ask the average computer user about them and they won't have a clue, which is unusual considering bot attacks made up 50 percent of attacks last year. I guess they just don't tend to have the massive outbreaks you see with viruses such as MyDoom or Sasser [the Sasser worm] so they manage to keep a lower profile."

AustCert's Gillespie agrees. He says most people, in cases where bots launch or deactivate viruses or the defences against them, will put the problem down to a virus before they look any further. "A bot can have strong similarities, and not appear to the user as anything else," Gillespie says.

"Software that is around for cleaning networks or preventing bot attacks is fairly expensive, it's proprietary and it is more of the big end of town that have the financial resources to protect themselves in this way. But as awareness and penetration of software reaches the market, the unit cost will come down and we will be able to eradicate more of these problems."

Anatomy of bots
Bots may not have the same menacing exterior as the NS5 villain computer from I, Robot, and they may not be able to inflict the same physical damage, but bots are--in a philosophical sense--very much the same.

The term bot is in fact short for robot, which of course is something that performs a set of actions on behalf of a remote controller. In the case of a virtual bot, it is a piece of code controlled by malicious hackers that sits on a machine as a "zombie" and performs actions as directed by its master. A bot can connect to a service provider and apply for an e-mail address, providing false but seemingly genuine personal details for the relevant fields--just like an automated form filler.

McAfee marketing director for Asia-Pacific Alan Bell says it is best to look at bots as cultivated entities "because they are used again and again."

"Bots are also self adapting--most viruses tend to be static whereas bots will pull down updates from Web sites so they can adjust their attack to whatever latest vulnerability is out there. If they cannot get one in one way, they will get it another. They also know how to keep a low profile so you won't notice them on your security report," Bell says.

Bots can also exist as a type of virus that floats around on your machine making back doors to allow people, or other viruses, to get in. In most cases they are used for the extraction of information, a trend that Sophos' head of technology Asia-Pacific, Paul Ducklin, says is simply a modern extension of the early fax scams. They can also send spam e-mail, capture screens, and steal application serial numbers.

Key bot facts
The number of bot infections monitored by Symantec rose from under 2000 computers to more than 30,000 during the first half of 2004. During the first six months of 2004, e-commerce was the most targeted sector across all attack types, including worm, virus and bot network attacks. Of all attacks, Gaobot (a network-aware bot that opens a backdoor, can be controlled through IRC channels and has many variants) was the second most common attack (four percent). It increased in prevalence by 600 percent in the first six months of 2004--this came in below the Slammer attack (15 percent).
Bot networks can occupy a few to thousands, even tens of thousands, of computers that have linked bots installed. You can become a part of a bot network by opening a dubious e-mail attachment or by picking up a virus (in which bots can be embedded) through Internet Relay Chat channels or peer-to-peer networks.

Once the bots in a network are installed, their master can awaken them at any given time, using your computer and others in the network to launch a Distributed Denial of Service (DDoS) attack, to send spam, or to spread viruses.

DDoS attacks are generally aimed at businesses which the hacker, or the hacker's client, wants to bring down by rendering servers unusable under a flood of spam.

It is expected that in the future, bot networks will become even more sophisticated, employing better methods of control and attack synchronisation which will make bots more difficult to detect and locate. Bot networks are often better able to exploit new vulnerabilities in systems than worms, as they do not require propagation code. It is believed Australia is fourth on the list for bot network attack origin, below the US, China, and Canada, and just above Germany and Great Britain.

Attacking the bots
It only takes one bot to create a security risk. Paul Ducklin, head of technology at Sophos Asia-Pacific, says that Australian businesses have been able to escape the risk of bots in the past but the security risk can no longer be ignored--especially in light of the present escalation of networks.

"Bots are now so rapid and prominent that everyone needs to join in the fight against them. Companies in Australia will generally cut some slack for those [inadvertently] harbouring bots but it comes down to liability--who is ultimately to blame for allowing bot attacks to happen. If your company is taking reasonable and simple precautions, then you should feel you have done the right thing by those you are doing business with," Ducklin says.

So what can you do to protect yourself from bots? All fingers seem to point to the very things you should also be doing to protect from all other strains of attack such as viruses, Trojans, and other malicious virtual life forms. This means firewalls, antivirus software, and simple e-mail protection procedures like canning all dubious e-mails and not opening vague attachments. But with a multitude of hackers out there, often targeting not only computers in your own country but a series of machines worldwide in an attempt to dodge national legislation and information technology laws, there is another important element: keeping all protection updated.

Ducklin says it is often software sloppiness that tends to lead to a bot infestation. "The difference between a botnet computer and a normal one is that someone has collective information about the computers being utilised. If someone gets on your machine you should automatically assume that all security bets are off--bots can have codes that will disable firewall and security monitoring and antivirus software. This can leave your network open to Trojans and viruses that are three years old," Ducklin says.

"Once you have been compromised it is even more difficult to recover your system unless you can identify what malicious code you were compromised with. A Trojan can go out of its way to make it very difficult for you to even notice that your protection is off."

So having the proper defence is the best protection. Managing e-mail content is a good start to keeping bots at bay. You should also be careful to only let traffic you absolutely need into your system, to make sure the software you use has all its security patches installed, that your system is immunised and applications kept up-to-date and antivirus software recent.
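The Key bot facts section above describes IRC-controlled bots such as Gaobot, spam relaying and DDoS; this section adds the advice to let only the traffic you absolutely need out of your network. The following is an added example (not code from the article, Symantec, Sophos or any vendor named here) showing how a defender would check outbound connection logs against an egress allowlist and look for the two bot behaviours described: a host reconnecting to an IRC port at a fixed interval, and a host fanning out SMTP connections to many mail servers. The log lines and the field layout (timestamp, source, destination, port, protocol) are constructed, and the allowlisted ports are an assumed policy.

```python
"""Egress-allowlist and bot-behaviour checks over outbound connection logs.

Added example, not from the article or any vendor it quotes. The log
format, the sample records and the allowlist are all constructed here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log (assumed layout: timestamp src dst dport proto).
# Internal hosts are 10.0.0.x; destinations are documentation (TEST-NET) ranges.
SAMPLE_LOG = """\
2004-12-01T09:00:01 10.0.0.12 203.0.113.5 6667 tcp
2004-12-01T09:00:31 10.0.0.12 203.0.113.5 6667 tcp
2004-12-01T09:01:01 10.0.0.12 203.0.113.5 6667 tcp
2004-12-01T09:01:31 10.0.0.12 203.0.113.5 6667 tcp
2004-12-01T09:00:05 10.0.0.20 198.51.100.7 25 tcp
2004-12-01T09:00:06 10.0.0.20 198.51.100.8 25 tcp
2004-12-01T09:00:07 10.0.0.20 198.51.100.9 25 tcp
2004-12-01T09:00:08 10.0.0.20 198.51.100.10 25 tcp
2004-12-01T09:00:12 10.0.0.31 203.0.113.44 80 tcp
2004-12-01T09:00:40 10.0.0.31 203.0.113.45 443 tcp
2004-12-01T09:03:00 10.0.0.31 203.0.113.46 6667 tcp
"""

# Assumed egress policy: the business only needs web and DNS out; everything
# else is reported rather than silently allowed.
ALLOWED_EGRESS = {80, 443, 53}
# Standard IRC port range; Gaobot-era bots took their orders over IRC.
IRC_PORTS = {6667, 6668, 6669, 7000}


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, proto = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def policy_violations(records, allowed=ALLOWED_EGRESS):
    """Per source host, the destination ports that are not on the allowlist."""
    out = defaultdict(set)
    for r in records:
        if r["dport"] not in allowed:
            out[r["src"]].add(r["dport"])
    return dict(out)


def irc_beacons(records, min_hits=3, max_jitter=5.0):
    """Hosts reconnecting to one IRC server at a near-constant interval.

    A single IRC connection is only a policy question; a steady cadence of
    reconnects to the same server is the check-in pattern of a controlled bot.
    Returns {src: (dst, mean_interval_seconds)}.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["dport"] in IRC_PORTS:
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    found = {}
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            found[src] = (dst, sum(gaps) / len(gaps))
    return found


def smtp_fanout(records, min_distinct=3):
    """Hosts opening SMTP sessions to many distinct mail servers.

    A workstation that is not the mail gateway has no reason to talk to
    several MTAs in a row; a spam-relaying bot does. Returns {src: count}.
    """
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == 25:
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_distinct}


def analyse(text=SAMPLE_LOG):
    """Run all three checks and return their findings together."""
    records = parse_log(text)
    return {"violations": policy_violations(records),
            "irc_beacons": irc_beacons(records),
            "smtp_fanout": smtp_fanout(records)}


if __name__ == "__main__":
    for name, finding in analyse().items():
        print(f"{name}: {finding}")
```

On the constructed log, 10.0.0.12 shows up in both the allowlist report and the beacon check (four IRC reconnects exactly 30 seconds apart), 10.0.0.20 is flagged as an SMTP relay, and 10.0.0.31 is reported only for one off-policy IRC connection, which is worth a look but is not by itself evidence of a bot. In practice the allowlist would be enforced at the firewall, and these checks would run over its denied-connection log to find the hosts that keep trying.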

"Businesses are thinking half sensibly and half altruistically when it comes to all this protection. They are realising they have to be doing the right thing by their customers and suppliers and should be stopping these things from harming them and they also must protect themselves," Ducklin says. AustCert's Gillespie says to do all this effectively, systems and security admin must be aware of all the threats that are out there, and their most common forms.

"It really depends on the current security culture that is forged. The implementation of controls such as firewalls can be made a lot easier by having a detailed knowledge of the origin of networks and Internet connection requirements. By understanding these things in advance, a firewall implementation process can be made much simpler and more problem free," Gillespie says.

On individual computers, such as home or small office set-ups, protection should be much the same as that against Trojans. On a much larger scale, to eradicate bots altogether, well, that could take the financially hefty and time-consuming process of daily updates--something that is often too much for many small businesses.

If the NS5 villain computer from I, Robot were real, you would surely expect an NS6 to come out shortly after its release. Well, the same goes with bots. There seems to be an underlying consensus that bots are here to stay--but how we deal with them will determine the form of the future bot. "A big part of the world is concerned with bots now and are trying to raise awareness of them and their networks," Symantec's Weafer says.

Weafer also warns that as protection becomes greater--as in most cases involving malicious hacker activity--the challenge will entice a new breed of bot. "You can look at the world and say the number of source machines in general may decrease, but then you can look in areas like China, where technology is a bit newer to the general society, and see the number of people without adequate security--you'll see that the risk still exists, and probably always will. With a bot network you can chop off the command control--the head of the dragon--but the rest of the dragon can still get you. It can still be there on your system."

As Vectra's Challans says: security is a constant lifecycle--turn your back and a bot could be there to get you. Turn your back for twice as long and a whole army could be knocking down your door.

Case Study: Keeping your botside covered
It must be a hacker's dream--all of a nation's financial information on the one system. So what does the Australian Taxation Office (ATO) do to protect the interest of a nation?

Having a whole nation's financial records in your hands puts you in a dangerous position--especially when it comes to bot networks. So it is no surprise that the ATO highlights these threats in red, putting them up there with risks associated with Trojans or other viruses.

Australian Tax Office CIO Bill Gibson says that what puts the ATO at greater risk is the increased Internet contact the office has taken on in recent years with its customers. This has led to a review of the ATO's security architecture (partly to further wipe out the possibility of new bot attacks) and further education campaigns to try to stop bots from making it onto clients' systems in the first place.

"The problem is we may feel we have got reasonably good protection against known [bot] threats, but it is the unknown ones we have to watch--you don't want to be the first to discover a new threat, you want someone else to find it first so you know how to protect against it," Gibson says.

"So one of the things we are, and I think everyone should be concerned about, is external clients. External clients may not realise how important it is to protect against these sort of things and they will often be the ones who will allow them to spread or enter your system."

So Gibson says the ATO is constantly educating the tax community about the need to keep security up-to-date. "We say if you want to engage in electronic tax lodgement--something we are encouraging--then you must keep your password up-to-date and antivirus and firewalls as recent as possible."

The ATO has two major concerns when it comes to bot networks. One is the use of bots to retrieve personal and confidential information lodged by clients, the other is the possibility of a Distributed Denial of Service (DDoS) attack which, if successful, could bank up work and cost the busy department big dollars.

"The ATO deals with a huge amount of client data and taxpayer information so we have put a very tough filtering regime in place--some organisations are a little looser in the way they allow traffic through their firewalls but we constrain, very tightly, and limit everything to significant attachments. That is one of the fundamental things we have done to change our risk profile. Of course the trade-off is how much you deny yourself access to--we are very conservative in this way." Constant updates are also key. Gibson says as part of their desktop management contract with UDH, the ATO is constantly pushing out virus and patch updates.
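The article's advice on managing e-mail content and not opening vague attachments, and the ATO's tight attachment-filtering regime described above, both come down to an allowlist decision made before a message reaches a user. The following is an added example (not the ATO's, UDH's or any vendor's code) of such a filter. It rejects anything that is not on a short list of document types, catches the double-extension trick ("return.pdf.exe"), refuses archives it cannot look inside, and compares the file's leading bytes with what the name claims. The allowed extensions, size limit and sample attachments are all constructed policy values, not anything the article specifies.

```python
"""Allowlist-based e-mail attachment filter (added example, constructed policy)."""
from dataclasses import dataclass

# Constructed policy: document types the business actually exchanges.
ALLOWED_EXTENSIONS = {"pdf", "txt", "csv", "xml"}
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024

# Types that run when double-clicked. Rejected wherever they appear in the
# name, so "invoice.pdf.exe" and "setup.exe.txt" both fail.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsf", "hta"}
# Archives are refused because this filter cannot inspect what they contain.
ARCHIVE_EXTENSIONS = {"zip", "rar"}

# Leading bytes of a few common formats, used to check the name against the content.
MAGIC = {b"%PDF-": "pdf", b"MZ": "exe", b"PK\x03\x04": "zip"}


@dataclass
class Attachment:
    filename: str
    size: int
    head: bytes  # first bytes of the decoded content


def sniff(head):
    """Return the content type implied by the leading bytes, or None if unknown."""
    for prefix, kind in MAGIC.items():
        if head.startswith(prefix):
            return kind
    return None


def extensions(filename):
    """All extension parts, lower-cased: 'Report.PDF.exe ' -> ['pdf', 'exe']."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(att):
    """Return (accepted, reason). Anything not positively allowed is rejected."""
    exts = extensions(att.filename)
    if not exts:
        return False, "no extension"
    final = exts[-1]
    hidden = [e for e in exts if e in EXECUTABLE_EXTENSIONS]
    if hidden:
        return False, f"executable extension {hidden[0]!r} in name"
    if final in ARCHIVE_EXTENSIONS:
        return False, "archive rejected: contents cannot be inspected"
    if final not in ALLOWED_EXTENSIONS:
        return False, f"extension {final!r} not on allowlist"
    if att.size > MAX_ATTACHMENT_BYTES:
        return False, "attachment too large"
    kind = sniff(att.head)
    if kind is not None and kind != final:
        return False, f"content looks like {kind}, name says {final}"
    return True, "ok"


def filter_message(attachments):
    """Split a message's attachments into accepted and rejected (with reasons)."""
    accepted, rejected = [], []
    for att in attachments:
        ok, reason = check_attachment(att)
        (accepted if ok else rejected).append((att.filename, reason))
    return accepted, rejected


# Constructed sample message with one legitimate and several bad attachments.
SAMPLE_MESSAGE = [
    Attachment("return.pdf", 12_000, b"%PDF-1.4\n"),
    Attachment("return.pdf", 12_000, b"MZ\x90\x00"),          # executable wearing a PDF name
    Attachment("invoice.pdf.exe", 40_000, b"MZ\x90\x00"),     # double extension
    Attachment("notes.zip", 3_000, b"PK\x03\x04"),            # archive
    Attachment("photo.jpg", 3_000, b"\xff\xd8\xff"),          # not a document type we exchange
    Attachment("README", 10, b"hello"),                        # no extension at all
    Attachment("big.csv", 6 * 1024 * 1024, b"a,b,c\n"),        # over the size limit
]

if __name__ == "__main__":
    accepted, rejected = filter_message(SAMPLE_MESSAGE)
    print("accepted:", accepted)
    for name, reason in rejected:
        print(f"rejected {name}: {reason}")
```

The order of the checks matters: the executable test runs over every part of the name before the allowlist test looks at the last part, so a file named to end in an allowed extension still fails if an executable type is hiding in the middle. Only the first attachment in the constructed message gets through; the second shows why a name check alone is not enough.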

"We basically have a rolling cycle of updates every day--those updates come through within hours of receipt. We have 22,000 to 25,000 devices we need to get to so we have to be careful we don't flood the network, so we program it routinely so our system does get updated. It is all just a part of keeping a healthy system."

This article was first published in Technology & Business magazine.