Symantec warns of 'parasitic storage'

Businesses are being warned over the increasing trend for criminals to store sensitive or illegal data on networks of compromised systems

Security specialist Symantec has warned businesses over an increasing trend for criminals to use "parasitic storage" on networks of compromised systems.

While botnets — illegal networks of PCs infected with remote software by hackers — are used mainly for sending spam, criminals are increasingly storing sensitive or illegal data in distributed environments, the security company told on Tuesday.

While saying that the risk is not major, Symantec has warned businesses that PCs can be hijacked and used by criminals to store data. As most computers have space on hard drives and don't completely utilise RAM, thousands of linked, compromised computers can be harnessed for data storage.

"This isn't about accessing data on your machines; it's using your machines to store data. It's a subtle use of a botnet," said Guy Bunker, senior director of technical strategy at Symantec. 

Research independent from Symantec by companies such as Support Intelligence suggests that even some Fortune 500 companies with sophisticated and well-funded IT security systems have had machines compromised in this way.

According to a blog post by Symantec security response researcher Ron Bowes on Friday, a tiny bit of RAM on a large number of computers can be used to store secret data that an attacker wants to hide.

One parasitic storage technique, called "juggling", can be used to manage sensitive or illegal information, according to Bowes. To avoid having incriminating information on their own computers, hackers or criminals hijack large numbers of slow and stable servers and send an encrypted piece of the information to each of them. When the information comes back, it's immediately retransmitted to another random server in the group.

Another method of keeping illegal data flowing is to use SMTP (email) servers. An attacker can store a "decent amount of data" in the SMTP server's buffer, according to Bowes.

Symantec warned that this kind of distributed data storage over the internet could create problems for law enforcement. As the encrypted information can be stored in an SMTP server buffer, if the computer is switched off or unplugged, the data is lost. This gives criminals a plausible denial because, as far as law enforcement can tell, the data may never have existed. Even if the police do manage to intercept some of the information, this may be meaningless. "If the police do get hold of randomised, encrypted credit-card numbers, it's much more difficult to convict, as police must be holding all of the information, plus the keys to decrypt," said Guy Bunker. "Criminals are showing an increase in sophistication."

Another method of parasitic data storage is to combine stenography — encoding text within images — with free image hosting, according to Bowes. Sites that allow users to upload images, including avatars, can be used by criminals. According to Symantec, an attacker can make use of thousands of these sites to hide data.