Botnets: a serious threat to the web

A botnet is a collection of computers infected by malware. The infected computers, known as zombies, are under the control of a hacker – a so-called bot herder – using a command-and-control (C&C) server. Networking firm Cisco calls botnets the primary threat to the internet, as the equipment of hundreds of thousands of regular users get involved in cybercrime.

Bot herders use proxy servers, shell accounts and ‘bouncers’ to conceal their identity. Some botnets do not need a central C&C server, as they communicate with a set group of peers that communicate in turn with yet another set of peers.

Commands that can be sent to the infected computers include sending a flood of network traffic to a target computer, a distributed denial-of-service (DDoS) attack. The target server, usually a website, becomes so busy dealing with the attacker’s requests that it cannot compute legitimate users’ requests. Botnets also commit click frauds on pay-per-click web ads, with thousands of worthless automated clicks being sold to dishonest ad-brokers. Botnets are used to send waves of phishing attacks – spam emails to trick people into provide their financial details.

There is a brisk market for renting botnets by the hour. Data on infected computers can fetch high prices from data brokers. Normally, data brokers just sell a list of hacked IP addresses sleeping under the control of a single piece of malware.

There has been a number of high-profile botnet attacks recently. The worst attack so far was ‘the DDoS that almost broke the internet’. The Spamhaus Project, an NGO that tracks spammers, was furiously attacked in March 2013. Spamhaus’s domain-name servers were attacked at 300 gigabits per second (gbps), an astonishing volume of traffic given that the average large-scale attack might reach 50 gbps. The largest routers available for purchase are run at 100 gbps, so the brunt of the attack was being carried by the top-level networks on the internet, slowing them down – particularly in Europe.

In January 2014, the Proofpoint security company discovered a botnet attack incorporating over 100,000 devices, including routers, multimedia centres, TV sets and even an internet-connected fridge. The attack sent out over 750,000 spam messages.

Heartbleed – a flaw in the internet cryptography standard, OpenSSL – was discovered in April and left hundreds of thousand of websites in the financial and banking sector open to botnet attacks.

What can be done to stop these attacks? An ISP has the incentive to take enough action against the most dangerous botnets in order to avoid being blacklisted by others, but doing more would not provide additional benefits. The customers seldom appreciate the urgency of protection, or understand that the real danger from a botnet is not in shattering attacks but in low-key infection.

As the number of connected devices grows, mobile technology will increasingly become exploited by cybercriminals, a danger exacerberated by careless use. Shadow IT is the term for applications, systems and infrastructure used without the approval of network owners. Half of all computer users around the world admit they have pirated software, which is often used as a cover for transmitting botnet infection.

Trust is an issue. Far too many security holes are intentionally left unpatched when detected. Analysing malware to exploit its vulnerabilities has become big business, and so has knowledge about critical bugs in networks. The US National Security Agency (NSA) and Britain’s GCHQ have several times found security flaws, but stockpiled them for their own use. These agencies have sabotaged open-source and closed-source products, leading to accusations that these official bodies have been piggybacking hacked botnets for their own purposes in connection with the Heartbleed flaw.

More formalised collaborations on security issues have fared better. Openness encourages ISPs to promote their participation in such programmes in order to earn headlines and goodwill taking down botnets. Last December, Microsoft’s Digital Crimes Unit, in collaboration with Europol’s cybercrime department EC3 and the US FBI, took on ZeroAccess, a large botnet attacking the Microsoft Windows operating system. Before the joint strike, ZeroAccess was estimated to control 19million infected computers; the raid liberated about 500,000 of them. At its peak, ZeroAccess made 100,000 infections a week with a potential daily profit of $100,000.

Policy could provide the right incentives for preventative measures against botnets. Classical countermeasures, like booting from a clean disk or reinstalling the operating system, are used when computers have already been infected. Educating users about how to protect themselves from malware is important, but difficult to achieve on a significant scale.

Remote clean-up with automated malware-removal tools would be a good way to combat botnets, but it poses legal and ethical questions. It would bypass the user’s rights, and downplay the responsibility of keeping one’s own system upgraded and secure. Since anti-virus software is often provided as ‘install-and-forget’, many users seem to appreciate this approach to keep the botnets out of their computers. The risks can be reduced through privacy-sensitive system design, appropriate supervision and transparency. If the users trust the security companies, that is.

Ingress filtering would make sure that incoming data packets actually are from the networks they claim to be from. It would require global standards and collaboration, as well as investment in hardware, security training and router reconfiguration. Insurance companies have an incentive to get involved in this new market to provide certification of ingress filtering and thus reduce premiums to their customers.

Cybersecurity is one of the most important areas for the US and the EU to attempt to harmonise regulations. The inclusion of digital services in the negotiation of the Transatlantic Trade and Investment Partnership (TTIP) free-trade agreement would give the opportunity to rebuild trust, improve cybersecurity and stop the botnets, which is especially important given the increasing use of cloud computing.

The internet was built as an open service, for honest users in a trusted environment. The explosive growth of users is challenging this assumption, as the internet is entering a mature phase. Policymakers face the need to restore this trust. The way to improve cybersecurity and counter the spread of the botnets is to facilitate trust between policymakers, ISPs and internet users through participation and mutual transparency.

Waldemar Ingdahl is a science and technology journalist based in Stockholm. Visit his blog here.