
Directed bot nets: Script to virus to bot to worm


Continuing our theme of attacks on the critical path: remote attack tools, called bot software, infect PCs without disabling them, so that their users are not alerted while the bots work in the background. These bots are already among us, numbering from the hundreds of thousands to millions. One of the newest variants has incorporated open source code to breach virtually every vulnerability on "almost every Windows system sold in the past five years."

These bots can be joined with worms and viruses to create hybrids in which worms are launched from a cooperating bot net. The use of a directed bot net allows the perps to conserve bandwidth in their attack and so avoid much of the system noise that a conventional worm attack would generate.

Once the bot net has pre-seeded the desired number of machines, the perps can launch a variety of attacks, from an active DDoS to a passive computational attack in which the slaved PCs are used as a distributed supercomputer for decryption and password cracking. Spammers are also using bot nets to send bulk mailings that mask the sender's address. In all cases the evolutionary process seems to be script to virus to bot to worm.

We have no real idea how many of these bots and bot nets are now in the wild -- sleepers, if you will. As a comparison, Microsoft noted that its update system had patched 9.5 million PCs, vastly exceeding the estimates of the antivirus entities that track such things. A new variant of Agobot may soon give us an indication, as it uses a specific port to attack vulnerable systems, and traffic on that port was rising at the end of the week.

Given that these bots are already in place and have a 'Swiss army knife' capability of attack vectors, and, I would surmise, an ability to distribute new exploits as they are disclosed and developed, the bot net owners will be working inside our ability to respond with a proper patch. Every machine should, of course, keep all critical patches current, make more frequent backups, and have network administrators and/or your firewall check for suspicious outbound traffic.
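One way to act on that last recommendation, as an added example that is not part of the original post: a small script that reads outbound firewall records and flags internal hosts fanning out to many distinct destinations on a single port, the footprint a propagating bot leaves while its user sees nothing. The log format, the sample records, the port numbers and the thresholds are all constructed assumptions, not taken from the post or from any named bot.

```python
from collections import defaultdict

# Constructed sample of outbound firewall records (not from the original post):
# "<time> <src_ip> <dst_ip> <dst_port>". Host 10.0.0.7 contacts many different
# hosts on one arbitrary port (12345 is a placeholder, not a real bot port),
# while 10.0.0.5 and 10.0.0.9 show ordinary client traffic to a few servers.
SAMPLE_LOG = """\
2004-04-30T09:00:01 10.0.0.5 192.0.2.10 80
2004-04-30T09:00:02 10.0.0.5 192.0.2.11 443
2004-04-30T09:00:03 10.0.0.5 192.0.2.10 80
2004-04-30T09:00:03 10.0.0.7 198.51.100.1 12345
2004-04-30T09:00:03 10.0.0.7 198.51.100.2 12345
2004-04-30T09:00:04 10.0.0.7 198.51.100.3 12345
2004-04-30T09:00:04 10.0.0.7 198.51.100.4 12345
2004-04-30T09:00:05 10.0.0.7 198.51.100.5 12345
2004-04-30T09:00:06 10.0.0.9 192.0.2.12 25
2004-04-30T09:00:07 10.0.0.9 192.0.2.12 25
"""

def parse_log(text):
    """Parse records into (src, dst, port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        records.append((parts[1], parts[2], int(parts[3])))
    return records

def fan_out(records):
    """Number of distinct destinations contacted by each (src, port) pair."""
    seen = defaultdict(set)
    for src, dst, port in records:
        seen[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}

def suspicious_hosts(records, min_distinct=4, allowed_ports=(25, 80, 443)):
    """Hosts reaching at least min_distinct destinations on a port outside the
    allow-list: scanning for new victims rather than talking to known servers.
    Tune both parameters to the site's own baseline before alerting on them."""
    return sorted(
        (src, port, n) for (src, port), n in fan_out(records).items()
        if n >= min_distinct and port not in allowed_ports
    )

if __name__ == "__main__":
    for src, port, n in suspicious_hosts(parse_log(SAMPLE_LOG)):
        print(f"{src} contacted {n} distinct hosts on port {port}")
```

Running the same counts per day and comparing them is also the simplest way to see the kind of rising per-port traffic the post mentions.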

Alarm growing over bot software
By Robert Lemos
CNET News.com
April 30, 2004, 9:16 AM PT


Gordon Housworth


