<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; botnets</title>
	<atom:link href="http://www.theemailadmin.com/tag/botnets/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 14:00:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>5 Lessons that Botnets teach Honeypots</title>
		<link>http://www.theemailadmin.com/2009/02/5-lessons-that-botnets-teach-honeypots/</link>
		<comments>http://www.theemailadmin.com/2009/02/5-lessons-that-botnets-teach-honeypots/#comments</comments>
		<pubDate>Wed, 18 Feb 2009 22:36:41 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[honeypots]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=375</guid>
		<description><![CDATA[One reason organizations implement honeypots is to identify malicious botnets.  A honeypot, which is a fake network, is designed to attract and analyze botnet activity. In order for the honeypots to educate us with data, we need to develop a better understanding of how botnets achieve their missions. Let&#8217;s review potential activities performed by some [...]<p><a href="http://www.theemailadmin.com/2009/02/5-lessons-that-botnets-teach-honeypots/">5 Lessons that Botnets teach Honeypots</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright" title="Botnets Teach Honeypots" src="http://www.secureworks.com/research/newsletter/2008/05/botnetsimage.jpg" alt="" width="217" height="258" />One reason organizations implement honeypots is to identify malicious botnets. A honeypot, which is a fake network, is designed to attract and analyze botnet activity. For honeypots to educate us with data, we need a better understanding of how botnets achieve their missions. Let&#8217;s review potential activities performed by some of the various types of botnets.</p>
<p><strong>1. Distributing Malware</strong><br />
Botnets are often used to quickly distribute new bots on open networks. For our botnet friends this is actually not very hard to accomplish, because bots can potentially run scripts that download and execute any file via HTTP or FTP. This is exactly how email viruses are spread using a replicating botnet. In a very short period of time a self-replicating botnet can hook into 10,000 computer hosts. This sets up a staging platform for spreading a mail virus exponentially around the world.</p>
<p><span id="more-375"></span><strong>2. Eliminating Competition with Google AdSense</strong><br />
Companies pay Google a pay-per-click fee each time their ad receives a mouse click. These clicks are supposed to increase traffic to a company web site, which should result in more sales. Companies on a limited budget can potentially go broke if the number of clicks on their Google ad is more than the actual sales generated. It is a known fact that unscrupulous companies have previously eliminated competition by artificially inflating a competitor&#8217;s Google AdSense clicks. This type of attack leverages botnets to automatically and continuously click on these Google advertisements. Google has since implemented security measures to make this type of botnet attack infrequent.</p>
<p><strong>3. Large Scale Identity Theft</strong><br />
Botnets can quickly generate those famous phishing emails. Large numbers of people are fooled into visiting bogus web sites because the emails appear to be from legitimate companies (e.g. PayPal, eBay). These botnets kick out massive amounts of email to lure people into going online to submit personal information. These fraudulent emails are created and sent by bots via a programmed spamming algorithm. These same bots can also host multiple fake brand name websites to harvest identity information. Just as quickly as one of these fake sites is shut down, another one can pop up.</p>
<p><strong>4. Traffic Sniffers</strong><br />
Using a legitimate packet sniffer, bots can search for interesting clear text (unencrypted) data being passed back and forth by a compromised computer. These sniffers are solely focused on retrieving sensitive information, such as user names and passwords. The sniffing process can also stumble across other interesting information. If a computer has been compromised multiple times and hosts more than one botnet, packet sniffing can also gather sensitive information from another botnet. So it&#8217;s possible for one botnet to steal from another botnet or even take over that botnet.</p>
<p><strong>5. Keyloggers</strong><br />
If the compromised machine uses encrypted communication channels, such as Secure POP3 or HTTPS, simple botnet sniffing of network packets on a target computer will not work, because the appropriate decryption key for the packets is unavailable. Of course there are other bots that offer features to provide a malicious workaround in this situation. With the help of keylogger bots, retrieving sensitive information is a piece of cake for attackers. On top of that, bots can be programmed with a selective filtering mechanism that looks only for certain keystrokes. For example, the bot can be programmed to look for keystroke sequences near the keyword &#8220;ebay.com&#8221;. This expedites stealing what people may believe to be secret information. Now imagine this single keylogger botnet running on thousands of infiltrated computers. Then throw in the fact that these computers are all running simultaneously to quickly retrieve personal account information and send it back to the initiating attacker.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/02/5-lessons-that-botnets-teach-honeypots/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cyber threats in 2009</title>
		<link>http://www.theemailadmin.com/2008/10/cyber-threats-in-2009/</link>
		<comments>http://www.theemailadmin.com/2008/10/cyber-threats-in-2009/#comments</comments>
		<pubDate>Tue, 28 Oct 2008 14:18:41 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[maltware]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=112</guid>
		<description><![CDATA[The Georgia Tech Information Security Center (GTISC) released its &#8220;Emerging Cyber Threats Report for 2009&#8243;, which reported on the top five information security threats for the coming year. The results were notably different from last year&#8217;s top five, which were: Web 2.0 and client-side attacks, targeted messaging attacks, botnets, threats targeting mobile convergence, and threats [...]
]]></description>
			<content:encoded><![CDATA[
<p>The Georgia Tech Information Security Center (GTISC) released its &#8220;Emerging Cyber Threats Report for 2009&#8221;, which reported on the top five information security threats for the coming year. The results were notably different from last year&#8217;s top five, which were: Web 2.0 and client-side attacks, targeted messaging attacks, botnets, threats targeting mobile convergence, and threats to RFID systems. According to the report, the biggest threats for next year are: malware, botnets, cyber warfare, threats to VoIP and mobile devices, and the evolving cyber crime economy. The report notes that all emerging threats and attacks are data-driven.</p>
<p><span id="more-112"></span></p>
<p>In describing the growth of malware, the report notes that cyber criminals have gone beyond mass distribution and are now focusing more on localized and personalized attacks, which appear to be more realistic and give them a better chance of penetration. Expect targeted attacks (such as spear-phishing) to increase. Related to malware is the botnet threat, and the report expects botnets to grow worse next year. Last year&#8217;s report held that ten percent of all online computers were part of botnets, and this year&#8217;s report predicts that number will rise to 15 percent. In discussing the cyber crime economy, the report suggests that attacks will become increasingly profit-driven.</p>
<p>The report notes that technological solutions from the security industry are an essential part of the solution, but only a part, and this must be balanced with education and increased regulation. The report suggests following the model of road and airline safety. For example, car insurance is mandated by the government, and one of the analysts suggested a similar mandate for security protection. Of course, many such mandates are already in place, although they stop short of a universal regulation, or at least a mandate that applies to all entities that are part of the country&#8217;s critical infrastructure.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/10/cyber-threats-in-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

