During its conflict with Russia in early 2007, the small country of Estonia, located in northern Europe, came under unprecedented cyber attacks, to the point that communication with many of its government sites was disrupted. Accusations were made that Russia flooded Estonian computer systems with Distributed Denial of Service (DDoS) attacks to interrupt internet services. Could such an attack have been carried out, and if so, how? Through the use of the latest computer security threat, BOTS and BOTNETS, it is plausible that this assault took place.
A BOT is a software program, or robot, usually created with malicious intent, that infiltrates a system via a worm, Trojan, or other backdoor program. Once it has established itself on the system, which is then nicknamed a zombie, the BOT communicates its location back to its “BOT herder”, or master, and waits for further instruction. BOTS that share the same herder or master form what is known as a Botnet. This collection of BOTS all wait for further instruction and are capable of running autonomously or automatically. While the average size of a Botnet has been put at about 10,000 nodes, recent investigations by the Dutch uncovered a Botnet of 1.4 million nodes. Conficker, a more recent and highly publicized Botnet, boasts 10 million nodes.
So what does a Botnet do? The controller of the net might sell its access to an email spammer, who in turn activates the BOTS to read address books on the zombie for the purpose of sending out unwanted advertising. Not only does the spammer have access to an incredible number of addresses, that information is automatically updated as the unsuspecting user adds new contacts to their email system. Another, more malicious, use is for the BOT to send connection signals to every computer the zombie knows about. These are the DDoS attacks that make computer systems inaccessible to legitimate users, disrupting business, government, and other normal traffic on the internet. BOTS can even be programmed to recognize research a user may be performing that threatens their existence. Instances have been reported where a computer was compromised so extensively that anti-Botnet work could not continue.
There are some defenses that can be put into place to protect your systems against the infiltration of BOTS. First and most important, be sure that you and your employees know what software is being downloaded to your systems and where it comes from. Keeping your anti-virus up to date will help catch threats that may be embedded as Trojans. Some of the latest firewall software now contains botsniffers that seek out these hidden programs while watching for traffic to and from known BOT controllers. When considering new switches or other packet routing software, check their capability to detect potential BOTS by monitoring communication with masters. There is also dedicated software, such as Damballa, that is aware of well-known BOT masters and provides real-time protection. A quick search on your favorite engine using keywords such as BOT, Botnet, and Security will provide a good starting place for finding solutions.
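The two network-side checks mentioned above, watching for traffic to known BOT controllers and monitoring for the regular check-ins a zombie makes to its master, can be illustrated with a small script. The following is an added example written for this page, not code from the author or from any product named here; the log format, the controller address list (placeholders, not real indicators) and the timing thresholds are all constructed assumptions.

```python
"""Flag internal hosts whose outbound connections match a list of known bot
controllers, or which reconnect to one destination at nearly fixed intervals
(the polling pattern of a BOT waiting for instructions).

Constructed example: log format, controller list and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed blocklist of controller addresses (documentation ranges, not real IoCs).
KNOWN_CONTROLLERS = {"203.0.113.10", "198.51.100.77"}

# Constructed outbound-connection log, one record per line: "timestamp src dst dport".
SAMPLE_LOG = """\
2009-05-01T10:00:00 10.0.0.5 203.0.113.10 6667
2009-05-01T10:00:01 10.0.0.7 192.0.2.30 80
2009-05-01T10:05:00 10.0.0.5 203.0.113.10 6667
2009-05-01T10:07:13 10.0.0.7 192.0.2.31 443
2009-05-01T10:10:00 10.0.0.5 203.0.113.10 6667
2009-05-01T10:00:00 10.0.0.9 192.0.2.50 8080
2009-05-01T10:02:00 10.0.0.9 192.0.2.50 8080
2009-05-01T10:04:00 10.0.0.9 192.0.2.50 8080
2009-05-01T10:06:00 10.0.0.9 192.0.2.50 8080
2009-05-01T10:31:00 10.0.0.7 192.0.2.32 80
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def flag_known_controllers(records, controllers=KNOWN_CONTROLLERS):
    """Return {internal host: set of controller addresses it contacted}."""
    hits = defaultdict(set)
    for _, src, dst, _ in records:
        if dst in controllers:
            hits[src].add(dst)
    return dict(hits)


def flag_beaconing(records, min_connections=3, max_jitter_seconds=5):
    """Return {(src, dst): mean interval in seconds} for pairs whose connection
    timing is nearly periodic.  A zombie polling its master produces this
    pattern; the thresholds are assumptions tuned to the sample data."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    suspects = {}
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low spread between gaps means the host reconnects on a fixed schedule.
        if statistics.pstdev(gaps) <= max_jitter_seconds:
            suspects[(src, dst)] = round(statistics.mean(gaps))
    return suspects


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    for host, ctrls in flag_known_controllers(recs).items():
        print(f"{host} contacted known controller(s): {sorted(ctrls)}")
    for (src, dst), period in flag_beaconing(recs).items():
        print(f"{src} -> {dst} checks in roughly every {period}s")
```

On the sample log, 10.0.0.5 is flagged by both checks (it talks to a listed controller every 300 seconds), while 10.0.0.9 is caught only by the timing check: its destination is not on any list, which is why the periodicity heuristic is worth running alongside the blocklist. The web-browsing host 10.0.0.7 is not flagged, since it spreads its connections across different destinations at irregular times.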
These threats sound like something out of a sci-fi movie, but unfortunately their existence is real. Business owners should be considering this threat as they develop their security readiness plan.
Ted Saul is a senior Support Consultant and Project for Hewlett-Packard, specializing in security assessments and services. He also provides services to existing and startup companies, including business and implementation plan writing. Ted can be reached by e-mail.