ICS

Botnet

September 23, 2009

ICS in the News: Cyber Startups on the Hunt in Security Arena

Ravi Sandhu, the executive director of the Institute for Cyber Security, was interviewed in an article on how startups are fighting the growing threat of botnets. From the article:

"It's sharing across organizations, within organizations, and increasingly through modes of sharing that people have not been classically doing," says Ravi Sandhu. "What does it even mean to secure a social network? It's not clear. Startups remain fertile ground for [these] new ideas."

As the article states, in addition to this issue, ICS concentrates on security protection for cloud computing, security startups in incubation, and better systems for the military. The article quotes other experts in the realm of startup security, and you can find the full article here.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 05:01 PM in Botnet, CIAS, Cloud Computing, Cyber Security, Incubator, Interview, News, Security, Social Networking, Startups | | Comments (0) | TrackBack (0)

September 16, 2009

Botnets Using Web 2.0 Sites as a Command and Control

In the last month, three botnet command-and-controls (C&Cs) have been spotted in the wild on Twitter and Google Groups. A botnet, perhaps better described as a "zombie network", is a distributed organization of programs that runs in the background of infiltrated computers (laptops, servers, cell phones, etc.) that performs tasks such as information stealing, email spamming, or other types of attacks. Usually these bots try to multiply, to remain hidden, and to scan for private data. Some are more sophisticated than others.

Usually, these bots operate on a peer-to-peer basis, but last month Arbor Networks found a botnet using a centralized C&C via Twitter and Jaiku. Once alerted, they each shut the offending account down, but just days later, a second one was found on Twitter. Meanwhile, just last week, Symantec uncovered a trojan using Google Groups as its C&C in a similar way.

Interestingly, these particular botnet C&Cs were very primitive. More stealthy approaches, such as using steganography to hide bot commands, are not as widely used (or worse, they are and haven't been discovered). With web 2.0 and social networking sites growing in popularity every day, look for more botmasters to abuse these sites in this way.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 11:23 AM in Botnet, Cell Phones, CIAS, Cyber Security, Email, Security, Social Networking, Twitter, Web/Tech | | Comments (0) | TrackBack (0)

September 02, 2009

Speaking at the Malware 2009 Conference Next Month

Folks in Montreal who are interested in botnet security should plan to attend the Malware 2009 in October. There are a number of great speakers and experts in the field attending, which should be quite an experience.

Members from the Institute for Cyber Security will be presenting on "Analyzing DNS Activities of Bot Processes" during the conference from October 13 through October 14. The talk will cover botnets and bot processes at a high level, then discuss how to apply DNS monitoring to track their activities on a zombie machine, as well as some encouraging results.

Dates: Tuesday, October 13th through Wednesday, October 14th, 2009
Location: Delta Centre-Ville, Montreal, Quebec (888) 890-3222

For more details, go to the conference site.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 11:32 AM in Botnet, CIAS, Events, Publication, Security, Web/Tech | | Comments (0) | TrackBack (0)

July 29, 2009

The Mobile Botnet--It was Only a Matter of Time

The recent Symbian smartphone worm likely represents one of the world's first mobile large-scale botnet attacks. As with most botnet attacks, the app is cloaked as a genuine Symbian phone application but instead delivers a payload that gathers device user information and transmits that data out to the host. Additionally, the attack spreads by forwarding itself to contacts loaded into the memory of infected devices.  The latest version, dubbed SymbOS.Exy.C. by Symantec, has the most "botnet-esque" behavior patterns yet seen in a mobile attack campaign.

As covered previously, a botnet is better described as a "zombie network, where each computer hosts a small program (the eponymous bot) that runs in the background that performs tasks on behalf of the attacker. Since cell phones are as powerful as desktop computers from the earlier part of this decade, it's not too surprising that we should see mobile botnets--it was only a matter of time. The only obstacle was a shared platform. One reason why machines running Microsoft Windows  are frequent targets for such virus and botnet attacks is that the Windows OS is the dominant operating system on the market, with over nine out of ten machines running the system. At a high-level, it is safe to say that code written for one OS will likely not run on another.

Symbian, however, dominates the cell phone market share, with about the same marketshare as all other cell phone manufacturers together, Like Microsoft Windows, Symbian (or their users) has become a victim of their own success. It is also very possible that we will see other mobile botnet attacks on this or other platforms in the future.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 10:35 AM in Botnet, Cyber Security, Mobile Development, Security | | Comments (0) | TrackBack (0)

January 21, 2009

On Bots and Zombies: What is a Botnet?

With the recent news of the Conficker worm and that it could lead to the world's largest botnet, and the fact that the topic comes up from time to time at the Institute for Cyber Security, I thought it was worth exploring what a botnet is and what it's not.

A botnet is not exactly what its portmanteau suggests, which is a bot network. If you've ever visited a chatroom, you know what a bot is--its a program that run very repetitive tasks; in the case of a chatroom, they might cycle through eight different phrases to get you to click on a link to their site. Since they are almost always very primitive and easy to identify, they easily fail the Turing test.

A botnet is better described as a "zombie network". A zombie is a computer that has been infiltrated by a malicious attacker (usually by proxy via another zombie) and now hosts a small program (a bot, let's say) that runs in the background that performs tasks on behalf of the attacker. To escape notice, zombie computers tend to function like they always did, but may run slower depending on how much of the machine the bot is using. Usually these bots' main purpose is to multiply, to remain hidden, and possibly scan for private data. Some are more sophisticated than others.

Since many computers are insecure (or not secure enough, let's say) there are plenty of botnets. In fact, a zombie machine may have multiple bots running in it (a zombie with multiple zombie masters!).

Thus, when an article suggests a botnet has affected a thousand machines, what it's saying is that there are one thousand computers (desktop, laptop, enterprise server, doesn't matter--all are susceptible) that have the same program running on them on behalf of the malicious attacker. The Conficker worm may have created upwards of nine million zombies.

One last bit--not every botnet is malicious. Some large-scale deistributed systems can make use of "spare cycles" on a machine (that is, the computer is on but idle) to perform a complex task. The SETI@Home project, which has over three million users, is a famous example. The project analyzes lare amounts of radiowave data, and more computers that help allow the project to cover greater frequency ranges with more sensitivity.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 12:14 PM in Botnet, Cyber Security, Security | | Comments (1) | TrackBack (1)