Collaboration

Be aware of the growing threat of botnets

Botnets are a rapidly increasing risk to Internet security. These groups of compromised Windows computers are the tools of the trade for all manners of extortion and spam relay on the Internet, and they are growing in numbers. In this edition of Internet Security Focus, Jonathan Yarden examines this growing threat and discusses what it means for Internet security.

2005 was not an exceptional year for Windows security—or Internet security in general, for that matter—and 2006 isn't looking to be much better. While the year may gave been profitable for Internet security companies, corporations and average computer users continued to suffer from virus and worm outbreaks and the continuously growing threat of malware.

It didn't help that 2005 went out with a bang, when a zero-day Windows exploit that emerged during the holiday season caused a mad dash to secure systems. The critical vulnerability, which stems from how the OS renders Windows Meta File images, caught everyone by surprise, resulting in more than a million compromised PCs.

In fact, a few antivirus and security companies, including the SANS Institute's Internet Storm Center and F-Secure, recommended installing an unofficial fix authored by Russian software developer Ilfak Guilfanov rather than wait for Microsoft to get around to releasing the patch. It was a rare move from security vendors, and I don't recall it ever happening before.

However, it only highlights the serious nature of the vulnerability. Zero-day vulnerabilities are critical threats, and they genuinely require immediate attention. In the end, Microsoft actually released its fix for the WMF vulnerability several days earlier than expected, but not before many users turned to the unofficial fix.

Of course, in retrospect, the zero-day exploit isn't too surprising. Malware authors love the holidays—what better time to increase the likelihood of a worm or virus spreading?

And then there's all those brand-new Windows systems connecting to the Internet for the first time. While most TechRepublic member know that preinstalled Windows systems are vulnerable to a variety of exploits and recognize that someone could remotely take over the system within minutes of connecting to the Internet, it's important to remember that the majority of mainstream computer users do not share this knowledge.

And depending on the malware, a newly infected computer can mean much more than annoying pop-ups. More than a few viruses and worms connect to an Internet Relay Chat (IRC) channel to listen for instructions—and join a legion of other compromised Windows systems.

Known as botnets, these groups of compromised computers are a growing threat on the Internet. They are the tools of the trade for all manners of extortion and junk e-mail relaying on the Internet, and they are growing in numbers.

In fact, law enforcement has long been aware of this immense threat and has been actively working to shut down botnets for a while. For example, the objective of Operation Spam Zombies, a U.S.-sponsored initiative launched by the Federal Trade Commission (FTC) last year, is to put a stop to the compromised Windows computers used to relay junk e-mail.

However, I've been critical of this proposal from the start because it doesn't highlight the real risk of these so-called zombie systems, which malicious hackers can control remotely for their own nefarious deeds. In reality, junk e-mail comes in at the bottom of my list of Internet security threats—but compromised computers controlled through IRC are at the top.

Botnets are useful for all kinds of destructive Internet activity, either by individuals or organized cyberspace criminal gangs. The recent guilty plea of Jeanson James Ancheta, who operated a large botnet for both extortion attempts and installing spam-relaying malware, is only one person in the highly organized "Botmaster Underground," a covert group of hackers skilled in bot attacks that regularly rent the use of their zombie Windows systems for all types of illicit activity.

Of course, spam relaying is undoubtedly annoying, but it's merely a byproduct of these botnets controlled from a single source. And while law enforcement should continue to focus on shutting down botnets, we can't stop looking for a way to prevent compromised Windows systems in the first place.

But this problem, unfortunately, is much more difficult to solve. I planned to gather some statistics about these compromised Windows systems until a coworker reported that CipherTrust had beaten me to the punch. CipherTrust's ZombieMeter tracks traffic from zombie PCs around the world.

Regardless of statistics, it should be clear that Internet security as a whole almost entirely depends on the security of Microsoft Windows—whether it's actually your chosen OS. This alone has led many users to suggest a potential antivirus conspiracy; they argue that entire sectors of the "Microsoft economy" centered around Internet security would collapse if Windows was truly secure.

While I tend to disagree, compromised Windows systems do represent the largest threat to the Internet as a whole. Organized and controlled as botnets, these systems are essentially Internet weapons of mass destruction. And that's why, when it comes to programs such as Operation Spam Zombies and other law enforcement initiatives, junk e-mail needs to take a back seat to the more insidious threat of botnets.

Miss an issue?

Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.