08/15/2009

Twitter Used to Control Botnets

Jose Nazario, who's well-known in computer security circles and is also a well-regarded botnet researcher, has made some interesting discoveries about botnets and the darling social media site, Twitter.com.

What he's discovered is that botnet operators are using Twitter's micro-blogs to send command-and-control messages to botnets.

An article on wired.com about how the malware operators are using Twitter to control botnets explains that the

"tweets turned out to be obfuscated links to sites where further malicious code and instructions could be downloaded."

In a post on the Arbor Networks blog, he discusses his findings about botnets and Twitter. Jose says,

"While digging around I found a botnet that uses Twitter as its command and control structure.

"...what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run.

"It’s an info-stealer operation."

There are a couple of interesting things about these findings:

First of all, this means a whole new level of obfuscation for the writers of viruses, trojans, spyware, and all sorts of other malware, as they're able to hide their control traffic behind a legitimate company's service.

In doing so, they're even better able to hide who they are and how their malware networks work.

Further, they're also able to move to a very, very reliable service (i.e. Twitter), and in doing so alleviate some of their own infrastructure problems. After all, even with the couple of outages Twitter has had since it really began to grow in popularity, it's still a highly reliable site.

This means that even if the botnet operators' own servers fail or are attacked, they can easily move things to another location, post another "Tweet" to Twitter, and instruct the PCs under their control to go elsewhere for the latest instructions.
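The fallback described above means each infected PC has to check the status feed on a schedule, and that regularity is something a defender can look for in proxy logs. The following is an added example, not code from the original post or from Arbor Networks: it parses a handful of constructed web-proxy log lines (the hostnames, paths, addresses, user agents and timestamps are all made up) and flags any host that fetches the same URL at near-constant intervals.

```python
"""Beacon detection over constructed web-proxy log lines.

Bots that take their instructions from a micro-blog status feed have to
poll that feed on a schedule. This added example (not code from the
original post or from Arbor Networks) flags source hosts whose requests
to the same URL arrive at near-constant intervals. Every hostname, path,
address, user agent and timestamp below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url> <user_agent>"
# 10.0.0.5 polls one URL every ~5 minutes; 10.0.0.7 browses a site irregularly.
SAMPLE_LOG = """\
2009-08-15T10:00:00 10.0.0.5 GET http://statusfeed.example/u/upd4t3 Mozilla/4.0 (compatible)
2009-08-15T10:00:03 10.0.0.7 GET http://news.example/index.html Mozilla/5.0 (Windows NT 6.0)
2009-08-15T10:03:20 10.0.0.7 GET http://news.example/index.html Mozilla/5.0 (Windows NT 6.0)
2009-08-15T10:05:00 10.0.0.5 GET http://statusfeed.example/u/upd4t3 Mozilla/4.0 (compatible)
2009-08-15T10:07:41 10.0.0.7 GET http://news.example/sports.html Mozilla/5.0 (Windows NT 6.0)
2009-08-15T10:10:01 10.0.0.5 GET http://statusfeed.example/u/upd4t3 Mozilla/4.0 (compatible)
2009-08-15T10:15:00 10.0.0.5 GET http://statusfeed.example/u/upd4t3 Mozilla/4.0 (compatible)
2009-08-15T10:19:12 10.0.0.7 GET http://news.example/index.html Mozilla/5.0 (Windows NT 6.0)
2009-08-15T10:20:00 10.0.0.5 GET http://statusfeed.example/u/upd4t3 Mozilla/4.0 (compatible)
2009-08-15T10:22:30 10.0.0.7 GET http://news.example/index.html Mozilla/5.0 (Windows NT 6.0)
2009-08-15T10:24:59 10.0.0.5 GET http://statusfeed.example/u/upd4t3 Mozilla/4.0 (compatible)
"""


def parse_log(text):
    """Yield (timestamp, src_ip, url) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps the user agent (which contains spaces) as one field
        ts, src, _method, url, *_ua = line.split(" ", 4)
        yield datetime.fromisoformat(ts), src, url


def find_beacons(text, min_requests=4, max_jitter=0.15):
    """Return {(src_ip, url): mean_interval_seconds} for (host, URL) pairs
    requested at near-constant intervals.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between successive requests: a person clicking through a site
    produces irregular gaps, a scheduled poll does not.
    """
    seen = defaultdict(list)
    for ts, src, url in parse_log(text):
        seen[(src, url)].append(ts)

    beacons = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, url), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} polls {url} every ~{interval:.0f}s")
```

Real bots add jitter to their schedule, and legitimate software (update checkers, feed readers) also polls on a fixed cadence, so treat a hit as a lead to investigate rather than a verdict; the minimum request count and jitter threshold are parameters so they can be tuned to the logs at hand.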

As to the question of whether or not PCs are being infected just from visiting Twitter, that definitely doesn't appear to be the case (at least not just yet), nor does the service appear to be any more vulnerable to becoming that type of virus-spreading mechanism than any other website.

In other words, yes, it's still safe to use Twitter. Regardless of it being "safe" in that respect, it's still smart to run antivirus software.

There's really no substitute for an Internet security suite: antivirus and firewall software, the two cornerstones of Internet security software, are your best line of defense for keeping your computer clean of viruses, trojans, and the like so it doesn't become part of a botnet.

07/29/2009

Research into the Workings of Real Botnets

For starters, let's define what a botnet is:

Loosely speaking, a botnet is a network of computers that have been taken over for the purpose of malicious use.

Typically, PC users whose computers have been compromised are completely unaware their computers are infected with malware. Once your computer is infected, the botnet operators have complete control of it and are able to use it to do their bidding, almost always without your knowledge.

Botnet operators use compromised PCs for things like stealing credit cards, stealing banking passwords, sending spam, and identity theft. If your computer has been infected, your machine might be sending spam, and chances are you'd never know it.

"WHAT?! How is this possible?" some users ask. "Wouldn't I know when someone was on my computer when I'm already on it?"

No. You wouldn't know. Here's why:

There are a ton of different things running at all times on your computer without your knowledge. For instance, there's your network card, which makes it possible for you to connect to the Internet; there are your USB ports, which make all sorts of things possible, like printing; there are the drivers that make your keyboard, mouse, sound card, and video card(s) work.

Each of these things is at work even though you don't know it. They all run silently in the background, (usually) obediently doing their respective jobs. You'd never really know your network card was receiving a signal, per se; you just know the Internet works.

Such is the case with botnet software: it works in the background, sending and receiving signals, all the while without your knowledge (especially if you're not running antivirus software).

That's where this newly released botnet research data makes things interesting.

The folks at the Sandia National Labs in Livermore, California, are building a huge botnet research network of over 1,000,000 virtual machines on a Dell supercomputer.

With this research network, according to the New York Times, Sandia Labs plans to study how botnets work so they can be more effectively fought and defeated.

The reason it's so hard to figure out what's going on is that it's hard to get perspective on the networks. Sure, you might be able to see what's going on on an infected machine, or even a dozen, but given that botnets can easily exceed 1,000,000 computers, seeing what the entire network is doing (or at least a big chunk of it) is pretty much impossible.

"When a forest is on fire you can fly over it, but with a cyberattack you have no clear idea of what it looks like," said Ron Minnich, a Sandia scientist who specializes in computer security.

"It's an extremely difficult task to get a global picture."

Hopefully, the end result will be a much better perspective of how botnets work and a clearer understanding of what it takes to defeat them.

10/21/2008

A Robot Network Seeks to Enlist Your Computer

30 seconds.

That's about how long it took for one of Microsoft's test computers to be infected when its in-house cybercrime investigators connected it to the Internet.

Typically, in such a scenario, investigators like those at Microsoft set up the machines without any patches, service packs, or antivirus software. The idea is to get the computers infected on purpose, which helps the investigators track who is taking control of the computers and what their intent is.

The article on botnets in the New York Times goes on to describe how these computers are used. Most commonly, an infected computer, known as a "zombie", becomes a part of a "botnet".

Such botnets can then be used for almost any purpose, from sending bulk email to stealing credit card numbers and personal information--and sometimes even for storing these ill-gotten gains.

The solutions to these problems--and protecting your data online--remain unchanged:

  • Install the best antivirus software
  • Install a modern software firewall
  • Keep your computer patched and up-to-date