
A TELESCOPE that can peer into the depths of the net to spot the gathering threat of a botnet could help combat cyber-attacks.
Botnets 鈥 networks of compromised computers that are controlled by someone with malicious intent 鈥 are an increasingly common feature of the internet. They can be used to flood a target website with useless data to bring it down, launch spam, or spy on computer users by looking for their banking logins and passwords.
To combat this threat, Endgame Systems of Atlanta, Georgia, has come up with a system, called the internet telescope, that can map the physical location of computers infected with the malicious software, or malware, used to run botnets. It can even identify the type of malware on the machine and pre-empt its next moves.
Advertisement
Cyber-criminals use the internet to plant malicious code on computers that lack up-to-date security patches. Thousands of such machines, known as bots, can then be controlled by the botnet operator without the owner realising their computer has been recruited into a botnet. Endgame passively tracks these compromised PCs from the botnet traffic they disgorge, geotagging the data to create a global threat map.
It then dissects the malware to work out the web addresses of the next few domain name servers each bot is programmed to seek instructions from once the current control domain expires 鈥 a trick they play to evade detection. Once these domains are known, Endgame buys them up before the person controlling the botnet, or 鈥渂otmaster鈥, does, ensuring that it seizes control of the entire botnet when it switches to its new control address.
Endgame can then either kill the botnet 鈥 by ordering all bots to cease activity 鈥 or try to catch the botmaster by interfering with the botnet鈥檚 activity in such a way as to blow their cover. The botmaster might, for example, contact their domain registrar to find out what鈥檚 wrong with their domain. This would provide the registrar with contact information which could be passed onto law enforcers.
Endgame鈥檚 CEO, Chris Rouland, presented his company鈥檚 work at the Cyber Warfare conference in London last week. The firm鈥檚 customers include government agencies and companies who want to know if the organisations they plan to do business with could infect their computers.
In his presentation, Rouland gave the example of a company that wanted to know whether an energy firm it was planning to work with was a cyber-security risk. Using the internet telescope, it zoomed in on the geotagged data to determine that some of the proposed partner company鈥檚 computers had indeed been compromised by a botnet.
UK government officials told the conference that more real-world countermeasures like Endgame鈥檚 are needed 鈥 and fast. Without them, today鈥檚 attacks on crucial infrastructure, such as banking networks, may encourage nation-on-nation cyber-warfare in future.
鈥淲e underestimate the skill set of organised cyber crime. It is persistent, very well organised and focused,鈥 says Amit Yoran of cyber-forensics firm NetWitness based in Herndon, Virginia.
鈥淭he skill set of botnet creators is underestimated. They are persistent, well organised and focused鈥
It is also increasingly successful. Over $1 trillion was stolen online in 2008, according to computer security firm McAfee. 鈥淭hat鈥檚 because we are using technology designed to fight the cyber-threats of 1995,鈥 Yoran says.
Most security software impedes known threats, but the most skilful botnet operators don鈥檛 use known malware. A survey by communications company Verizon, based in New York City, found that 59 per cent of cyber-attacks involve custom-written programs that bypass existing security systems.
Some excellent programmers are behind these attacks, says Jim Butterworth, a director at computer forensics firm Guidance Software of Pasadena, California. 鈥淪ome malware code has been through far more quality assurance than a lot of commercial software.鈥
Developing countermeasures is being made tougher by the speed of online developments, says Yoran. The shift to mobile computing platforms and social networks such as Twitter helps malware to spread in milliseconds, he says.
The speed of cyber-attacks has also had an effect. In the US, the newly established 24th Air Force heads up the military鈥檚 cyber security operation. Charles Shugg, the 24th鈥檚 second in command, says his 鈥渉unter鈥 teams, who fend off online attacks or pre-emptively seek out online vulnerabilities, often have no time to develop countermeasures. 鈥淭hings happen so quickly in the cyber-domain that the hunter teams鈥 offence and defence are often one and the same thing.鈥
Tools such as Endgame鈥檚 internet telescope may have a role to play in providing the intelligence needed to combat botnets as this type of location-aware technology may slash the number of bots available to launch cyber-attacks.
Without action, says Gerard Vernez, a cyber-security expert with the Swiss army, the networks we depend on will be vulnerable. 鈥淲hat are we doing now? I call it plug and pray,鈥 he says.
Disorderly measure beats encrypted viruses
Computer virus recognition needs an overhaul if online attacks are to be fought successfully, security expert Jim Butterworth told the Cyber Warfare conference.
A common way to fight viruses is to use an algorithm to create a 鈥渉ash鈥 signature 鈥 a number derived from a string of its instruction text 鈥 that uniquely identifies it.
To check for a particular virus, software only needs to look for this hash, rather than trawl through all its instruction code for all possible viruses. The problem, however, is that antivirus software won鈥檛 recognise the virus if it has been encrypted. So multiple iterations of viruses evolve, each needing to be assigned a unique signature before they can be stopped.
However, encrypting a virus does not change the degree of disorder, or 鈥渆ntropy鈥, in its program code. By working out a figure for the disorder in the sequence of 1s and 0s that constitute a virus, Butterworth鈥檚 firm, Guidance Software of Pasadena, California, assigns it an entropy value.
Paul Dickens, a cyber-operations planner with the UK鈥檚 Ministry of Defence in Corsham, Wiltshire, believes it is an approach worth checking out. 鈥淟ooking for a single score seems a good idea,鈥 he says.