Security Alert: When Bots Attack

The malicious code snuck through Auburn University’s firewall and onto one of the school’s lab PCs in an electronic message. On that September day in 2004, Auburn’s network security specialist, Mark Wilson, watched from his computer what happened next.

The message contained a link, an invitation to visit a Web site that the PC’s owner, possibly a student, found too enticing to resist. He or she couldn’t know that clicking this link would download dirty code, letting it burrow into the PC through an unpatched bug in the Microsoft Windows operating system. It wasn’t a straight Trojan or a worm, but a combination of programming malice with far greater potential for harm. It would allow hackers to seize control of the machine and turn it into a “bot,” a remote-controlled robot that they could order to send spam or steal data and, most important, turn other vulnerable computers on the university’s network into bots just like it.

But the trick worked. Click. Immediately, the Alabama university, like so many other colleges, companies and government agencies, fell victim to what security experts call one of the biggest cybersecurity threats out there: bot attacks. Auburn’s network was thrown open to hackers all over the world.

With the back-to-school assault on Auburn, whoever launched the attack was probably after more computers to enlarge his or her botnet, Wilson says. The code exploited a bug in Windows’ LSASS, or Local Security Authority Subsystem Service, which is how Microsoft verifies users who log on to the Windows 2000 or Windows XP operating systems. Though Microsoft had released a patch five months earlier, not all of the computers at the 23,000-student school were updated, Wilson says.

Auburn, of course, isn’t the only organization to be hit by bots.

On any given day, 3 million to 3.5 million bots are active around the world, says Alan Paller, director of The SANS Institute, a security researcher in Bethesda, Md.—enough to disable all U.S. online retailers three times over. And each day those bots infect 250,000 Internet Protocol addresses, representing hundreds of thousands of Internet-connected devices, according to CipherTrust, a security consultant.

While more than 50% of bot attacks go after home PCs, CipherTrust has also found bots in 40% of large and midsize companies. Caterpillar, CNN, eBay and Microsoft are among the companies that have suffered bot attacks.

And the threat is growing. The number of new successful bot strains—variants in bot code—was up 538% last year alone, says another computer security company, Cybertrust, which tracks the activities of 11,000 hackers and works with the Federal Bureau of Investigation on cybercrime cases.

Consider the government’s recent, high-profile case against Jeanson James Ancheta, a 21-year-old hacker from Downey, Calif. Ancheta, who holds a high school equivalency diploma, pleaded guilty in January in U.S. District Court in Los Angeles to building and selling bots, using the profits to build his business, and using his network of thousands of bots to commit crimes.

According to the plea agreement, he had made more than $60,000 and infected at least 400,000 computers, including machines at two U.S. Department of Defense facilities. He also provided bots for intrusion by others. One potential target was electronics giant Sanyo, which declined to comment. So did a spokesman for the DOD’s Joint Task Force-Global Network Operations, who refused to discuss details of Ancheta’s attack “for security reasons.”

“It’s a constant battle,” says Michael Lines, chief security officer at TransUnion, the consumer credit reporting company in Chicago. Lines says TransUnion, with its one terabyte of sensitive financial data, is a frequent bot target, though he will not provide details. “There is no single technology or strategy to [solve] the problem,” he says.

Bots may disappear as people clean up their PCs and patch their software so malicious code can’t get in, but they are quickly replaced by new bots adapted to exploit different problems, including “zero-day exploits,” software bugs for which patches don’t yet exist.

One reason bots are such a troubling security concern is that hackers don’t have to build their own code to create the intruders—they can download bot toolkits for free on the Internet.

They can even buy access to bots. Ancheta linked a price list to his “botz4sale” online channel, according to the plea. He offered up to 10,000 compromised PCs at a time on the underground hack market for as little as 4 cents each.

Some bots cost more. A PC on a government network, for example, may sell for as much as $40, according to CipherTrust, because it offers access to loads of potentially interesting information. Bots that attack brand-new exploits are also considered more valuable.

Once a bot is created behind a corporate firewall, the person who controls it can mess with company applications by, for example, installing a keystroke logger on the PC to capture passwords as they are typed.

Or by exploiting the right application or operating-system bug, a botmaster can copy, manipulate or delete customer information, personnel records or almost any data on the infected machine.

In Israel, Ruth and Michael Haephrati, ages 28 and 44, pleaded guilty in March to several conspiracy and computer crimes involving bots, according to published reports in ComputerWeekly and in Globes, an Israeli news service. They built spying software that they sold to Israeli competitive intelligence companies, which snuck it onto vulnerable computers at their clients’ competitors, illegally gathering corporate information, according to the reports.

Ancheta, on the other hand, used his botnet for other moneymaking ventures. He sold or rented bots to people looking for computer power to send spam, or launch denial-of-service attacks to disable specific Web sites, according to his plea. He made a few hundred dollars from each deal.

Like a legitimate technology vendor, Ancheta provided consulting help with his product. Tips included how to perform bits of mischief such as a “synflood,” to take out a Web server by flooding it with bogus requests to connect, according to his plea.

More lucrative for Ancheta was defrauding online advertising companies. Adware companies will pay “partners” for each digital advertisement they install on a PC. The adware monitors the user’s activity, such as what terms he searches for at Google or Yahoo, and then displays related pop-up ads. Sometimes ads will just play across the screen, unrelated to anything the user is doing.

Above-board adware partners can, for instance, bundle adware with other software they sell, such as games or screen savers. But when botmasters play this game, they instruct their bots to install ads on machines they’ve taken over, collecting as much as 40 cents for each successful placement. They sometimes clog a PC so much it can’t function.

Check stubs, bank records and files from online payment service PayPal seized by prosecutors show that Ancheta and an unindicted co-conspirator, someone identified in court papers as a juvenile nicknamed “SoBe,” took in $58,357.86 this way in less than 12 months.

In an AOL Instant Messenger conversation between Ancheta and SoBe that was archived in files seized in the case, Ancheta said of the money he made from adware, “It’s easy, like slicing cheese.” But the cash flow depended on keeping his botnet strong and growing.

Exactly how Ancheta got his bots into computer systems is not known. Some court records so far are sealed, the companies and government agencies named in the case won’t talk, and neither will Ancheta’s lawyer, who did not respond to Baseline’s request to talk with Ancheta.