3 min read

Bots Hammer Estonia In Cyber Vendetta

With nearly all DDoS attacks and spam coming from bots, infections have become a growing concern for businesses as well.
Botnet infections have become a growing concern for businesses. Speaking at AT&T's Cyber Security Conference on Thursday, David Gross, the company's principal for technical security, noted that he and his team have found as many as 64 botnets active out on the Internet in one day, controlling a total of 168,000 compromised computers.

Once an infected computer is turned into a bot, sometimes called a "zombie," they can be used to more subtly attack other computers, installing keyloggers or information sniffers, for example, that allow them to upload or download information to and from computers. They can prevent a computer's antivirus software from receiving the latest signatures and can redirect an organization's domain name system server so that traffic attempting to reach a legitimate site is redirected to a phishing site. They can also be used to send spam. In fact, "at least 97% of all spam delivered today comes from bots," McPherson says.

The success of an organization's defense against its computers being turned into bots depends upon the level of sophistication of the malware being used to create those bots and the botnet herder's skill in avoiding detection. At the very least, companies must regularly patch their software and keep their antivirus software up to date. Companies must carefully monitor not only inbound network traffic for malware and suspicious behavior but also outbound traffic leaving the network, in the event this traffic contains malware from an infected computer that could be used to recruit additional bots.

What makes bots so hard to eliminate is the difficulty of tracing the origins of bot traffic. Bots within a botnet are given their marching orders from a bot posing as a command and control node, and the botnet herder can move this node from one compromised computer to another to avoid detection. "It's hard to find a command-and control-system when a bot herd has 70,000 bots," Gross said Thursday. "Bots can also exist in different countries, which have different laws governing them and their removal." Some botnets can be hosted by computers that exist in anywhere from five to 50 different countries, Arbor's McPherson says.

The most common approach today when an organization's network is being attacked by a botnet is to cut off all traffic to any servers that are being targeted. This, however, isn't a way to solve the problem so much as it is a way to address an organization's most immediate concerns. More effective, and more difficult, is to have cooperation among botnet victims, ISPs, and law enforcement worldwide. "You've got to clean up those compromised hosts and prosecute offenders," McPherson says.

Until this happens, international cyber attacks such as the one Estonia faces will be a threat to every business and every developed nation.