Last week, the FBI announced the end of the second phase of Operation Bot Roast, an ongoing investigation into botnets, and the criminal activity associated with them. I recently asked Dr. Jose Nazario of Arbor Networks where in the world the bot herders, the people who control the botnets, might be. Here are some excerpts:
We see a few major groups. We see Americans and Western Europeans often interested in using the botnet to make money either directly or indirectly by selling services, or stealing information from those botnets to sell and use: credit card information, bank information, etc.
There are some botnets out of South America, but mostly South America seems dominated by the Brazilian, what folks used to call the banker Trojan, the browser helper object that steals information right out of the browser, from banks, from online banking or e-commerce transactions. Some of the more high-profile botnets we've dubbed TeamUSA and Peruvian Power. These have been long running and relatively successful. But they're not exactly household names.
The botnet community is also taking off in the Russian language part of the Internet. Lately I've been watching a lot of DDoS attacks come out of Russia, commanded by Russians. Possibly for pay, as retribution, or as punishment to those who try and stop some of the other illegal activities, such as fraud and theft.
Lately I have been tracking Russian DDoS bot code run by different groups. The code itself is bought and shared between them. One of the big ones is a code base called Black Energy. The author is a Russian language speaker who offers his help files and other things in the Russian language and sells it on the Russian language forums anywhere from $40 on up. Black Energy is strictly a DDoS botnet.
We have watched some botnets from China but I don't see a whole lot of botnet activity coming out of there.
You can read more of Nazario's comments in this Security Watch column. And you can hear more of my interview with Dr. Nazario in this Security Bites podcast.
Today the FBI announced the completion of Bot Roast II, the second phase of an ongoing investigation into the creation and use of botnets for illegal online activity. Botnets are networks of several hundred or several thousand compromised computers worldwide, controlled remotely by a single operator. In 2007, criminals have used botnets in various ways to make money online. The ongoing investigation, in at least one specific case, is being assisted by the U.S. Secret Service.
Among the results announced today are three new indictments, the guilty pleas from two others, and the sentencing of three others. To date, the FBI says it has uncovered more than $20 million in economic losses. In one case, it has confirmed damages of nearly $20,000 as the result of distributed denial-of-service attacks caused by a botnet.
One of the individuals named today was also named at the completion of Bot Roast I in June. He is Jason Michael Downey of Covington, Kentucky, who was sentenced in U.S. District Court, Eastern District of Michigan on October 23, 2007. He will serve 12 months in prison followed by probation, restitution, and community service. One of Downey's victims confirmed to the FBI that financial damages as a result of the DDoS attacks launched by Downey's botnet amounted to losses of $19,500.
New indictments include:
Ryan Brett Goldstein, 21, of Ambler, Pennsylvania. He was indicted on November 1, 2007, by a federal grand jury in the Eastern District of Pennsylvania. Goldstein allegedly used a botnet to create a distributed denial-of-service attack on the University of Pennsylvania this past summer.
Gregory King, 21, of Fairfield, California. He was indicted on September 27, 2007, by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies.
Robert Matthew Bentley of Panama City, Florida. He was indicted on November 27, 2007, by a federal grand jury in the Northern District of Florida. Bentley allegedly used a botnet for coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.
Additional sentences announced include:
Alexander Dmitriyevich Paskalov, 38, with multiple U.S. addresses, was sentenced on October 12, 2007, in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multimillion dollar losses.
Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigration and Customs Enforcement, the Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.
Those awaiting sentencing include:
Adam Sweaney, 27, of Tacoma, Washington. He pled guilty on September 24, 2007, in U.S. District Court, District of Columbia. Sweaney conspired with others to send spam, then used bot-controlled computers to launch additional spam and DDoS attacks.
John Schiefer, 26, of Los Angeles, California. He agreed to plead guilty on November 8, 2007, in U.S. District Court in the Central District of California. Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses by fraudulently purchasing goods for himself. Schiefer is the first person to be charged under the federal wiretap statute for conduct related to botnets.
Other arrests announced with Operation Bot Roast I include James C. Brewer of Arlington, Texas, who is alleged to have operated a botnet created from compromised computers at Chicago area hospitals, and Robert Alan Soloway of Seattle, Washington, who is alleged to have used botnets to relay tens of millions of spam e-mails.
The FBI recommends using and updating antivirus software, installing a firewall, not opening unknown e-mail attachments, and using strong passwords as ways to guard against bot software being installed on your personal computer and the computer being used for botnet activity.
What good are several million Storm worm infected PCs? According to one researcher, the current computing power of Storm worm's botnet is greater than IBM's Blue Gene supercomputer. "If you calculate pure theoretical throughput," said Matt Sergeant, chief antispam technologist with security vendor MessageLabs, "then I'm sure the botnet has more capacity than IBM's Blue Gene. If you sat them down to play chess, the botnet would win."
The Australian publication IT News also quotes Sergeant as saying, "In terms of power, the botnet utterly blows the supercomputers away." He goes on to say that just 2 million of the suspected 50 million Storm worm-infected machines are equivalent to the computing power of the top 500 supercomputers.
In the last few months, antivirus vendors have reported an increase in Storm worm infections. Infected computers are often used to relay spam. They can also be used to attack Web sites in what's called a denial-of-service attack.
More alarming is the amount of control the Storm worm bot-herders apparently have over their creation. "We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see," Sergeant told IT News. "That means they can turn on the taps whenever they want to."
MessageLabs has more on the Storm worm in its monthly report on spam.
Remember the Storm Worm, which rapidly swept onto users' computers in January via a bogus e-mail about a real-life, fast-moving European storm front?
Well, security firm SecureWorks released information Thursday noting the size of the botnet has swelled to 1.7 million bots in the months of June and July, up from 2,815 in the first five months of the year.
SecureWorks also notes that while the botnet has primarily been used for spamming, the hacker or hackers in charge of the ever-growing botnet may use its amassed army for more devious activities.
"We don't know the motive of the Storm author, however, one possible theory could be that the hacker plans to use the Trojan for more malicious activity than sending spam," said Joe Stewart, SecureWorks senior security researcher, in a statement.
But one unlikely scenario is using a humongous botnet to steal sensitive personal information. Over the past couple of years, security researchers have noticed the size of botnets has shrunk, as malicious thieves seek to remain under the radar for as long as possible when stealing usernames and passwords for online bank accounts, brokerage accounts and the like. Think of it as the difference between a robber entering a bank vault riding an elephant, or slipping in like a cat burglar.
Stewart, however, threw out one possibility. That maybe the Storm author or authors would lease out their botnet for a massive attack against a country or organization.
The FBI today released a press release summarizing the bureau's efforts so far to shut down botnets. In the release, the FBI acknowledges the work of the CERT Coordination Center at Carnegie Mellon University, Microsoft, and the Botnet Task Force, for either contacting victims or reporting criminal activity. Through an ongoing investigation known as Operation Bot Roast, the bureau has uncovered many botnets, collections of compromised desktop PCs worldwide, that have been used for various criminal activities.
In the release, the bureau cites the recent arrests of James C. Brewer of Arlington, Texas, who is alleged to have operated a botnet created from compromised computers at Chicago area hospitals; Jason Michael Downey of Covington, Kentucky, who is alleged to have used botnets to engage in targeted denial-of-service attacks; and Robert Alan Soloway of Seattle, Washington, who is alleged to have used botnets to relay tens of millions of spam e-mails.
Warning: disturbing a war memorial can provoke all-out cyber war--at least in Estonia. On April 27, 2007, Estonian officials relocated the "Bronze Soldier," a Soviet-era war memorial commemorating an unknown Russian who died fighting the Nazis, a move that incited rioting by ethnic Russians and the blockading of the Estonian Embassy in Moscow. It also started a large and sustained distributed denial-of-service attack on several Estonian Web sites, including those of government ministries and the prime minister's Reform Party. A denial-of-service attack (DoS) occurs when someone directs a large number of requests at a target URL; the requests arrive so quickly that the Web server can't keep up and the site becomes inaccessible to everyone. A distributed denial-of-service attack (DDoS) occurs when hundreds or thousands of compromised computers are enlisted to send those requests, so there is no single source to block. Within the last week, the intensity of the attacks diminished.
Arbor Networks' Jose Nazario has now blogged his analysis of the Estonian DDoS attacks. He reports that Arbor Networks recorded 128 unique DDoS attacks on Estonian-based URLs. Most lasted less than one hour, with the longest lasting 10 hours and 30 minutes. As for the strength, measured in how much traffic flooded the given URL to make it inaccessible, the attacks were relatively light; only ten of the attacks measured 90-plus Mbps, including one of the 10-hour attacks. At its peak on May 9, the attack shut down up to 58 sites at once.
That's a lot of firepower, and it suggests the use of "botnets"--collections of compromised home and office computers worldwide. In this scenario, a "botherder" directs thousands of compromised computers to request simultaneous access to a single URL, effectively shutting down that site. Computer Security Incident Response Teams (CSIRTs) in several countries, as well as NATO, have assisted the Estonian government in handling the attacks. Early analysis suggests the attacks may have originated in Russia.
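The three numbers Nazario reports for each attack (how long it ran, how many Mbps it pushed at the target, and whether it came from one host or from a botnet) are exactly what an operator pulls out of flow records to decide between a plain DoS and a DDoS. The following is an added example, not code from the original post or from Arbor Networks: it parses constructed flow records (one line per source/destination/second, standing in for a NetFlow-style export), computes the peak rate in bits per second and the above-threshold duration per target, and uses the share of bytes contributed by the single largest source to label the flood single-source or distributed. The sample traffic, the IP addresses, the 50 Mbps threshold and the 50% top-source share are all assumptions made for illustration.

```python
"""Classify flood traffic per target from flow records: DoS vs DDoS.

Added example; not the original post's or Arbor's tooling. The flow records,
thresholds and addresses below are constructed for illustration.
"""
from collections import defaultdict

# Record format (assumed): "<epoch_second> <src_ip> <dst_ip> <bytes> <packets>"
def parse_flow(line):
    ts, src, dst, nbytes, pkts = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "bytes": int(nbytes), "packets": int(pkts)}


def analyze(lines, mbps_threshold=50.0, top_source_share=0.5):
    """Return per-destination peak Mbps, above-threshold duration, source
    count, top-source byte share and a verdict.

    Rate is bits per second (bytes * 8), not packets per second; duration is
    the span from the first to the last second at or above the threshold.
    A flood whose biggest sender contributes at least `top_source_share` of
    the bytes is called single-source, otherwise distributed.
    """
    bytes_per_sec = defaultdict(lambda: defaultdict(int))  # dst -> sec -> bytes
    bytes_per_src = defaultdict(lambda: defaultdict(int))  # dst -> src -> bytes
    for line in lines:
        f = parse_flow(line)
        bytes_per_sec[f["dst"]][f["ts"]] += f["bytes"]
        bytes_per_src[f["dst"]][f["src"]] += f["bytes"]

    report = {}
    for dst, secs in bytes_per_sec.items():
        mbps = {sec: b * 8 / 1e6 for sec, b in secs.items()}
        hot = [sec for sec, m in mbps.items() if m >= mbps_threshold]
        duration = (max(hot) - min(hot) + 1) if hot else 0
        srcs = bytes_per_src[dst]
        share = max(srcs.values()) / sum(srcs.values())
        if not hot:
            verdict = "normal"
        elif share >= top_source_share:
            verdict = "dos-single-source"
        else:
            verdict = "ddos-distributed"
        report[dst] = {"peak_mbps": round(max(mbps.values()), 1),
                       "duration_s": duration,
                       "sources": len(srcs),
                       "top_source_share": round(share, 3),
                       "verdict": verdict}
    return report


def build_sample():
    """Constructed flow export (not captured traffic) covering three targets."""
    lines = []
    base = 1178668800  # 2007-05-09 00:00:00 UTC, the day of the reported peak
    # One host sending 12 MB/s to 198.51.100.10 for 5 s -> 96 Mbps.
    for t in range(5):
        lines.append(f"{base + t} 203.0.113.7 198.51.100.10 12000000 9000")
    # 300 bots each sending 40 kB/s to 198.51.100.20 for 30 s -> 96 Mbps total.
    for t in range(30):
        for i in range(300):
            lines.append(f"{base + t} 10.{i // 256}.{i % 256}.5 "
                         f"198.51.100.20 40000 30")
    # Three ordinary clients at 5 kB/s each to 198.51.100.30 -> 0.12 Mbps.
    for t in range(60):
        for i in range(3):
            lines.append(f"{base + t} 192.0.2.{10 + i} 198.51.100.30 5000 4")
    return lines


if __name__ == "__main__":
    for dst, summary in sorted(analyze(build_sample()).items()):
        print(dst, summary)
```

Both floods hit the target at the same 96 Mbps, which is why rate alone cannot tell the operator what to do: the single-source case is mitigated with one filter upstream, while the distributed case, where no source contributes more than a third of a percent of the traffic, needs rate limiting or scrubbing at the target. The records here are exported per second; real NetFlow exports flows on expiry, so the timestamps would first have to be binned.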
This is not the first gang war online. In 2004, the authors of Bagle, MyDoom, and Netsky battled each other for several months. Coincidentally, the Bagle worm, which had been dormant for a while, has reappeared and is now challenging Warezov and Zhelatin. There appear to be three distinct gangs currently battling for botnet supremacy.
Back in 2001, the authors of the Goner worm said they were attempting to take down a rival gang's botnet. Intended to be a local, targeted attack, the Goner worm instead spread and caused considerable damage on computers worldwide.