Bot armies on the march

23 Oct 2008

US authorities just busted the world's biggest spam gangs. So why is my mail filter still working overtime?

The filing of charges against "HerbalKing" spam gang in early October was supposed to signify the breakup of the group, which sent billions of messages offering weight-loss and male enhancement remedies.

The US Federal Trade Commission, which was granted an injunction against the gang leaders, an Australian-based Kiwi called Lance Atkinson and a Texan, Jody Smith, said they generated as much as a third of all spam worldwide.

Court papers alleged that one product, "VPXL", was touted as a herbal male-enhancement pill. "The agency alleged that not only did the pills not work, but they were neither '100% herbal' nor 'safe', because they contained sildenafil - the active ingredient in Viagra," the documents said.

But although the alleged offenders have been under arrest for a couple of weeks, there's been no letup in the volume of unsolicited mail.

The spam is distributed through botnets, which by their nature of course don't require the active presence of crims. Some speculate that other gangs have taken over the botnet, which is possible.

But it raises the tricky question about how to deal with the proliferation of botnets, the fastest-growing internet threat. The latest Emerging Cyber Threats Report, issued by Georgia Tech on October 15, places botnets at number two, behind malware and ahead of cyber warfare.

As many as a tenth of all PCs may be infected now, and that could rise to 15% next year, the report says. Even 3%-5% of enterprise PCs are infected. Combined, bots can quickly become "bot armies", capable of engaging in data theft, DDoS and spam.

They are harder to detect than viruses or spyware. Bots can lie low for some time and maintain their communication with a "malicious master" via regular PC comms ports. They easily evade signature-based defenses.

Wenke Lee, an associate professor at Georgia Tech, says that whereas malware is a single-purpose attack, a "bot actually remains on the machine, maintains a command and control mechanism to enable communication with the bot master, and can update itself based on those communications."

So they're easy to install on an unprotected PC, hard to detect, and dangerous when combined into an army of millions.

One solution is technology. Lee and his team are working on traffic behavior analysis. Anomalies in connection duration, time of day, or type of information transferred can indicate a botnet command and control attempt.
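To make the traffic-behaviour idea concrete, here is a small detector, added as an illustration and not code from Georgia Tech or from the article, that runs over a constructed set of connection records. It groups outbound connections by (source, destination) pair and flags pairs whose check-ins arrive on a near-perfect timer, happen mostly outside business hours, carry uniformly tiny payloads, or stay open unusually long. The hosts, timestamps, byte counts and all thresholds are invented for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real traffic):
# (timestamp, source host, destination host, duration in seconds, bytes sent)
SAMPLE_CONNECTIONS = [
    # hypothetical infected workstation checking in every ~10 minutes at night
    ("2008-10-23T02:00:00", "10.0.0.5", "203.0.113.7", 2, 310),
    ("2008-10-23T02:10:03", "10.0.0.5", "203.0.113.7", 2, 305),
    ("2008-10-23T02:19:58", "10.0.0.5", "203.0.113.7", 3, 312),
    ("2008-10-23T02:30:01", "10.0.0.5", "203.0.113.7", 2, 308),
    ("2008-10-23T02:40:00", "10.0.0.5", "203.0.113.7", 2, 301),
    ("2008-10-23T02:49:59", "10.0.0.5", "203.0.113.7", 2, 315),
    ("2008-10-23T03:00:02", "10.0.0.5", "203.0.113.7", 2, 309),
    ("2008-10-23T03:10:00", "10.0.0.5", "203.0.113.7", 2, 304),
    # hypothetical ordinary user browsing during the working day
    ("2008-10-23T09:12:00", "10.0.0.8", "198.51.100.20", 30, 14000),
    ("2008-10-23T09:47:30", "10.0.0.8", "198.51.100.20", 120, 52000),
    ("2008-10-23T11:05:10", "10.0.0.8", "198.51.100.20", 15, 9000),
    ("2008-10-23T13:22:00", "10.0.0.8", "198.51.100.20", 400, 210000),
    ("2008-10-23T14:01:45", "10.0.0.8", "198.51.100.20", 60, 30000),
    ("2008-10-23T16:40:00", "10.0.0.8", "198.51.100.20", 90, 41000),
]

# Thresholds are assumptions chosen for this example, not published values.
MIN_CONNECTIONS = 5        # need enough samples to judge interval regularity
PERIODIC_CV = 0.15         # stdev/mean of intervals below this looks like a timer
OFF_HOURS = (20, 7)        # 20:00 to 07:00 counts as outside business hours
OFF_HOURS_FRACTION = 0.8   # most connections off-hours is suspicious
SMALL_PAYLOAD_BYTES = 1024 # tiny, near-identical payloads resemble status pings
PAYLOAD_CV = 0.1
LONG_CONNECTION_SECONDS = 3600


def is_off_hours(ts):
    """True when the timestamp falls in the configured off-hours window."""
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def coefficient_of_variation(values):
    avg = mean(values)
    return pstdev(values) / avg if avg > 0 else float("inf")


def analyse_pair(timestamps, durations, payloads):
    """Return the set of anomaly labels for one (src, dst) pair."""
    labels = set()
    timestamps = sorted(timestamps)
    if len(timestamps) >= MIN_CONNECTIONS:
        intervals = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
        if coefficient_of_variation(intervals) < PERIODIC_CV:
            labels.add("periodic-beacon")
    off = sum(1 for t in timestamps if is_off_hours(t)) / len(timestamps)
    if off >= OFF_HOURS_FRACTION:
        labels.add("off-hours")
    if mean(payloads) < SMALL_PAYLOAD_BYTES and coefficient_of_variation(payloads) < PAYLOAD_CV:
        labels.add("uniform-payload")
    if mean(durations) > LONG_CONNECTION_SECONDS:
        labels.add("long-lived")
    return labels


def find_suspicious_pairs(connections):
    """Group records by (src, dst) and return {pair: labels} for flagged pairs."""
    groups = defaultdict(lambda: ([], [], []))
    for ts, src, dst, duration, sent in connections:
        stamps, durs, bytes_out = groups[(src, dst)]
        stamps.append(datetime.fromisoformat(ts))
        durs.append(duration)
        bytes_out.append(sent)
    findings = {}
    for pair, (stamps, durs, bytes_out) in groups.items():
        labels = analyse_pair(stamps, durs, bytes_out)
        if labels:
            findings[pair] = labels
    return findings


if __name__ == "__main__":
    for (src, dst), labels in find_suspicious_pairs(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: {', '.join(sorted(labels))}")
```

On the constructed data only the night-time, clockwork, small-payload pair is reported; the daytime browsing pair has irregular intervals and large, variable transfers and is left alone. Real deployments tune the thresholds per network and combine several such signals before raising an alert, since a single periodic connection can equally be a legitimate software updater.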

The other solution involves more cooperation between law enforcement and the IT industry. The US has just passed new legislation against botnets - but that's just the US.

Internet security firm F-Secure thinks it's time for a global internet police force - to tackle gangs at "the top of the crimeware food chain".
