Hi, I'm Mitch. I'm going to talk to you today about bots and botnets.

Bots and botnets are notoriously difficult for organizations to detect and defend against using traditional anti-malware solutions. In a botnet, advanced malware works together toward a common objective, with each bot growing the power and the destructiveness of the overall botnet. The botnet can evolve to pursue new goals or adapt as different security countermeasures are deployed. Communication between the individual bots and the larger botnet through command and control servers provides resiliency in the botnet. Given their flexibility and ability to evade defenses, botnets present enormous threats to organizations. The ultimate impact of a botnet, however, is largely left up to the attacker: from sending spam one day to stealing credit card data the next, or far beyond, as many cyber attacks go undetected for months or even years.

Botnets themselves are dubious sources of income for cybercriminals. Botnets are created by cybercriminals to harvest computing resources, essentially turning the computer of an unsuspecting user into a drone, or a bot, for nefarious purposes. Control of botnets through command and control servers can then be sold or even rented to other cybercriminals.

The key to taking down, or decapitating, a botnet is to separate the bots from the botnet, or the command and control servers, which are like the brains of the overall botnet. If the bots cannot get to their servers, they can't get new instructions. They can't upload stolen data or do any of the other things that make botnets so unique and dangerous.

The layman may think, "Hey, taking down a botnet sounds easy. Call the SWAT team, bust down some doors and you're done, right?" No. The reality is it's much, much harder. Extensive resources are typically required to map the distributed command and control infrastructure of a botnet.
It almost always requires an enormous amount of investigation, expertise, and coordination between numerous industry, security, and law enforcement organizations worldwide. Disabling command and control servers often requires both physically seizing the servers and taking ownership of the domain and/or IP address ranges associated with the servers. Very close coordination between technical teams, legal teams, and law enforcement is essential to disabling the command and control infrastructure of a botnet. Many botnets have command and control servers all over the world and will specifically function in countries that have little or no law enforcement for Internet crimes.

Further complicating takedown efforts, a botnet almost never relies on a single command and control server. Rather, it uses multiple command and control servers for redundancy purposes. Additionally, each server is typically insulated by a variety of intermediaries to cloak the true location of the server. These intermediaries include peer-to-peer networks, blogs, social networking sites, and even communications that proxy through other infected bots. This means that simply finding the command and control servers is a considerable challenge.

Most botnets are also designed to withstand the loss of a command and control server, meaning that the entire botnet command and control infrastructure must be disabled almost simultaneously. If any of the command and control servers are accessible, or any of the fallback options survive, the bots will be able to get updates, rapidly populate a completely new set of command and control servers, and the botnet will quickly recover. Thus, even a single command and control server remaining functional for even a small amount of time can give an attacker the window needed to update the bots and recover the entire botnet.

The largest botnets are often dedicated to sending spam. The premise is fairly straightforward.
The attacker attempts to infect as many endpoints as possible, which can then be used to send out spam email messages without the end user's knowledge. The relative impact of this type of bot on an organization may seem low initially, but an infected endpoint sending spam could consume additional bandwidth and ultimately reduce the productivity of that user and even the network itself. Perhaps more consequential, the organization's email domain and IP addresses could easily become listed by various black hole sites or black hole lists, causing legitimate emails to be labeled as spam and blocked by other organizations and damaging the reputation of that organization.

An example is the Rustock botnet. It was a spamming botnet, capable of sending 25,000 spam email messages per hour from one individual bot. At its peak, it sent an average of 192 spam emails per minute per bot. Rustock is estimated to have infected more than 2.4 million computers worldwide. In March 2011, the US Federal Bureau of Investigation, working with Microsoft and others, was able to successfully take down the Rustock botnet, which had operated for more than five years and at the time was responsible for sending up to 60 percent of the world's spam.

Thanks for joining me for this discussion on bots and botnets.