For instance, just last week, UK online betting firm Blue Square fell victim to a botnet-based blackmail attempt. And an executive at a satellite TV firm in Massachusetts has been charged with hiring several botnets to disrupt the websites of three rivals, costing one of their web-hosting firms $1 million. The case marks a watershed: "It's the first time we have prosecuted individuals for the mercenary use of botnets," says Frank Harrill of the FBI's cybercrime squad in Los Angeles. "But it won't be the last." While DDOS attacks are nothing new, they used to have a limited impact. A group of hackers would agree on a time to simultaneously contact the target web server manually, but they could rarely conscript enough attacking PCs to overwhelm every channel of a major-league website. But botnets make it a piece of cake to orchestrate distributed attacks from a vast ad hoc network. You could call it disorganised crime. So how does an innocent PC become part of a botnet? First, a computer virus installs a "back door" program that leaves an internet port on a PC open. Both SoBig and MyDoom employed this tactic. The hacker then probes PCs connected to the net to look for open ports and, when they find one, they install a bot on its hard drive. Security experts call these bot-loaded PCs "zombies", since the hacker can wake them from the dead on command. Because bots can be placed on any number of PCs, and chat rooms provide a useful central location from which to control them, there is no technical limit to the size of a botnet, says Viki Navratilova, a systems administrator at the University of Chicago.
And the Internet Relay Chat protocol that chat rooms run is a very convenient means of command and control, says David Dittrich, a systems administrator at the University of Washington in Seattle, because it allows the person who runs the chat room to communicate with all members (or bots) simultaneously. In January, attacking botnets typically comprised around 2000 innocent computers. But by May that had risen to more than 60,000, according to the latest research from e-security firm Symantec Antivirus. Fuelling this is the increase in always-on broadband connections, which makes it much more likely that a large number of zombies will be logged onto a chat room at any one time. The botnet controllers are cashing in. Eavesdropped chat-room exchanges reveal that a DDOS attack appears to cost between $500 and $1500, with smaller botnet attacks priced between $1 and $40 per zombie harnessed. "It's such a reliable way to make money that hackers don't need day jobs," says Navratilova. To detect zombies active in their networks, systems administrators check for telltale "master-slave" traffic.
"If you see 10 of your computers receiving the same data from a computer in Romania, and then rapidly trying to contact a large site, like a government one, you know your computers have become zombies," says Dittrich. Once a zombie is found, the bot inside can be dissected to find the address of the controlling chat room so it can be taken down and the controller traced. But hackers are now covering their tracks by encrypting the chat-room address or by making the bots corrupt their own program code when extracted. "It's kind of like cockroaches. You spray in the kitchen behind the wall but they find other ways to survive. You only get rid of some," says Navratilova.
Author: Will Knight
This article appears in New Scientist issue: 6 November 2004
PLEASE MENTION NEW SCIENTIST AS THE SOURCE OF THIS STORY AND, IF PUBLISHING ONLINE, PLEASE CARRY A HYPERLINK TO: http://www.
"These articles are posted on this site to give advance access to other authorised media who may wish to quote extracts as part of fair dealing with this copyrighted material. Full attribution is required, and if publishing online a link to www.newscientist.com is also required. Advance permission is required before any and every reproduction of each article in full - please contact firstname.lastname@example.org. Please note that all material is copyright of Reed Business Information Limited and we reserve the right to take such action as we consider appropriate to protect such copyright."