
Protect Your PC From Bot Attacks

Forget suspicious e-mail attachments. The scariest threat today is lurking right in your browser.



by Mike Spitalieri on February 3, 2008

On the morning of May 30th, 2007, FBI agents entered 1200 Western Avenue, a waterfront apartment complex overlooking Puget Sound in Seattle. Shortly after 8 a.m., Robert Alan Soloway, 27, opened the door to Special Agent Kenneth Schmutz and other federal agents bearing a search warrant and a pair of handcuffs. At the same time in Arlington, Tex., and Covington, Ky., James C. Brewer and Jason Michael Downey were netted in a sting operation that the FBI's Cyber Crime division dubbed "Operation Bot Roast."
 
Soloway and company are accused of multiple counts of fraud, including aggravated identity theft, mail fraud, wire fraud, and money laundering. The three men are alleged "bot herders," virtual puppet masters of wide-reaching networks made up of thousands of "zombie" computers infected with malicious code. The goal? Identity theft, credit card fraud, and money laundering without the PC owner's knowledge. While these three arrests represent small victories, most analysts agree they're just the tip of the iceberg in an emerging type of cyber crime called bot herding.
 
Symantec reported that more than six million distinct bot-infected computers were operating worldwide in the second half of 2006, and the FBI recently announced that through Operation Bot Roast, it has identified more than one million user IP addresses infected by bots.

Stealth Attack
To build these botnets, bot herders like Soloway, Brewer, and Downey use multiple avenues of attack, including spam e-mail, instant messages, peer-to-peer networks, and IRC channels. However, the biggest net is usually Web pages--not pornographic and hacking sites, which are the usual suspects. According to Roger Thompson, CTO and founder of Thompson Security Labs, more and more legitimate sites are being compromised by bot herders. "Simply viewing a legitimate page that's been hacked and modified with IFRAME code can load all manner of bots or malicious code onto the user's machine."
 
Once a botnet has been established, bot herders can sell its use for thousands of dollars to hackers, spammers, or identity thieves in order to deploy massive spam e-mail campaigns and DDoS network attacks to steal sensitive financial information from infected computers across the world. Brewer infected Chicago-area hospitals from his home by using botnets to overload systems and then take them offline.
 
Experts at major Internet security companies have taken notice and anticipate an exponential increase in this type of cyber crime. "This year, 2007, will be the year of the bot," said Brian Grayek, vice president of threat research for CA. "Just in the last few months we've seen a 10 to 60 time increase in botnet activity." As bot herders gain access to more computers, they can use their growing network to create a viral hive of zombie PCs. 

Constant Vigilance
The most troubling aspect of this new type of threat, according to Vincent Weafer, senior director of development at Symantec, is that user awareness is decreasing. Previously, spyware and malware were highly visible to the user in the form of pop-ups and system slowdowns. Bots are far stealthier because they infect the system silently and operate efficiently so as not to alert the user. 
 
To get the word out about these stealthy assassins, sites like mynetwatchmen.com, a security-update and research blog, have launched awareness campaigns. Most of the major Internet security firms offer their own blogs with security tips and news updates. But the number of people visiting these sites pales in comparison to the millions of social-networking users who have made MySpace and Facebook their virtual homes. These sites are fertile hunting ground for bot herders and other cyber criminals because members are constantly creating and accessing interactive pages that can be loaded with malicious code.
 
This past January, nearly 60,000 MySpace users had their accounts compromised by clicking on spam e-mail, which linked to a phony MySpace login page that would record user names and passwords. Another attack was uncovered in June where hackers were able to upload malicious code to their MySpace profiles by circumventing the site's built-in JavaScript filter and thereby execute code in a visitor's browser. Although browser security patches have addressed most of these exploits, Thompson believes that many more exploits are on the way, no matter which browser you use. "Firefox, in my opinion, is probably the most secure, but they all have their flaws, mainly because any browser can create an instant tunnel straight through the firewall, negating that first line of defense." 

Even Facebook, which uses more advanced Web-based tools like Ajax, has had its share of problems, albeit with less complex security holes. Simply by befriending new Facebook users--often through botnet-propagated message blasts--cyber criminals can dupe unsuspecting members with innocuous Facebook e-mail messages.
