Mayday: The Storm Continues - Batten Down The Hatches: Botnets: Top Threat in 2008

The document discusses the evolution and impact of major botnets from the late 1990s to 2008. It describes how botnets have grown enormously in scale and sophistication over time, beginning as programs that allowed remote administration of infected computers and progressing to networks of millions of compromised machines controlled through peer-to-peer architectures without centralized servers. Notable botnets discussed include Storm, Kraken/Bobax, and MayDay, which have caused widespread spam distribution, cyberattacks, and economic damage through their large networks of hijacked computers.
MayDay: The Storm Continues – Batten Down the Hatches

(Business News, 01 Sep 2008)

Corey Nachreiner, WatchGuard Technologies Inc.

How does one measure the real cost of botnets that today control over a million PCs worldwide and launch more than
100 billion spam messages a day, flooding the mailboxes of unsuspecting recipients?

Cyber dependency has grown to such an extent that cyber vandalism is an issue that needs to be addressed by every
computer owner, from large organisations to individuals. The current dynamics of internet crime—its sophisticated
technology, boundless scale and massive economic impact—redefine the term internet security.

IBM ISS General Manager, Val Rahamani, claims, "The security industry is dead, long live sustainability." Just as new
internet security products are launched, new online threats arise. In this endless game of catch-up, most industry experts
now believe that network security is doing its job if the processes and systems simply stay one step ahead of the incessant
threats.

Botnets: Top Threat in 2008


Botnets, collections of compromised computers infected with software robots or bots, continue to figure prominently in the
"Top Threats of 2008" lists published by many prominent leaders in the ICT industry. Botmasters, or bot herders, seem to have one
purpose in life: launching viruses or worms to infect ordinary users' PCs with malicious applications, or bots. Bots on the
infected PCs are coded by the operator, or botmaster, to log onto a designated server—christened the Command and Control
(C&C) server. Access to the network of bots attached to the C&C is then sold to spammers, who use it for monetary gain in a
plethora of ways.

From Storm to Kraken and MayDay, and now Srizbi—botnets have evolved to stunning levels of sophistication at
lightning speed, raking in big bucks for spammers and botnet operators alike. Since their inception in 1998-1999, when
the notorious NetBus and BackOrifice2000 appeared as the first backdoor programmes enabling remote administration of
infected computers, cyber criminals have been having a field day wreaking havoc across the internet. Trojans worked
behind the scenes—without the user's knowledge or consent—performing file operations on remote machines or launching
new programmes. At that time, to control an infected computer, all a cyber criminal had to do was establish a connection
with the infected machine via a LAN-based application on the TCP/IP protocol stack and exploit the Windows API for
control.

Within a year or two, programmes advanced to the point where botmasters were able to control several machines
simultaneously. The bots operated as network servers, opening a predefined port and passively waiting for the botmaster to
connect. Further innovations saw infected computers initiate connections themselves, monitoring every move the unknowing
PC user made. This first lot of backdoor administrators was likely hackers, since they used a channel normally used only by
hackers—Internet Relay Chat (IRC). The bots connected to IRC servers on a predefined IRC channel and waited for messages
from the botmaster in control of the C&C.

Botnet hijacking soon became the norm as a new generation of malicious users appeared, scanning IRC channels for
suspiciously heavy traffic where they could gain entry and hijack the botnet—effectively taking control of the network and
ordering the bots onto password-protected IRC channels. These hijackers eventually developed a way by which an unwitting
computer on a LAN could connect to an internet server and relinquish control to a botmaster anywhere in the world—
bypassing proxy servers and Network Address Translation (NAT). The hijacker could then establish an HTTP connection
with the administration server using the client computer's local settings—ensuring accessibility. After that, a simple script
could control small computer networks. Enter cyber criminals cashing in by selling botnets to spammers, who, in turn, lined
their pockets by sending phishing emails and stealing files, documents or personal information—including passwords and other
sensitive data—to launch spam-email campaigns, distributed denial-of-service (DDoS) attacks and online-fraud schemes. In some
cases, a large number of computers could even be managed using any internet device—including a mobile phone that
supported WAP/GPRS—further raising the cyber-crime bar.

These first botnet networks were vulnerable: they depended on a single C&C, and so were designed to infect
computers simultaneously with different bots connecting to different C&Cs. It was the evolution of peer-to-peer (P2P) botnets, without a
C&C, that enabled botnets to become the internet's worst enemy. Newfangled botmasters only had to send a single
command to any computer on the network and the subservient bots would spread the command to the other computers in the
botnet automatically.

230 Dead as Storm Batters Europe


Batter it did. And not only within Europe. The new kid on the block took more than 503 million computers by storm
worldwide. The Storm botnet emerged in January 2007 as a traditional computer worm and quickly morphed into the
commander of the internet, luring users with spam whose subject lines referred to extreme weather. In the beginning, the
malicious programme was distributed as an email attachment to spam messages (often posing as a PDF file but named
"ReadMore.exe"). Once opened, the code infected victims' computers, leveraging a P2P architecture to spread rapidly—
mutating into as many as three to five new Storm worms a day. Later, attachments were replaced with links to infected
files inserted into spam messages and links to infected web pages and blogs.

It soon became clear that Storm was not yesterday's bot. Developed and distributed by professionals, the bot code mutated
on a dedicated computer on the internet, rather than within the programme itself—spawning new versions as often as
once an hour, thus making antivirus database updates ineffective for many users. The Storm botnet was also programmed
to protect itself from frequent requests from the same IP address, launching a DDoS attack on any suspicious address to
keep network analysts at bay. Meanwhile, the bot tried to remain as inconspicuous as possible, using limited system
resources to avoid detection. Notably, instead of communicating with a central server, each Storm bot only connected to a small
number of computers on the infected network (typically 85,000 machines, of which only 35,000 were set up to send spam)—
making identification of all zombie machines virtually impossible. Finally, the botmaster was constantly changing distribution
methods and using sophisticated social-engineering techniques.

"Storm evolved like an ever-shifting malware kaleidoscope," says Scott Pinzon, CISSP, Information Security Analyst, WatchGuard
LiveSecurity. "As it grew in size and strength, Storm was called the world's most powerful super computer." From
annoying, colossal amounts of spam to the fallout from the debilitating cyber attack on Estonia, the full extent of Storm's
reach and ensuing damage will never be known. By year end, the Storm botnet seemed to have dissipated—either broken
up into parts and sold, or abandoned due to lack of continued profitability.

You Can Call Me Kraken or Bobax or Bobic, or…


Emerging earlier this year, the so-called Kraken botnet, also known as Bobax, took over Storm's claim as the world's largest,
most destructive botnet—boasting between 185,000 and 400,000 hacked computers in its collection. With the capacity to
spam about nine billion messages a day, Kraken has been in and out of the news under other aliases including Bobic,
Oderoor, Cotmonger and Hacktool.Spammer—and some even argue it is the same botnet known as MayDay.

Like most botnets, the purpose of Kraken seemed to be the propagation of massive amounts of spam. The Kraken code
came in a file that looked like an ordinary image file, such as a JPEG or PNG, but with a hidden extension that prevented
users from recognising it as an executable. Once an innocent user opened the file, it copied itself onto the user's PC and
deleted the original copy—erasing its tracks. Kraken therefore presented enormous difficulty for analysts to detect. This
malicious botnet caused individual PCs or servers to send as many as 500,000 spam messages in a single day—double the
output of Storm. Spotted in at least 50 Fortune 500 companies, it went undetected on over 80 percent of machines running
antivirus software on Microsoft Windows operating systems. Unlike Storm, the Kraken botnet code included a list of domains
anywhere in the world where the C&C server might be located. Once a machine was newly infected, it began sifting through
that list to find the current C&C. If a C&C server was taken down, which happens regularly with large botnets to avoid
detection, Kraken's botmaster could simply move the C&C function to another domain instantly—effectively evading even
the most robust network security. Until recently, Kraken ruled the internet, causing mayhem and uncountable monetary gain
for both spammers and the bot herder.
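The domain-list behaviour described above leaves a footprint a defender can look for: a newly infected host walks its built-in list of candidate C&C names, producing a burst of failed lookups until one resolves. The following is an added example, not code from the article or from WatchGuard, that flags such hosts in DNS resolver logs; the log format and the sample lines are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (not from the article): timestamp, client IP, query name, response code.
# Host 10.0.0.7 cycles through a candidate-domain list the way the Kraken bot does, failing
# lookup after lookup before one name finally answers; 10.0.0.12 is an ordinary user.
SAMPLE_LOG = """\
2008-04-07T09:00:01 10.0.0.7 upd-alpha.example NXDOMAIN
2008-04-07T09:00:02 10.0.0.7 upd-beta.example NXDOMAIN
2008-04-07T09:00:02 10.0.0.12 www.example NOERROR
2008-04-07T09:00:03 10.0.0.7 upd-gamma.example NXDOMAIN
2008-04-07T09:00:04 10.0.0.7 upd-delta.example NXDOMAIN
2008-04-07T09:00:05 10.0.0.7 upd-epsilon.example NXDOMAIN
2008-04-07T09:00:06 10.0.0.7 upd-zeta.example NOERROR
2008-04-07T09:00:30 10.0.0.12 mail.example NXDOMAIN
2008-04-07T09:05:00 10.0.0.12 typo.example NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return (timestamp, client_ip, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append((datetime.fromisoformat(ts), client, qname, rcode))
    return records


def find_domain_cyclers(records, window=timedelta(seconds=60), min_failures=5):
    """Flag clients that fail to resolve at least min_failures distinct names within window.

    Returns {client_ip: (first_failure_timestamp, sorted distinct failed names)}. A normal
    user produces the occasional typo; a bot sifting a C&C list produces a tight burst.
    """
    failures = defaultdict(list)
    for ts, client, qname, rcode in sorted(records):
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    flagged = {}
    for client, events in failures.items():
        for i, (start, _) in enumerate(events):  # slide the window over each failure
            names = {q for ts, q in events[i:] if ts - start <= window}
            if len(names) >= min_failures:
                flagged[client] = (start, sorted(names))
                break
    return flagged
```

Tune `window` and `min_failures` to the resolver's normal NXDOMAIN rate; a flagged host is a lead for host-level investigation, not proof of infection.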

MayDay: Storm’s Little Brother


By late January/early February 2008, MayDay arrived on the scene, appearing as a P2P-architecture-based botnet, more
cunning and more sophisticated than Storm. After launching, a bot connected to the web server specified by the
programme, registered itself in the server database and received a list of the other bots. This established
P2P communication, based on ICMP messages, with the other bots in the zombie network. To avoid detection, MayDay carefully
measured how much traffic passed between the C&C and each bot client. In addition, it enforced a short window within which
communication had to happen. However, its unencrypted network-communication protocol had not been designed to
evade antivirus software, and unlike Storm it never possessed the ability to vary itself frequently. Though it did not
compare in size or strength, MayDay is heralded as a serious botnet with tidy code applicable to Windows and Linux—
indicating a skilled development team. Nobody has seen hide nor hair of the MayDay bot for a few months now. Is it still
lurking out there, waiting for July to surface again?

Srizbi: The Perfect Storm


The latest newcomer topping the botnet charts is Srizbi, accounting for up to 50 percent of all spam today—weighing in as
the single largest menace on the internet at this time, dwarfing even Storm. Total infections to date number around 300,000
PCs across the globe, spewing an estimated 60 billion spam emails per day. All those emails about watches, pens and
male-enhancement pills flooding your mailbox are probably the work of Srizbi. Even at the height of its destruction, Storm
only accounted for 20 percent of worldwide spam. So far, Srizbi is outproducing all the other botnets combined. Super
botnets have already begun to dominate internet traffic.

It appears as if Srizbi is reproducing itself in the emails it distributes. Though not unique, this feature may be helping the
botnet avoid detection at this stage, while it deceives people with more sophisticated social engineering. History
suggests that Srizbi will fade away, just like Storm, just like Kraken, just like MayDay. However, by then, another new super
botnet will probably have taken its place.

Summary


No doubt, botnets today are a key internet disrupter and have proven to be the most powerful and effective cyber-criminal
tools to date. From lucrative phishing and fraud scams to extortion and exerting political pressure on governments, today's
cyber criminals are an intelligent breed—using social engineering to entice a victim to click a link or open a file, instead of
cracking a firewall to penetrate a machine. Additionally, botnet crime is becoming increasingly dangerous owing to its ease
of use and availability. The economy supporting these cyber crimes has grown to such an extent that everything from virus-
writing kits to spam-spewing zombies is now available for purchase or hire. Unfortunately, home users' computers make
up a large part of the infected zombie machines. A bot master's worth is judged not by his technical prowess, but by his ability
to gain access to networks of millions of compromised machines. The bounty is just too great to expect cyber criminals to
go away.

However, internet security experts debate how to control these damaging devils that creep into our machines and then run
rampant day and night. Executive Director of the National Cybersecurity Alliance, Ron Teixeira, strongly believes that only a
combination of network-security tools can prevent botnet attacks in the future. We need to educate the industry and the
average computer user about the problem and illustrate easy and practical ways to prevent malware infection. From the
industry, he petitions more investment in network-security technology to thwart the attacks at the outset. Lastly, he urges
heavy-handed law enforcement to ensure cyber criminals are seriously punished once caught.

Tips to Banish Botnets Once and for All


- Deploy defence-in-depth strategies and multi-layered network security
- Patch promptly and vigilantly install security updates
- Block JavaScript
- Monitor ports and plan port security to block unauthorised traffic
- Generate user awareness amongst friends and colleagues

REFERENCES

Keizer, G., 10 April 2008, "RSA – Top Botnets Control 1M Hijacked Computers", Computerworld.com.au,
http://www.computerworld.com.au/index.php/id;1183357273

Higgins, K.J., 10 April 2008, "IBM: The Security Business 'Has No Future'", Dark Reading, San Francisco,
http://www.darkreading.com/document.asp?doc_id=150830&f_src=darkreading_section_296

Gaudin, S., 6 September 2007, "Storm Worm Botnet More Powerful than Top Supercomputers", Information Week, New
York, http://www.informationweek.com/news/showArticle.jhtml?articleID=201804528

Nachreiner, C. & Pinzon, S., March 2008, "Understanding and Blocking the New Botnets", WatchGuard Technologies, Inc.

Higgins, K.J., 7 April 2008, "New Massive Botnet Twice the Size of Storm", Dark Reading, San Francisco,
http://www.darkreading.com/document.asp?doc_id=150292&WT.svl=news1_1

Dunn, J.E., 17 May 2008, "Srizbi Becomes World's Largest Botnet", Techworld.com,
http://www.pcworld.com/businesscenter/article/146017/srizbi_becomes_worlds_largest_botnet.html

Stewart, J., 8 April 2008, "Top Spam Botnets Exposed", SecureWorks, http://www.secureworks.com/research/threats/topbotnets