Saturday, October 16, 2010

Botnets and Zombie Computers?....

Does your computer rise up at night and obey orders from someone else like a zombie?
We will begin with this amazing video on botnets, viruses, and worms.

Here is another one which is very informative!

The word botnet does not always refer to malicious software.  It can simply be a name for a group of computers connected to a distributed network, i.e., a group of computers which share tasks towards a common goal.  Despite what the CNN video says, the largest botnet found was the one uncovered in 2009 by Spanish police.  Its operator had assembled a network of over 12.5 million computers.
Christopher Davis, CEO for Defence Intelligence, who first discovered the Mariposa botnet, explains: "It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were."

These botnets have names like Mariposa, Conficker, Zeus, Cutwail, Grum, Kraken, Srizbi, Lethic, Mega-D, Bagle, etc.  The story of the Mariposa botnet reads like a novel or Hollywood movie script.  This was an army of computers for rent to anyone who wanted to use them.  The botnet was made up of personal, government and university computers from over 190 countries.  This botnet was first discovered by Defense Intelligence, an intelligence agency that serves all the military services.  In 2009, they discovered the Mariposa botnet and, after cooperation with Panda Security and the Georgia Tech Information Security Center, took control of the botnet's server.  When the botnet operators discovered that the botnet had been taken from them, one of them made the mistake of logging in from his own computer instead of by the normal method, an anonymous virtual private network.  This allowed the authorities to identify and arrest him.  After a time one of the owners of the botnet managed to regain control of the network and launched a DoS attack at Defense Intelligence.  A DoS (Denial of Service) attack is when massive numbers of computers try to access a website all at once, overloading the server for that site and bringing it down in a system crash.  This attack was so effective that it brought down the ISP (Internet Service Provider) for several Canadian universities and government institutions.  Defense Intelligence finally wrested back control of the botnet and was able to arrest the remaining operators.  The Mariposa botnet had the financial identity of over 800,000 people.

DoS Attack (Denial of Service)
The other botnet we will speak about is Conficker.  This botnet is still operational.  Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker and $5,000,000 for the creators of the Conficker botnet.  Conficker is believed to be even bigger than the Mariposa botnet.  It is believed to control more than 7 million computers in over 200 countries.  Although the channels through which this botnet communicates with its zombie computers have apparently been disabled, the virus still lurks in millions of computers.  In February of 2009, the virus infected computers of the French navy, grounding some aircraft for several days until their flight plans could be downloaded another way.  In April of 2007, Estonia's computers nationwide were attacked.  Watch this:

Sites that typically received 1,000 visits a day were being flooded with 2,000 hits a second.
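As an added example (not from the original post), here is a small Python check a defender could run over web-server access logs to spot the kind of flood described above: it counts hits per second, compares each second against the post's baseline of 1,000 visits a day, and reports how many distinct sources took part, which is what distinguishes a botnet flood from one noisy client. The log lines, timestamps and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines in Common Log Format (made-up timestamps/addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Apr/2007:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Apr/2007:10:00:03 +0000] "GET /news HTTP/1.1" 200 2048',
]
# Simulated flood second: 40 hits in one second from 40 distinct bot addresses
# (the real event in the post was 2,000 hits a second; kept small here).
SAMPLE_LOG += [
    f'198.51.100.{i} - - [27/Apr/2007:10:00:04 +0000] "GET / HTTP/1.1" 503 0'
    for i in range(1, 41)
]
SAMPLE_LOG.append('203.0.113.5 - - [27/Apr/2007:10:00:05 +0000] "GET / HTTP/1.1" 200 512')

# Source address and bracketed timestamp; everything after that is ignored.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ')


def hits_per_second(lines):
    """Map each timestamp (to the second) to the list of source addresses seen."""
    per_second = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        per_second[m.group('ts')].append(m.group('src'))
    return per_second


def flood_seconds(lines, baseline_per_day=1000, multiplier=1000):
    """Return [(timestamp, hits, distinct_sources)] for every second whose hit
    count exceeds `multiplier` times the per-second rate implied by the daily
    baseline.  With 1,000 visits/day the threshold is about 11.6 hits/s; the
    2,000 hits/s flood in the post is more than two orders of magnitude above it."""
    threshold = baseline_per_day / 86400 * multiplier
    flagged = []
    for ts, sources in sorted(hits_per_second(lines).items()):
        if len(sources) > threshold:
            flagged.append((ts, len(sources), len(set(sources))))
    return flagged


if __name__ == "__main__":
    for ts, hits, distinct in flood_seconds(SAMPLE_LOG):
        print(f"{ts}: {hits} hits from {distinct} distinct sources")
```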
"Stuxnet is the most refined piece of malware ever discovered."
This September, Iran reported that its industrial computer system had been infected with malware called Stuxnet, which particularly affects computerized control equipment that manages oil pipelines, electric utilities and nuclear plants, especially those with software and equipment from Siemens Corporation.  Over 30,000 computers were infected.

The virus is not a product of a group of hackers.  From its design, it must have been produced by a nation.  Although most think that it is aimed at Iran, it is China that has been hardest hit, if the reports are accurate.  It has possibly infected over 6 million computers and over 1,000 corporate accounts.  The virus was first detected in June by a Russian security firm named VirusBlokAda.  This virus targets SCADA software, which is the primary software used worldwide for the control of industrial devices.  Some experts say that since Iran received 60% of the infections, the virus was targeted at Iran's nuclear facilities.  But this does not seem to match the other countries that have been infected: India, 86,000 computers; Indonesia, 34,000 computers; while in Iran 14,000 computers have been infected.  Stuxnet has been labelled a "cyber superweapon" since it is so focused on one type of device and software: SCADA.

How thorny is it to get rid of it?  Extremely difficult.  It is initially spread using USB flash drives, but it is believed to have come from Russian laptops used by advisors to the building of the nuclear facility.  Once the virus is inside the system, it uses the default passwords to command the system.  If you change the default passwords it could impact plant operations, according to Siemens.  The attack by this virus requires knowledge of industrial processes that is not typical for viruses of this kind.  Zero-day Windows exploits are used, which is unusual since they are very valuable; four were used by this single virus.  Most hackers do not use them since once they are used they can be defended against from then on.  The virus is quite large by the standards of other viruses, over 500k in size.  It is written in two different languages, including C and C++.  Officials from Symantec who have cracked Stuxnet's cryptographic system say it is the first worm designed not only to spy on systems but to reprogram them.  Robert McMillan, in an article in Computerworld dated September 4, explains how the virus infects the system:
The software operates in two stages following infection, according to Symantec Security Response Supervisor Liam O'Murchu. First it uploads configuration information about the Siemens system to a command-and-control server. Then the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs to work for them, and then they send code to the infected machines that will change how the PLCs work," O'Murchu said.
This means that they own the system and can make the machines destroy themselves from generators to any other device connected to the software.  The virus had stolen "certification" from JMicron and Realtek which helped it remain undetected for a long period of time. Some experts told Wired magazine that for this kind of sophistication it would have taken many man-months if not years.  The article goes on to say that:
Although it’s unclear what specific processes the malware attacked, Langner, who couldn’t be reached, wrote on his blog that “we can expect that something will blow up” as a result of the malware.  Byres agrees and says this is because the malware interjects what’s known as Organizational Block 35 data blocks. OB35 data blocks are used for critical processes that are either moving very fast or are in high-pressure situations. These data blocks take priority over everything else in the processor and run every 100 milliseconds to monitor critical situations that can change quickly and wreak havoc.
Siemens released a detection and removal tool for Stuxnet.  BUT it seems that it cannot be trusted because some fear that the software instead of removing the virus may actually enable it to update itself!  Also, if the virus is removed it could cause a "significant" amount of damage.
Stuxnet comes with a rootkit, designed to hide any commands it downloads from operators of the Siemens systems. Because of that, Symantec warns that even if the worm's Windows components are removed, the Siemens software might still contain hidden commands. Symantec advises companies that have been infected to thoroughly audit the code on their PLCs or restore the system from a secure backup, in order to be safe.
Since the virus was detected in the attempts by Iranian programmers to eradicate it, the virus has updated itself three times.

So right now at this very moment, millions of computers all over the world, from corporate ones to perhaps the ones in your home, to others in government departments all over the world sleep ---- until awakened to do their zombie work!  Happy Halloween, computers!


Anonymous said...

If you could e-mail me with a few suggestions on just how you made your blog look this excellent, I would be grateful.

Wayne Borean said...

You forgot the simple answer - don't run Microsoft Windows (or run an incredibly antique version of it).

Microsoft Windows wasn't originally designed for security. Mac OS X, Linux, BSD, and Solaris were designed for security. This means that they are far more resistant to attacks.

Learning a new operating system isn't hard. It is no harder than learning the differences between driving a Japanese and North American built car, with their different driver control layouts. People adapt within days.