Donal MacIntyre - Cyber Terrorism

On Sunday November 9th 2008, Steve Santorelli from Team Cymru's outreach team took part in a BBC Radio program on "Cyber Terrorism", in particular dealing with botnets in the context of the recent attacks on Georgia and Estonia.

The Donal MacIntyre programme goes out live on Sunday evenings at 7pm UK time on BBC Radio Five Live (see http://www.bbc.co.uk/fivelive/programmes/donalmacintyre.shtml).

Donal has a strong background in investigative journalism on UK television, and this was one of the first mainstream media programs to examine botnets and the recent DDoS attacks in Eastern Europe in any detail.

You can listen to the entire November 9th 2008 Donal MacIntyre program (RealPlayer required), or download the 22 minute audio clip of the Cyber Terrorism segment (19 MB MPEG-4 Audio) if you did not hear the original program when it aired.

Following are some supporting notes that were used to provide some context on the wider botnet threat. They are somewhat basic but may well be useful for someone trying to understand this technology for the first time:

Botnets are the scourge of the internet. If you've been affected by any kind of cyber crime in the last few years - in fact, if you've ever received any spam e-mail - then you'll probably have been affected by a botnet.

A botnet is, at a very basic level, a collection of computers that have all been infected with the same computer virus. These computers belong to innocent users like you and me - we'd never really know if we had been infected, we'd just continue to use them to surf web sites, send e-mail and log into our bank accounts - all the while being completely unaware that those same computers are being conscripted into an army of "zombies" and being used by criminals to steal, hack and attack all over the Internet. The key point with a traditional botnet is that all of the infected machines allow themselves to be completely controlled via one central computer server called a Command and Control server. This could be located anywhere in the world, as can the infected machines... and as can the people using the botnet to make money from us.

Botnets started out as helpful tools used by internet users back in the late 1990s. That is nearly prehistoric times in Internet terms, but botnets were used to protect the early internet chat rooms from being taken over by mischievous kids. They worked well but, as money moved online with online shopping and banking, criminals turned to the Internet, as the risks of being caught were low and the rewards were far higher than, for example, drug crime or bank robberies.

Criminals realized that, by writing viruses that quietly infected thousands of machines, they could amass an army of zombies that could be used to make money in several ways, for example (and this is not an exhaustive list):

  • sending spam - the overheads are negligible and people do still buy (normally fake) medication, pyramid scams, dodgy loans and the like
  • sending phishing e-mails and hosting phishing sites on infected machines
  • attacking other computers in "distributed denial of service" attacks (aka DDoS) as part of an extortion scheme
  • click fraud to defraud online advertising companies
  • harvesting passwords, e-mail addresses and financial data from infected machines
  • installing adware and spyware where the criminal will get paid a few pennies for each installation

There are several thousand major botnets on the internet, each comprising between perhaps a few hundred and tens of thousands or more infected computers. If you haven't got any regularly updated anti-virus software then it is highly likely that your computer is currently part of one or more botnets.

There's a very mature infrastructure surrounding this "Underground Economy" whereby a person running a botnet will form part of a team of specialists that will work together on a criminal enterprise - much like the "get-away" drivers or armorers (providing untraceable firearms) of the old days of bank robberies where specialists were contracted to provide a distinct service. Often botherders will temporarily rent their botnet out to another criminal, or just carve off a few thousand "bots" to sell as a ready-made botnet.

Now, the Underground Economy is riddled with, well, criminals - as you'd expect. There is in fact very little honor amongst thieves and these criminals will rip each other off constantly. It's therefore quite tricky to just drop into an online chat room and try to talk someone into selling or renting you their botnet. They will think you're either an undercover police officer, a dangerous amateur that will bring lots of unwanted attention onto them, or simply someone they don't know and trust who will probably rip them off by not paying them.

A typical deal hatched in a chat room will start with someone advertising their criminal wares in text form. A buyer with a specific need will contact the advertiser by inviting them into a private chat room where they'll decide if they trust each other and negotiate a price. That's all it takes - there are hundreds of such deals happening each and every day online.

These criminals are not normally very technical people - the people who actually write the latest botnet software sell this code for a few hundred dollars or less but make it very easy to configure and customize your own botnet. It often requires as little technical knowledge as being able to install a new program on your home computer!

These criminals come from all over the world and can be a mixture of teenagers who would never dream of committing a "real life" crime such as burglary, as well as more professional and experienced criminals who are used to large scale financial frauds and have the resources for money laundering. Some recent arrests also suggest that "normal" and sometimes quite violent criminals are starting to move away from muggings and burglary and into cyber crime - why take the risk of being arrested and sent to jail for 5 years for street robbery when you can make a lot more from your front room? Even if you get caught (which is very unlikely) you'll not get anything close to 5 years as a penalty.

It's all about money - and these criminals will put aside ideological and political differences to cooperate to make money from innocent internet users. But it's actually really quite simple to prevent your computer from being abused like this.

So how do you prevent your computer from being part of a botnet? If you follow these simple rules, you'll substantially decrease the chances of your computer being part of a botnet:

  • use a regularly updated anti-virus program and a firewall. Many operating systems come with a firewall and there are several good, free anti-virus packages available online. Many ISPs also provide these packages as part of your monthly subscription.
  • regularly update your operating system to 'patch' new vulnerabilities as they are discovered
  • practice safe e-mail usage: don't open e-mail attachments unless you know the sender and you were expecting the attachment
  • upgrade to one of the latest internet browsers with anti-phishing technology
  • be wary of 'free' software, toolbars, file sharing sites and the like - these are all common sources of viruses

Law enforcement and industry specialists are doing their best to help protect you as well. There have been some successful arrests and prosecutions in recent years, and cooperation between the groups is getting faster and is based on a mutual appreciation that trust and cooperation are essential. Equally though, some barriers still exist that mean that the advantage rests with the criminals. Law enforcement arguably have:

  • limited training and resources
  • competing priorities
  • insufficient legal tools to deal with cross-border crimes

...imagine that you are trying to work on a botnet with a Command and Control server that is, for example, in Paris. The infected computers might be dotted all over 30 different countries. The suspect is hiding his identity by bouncing his connection through other infected computers in Beijing and New York but in fact he himself is based in Toronto.

How on earth do you work that one out as a police officer? It's a detective's worst nightmare - the paperwork alone to get the evidence you need would (and does) take years.

Meanwhile, the criminal is running phishing attacks using his botnet that last a matter of hours before he packs up and moves the entire operation to a different set of computers. Often it must be considered a success just to disable the central command and control computer to "cut the head off the botnet" in the knowledge that you'll never find out who is behind it - you're just fighting fires and trying to take botnets down as fast as they appear.

The future isn't looking positive for the good guys: new types of botnet have emerged in recent years called "web based" and "peer to peer based" that are more difficult to trace and disrupt. Peer to peer in particular uses the same technology as file sharing software packages such as Napster or BitTorrent - it's a distributed network with no central point of control to try to take down. Criminals are learning from the way industry specialists and law enforcement have approached the early botnets: now they're changing the way they build botnets, adding encryption and making key elements move from one infected machine to another every few minutes - it's like trying to hit a moving target, and law enforcement and industry find it hard to keep up with them to take them down fast enough.
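As an added example (not part of the original programme notes), here is a simple defender-side heuristic over constructed passive-DNS observations that flags a domain whose address records hop between hosts every few minutes in the way described above; the domain names, addresses and thresholds are all invented for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (timestamp, domain, A record, TTL in seconds).
# Domains and addresses are invented for illustration (RFC 5737 documentation ranges).
OBSERVATIONS = [
    ("2008-11-09T18:00:00", "phish-example.test", "198.51.100.4", 120),
    ("2008-11-09T18:02:00", "phish-example.test", "203.0.113.77", 120),
    ("2008-11-09T18:04:00", "phish-example.test", "192.0.2.130", 60),
    ("2008-11-09T18:06:00", "phish-example.test", "198.51.100.91", 60),
    ("2008-11-09T18:08:00", "phish-example.test", "203.0.113.12", 90),
    ("2008-11-09T18:10:00", "phish-example.test", "192.0.2.201", 60),
    ("2008-11-09T18:00:00", "static-shop.test", "192.0.2.10", 3600),
    ("2008-11-09T18:30:00", "static-shop.test", "192.0.2.10", 3600),
    ("2008-11-09T19:00:00", "static-shop.test", "192.0.2.10", 3600),
]

# Assumed thresholds: a legitimate site rarely rotates through this many hosts,
# spread across this many networks, with TTLs this short.
MIN_DISTINCT_IPS = 4
MIN_DISTINCT_NETS = 3
MAX_AVG_TTL = 300


def profile_domains(observations):
    """Per-domain churn metrics: distinct IPs, distinct /24s (crude network grouping), mean TTL."""
    raw = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _ts, domain, ip, ttl in observations:
        entry = raw[domain]
        entry["ips"].add(ip)
        entry["nets"].add(ip.rsplit(".", 1)[0])
        entry["ttls"].append(ttl)
    return {
        domain: {
            "distinct_ips": len(e["ips"]),
            "distinct_nets": len(e["nets"]),
            "avg_ttl": sum(e["ttls"]) / len(e["ttls"]),
        }
        for domain, e in raw.items()
    }


def flag_fast_flux(observations):
    """Map each domain to True when its records behave like a moving target."""
    return {
        domain: (p["distinct_ips"] >= MIN_DISTINCT_IPS
                 and p["distinct_nets"] >= MIN_DISTINCT_NETS
                 and p["avg_ttl"] <= MAX_AVG_TTL)
        for domain, p in profile_domains(observations).items()
    }
```

In practice the same metrics would be computed over a resolver's query logs or a passive-DNS feed, and a hit is a prompt to investigate the domain rather than proof of a botnet.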