Tag Archives: botnet

Ideological cyberwarfare and the marketing of intangible threats

Ars Technica points us to a BBC report that claims botnets are increasingly being deployed by ideological and political activist groups as well as the more traditional spammers ‘n’ scammers. There’s undoubtedly a kernel of truth here, but given that the data that informs this conclusion comes from Prolexic, a company whose profits depend on selling computer security solutions to businesses and governments, I find myself wanting to poke holes in the story. It’s easily done, too.

First of all, Anonymous are described as an “anti-Scientology group”, which is a massive oversimplification. If they can be said to be anything at all, Anonymous is an amorphous and capricious cloud of nihilistic pranksters, but framing them as a single-interest group makes them more understandable to the corporate mind-set, as well as portraying them as “something that could happen to you”.

Next item – look at this excerpt:

In one attack both large and small perfume firms were hit in an apparent attempt, said Mr Sop, by green activists to express their disquiet with the way the companies made and tested their products.

[…]

These techniques are far removed from those favoured by organised criminals. Some targeted databases behind a website in a bid to swamp that with bogus login attempts or lengthy search requests that would knock out the server and take out the website too.

Note the use of “apparent”, and the lack of any defined enemy. They have no idea who did it, in other words; the “green activists” thing is likely a guess, one that plays into current fears about ideological activism by companies whose business practices might put them in line for such. Isn’t it at least equally likely that the botnet was hired by another perfume business in order to throw some caltrops in the path of its competitors? Is it so implausible that “organised criminals” could have upped their technological game in recent months? It’s not an area in which I have great experience (or, indeed, any experience at all), but I’d imagine that staying on top in the world of international gangsterism involves making sure you’re using the best tools available… because if you’re not, your competition surely will be.

Furthermore, how many “green” activist groups with a special interest in perfumery have the spare money to waste on this sort of warfare? A big part of activist psychology is the desire to be seen to be doing something; this sort of clandestine skulduggery doesn’t sound like the work of placard-waving protesters to me, and I doubt they’d have the money or contacts to call down the botnet fist-of-god on their enemies. There’s nothing to say it couldn’t be, of course, but I’d want better proof – especially from a source who stands to benefit from setting up straw-man opponents which it can then offer protection from.

A few more bits from the bottom:

Mr Sop said Prolexic suspected that some of the attacks it had seen in recent months were being mounted by governments or their proxies in the hacking community as a way to demonstrate their cyber capabilities.

*cough* *wink* China *nudge* *cough* The Red Peril! The Other! The monsters under Western capitalism’s bed! They’re coming for you!

The resources being put into the attacks, some of which targeted very expensive pieces of net hardware, ruled out the involvement of organised crime, he said.

Really? Why would organised criminal syndicates not be interested in attacking “expensive net hardware” when political or ideological activists would be? And this hardware – what is so different about it that makes it expensive by comparison to “not-so-expensive” net hardware, exactly? Are the victim servers plated with gold, perhaps?

OK, so I’m going a bit overboard here, but everything about the report from these Prolexic people stinks of under-the-radar button-pushing infomercial. Ideologically-targeted botnets are certainly a real issue, and probably more so than they were a year ago… but I suspect this shift in PR focus by security firms to be born of the realisation that defined threats enable sales better than amorphous ones. Which is the more tangible risk, as perceived by a CEO – “scammers might hijack your server because it’s essentially a box that can do anything if instructed properly” or “people who object to your ideology or business practices could treat your network infrastructure as a weak point”? The former is a statistical long-shot; the latter plays on the fear of competition that is key to any successful business.

Getting back to the core point, though, the rise of ideological deployments of botnets is hardly surprising. The people who run botnets are mercenaries of the old school, renting out their services by the day (or maybe even by the hour) to anyone who can meet the price… and for those groups who can’t meet the price (or don’t like dealing with middle-men), it’s depressingly easy to build one yourself, if you’ve the time and motivation. But that’s the key – time and motivation, and the aforementioned visibility. Single-issue activist groups want their protests to be seen and attributed to them, because otherwise they’re wasting their time; the stealthy anonymous attacks are logically far more likely to originate from corporations (legitimate or criminal) and nation-states.

So, yes, ideological cyberwarfare is a real and rising threat… but I’m not convinced it’s as grass-roots a threat as it’s being portrayed. After all, if you want to sell your product to corporations and governments, you can’t go demonising your potential customers in your ad copy.

The Hail Mary Cloud: slow but steady brute-force password-guessing botnet

Did you hear about the recent exploit of jailbroken jesusPhones? Yeah, the Rick-rolling one (though that wasn’t strictly the original exploit, rather some Australian script-kiddie’s repurposing of a Dutch exploit from earlier in the month); to sum it all up in a sentence, bad things can happen to your hardware if you install software without changing the default password. As a sensible and experienced web denizen, you knew that already, of course.

But when you set or change a password, you’d better make the effort to think up a good one. Countless studies have shown how easy it is for black-hat types to guess the most common passwords (or alternatively social-engineer them out of you), but the ease of guessing is going to increase rapidly very soon, thanks to something one free software geek from Norway is calling the Hail Mary Cloud. [image by Anna Gay]

Yeah, I know, the pop-culture reference is a bit obscure, so I’ll sum it up for you: the Hail Mary Cloud is essentially a brute-force password-guessing botnet that has been scraping away at SSH daemons in recent months. A Mechanical Turk method of botnet expansion, in other words; why wait for someone to click on a spam email link when you can prise open a back-door on a webserver somewhere? [via SlashDot]

Each attempt in theory has monumental odds against succeeding, but occasionally the guess will be right and they have scored a login. As far as we know, this is at least the third round of password guessing from the Hail Mary Cloud, but there could have been earlier rounds that escaped our attention.

The fact that we see the Hail Mary Cloud keeping up the guessing is a strong indicator that there are a lot of guessable passwords and possibly badly maintained systems out there, and that even against the very long odds they are succeeding often enough in their attempts to gain a foothold somewhere that it is worth keeping up the efforts. For one thing, the cost of using other people’s equipment is likely to be quite low.

There are a lot of things about the Hail Mary Cloud and its overseers that we do not know. People who responded to the earlier articles with reports of similar activity also reported pretty consistently something like a sixty to seventy percent match in hosts making the attempts.

With 1767 hosts in the current sample it is likely that we have a cloud of at least several thousand, and most likely no single guessing host in the cloud ever gets around to contacting every host in the target list. The busier your SSH daemon is with normal traffic, the harder it will be to detect the footprint of Hail Mary activity, and likely a lot of this goes undetected.

If you’re worried, you’re thinking right – a password is only ever a matter of odds, and the odds shorten for an attacker who can make enough attempts; a cloud of thousands of hosts exists precisely to make them without any single host tripping a lockout. If the Hail Mary Cloud grows big enough, the era of the password as an even partially effective security method may be over… so start genning up on public-key authentication now (and turn password logins off on your SSH daemon once your keys are in place) and avoid the rush.
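As an added example (not code from the original post or from the article it quotes), the script below shows why this pattern slips past the usual per-host defences. It parses constructed OpenSSH “Failed password” log lines, applies a fail2ban-style threshold that catches a single noisy host, and then applies a whole-log heuristic that catches the slow, many-host sweep instead. The sample log lines, the thresholds, and the alphabetical-username heuristic (usernames advancing in order across different source hosts) are assumptions made for this example.

```python
"""Spot a slow, distributed SSH password-guessing sweep in sshd log output.

Added example, not code from the original post or the article it quotes.
The log lines below are constructed to mimic OpenSSH "Failed password"
entries; the thresholds and the alphabetical-username heuristic are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten hosts each make one guess, minutes apart, with the
# usernames advancing alphabetically across hosts, plus one noisy host that
# hammers root six times in six seconds for contrast. Not real traffic.
SAMPLE_LOG = """\
Nov 19 02:01:11 bsd sshd[5012]: Failed password for invalid user aaron from 203.0.113.10 port 41022 ssh2
Nov 19 02:05:37 bsd sshd[5019]: Failed password for invalid user abby from 198.51.100.23 port 51208 ssh2
Nov 19 02:09:02 bsd sshd[5024]: Failed password for invalid user adam from 192.0.2.77 port 38851 ssh2
Nov 19 02:14:48 bsd sshd[5031]: Failed password for admin from 203.0.113.55 port 44310 ssh2
Nov 19 02:19:15 bsd sshd[5038]: Failed password for invalid user alex from 198.51.100.9 port 60022 ssh2
Nov 19 02:23:59 bsd sshd[5040]: Failed password for invalid user alice from 192.0.2.130 port 47710 ssh2
Nov 19 02:28:30 bsd sshd[5044]: Failed password for invalid user amanda from 203.0.113.201 port 33190 ssh2
Nov 19 02:33:07 bsd sshd[5050]: Failed password for invalid user andrew from 198.51.100.140 port 52009 ssh2
Nov 19 02:37:41 bsd sshd[5053]: Failed password for invalid user anna from 192.0.2.15 port 41177 ssh2
Nov 19 02:42:20 bsd sshd[5059]: Failed password for invalid user anthony from 203.0.113.88 port 39981 ssh2
Nov 19 02:42:21 bsd sshd[5060]: Failed password for root from 198.51.100.200 port 50011 ssh2
Nov 19 02:42:22 bsd sshd[5061]: Failed password for root from 198.51.100.200 port 50012 ssh2
Nov 19 02:42:23 bsd sshd[5062]: Failed password for root from 198.51.100.200 port 50013 ssh2
Nov 19 02:42:24 bsd sshd[5063]: Failed password for root from 198.51.100.200 port 50014 ssh2
Nov 19 02:42:25 bsd sshd[5064]: Failed password for root from 198.51.100.200 port 50015 ssh2
Nov 19 02:42:26 bsd sshd[5065]: Failed password for root from 198.51.100.200 port 50016 ssh2
"""

# Both OpenSSH forms: "for invalid user NAME" (unknown account) and "for NAME".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_logins(text):
    """Return time-ordered (timestamp, username, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog stamps carry no year; relative order is all we need here.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return sorted(events)


def single_source_bans(events, max_retry=5, window=timedelta(minutes=10)):
    """Source IPs a fail2ban-style rule (max_retry failures inside window) bans."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= max_retry:
                banned.add(ip)
                break
    return banned


def distributed_sweep(events, min_sources=5, max_per_source=2):
    """Flag the Hail Mary pattern: many sources, few tries each, ordered usernames.

    Per-host thresholds never fire on these sources; the tell is only visible
    when the whole log is read as one coordinated sweep (assumed heuristic).
    """
    attempts = defaultdict(int)
    for _ts, _user, ip in events:
        attempts[ip] += 1
    low_rate = {ip for ip, n in attempts.items() if n <= max_per_source}
    sweep = [user for _ts, user, ip in events if ip in low_rate]
    alphabetical = len(sweep) > 1 and all(a <= b for a, b in zip(sweep, sweep[1:]))
    return {
        "sources": len(attempts),
        "low_rate_sources": len(low_rate),
        "low_rate_attempts": len(sweep),
        "alphabetical_sweep": alphabetical,
        "flagged": len(low_rate) >= min_sources and alphabetical,
    }


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    print("per-host rule bans:", sorted(single_source_bans(evts)))
    print("distributed sweep:", distributed_sweep(evts))
```

On the constructed sample the per-host rule bans only the noisy root-guesser, while every one of the ten slow hosts stays under its radar; the whole-log heuristic is what flags the sweep. Detection only tells you it is happening, though: the fix that makes the guessing irrelevant is to set `PasswordAuthentication no` in `sshd_config` once key-based logins are working, so a correct guess has nothing to log in to.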

Brain-food: white hats, anti-hackers and post-modern political loyalty

By way of an experiment, I thought I’d round up a handful of links which made for interesting reading, but about which I felt no particular urge to editorialise (or waffle tangentially, if there’s any measurable difference between the two in my case). If you like the format, let me know in the comments and I’ll do more of them in future. Now, let’s see what we’ve got here…

  • Have you ever wondered why it is that the good guys always wear white? If so, MetaFilter has a comprehensive round-up of pieces about the psychological and/or neuroscientific roots of our association of blackness and whiteness with badness and goodness.
  • If you’ve ever wanted an insight into the world of the computer security professional, SlashDot points to an account by the FireEye Malware Intelligence Lab about their recent beheading of the Ozdok botnet. Simultaneously fascinating in the manner of occult literature (e.g. full of bizarre words and phrases for which most of us have no context whatsoever) and mundane in the manner of a corporate progress report (it’s mainly lists of domain names and IP addresses), it’s an insight into the language and attitudes of a profession we largely ignore, and the sphere in which they work. Great research material for anyone writing a story featuring hackers and counter-hackers.
  • And if you’ve wondered about my curious and relentless obsession with charting the withering of the nation-state as the uppermost level of global political structure, the two minutes it will take you to read this post by John Robb will explain it more thoroughly and concisely than I’ve ever been able to do, despite coming to a similar (though much less elegantly formed) conclusion some number of years ago. Here’s the first half:

    Globalization is in the process of eviscerating traditional loyalties. In the 20th Century, loyalty to the nation-state (nationalism, often interwoven with ideology), was supreme. In today’s environment, a global marketplace is now the supreme power over the land. It has drained the power of nation-states to control their finances, borders, people, etc. Traditional ideologies and political solutions are in disarray as the fluctuating and often conflicting needs of the global marketplace override all other concerns. As a result, nation-states are finding it increasingly impossible to govern and the political goods they can deliver are being depleted.

So, there’s some brain-food for your Thursday – tuck in! Do let me know if you’d like to see more of these bite-sized morsels on Futurismic.

First mobile phone botnet spotted in the wild?

Ever find yourself wishing your phone could run the same software as your home computer? Well, at least they are now both susceptible to becoming part of a botnet, as the first known centrally-controlled mobile phone virus has been spotted in the wild:

Sexy Space uses text messages reading “A very sexy girl, Try it now!” to jump between phones. The message contains a link that, when clicked, asks the user to download software which, once installed, sends the same message to contacts stored in the phone.

Similar SMS viruses have been seen before. But Sexy Space is unusual in that it also communicates with a central server and can thus be controlled by the hackers who created it – the feature that gives conventional botnets their power. If the network of infected phones is seen to be responding to remote commands, it can be described as a true botnet.

Brilliant. Given that recent research suggests more than 50% of computer users have clicked on a link in a spam email, we can evidently look forward to our back pockets being the next frontier for badly-spelled importunings from bootleg pharmacies and an inconceivable number of non-existent Nigerian government officials. [image by Bah Humbug]

[The first smug Apple fanboy to post an evangelical comment will incur the wrath of my crack team of Estonian DDoS experts. If the capability to not have to use your common sense to avoid viruses is really worth the hardware premium you pay for the privilege, I suggest basking silently in the glow of your own self-satisfaction.]

Botnet blue-screens 100,000 PCs

Usually, it’s in the best interests of a botnet operator to let the infection sit on the host machine until finally detected and expunged by the end user. After all, the longer you stay in, the more chance you’ve got of hoovering up useful goodies and infecting other computers.

But the worms and trojans that carry the infections often have less subtle capabilities built into them, as was demonstrated last month when the person (or persons) controlling the Zeus botnet used it to completely FuXx0r a hundred thousand Windows machines:

Zeus, unlike many other malware programs, managed to make each installation appear different to virus trackers so that it would be more difficult to remove. But Zeus had another interesting feature—one that isn’t terribly uncommon among botnet software, it turns out. A command was built into the software to kos—or “kill operating system”—and it was apparently executed some time last month.

The reason for BSODing 100,000 machines isn’t quite clear, but several security experts have offered up their opinions. S21sec wrote on its blog that those behind Zeus might have wanted more time to exploit the financial data they had harvested by removing the user’s ability to get online and see that money was being transferred.

It may even have been a momentary error, or a flashy cut-and-run. What interests me about this story is that it shows a new potential angle for so-called cyberwarfare – one that could be more easily justified as a politically motivated attack.

Let’s say you could target all the computers belonging to a specific government or corporation; that wouldn’t be too hard to do with a little research into IP numbers and so forth. If you get a good enough infection rate – and knowing how weak most computer security procedures are, even in organisations that should know better, that shouldn’t be too hard a trick either – you could then choose to deep six that organisation’s computer infrastructure at a time of your choosing with the press of a few keys. If your trojan was designed to do nothing else, or its other capabilities were left inactive, that potential could sit unnoticed for some time – until your revolution was ready, perhaps, or your planned day of protest actions, or your stock value raid. To put it in medieval terms, it would be like having a bunch of sleeper-agent sappers spread throughout your enemy’s castle, waiting for the horns of Jericho. [image by Justin Marty]

It’s probably not the sort of thing that an organisation or country with any reasonable military clout would bother deploying, but destructive botnet warfare (as opposed to corrosive attacks, fraud or espionage) will appeal to the geographically-scattered groups who lack the sort of conventional leverage that can be gathered in one place; 100,000 dead PCs won’t bring down a government or kill a company, but it’s going to make a loud and expensive statement for a very small financial outlay.

Botnets still seem predominantly the concern of criminals with a financial motivation, but as the recent Palestinian conflict demonstrated, political factions are waking up to the potentials; when the situationists and anarchists get wind of this stuff, they might start thinking bigger than smashing bank windows or releasing the penguins from your local zoo.