During the SANS Institute's Conference in October 2004, the Institute's Alan Paller claimed that "Every online gambling site is paying extortion... Hackers use DDoS attacks, using botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.' "
In the same month as this revelation, UK-based bookies Blue Square received an email from Serbia. It read: "You have time until 5pm your local time. I will now start an attack for one hour. This will be 1/20 of the power I can do." Blue Square's website was duly subjected to a small DDoS attack, but the company had been a victim before and had installed systems capable of identifying and absorbing the malicious traffic. Then things got really nasty.
Blue Square received a sinister phone call. An Eastern European voice said that unless the company paid €7,000 immediately, emails containing child porn would be sent in the company's name. Communications officer Ed Pownall decided to go public about this sinister follow-up threat: "How could we ever explain to shareholders we had paid out to extortionists?" he argued. "We have decided to go public so that if people do receive one of these emails they know it's not from us."
Attacks on the up
Since then, DDoS attacks have leapt almost immeasurably in their sophistication, power and – in some cases – their ingenuity. In March 2008, the eCrime Congress held in London heard from Peter Bassill, Information Security Officer at UK-based bookmaker Gala Coral. He reported that last year, an organised gang set up thousands of seemingly legitimate accounts with his company, using stolen identities. A large botnet then generated masses of seemingly legitimate web traffic for those accounts. The attack produced around 10GB of traffic per second, taking the company offline. Bassill also said that Gala Coral now suffers an average of two such powerful DDoS attacks a year, usually preceded by ransom demands in excess of $100,000.
Luckily, cutting-edge anti-DDoS protection is catching up, and big companies pay for that rather than paying out to extortionists. However, Bassill also warned that while all commercial companies are now under threat, it seems that not all DDoS attackers want money.
The motives for using botnets are becoming increasingly trivial as they fall into younger hands. Like a drive-by shooting to avenge an insult, upsetting the wrong person online could now end in overwhelming retaliation. Security site CastleCops, which hosts community efforts to investigate malware, became the target of such malice last year.
During a five-day DDoS attack in March, nearly 1GB of data flooded the CastleCops site every second, pushing both it and its service provider off the web. Moving to a secondary ISP merely moved the focus of the attack. The perpetrator, according to US prosecutors, was a disgruntled 21-year-old Californian named as Greg C King. His history of actively trying to provoke angry reactions from site owners before launching DDoS attacks stretches back to 2004 when authorities raided his parents' house.
It's not usually the botnet owner performing the attack for his own ends, however. The owner – or 'herder' – simply keeps on growing his botnet, renting it out to other parties on the side. This means that attacks are far more likely to have been commissioned by a third party.
When scam baiting site 419Eater fell victim to a DDoS attack in September last year, it was obvious that Nigerian fraudsters had taken exception to the whistle being blown on their crimes. So who are these botnet herders – and what kind of power is available for rent?
Today, with the internet shrinking distances, the people renting botnets could be anywhere. The owners of the largest botnets, however, tend to be from Eastern Europe. One such group is the shadowy Zhelatin gang, named after the official designation of the trojan used to grow their botnet.
The software the Zhelatin gang installs on unprotected Windows machines became known as 'Storm', after the titles of some of the emails they sent. They enticed people to click on a poisoned link to read more about devastating storms battering Europe – installing the trojan via the victim's web browser in the process. The trojan was first spotted in January 2007, but finding hard information about the size of the resulting Storm botnet is surprisingly difficult.
Some sources put the size of the Storm botnet at between 250,000 and 1 million, while others place it anywhere between 1 and 50 million. Anti-spam service MessageLabs puts the figure close to 50 million, but says that it uses only 10-20 per cent of its total capacity at once.
It's known that the Storm botnet is highly functional. Its unwitting zombies can send email containing malware to grow the botnet further, phishing attempts, other viruses or spam for whatever product it's commissioned to plug. Storm's command and control mechanism is a resilient, distributed peer-to-peer network. It's also known that Storm encrypts command traffic and that it's partitioned into functional units. There's good evidence to suggest that this is for the purpose of renting it out as well as obscuring its true size, so that parts of the botnet can run their commissioned tasks independently of the rest. Storm can also mount overwhelming DDoS attacks, which it's been reported to do – even against its rivals. Gang turf wars, it seems, extend to cyberspace.
Via frequent code updates, Storm has managed to keep software vendors on their toes. Last year, Microsoft released an update to its Windows Malicious Software Removal Tool. This identified and removed Storm from over 274,000 machines. Despite this, however, the botnet continues to grow – as do official efforts to track down and bring to justice the owners and users of this and other botnets.
Operation Bot Roast is how the FBI describes its ongoing efforts to track and prosecute people involved in botnet activities. Begun in response to the threat that large botnet attacks pose to national security, the operation has scored a stream of arrests and exposed the true scale of the botnet problem.
In a press release dated 13 June 2007, the Bureau said that it had identified over 1 million infected IP addresses to date. "The majority of victims are not even aware that their computer has been compromised or their personal information exploited," says FBI Cyber Division Assistant Director James Finch.
The Feds also announced that three botnet herders had been arrested and charged. By November, this number had risen to eight. The FBI had also carried out 13 raids (including overseas operations conducted with the cooperation of local police), and the number of infected machines discovered had nearly doubled, rising to two million. The total amount in losses caused to business and consumers by the botnets uncovered at that point stood at $20 million.
One of those herders successfully traced and charged by the FBI was John Kenneth Schiefer, a 26-year-old computer security consultant by day, who by night was the creator of a botnet designed specifically to syphon off PayPal credentials. After pleading guilty to charges of bank and wire fraud, Schiefer now faces up to 60 years in jail.
Operation Bot Roast is the latest in a series of increasingly successful investigations that have seen several gangs jailed. In 2006, Russian authorities convicted Ivan Maksakov, Alexander Petrov and Denis Stepanov. Each received eight years in prison and a $3,700 fine. In just six months, the gang made 50 blackmail attempts, including some against UK companies, netting themselves over $4 million. One victim was CanBet Sports Bookmakers. After refusing to pay $10,000 in blackmail to keep their site running during the Breeders' Cup, they lost $200,000 a day while the resulting DDoS attack kept them offline.
While the problem facing large companies is whether to pay protection or risk losing a larger amount, the problem for law enforcement is that botnet evolution is accelerating.
The Kraken awakes
According to Atlanta-based security company Damballa, as of April 2008 the Kraken botnet is officially the world's largest in terms of the number of machines active at any one time – dwarfing even Storm. The company says that it observed Kraken traffic coming from 400,000 IP addresses on a single day in March – up from 300,000 at the start of the month.
"Kraken is the largest [botnet] we've seen to date," says Damballa's Principal Researcher Paul Royal. "We've observed evidence of Kraken-based compromises in at least 50 of the Fortune 500." Some Kraken-infected clients have been known to spew out up to half a million spam emails a day. Damballa also calculates that if Kraken's current growth continues, its active portion will soon be 600,000 strong.
Ingeniously, Kraken not only employs encrypted communications between zombies and their controlling servers, but according to Damballa, the botnet also employs redundancy mechanisms so that its owners can regain control even if some command and control servers are discovered. These servers are known to be located in the US (specifically Dallas), France and Russia. Like Storm before it, a gradually changing code base also keeps Kraken a step ahead of detection software. Paul Royal also says there are bound to be other large botnets that simply haven't been detected yet.
According to data from Trend Micro, the UK currently has 1.25 million virus-infected PCs, including those carrying botnet software. The growth in the number of machines infected is evidence that, whether through unwillingness, mistrust or simply a genuine lack of knowledge, ordinary people are helping criminals to commit serious online crimes. Unfortunately, the botnet problem looks set to carry on growing.