Cyber Criminal Activity (group 2)

Revision as of 01:04, 7 December 2005 by Elijah Esquibel (Advancements and Developments in Bot Software)

Whitepaper Proposal

Summary

Topics: Cyber Criminal Activity

Team members:

Jing Xiao (James)

Ted Zuvich

Michael A. Laurenzano

Elijah Joshua Esquibel


Spyware is causing ever more trouble and confusion for Internet users. We will research current spyware intrusions and botnet attacks and analyze the severity and reach of this threat to ordinary Internet users and to organizations. We will take one type of spyware and one kind of botnet attack as examples and analyze how each intrudes and operates, the harm it causes, and the cost of preventing it. We will also look into the history of cyber criminal activity and trace the evolution of attackers, targets, defenders, vulnerabilities, threats and goals of attacks.

How we are dividing the tasks:

Spyware intrusion (general analysis and example) -- Jing

Botnet attacks (general analysis and example) -- Ted

Evolution of attackers, targets, defenders, vulnerabilities, threats and goals of attacks: botnets -- Elijah; spyware -- Michael


Section 1: Spyware Intrusion

Section 2: Botnet Attacks

Section 3: Spyware

Section 4: Development and Expansion of Bots: Attackers, Victims, and Policy

First Draft

Advancements and Developments in Bot Software

Internet Relay Chat (IRC) was in common use in the infant stages of the Internet. “It was originally written by Jarkko Oikarinen in 1988. Since starting in Finland, it has been used in over 60 countries around the world. IRC is a multi-user chat system, where people meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately. There is no restriction to the number of people that can participate in a given discussion, or the number of channels that can be formed on IRC.” (Vonck) It was a simple way for people to chat (and insult each other) over the Internet: think of Microsoft Messenger or AOL, but without all the pretty skins and features.

What set IRC apart was that you could impose specific rules on your server, limit the number of users who had access to it, and protect private chat with passwords. As time went on, people developed ways to monitor activity on these channels. The inherent weakness of this kind of chat is that if the channel operator lost their connection, another user would be assigned as operator and given control of the channel. This led people to target specific users with DDoS attacks, and worse, in order to take over their channels.

In 1993 Eggdrop was written by Robey Pointer, then 18 years old (Marijn). This program let its user monitor a single IRC channel, and Eggdrop bots could be linked together to combine their power. In 1999 PrettyPark was distributed as an e-mail attachment that displays a 3D pipes screensaver; once run, it connected to an IRC server and allowed the controller, through that server, to have the infected machine download an executable file. The possibilities unleashed by this bot are still present in today's bots. The bot allows a controller to gather and monitor information on an infected PC or, in a corporate setting, on a number of workstations. Once connected to the controller's server, the bot can act as a Trojan, gathering passwords and user login information and giving access to the hard disk. Its icon is Kyle Broflovski from South Park, to entice people to click on it.

PrettyPark is not a direct relative of the IRC bot software we see today, but it did inspire the program that all malicious IRC bots share as a common ancestor: SDBot. It was not until 2002 that these bots were able to wield the collective power of a botnet from a single channel. SDBots were malicious by design, setting themselves to run at startup of the infected PC, and being written in C++ gave them broad flexibility. They were crafted to be stealthy: they covered their tracks from the user of the infected host by running in the background under unsuspicious .exe names, and they downloaded and installed themselves automatically without being noticed.

Vulnerabilities and Threats

Key loggers

Screen Shots

Application termination

Clipboard Copy

Passwords

Peripheral control

Spam

Packet interception (sniffing)

Rootkits

P2P fraud

Motives and Goals

Botnets are used to send out e-mail for spam and phishing attacks. They can also be used to flood a system with data in a denial-of-service attack.

Bot software is much harder to detect than a worm because it is far less obvious to the user. Worms spread automatically and at blazing speed; that speed and randomness create a lot of traffic (Internet noise) that monitoring devices pick up easily. Bots, on the other hand, are directed to seek out networks to infect, which takes much less bandwidth than a worm and lets the bot software propagate with less chance of detection.

DDoS attacks sold to the highest bidder by these botmasters are the equivalent of paid hits to take out Internet sites. Extorting money in exchange for not launching a DDoS attack is another way of making money. Spam, credit card fraud and affiliate incentive programs are further reasons to set up a botnet and make easy money.

Defense

In an article, David Dittrich gives five simple ways to fight back against the attacks by bots on our computers. He begins by saying, “Large enterprises may have hundreds of compromised hosts being used by a single attacker. And numerous attackers are likely using multiple sets of computers. Defending against botnet attacks is challenging and complex.” (Dittrich) His suggestions are as follows:

  1. Scan hosts and network traffic for the telltale signs of bot infection
  2. Tune routers, firewalls and intrusion-detection/prevention systems to detect and block botnet traffic.
  3. Secure hosts against botnet exploit.
  4. Apply reverse engineering to bot code.
  5. Work with law enforcement to help prosecute botnet creators.
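As an added example (not from the original page or from Dittrich's article), the following Python script shows what step 1, scanning network traffic for the telltale signs of bot infection, can look like in practice. It also illustrates the earlier point about worms versus bots: a worm's fast, random scanning is loud and easy to catch by counting fan-out per host, while a bot's slow check-ins to its IRC server are quiet and are only caught by looking for fan-in, many internal hosts rendezvousing with the same external server on an IRC port. The connection-log format (timestamp, source, destination, destination port), the list of IRC ports, the thresholds and the sample records are all assumptions constructed for this example.

```python
"""Added example: flag two telltale signs of bot activity in a connection log.

Signals checked (thresholds are assumptions for this example):
  * fan-in:  >= MIN_HOSTS distinct internal hosts talking to the same external
             server on an IRC port, the shape of a botnet rendezvous channel;
  * fan-out: one host contacting >= MIN_TARGETS distinct destinations inside a
             WINDOW, the noisy pattern of a worm or an aggressively scanning bot.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# IRC ports commonly used for command and control (assumed list for this example).
IRC_PORTS = set(range(6660, 6670)) | {7000}
MIN_HOSTS = 3
MIN_TARGETS = 20
WINDOW = timedelta(seconds=60)


def parse_log(text):
    """Parse 'YYYY-MM-DDTHH:MM:SS src dst dport' records (an assumed log format)."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(dport)))
    return records


def irc_rendezvous(records, min_hosts=MIN_HOSTS):
    """Return {(dst, dport): [sources]} for IRC servers contacted by >= min_hosts hosts."""
    fan_in = defaultdict(set)
    for _, src, dst, dport in records:
        if dport in IRC_PORTS:
            fan_in[(dst, dport)].add(src)
    return {server: sorted(hosts) for server, hosts in fan_in.items() if len(hosts) >= min_hosts}


def scanners(records, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {src: peak distinct destinations within any window} for noisy hosts."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in records:
        by_src[src].append((ts, dst))
    noisy = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # distinct destinations reached in the window starting at this event
            targets = {d for t, d in events[i:] if t - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            noisy[src] = peak
    return noisy


def constructed_sample():
    """Constructed sample log: five quiet bot check-ins, one legitimate IRC user,
    and one host sweeping 25 addresses on TCP/445 within ten seconds."""
    lines = []
    for i, minute in enumerate([3, 11, 27, 40, 55]):
        lines.append(f"2005-12-07T01:{minute:02d}:00 10.0.0.{i + 1} 203.0.113.10 6667")
    lines.append("2005-12-07T01:15:00 10.0.0.50 198.51.100.5 6667")
    for i in range(25):
        lines.append(f"2005-12-07T02:00:{i % 10:02d} 10.0.0.99 192.0.2.{i + 1} 445")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(constructed_sample())
    print("IRC rendezvous servers:", irc_rendezvous(recs))
    print("Worm-like scanners:", scanners(recs))
```

Run against the constructed sample, the fan-in check reports 203.0.113.10:6667 with five internal hosts (the bot check-ins, which are spread over an hour and never trip the fan-out check), the lone IRC user on 198.51.100.5 stays below the threshold, and the fan-out check reports 10.0.0.99 with 25 targets in one window. On a real network the same two queries run over NetFlow or firewall logs.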

I believe that these suggestions would greatly limit the ability of bot “herders” to collect these massive botnets, because the bots would be discovered at a higher rate, and hopefully we can mitigate the damage done by reducing the time that machines are compromised or that others are infected.

Prevention of attacks

Make the nodes themselves more robust by keeping servers, desktops and laptops current on patches. Fortify the TCP/IP stack against SYN floods by raising the maximum SYN backlog queue and enabling SYN cookies. Eliminate services that are not necessary and pose a threat; more applications mean more vulnerabilities. Restrict inbound TCP on web servers to ports 80 and 443, to TCP port 53 on DNS servers, and to other known ports elsewhere, and watch for access attempts on the ports that remain open.
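As an added example (not part of the original page), the Python script below audits a Linux host against the hardening advice above: it checks the TCP/IP stack settings for SYN cookies and the SYN backlog, and compares the listening TCP ports against the small set a web server is meant to expose. It parses the text formats of `sysctl -a` and `ss -ltn`; the sample outputs here are constructed so the script runs offline, and the backlog floor and the allowed-port set are assumptions chosen for the example.

```python
"""Added example: audit sysctl hardening and listening services on a Linux host."""

# Floors for the stack settings discussed above (the backlog value is an assumed minimum).
REQUIRED_SYSCTL = {
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.tcp_max_syn_backlog": 4096,
}

# Ports a web server is meant to serve, plus SSH for administration (assumed allowlist).
WEB_SERVER_ALLOWED = {22, 80, 443}

# Constructed sample of `sysctl -a` output from a host that has not been hardened.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 256
"""

# Constructed sample of `ss -ltn` output: besides the expected services it shows an
# RPC endpoint mapper and a local IRC listener, neither of which belongs on a web server.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       511      *:80                 *:*
LISTEN  0       511      [::]:443             [::]:*
LISTEN  0       128      0.0.0.0:135          0.0.0.0:*
LISTEN  0       128      127.0.0.1:6667       0.0.0.0:*
"""


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict of string values."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit_sysctl(settings, required=REQUIRED_SYSCTL):
    """Return (key, current, wanted) for each setting that is missing or below its floor."""
    findings = []
    for key, floor in required.items():
        current = settings.get(key)
        if current is None or not current.isdigit() or int(current) < floor:
            findings.append((key, current, floor))
    return findings


def remediation(findings):
    """Commands that would bring the flagged settings up to their floors."""
    return [f"sysctl -w {key}={floor}" for key, _, floor in findings]


def parse_ss_listeners(text):
    """Extract the local TCP ports in LISTEN state from `ss -ltn` output."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        port = cols[3].rsplit(":", 1)[1]  # handles 0.0.0.0:22, *:80 and [::]:443
        if port.isdigit():
            ports.add(int(port))
    return ports


def audit_listeners(ports, allowed):
    """Return listening ports that are not on the host's allowlist, lowest first."""
    return sorted(ports - set(allowed))


if __name__ == "__main__":
    weak = audit_sysctl(parse_sysctl(SAMPLE_SYSCTL))
    print("Weak stack settings:", weak)
    print("Fix with:", remediation(weak))
    print("Unexpected listeners:", audit_listeners(parse_ss_listeners(SAMPLE_SS), WEB_SERVER_ALLOWED))
```

On the constructed input the audit flags SYN cookies being off and a 256-entry SYN backlog, proposes the two `sysctl -w` commands to correct them, and reports ports 135 and 6667 as services that should not be listening on a web server. The IRC listener in particular is exactly the kind of thing a bot leaves behind. On a real host, replace the two samples with the live output of `sysctl -a` and `ss -ltn`, and remember that `ss -ltn` only lists TCP, so check UDP listeners separately.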

These bots can be really nasty, in that some variants are extremely hard to eradicate. Formatting the hard drive and reinstalling the OS is easy and cheap, but we must all work together to combat bots, and an image of the hard drive may be needed to help investigators and to work out defenses against future bots.

Botmasters are driven by a pipeline of cold hard cash, and that incentive system does not seem to be going away any time soon. What is more alarming is that a zero-day exploit will not be as easily detected as Slammer or other attacks of that kind. The result will be that a group can mount a tailored attack rather than a random one, and such an attack could be used by terrorists.

The fight against botnets would be made much easier if ISPs and anti-virus vendors could team up and share information, so that botnets could be dismantled and the bots uninstalled from end users' computers.


Works Cited

  1. “Invasion of the “Bots”: You Could Be A “Zombie” and Don’t Know It!!” National Webcast Initiative, NYS Office of Cyber Security & Critical Infrastructure Coordination, 18 May 2005 <http://www.cscic.state.ny.us/msisac/webcasts/05_05/info/518q_a.htm>
  2. Vonck, Tjerk. “Introduction to IRC for people using Windows.” 27 August 2003 <http://www.mirc.com/ircintro.html>
  3. Dittrich, David. “Five steps for beating back the bots.” Information Security, 20 March 2005 <http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1068834,00.html>
  4. Marijn. “Guide to TCL scripting for Eggdrop 1.6.” 05 December 2005 <http://www.suninet.org/tclguide/index.php?chap=1&pg=-1>