Yi-Lang Tsai's Blog

Yilang's Blogger

Botnets and Trends of Advanced Persistent Threats

Published by Yi-Lang Tsai on 4/26/2012 11:30:00 PM

In the development of information security, cyber attacks have become much more organized and refined. Elaborately planned cyber attacks have taken the place of large-scale attacks, and using malicious software to infect victims' computers is the most common method of carrying out cyber attacks.

Botnets are currently the most severe information security threat, and the advanced persistent threat (APT) is the most widely discussed information security issue. During targeted attacks, hackers usually steal information or launch large-scale attacks using Botnets. Once the targets are chosen, hackers carry out long-term and persistent attacks using various methods, and many compromised computers unknowingly participate in the attacks the hackers launch. Malicious software used by Botnets is often customized to the weaknesses of the targeted computers. These "special-purpose" malicious programs are extremely hard to detect in their latent or infected phase: unless the behavior and patterns of such programs are known in advance, they are hard to detect by signature comparison. Also, once a system is infected, it is difficult for anti-virus software to detect and remove the malicious programs because they mutate rapidly.

(Fig. Botnet Infection Map)

In order to penetrate firewall defenses, most Botnets use protocols and ports that the firewalls allow. This approach has changed the conventional information security defense model. In the past, internal networks were treated as relatively high-security networks and external networks as relatively low-security ones. Default access control settings allow computers in a higher-security network to connect to a lower-security network, so infected computers pass freely outward through defenses such as firewalls. This is one of the reasons that Botnets are able to spread on such a large scale.

Commonly used Botnet protocols include HTTP, FTP, TFTP, and IRC, all of which are widely used by legitimate applications. When Botnets communicate over these protocols they often go unnoticed by the administrators of the Botnet-infected systems, especially while the Botnet is in its latent phase and maintains only minimal communication with an intermediate node or the hacker's control platform (C&C, Command and Control). This communication behavior cannot be effectively controlled using conventional network activity statistics.

The main difference between Botnets and computer viruses, Trojan horses, and Internet worms is that Botnets not only affect computer systems but also achieve more effective management through intermediate nodes or central control stations. Infected bots (i.e. infected computers) actively connect to these intermediate nodes or central control stations and wait for commands. Once they receive a command to attack, bots are able to launch malicious attacks very quickly. This differs from conventional attacks, in which the attacker must send commands individually to hacked computers located in different areas. Botnets can therefore not only manage their infections more efficiently, but also launch targeted attacks within a relatively short period of time.
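The two paragraphs above make a point a defender can act on: a latent bot keeps only minimal, periodic contact with its C&C node, so connection counts and byte totals look unremarkable, but the timing of those contacts is far more regular than human-driven traffic. The following is an added example, not code from the original post, that scores the regularity of inter-connection gaps per (source, destination) pair over constructed outbound connection log lines. The log format (`<ISO timestamp> <src> <dst> <bytes_out>`), the 300-second check-in period, and the placeholder C&C host name `cnc.invalid` are all assumptions made for the example.

```python
"""Beacon detection over outbound connection logs (added example).

Rather than volume statistics, this scores how constant the interval between
successive connections from one internal host to one destination is. A pair
with many connections and a near-zero coefficient of variation (CV) of its
gaps is flagged as beacon-like. All log lines are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_log():
    """Build constructed log lines: "<ISO timestamp> <src> <dst> <bytes_out>".

    Host 10.0.0.5 browses normally (bursty, irregular gaps, larger transfers)
    and also carries a bot that checks in with the placeholder C&C host
    cnc.invalid once every 300 seconds (assumed period for this example).
    """
    base = datetime(2012, 4, 26, 9, 0, 0)
    lines = []
    # Human-driven browsing: irregular offsets in seconds, varied sizes.
    for offset, size in [(0, 4120), (7, 18230), (9, 2210), (180, 9900),
                         (1900, 31000), (1903, 1250), (2700, 7600)]:
        t = base + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 10.0.0.5 www.example.com {size}")
    # Latent bot check-in: tiny request, fixed 300 s period.
    for i in range(12):
        t = base + timedelta(seconds=300 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 cnc.invalid 212")
    return lines


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(lines, min_connections=6, max_cv=0.1):
    """Group connections by (src, dst) and flag pairs whose gaps are nearly constant.

    Returns {(src, dst): {"count", "period", "cv", "avg_bytes"}} for flagged pairs.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = parse_line(line)
        by_pair[(src, dst)].append((ts, nbytes))

    flagged = {}
    for pair, events in by_pair.items():
        # Too few connections to judge regularity.
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        # Coefficient of variation: 0 means perfectly periodic.
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            flagged[pair] = {
                "count": len(events),
                "period": avg_gap,
                "cv": cv,
                "avg_bytes": mean([b for _, b in events]),
            }
    return flagged


if __name__ == "__main__":
    for pair, info in find_beacons(constructed_log()).items():
        print(f"{pair[0]} -> {pair[1]}: {info['count']} connections, "
              f"period {info['period']:.0f}s, cv {info['cv']:.3f}, "
              f"avg {info['avg_bytes']:.0f} bytes")
```

The browsing pair has seven connections but gaps of 7, 2, 171, 1720, 3 and 797 seconds, so its CV is well above the threshold and it is not flagged; the check-in pair has twelve identical 300-second gaps and a CV of 0. Real bots often add jitter to their period, so in practice the threshold is tuned per environment and combined with other signals (destination reputation, request size, time-of-day) rather than used alone.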

Currently, most underground economic activities are conducted in coordination with Botnets (e.g. stealing personal information, stealing website accounts and passwords, capturing keyboard input using screen loggers, or participating in malicious attacks using Botnets). The mutation tools the malware uses to spread its code are very difficult to detect. Additionally, the development of information convergence and the digital economy, together with the growth of cloud technologies and mobile commerce, brings additional information security protection considerations. In a new environment built on new technologies, mobile and broadband terminals, networks, services, application platforms, data centers, crime investigation, and national security will also face attacks by highly experienced hackers using malicious software.

In 2011, APT was extremely active. The APT is not a new type of attack, rather, it is a combination of several different attack methods in direct response to the targets’ environments. The entire attack process is divided into several stages including data collection and analysis, system and application weakness scanning, Rootkit use, and exploitation of Web Application security weaknesses. Victims of APT include information security equipment and service providers such as RSA Inc. and HBGary, Sony Entertainment Network, Citibank, Google, and VISA Inc.

In addition to information security equipment and services being hacked, the leaking of client information has also become a major issue. Observing the trend of such attacks, hackers are not only stealing data from typical users' PCs, but are also gaining interest in important and representative targets and planning long-term attacks against them. Through social engineering and web mining and probing, hackers customize their attack methods to particular targets, and these attacks often last several months to a year until their goals have been achieved. The attackers usually deliver network services or documents that appear legitimate but actually contain malicious programs, using them to launch zero-day attacks. The attackers also target unannounced system and application weaknesses, so that the victims are not able to detect the attacks. When Botnets are combined with APT, attackers can use an immense Botnet to carry out multiple types of attacks simultaneously and to implant malicious software through multiple channels.

We live in a continuously evolving computing and networking environment wherein new applications that have the potential to be hacked are constantly being introduced. New risks are often generated by these new applications. The only way to improve information security is to know the latest developments in information security, understand common attack methods and ways to protect our systems and applications against them, and avoid exposing our systems to unsafe environments in the first place.