Original URL: http://www.theregister.co.uk/2007/06/13/millionth_botnet_address/
Federal law enforcement agents targeting botnets recently recorded a grim milestone, identifying the millionth potential zombie victim, the FBI said Wednesday.
Operation Bot Roast, as the cyber crime project has come to be known, has now logged more than 1m IP addresses belonging to a botnet. That amounts to plenty of owners, most of whom are oblivious that their Windows 98 box is a cog in the sprawling machine at the heart of cyber crime.
So the FBI is working with industry partners such as the CERT Coordination Center (http://www.cert.org/) at Carnegie Mellon University to notify victims, the agency announced in a release (http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm). We wanted to know how a notification effort of this scale might work, so we put in a call to learn more.
It turns out there will be no mass emails or phone calls informing victims their machines are compromised. Rather, the project amounts to a campaign to educate the masses that the information security revolution starts at home.
"The vast majority of people infected don't really know their computer has been attacked and their computers are part in a wide-ranging number of criminal activities," says Shawn Henry, the deputy assistant director in the FBI's cyber division. "They've got a responsibility to take a look at their equipment and their networks and ensure that they're secure."
Botnets have emerged as the Swiss Army knife of online crime. They facilitate identity theft by storing huge caches of pilfered personal information. They are the launch pad for most denial of service attacks. And they are the preferred means of churning out spam, which many researchers now estimate comprises 80 percent of the email landing in our inboxes.
In the last couple of years, malware writers have made great strides in designing bots that are largely undetectable to the untrained eye. Many bot applications go through the trouble of installing any missed Windows patches so the compromised machine isn't vulnerable to competing bot herders. The result is a machine that is secretly under the control of a criminal, essentially making it a zombie.
Among the newer uses of botnets is a phishing variation known as the "Rock Phish." Traditional phishing attacks are frequently thwarted when a bank or other target manages to get a domain name registrar to revoke the URL being used by the spoof site. Rock Phish scams solve this limitation by using bots to host the fraudulent sites. When a phishing target succeeds in cutting off a bot, the fraudsters can easily tap another drone to host the bogus site.
"It's the biggest phishing threat out there right now," says Uriel Maimon, a senior research scientist at RSA (http://rsa.com/). He estimates the Rock Phish method is responsible for almost half of today's phishing attacks and is being carried out by a single organized crime ring located in eastern Europe.
Joe Stewart, a senior researcher at SecureWorks (http://secureworks.com/), says Rock Phish attackers store a mountain of pilfered data on a central server and use bots as a kind of reverse proxy to obscure where it is located.
Rock Phish got its name from a now-discontinued quirk in which the attackers used directory paths that contained the word "rock." The method currently targets at least 44 banks, and has proven particularly adept at keeping researchers in the dark, says Stewart.
Operation Bot Roast was created several months ago as an umbrella for the FBI's hundreds of ongoing investigations involving botnets, Henry says. Those investigations have spawned several arrests, including one in 2005 of a 20-year-old hacker who netted more than $61,000 and claimed to control more than 100,000 machines. Jeanson James Ancheta ultimately pleaded guilty and is now serving more than five years in federal prison.
More recently, other suspects of cyber crime have been nabbed as a result of the FBI's crackdown on botnets. Among them: Robert Alan Soloway, aka the Spam King, who was arrested (http://www.theregister.com/2007/05/31/spam_king_arrested/) in Seattle last month and accused of using a large botnet to send tens of millions of junk mails. The 27-year-old businessman has pleaded not guilty and is awaiting trial in the case.
Two other individuals - Jason Michael Downey of Covington, Kentucky, and James C. Brewer of Arlington, Texas - have also recently been charged or arrested in connection with botnet-related crimes.
The FBI marked another significant milestone on Wednesday, announcing its Internet Crime Complaint Center (http://www.ic3.gov/), or IC3, logged its 1 millionth consumer complaint. The IC3 was established in 2000 and is a partnership between the FBI and the National White Collar Crime Center. Its mission is to provide a means for receiving, developing and referring criminal complaints related to cyber crime.
The IC3 has forwarded more than 461,000 criminal complaints, representing losses of about $647m, to federal, state or local law enforcement agencies.®