
Getting Cyber-Serious? – FBI Targets Botnet

The FBI has been trumpeting an apparently unprecedented action – obtaining a court order from U.S. District Judge Vanessa Bryant permitting the takeover of servers that had been communicating with a “botnet” called Coreflood, malicious software that infects Microsoft Windows-based computers. Coreflood is designed to steal usernames, passwords and financial information.

A botnet is built from a particular kind of malware. These viruses contain software that allows them to establish a command and control (C&C) channel through which they can be updated and directed. Once a network of computers has been compromised by malicious code, the machines may be remotely controlled by a single computer or server, called a handler, “bot herder” or “bot master.”

Under the restraining order issued by the judge, Internet Systems Consortium (ISC), a private non-profit group, will take over the servers providing C&C for Coreflood under law enforcement supervision. “According to the filing,” reports Wired, “ISC planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote ‘stop’ command to infected machines to disable the Coreflood malware operating on them.”

It is great to hear that the FBI is on the case, but to be honest, ever-vigilant law enforcement alone will never be enough to save us from cyber enemies. Many botnets are managed from overseas, where the U.S. government will have to deal with a tangle of different laws, interests, and capacities for dealing with cyber-serious bad guys. Russia, for example, remains the global capital of cyber-crime. Through 2007, ground zero in the world of illicit Russian online activity was the Russian Business Network (RBN). For groups like RBN, the Internet is a cash cow. They use it to steal personal identity information for resale. RBN was also a world leader in “spam” (bulk delivery of unsolicited e-mail). There is also plenty of evidence that RBN and similar criminal groups extorted money from companies by threatening to shut them down with denial-of-service strikes. A favorite tactic was going after Internet gaming companies before major sporting events like the Super Bowl.

RBN also acted as a “service provider” for others, such as those wishing to distribute child pornography or computer viruses. And they are rumored to be happy to conduct massive denial-of-service attacks – for a price. RBN also sold franchises and marketed its services worldwide. The RBN network, based in St. Petersburg, was shut down. It later reappeared on servers in Turkey, Poland and China, but then vanished again, to be replaced by other cyber-serious criminals.

While government can and should do more, users of the Internet will still have to bear much of the responsibility to protect themselves from malicious activity — much like the local militia protected their own communities on the frontier.

Malicious software like Coreflood, for example, is spread by “social engineering,” where the users are largely responsible for the fact that their computers were infected (like homeowners unsuspectingly inviting a burglar in for tea). In the case of Coreflood, it is distributed “via peer-to-peer file-sharing networks, as an attachment in newsgroup postings or e-mail, etc. The file is likely to be named to entice the victim to run it (e.g., NEW_YEAR.EXE)…[it] may also be received as a result of poor security practices (weak username/password combination on open shares, lack of/or misconfigured firewall protection), or unpatched and vulnerable systems.”

The National Security Agency recently published “Best Practices for Keeping Your Home Network Secure.” It offers a list of what America’s cyber-militia must do to protect itself from attack.