A telescope that sets its sights on cyber-crime

A TELESCOPE that can peer into the depths of the net to spot the gathering threat of a botnet could help combat cyber-attacks.

Botnets - networks of compromised computers that are controlled by someone with malicious intent - are an increasingly common feature of the internet. They can be used to flood a target website with useless data to bring it down, launch spam, or spy on computer users by looking for their banking logins and passwords.

To combat this threat, Endgame Systems of Atlanta, Georgia, has come up with a system, called the internet telescope, that can map the physical location of computers infected with the malicious software, or malware, used to run botnets. It can even identify the type of malware on the machine and pre-empt its next moves.

Cyber-criminals use the internet to plant malicious code on computers that lack up-to-date security patches. Thousands of such machines, known as bots, can then be controlled by the botnet operator without the owner realising their computer has been recruited into a botnet. Endgame passively tracks these compromised PCs from the botnet traffic they disgorge, geotagging the data to create a global threat map.

It then dissects the malware to work out the web addresses of the next few domain name servers each bot is programmed to seek instructions from once the current control domain expires - a trick they play to evade detection. Once these domains are known, Endgame buys them up before the person controlling the botnet, or "botmaster", does, ensuring that it seizes control of the entire botnet when it switches to its new control address.

Endgame can then either kill the botnet - by ordering all bots to cease activity - or try to catch the botmaster by interfering with the botnet's activity in such a way as to blow their cover. The botmaster might, for example, contact their domain registrar to find out what's wrong with their domain. This would provide the registrar with contact information which could be passed on to law enforcers.
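The sinkhole-side workflow the preceding paragraphs describe - knowing which rendezvous domains the bots will switch to next, registering them first, then passively tallying and geotagging the machines that check in - is sketched below as an added example. This is not Endgame's code or data: the rendezvous schedule, the netblock-to-country table, the "partner" netblocks and the sinkhole log lines are all constructed, the domains are hypothetical, and the schedule is simply supplied rather than derived from malware (no domain-generation logic is shown). It also covers the article's later partner-vetting example by flagging bots that fall inside the partner's address space.

```python
"""Sinkhole-side view of a botnet, modelled on the article's 'internet telescope'
workflow: know the next rendezvous domains, register them first, then passively
tally and geotag the bots that check in. All data below is constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: rendezvous schedule as it might be recovered from malware analysis.
# Dates are ISO strings (they compare correctly as text); domains are hypothetical.
RENDEZVOUS_SCHEDULE = [
    ("2009-11-01", "ctl-alpha.example"),
    ("2009-11-08", "ctl-bravo.example"),
    ("2009-11-15", "ctl-charlie.example"),
]

# Constructed: coarse netblock -> country table standing in for a geolocation database.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "GB"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "DE"),
]

# Constructed: netblocks of a hypothetical proposed business partner.
PARTNER_NETBLOCKS = [ip_network("198.51.100.128/25")]

# Constructed sinkhole log: timestamp, source IP, domain contacted.
SINKHOLE_LOG = """\
2009-11-09T00:01:12Z 203.0.113.17 ctl-bravo.example
2009-11-09T00:01:13Z 203.0.113.17 ctl-bravo.example
2009-11-09T00:02:44Z 198.51.100.200 ctl-bravo.example
2009-11-09T00:03:01Z 192.0.2.9 ctl-bravo.example
2009-11-09T00:03:40Z 198.51.100.7 www.example
2009-11-09T00:04:10Z 198.51.100.201 ctl-bravo.example
malformed line
"""


def domains_to_register(today, schedule=RENDEZVOUS_SCHEDULE):
    """Domains the bots will switch to after `today`: the defender registers
    these before the botmaster can, so the switch lands on a sinkhole."""
    return [domain for when, domain in schedule if when > today]


def active_control_domain(today, schedule=RENDEZVOUS_SCHEDULE):
    """Control domain in force on `today` (latest schedule entry not after it)."""
    current = None
    for when, domain in schedule:
        if when <= today:
            current = domain
    return current


def geolocate(ip, table=GEO_TABLE):
    """First matching netblock wins; the constructed table has no overlapping blocks."""
    addr = ip_address(ip)
    for net, country in table:
        if addr in net:
            return country
    return "??"


def parse_sinkhole_log(text):
    """Yield (ip, domain) per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, ip, domain = parts
        try:
            ip_address(ip)
        except ValueError:
            continue
        yield ip, domain


def threat_map(log_text, today):
    """Passive tally of distinct bots contacting the sinkholed control domain,
    bucketed by country, with bots inside partner netblocks listed separately."""
    control = active_control_domain(today)
    bots = {ip for ip, domain in parse_sinkhole_log(log_text) if domain == control}
    by_country = Counter(geolocate(ip) for ip in bots)
    partner_bots = sorted(
        ip for ip in bots if any(ip_address(ip) in net for net in PARTNER_NETBLOCKS)
    )
    return {
        "control_domain": control,
        "bots": len(bots),
        "by_country": dict(by_country),
        "partner_bots": partner_bots,
    }


if __name__ == "__main__":
    print("register next:", domains_to_register("2009-11-09"))
    print(threat_map(SINKHOLE_LOG, "2009-11-09"))
```

Only traffic to the control domain that is current on the given day counts as a bot check-in; the unrelated lookup of `www.example` and the malformed line are dropped by design, and the same host beaconing twice is counted once.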

Endgame's CEO, Chris Rouland, presented his company's work at the Cyber Warfare conference in London last week. The firm's customers include government agencies and companies who want to know if the organisations they plan to do business with could infect their computers.

In his presentation, Rouland gave the example of a company that wanted to know whether an energy firm it was planning to work with was a cyber-security risk. Using the internet telescope, it zoomed in on the geotagged data to determine that some of the proposed partner company's computers had indeed been compromised by a botnet.

UK government officials told the conference that more real-world countermeasures like Endgame's are needed - and fast. Without them, today's attacks on crucial infrastructure, such as banking networks, may encourage nation-on-nation cyber-warfare in future.

"We underestimate the skill set of organised cyber crime. It is persistent, very well organised and focused," says Amit Yoran of cyber-forensics firm NetWitness based in Herndon, Virginia.

It is also increasingly successful. Over $1 trillion was stolen online in 2008, according to computer security firm McAfee. "That's because we are using technology designed to fight the cyber-threats of 1995," Yoran says.

Most security software impedes known threats, but the most skilful botnet operators don't use known malware. A survey by communications company Verizon, based in New York City, found that 59 per cent of cyber-attacks involve custom-written programs that bypass existing security systems.

Some excellent programmers are behind these attacks, says Jim Butterworth, a director at computer forensics firm Guidance Software of Pasadena, California. "Some malware code has been through far more quality assurance than a lot of commercial software."

Developing countermeasures is being made tougher by the speed of online developments, says Yoran. The shift to mobile computing platforms and social networks such as Twitter helps malware to spread in milliseconds, he says.

The speed of cyber-attacks has also had an effect. In the US, the newly established 24th Air Force heads up the military's cyber security operation. Charles Shugg, the 24th's second in command, says his "hunter" teams, who fend off online attacks or pre-emptively seek out online vulnerabilities, often have no time to develop countermeasures. "Things happen so quickly in the cyber-domain that the hunter teams' offence and defence are often one and the same thing."

Tools such as Endgame's internet telescope may have a role to play in providing the intelligence needed to combat botnets: location-aware technology of this kind may slash the number of bots available to launch cyber-attacks.

Without action, says Gerard Vernez, a cyber-security expert with the Swiss army, the networks we depend on will be vulnerable. "What are we doing now? I call it plug and pray," he says.

Courtesy Computer Crime

HOW DOES THIS WORK?
1. Call our agents at 209-642-4483 and log your issues with us.
2. Our agent connects to your system remotely.
3. Sit back and relax, or watch our service as it happens.
4. Once the issues are solved, the agent gives you a knowledge transfer and disconnects from your computer.
5. You can send your feedback, comments or experience to support@remotepccure.org.

 

Virus Removal Tool Names

Vcleaner: removes I-Worm/Stration, Worm/Generic.FX, Agent.A-AN, BackDoor.Agent.A-Z, BackDoor.Agent.AA-BG, Downloader.Agent.AS, I-Worm/Atak.A-I, Bagle.DA-IU, I-Worm/Bagle.A-Z, I-Worm/Bagle.AA-JD, I-Worm/Bugbear.D, I-Worm/Mytob.A-GC, I-Worm/Netsky.A-Z, Worm/Netsky.AA-AD, I-Worm/Sasser.A-F, I-Worm/Zafi.A-E, PSW.Bispy.A-E, Win32/Gaelicum, Win32/Hidrag
Worm/Downadup (Worm/Conficker): removes Worm/Downadup (Worm/Conficker)
Downloader.Stubby.A: removes Downloader.Stubby.A
I-Worm/Bugbear.C: removes I-Worm/Bugbear.C
I-Worm/Ganda: removes I-Worm/Ganda, papaDog; download remover: rmganda.exe
Win32/Expiro: removes Win32/Expiro
I-Worm/Happy99: removes I-Worm/Happy99
I-Worm/Lovgate.C: removes I-Worm/Lovgate.C
I-Worm/Luder: removes I-Worm/Luder
Win32/Dundun: removes Win32/Dundun
I-Worm/Mydoom.A and B: removes I-Worm/Mydoom.A and I-Worm/Mydoom.B
I-Worm/Mydoom.F: removes I-Worm/Mydoom.F
I-Worm/Navidad: removes I-Worm/Navidad
I-Worm/Nimda: removes I-Worm/Nimda
I-Worm/Pretty_Park: removes I-Worm/Pretty_Park
I-Worm/Sircam.A: removes I-Worm/Sircam.A
I-Worm/Sober.A: removes I-Worm/Sober.A
I-Worm/Swen: removes I-Worm/Swen
I-Worm/Verona.B: removes I-Worm/Verona.B
LOP.AH/Backdoor.Generic3.SVX: removes LOP.AH/Backdoor.Generic3.SVX
Packed.Protector.C: removes Packed.Protector.C
Win32/Vampiro: removes Win32/Vampiro
VBS/Iloveyou: removes VBS/Iloveyou
Win32/Alman: removes Win32/Alman
Win32/Delf.2.B: removes Win32/Delf.2.B
Win32/Dupator: removes Win32/Dupator
Win32/Elkern, variants A, B and C: removes Win32/Elkern.A, Win32/Elkern.B, Win32/Elkern.C
Win32/Gaelicum: removes Win32/Gaelicum
Win32/Kriz: removes Win32/Kriz
Win32/Mabezat: removes Win32/Mabezat
Win32/Magistr, variants A and B: removes Win32/Magistr.A, Win32/Magistr.B
Win32/Parite: removes Win32/Parite
Win32/Prepender: removes Win32/Prepender
Win32/Sality: removes Win32/Sality
Win32/Tanatos, variants A, H, I and M: removes Win32/Tanatos A, Win32/Tanatos H, Win32/Tanatos I, Win32/Tanatos M
Win32/Valla.2048: removes Win32/Valla.2048
Win32/Virut: removes Win32/Virut
Worm/Lovsan: removes Worm/Lovsan