Page 2 of 3
Bringing Botnets Out of the Shadows
Botnets typically consist of Microsoft Windows machines that belong to small-business or home-computer users who failed to secure their PCs against hackers and viruses. Their machines are typically infected when the user opens an infected e-mail attachment. While firewall and anti-virus programs can help block such attacks, online criminals are increasingly developing programs that evade detection or even disable security software.
"What I've seen from my work with Shadowserver has blown me away," said André M. Di Mino, 40, a private technology consultant from Bergen County, N.J. Di Mino teamed up with the group in October after he left a job as a chief information officer at a business-services company.
"I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.
Catching Viruses With Honey
When he's not manning the deli counter at a supermarket in Liverpool, England, 20-year-old Shadowserver member Dave Andrews is usually poring over new computer virus specimens. (Unlike Andrews, the vast majority of the volunteers are located in the United States.) Like most other members, he began fiddling with computers and programming at an early age.
Four months ago, Andrews was on track to become a computer-systems engineer in the British military, but he said he was honorably discharged on account of a recurring physical injury. Most of the Shadowserver crew have backgrounds in computer security, and they are all volunteers who spend most of their free time on the project.
Andrews's virus specimens were collected by an automated software tool designed to catch new pieces of computer code that criminals use to infect PCs and turn them into bots. Shadowserver locates bot networks by deploying a series of "honeynets" -- sensors that mimic computers with known security flaws -- in an effort to lure attackers, allowing the group to capture samples of new bot programs.
Most bots spread by instructing newly infected machines to download the attacker's control program from a specific set of Web sites. By extracting those download links from the captured code, Shadowserver members can begin to build a map of the attacker's network, information that is then shared with several other botnet-hunting groups, security volunteer groups, federal law enforcement, and any affected ISPs or Web site hosts.
Each unique piece of intercepted bot code is run through nearly two dozen anti-virus programs to determine if the code has already been identified by security vendors. Shadowserver submits any new or undetected specimens to the major anti-virus companies. Andrews said he is constantly surprised by the sheer number of bot programs that do not get flagged as malicious by any of the programs.
"Generally, one or two [correct identifications] is considered good, but there are hundreds of bot programs that each anti-virus program doesn't catch on its own," Andrews said.
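The two steps just described, pulling the download links out of a captured bot and tallying how many scanners flag it, are easy to show in code. The following is an added example written for this page, not Shadowserver's own tooling: the sample bytes, the scanner names and their verdicts are constructed for illustration, and the hosts (203.0.113.7, dl.example.net) are reserved documentation addresses standing in for real download sites.

```python
"""Triage of a captured bot sample (added example, not Shadowserver code).

Given the raw bytes of a bot program and the verdicts of several
anti-virus scanners, this script:
  1. hashes the sample so it can be tracked as one unique specimen,
  2. extracts the URLs the bot would fetch its control program from,
  3. groups those URLs by host (the hosts are what get reported to ISPs
     and Web hosts), and
  4. decides whether the sample is undetected enough to be forwarded to
     the anti-virus vendors.
"""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-in for a captured bot binary: a fake header, junk
# bytes, and a few NUL-terminated download URLs, the way a dropper's
# strings would look. Not a real sample.
SAMPLE = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"GET http://203.0.113.7/bots/update.exe\x00"
    + b"\x90\x90http://dl.example.net/x/inst.exe\x00\x00"
    + b"http://203.0.113.7/bots/adware.exe\x00"
    + b"garbage" * 4
)

# Constructed multi-scanner verdicts; None means "not flagged".
# Scanner names av1..av4 are placeholders, not real products.
VERDICTS = {
    "sample_a": {"av1": "Trojan.Bot", "av2": None, "av3": None, "av4": "W32/SDBot"},
    "sample_b": {"av1": None, "av2": None, "av3": None, "av4": None},
}

# A URL runs from "http://" over printable, non-space bytes; the NUL that
# terminates C strings ends the match.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def sample_id(blob: bytes) -> str:
    """SHA-256 of the sample, used as its identifier across scanners."""
    return hashlib.sha256(blob).hexdigest()


def extract_urls(blob: bytes) -> list:
    """Return the unique download URLs embedded in the sample, in order."""
    found = []
    for m in URL_RE.finditer(blob):
        url = m.group().decode("ascii")
        if url not in found:
            found.append(url)
    return found


def map_hosts(urls) -> dict:
    """Group URLs by host so each hoster/ISP gets one report."""
    by_host = defaultdict(list)
    for url in urls:
        by_host[urlparse(url).hostname].append(url)
    return dict(by_host)


def detection_count(verdicts: dict) -> int:
    """Number of scanners that flagged the sample."""
    return sum(1 for v in verdicts.values() if v)


def needs_submission(verdicts: dict, max_hits: int = 0) -> bool:
    """True when at most max_hits scanners caught it (default: none did)."""
    return detection_count(verdicts) <= max_hits


def triage(blob: bytes, verdicts: dict) -> dict:
    """One record per sample, ready to share or to send to vendors."""
    urls = extract_urls(blob)
    return {
        "sha256": sample_id(blob),
        "hosts": map_hosts(urls),
        "detections": detection_count(verdicts),
        "submit_to_vendors": needs_submission(verdicts),
    }


if __name__ == "__main__":
    for name, verdicts in VERDICTS.items():
        print(name, triage(SAMPLE, verdicts))
```

In practice the scanner verdicts come from running the file through each product and parsing its output; the threshold for "submit" is a judgment call, and the quote above suggests that even one or two hits is already above average.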
In Andrews's experience, by far the most common reason criminals create botnets these days -- other than perhaps to sell or rent them to other criminals -- is to install online ad-serving software that earns the attacker a few pennies per install.
"The majority of these [botmasters] are hardcore users who repeat over and over, because it can earn them money by the installation of adware," he said.
A Thankless Job
Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.
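Both halves of that problem, drones that keep calling a dead control server and a botmaster who quietly re-registers the domain, leave traces in an ISP's or company's DNS logs. The script below is an added example written for this page, not code from Shadowserver or any ISP: it parses constructed resolver log lines, lists the clients that keep looking up a taken-down command-and-control name (the stranded bots that still need cleaning), and raises an alert the moment that name starts resolving again. The domain cc.example.net, the client addresses and the log format are all stand-ins.

```python
"""Finding stranded bots and a re-registered C&C domain in DNS logs.

Added example, not Shadowserver's or any ISP's tooling. The log lines,
the domain and the addresses below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Command-and-control names known to have been shut down.
DEAD_C2 = {"cc.example.net"}

# Constructed resolver log, one query per line:
#   <timestamp> <client IP> <queried name> <rcode> [<answer>]
LOG = """\
2006-03-20T10:00:01 192.0.2.10 cc.example.net NXDOMAIN
2006-03-20T10:00:03 192.0.2.10 cc.example.net NXDOMAIN
2006-03-20T10:05:01 192.0.2.10 cc.example.net NXDOMAIN
2006-03-20T10:05:02 192.0.2.44 www.example.org NOERROR
2006-03-20T10:10:01 192.0.2.10 cc.example.net NXDOMAIN
2006-03-20T10:12:00 192.0.2.23 cc.example.net NXDOMAIN
2006-03-21T09:00:00 192.0.2.10 cc.example.net NOERROR 198.51.100.9
2006-03-21T09:00:01 192.0.2.23 cc.example.net NOERROR 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NXDOMAIN|NOERROR)(?: (\S+))?$")


def parse_log(text: str) -> list:
    """Turn log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode, answer = m.groups()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
            "answer": answer,
        })
    return records


def stranded_hosts(records, dead=DEAD_C2, min_queries: int = 2) -> dict:
    """Clients that keep looking up a dead C&C name: still-infected drones.

    A single lookup could be a curious analyst; repeated lookups at a
    steady cadence are a bot trying to reconnect to a server that is gone.
    Returns {client: query count} for clients at or above min_queries.
    """
    counts = Counter(r["client"] for r in records if r["qname"] in dead)
    return {client: n for client, n in counts.items() if n >= min_queries}


def reregistration_alerts(records, dead=DEAD_C2) -> dict:
    """A dead name that resolves again has been re-registered.

    Returns {domain: {"ip": first answer seen, "first_seen": timestamp}}
    so the stranded bots can be reported before they are reclaimed.
    """
    alerts = {}
    for r in records:
        if r["qname"] in dead and r["rcode"] == "NOERROR" and r["answer"]:
            alerts.setdefault(r["qname"], {
                "ip": r["answer"],
                "first_seen": r["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("stranded:", stranded_hosts(recs))
    print("re-registered:", reregistration_alerts(recs))
```

Two caveats a practitioner would add: the client list only identifies the resolver's customers, so it has to be mapped back to subscribers before anyone is notified, and the re-registration check is only as good as the DEAD_C2 list, which has to be kept in step with the takedowns that have actually happened.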