Bots are a bigger security problem than we think. Those of us who work in security are not unaccustomed to running into bots on the networks we monitor; in Check Point's 2014 Annual Security Report, released last month, our research found that 49 percent of organizations had seven or more bot-infected hosts.
Malware exposure and infections increased across the board last year, reflecting the increasing success of targeted malware campaigns. In 2013, 73 percent of organizations had at least one bot detected, compared with 63 percent in 2012. Meanwhile, 16 percent of organizations were infected with more than 35 hosts and 77 percent of them had bots on their networks that were active for more than four weeks. But the truth is that we have seen situations that have been far worse--networks with literally thousands of bots running on them.
To an untrained eye, having a handful, let alone hundreds or thousands, of bots on your network might seem alarming. But, all bots are not created equal in terms of their ability to disrupt an individual or organization. Some bots are no more than a nuisance while other bots have the potential to reap havoc on a network. And, what that bot does on your network really depends on the skill of the developer, the purpose of the bot and the ability of that bot to make it on your network in the first place.
Bots have ranged in severity. A few examples (from bad to worse) are:
- Adware-based bots: Those that drive up revenue for publishers by clicking on banner ads.
- Zeus: A bot that looks to steal financial information, such as bank account information and social security numbers, from large organizations and individuals. Can be deployed as a prebuilt kit.
- StuxNet: The mother of all bots, programmed to stop the production of uranium at the Iranian Nuclear power plant and arguably sent the country's nuclear ambitions back months, if not years. This is the extreme example of targeted malware, designed for a very focused purpose and leveraged attack vectors that are largely unknown.
So, where there's a will there's a way.
What's driving the proliferation of these bots? If ten thousand bots on a network is an indication of anything, it's that the ability to create and distribute bots is easier than ever. Almost anyone can unleash a bot onto a network. How is that possible, you may ask? There's big business in selling bots to any Monday morning quarterback and criminal elements are developing and selling bot kits, offering customization, 24-hour support and a rented command and control center to anyone with a credit card. The Zeus toolkit is a good example. Any individual that wants to deploy Zeus in an attempt to steal financial or personal information can try their hand at it by buying and downloading a toolkit online.
What can organizations do to protect their networks against these bots and their repercussions, big and small?
Aside from the traditional routes, which include network scanning and banning sites and applications that distribute these bots, technology and security professionals should be much more open to sharing information about these threats both inside the organization and with their peers.
There is a perception among security professionals that sharing information on attacks and threats is an admission of their failure to do what's needed to protect the network. However, bots are so prevalent due to the sheer fact that they make their authors so much money; there's no reason to believe that they will become less pervasive over time. When it comes to bots and other threats, information sharing is a critical weapon for the arsenal of security professionals.
The easiest way to start is to take advantage and contribute information about your own environment to threat feeds. Many organizations are hesitant to share information about their own environment, but distributors of this information have the technology in place to anonymize details in the effort to provide greater and more holistic intelligence to the larger community. The more people who share data, the better the data becomes.
Another way to share data, and this one is even more optimistic, is when an attack is identified and remediated. Sharing these details with the security community helps others understand potential attack vectors, as well as recovery options. We can, essentially, learn from past issues. It also serves to highlight the issue, to ensure others are taking real threats seriously.
As threats become even more prevalent and sophisticated, data sharing will become imperative. The data is only as good as our willingness to share. And, as hacking becomes big business, information sharing will be become on of our best defenses against hackers.
Kellman Meghu is Head of Security Engineering (Canada and Central US) for Check Point Software Technologies Inc., and has spent the past 20 years deploying application protection and network-based security.