Of Viruses, Botnets, and Logic Bombs

The first known virus to infect a personal computer was named Brain.A.It was developed by two Pakistani brothers and was initially detected in January 1986. The virus changed a file name on the computers it infected, causing them to freeze in some cases. How the world has changed since then! In just one generation, we have gone from novelty to very real threats in cyberspace. In this lecture, we’ll learn about the instruments that are used to exploit the five Internet vulnerabilities we discussed in part 3—botnets, Trojans, and logic bombs—and try to estimate the scope of the problem of cyber crime.
Distributed Denial-of-Service (DDoS) Attack
 A distributed denial-of-service (DDoS) attack is a common frontal assault on the Internet. Such attacks are relatively easy to mount but less harmful than some other types of assaults.
 The DDoS attack takes advantage of the fact that even though the cyber network is huge, it is still limited physically. Any one company has only so much bandwidth and so many servers. In a DDoS attack, a malicious actor fl oods a website with requests to connect, drowning out legitimate requests and, in effect, shutting down the site. Only access is affected in this type of attack; nothing happens to the data at the target company.
 A DDoS attack is carried out by a distributed network of helpers. If you volunteer to join the attack, you download a free program known as the Low-Orbit Ion Cannon (LOIC). With this simple automated program, you enter the web address or server you want to attack, hook up to the Internet, and push start to flood the target with requests to connect. If enough people join the attack, the target can be completely cut off.Botnets
 We tend to think of attackers as having volunteered to join a DDoS attack, but in fact, not everyone is a volunteer. With botnets, many
DDoS attacks are carried out by computers that have innocent owners. The term “botnet” is short for “robot network,” essentially a network of controlled computers.
 Botnets work by infecting innocent computers with some piece of malware that then connects to a controller computer for instructions. If there are no instructions, the malware does nothing until its next scheduled check-in time. But sometimes, the command-andcontrol program sends out a message: “At precisely noon GMT on July 4, try to connect to GlobalMegaCorp.com.” At the appointed time, all the computers connected to the broader web will follow the instructions.
 This is also how scammers arrange for spam to be sent; they rent out botnets from the herder (the owner of the botnet) and buy e-mail addresses that have been “harvested” on the web by an automated program called a “spider” or “web crawler.”
 Botnets can vary in size, from hundreds to tens of thousands of computers. Most of them are constantly active, sending spam or engaging in some other malevolent activity literally every second of every day.
 Besides sending spam, botnet malware programs usually also try to spawn themselves by infecting other innocent computers, typically through an e-mail message or some other innocent form of communication.
Trojans
 A Trojan or Trojan horse is a computer program or message that, on the outside, looks like an innocent piece of code but contains a malicious piece of software.
 Usually, an attack begins with the simple communication, often an e-mail. This is called a spear-phishing e-mail, because it targets a specific individual or recipient, much like a spear used to catch a fish. These spear-phishing e-mails are designed to appear as though they have come from an innocent source, but they have a malicious program hidden in either the e-mail itself or an attachment.
 When the recipient clicks on the attachment, the malware begins the automated download of a controller program. This program then opens up a back-door communication channel, allowing outside individuals to access the programs that control the target’s system.
 Some of the attackers create new breaches in the system; others use their position to give themselves authority to access all of the available data. If it is a hit-and-run attack, the attacker may remove information from the target system, such as log-in codes or financial data.
 Another class of attacks, called advanced persistent threats (APTs), are intrusions that reside inside the target system for a long period of time and make the target computer vulnerable to continuous monitoring from the outside.
o An APT called GhostNet was found in March 2009 in the computers operated by the offi ces of the Dalai Lama.
o Acting remotely, the installers of this malware could turn on a keylogger—a program that captures all the keystrokes entered on a keyboard attached to a computer. They could, for example, capture the organization’s bank account passwords.
o Also remotely, those who controlled the malicious software were able to turn on the video cameras and microphones on the computers in the offi ces of the Dalai Lama. They could see and hear anything that was happening within range of the computer.
o It took an information warfare organization in Canada more than a year to unravel the chain of controlling computers and find out who was behind the GhostNet attack. In the end, the chain petered out in servers on Hainan Island off the coast of China, the home of one of the signals intelligence organizations of the People’s Liberation Army.
Logic Bombs
 Sometimes, the object of an intrusion isn’t monitoring for information at all. Sometimes, the attack is intended only to leave a package behind, a program that sits quietly in the computer doing nothing at all, waiting.
 When it finally get the signal to act—perhaps from outside, or perhaps the program has a preset day and time—it will explode into action. Such silent programs are called logic bombs.
 One of the major concerns of security experts today is that we don’t really know whether there are any logic bombs in some of our networks—and there’s no way to find out.
Zero-Day Vulnerability
 A zero-day exploit is one that the attacker is sure will work because it has never been used before. The vulnerability becomes known on the same day that the attacker uses it to take advantage of someone. In other words, there are zero days between when the vulnerability is discovered and when it is used.
 In cyberspace, most vulnerabilities are gaps in programming code that, when discovered, can be exploited by outsiders. It’s not surprising that such gaps or mistakes exist in programs that have millions of lines of code, such as the operating system for Windows. But certain fl aws allow outsiders to force the code to take unanticipated actions, often with adverse consequences.
 Once a vulnerability is exposed and exploited, it can be fixed by software designers. That’s why software security firms are constantly shipping updates to your computer, and software developers are constantly recommending that users download patches for their software. They are providing you with the “fixes” to vulnerabilities that have recently been discovered, most often because some malicious actor has taken advantage of them.
 But new vulnerabilities—ones that have not yet been exploited—are a valuable commodity for bad actors. They can be used for important attacks because they are unlikely to have been patched and will almost surely work. Using at least one of these zero-day exploits is standard in more sophisticated attacks; Stuxnet used four—a sign of the importance the developer placed on the success of that attack.

In June 2012, a group of researchers hijacked a drone by fooling the GPS onboard the aircraft—a reminder that everything that is
attached to the network and addressable is vulnerable.

Defending against Attacks
 It’s important to note that the good guys can and do use the same tools as the bad guys. In order for the Canadians to track the GhostNet attack to China, they put malicious tracking software into some of the computers that were intermediaries for the attack. These programs allowed the Canadians to put “beacons” on the network traffic as a means of tracing it.
 Another particularly useful tool of the defenders is the “honeypot”—a computer that poses as an innocent but isn’t. Such computers allow defenders to capture new malware before it infects others. In a similar vein, “spam traps” are systems designed to collect and analyze spam so that your filters know how to stop it.
The Extent of Cyber Attacks
 How significant is the problem of cyber attacks today? Although this question is a vital one, data on actual vulnerabilities and their effects are hard to come by. We don’t even have good information about the number of intrusions that happen on a daily basis; it’s such a large number that the U.S. government stopped counting several years ago.
 One massive study of Internet traffic conducted for Bell Canada in 2010 demonstrates the scope of the problem. In this study, investigators observed about 80,000 zero-day exploits per day in Canada alone and estimated that more than 1.5 million compromised computers attempted more than 21 million botnet connections each month. These data are more or less consistent with estimates by large cybersecurity companies elsewhere.
 But knowing that there is a lot of activity isn’t the same as knowing what the effects there are. As a 2011 paper produced by PayPal noted, “Estimates of the magnitude and scope of cyber crime vary widely, making it diffi cult for policymakers and others to determine the level of effort to exert in combating the problem.” And what is true of cyber crime is true, to an even greater degree, of instances of cyber espionage.
 The data we have on cyber crime tend to be unsatisfactory. In 2011, the U.S.-based Internet Crime Complaint Center (IC3) received more than 314,000 complaints of Internet crime, with reported losses of $485 million. These modest numbers pale in comparison to more apocalyptic estimates of malfeasant activity on the Internet. The last estimate of the U.S. Government Accountability Office (made in 2005) was that the annual loss due to computer crime was approximately $67.2 billion for U.S. organizations.
 One other way of trying to estimate the scope of the cyber crime problem would be to examine how much is spent in preventing intrusions and theft. After all, businesses wouldn’t spend more in prevention than they anticipate in losses. The Internet Security Alliance has estimated that private-sector security spending totaled an astonishing $80 billion in 2011.
 In the end, we don’t know for sure what the scope—the actual dollar damage—of cyber crime really is. The most that can be said is that a lot of risk is out there, and that data about actual harm remain painfully elusive. botnet: A network of computers controlled by an outside actor who can give those computers orders to act in a coordinated manner, much like orders to a group of robots. denial-of-service attack: An attack in which a malicious actor repeatedly sends thousands of connection requests to a website every second. The many malicious requests drown out the legitimate connection requests and prevent users from accessing the site.
*** distributed denial of service (DDoS)***: A DDoS attack is related to a denialof-service attack, but in a DDoS attack, the attacker uses more than one computer (often hundreds of distributed slave computers in a botnet) to conduct the attack. Internet Criminal Complaint Center (IC3): The IC3 is a unit of the U.S. Department of Justice. It serves as a central collection point for complaints of criminal cyber activity and provides estimates of criminal effects.
keylogger: As the name implies, a keylogger program is one that records all the keystrokes entered on a keyboard (such as the letters and numbers in a password) and then reports those keystrokes to whoever installed the program.
logic bomb: A program that tells a computer to execute a certain set of instructions at a particular signal (a date or a command from outside, for example). Like many bombs or mines, the logic bomb can remain unexploded and buried for quite some time.
phishing: Phishing is a cyber tactic that involves dangling “bait” in front of an unsuspecting user of the Internet. The bait may be an e-mail with an attractive link to click on that takes the unwary user to a malicious site.
spear-phishing: A phishing attack that is targeted at a particular, specific recipient; the name comes from the similarity of using a spear to catch a
particular fish.
Trojan horse: As the name implies, a computer program or message that, on the outside, looks like an innocent piece of code. Contained within the code, however, is a malicious piece of software.
zero-day exploit: A vulnerability in a software program that has not previously been used or discovered. Because most vulnerabilities are quickly patched after they become known, zero-day exploits, which are not yet patched, are valuable to malicious actors. They leave systems open to intrusions that will be successful on the “zeroth” day.
Questions to Consider

1. Which is more dangerous to you personally, a targeted spear-phishing attack or a DDoS attack on your bank? Which types of attack are more threatening to national security?

2. Given the uncertainties in the data, do you think people are making too much of the threat? Are those who talk about a cyber–Pearl Harbor crying wolf?