Several of the characteristics of botnets are not only significant in and of themselves, but are emblematic of some of the unique challenges that cyberwarfare as a whole presents.
This is part of a series run by Stratfor with some additional commentary (and jokes) by me.
Analysis
Botnets are a conglomeration of thousands (or more) hijacked computers known as zombies. These networks can amass the processing power of many computers and servers from all across the globe and direct them at targets anywhere in the world. Botnets are used not only in massive spam campaigns on a daily basis but are also used in cyber-security attacks.
In distributed denial of service (DDoS) attacks, individual bots can direct their computers to repeatedly access a particular target network or Web site — with the entire network of zombies doing so at the same time. These kinds of attacks, depending on their scale and the target system’s ability to cope, can begin to degrade accessibility or completely overwhelm and shut down access to that network, Web site or server. Bots can also autonomously exploit a user’s address book and e-mail server to send out spam or infected e-mails or distribute other types of malicious software — including copies of the bot itself, to further expand the network.
The best botnets have their software written and controlled by individuals; these botnets are often controlled by subnational actors — be they hackers, terrorist organizations or cybercriminals. Less effective botnets can be created by downloading existing software from the Internet, but because that software is widely available, systems with up-to-date security software are generally already protected against it. In stock trading, it's kind of like trading the news -- there's no point because once it's widely distributed it is already priced in.
Ultimately, DDoS attacks can be a particularly crude method of challenging advanced systems. But while some technologies have been developed to help reduce their effectiveness, thus far this fairly simple technique has continued holding its ground against improvements in computer security, especially for short-duration disruptions, and remains the most effective and unstoppable method of attack with large botnets. Even if DDoS attacks cease to be an effective tool, the capability to muster a massive pool of processing power will likely remain a key aspect of cyberwarfare for some time to come.
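The distinction the text draws between a single loud client and a botnet (many zombies, each making only a few requests, all aimed at one target at the same moment) is exactly what separates a DDoS from an ordinary flood in a web server log. The following is an added example, not code from the original post or from Stratfor: it parses Common Log Format lines and computes both signals per time bucket. The log lines, IP addresses (from the RFC 5737 documentation ranges) and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_seconds=10, per_source_max=20, distinct_source_min=50):
    """Two complementary signals, each computed per bucket of window_seconds:
    - noisy_sources: a single client exceeding per_source_max requests (one-host flood)
    - flooded_paths: a path hit by at least distinct_source_min distinct clients in one
      bucket, even though every client stays under the per-source limit (zombie pattern)
    Thresholds are constructed for the sample; tune them to real baseline traffic."""
    per_source = defaultdict(int)        # (bucket, ip)   -> request count
    sources_per_path = defaultdict(set)  # (bucket, path) -> distinct client IPs
    for ev in filter(None, map(parse_line, lines)):
        bucket = int(ev["ts"].timestamp()) // window_seconds
        per_source[(bucket, ev["ip"])] += 1
        sources_per_path[(bucket, ev["path"])].add(ev["ip"])
    noisy = sorted({ip for (_, ip), n in per_source.items() if n > per_source_max})
    flooded = sorted({p for (_, p), ips in sources_per_path.items()
                      if len(ips) >= distinct_source_min})
    return {"noisy_sources": noisy, "flooded_paths": flooded}


def build_sample_log():
    """Constructed sample traffic (not a real capture); everything falls in one
    10-second bucket because the base time is aligned to a multiple of 10 seconds."""
    base = datetime(2008, 10, 10, 13, 55, 30, tzinfo=timezone.utc)

    def line(ip, offset, path, status=200):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'

    lines = []
    # ordinary visitors: five hosts, three requests each
    for i in range(5):
        for j in range(3):
            lines.append(line(f"203.0.113.{i + 1}", j, "/index.html"))
    # one loud client hammering the front page: caught by the per-source limit
    for j in range(40):
        lines.append(line("198.51.100.7", j % 10, "/"))
    # sixty zombies, three requests each, all aimed at /login in the same window:
    # no single one trips the per-source limit, but the distinct-source count does
    for i in range(60):
        for j in range(3):
            lines.append(line(f"192.0.2.{i + 1}", (i + j) % 10, "/login", 503))
    lines.append("this line is garbage and must be skipped by the parser")
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

Per-source rate limiting alone would miss the /login flood entirely, which is the point the text makes about why botnets keep working against rate-based defences; the distinct-source count per target is what exposes them.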
In my previous post, which is taken from a series that Stratfor has run recently, we looked at some of the motivations of hackers. Let's take a look at some more.
The tenets of altruism vary greatly, depending on the person subscribing to it, but often they are based on an individual’s beliefs regarding the Internet and are often associated with what are considered positive actions intended to serve a perceived public good. These tenets can include the free flow of information, security preservation and user protection. In some ways, altruism can be understood as a variation of the Hacker Ethic with a benevolent bent. But because it all comes down to a personal perception and world view, “altruistic” hackers may sometimes perform actions that seem quite malicious to others (e.g., shutting down Web sites that are believed to be blocking the free flow of information).
Hackers who believe in altruism either aren't fans of Ayn Rand or haven't read anything by Ayn Rand.
Hacktivism promotes the use of hacking to accomplish political goals or advance political ideologies. Depending on the campaign, these actions may involve both white-hat hackers and black-hat hackers and can include Web site defacement, redirects, DoS attacks, virtual sit-ins and electronic sabotage. Many hacktivist actions fall under the media radar, but their political, economic, military and public impact can be significant.
An example of this is way back in the 1990s when some hackers broke into the CIA web site and changed the name on the main site to the "Central Stupidity Agency." I don't actually know if this happened because I never personally verified it... but I think it falls under the hacktivism mantle.
Although a rare hacker ideology, nationalism can envelop large portions of the community given the right cause or circumstance. By their very nature, hackers are individualists who rarely pledge allegiance to other hackers or groups, let alone countries. This is partially due to the fact that the Internet itself and the hacker community it supports have their own cultural elements — indeed, some of the other motivations discussed above often supersede or transcend national identity. There are situations, however, when hackers can be motivated to act in what they perceive to be the best interests of their respective nations.
Those are some of the motivations of hackers. One day maybe I'll do a series on the motivations of spammers, but I think I can sum it up in one word: greed.
Those types of spammers would have no disagreement with Gordon Gekko, who asserted that "Greed is good."
There are more than just blue, black and white hat hackers. There are a few more types of folks out there that don't fit into the above categories. This article is taken from Stratfor with some commentary by myself.
Many of the hackers described in my previous post are also coders, or “writers,” who create viruses, worms, Trojans, bot protocols and other destructive “malware” tools used by hackers.
Spammers who write their own viruses (to infect PCs into botnets) have an advantage over other spammers. Spammers who are coders with some background in marketing or psychology have a bigger advantage still.
Crackers are hackers who circumvent or bypass copyright protection on software and digital media. The most prominent recent example of cracking was the “unlocking” of Apple’s iPhones in order to break software-imposed restrictions on the use of GSM cellular networks other than AT&T (which made a deal with Apple to be the sole provider of iPhone service).
In anti-spam, a type of cracker might be someone who attempts to crack a spam filter. For example, some spammers will sign up for Hotmail accounts and spam themselves until something gets through. Once something does, they spam all of their Hotmail spammees.
Script kiddies represent an intermediate category of actor between regular computer user and hacker. A script kiddie is more knowledgeable about computers and the Internet than most users but has yet to develop the skills, experience and expertise to be a truly effective actor. This would be a lot like me pre-2004.
Script kiddies know just enough to get themselves in real trouble or to bring real trouble to bear on others. In my own world, I know just enough about our back end databases to be dangerous. It's really useful to be able to insert into the database, but at the same time it took me two hours to restore all the rules when I accidentally forgot to specify the rule number and ran "update SpamRules set text='this is changing the spam rule';". Not including the "where rule_id=xx" really cost me some time.
After I did it a second time, I learned my lesson.
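The mishap described above (an UPDATE with no WHERE clause rewriting every row) has a standard guard: run the statement inside a transaction, check how many rows it affected, and roll back unless the count is what you expected. The following is an added example, not code from the original post; it assumes a SpamRules table with rule_id and text columns, as the post's own statement implies, and uses an in-memory SQLite database with constructed rows.

```python
import sqlite3


def make_rules_db():
    """Constructed sample table mirroring the post's SpamRules (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SpamRules (rule_id INTEGER PRIMARY KEY, text TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO SpamRules (rule_id, text) VALUES (?, ?)",
        [(1, "block .exe attachments"), (2, "score 'free money' +5"), (3, "reject empty From")],
    )
    conn.commit()
    return conn


def guarded_update(conn, sql, params=(), expected_rows=1):
    """Run an UPDATE inside a transaction and commit only if it touched exactly
    expected_rows rows; otherwise roll back and raise. Returns the row count.
    The connection context manager commits on normal exit and rolls back on
    an exception, so the raise below undoes the statement."""
    with conn:
        cur = conn.execute(sql, params)
        if cur.rowcount != expected_rows:
            raise RuntimeError(
                f"update touched {cur.rowcount} rows, expected {expected_rows}; rolled back"
            )
        return cur.rowcount


def rule_texts(conn):
    """Snapshot of the table as {rule_id: text}, used to verify what was committed."""
    return dict(conn.execute("SELECT rule_id, text FROM SpamRules ORDER BY rule_id"))


if __name__ == "__main__":
    conn = make_rules_db()
    # The statement from the post, missing its WHERE clause: touches 3 rows, rolled back.
    try:
        guarded_update(conn, "UPDATE SpamRules SET text = ?", ("this is changing the spam rule",))
    except RuntimeError as exc:
        print("blocked:", exc)
    # The intended statement, scoped to one rule: touches 1 row, committed.
    guarded_update(conn, "UPDATE SpamRules SET text = ? WHERE rule_id = ?",
                   ("this is changing the spam rule", 2))
    print(rule_texts(conn))
```

The same idea applies to any SQL client: wrap ad hoc changes in a transaction, inspect the affected-row count before committing, and keep autocommit off on the interactive connection where mistakes like this happen.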
Not all actors in cyberspace are human. This is not to classify every server and application in cyberspace as an actor. But there is a unique non-human actor in cyberspace known as a zombie, which is a computer wholly or partially controlled by a bot. A bot, for our purposes, is a parasitic program that hijacks a networked computer and uses it to carry out automated tasks on behalf of a hacker. Individual bots can be building blocks for powerful conglomerations of bots. One famous example is the conglomeration of bots infected by the Storm worm.
Once many bots and bot herders have been amassed, they can be consolidated into a collective computing network called a botnet, also called a “bot army.” This allows a single hacker to wield simultaneously the computing power of many thousands of machines — or more — and accomplish tasks that would otherwise be impossible with a single computer. Mass spam campaigns are one of the uses of botnets. Spreading the sending across many machines makes it possible for spammers to send out piles of spam without triggering reputation filtering.
Why do hackers do what they do? Are they motivated by something? Altruism? Greed? Stratfor examined this in one of their recent articles, parts of which I have below with some additional comments from me.
The personal motivations driving individual hackers are virtually infinite. But there are a handful of dominant ideologies that can offer insight into the mindsets and motivations of much of the larger hacker community. Not all hackers subscribe to or are driven by these beliefs, but most are shaped or affected by them in some fashion.
Any discussion of these ideologies must begin with the basic Hacker Ethic, the founding principle of the hacker community.
Interpretation of this ethic can vary, but it essentially entails the following beliefs:
These fundamental principles, and variations thereof, are commonly held in the hacker community and have evolved over time into some of the ideologies described below.
The basic principles of exploration — an outgrowth of the Hacker Ethic and the first ideology many hackers adopt — are to look into every corner of the Internet and bypass any security simply for the sake of improving skills and learning how to navigate cyberspace covertly. As a side note, I've been known to do this when playing around trying to improve my Linux skills - trying out new commands to see what they do. That's how I acquired skill in awk and xargs. Of course, I wasn't trying to break into anything at the time.
In the process, explorationists generally try to leave no trace and to avoid any damage to the system (which would, inherently, be evidence of their intrusion). The better an explorationist is, the better they are at hiding their steps. Of course, sometimes ego can get in the way. Not me, though. I'm the least egotistical person I know.
Many of this ideology’s tenets originate from newer versions of the Hacker Ethic — especially the white-hat version, which emphasizes benevolent rather than malevolent actions.
Another outgrowth of the original Hacker Ethic is informationism, which holds that information should be allowed to flow freely throughout the Internet and, by extension, throughout all human societies. Hackers who embrace this ideology often have specific areas of interest they monitor to identify developments and actors that they might perceive to be limiting the free flow of information. Once these hackers identify constraints, they attempt to remove them by a variety of means, from simply rerouting data to removing security protocols to staging comprehensive network attacks — essentially making that information free through force.
When I read the book "Spam Kings", there was a brand of informationism on display. Whenever somebody would post a spammer's contact information, piles more anti-spammers would mirror that data and repost it on their own sites. Authorities might be able to shut down the original poster, but they couldn't catch them all (like Pokemon). In effect, anti-spammers would ensure free access to information, namely the identity of known spammers, by sheer volume.
In my next post, I'll get to a few more motivations.
My name is Mark Hassall and as Director in the Identity & Security Business Group at Microsoft Corp, I am responsible for partner marketing for Microsoft’s Forefront and IDA family of products. After spending a lot of time with many of our partners last week at Microsoft’s Worldwide Partner Conference (WPC), I came away with a number of impressions. For starters, I was reminded how great it is to get face-to-face time with friends in the industry. Secondly, it is incredible to see how the identity and security market continues to evolve at a rapid rate. If our channel partners took at least one thing away from our time at WPC, I hope it is this: our partners have always been, and will always be, at the core of Microsoft’s identity and security strategy. In fact, I feel there has never been a better time to have a partnership with Microsoft. For example: at WPC the newly established Microsoft Identity and Security Business Group announced a $75+ million investment in sales, marketing and readiness initiatives and a series of program enhancements designed to further aid channel partners in designing effective, profitable business models while working with their customers to stay on top of the ever-changing security landscape.
We also announced some great promotions at WPC. We expanded the Security Software Advisor (SSA) program, which allows partners to earn fees of up to 30 percent of the price of a customer's security product order through Microsoft Volume Licensing, and will now pay advisor fees on Identity and Access products (Microsoft Identity Lifecycle Manager and Microsoft Active Directory Rights Management Services) in addition to Microsoft Forefront products. By enrolling in the Security Software Advisor program, partners will be able to claim up to 10% of the product list price as advisor fees, when they recommend and deploy these identity and access products and will be in an ideal position to capitalize on the rapidly converging market for identity and security solutions.
Another new feature in the SSA program is the ‘Jumpstart’ offer where partners filing their first SSA claim will receive a 50% bonus payment on top of the advisor fee as well as two Microsoft Learning exam vouchers to help partners get certified and qualify for the Security Solutions competency. This limited time promotion runs from July 1st through September 30th 2008.
This is exciting stuff for my team and me, as these program enhancements will lead to more opportunities for our partners and will strengthen the current relationships. In fact, in a recent study commissioned by Microsoft, IDC found that Microsoft partners that have the Microsoft Security Solutions Competency and/or qualify for the Microsoft Security Software Advisor program outperformed other benchmarked companies offering security solutions in 12 of 15 of the Key Performance Indicators (KPIs) surveyed. Key performance metrics include:
• Bottom line profitability – operating profit margins are one third higher for Microsoft partners
• Business velocity – revenue growth is three times higher than benchmark companies
• Business execution – revenue per employee is over $45,000 more per employee for Microsoft partners
• Services fulfillment – services to product resale ratio is double the rate of benchmark companies.
The report found that these results can be attributed to a number of factors, including services opportunities, availability of qualified technical resources, process efficiencies and deeper relationships with customers. The report can be found here: https://partner.microsoft.com/download/US/40030202
If you’re a Microsoft partner or you’re thinking about joining the Microsoft partner program, I urge you to sign up for SSA now and attain the Security Solutions Competency. As many of our partner friends witnessed last week in Houston, it’s an exciting time for both the Forefront and IDA product families, and we want partners to join in and start thinking about how you can drive revenue by attaching to existing infrastructure solutions. As I said when I started this blog, partners are at the core of our strategy and we want you to engage with us on joint identity and security opportunities. You can find out more about these programs and opportunities at https://partner.microsoft.com/global/productssolutions/securityproducts.
-Mark Hassall