third Cyber Security Assessment Netherlands - NCSC
Once a computer is infected, the malware ensures that a back door is opened on the computer, allowing the botnet herder to give commands to the infected computer. The computer has thus become a bot in the botnet, also known as a ‘zombie’. The malware aims to be as inconspicuous as possible. For example, by lowering the priority of its own process in the operating system, all actions that the user carries out take precedence, with virtually no noticeable deterioration in the computer’s performance.
In a traditional botnet a bot receives its instructions from a C&C server. The botnet administrator uses this server to communicate the commands to deploy the botnet. The C&C server is therefore the critical component focused on in the fight against botnets. Once this machine is switched off, the botnet can no longer be controlled and the bots remain inactive. To reduce this vulnerability, administrators build an infrastructure with sometimes hundreds [13: FS 2013] of individual C&C servers in the same botnet.
An alternative architecture used to make combating botnets more difficult is the ‘peer-to-peer’ (P2P) botnet. Here, a bot is instructed and then passes the command on to the next bot, so that it spreads across the botnet like an oil slick. Because a different machine is used as the starting point each time, the source of the instructions is difficult to determine.
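The contrast between a C&C-driven botnet and a P2P botnet described above can be made concrete with a small graph model. The following Python is an added example, not code from the NCSC report; the node names, botnet sizes and graph shapes are constructed for the demonstration. It shows why taking C&C servers offline cuts off command delivery in the centralized design, whereas removing the same number of nodes from a P2P botnet leaves almost every bot reachable, because a command can enter at any surviving bot and be relayed onward.

```python
"""Toy model of how a takedown affects command propagation in a botnet.

Added example, not code from the NCSC report. It contrasts the two
architectures the text describes: bots that only take orders from C&C
servers versus a peer-to-peer botnet in which each bot relays commands to
its neighbours. Graph shapes, node names and sizes are constructed.
"""
from collections import deque


def build_centralized(n_bots, n_cc):
    """Bots register with one C&C server each (round robin); bots never talk
    to each other, so every command path runs through a C&C node."""
    cc = ["cc%d" % i for i in range(n_cc)]
    bots = ["bot%d" % i for i in range(n_bots)]
    graph = {c: set() for c in cc}
    for i, b in enumerate(bots):
        c = cc[i % n_cc]
        graph[b] = {c}
        graph[c].add(b)
    return graph, cc, bots


def build_p2p(n_bots, degree):
    """Deterministic ring lattice: each bot keeps links to the `degree` bots
    nearest to it on the ring, so a command can enter at any bot and be
    relayed to the rest."""
    bots = ["bot%d" % i for i in range(n_bots)]
    graph = {b: set() for b in bots}
    for i in range(n_bots):
        for k in range(1, degree // 2 + 1):
            j = (i + k) % n_bots
            graph[bots[i]].add(bots[j])
            graph[bots[j]].add(bots[i])
    return graph, bots


def reachable(graph, entry_points, removed):
    """Breadth-first relay of a command from every surviving entry point,
    never passing through a removed (taken-down) node."""
    removed = set(removed)
    queue = deque(n for n in entry_points if n not in removed)
    seen = set(queue)
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def controllable_fraction(graph, bots, entry_points, removed):
    """Share of all bots that can still receive a command once the nodes in
    `removed` are offline (removed bots count as no longer controllable)."""
    reached = reachable(graph, entry_points, removed)
    return sum(1 for b in bots if b in reached) / len(bots)


if __name__ == "__main__":
    # Centralized: the herder can only inject commands at a C&C server.
    g, cc, bots = build_centralized(100, 4)
    print("centralized, 2 of 4 C&C down:", controllable_fraction(g, bots, cc, cc[:2]))
    print("centralized, all C&C down:  ", controllable_fraction(g, bots, cc, cc))
    # P2P: the herder can inject commands at any surviving bot.
    g2, bots2 = build_p2p(100, 4)
    print("p2p, 4 bots down:           ", controllable_fraction(g2, bots2, bots2, bots2[:4]))
```

Running the block prints the fraction of bots that a command still reaches in each scenario: 0.5 with two of four C&C servers offline, 0.0 with all four offline, and 0.96 for the P2P botnet with four bots removed. The model makes the defender's problem visible: in the centralized graph the C&C nodes are the cut points, while in the ring lattice no single node's removal disconnects the rest, which is why takedowns of P2P botnets have to target the peers themselves.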
Instructions are also spread via social media. Because of the astronomical volume of messages on networks such as Facebook and Twitter, there is no monitoring of whether some of the accounts among them are sending coded commands that are read by bots. In addition, the accounts used are switched repeatedly.
3.3 Developments

3.3.1 Current situation
The botnet landscape is currently dominated by a number of botnet families. The most notable is the family of ZeuS botnets. Derived from this is Citadel, which received media attention in the Netherlands following the incidents concerning Dorifel and Pobelka (see boxed texts). Alongside ZeuS, ZeroAccess and Carberp are also very common.
As well as for click fraud, ZeroAccess is often used to exploit the computing power of bots for bitcoin mining. Bitcoin is a digital currency that is not managed by a central bank and is not recognised by international organisations, but that is increasingly accepted as a payment method. It works on the basis of cryptographic principles and is ‘mined’ by performing complex calculations. Deploying an entire botnet to mine bitcoins is therefore a lucrative business.

Carberp is known for creating fierce competition in the underground economy. The botnet attempts to switch off other malware [123] and gain control over a bot for itself. The organisation is so professional that there is presumably a marketing department behind this botnet to attract more customers.

Mobile telephones, in particular smartphones, are increasingly the target of malware, resulting in the emergence of mobile botnets. Malware that tries to intercept financial transactions sometimes appears on both computers and mobile telephones, in order to intercept not just the transaction in the internet browser but also any authorisation code sent by SMS.

Botnet developers are also demonstrating innovation in evading detection. In addition to the increasingly common P2P architecture [124], they are using encryption, and administrators are communicating via Tor to retain their anonymity. Large botnets are deployed only in small sections and target very limited objectives in order to stay under the radar as much as possible. [125] The conventional way of switching off botnets through their C&C servers is therefore virtually redundant.

Botnets often revive because of the ease and speed with which networks can be built and because of the high percentage of infected computers. For example, in CSAN-2 there was still talk of dismantling the Kelihos botnet [126]; however, this botnet re-appeared [21: McAfee 2013-1] on the radar of anti-virus companies in September 2012.

3.3.2 Expectations

The success in dismantling botnets is reflected in the declining volume of spam sent by these botnets. [127] With spammers’ attention shifting to social media, new botnets are being set up to provide different functions, such as DDoS attacks. As a result, it is impossible to estimate how effective dismantling is on the basis of the volume of spam.

In the short and medium term, an increase in the number and size of botnets can be expected. Drivers behind this are:
»» revenue from hire remains high;
»» the increasing interest in carrying out DDoS attacks;
»» the increasing ease of use of ‘create your own botnet’ packages;
»» the rising bitcoin exchange rate.

Currently, the PC is still the most commonly infected device. This is expected to remain the case, certainly given its market share, but proportionally botnets for devices with Mac OS X, iOS and Android will increase significantly.

123 Microsoft Threat Encyclopedia, W32/Carberp, http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fCarberp
124 C. Rossow et al.: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets, http://www.christian-rossow.de/publications/p2pwned-ieee2013.pdf
125 http://webwereld.nl/nieuws/112177/update-maakt-botnet-citadel-langer-onzichtbaar.html
126 NCSC Cyber Security Assessment Netherlands CSAN-2, p. 52.
127 http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/ENISA_Threat_Landscape/at_download/fullReport