Alarm growing over bot software

While many network administrators worry about the next worm, security experts are warning that a quieter but equally damaging threat is slowly gaining control of large networks of computers.

Known as bot software, the remote attack tools can seek out and place themselves on vulnerable computers, then run silently in the background, letting an attacker send commands to the system while its owner works away, oblivious. The latest versions of the software created by the security underground let attackers control compromised computers through chat servers and peer-to-peer networks, command the software to attack other computers and steal information from infected systems.

"It has been one of the big underreported problems in security," said Johannes Ullrich, chief technology officer for the Internet Storm Center, a unit of the SANS Institute that tracks network threats.

On Thursday, Ullrich and other Internet security watchers warned that the most common kind of bot software, Agobot, had been upgraded. A new variant incorporates publicly available code for breaching a computer's security through a vulnerability in a security component installed on almost every Microsoft Windows system sold in the past five years. That component is called the Local Security Authority Subsystem Service, or LSASS.

The LSASS version of the Agobot software uses a particular application data channel, or port, to attack vulnerable systems. On Thursday, Ullrich said traffic on that port had jumped in the previous 24 hours.

Security company Symantec, which, like the Internet Storm Center, monitors sensors around the Internet, also warned Thursday that the LSASS version of Agobot--or Gaobot, in Symantec's parlance--is spreading.

"The worry here is: How many hosts are out there infected with these things?" said Alfred Huger, senior director of Symantec security response.

Bot stealthiness
Anxiety is understandable, given that Symantec and the Cooperative Association for Internet Data Analysis, or CAIDA--two groups thought to have some of the best data on Internet attacks--both undercounted the extent of the MSBlast infection by an order of magnitude.

The groups' researchers had estimated that the MSBlast worm and its variants compromised half a million systems at most. Yet last month, Microsoft revealed that its Windows Update system had patched and then cleaned 8 million systems infected with the virus. On Wednesday, the software giant changed that number to 9.5 million.

Symantec puts the number of computers compromised with bot software in the hundreds of thousands. Other security experts have put the number in the millions.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Bot software is much harder to detect than worm programs because it tends to be more stealthy. Worms, which spread automatically and randomly, create a lot of data traffic as they attempt to infect new hosts; such "noisy" activity puts the software in the spotlight for network monitoring devices. But bots are generally commanded to search smaller networks for new systems to infect, reducing the amount of bandwidth that compromised servers produce and making the programs less obvious.

Another concern, Huger said, is how versatile bot software has become.

It can, for instance, be teamed with worms and viruses to create especially daunting hybrids. Symantec's security response team believes that the Witty worm, which attacked computers running security software from Internet Security Systems, was launched by 4,200 "bots"--systems infected with bot software--connected together in a "botnet." Symantec found that the worm spread from those computers even though they weren't running the vulnerable ISS software. So bot software was likely the culprit, Huger said.

"The chances of (Witty) not being launched from a botnet are very thin," he said.

CAIDA also believes the Witty worm had been "pre-seeded," or given a set of known vulnerable systems to attack first in order to speed up the spread of the worm. According to CAIDA's analysis, however, the worm's initial spread involved about 110 to 160 systems--a small fraction of Symantec's estimate.

Spammers have also started using botnets to send bulk e-mail solicitations to Net users while hiding the spammers' location. Several viruses, including Sobig and MyDoom, have infected computers with simple bots that aim to ease the spammer's job.

Threat seen as broadening
The versatility of bot software also lets online miscreants use botnets to attack Web sites with massive data floods, or denial-of-service attacks. Some attackers have even used the computation power of the combined computers in a botnet to create their own distributed supercomputer for breaking encryption, especially on passwords, said David Dittrich, an information security researcher with the University of Washington's iSchool.

"It seems like a logical progression that people have added programmable mechanisms to the bots to add functionality," he said.

It's possible to add new features to the bot software because the creator of Agobot released the source code to the Internet. Agobot uses Internet relay chat as the communications channel to control infected machines. The program has spawned hundreds of variants, including Phatbot, which creates an encrypted peer-to-peer network to relay commands to the compromised systems.

The U.S. Computer Emergency Response Team warned of the Phatbot variant earlier this month, telling companies to watch out for the new attack software. The creation of the LSASS variant of Agobot may itself be a warning, because it likely indicates that a worm is around the corner, said the Internet Storm Center's Ullrich.

Code that takes advantage of software flaws tends to evolve from a simple program, or script, into a fully automated virus. Inclusion of such code in bot software is generally the last step before the code evolves into a virus or worm.

"The worm is the end of the life cycle, as far as exploits go," Ullrich said.

Such was the case with MSBlast; several variants of Agobot incorporated code to take advantage of a Windows vulnerability in the weeks before the MSBlast worm arrived and used the same flaw to spread.

This time around, however, the emergence of a worm may initially be hard to detect, because the LSASS variant of Agobot has spread so widely and is already creating a lot of noise, he said.

"It will be a bit hard to tell when it first arrives," Ullrich said, "because there is so much traffic out there."