You May Be Attacking Someone, Thanks to Botnets

Do you ever wonder where spam comes from?  I have no idea where the meat-like version of Spam comes from (nor do I wish to ponder that mystery). But it is well established that a huge share of the e-mail and IM spam we all know and hate is generated by automated programs (bots) installed on thousands or even millions of unsuspecting systems.  These bots are remotely controlled through command-and-control servers or peer-to-peer networks (botnets) to do the bidding of the bot operator: send spam, distribute other malicious software, or generate denial-of-service attacks against designated targets.  All of this can happen without the owner of the system ever knowing it is doing anything.

Botnets are the end result of many malware infections: viruses, worms, Trojans, drive-by downloads or click-through attacks may all deliver and propagate the bot payload. They are also a crystal-clear example of how the objective of attacks has changed, from hit-and-run, high-profile grabs for fame to stealth and the establishment and retention of control over assets. Botnets are an ideal tool for the nefarious, because they command huge numbers of widely distributed systems at trivial cost.  While it is hard to estimate how many systems belong to a botnet, the potential is staggering.  For example, the much-publicized Conficker worm is estimated* to have placed more than 4 million unique IP addresses under the control of its "bot-masters".  This huge resource base allows bot-masters to rent control of compromised systems to spammers or other agents looking for ways to generate attacks or other nuisances with a low risk of being detected.  In essence, they allow criminals and spammers to outsource the generation of their malicious activity. It is a frightening business model indeed.

It is also a difficult challenge for IT. Thanks to botnets, an IT manager or CIO may get a call out of the blue asking why their systems are attacking another company's or government entity's systems, or may discover a botnet of hundreds of computers inside their own company.  These types of events can happen to the best IT departments (even Intel or the US Government). Clearly, IT needs tools to help prevent such scenarios, and the antivirus and intrusion detection/prevention industry is working hard to keep up with the rapid growth in delivery vehicles for bot code.  The other weapon for IT managers is traffic analysis: looking for patterns of activity that fall outside business norms (such as bursts of outbound e-mail from systems that are not mail servers, or floods of network traffic from many internal hosts toward one specific target) to determine whether someone else's business is being conducted with their assets.  Being part of a networked world has wonderful, powerful benefits, but it is not without enhanced risk. A botnet is not a network you ever want to be a member of.
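As an added illustration of the traffic-analysis idea above (this is example code written for this page, not an Intel tool or anything from the original post), the script below runs two simple checks over a constructed set of outbound flow records: it flags any host other than the designated mail relay that opens more than a threshold number of SMTP (port 25) connections in a single minute, and it flags any external target:port that receives a flood of flows from several internal hosts in the same minute. The log format, the relay address, the thresholds and all IP addresses are assumptions made for the example; a real deployment would take them from the site's own flow exporter and baseline.

```python
"""Spot botnet-like outbound traffic in flow records (added example, not from the original post).

Two of the anomalies the text describes:
  * a workstation (not the mail relay) suddenly sourcing many SMTP connections
  * many internal hosts hammering the same external target and port at once
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed site policy (hypothetical values for this example).
MAIL_RELAY = "10.1.1.5"      # the only host expected to speak SMTP to the Internet
SMTP_BURST_THRESHOLD = 20    # more than this many port-25 flows per minute from one other host
FLOOD_MIN_SOURCES = 5        # at least this many internal sources ...
FLOOD_MIN_FLOWS = 50         # ... and at least this many flows to one target:port per minute


def build_sample_flows():
    """Constructed sample traffic (not real data): one minute of 'ts src dst dport bytes' lines."""
    base = datetime(2009, 6, 1, 9, 0, 0)
    rows = []
    # Normal: the relay sends mail, a handful of desktops browse over HTTPS.
    for i in range(30):
        rows.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.1.1.5 198.51.100.{i % 5 + 1} 25 3000")
    for i in range(10):
        rows.append(f"{(base + timedelta(seconds=i * 3)).isoformat()} 10.1.1.{30 + i} 203.0.113.80 443 1500")
    # Bot-like: desktop 10.1.1.77 opens 40 SMTP connections to 20 different mail servers in one minute.
    for i in range(40):
        rows.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.1.1.77 198.51.100.{i % 20 + 1} 25 800")
    # Bot-like: eight desktops send 60 tiny flows to the same external web server in the same minute.
    for i in range(60):
        rows.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.1.1.{100 + i % 8} 203.0.113.9 80 60")
    return "\n".join(rows)


def parse_flows(text):
    """Parse 'ts src dst dport bytes' lines into (datetime, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def minute_bucket(ts):
    """Truncate a timestamp to the minute so counts are per-minute windows."""
    return ts.replace(second=0, microsecond=0)


def find_smtp_bursts(flows, relay=MAIL_RELAY, threshold=SMTP_BURST_THRESHOLD):
    """Return hosts (other than the relay) exceeding the per-minute SMTP connection threshold."""
    counts = Counter()
    for ts, src, _dst, dport, _nbytes in flows:
        if dport == 25 and src != relay:
            counts[(minute_bucket(ts), src)] += 1
    return sorted({src for (_minute, src), n in counts.items() if n > threshold})


def find_outbound_floods(flows, min_sources=FLOOD_MIN_SOURCES, min_flows=FLOOD_MIN_FLOWS):
    """Return (dst, dport) pairs hit by many internal sources with many flows in one minute."""
    per_target = defaultdict(lambda: [set(), 0])  # key -> [distinct sources, flow count]
    for ts, src, dst, dport, _nbytes in flows:
        entry = per_target[(minute_bucket(ts), dst, dport)]
        entry[0].add(src)
        entry[1] += 1
    return sorted({(dst, dport) for (_minute, dst, dport), (srcs, n) in per_target.items()
                   if len(srcs) >= min_sources and n >= min_flows})


def report(text):
    """Run both checks over a flow log and return the findings as a dict."""
    flows = parse_flows(text)
    return {"smtp_bursts": find_smtp_bursts(flows), "floods": find_outbound_floods(flows)}


if __name__ == "__main__":
    for kind, hits in report(build_sample_flows()).items():
        print(f"{kind}: {hits}")
```

The relay is whitelisted for SMTP because legitimate mail volume from it would otherwise dominate the count; in practice the whitelist should come from the site's change-controlled list of mail servers, and both thresholds should be set from an observed baseline rather than guessed, since a too-low threshold buries real bots in false positives.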

Intel technologies like Trusted Execution Technology (TXT) and instruction set extensions such as STTNI can be part of these solutions.  Intel® TXT can be used in solutions that help protect systems from the software attacks that deliver malware payloads and compromise systems.  Intel TXT (to be available with Westmere server systems) provides a new protection capability for most systems: it measures the launch environment (the hypervisor or OS loader) and can enforce a launch policy so that only code matching a "known good" measurement is allowed to run at launch. This matters because most malware executes only after the system has booted, so a trustworthy launch is a valuable complement to, not a replacement for, run-time antivirus and intrusion prevention. And to help with the growing burden of run-time malware and attack analysis, the SSE4.2 string and text instructions (STTNI) introduced with Nehalem accelerate the string and pattern matching that content-inspection software relies on to detect anomalies.  Continued research and development will ensure Intel keeps developing and deploying building blocks to help IT address today's challenges and tomorrow's.

We can do that most effectively only if we are trying to solve the right problems.  Are your systems under attack? (Yes, they are.) What types of solutions are most effective for you?  Where is your greatest exposure? Is the pain in stopping attacks or in cleaning up after them? This is certainly worth thinking about, before some government agency comes calling to ask why your systems are sending it so much spam!