Bot Busters

Winter 2007

Left to right, Department of Computer Science “Bot Busters”: Moheeb Rajab, graduate student; Andreas Terzis, assistant professor; and Fabian Monrose, assistant professor.

In the dark world of Internet fraud, a sinister new foe has emerged with the potential to wreak havoc. Can it be thwarted? At the Johns Hopkins University's Information Security Institute, an intrepid team of researchers is on the case.

In a quiet office tucked off a nondescript corridor on the Homewood campus, a small collection of aging computers is holding open house on an obscure corner of the Internet. Eighteen months ago, a couple of researchers at the Johns Hopkins University Information Security Institute put the machines there in a kind of a ‘let’s try it and see’ experiment.

“We were interested in ‘malware,’ which is the term used to describe the malicious software—such as computer viruses and worms—that circulates through the Internet,” says co-principal investigator Fabian Monrose, assistant professor in the Whiting School’s Department of Computer Science. “We wanted to try to assess the prevalence and identify the trends in this area.”

What they found sent shock waves of surprise across Hopkins—and far beyond.

The Hopkins Information Security Institute (which insiders abbreviate to JHUISI and pronounce “juicy”) was established in 2000 to conduct research and train students in the complex technical, legal, ethical, and public policy issues of electronic privacy and computer security. Noting that “securing information is one of the fundamental challenges of the digital age,” the institute’s founding mission statement foresaw the need for advanced research into computer security.

It was an idea exactly suited to its moment in history. JHUISI was born at a time when the Internet (according to the nonprofit Internet Systems Consortium) was just rounding 100 million “hosts” … and heading for the stratosphere. The ISC arrives at this number, commonly used to measure the size of the Internet, by twice annually counting every Internet Protocol (IP) address—a 32-bit number that can be thought of as each computer’s unique “street address” on the Internet—that has been assigned a name. In the six years since JHUISI was founded, according to ISC figures, the number of hosts has doubled, and doubled again, to approximately 400 million, with more than 100,000 new hosts appearing daily. Securing the information, ideas, and financial transactions that flow continuously across this vast protean landscape requires tremendous technological sophistication and—just as importantly, say researchers—a willingness to be surprised.


And surprised they were, when the motley collection of older computers and new machines running old versions of Windows operating software were put online. Each machine was assigned its own “virgin” IP number, a never-before-assigned Internet address within the JHU IP address space. Some of the newer computers were configured to run two or more “virtual machines,” each with its own IP address. In theory at least—since none of these unique addresses had previously been assigned—when connected to the Internet the machines should have sat quietly undisturbed, receiving only the occasional misdirected ping. Instead, they lit up like Christmas trees, responding immediately to a chatter of network inquiries asking who they were, and what they were doing, and—most sinisterly—whether the inquiring program could come in and play.

To all such inquiries the machines answered, “Yes! C’mon in!” Monrose and co-principal investigator Andreas Terzis deliberately placed machines running insecure versions of Windows XP (missing the later security patches released by Microsoft) to invite malware infection. Such machines are known as “honeypots” since they are attractive lures for malicious computer software such as viruses and worms. A networked series of machines like the system Monrose and Terzis created is known as a “honeynet.”

“The idea is that you put vulnerable machines out there to act like flypaper and collect samples of what’s floating around on the Web,” Monrose says. Many people, even those who work in the information technology field, have little idea of the sheer quantity of nefarious activity taking place. “We can get 100,000 unsolicited probes in a 10-minute period,” Monrose reports. According to research team member and graduate student Moheeb Rajab, “it takes on average just five seconds for an unprotected machine in our network to get compromised.”

The statistics are sobering for anyone whose job it is to safeguard computer networks and electronic information. But for the Hopkins researchers the scope of the problem was not exactly surprising. “We started this line of research a little more than two years ago when we first analyzed the behavior of large-scale worms such as Code-Red II and Nimda that made the headlines back in 2002 and 2003,” says Terzis, an assistant professor in the Department of Computer Science. “By observing the evolutionary changes across different generations of Internet worms it became apparent to us that each generation became smarter—that is, more virulent and more stealthy—than the previous one. The idea was that by running such a honeynet, we would be able to directly observe the ‘cutting edge’ of malware technology.”

What most surprised Terzis and Monrose was not the scale of the attacks their honeynet was subject to but, rather, the kinds of software that were doing much of the attacking. Although the news media was full of stories about computer viruses and worms, the Hopkins team soon discovered that a third category of malware known as bots (a shorthand term for ‘software robots’) was rapidly becoming the most active—and probably the most dangerous—class of malicious program circulating on the Internet. In a paper describing their research just published in October, they estimate that almost a third of all malicious connection attempts made to their honeynet can be directly related to botnet spreading attempts, and that as many as one in 10 networks has at least one client involved in bot-related activity.

Bots are software robots that run autonomously. Unlike computer worms, however, bots can also be controlled remotely by an operator, known as a botmaster, who links compromised computers into a private network known as a botnet. Three characteristics define bots and botnets: they can be controlled remotely, they are able to carry out multiple commands, and they contain an automatic spreading mechanism to distribute the program further and bring additional compromised machines into the botnet. “In the wild” (as researchers refer to the Internet beyond the borders of their own machines), botnets have been observed ranging in size from just a few infected computers to several thousand machines.

Graduate student Jay Zarfoss (left) confers with Fabian Monrose.

“No one really knows how prevalent this is, but research suggests there are hundreds of thousands of machines that have been infected,” says Niels Provos, a security researcher at Google. “It used to be that a firewall kept you safe, but that is no longer the case. Once your computer has installed that software that connects back to the botmaster, your computer is owned. You’ve got a zombie, but you most likely won’t even know it.” One of the initial uses of botnets was to launch distributed denial-of-service attacks. The botmasters attempted to monetize their holdings by blackmailing websites with the threat of a DoS attack, often targeting marginal but cash-rich online sites, such as pornography or gambling, that could be especially vulnerable since such sites are not eager to request help from law enforcement agencies. Provos notes that the focus of botnets seems to have shifted away from this approach in recent years: “Extortion does not work very well in general because there is a money trail leading to you. Usually, the amounts are high enough to get the FBI interested. On the other hand, if you can do identity fraud and steal a thousand dollars here and there, that seems to stay below the radar.”

Once a vulnerability in a computer operating system—and especially in Microsoft Windows—becomes known, malicious programmers design bots that automatically go looking for vulnerable machines to exploit the weakness and capture control of the computer. “We can say with confidence that bots are one of the topmost threats to the Internet,” says the Whiting School’s Rajab. “It’s easy to release these programs in the wild, and to date, there really are no solid countermeasures available.”

The Money Makes It Right

What makes bots especially dangerous, say researchers, is that they represent a whole new class of mischief on the Internet. In their article, Monrose, Terzis, Rajab, and fellow researcher and graduate student Jay Zarfoss note the ominous new direction that bots represent: “While other classes of malware were mostly used to demonstrate technical prominence among hackers, botnets are predominantly used for illegal activities.”

Bots point to a new class of Internet criminals motivated to use their programming skills to make money. In April 2006, USA Today reported on the case of Jeanson James Ancheta, a 19-year-old high school dropout whose botnet of thousands of compromised PCs enabled him to earn enough cash “to drive a souped-up 1993 BMW and spend $600 a week on new clothes and car parts.” According to court records, Ancheta signed up with Internet marketing companies to distribute ads on commission. But rather than following the legal procedure of establishing a website and asking visitors’ permission to install the ads, he used his botnet to covertly install adware on compromised computers. In six months Ancheta and a partner earned nearly $60,000 this way. In an online chat session Ancheta reportedly told his partner: “It’s immoral, but the money makes it right.”

Ancheta’s scheme was just one of the ways a botnet can be used to make money. Says Terzis, “Botnets represent in many ways the ‘cutting edge’ of malware technology these days because they are used to generate revenue for those individuals who take control of unsuspecting users’ desktops. Botnets are used to send spam e-mails, to host ‘phishing’ websites, for identity theft, as well as for extortion of online businesses by launching denial-of-service attacks. The fact that botnets generate a revenue stream for the people who control them gives them all the motivation to make them more virulent (and thus infect more vulnerable machines), harder to detect, and harder to eradicate. Moreover, botnets form a Darwinian universe in which the most efficient botnet will exploit all the resources—that is, all the vulnerable machines—and become more powerful.”

Botmasters controlling a network of compromised PCs can use their captive machines (which are often referred to as “zombies”) to engage in many different kinds of nefarious activities over periods of time. Some sell or rent their botnets to others to use, and currently, their chief clients are spammers, who send out the mass e-mails touting such things as pharmaceuticals or stocks that eventually find their way into almost every e-mail user’s inbox.

Previously, such mass e-mailing typically came from a single computer server, and so was relatively easy to block. But in October, the Internet security website reported a sudden and dramatic increase in the global volume of spam, which by some counts has more than tripled in the past half year. Increasingly, said the online report, “spam emanated from networks of compromised PCs, known as botnets.”

As the economic value of botnets increases, so does the sophistication of the bots and their botmasters. Some bots have been discovered that gain control of computers through a particular vulnerability but then, once in control, actually instruct the infected machine to go online to download the appropriate security patch to ensure other botmasters won’t find and exploit the same weakness. In addition, some bots are designed to neutralize existing virus protection already loaded on the machine, altering programs so that the protective software will appear to be running—and even retrieving periodic updates—when it is in fact disabled.

Armed with preliminary data showing the higher-than-expected prevalence of botnet attacks against university IP addresses, and with both direct and anecdotal evidence of the new sophistication and capability of the software robots and their masters, Monrose and Terzis made a special presentation to senior university leadership about the scale and danger of this new threat. “They were stunned,” says JHUISI researcher and Computer Science professor Avi Rubin, who sat in on the meeting. “They kept saying, ‘Really?! Can they really do that?!’ They had no idea of the extent of the problem.”

Johns Hopkins Chief Information Security Officer Darren Lacey says botnets have caught many systems administrators unaware. “When we first started seeing bots three or four years ago we thought they were no more risk than worms or viruses,” he says. “But we missed the boat; we’re seeing many more compromised machines from bot attacks, and the damage they can do is potentially much greater.”

Both Lacey and Rubin think the research coming out of the Hopkins honeynet points the way to the future of computer security. “I’m a big fan of this research, because it’s at the leading edge of the Internet,” says Rubin. “It’s definitely true that the stakes have suddenly gotten much higher.” He sees a close parallel to his own work in analyzing the many documented shortcomings in touch-screen electronic voting machines. He says in both instances, the degree of vulnerability correlates directly to the amount of motivation some people might have to compromise the integrity of a system. “Look at how much people pay for campaign ads and ask yourself, ‘What is at stake here?’” he says. “Consider, for instance, a hypothetical defense contractor who might believe that contracts worth billions of dollars hang in the balance of an election. That’s a huge amount of motivation for some people to try to win elections by tampering with the vote—and computers can provide a uniquely untraceable way of doing that.”

In much the same way, the burgeoning world of e-commerce provides a tempting target for criminals hoping to shave off just a small fraction of the billions of dollars of transactions occurring there, or to try attacking a large and well-funded organization like Johns Hopkins, in hopes of skimming funds or valuable information from the nearly ubiquitous Internet connectivity across the institution.

“The university’s scarce and valuable resources are being consumed by our efforts to pre-empt strikes of this kind,” says Johns Hopkins Chief Information Officer Stephanie Reel. “The bad guys are getting smarter and the challenges are getting tougher, and so these are resources we must deploy to protect ourselves. We’re focused on this, but it’s not an exact science, and we never get 100 percent ahead of the problems.”

A Wake-Up Call

While it is relatively easy to put a vulnerable machine out on the Internet and allow it to become infected with a bot, it is a much more difficult proposition to isolate, observe, and understand the malicious software in such a way that does not alert botmasters to the fact they are being observed, and at the same time does not allow the bots to further spread or carry out any nefarious activities.

The research team at JHUISI took both factors into account when developing much of their data collection architecture. “We started with a general-purpose collection system to see how well we could capture and isolate malware, but we soon had to create a whole new data collection infrastructure with several unique features,” explains Rajab. “We capture and analyze malicious binaries using a separate system that just does this. The analysis phase is always done using a separate system, isolated from the Internet, because we have to make sure that the binaries we have captured are not allowed to participate in an organized attack or cause other problems. We think we have succeeded, but we continuously monitor any outbound activity to be sure we are not participating in any malfeasance.”
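Both the honeynet idea described earlier (traffic arriving at never-assigned addresses is unsolicited by definition) and the containment monitoring Rajab describes here reduce to the same defender's task: scanning network flow records for traffic that should not exist. The Python below is an added example, not the JHU team's code. It assumes a constructed whitespace-separated flow-log format, an RFC 5737 documentation range standing in for the dark address space, and a private range standing in for the isolated analysis segment; all flow lines are constructed.

```python
"""Two defender-side checks over flow records:

1. Inbound flows to never-assigned ("dark") addresses: nothing legitimate is
   sent there, so each one is an unsolicited probe that can be counted,
   attributed to its source and checked for scanning patterns.
2. Outbound flows from the isolated analysis segment, which must never leave
   it while captured binaries are being run.

Every address, prefix and flow line here is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Assumed prefixes (placeholders, not the JHU address space).
DARK_PREFIX = ipaddress.ip_network("198.51.100.0/24")    # never-assigned space
ANALYSIS_PREFIX = ipaddress.ip_network("10.20.0.0/24")   # isolated sandbox segment

# Constructed flow log, one record per line: "ts src dst dport proto".
SAMPLE_FLOWS = """\
1167609600 203.0.113.7  198.51.100.20 445  tcp
1167609601 203.0.113.7  198.51.100.21 445  tcp
1167609601 203.0.113.7  198.51.100.22 445  tcp
1167609602 203.0.113.9  198.51.100.20 135  tcp
1167609603 192.0.2.44   198.51.100.5  80   tcp
1167609604 203.0.113.7  198.51.100.23 445  tcp
1167609605 192.0.2.44   198.51.100.6  80   tcp
1167609606 203.0.113.9  10.0.0.8      135  tcp
1167609607 10.20.0.5    203.0.113.50  6667 tcp
1167609608 10.20.0.5    10.20.0.9     445  tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flows(text):
    """Parse the constructed flow format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport), proto))
    return flows


def dark_probes(flows):
    """Every flow aimed at dark space is an unsolicited probe."""
    return [f for f in flows if f.dst in DARK_PREFIX]


def probe_summary(flows, min_hosts=3):
    """Probes per source and per destination port, plus horizontal scans:
    one source touching at least `min_hosts` distinct dark hosts on one port."""
    probes = dark_probes(flows)
    per_src = Counter(str(f.src) for f in probes)
    per_port = Counter(f.dport for f in probes)
    touched = {}
    for f in probes:
        touched.setdefault((str(f.src), f.dport), set()).add(f.dst)
    scanners = {key: len(hosts) for key, hosts in touched.items()
                if len(hosts) >= min_hosts}
    return {"probes": len(probes), "per_src": per_src,
            "per_port": per_port, "scanners": scanners}


def probes_per_minute(flows):
    """Probe rate over the observed window, comparable to the article's figure."""
    probes = dark_probes(flows)
    if not probes:
        return 0.0
    span = max(f.ts for f in probes) - min(f.ts for f in probes)
    return len(probes) * 60.0 / max(span, 1)


def outbound_leaks(flows):
    """Flows leaving the analysis segment. It is meant to be cut off from the
    Internet, so any hit means containment failed and needs investigation."""
    return [f for f in flows
            if f.src in ANALYSIS_PREFIX and f.dst not in ANALYSIS_PREFIX]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    summary = probe_summary(flows)
    print(f"{summary['probes']} probes, {probes_per_minute(flows):.0f}/min")
    for (src, port), n in summary["scanners"].items():
        print(f"scan: {src} touched {n} dark hosts on port {port}")
    for f in outbound_leaks(flows):
        print(f"LEAK: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

On the constructed log this reports seven probes, one source sweeping four dark hosts on port 445, and one outbound attempt from the analysis segment to an external host, which is exactly the kind of event the continuous outbound monitoring Rajab mentions is meant to catch.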


Gerald Masson, director of Johns Hopkins University Information Security Institute

The system enabled the researchers to collect about 3,000 distinct binaries over a three-month period, according to Monrose, and track 192 unique botnets ranging in size from a few hundred to a few thousand infected end hosts. In addition, the team discovered evidence of botnet infections in 11 percent of the 800,000 domains they examined, indicating that the problem was commonplace among a large diversity of Internet hosts. “At this time most attacks are still fairly naive,” Monrose says, meaning that a high percentage of botmasters are not exploiting their captured machines to the full extent of malicious activity possible. However, the motivation of money could easily turn many of the attackers into dangerous predators. “The majority of research in this field has always been reactive, focused on coming up with a defense strategy for a problem already under way,” he says. “It’s a problematic approach. We need to look at being proactive, and stop these attacks before they become profoundly disruptive.”

As research continues, Monrose and Terzis hope to better understand how most botmasters organize attacks and what vulnerabilities offer the greatest financial incentives to Internet criminals. “I think their research has all the right components,” says Gerald Masson, founding director of JHUISI and professor and former chair of the computer science department. “It’s technically deep, requires rigorous background to understand the issues, and will have a significant public impact.” He sees their work as a wake-up call for systems administrators and security specialists everywhere. “As a society we’re led to believe that these problems are always the work of some 17-year-old hacker living on potato chips and Coke, but the reality is that there are some very smart and well-trained people involved in doing this.” These new Internet criminals prey on the essential openness and freedom from scrutiny in their victims’ social order. Observes Masson, “The Internet was designed and built with the assumption that everyone would play fair. But clearly this is not the case.”

JHUISI is uniquely suited to harness and transmit the cutting edge of information security research. It is the only institute in the Whiting School with an academic degree program, offering the Master of Science in Security Informatics, or MSSI degree, which features both rigorous technical training along with public policy, privacy law, and health management components. “Students take this education we provide and then go places we never could have predicted,” Masson says. “The breadth of activities at Johns Hopkins is collectively harnessed to create compelling academic offerings with a superb research program. In a way, we are providing the infrastructure for the future of computer security.”

The first MSSI degrees were awarded in 2002 to three students. Now the institute typically has 40 to 45 students who spend two, three, or even four semesters in the program. Recently, JHUISI began offering a dual master’s program with the Bloomberg School of Public Health, and is also working with undergraduates in a concurrent bachelor’s/master’s program that students join in their junior year, completing both degrees in five years: an undergraduate degree in computer science or applied math, and the MSSI degree. Currently, about a dozen students are enrolled in the joint undergraduate/graduate degree program.

As information security evolves, JHUISI is recognized as one of just a few national centers doing the research and training of the next generation of leaders that will define the field in years to come.

Best Advice: Clean Living

“For the most part, preventing botnet infection is about having a healthy lifestyle—don’t visit ‘iffy’ websites, be very careful of the attachments you accept, and keep your patches and anti-virus protection updated,” says Andreas Terzis. “There are remedies. One study showed that if you are running, for example, Norton antivirus software, and keeping it updated, then your computer would catch about 95 percent of the botnets we found.”

The problem, surveys find time and again, is that most computer users are not doing these things, and that even many systems administrators fail to keep current with the patches and updates necessary to fully protect their networks. That is a problem that remains to be solved.

“Internet safety is evolving. Users want to do their jobs, so design has to be simple,” Terzis says. “There is no magic bullet. You can’t say we are going to do ‘X’ and this will solve the problem. It’s going to be a combination of things, an evolving set of techniques. The opposition is highly motivated to make money. For us, the mentality is not trying to react to what happened yesterday, but trying to design for tomorrow’s attacks. That’s our motivation.”