Botnet 'ensnares government PCs' - Hi-tech crime: A glossary

2009-04-22 09:04:26

By Darren Waters

Technology editor, BBC News website

Almost two million PCs globally, including machines inside UK and US government departments, have been taken over by malicious hackers.

Security experts Finjan traced the giant network of remotely-controlled PCs, called a botnet, back to a gang of cyber criminals in Ukraine.

Several PCs inside six UK government bodies were compromised by the botnet.

Finjan has contacted the Metropolitan Police with details of the government PCs and it is now investigating.

A spokesman for the Cabinet Office, which is charged with setting standards for the use of information technology across government, said it would not comment on specific attacks "for security reasons".


"It is Government policy neither to confirm nor deny if an individual organisation has been the subject of an attack nor to speculate on the origins or success of such attacks."

He added: "We constantly monitor new and existing risks and work to minimise their impact by alerting departments and giving them advice and guidance on dealing with the threat."

It is the second time in a year that PCs inside government departments have been hacked to form part of a botnet.

On this occasion, the machines were infected, through vulnerabilities in their web browsers, with software that allowed them to be taken over and enslaved in the botnet.

At the mercy

Once a machine has been compromised, it can be instructed to download further software, which puts the machine at the mercy of malicious hackers.

STAYING SAFE ONLINE

Use anti-spyware and anti-virus programs

On at least a weekly basis update anti-virus and spyware products

Install a firewall and make sure it is switched on

Make sure updates to your operating system are installed

Take time to educate yourself and family about the risks

Monitor your computer and stay alert to threats

The compromised PCs are capable of reading e-mail addresses, copying files, recording keystrokes, sending spam and capturing screen shots.

Once a single machine inside a corporate network has been made part of the botnet it puts other machines on the network at risk.

The Cabinet Office would not give details of what the compromised machines had been instructed to do, nor the names of the different government departments that had been infiltrated.

The cyber criminals, who have not been caught, were selling access to the compromised machines, thought to be mainly PCs inside companies, on a hackers' forum in Russia.

One thousand machines were being sold at a time for between $50 and $100.

Finjan reports that the botnet is under the control of six criminals who are able to remotely control the infected machines.

Different organisations

Almost half of the infected machines were in the US. Six percent of the botnet, about 114,000 machines from 52 different organisations, were from the UK, among them a single PC inside the BBC's network.

Many of the infected machines will have been caught by routine information security policies at firms, as was the case at the BBC, but Finjan says many of the botnet PCs are still active.


More than 70 different national government agencies from around the world were caught up in the malicious network.

Yuval Ben-Itzhak, chief technology officer for Finjan, told BBC News: "When we looked at the network domain names to see where the [compromised PCs] come from we were surprised to see many government networks, including UK government computers.

"Obviously we reported it and they have now dealt with it. There were six UK agencies with at least one computer in each department that was running the bot.

"I'm not at liberty to name the actual agencies - but this isn't a unique story to the UK, they were running in many other non-UK, government bodies too."

Government bodies

A number of different government bodies are responsible for IT security and deployment across the UK.

They include the Central Sponsor for Information Assurance, the National Technical Authority for Information Assurance, and the Centre for the Protection of National Infrastructure (CPNI), the government body which is part of the British Security Service and responsible for providing security advice to organisations that make up critical services in the UK.

All of the infected machines were Windows-based PCs, and the malware targeted security holes in Internet Explorer and Firefox.

Mr Ben-Itzhak said: "What is unique is the number, the size of the network. When we look at a similar network last year they were in the hundreds of thousands. Now we're looking at mega-size botnets."

In contact

A spokeswoman for the Metropolitan Police said: "This is an ongoing investigation. We are aware of this botnet and are taking appropriate action."

Large botnets can be used to co-ordinate attacks, known as Distributed Denial of Service attacks, that knock parts of the network or specific websites offline.

Last year, the CPNI told a Cabinet Office-commissioned independent review that stopping such attacks was difficult.

It said: "The attacks are relatively low in sophistication, but have been highly effective due to the large number of compromised machines involved.

"It is difficult to defend against a sophisticated Distributed Denial of Service attack without impacting legitimate business use."

The CPNI recommended that the best defence against these attacks was appropriate monitoring of the network.

Additional reporting by Daniel Emery.

Hi-tech crime: A glossary

By Mark Ward

Technology Correspondent, BBC News website

Like many subjects, information security comes with its own terminology and the jargon can be opaque to outsiders. The glossary below sheds light on the murky world of cyber crime.

ADWARE

Unwanted programs that, once installed, bombard users with unwanted adverts. Often those pushing the adware programs get paid for every machine they manage to recruit.

Some adware poses as fake computer security software. It can be very hard to remove.

BLACKHAT

A hacker that uses his or her skills for explicitly criminal or malicious ends. Has been used to mean the writers of destructive viruses or those that use attacks to knock websites offline. Now as likely to refer to those that steal credit card numbers and banking data with viruses or by phishing.

BOT

The name given to an individual computer in a larger botnet, which is more than likely a home PC running Windows. The name is an abbreviation of "robot" to imply that it is under someone else's control.

BOTNET

A large number of hijacked computers under the remote control of a single person via a net-based command and control system.

The machines are often recruited via a virus that travels via e-mail, but increasingly drive-by downloads and worms are also used to find and recruit victims.

The biggest botnets can have tens of thousands of hijacked computers in them.

Research suggests they can be hired from as little as 4 cents per machine.

BOTNET HERDER

One of the names for the controller or operator of a botnet.

BULLET-PROOF HOSTING

A company that guarantees that its servers will not be shut down even when the request to do so comes from law enforcement agencies.

These hosting companies are often located off-shore or in nations where computer crime laws are lax or non-existent and where extradition requests will not be honoured.

CARDER

Someone who steals or trades exclusively in stolen credit card numbers and their associated information.

CASH-OUT

A euphemism that means to steal money from a bank account or credit card to which someone has gained illegal access.

Hackers who grab credit card data often do not possess the skills or contacts to launder the money they can steal this way.

CHANNEL

A virtual "room" on the IRC text chat system. Most channels are dedicated to a single topic.

CROSS-SITE SCRIPTING

A sophisticated phishing attack that exploits weaknesses in the legitimate sites of financial institutions to make attempts to trick people into handing over confidential details more plausible.

A successful use of cross-site scripting will make it look like all the transactions are being done on the website of the real bank or financial institution.

DEAD-DROP

A hijacked PC or server used to store all the personal data stolen by keyloggers, spyware or viruses.

Criminal hackers prefer to keep their distance from this data as its possession is incriminating. Dead drops are usually found and shut down within a few days of the associated phishing e-mails being sent out.

DDoS

Abbreviation for Distributed Denial of Service. This is an attack in which thousands of separate computers, which are usually part of a botnet, bombard a target with bogus data to knock it off the net.

DDoS attacks have been used by extortionists who threaten to knock a site offline unless a hefty ransom is paid.

DRIVE-BY DOWNLOAD

Malicious programs that automatically install when a potential victim visits a booby-trapped website.

The vast majority exploit vulnerabilities in Microsoft's Internet Explorer browser to install themselves.

Sometimes it is obvious that a drive-by download has occurred, as they can lead to bookmarks and start pages of the browser being replaced. Others install unwanted toolbars.

Increasingly criminals are using drive-bys to install keyloggers that steal login and password information.

EXPLOIT

A bug or vulnerability in software that malicious hackers use to compromise a computer or network.

Exploit code is the snippet of programming that actually does the work of penetrating via this loophole.

FIREWALL

Either a program or a feature built into hardware which sits between a computer and the internet. Its job is to filter incoming and outbound traffic.

Firewalls stop net-borne attacks such as worms reaching your PC.

HONEYPOT

An individual computer or a network of machines set up to look like a poorly protected system but which records every attempt, successful or otherwise, to compromise it.

Often the first hints of a new rash of malicious programs come from the evidence collected by honeypots.

Now cyber criminals are tuning their malware to spot when it has compromised a honeypot and to leave without taking over.

IP ADDRESS

The numerical identifier that every machine attached to the internet needs to ensure the data it requests returns to the right place. IP stands for Internet Protocol, and the technical specification defines how this numerical system works.

IRC

Abbreviation for Internet Relay Chat - one of the net's hugely popular text chat systems.

The technology is also used by botnet herders to keep tabs on and control their flock of machines.

KEYLOGGER

Program installed on a victim's machine that records every keystroke that a user makes.

These tools can obviously be very useful for stealing login and password details. However, the data that is stolen often has to be heavily processed to make it intelligible and to extract names and numbers.

MALWARE

Portmanteau term for all malicious software; it covers any unwanted program that makes its way on to a computer. Derived from "malicious software".

MAN-IN-THE-MIDDLE

A sophisticated attack in which a criminal hacker intercepts traffic sent between a victim's computer and the website of the organisation, usually a financial institution, that they are using.

Used to lend credibility to attacks or simply steal information about online accounts. Can be useful to defeat security measures that rely on more than just passwords to grant entry to an account.

PACKET SNIFFING

The practice of examining the individual packets of data received by a computer to find out more about what the machine is being used for.

Often login names and passwords are sent in plain text within data packets and can easily be extracted.

PHISHING

The practice of sending out e-mail messages that look as if they come from a financial institution and which seek to trick people into handing over confidential details.

Often they direct people to another website that looks like that of the bank or financial institution the e-mail purports to have come from. Anyone handing over details could rapidly have their account plundered.

PORT

The virtual door that net-capable programs open to identify where the data they request from the net should be directed once it reaches a computer.

Web browsing traffic typically passes through port 80, e-mail through port 25.

ROOTS

A slang term for networks that have been hacked into by criminal hackers. Derives from the deep, or root, access that system administrators typically enjoy on a network or computer.

The login details to get root access are often sold to spammers and phishing gangs who then use these networks to send out millions of e-mail messages.

SCRIPT KIDDIE

An unskilled hacker who originates nothing but simply steals code, techniques and attack methods from others.

Many viruses and worms on the web today are simply patched together from other bits of code that malicious hackers share.

SPYWARE

Malicious program that, once installed on a target machine, steals personal and confidential information. Distinct from adware.

Spyware can be contracted many different ways. Increasingly it arrives on a PC via a web download. Often uses a keylogger to grab information. Some are now starting to record mouse movements in a bid to foil the latest security measures. Some fake security programs pose as spyware cleaners.

TCP

Abbreviation for Transmission Control Protocol - the series of specifications which define the format of data packets sent across the internet.

TROJAN

Like the wooden horse of legend, this is a type of program or message that looks benign but conceals a malicious payload. Many of the attachments on virus-bearing e-mail messages carry trojans.

VIRUS

A malicious program - usually one that requires action to successfully infect a victim. For instance, the malicious programs inside e-mail attachments usually only strike if the recipient opens them.

Increasingly the word is used as a portmanteau term for all malicious programs - those that users must set off or those that find their own way around the net.

WHITEHAT

A hacker that uses his or her skills for positive ends and often to thwart malicious hackers.

Many whitehat security professionals spend their time looking for and closing the bugs in code that blackhats are keen to exploit.

WORM

Self-propelled malicious program that scours the web seeking new victims - in the past this has been used to distinguish it from a virus that requires user action to compromise a machine.

Worms can infect and take over computers without any help, bar lax security, from a victim.

ZERO DAY

A zero day vulnerability is one for which code to exploit it appears on the first day that the loophole is announced.

As most of the damage done by exploiting bugs occurs in the first few days after they become public, software firms usually move quickly to patch zero day vulnerabilities.

ZOMBIE

Another name for a hijacked computer that is a member of a botnet.