Watchdogs set up 'honey pots' to trap hackers

[Nipun Mohta]

WASHINGTON: The number of zombies out there lurking on desktops is growing. And to fight them, a band of internet security experts is using a ‘neighbourhood watch’ approach and every honey pot it can muster.

The Shadowserver Foundation’s world-wide daily count of zombie computers, which are infected with viruses and bent to malevolent purposes, doubled this month to 3,00,000 from 1,50,000 a year earlier. The spurt comes from more hackers linking machines to form botnets, networks they use to steal identities, attack Web sites and sell pilfered email addresses to spammers.

Internet crimes cost consumers and businesses $239 million in 2007, up 20% from the year before, according to US government data. Botnets are growing in popularity and sophistication as tools for hackers, and Shadowserver’s research helps law enforcement and security companies such as McAfee identify emerging threats.

“It’s becoming an increasingly common mechanism the bad guys are using,” said John Pescatore, an analyst at researcher Gartner in Ashton, Maryland, who used to build secure computer systems for the US Secret Service. Shadowserver is “like neighbourhood watch groups that are a great help to local police.”

Working in shifts around the clock, Shadowserver’s 10 members set up ‘honey pot’ computers designed to attract malicious software.

They monitor zombie machines and hackers, and report their findings to law enforcement and internet-service providers such as Philadelphia-based Comcast. In the weeks leading up to Georgia’s military conflict with Russia in August, Shadowserver was among the first to report that hackers attacked Georgian president Mikheil Saakashvili’s website, taking it down for 24 hours. The hackers used a botnet to swamp the site with requests.

“We see dozens of such attacks on a daily basis,” Shadowserver director Andr? DiMino, who co-founded the group almost four years ago, said in an interview.

Such zombie-computer armies began as the work of lone hackers and evolved into sophisticated tools used by organised crime groups, said DiMino, who goes by the online name SemperSecurus. Dealing with bot-infected computers cost organisations an average of almost $350,000 this year, according a survey by the Computer Security Institute, an industry group that promotes computer-security education.

“Botnets pose a significant risk because they’re the Swiss Army knife of malicious code,” said Nicholas Ianelli, an analyst at the CERT Coordination Center, which studies internet security as part of Carnegie Mellon University’s Software Engineering Institute. “They can do so many things with one compromised host.”

As of August 26, Shadowserver had detected more than 157,000 botnet attacks on websites in 105 countries this year. DiMino said the group is probably finding only a small fraction of botnet activities.

The average daily number of active bot-infected computers rose 17% to 61,940 from the first half of 2007 to the second, according to Symantec, the biggest maker of security software. Arbor Networks, which often works with Shadowserver, detected more than 1,800 active botnets per day in September, up as much as 20% from a year ago, said senior security researcher Jose Nazario.

“We’ve been tracking botnets for years and we’re seeing a dramatic rise,” Nazario

said. Lexington, Massachusetts-based Arbor provides securit

y for more than 300

companies including Yahoo! and Verizon Communications’ business unit.

A year ago, the Federal Bureau of Investigation said an investigation of botnets, dubbed Operation Bot Roast, uncovered more than 1 million infected computers and more than $20 million in economic losses from crimes related to botnets.

Shadowserver’s members spend anywhere from 5 to 40 hours a week tracking internet-security threats. DiMino, a native of New York who now lives in New Jersey, said Shadowserver’s members are not vigilantes and don’t ‘hack the hackers,’ as some other volunteers do.

“It gets us pretty jazzed when we can see that things we’ve worked on have had a tangible result in internet safety,” he said. “That’s really a key motivator for all of us.”

In February, the group said it uncovered an attack on 32 gambling sites, including one run by PartyGaming, the owner of the PartyPoker.com website.

Organisations such as Shadowserver are ‘another weapon in our armoury’ against hackers, supplementing PartyGaming’s own investment in internet security, spokesman John Shepherd said. Shadowserver appears to be “very good at what they do,” he said, declining to comment on the February report.

While Shadowserver wants to publicise its findings, group members keep low profiles — and not just because of the potential for retaliation from hackers who don’t want their botnets exposed, DiMino said.

Source