Bots are a bigger security problem than we think. Those of us who work in security are not unaccustomed to running into bots on the networks we monitor; in Check Point's 2014 Annual Security Report, released last month, our research found that 49 percent of organizations had seven or more bot-infected hosts.
Malware exposure and infections increased across the board last year, reflecting the growing success of targeted malware campaigns. In 2013, 73 percent of organizations had at least one bot detected, compared with 63 percent in 2012. Meanwhile, 16 percent of organizations had more than 35 bot-infected hosts, and 77 percent had bots on their networks that remained active for more than four weeks. But the truth is that we have seen situations that were far worse: networks with literally thousands of bots running on them.
To an untrained eye, having a handful of bots on your network, let alone hundreds or thousands, might seem alarming. But not all bots are created equal in their ability to disrupt an individual or an organization. Some are no more than a nuisance, while others have the potential to wreak havoc on a network. What a given bot does on your network depends on the skill of its developer, the purpose it was built for, and its ability to get onto your network in the first place.
Bots range widely in severity. A few examples (from bad to worse) are:
- Adware-based bots: Those that drive up revenue for publishers by clicking on banner ads.
- Zeus: A bot that looks to steal financial information, such as bank account information and social security numbers, from large organizations and individuals. Can be deployed as a prebuilt kit.
- Stuxnet: The mother of all bots, programmed to stop the production of uranium at the Iranian nuclear power plant, and arguably set the country's nuclear ambitions back months, if not years. This is the extreme example of targeted malware: designed for a very focused purpose and leveraging attack vectors that were largely unknown.
So, where there's a will there's a way.
What's driving the proliferation of these bots? If ten thousand bots on a network indicate anything, it's that creating and distributing bots is easier than ever. Almost anyone can unleash a bot onto a network. How is that possible, you may ask? There's big business in selling bots to any Monday morning quarterback: criminal elements are developing and selling bot kits, offering customization, 24-hour support and a rented command-and-control center to anyone with a credit card. The Zeus toolkit is a good example. Any individual who wants to deploy Zeus in an attempt to steal financial or personal information can try their hand at it by buying and downloading a toolkit online.