The cyber mafia and the cloud

Friday, July 1, 2011

Today's attacks on computers are not simple user-by-user infections that can be easily sorted out by an antivirus; rather, they are collective contamination by malware known as "bots."

The bots are built using toolkits and controlled by a "botmaster" who can coordinate networks of infected machines called "botnets" to carry out attacks. According to a report from Slovakian antivirus and security software developer Eset, titled "Trends for 2011: Botnets and Dynamic Malware," a hacker can rent a server to store malware and exploit kits or botnet components for only US$80-200 a month.

To talk more in depth about this threat, BNamericas spoke to Paul Mockapetris, chairman of US DNS solutions provider Nominum, who also invented the Domain Name System (DNS) in 1983.

BNamericas: How do botnets operate?

Mockapetris: We always hear about how businesses can use cloud computing and be so effective. Well, botnets are doing cloud computing, but they are doing it for an evil purpose.

BNamericas: Cloud computing?

Mockapetris: The cost for the use of the machines is low because the botnet just takes over your excess capacity and can be used for different purposes.

BNamericas: And how does it work?

Mockapetris: The most common ones are sending a denial of service attack via spam, where you send a package to a particular destination and you just overwhelm it, like causing an instant traffic jam to their website by just sending a lot of packages. You send things that look like web requests to a web server that can handle a bunch of requests from normal users, [but it] suddenly sees 100 times more attacks from fake users created by the botnets.

BNamericas: And what's the motivation behind this?

Mockapetris: Crime is the motivation. One of the most recent studies suggests that clearing payments was one of the ways to fight spam. Spam has been remarkably resilient during the last couple of years. There have been more subtle attacks where you go to a website and click on a link and your machine can be compromised.

Behind all this are criminal money-making activities. You get paid for spam, which is not much, but when your cost is low because you're using someone else's bandwidth and machines you can make money doing it. Certainly, stealing ID, credit card numbers and all that is a big business.

BNamericas: But if they are destroying systems, how can they make money by having fewer computers available?

Mockapetris: People often say that spam is designed to collapse networks, and this is not true. Hackers have been paid to distribute malware all over the place. You need to produce 2mn messages in order to produce US$1 in terms of revenues, so you need to send a lot of spam to produce revenue.

BNamericas: Are some countries more likely to be the center of operations than others?

Mockapetris: A lot is dependent on how the law is enforced. The types of crime vary - from DVD piracy where, for example, there are countries where a movie is available as a pirated DVD before its official release date, to the more direct crimes of getting people's bank accounts or stealing their software. If you are going to be in business, you go for the more relaxed enforcement environments to set up.

BNamericas: And what about users? How aware are they?

Mockapetris: Some markets are more mature than others. So people who have had the internet for a long time aren't surprised to find a bunch of spam emails in their inboxes from Nigeria saying they need to transfer some money but need your bank details... People think, "I've seen this movie before," and ignore them. But those who get their first smartphone and suddenly get a message - it can look very legitimate. It takes a while to get that type of maturity to the users, and they [the criminals] want new users because they're less sophisticated. It's a very complicated phenomenon.

BNamericas: Is Latin America creating or receiving them?

Mockapetris: Latin America is a vertical market, from Mexico to Chile. This is probably a new market and people are doing these things. Like with any new market, there's a period of learning, and I think that's what's going on regarding internet adoption and the affordability of internet in the region. I don't think many people know how great the market is. But when we take some of our server data, we see that Latin America is variable in terms of suspected activity, but not much. But that's what you'll expect when you have new users and new things coming out.

BNamericas: Are antiviruses not enough?

Mockapetris: The question here is whether you protected yourself soon enough. What we do [at Nominum] is to provide a service that when [you] say "go to site," we might not know if that's a bad site. So instead of directing you there, we will ask are you sure you want us to go there?

Meanwhile, it could be that your antivirus will get automatically updated, something that can be very annoying and tends to happen with Microsoft, let's say, every Tuesday. So if you are planning to launch an attack, which day will you do it? See? These [botnet] attacks don't happen like that, so the service we provide is a little bit more timing up front. If we see a new threat we can let people know around the world in a second. And sometimes people detect the virus that attacks a specific machine, and they know it's bad but they haven't discovered the antivirus. This is like when we have swine flu but we didn't have the vaccine, so there's a layer of protection that steers you away from getting close to these things, which is the first layer of defense. Being able to defend yourself is also part of it. Unfortunately, there's no one way to know if you are totally safe.

BNamericas: What's the best way to navigate safely on the internet?

Mockapetris: You need to have a bit of internet street sense, knowing which internet sites are known to be a problem, and using our service can do that automatically for you. But also take a look at the contact and search for internet signatures. But from the moment that something seems to be harmful to actually detecting the source can take a while, and cutting that time down is a way of keeping you safe.

BNamericas: How does your product work?

Mockapetris: The network protection server basically knows about a bunch of sites and addresses and other things that are known to be harmful. The other thing that it can do is look at the activity on the network, because every time you open up a website the service will look up DNS and check for suspicious activity.

But also, if the system detects that there's a user that seems to be sending 50,000 messages a day, either that means that the user is a very fast typist, or perhaps the machine has been infected and the virus is sending out these emails. So if you can tell the person there's something wrong there, they can take steps. In many universities they do this kind of detection on students' PCs and tell the students to clean their machines.

There's the detection of infection in the users' machines but also protecting them, as these botnets communicate with each other to do their work, and what you can do is to try to interfere with their use of the DNS to do their work. So basically, if you look at the entire lifecycle of a botnet, it tries to keep people infected. You can prevent the attack by preventing the operation of the botnet program, and that's the way to protect yourself.
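The two resolver-side checks Mockapetris describes above (matching lookups against a list of sites known to be harmful, and spotting a client whose query volume is far beyond what a human user generates) can be illustrated in a few lines of Python. The code below is an added example and is not Nominum's product, log format or data: the log lines, the blocklisted domain names and the threshold are all constructed for the illustration, and using MX lookups as a proxy for outbound mail volume is this example's assumption.

```python
"""Resolver-side botnet detection over DNS query logs (added example).

Two checks from the interview: (1) flag clients that resolve a domain on a
list of known-harmful names, and (2) flag clients whose per-day lookup
volume looks like a machine, not a person. Everything here is constructed:
the log format, the blocklist and the threshold are hypothetical.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed blocklist of "known to be harmful" domains (hypothetical names).
BLOCKLIST = {"bad-c2.example", "evil-kit.example"}

# Constructed resolver log: "<ISO timestamp> <client IP> <query name> <type>".
SAMPLE_LOG = [
    "2011-07-01T09:00:00 10.0.0.5 www.example.com A",
    "2011-07-01T09:00:01 10.0.0.5 update.bad-c2.example A",
    "2011-07-01T09:00:02 10.0.0.7 mail.example.net MX",
    "2011-07-01T09:00:03 10.0.0.9 example.org MX",
    "2011-07-01T09:00:04 10.0.0.9 example.com MX",
    "2011-07-01T09:00:05 10.0.0.9 example.net MX",
    "2011-07-01T09:00:06 10.0.0.9 example.edu MX",
    "2011-07-01T09:00:07 10.0.0.9 evil-kit.example A",
    "malformed line",
]


@dataclass(frozen=True)
class Query:
    ts: datetime
    client: str
    qname: str
    qtype: str


def parse_log(lines):
    """Parse the constructed log format; lines without four fields are skipped."""
    queries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        queries.append(Query(datetime.fromisoformat(ts), client,
                             qname.rstrip(".").lower(), qtype.upper()))
    return queries


def is_blocklisted(qname, blocklist=BLOCKLIST):
    """True if qname is a blocklisted domain or a subdomain of one
    (so 'update.bad-c2.example' matches the entry 'bad-c2.example')."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_blocklisted_clients(queries, blocklist=BLOCKLIST):
    """Map each client to the set of blocklisted names it looked up."""
    hits = defaultdict(set)
    for q in queries:
        if is_blocklisted(q.qname, blocklist):
            hits[q.client].add(q.qname)
    return dict(hits)


def find_high_volume_clients(queries, qtype="MX", threshold=3):
    """Return clients whose per-day lookups of one record type exceed the
    threshold, with their highest daily count. MX lookups stand in for
    outbound mail here: a desktop resolving MX records for many domains a
    day behaves like a spam engine, not a typist. The threshold of 3 only
    fits the tiny sample data; it is not a recommended production value."""
    per_day = Counter()
    for q in queries:
        if q.qtype == qtype:
            per_day[(q.client, q.ts.date())] += 1
    flagged = {}
    for (client, _day), n in per_day.items():
        if n > threshold:
            flagged[client] = max(n, flagged.get(client, 0))
    return flagged


if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    for client, names in find_blocklisted_clients(qs).items():
        print(f"{client}: looked up blocklisted name(s) {sorted(names)}")
    for client, n in find_high_volume_clients(qs).items():
        print(f"{client}: {n} MX lookups in one day, likely sending mail directly")
```

On the sample data the first check flags 10.0.0.5 and 10.0.0.9 for resolving blocklisted names, and the second flags only 10.0.0.9 for its burst of MX lookups; a real deployment would feed such hits to the subscriber-notification step the interview describes rather than silently dropping traffic.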

About Paul Mockapetris

Paul Mockapetris, considered one of the "fathers of the internet," created the Domain Name System (DNS) in the 1980s at USC's Information Sciences Institute (ISI).

At ISI, after working on the design and initial implementation of the SMTP protocol for email, Mockapetris began to design DNS and then operated the original "root servers" for all internet names. After the formal creation of the Internet Engineering Task Force (IETF) in 1986, DNS became one of the original internet standards. The IETF continues to be the focus of new applications and extensions to DNS.

From 1995, he held leadership roles at several Silicon Valley networking startups.

Mockapetris has dual degrees in physics and electrical engineering from MIT, and a PhD in information and computer science from the University of California, Irvine.