
2008 情財 No. 0155

Survey Report on Security-Related Trends in Israel
Survey on Information Security Situation in Israel
Countermeasures against Bots in Israel

March 2009
GlobalConn LTD

Survey on Countermeasures
Against Bots in Israel

Table of Contents

Page

Overview, Vocabulary 3-4

Introduction 5-6

Chapter 1: Status of Bots Today 7-8

Chapter 2: Statistics 9-12

Chapter 3: Damages 13-19


3.1 BotNet Damage examples 14
3.1.1 Phishing Attack on Bank Leumi 14-15
3.1.2 Estonia Case 15
3.1.3 International Corporation 16-17
3.1.4 International Effects 17-18

Chapter 4: Damage Amount by Bots 19-20

Chapter 5: Countermeasures 21-27


5.1 Prevention 21
5.2 Public Policies 21
5.3 Government & Military Organization 22-24
5.4 The Law in Israel 24
5.5 The Spam Law 24-25
5.6 Private Sector 26
5.7 Network Security: Vulnerability and Disclosure Policy 26-27

Chapter 6: Researches 28-40


6.1 Bots & BotNet 28-29
6.2 Wide-scale BotNet Detection and Characterization 29-30
6.3 Is Your PC Secretly Running Nuclear Simulation? 31-33
6.4 DDoS Attacks Prevention by Packets Encapsulation 34-35
6.5 Survey on Detection of Covert Channels through VPN 36-37
6.6 Covert Timing Channel 37-38

Chapter 7: Trends 39-52


7.1 The IUCC/IDC Internet Telescope 39-42
7.2 False Positive 42-48
7.3 Multifunctional Bots 48
7.4 Peer-to-Peer 49
7.5 Common Content 49
7.6 Blogs and Personalized Internet Pages 49-50
7.7 Vertical Text Spam 50
7.8 Mobile Application 51

7.9 Sandboxing 51
7.10 The Development of BotNets in the Future 52

Chapter 8: Trends of Security Products 53-58


8.1 Mi5 Networks 53
8.2 Checkpoint 54
8.3 Commtouch Ltd. 55
8.4 BEYOND SECURITY LTD. 56
8.5 PINEAPP LTD. 56
8.6 Applicure Technologies Ltd. 56
8.7 Beefence 57
8.8 RadWare Ltd. 57-58

Bibliography 59

Overview

Vocabulary

BotNet: Malware made up from a network of bots. The BotNet is a malicious Bot
program aimed to inflict large scale damage to organizations and end users. The
BotNet is an expensive “Agent” or a product handed by the manufacturer to the
buyer/attacker in order to be deployed at any given time by the Bot Herder.

Zombie: The computer in which the BotNet has been implanted without the owner’s
agreement or knowledge.

Malware: Any computer program which is aimed to inflict damage onto the
unsuspecting user and is spread e.g. either actively – through spam email, or
passively – through infected websites and social networks.

STRIDE: Abbreviation of the threats assessed during programming and processing
applications:
Spoofing is stealing the computer’s identity.
Tampering is data modification.
Repudiation is renouncing any liability for the act.
Information disclosure is data leakage.
DDoS = Distributed Denial of Service occurs when a server is bombarded by too
much traffic or data and crashes, therefore denying service to the users.
Elevation of Privilege (EoP) gives access to unauthorized data storage.

Threat Modeling: The steps taken during programming to mitigate damages caused
by STRIDE.

Bot Herder: A “middleman” used by the attacker to deploy the BotNet.

Downloader Site: The prewritten link of the BotNet program from which the Bot
gets updates and orders.

P2P: In order to inflict large scale damage, the attacker expands bandwidth by
eliminating the need for a Command & Control “Brain” and deploying zombies
connected Peer-to-Peer.

Sandboxing: Containment of a malicious Bot for mitigation and study.

White listing: Preapproved list of IPs.

Fuzzing: Testing for security holes.

Mitigation: The evolving nature of the BotNet and the ingenuity of the attackers
mean that total prevention or blocking is virtually impossible, therefore most
solutions apply mitigation.

Zero-Hour Detection: The fast pace at which the malicious “Agent” spreads and
transforms requires real-time detection and response.

False Positive: Using P2P for BotNet purposes means Denial of Service of a
genuine end-user.

Trojan horse: Backdoor to the target’s computer.

Phishing: Online Internet fraud. Retrieving passwords and personal information
through fake proposals and duplicates of legitimate approaches.

Click Fraud: E-crime related to E-commerce, where the vendor pays per click on
advertising and the Bot imitates an end user.
Introduction

The BotNet is the modern cyber warfare. Unlike hacking, which targets specific
users or websites, the BotNet is aimed to inflict massive damage to multiple
users in a short space of time.

It is used for extortion, espionage, political activism, military domination and
even as doomsday weaponry. The BotNet can be used to damage the target’s
reputation or to inflict financial damage directly or indirectly.

The BotNet is multitasking and can change its objectives while activated. In order
to cause DDoS, the Zombie computer harboring the BotNet will send spam on
command. If the purpose of the intruder is to eavesdrop, then the BotNet will
function as a Trojan horse.

However, one should draw a bold line between hacking or defacing of websites
and the use of a BotNet. The latter is expensive and not commonly used by the
usual hacker. Breaking a website’s code or even crashing a server does not
necessitate special resources. To inflict harm on a sole target requires only a
single hacker. Even to make a grandiose statement, one only needs to convene a
group of driven youths or fundamentalists who break into the target’s code and
deface a website (see the Bank of Israel case study in chapter 1.6.). Planting an
“Agent” in thousands of Zombie computers requires resources and usually some
financial gain which will at least cover the cost of operation. On the other hand,
this can be a pawn to be used in the hands of power players with deep pockets
or financial backing.

Ways of spreading a BotNet are also diverse. Malware can be planted in spam, in
text files, in image files, in voice files and on websites. Transplanting the BotNet
into the zombie has no immediate effect on the end user. Some service providers
choose not to divulge the list of zombies sitting on their platform, and others
wish not to know of the active or non-active zombies. Their reluctance stems
from the end user’s indifference and unwillingness to reboot their computer as a
means of clearing the system of the BotNet, or the fear that the customer will
point the finger at the service provider as the liable party.

In the last security report from 2009, it is said that BotNets are becoming much
more widespread. Some researchers are estimating that some BotNet herders
own millions of systems across the globe. This provides herders with extensive
capability. Not only can they attempt multiple DDoS attacks, but owning these
many systems allows them to control their own online Army. It is foreseen that
there will now be more focus on host-based IDS/IPS solutions to control BotNets.

1. Status of Bots Today

Recently published in Israel was the opinion of Mr. Cohen and Mr. Cruman, heads
of the technology department at IBM, about BotNets.

Their opinion about the status of Bots today is that “BotNet is adding yet another
trick to its vast repertoire. In the past, the malware would check the process file
name against an internal list and delete the ones that matched the list. Now it
would rather leave processes running and just patch entry points of loading
processes that might pose a threat to it. Then, when processes such as anti-virus
programs run, they simply return a value of 0”.

According to Mr. Cohen, “BotNet enables the operation of the P.C. to work
normally even though a strong malware like BotNet sits quietly in the
background, the owner of the system is not aware of it. Malware starts
operating only when it gets orders from its operator. This is far less suspicious
than a process that gets terminated suddenly from the outside, which means it
will not alarm users due to the fact that anti-virus software is not running. The
technique is designed to fool the network access control systems, which bar
insecure clients from registering on a network by checking to see whether a
client is running anti-virus software and whether it’s patched. According to the
expert, the anti-virus is running but it’s brain-dead. It’s worse than shutting it off,
as it opens the door for Storm bots to waltz past even networks considered
being hardened with network access control”.

“The BotNet is the latest evidence of why Storm is the scariest and most
substantial threat security researchers have ever seen. Storm is patient, it’s
resilient, it’s adaptive in that it can defeat anti-virus products in multiple ways
(programmatically, it changes its signature every 30 minutes), it’s invisible
because it comes with a built-in rootkit and hides at the kernel level, and it’s
clever enough to change every few weeks”.
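The technique quoted above, a resident scanner that stays running but has been patched to return 0, defeats any network access control probe that only asks whether the anti-virus process exists. The following added example (not from the report or from IBM) contrasts that presence-only check with a functional one that drops the industry-standard EICAR test file and watches whether real-time protection reacts; the function names, verdict labels and polling defaults are this example's own choices.

```python
"""Functional anti-virus health check using the EICAR test string.

A NAC-style "is the anti-virus process running?" probe is satisfied by a
scanner whose entry points have been patched to do nothing. Asking the
scanner to actually detect something is harder to fake.
"""
import os
import tempfile
import time

# The 68-byte EICAR test string (public, harmless by design). It is split
# into two literals so that this source file is not itself a byte-exact match.
EICAR_TEST_STRING = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

FUNCTIONAL_VERDICTS = ("blocked_on_write", "removed", "blocked_on_read")


def av_functional_check(directory=None, wait_seconds=5.0, poll_interval=0.25):
    """Drop the EICAR file and report how (or whether) the resident scanner reacts.

    Verdicts:
      'blocked_on_write' - the write itself was refused (scanner hooks file I/O),
      'removed'          - the file was quarantined/deleted within wait_seconds,
      'blocked_on_read'  - the file exists but cannot be read back,
      'modified'         - the file was altered in place (e.g. neutralised),
      'not_detected'     - nothing happened: AV is absent or "brain-dead".
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "eicar_healthcheck_%d.com" % os.getpid())
    result = {"path": path, "verdict": None, "elapsed": 0.0}

    try:
        with open(path, "w", encoding="ascii") as fh:
            fh.write(EICAR_TEST_STRING)
    except OSError:
        result["verdict"] = "blocked_on_write"
        return result

    # Give on-access scanning a chance to quarantine the file.
    start = time.monotonic()
    while time.monotonic() - start < wait_seconds:
        if not os.path.exists(path):
            result["verdict"] = "removed"
            result["elapsed"] = round(time.monotonic() - start, 2)
            return result
        time.sleep(poll_interval)

    try:
        with open(path, "r", encoding="ascii") as fh:
            intact = fh.read() == EICAR_TEST_STRING
    except OSError:
        result["verdict"] = "blocked_on_read"
        return result

    result["verdict"] = "not_detected" if intact else "modified"
    try:
        os.remove(path)  # clean up after ourselves
    except OSError:
        pass
    return result


def nac_style_decision(process_running, check_result):
    """Compare the two admission policies for one host.

    presence_only: what a process-list probe would conclude.
    functional:    admit only if the scanner demonstrably intercepted EICAR.
    """
    return {
        "presence_only_passes": bool(process_running),
        "functional_passes": check_result["verdict"] in FUNCTIONAL_VERDICTS,
    }


if __name__ == "__main__":
    outcome = av_functional_check()
    print(outcome)
    print(nac_style_decision(process_running=True, check_result=outcome))
```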

It has its own mythology, composed of up to 50 million zombie PCs, it has as
much power as a supercomputer, it has brute strength to crack Department of
Defense encryption schemes and with this power it terrifies the researchers of
this field and the administrators in charge of network security.

On the other hand, those who know how to watch it are guarding their techniques.
They’re afraid of retaliation. They fear that if they disclose their unique means of
finding information on Storm, the BotNet herder will change tactics yet again and
the window into Storm will slam shut.

According to other experts quoted in the newspaper, the BotNet’s strength is
exaggerated in terms of the number of systems which are infected, its capability
to become a supercomputer and the claim that it fights back and punishes
instantaneously. They say this is fiction; however, they still agree it has a lot of
power.

Mr. Cohen concludes that when it comes to the war of good guys (security
researchers) versus bad guys (BotNet herders), BotNets have won. He cites the
case of Blue Security, an Israeli-based startup whose aggressive anti-spam
measures in May 2006 drew a counterattack from spammers that was so vicious
it forced the company out of business. “Blue Security did a really good job of
fighting,” said Mr. Cohen. “So [the attackers] did a DDoS and took it off the Net
for a while. Blue Security went to the best anti-DDoS technology on earth. The
next onslaught came and Blue Security’s defenses worked. So the BotNet herder
stole two other people’s BotNets. With three BotNets, the attack worked, to the
point where the ISP said, I’m not going to let you take down my entire ISP to
protect you, you’re on your own. And Blue Security is now out of business.”

2. Statistics

Most statistics reports are slanted and show overwhelming data of infected
Zombies or BotNet attacks. Internet security companies have a given stake in
showing the increasing dangers on the one hand, and success in detecting and
blocking on the other hand.

Every single day, new vulnerabilities are discovered and published (One of the
Israeli security companies alone reports 5 - 10 new vulnerabilities in various
systems every day).

We found that companies are reluctant to reveal cyber attacks and there is no
official publication specifically on Israeli BotNet attacks.

The government ISP Tehila reports 14,000 BotNet and similar attacks yearly on
government and semi-government sites.

Below are some graphs which show international BotNet attacks as recorded by an
Israeli software security company’s servers.

A general picture of worldwide active Zombie attacks:

Israeli software security companies accumulate statistics about general cyber attacks
all over the world. The following are some details from the second quarter of 2008:

3. Damages

Organized crime has applied its resources to the Internet first and foremost to
realize the rather fast, anonymous and unregulated financial gain integral to E-
Crime. The damages inflicted through BotNet operation are diverse. There are
direct damages and collateral damages. The initial act of tampering with bank
accounts after obtaining passwords via phishing and Trojan horse tools is as
simple as any bank robbery. Accessing sensitive information has two potential
financial gains for BotNet operators. Industrial espionage and selling data to
rivals can be just as lucrative as threatening with extortion. All these operations
still require foot soldiers to activate the chosen BotNet application and execute
the transaction.
The vast success of this type of E-Crime is due to the ever growing global
community turning to E-Commerce and online banking. Banks nowadays rely
heavily on online transactions, so a breach in their security means a loss of
potential business. This is the next layer of damage caused by BotNet. The
reputation of any business is a gainful asset which, when impaired, can have
lasting consequences. Even service providers avoid divulging the BotNet activity
and some Internet Service Providers (ISP) prefer not to get hold of the available
Zombie list so as not to expose their vulnerability. Blacklisting and blocking
legitimate ISP and users is another costly risk. Unless the attack might cause a
total crash or has multiple targets, there is little chance that the end users will be
notified of its occurrence.

The cost of blocking attacks and scanning for new malware means an even greater
financial burden. Website owners, large or small, find the need to add layers of
security to their existing firewall.

3.1 BotNet Damage Examples

There is a clear distinction between hacking for defamation purposes and using a
BotNet to inflict harm or procure gain during an attack. The most infamous case
of industrial espionage in Israel became common knowledge in June 2004. It was
dubbed “The Haephrati Trojan horse” and it involved CEOs of leading corporations.
The catalyst was a family feud which instigated an Israeli couple who were
computer experts, residing at the time in the UK, to write an espionage Bot that
was thereafter sold to private investigation firms. Their intent was turning the
Trojan horse into a lucrative business. Though this case has similarities to the
BotNet in intent and harm, its modus operandi is completely different.

The BotNet doesn’t act against a chosen individual target. The statement that a
BotNet does not target an individual needs qualification, however. For example,
Blue Security was an Israeli start-up company which tried to wage an Anti-Spam
Crusade. The method was simple and effective. Blue Security’s software
bombarded the spammers with millions of unsubscribe requests that crashed the
spammer’s ISP. In May 2006, the founder and owner of Blue Security had to
admit defeat after one of the spammers engaged in a counter attack. The
assaulted spammer used thousands of Zombies at the tip of his fingers to inflict a
successful DDoS attack. The spammer used other methods of intimidation and
extortion frequently abused by BotNet operators. This case ended with Blue
Security going into hiding and the Internet security community unanimously
agreeing that striking back is not the answer.

3.1.1 Phishing Attack on Bank Leumi

The Security department of Bank Leumi, one of Israel’s leading banks, received
an e-mail message on the 28th of January, 2008, requesting its customers to
enter an enclosed page that required registration of their identification with the
bank. This was a phishing attack on its customers.

The security department managed to locate the impersonator and to remove him
from the net. The bank immediately contacted all the customers that had entered
their identification and asked them to change all their passwords and to go over
their accounts to see if anything had been done that had not been done by them.
The bank also published a note to all its customers that it is not accustomed to
ask for identification on the web and that this type of request is a fraud, done to
gain control over the customer’s details using an impersonated web page of the
bank.

In order to prevent these types of attacks, the bank issued new regulations for
transfers of funds to a third party through the Internet. According to the bank,
their quick reaction and attempts to catch the intruder reduced the damage to
only tens of customers out of thousands that were exposed to this phenomenon,
and due to its actions, none of the customers were harmed by this attack.

3.1.2 Estonia Case

An additional important case that occurred in Estonia, put the BotNet on the
map in April 2007 as the next Cyber Warfare weapon. Estonia was the
battleground of the biggest cyberspace attack which lasted for 3 weeks, allegedly
triggered by the removal of a Soviet statue. Russia was the immediate suspect
during the 2007 attack, and has seemingly used the same scheme against
Georgia during the outbreak of fighting in August 2008. The Estonian case
recorded the use of about 1 million worldwide Zombies which inflicted a vast
DDoS to government and corporate websites. This attack was extremely effective
due to Estonia's high Internet exposure and usage. It is the first country to allow
online voting for its Parliament. According to updated FBI reports, 108 countries
hold Cyber Warfare capabilities.

3.1.3 International Corporation

The police authorities revealed that three Israelis from the north of Israel who
were suspected to be part of an international crime organization stole money
from banks in different countries. The headquarters of the organization was
based in Germany where the investigation started. They used the BotNet
technology by which they stole the customers’ identifications. The Israeli police
said that the crime organization acted out of Israel.

Another example where Israeli Technology was involved was a BotNet attack by
hackers which was discovered on September 4, 2007 on the site of eBay
members (the global purchase store site). This attack, which used brute-force,
was for the purpose of uncovering valid account log-in information. The
preparations for the attack against eBay started about a month before the actual
attack. The attack began with hackers compromising third-party websites using a
technique called SQL (Structured Query Language) Injection. Extra code was
dynamically added to the main page of these websites using a hidden IFRAME
tag which loaded a malicious web page. This page contained a VBScript file that
used AJAX to download and save a file called MISuvstm.exe into the Windows
system folder. Once this file was downloaded, it attached itself to the Windows
Explorer process and went hunting for a further Trojan, which was the basis for a
Distributed Denial-of-Service (DDoS) attack on eBay itself. The attack used eBay’s
own Application Programming Interfaces to guess eBay users’ passwords by
brute-force. According to the information published, attackers changed one
user’s eBay identity and sent out at least 25 e-mails to individuals in the United
Kingdom who were attempting to sell Sony laptop computers. The compromised
account, which retained the original user’s high eBay rating, offered the sellers
more money than they asked for in exchange for the laptops being shipped “as
soon as possible.” The technology of the Israeli company Aladdin was involved
in this attack. Aladdin first found out about the eBay attacks through its scanning
software, which runs at ISPs and detects and blocks attempted IFRAME
redirections. Furthermore, Aladdin’s two-factor authentication technology is a
solution where two different methods of identification are used, such as a user
name and password combined with a physical item, like a mobile phone, credit
card, or hardware dongle device, in the hands of the owner. These solutions,
while not invulnerable, would prevent brute-force attacks such as the one
directed at eBay. More details about Aladdin and its technology will be given
in the Israeli technology section.

The Israeli software security companies’ servers survey many computers around
the world to secure and detect BotNet and malicious alike attacks.

3.1.4 International Effects

There is no local character to the operation of a BotNet. In the past, when the
attack needed C&C (Command & Control), there was a local linkage between the
manufacturer of the malware and its consumer. Nowadays, the existence of a net
of bots has made the place of production irrelevant. Zombies from all over the
world can be deployed instantly, crossing jurisdictions and confusing local law
enforcement agencies.
The operational mode of BotNet is much the same as drug trafficking. Recent
cases of BotNet deployment proved that the motivation might have been
nationalistic in nature (see the Estonian case study). However, the precise source
of the attack was unidentifiable.

Israel, together with a few nations, dominates the scene as a recipient nation of
spam, viruses and website defacement. Being a target of Muslim Fanatics
heightens the drive to crash servers and service providers on a daily basis. The
flip side of the Israeli-Arab conflict means that there is also heightened activity
among rightwing political activists breaching and defacing terrorist websites and
attracting even more fire in Israel’s direction.

One of the main problems in fighting the spread of BotNets is a lack of legislation
against E-crimes in most countries. It is easy enough to deploy the BotNet from a
certain country and evade all international law enforcement agencies. There are
currently a handful of online vigilante groups which try to fill the void created by
the shortage in law enforcement manpower. One such group operates from
Britain and is called Spamhaus.org. Another group fighting BotNets is
Shadowserver.org, which is run by proactive security professionals, one of whom
is an advisor to Cisco Systems.

4. Damage Amount by Bots

Following is a table that an Israeli company developed to calculate the estimated
cost of spam damage to enterprises.

The table is based on the number of employees, their salary, the number of e-mails
they receive daily and the average amount of spam they receive. We entered some
basic information and the calculator produced the following results:

Calculate: how much does spam cost your enterprise?

Number of employees: 50 Employees
Average annual salary: $ 50000
Average daily email per-recipient: 50 Messages
Average % of spam from total email: 20 %

Time to delete (seconds): 5 Seconds
Direct lost productivity per employee (hours annually): 5.07 Hours
Direct lost productivity to the enterprise (days annually): 31.69 Days
Cost per-recipient per-year: $ 120.64
Direct lost productivity costs to the enterprise: $ 6032

Time wasted per response (minutes): 5 Minutes
Response rate: 1 %
Additional lost productivity to the enterprise (days annually): 19.01 Days
Overall cost of responding to spam: $ 3655.85

Cost of 1MB storage (archiving): $ 0.60
Average size of spam message: 16 Kb
Storage cost per-employee: $ 35.04
Overall storage annual cost to enterprise: $ 1752

Total annual cost for the organization: $ 11439.85
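To make the calculator's arithmetic reproducible, here is an added Python model (not the Israeli company's own code) that rebuilds each line of the table from the inputs above. It assumes a 365-day year, an 8-hour working day, an hourly rate of salary / 2080 and 1000 KB per MB; with those assumptions the responding, storage and lost-days lines match the table, while the direct productivity cost comes out about $60 higher than the $6032 shown, because the calculator's hourly-rate convention is not given.

```python
"""Spam cost model rebuilt from the calculator output in Chapter 4.

Constants below are this example's assumptions, chosen because they
reproduce the table's responding-to-spam and storage lines exactly.
"""
from dataclasses import dataclass

DAYS_PER_YEAR = 365          # assumption: the calculator counts every calendar day
HOURS_PER_DAY = 8            # assumption: an 8-hour working day
PAID_HOURS_PER_YEAR = 2080   # assumption: 52 weeks x 40 hours for the hourly rate
KB_PER_MB = 1000             # assumption: decimal kilobytes (matches $35.04 storage)


@dataclass(frozen=True)
class SpamInputs:
    employees: int
    annual_salary: float
    daily_email: int
    spam_fraction: float        # 0.20 for 20 %
    delete_seconds: float       # time to delete one spam message
    response_minutes: float     # time wasted when an employee responds
    response_rate: float        # 0.01 for 1 %
    storage_cost_per_mb: float  # archiving cost per MB
    spam_size_kb: float         # average spam message size


# The figures the report entered into the calculator.
SAMPLE_INPUTS = SpamInputs(
    employees=50, annual_salary=50000, daily_email=50, spam_fraction=0.20,
    delete_seconds=5, response_minutes=5, response_rate=0.01,
    storage_cost_per_mb=0.60, spam_size_kb=16,
)


def spam_cost(inp: SpamInputs) -> dict:
    """Return every line of the calculator's output, rounded to 2 decimals."""
    hourly_rate = inp.annual_salary / PAID_HOURS_PER_YEAR
    spam_per_year = inp.daily_email * inp.spam_fraction * DAYS_PER_YEAR

    # Direct productivity loss: seconds spent deleting spam, per employee.
    delete_hours_per_employee = spam_per_year * inp.delete_seconds / 3600
    delete_hours_enterprise = delete_hours_per_employee * inp.employees
    direct_cost = delete_hours_enterprise * hourly_rate

    # Additional loss: the fraction of spam that employees actually respond to.
    response_hours_enterprise = (
        spam_per_year * inp.response_rate * inp.response_minutes / 60
    ) * inp.employees
    response_cost = response_hours_enterprise * hourly_rate

    # Archiving cost of the spam that is kept.
    storage_mb_per_employee = spam_per_year * inp.spam_size_kb / KB_PER_MB
    storage_cost_per_employee = storage_mb_per_employee * inp.storage_cost_per_mb
    storage_cost = storage_cost_per_employee * inp.employees

    return {
        "direct_hours_per_employee": round(delete_hours_per_employee, 2),
        "direct_days": round(delete_hours_enterprise / HOURS_PER_DAY, 2),
        "cost_per_recipient": round(direct_cost / inp.employees, 2),
        "direct_cost": round(direct_cost, 2),
        "response_days": round(response_hours_enterprise / HOURS_PER_DAY, 2),
        "response_cost": round(response_cost, 2),
        "storage_cost_per_employee": round(storage_cost_per_employee, 2),
        "storage_cost": round(storage_cost, 2),
        "total": round(direct_cost + response_cost + storage_cost, 2),
    }


if __name__ == "__main__":
    for name, value in spam_cost(SAMPLE_INPUTS).items():
        print(f"{name:28s} {value:>10.2f}")
```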

Financial damages are the main interest of large corporations on the one hand
and end users on the other. In some cases, the industry publishes their damage
and its cost for security. However, the dominance of governmental and secret
agencies can be undermined by BotNet attacks. Deploying Cyber warfare and
defending against it are the work of governmental and secret agencies, which are
treated with the same secrecy as any other doomsday weapon.

5. Countermeasures

The statistics unequivocally show that no one is completely immune against
becoming a zombie or being a target of a BotNet attack. This situation requires
mitigation, the purpose of which is minimizing the breaches and the damages.

5.1 Prevention

The aim of the BotNet is making the fight against security breaches futile. As
many firewalls are added to block attacks, there are just as many breaches
written into the programs. Security experts all agree that prevention of BotNet
proliferation is impossible. First the harm is already done and until the Zombie is
activated, no one, including the Zombie itself, can tell what it was infected by.
Second, the use of P2P increases the bandwidth and the spreading rate. Finally,
there are too many breaches from which the malicious entities can infiltrate.
These facts should not, however, create a feeling of surrender, as the entire
academic world that works in this field as well as many security companies, are
developing new technologies to prevent the possible infiltration of Bots.

5.2 Public Policies

The Israeli government is taking various countermeasures to protect its
computer systems from Bots and other malicious attacks, using different security
technologies and charging the Law Ministry, the Ministry for Trade and
Commerce and the police authorities with taking different measures to prevent
attacks on the private sector as well.

5.3 Government & Military Organization

There are two main organizations in the Israeli government which are in charge
of the national Internet security. One is dedicated to all the strategic and
national security sites and is called “The Director of Security of the Defense
Establishment” and is a part of the Ministry of Defense. The second is the
Government’s ISP “Tehila” and is part of the Treasury Ministry.
Tehila was established in order to control all the e-government in Israeli
government.

Further, the Israeli government nominated a Ministerial Committee which is a
steering committee to initiate laws, regulations and rules to determine the
countermeasures that Israel will take to prevent cyber attack. This Committee
established in each Ministry a special committee to take countermeasures to
prevent any attack on the specific office. In addition, the steering committee
nominated a special committee which controls the total countermeasures which
are taken within the government framework.

CERT (Computer Emergency Response Team) was established in Israel in 2005 as
a government body which is aimed to give service on cyber attacks. The CERT is
part of the Tehila project and works in cooperation with the international
information security parallel world. The site provides information for
professionals in the field of information security and citizens interested in
learning how to protect their home computer from viruses and attacks on their
network.

In 2006, a former manager of Israeli CERT started a mailing list where people not
necessarily involved with the vetted, trusted or closed circles of cyber crime
fighting could share information and be informed of threats. The BotNets mailing
list was aimed to get people involved, engaged and aware of cyber crimes.

His main objective was to provide the public an open mailing list where anyone
can join in and report a BotNet command and control (C&C) server that they
might see.
The goals of the mailing list were to create:
* A place where one can discuss detection techniques.
* A place where one can report the BotNets.
* A place where all relevant private groups will get reports.
* A place where the relevant ISP will be automatically notified.
* A place where action taken on the reports will be seen.

The main concept behind the BotNets mailing list is to provide information and
sharing cyber information online. He thought that sharing the resources could
change the tide of the cyber crime war. One of the strategies that could help is
public information sharing of “lesser evils” already in the public domain.
He thought that to fight a war, one needs to be involved and engaged. It is a fact
that while much progress was made in the efforts to fight cyber crime, there was
nearly no effect what-so-ever against the criminals and the attackers. They
maintained their business and the industry kept writing analysis.

The former manager of Israeli CERT decided to revive the BotNet mailing list. He
says the list was fairly successful two years ago, but quickly lost steam, because
some researchers didn't feel confident in sharing their information in a public
setting. Since he revived the list in September 2008, researchers have been
actively sharing raw data with other list members.

“We have better tools, we’re better organized, we know what we’re doing, but
still we have not really made a dent,” he said. “There have been some arrests,
we’ve taken down some operations, but what it comes down to is that the
criminals are still making money.”

The communities that are currently active are closed and by their nature more
secretive. Less information gets out and less information is shared because
people who should be trusted cannot find the right groups or it’s too difficult to
find an information sharing group.

The ultimate goal of the mailing list is to get more IT administrators and security
researchers involved in combating cybercrime, get them to care about the
problem and get them organized.

5.4 The law in Israel

The Israeli government initiated laws against cyber attackers as a tool for
countermeasures.
In 1995, The Computer Law was adopted in Israel, and prohibits cyber attacks
and prescribes punishment for this type of crime of 3 to 5 years imprisonment.
Following are the details:
o Disruption or Interruption of a computer or computer content. This is
equivalent to breaking and entering, and includes falsifying, transferring,
storing information or output, writing software related to this information or
using such software;
o Infiltrating computer materials illegally;
o Infiltrating computer content with the intent of breaking the law;
o Anything pertaining to computer viruses;
o Denial of Service;
o Writing and distribution of Trojan Horses.

5.5 The Spam Law

The Israeli Parliament approved at the end of May 2008 an amendment to the
Israeli Communication Law also referred to as “The Anti Spam Law”. This
amendment prohibits various sorts of spam: e-mail, fax messages, short text
messages (such as cellular SMS) and automatic dialing systems, if they intend to
induce the recipient to spend money.

The strict requirement for prior consent in the law is mitigated by two
exemptions. An advertiser may send a one-time unsolicited offer to businesses
to accept further commercial messages. An advertiser may also send unsolicited
commercial messages if the receiver of the message is a client or a potential
client of the sender, if the message refers to a product or a service similar to
products or services purchased by the client in the past from the sender, and if
the receiver is given proper opportunity to refuse any further messages.
Furthermore, the advertiser must conspicuously indicate that the message is
commercial in nature and that the receiver has a right to refuse any further
messages. The advertiser must also provide clear contact details for sending
refusal notices.

The Anti Spam Law became effective in December 2008. Failure to comply with it
will subject spammers and senders of commercial offers to statutory damages of
up to NIS 1,000 (approximately US $300) per one message. The amendment also
indicates that a class action may be brought against infringers.

The amendment allows civil actions to be taken against the spammer, regardless
of the criminal charges. However, the amendment doesn’t refer to spammers
residing abroad. The offender targeted by the amendment is not only the sender
of the spam but the advertiser sending unsolicited mail that stands to gain from
the action.

The law requires that parties sending information receive prior authorization
from the legal parties. The police authority has established a special unit to
follow up and enforce this law.

5.6 Private Sector

Many organizations expect more than just an Anti-Spam and Anti-Virus solution.
They require a sophisticated tool that provides customization rules and control
over incoming and outgoing mail, footnotes, attachments, notifications,
forwarding and more. Furthermore, they require that a policy be enforced
throughout the whole organization, groups and even the specific users.
Organizations also expect such a system to be in synchronization with their
existing active directory or other Lightweight Directory Access Protocol (LDAP)
servers. As a result, Israeli software security companies are researching and
developing software as countermeasures to cyber attacks. The academic sector
in Israel also takes part in this research and development, as detailed in
Chapter 6.

5.7 Network Security: Vulnerability and Disclosure Policy

The following research deals with the social aspect of cyber attack:
* Network Security: Vulnerability and Disclosure Policy.
This research was carried out by Dr. Chaim Fershtman and others, in
cooperation between Tel Aviv University and Michigan State University.

This work deals with the dilemma of software companies that find bugs in their
software. Should the company disclose the bug and issue an update for it? If it
does, the disclosure itself could facilitate reverse engineering and expose the
vulnerability to hackers. Should the disclosure be mandatory?

The researchers indicate in their research that BotNet programs enable
attackers to link infected computers into a powerful network that can be used to
steal sensitive data, as well as money from online bank and stock brokerage
accounts. The striking details these researchers bring are that in January
2007, Internet experts estimated that “BotNet” programs – sophisticated
programs that install themselves on unprotected personal computers – were
present in more than 10 percent of the 650 million computers worldwide that
are connected to the Internet. Moreover, they cite another research project,
carried out by America Online and the National Cyber Security Alliance
(2004), which found that 80 percent of the computers in the US are infected
with Spyware. According to this work, in spite of the huge efforts invested in
writing more secure code, it is virtually impossible to design software that is
free of vulnerabilities. The researchers question whether the efforts of
software companies that continue to look for vulnerabilities after the software
has been licensed and sold are entirely beneficial: the updates released to
overcome a vulnerability enable hackers to “reverse engineer” them and find out
how to exploit it. Such reverse engineering increases the probability of attack.

The main issue that the paper discusses is how to motivate investment in
product security by investigating how a decline in the number of vulnerabilities
and an increase in the probability that the firm will identify vulnerabilities before
hackers affect disclosure policy, price and profits. An additional subject which is
raised in this work is the mandatory disclosure of vulnerabilities and bug bounty
programs. The researchers find that mandatory disclosure is not necessarily
welfare improving. Mandatory disclosure improves welfare only when the
probability of attack is very high and the expected damage is relatively small.
When both the probability of attack and the expected damage are moderate,
mandatory disclosure is welfare reducing, since a non-disclosure policy
maximizes welfare. In the remaining cases mandatory disclosure has no effect,
since the firm will disclose the vulnerability even without regulatory
intervention.

Chapter 6: Research

The BotNet community is comprised of black hats, trying to outwit the security
experts, and on the flip side, researchers who try to probe the malware. BotNet
R&D puts out fires on a daily basis, but researchers are also developing
technologies for the long term.

6.1 Bots & BotNet

This research was carried out by Barak Nirenberg at the Technion, Israel
Institute of Technology.

The project, completed just a few months ago, started by defining Bots and
BotNet. The Bots are software applications that run automated tasks over the
Internet. Typically, bots perform tasks that are both simple and structurally
repetitive, at a much higher rate than would be possible for a human alone. The
largest use of Bots is in web spidering, in which an automated script fetches,
analyzes and files information from web servers at many times the speed of a
human.

The BotNet is the technique allowing the Bots’ masters to control remotely a
large number of infected machines in a single operation, thus creating the
BotNets. According to researchers, the characteristics of the BotNet are that it
runs autonomously and automatically. The BotNet is often associated with
malicious software, but it can also refer to a network of computers running
distributed computing software. It is interesting to note that the Bot creators
evolved their Bots to use Dynamic DNS (DDNS) in order to find their C&C server.
DDNS is a service, mostly offered for free on the Internet, that allows a user
to own a constant DNS name that will be translated to a specific IP address;
in this way the BotNet master overcomes IP blocking by ISPs. The researcher
describes in detail the problem of the Bot master's control over a large
number of hosts with AVT causing collapse of the entire net. The researcher
describes the process of evolution until the Bot became such malicious
software and, more importantly, became widely available on the Internet. Today,
most Bots use worms in order to spread on the Internet.

A worm is a kind of malware that spreads over the net by itself automatically,
usually by exploiting security holes and known software vulnerabilities. The
researcher describes in this work the most common method by which Bots
spread today and, once more, indicates that there are also several cases
where a Bot will try to remove rival Bots from the host it has infected in
order to be the sole owner of the host.

6.2 Wide-scale BotNet Detection and Characterization

This research was carried out by David Hoeflin and associates.

In this research, the researchers use algorithms which can detect and
characterize BotNets. The researchers use algorithms to detect several hundred
controllers over a period of a few months running on arbitrary ports with a very
low false positive rate.

This paper describes the methodology to detect, track and characterize BotNets
on a large Tier-1 ISP network. The BotNet analysis is performed mostly on
transport layer data and thus does not depend on particular application layer
information. The researchers wrote algorithms that produce alerts with
information about controllers. Alerts are followed up with analysis of application
layer data, which indicates a false positive rate of less than 2%. Following is a
description of how BotNets function. Malicious BotNets are networks of “Bots”,
compromised hosts that are remotely controlled by a master host via one or
more controller hosts. The master host is the computer used by the perpetrator
and is used to issue commands that are relayed to the bots via the controllers.
The controllers are often Internet Relay Chat servers, which are normally used
for relaying messages among client terminals. Controllers are often created from
compromised hosts that perform a coordinating role for the BotNet. The
purposes of using BotNets vary and most of them are related to illegitimate
activity. Some of their uses include launching Distributed Denial-of-Service
(DDoS) attacks, sending spam, Trojan and phishing email, illegally distributing
pirated media, serving phishing sites, performing click fraud, and stealing
personal information. They are also the sources of massive exploitive activity as
they recruit new vulnerable systems to expand their reach. BotNets have
developed several techniques in their malware and infrastructure that make
them resistant to typical mitigation techniques. All this is a threat to the Internet
as well as enterprise networks. The threats undermine the reliability and utility
of the Internet for commerce and critical applications. Traditionally, the
majority of BotNets were based on Internet Relay Chat, due to the ability of
IRC to easily scale to thousands of clients. Other types of BotNet based on
HTTP, DNS, and peer-to-peer models also exist.

The advantages of their system are many. The major ones are that the system:
a. is entirely passive and therefore invisible to the operator,
b. has a false positive rate of less than 2%,
c. helps identify BotNets that are most affecting real users (and customers),
d. can detect BotNets that use encrypted communications.

The system helps quantify the size of BotNets, and identify and characterize their
activities without joining the BotNet.

The contribution of this work is the development of an anomaly-based passive
analysis algorithm that has been able to detect IRC BotNet controllers achieving
less than 2% false positive rate. The algorithm is able to detect IRC BotNet
controllers running on any random port without the need for known signatures
or captured binaries. Even though this analysis is tuned to IRC-based BotNets,
the researchers believe BotNets will continue to require
inventory management as well as a command and control structure that allows
the BotNets to be detected using similar methods. There are some distinct
advantages to this type of BotNet detection:
a. Network data analysis is entirely passive, so it is invisible to the BotNets,
b. It does not interfere with network operations,
c. It does not run any risk of contributing to the problem, and
d. It is able to show the dynamics of BotNet activity by detecting activities
that have been most effective in targeting the specific customer sets.
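The flow-level approach described in this section, written out as an added example (not the researchers' algorithm or code): a candidate controller is a (server, port) tuple that several hosts keep long-lived, low-volume, small-packet connections to, which is what an idle command channel looks like at the transport layer, while a web or mail server sees short, bulky flows. The flow records, thresholds and field names are constructed assumptions; nothing here needs application-layer content or a signature, so a controller on an arbitrary port is found the same way as one on the classic IRC port.

```python
"""Passive, transport-layer detection of candidate BotNet controllers.

Added example, not the researchers' code. Flow records are NetFlow-style
one-way summaries; thresholds are constructed assumptions.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst dport start end packets bytes")

MIN_CLIENTS = 3          # distinct hosts talking to the same (dst, dport)
MIN_DURATION = 1800.0    # seconds: command sessions stay up for a long time
MAX_BYTES_PER_PKT = 120  # chat-style keepalives and commands are tiny
MAX_PKTS_PER_SEC = 0.5   # and infrequent


def summarize(flows):
    """Group flows by (dst, dport) and compute per-tuple statistics."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.dport)].append(f)
    stats = {}
    for key, fl in groups.items():
        durations = [f.end - f.start for f in fl]
        packets = sum(f.packets for f in fl)
        stats[key] = {
            "clients": len({f.src for f in fl}),
            "mean_duration": sum(durations) / len(durations),
            "bytes_per_pkt": sum(f.bytes for f in fl) / packets,
            "pkts_per_sec": packets / sum(durations),
        }
    return stats


def candidate_controllers(flows):
    """Return (dst, dport) tuples whose aggregate behaviour looks like C&C."""
    hits = []
    for key, s in summarize(flows).items():
        if (s["clients"] >= MIN_CLIENTS
                and s["mean_duration"] >= MIN_DURATION
                and s["bytes_per_pkt"] <= MAX_BYTES_PER_PKT
                and s["pkts_per_sec"] <= MAX_PKTS_PER_SEC):
            hits.append(key)
    return sorted(hits)


def sample_flows():
    """Constructed flow records: a web server, a mail relay and two
    controllers, one on the usual IRC port and one on an arbitrary port."""
    flows = []
    for i in range(10):   # web server: many clients, 4 s flows, ~900 B packets
        flows.append(Flow(f"10.1.0.{i}", "203.0.113.10", 80, 0, 4, 12, 10800))
    for i in range(3):    # mail relay: a few clients, 30 s flows
        flows.append(Flow(f"10.1.1.{i}", "203.0.113.25", 25, 0, 30, 40, 20000))
    for i in range(5):    # IRC controller: bots idle for 2 h with 60 B pings
        flows.append(Flow(f"10.2.0.{i}", "198.51.100.5", 6667, 0, 7200, 120, 7200))
    for i in range(4):    # same behaviour on an unusual port
        flows.append(Flow(f"10.2.1.{i}", "198.51.100.77", 41337, 0, 3600, 60, 3000))
    return flows


if __name__ == "__main__":
    for dst, port in candidate_controllers(sample_flows()):
        print(f"candidate controller {dst}:{port}")
```

Alerts from a heuristic like this are only the first stage; as the section says, each is followed up with application-layer analysis before a controller is confirmed.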

6.3 Is Your PC Secretly Running Nuclear Simulation?

This research was carried out by Yoav Etsion at the Hebrew University of
Jerusalem.

One of the main targets of Bot intruders is to create immense computing
power for different malicious purposes, such as breaking strong cryptography,
stealing information, or any other target that needs immense computing power.
This computing power can be used to create Zombie armies for propagating spam
or launching DDoS attacks. In some cases, it is possible to create the illusion that
the CPU is not being used, and in this case the owner will not know that his
computer has been recruited and is transmitting data to a third party.

The researchers found that all major operating systems today, with the possible
exception of Mac OS X, are vulnerable to such attacks, due to the way CPU usage
is accounted for and how competing processes are prioritized. The researchers
call this a “cheat attack”: a process hijacks a large percentage of the CPU and
the operating system's scheduler is effectively made to obey a third party, yet
when the active processes are listed, the CPU's resources do not appear to be
in use at all, which makes the attack difficult to detect. The success of such an
attempt depends on the intruder knowing how resources are allocated and how
much the competing processes use.

It is not customary to measure CPU usage directly but rather to sample it
periodically using clock interrupts. Periodic clock interrupts are a basic design
feature in all major operating systems. According to the researchers, operating
systems are reactive by nature. Most of the time the operating system just waits
for an interrupt to happen; when it does, it handles the interrupt and returns to
wait for the next one. But operating systems also have a proactive component,
where they need to take the initiative. For the purposes of this research, it is
sufficient to focus on:
1. Making scheduling decisions and performing a context switch from one
process to another.
2. Sampling the running process for accounting purposes.
3. Noting the passage of time in order to support a timer service, such as
waking up a process that requested to sleep for some time.

Importantly, all of these activities are typically tied to the same clock interrupts.
This overloading can be exploited by a simple attack that uses the timer to
ensure that a process always starts to run just after a clock tick, and stops
before the next tick. As a result, the process is never billed, because it is never
the process that is sampled by a clock tick. The most problematic consequence is
that the attacking process becomes essentially invisible.
The most basic defense one has against malicious programs is seeing them run
using a monitoring tool. If the system doesn’t account for the CPU usage of the
attacking process, it won’t show up on the monitors. Even worse, the attack
actually leads to miscounting, where another process is billed for CPU time used
by the cheating process. As a result, even if the system administrators suspect
something, they will suspect the wrong processes. The cheating process can
further disguise its tracks by controlling the amount of CPU it uses so as not to
have too great an impact on system performance.

Even though great efforts were made to overcome the cheating process, the
researchers found that the threat is still very real. Worms of this kind can
infect over 10 million computers, and combining such worms with the cheating
attack could create an ad-hoc supercomputer that runs a computational
payload on massive resources in minimal time. There are two ways to account
for CPU usage: one is by direct measurement, and the second by sampling. Even
some systems that actually perform accurate measurements do not use this
information for scheduling. The researchers explain that some systems, like Linux
2.6 and the ULE scheduler for FreeBSD, have problematic prioritization practices
regarding interactive processes that further increase their vulnerability. They
analyzed their results on different operating systems such as Windows XP and
Solaris, besides Linux 2.4 and 2.6. The benchmark application was run alone on
each system to get a reference value, and was then executed alongside the
cheater to examine the cheater’s effect on the application’s throughput on
that operating system. There is a simple, low cost solution.

The solution, which the researchers implemented in Linux, is complete and
based on accurate billing. The “cheat” discussed above is simple: it relies on
the scheduler's practice of prioritizing processes that use less of the CPU. The
idea is to avoid the accounting, and then enjoy the resulting high priority. The
billing mechanism works on the long and short term: a process that runs for
only a short period each time it is scheduled will typically not be billed, while
processes that use more CPU time have a higher chance of being interrupted
and billed.
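The accounting gap described in this section, as an added simulation rather than the researchers' code: one CPU, a clock tick every millisecond, a "cheater" that runs right after each tick and yields before the next one, and an honest process filling the gaps. Sampling-based accounting bills a whole tick to whichever process happens to be running at the tick instant, so the cheater is billed nothing and the honest process is billed everything; accurate accounting, which bills measured run time, shows the real shares. The check at the end compares the two views, which is the kind of discrepancy an accurate-billing scheduler removes. All tick lengths and run fractions are constructed.

```python
"""Why tick-sampled CPU accounting misses a 'cheat' process.

Added example, not the Hebrew University researchers' code. Times are in
microseconds; the schedule and all constants are constructed.
"""
TICK_US = 1000   # 1 kHz clock: one interrupt every 1000 microseconds
CHEAT_US = 800   # the cheater keeps 80% of every tick for itself
GAP_US = 10      # it starts this long after the tick and yields early


def build_schedule(ticks, tick_us=TICK_US, cheat_us=CHEAT_US, gap_us=GAP_US):
    """Return {process: [(start, end), ...]} run intervals.

    The honest process is deliberately the one running at every tick instant.
    """
    cheater, honest = [], [(0, gap_us)]
    for k in range(ticks):
        base = k * tick_us
        cheater.append((base + gap_us, base + gap_us + cheat_us))
        honest.append((base + gap_us + cheat_us, base + tick_us + gap_us))
    return {"cheater": cheater, "honest": honest}


def sampled_accounting(schedule, ticks, tick_us=TICK_US):
    """Bill each clock tick to the process running exactly when it fires."""
    billed = {p: 0 for p in schedule}
    for k in range(1, ticks + 1):
        t = k * tick_us
        for proc, intervals in schedule.items():
            if any(start <= t < end for start, end in intervals):
                billed[proc] += tick_us
                break
    return billed


def accurate_accounting(schedule):
    """Bill measured run time, as a timestamp-based scheduler would."""
    return {p: sum(end - start for start, end in iv) for p, iv in schedule.items()}


def flag_unbilled(schedule, ticks, tolerance=0.25):
    """Report processes whose sampled share is far below their measured share,
    the signature of the attack described in the text."""
    sampled = sampled_accounting(schedule, ticks)
    accurate = accurate_accounting(schedule)
    total = sum(accurate.values())
    suspects = []
    for proc in schedule:
        sampled_share = sampled[proc] / (ticks * TICK_US)
        real_share = accurate[proc] / total
        if real_share - sampled_share > tolerance:
            suspects.append(proc)
    return suspects


if __name__ == "__main__":
    sched = build_schedule(10)
    print("sampled :", sampled_accounting(sched, 10))
    print("accurate:", accurate_accounting(sched))
    print("suspects:", flag_unbilled(sched, 10))
```

With ten ticks the sampled view bills the honest process for all 10,000 microseconds and the cheater for none, while accurate accounting shows the cheater used 8,000 of the 10,010 microseconds; the miscounting the section describes is visible in the honest process's inflated bill.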

6.4 DDoS Attacks Prevention by Packets Encapsulation

This research was carried out by Dr. Avital Yachin, at Technion, Israel Institute of
Technology.

Dr. Yachin based his method on research by Gal Badishi and Dr. Idit Keidar of the
Technion Electrical Engineering Faculty, and Amir Herzberg of the Computer
Science Department at Bar-Ilan University.

The researcher in this project demonstrated a method of defending computer
systems from attacks by creating a packet level authentication mechanism. Each
packet is encapsulated with a secret key known only to the sender and receiver.
Unauthorized packets are filtered at the NDIS (Network Driver Interface
Specification) level before they reach the TCP (Transmission Control Protocol)
stack. This ensures much lower resource consumption compared to a decision at
higher levels.

The proposed solution is general and is not restricted to specific IP addresses or
TCP/UDP ports. In addition, no modifications are required to existing applications,
and the protection mechanism is totally transparent to them. The suggested
version supports UDP packet encapsulation only, in a Windows environment, but
the same concept may be applied to other protocols and operating systems.

The researcher emphasizes that although flooding, which consumes the network
bandwidth of a computer system, can take an Internet service down, it requires
either high bandwidth on the attacker's side or a very large network of remotely
controlled agents. Instead of flooding a computer system (such as a web server),
an attacker may bring a service down by simply consuming the system's resources
(CPU power and memory). A simple example of an attack on a web server is
rapid requests for a specific web page (browser refresh). Since the web server
processes such requests at the application level, a lot of computing power is
consumed, up to the point where the server crashes.

The authentication process is the core of this research. To create trusted
communication between a client and a server, the client must be “authenticated”
by the server. This is done by assigning each client a unique ID (secret code)
that is registered at the server. Clients that are not registered at the server,
or that do not have a secret code, will not be able to communicate with the server.

The client’s secret code is used to create a random key that is attached for every
outgoing packet. The key is created by hashing (SHA-1) the secret code with the
current timestamp. When the server receives a packet, it tries to calculate an
identical key based on its timestamp and the list of registered clients. If a match
is found, the packet is passed to the TCP stack; otherwise, the packet is dropped.

The researcher continues by describing key calculation, which is composed of the
current time and the client's secret code. The research shows how the system
supports multiple clients and servers: a list of the known secret codes is stored,
and the keys are calculated separately for every client. The researcher explains
how the system operates and how it captures and filters packets before they
reach the TCP stack.

Filtering packets on the basis of this two-way authentication method provides a
client authentication mechanism. The main advantage over IPsec, which provides
authentication and encryption at the IP layer, is that the suggested solution is
much cheaper: it requires a key recalculation not for every packet but only once
per time period.
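The tagging and filtering scheme of this section, written out as an added example (not Dr. Yachin's implementation): the client prepends a key derived from its secret code and the current time to every datagram, and the receiver accepts a packet only if the tag matches one computed for a registered client. Two choices here are my assumptions rather than the page's: the key is an HMAC-SHA1 over the number of the current time period (a keyed construction instead of a plain SHA-1 over secret and timestamp, which is the safer way to mix a secret into a hash) and the receiver tolerates one period of clock skew. Expected tags are cached per period, which is what makes the per-packet cost a lookup rather than a hash, matching the section's point about recalculating keys per time period rather than per packet. Secrets, period length and payloads are constructed.

```python
"""Time-windowed per-packet authentication tags, as a packet filter checks them.

Added example, not the researcher's code. Secrets, period and payloads are
constructed; the HMAC construction and skew tolerance are assumptions.
"""
import hashlib
import hmac
import struct

PERIOD_SECONDS = 30                  # how often keys are recalculated (assumption)
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes prepended to every packet


def window_number(ts, period=PERIOD_SECONDS):
    return int(ts) // period


def derive_tag(secret, ts, period=PERIOD_SECONDS):
    """Key for the current period: HMAC-SHA1(secret, window number)."""
    msg = struct.pack(">Q", window_number(ts, period))
    return hmac.new(secret, msg, hashlib.sha1).digest()


def encapsulate(secret, payload, ts):
    """Client side: prepend the period key to the outgoing datagram."""
    return derive_tag(secret, ts) + payload


class PacketFilter:
    """Receiver side: drop anything not carrying a registered client's tag."""

    def __init__(self, registry, period=PERIOD_SECONDS, skew_windows=1):
        self.registry = dict(registry)   # client id -> shared secret code
        self.period = period
        self.skew = skew_windows
        self._cache = {}                 # window number -> {tag: client id}

    def _tags_for(self, win):
        if win not in self._cache:       # one hash per client per period
            ts = win * self.period
            self._cache[win] = {derive_tag(s, ts, self.period): cid
                                for cid, s in self.registry.items()}
        return self._cache[win]

    def check(self, packet, now):
        """Return (client_id, payload) if accepted, else (None, None)."""
        if len(packet) < TAG_LEN:
            return None, None
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        current = window_number(now, self.period)
        for win in range(current - self.skew, current + self.skew + 1):
            for expected, cid in self._tags_for(win).items():
                if hmac.compare_digest(tag, expected):   # constant-time compare
                    return cid, payload
        return None, None


if __name__ == "__main__":
    filt = PacketFilter({"alice": b"alice-secret-0001", "bob": b"bob-secret-0002"})
    print(filt.check(encapsulate(b"alice-secret-0001", b"hello", 1000), 1000))
    print(filt.check(b"\x00" * TAG_LEN + b"forged", 1000))
```

A packet carrying a tag from a period more than one window old is dropped, which bounds how long a captured tag can be replayed; the section's own design keeps the key valid for a whole period, so the period length is the trade-off between recalculation cost and replay exposure.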

6.5 Survey on Detection of Covert Channels through VPN

This research was carried out by Isakov Yehiel at the Technion, Israel Institute
of Technology.

The main point of this work is to understand the subject of “covert
communications”. As the Internet infrastructure gets more complicated, new
attacks and means of defense are devised in order to protect organizations from
unauthorized access and data leakage. Covert communication remains the least
understood of these subjects, with the least coverage in popular culture.
According to the researcher, one of the reasons might be that the requirements
for understanding this subject are above the average ability needed to
understand how to hack into a non-secure system. One needs a thorough
understanding of network protocols, statistics, probability and even machine
learning in order to deal with this subject and understand the true nature of a
covert channel as an invisible means of communication. This is something that
cannot be detected through usual techniques; it needs much deeper detection
techniques, ones that operate at the basic level of communications.

Covert channels are reminiscent of the techniques for hiding information within
audio, video, textual and pictorial content (steganography). While steganography
requires some form of content to serve as cover, a covert channel requires some
network protocol to serve as a carrier. Due to these similarities, some of the
techniques used to discover steganographic content might be applied in order to
discover covert channels. One must remember that since the focus is on covert
channels through VPNs, there are only a few specific techniques that the
adversary can use in order to create a covert channel.

The researcher gives two different definitions of covert communication. One is
more formal; the second states that any information channel can be exploited
by a process to transfer information in a manner that violates the system's
security policy. According to the researcher, there are two types of covert
channel: one in which the sender writes to a shared resource and the receiver
reads it, and one in which the sender signals information by modulating the use
of resources (like inter-packet delays and packet transmission rate) over time
so that the receiver can observe it and decode the information.

6.6 Covert Timing Channel

This research was carried out by Jonathan Avidal and Oren Ben Simon at the
Technion, Israel Institute of Technology.

The main target of this project is to create a secret channel which will be difficult
to detect even for a person who knows the algorithm. For this purpose, the
researchers tried to imitate the usual traffic that passes through the channel and
to make minimal changes to it. They composed algorithms based on new principles
which help prevent the channel from being revealed. The new channel built by
the researchers is active, but it should be as passive as possible.

A secret channel is a hidden channel that uses shared resources to transfer
information between different parties in the system: two computers communicate
with each other over the secret channel, and a third party does not know of its
existence. The aim of this kind of channel is to send secret information, or to hide
the sending of additional information such as passwords or cryptographic keys,
or even to hide illegal information, and so on.

This project deals with a situation in which there are two computer networks,
far away from each other, connected through UDP/IP communication. The
researchers assume that in one of the networks there is a Trojan horse which
tries to transfer secret information from the secret network to a hostile party
located on the Internet. The researchers also assume that the Trojan horse is
placed in the communication channel and controls the information transfer,
which means that the Trojan horse is able to use the communication channel
from one computer network to the other to transfer information to a hostile
party.

The researchers divided secret channels into two kinds:

1. Storage channels, which transfer information between two processes by storing
the information on a disk that is common to both of them.
2. Timing channels, in which information is transferred between two computers
by one process modulating the response time of a shared resource, which the
receiving process observes and interprets.

For example, a change in the response time of a cache, or a change in the time
interval between two IP messages.

This project concentrates on the construction of secret channels based on
time and size. In this category, we can find two kinds of channels:
1. Active channels, which create new information packets.
2. Passive channels, which manipulate existing information packets.
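Both section 6.5 and section 6.6 describe channels that encode data in inter-packet delays; the detector below is an added example for both, and is not code from either Technion project. It implements the regularity statistic of Cabuk, Brodley and Shields (CCS 2004) as I understand it: a stream that modulates delays from a small fixed set keeps almost the same standard deviation of delays from one window of packets to the next, whereas ordinary traffic is bursty and its per-window spread swings widely. The two traces (a binary delay channel carrying a fixed message, and a bursty "normal" stream whose mean delay changes every twenty packets), the window size and the threshold are all constructed assumptions.

```python
"""Regularity test for inter-packet delay (IPD) covert timing channels.

Added example, not the Technion projects' code. Traces, window size and
threshold are constructed; the statistic follows Cabuk et al. (2004).
"""
import random
import statistics

WINDOW = 20        # packets per window
THRESHOLD = 0.15   # regularity below this is flagged (assumption)


def inter_packet_delays(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def regularity(ipds, window=WINDOW):
    """STDEV of |sigma_i - sigma_j| / sigma_i over all pairs of windows."""
    windows = [ipds[i:i + window] for i in range(0, len(ipds) - window + 1, window)]
    sigmas = [statistics.pstdev(w) for w in windows]
    ratios = [abs(si - sj) / si
              for i, si in enumerate(sigmas) if si > 0
              for j, sj in enumerate(sigmas) if i < j]
    if len(ratios) < 2:
        return float("inf")   # too little data to judge; never flag
    return statistics.pstdev(ratios)


def is_covert(timestamps, threshold=THRESHOLD):
    return regularity(inter_packet_delays(timestamps)) < threshold


def covert_trace(message=b"SECRET", packets=200, short_delay=0.05, long_delay=0.10):
    """Constructed binary IPD channel: bit 0 -> short delay, bit 1 -> long delay."""
    bits = [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]
    ts, t = [0.0], 0.0
    for n in range(packets - 1):
        t += long_delay if bits[n % len(bits)] else short_delay
        ts.append(t)
    return ts


def bursty_trace(packets=200, seed=7):
    """Constructed 'normal' trace: exponential delays whose mean changes
    every 20 packets, as bursts and idle periods would produce."""
    rng = random.Random(seed)
    means = [0.01, 0.2, 0.05, 0.4, 0.02, 0.15, 0.3, 0.03, 0.5, 0.08]
    ts, t = [0.0], 0.0
    for n in range(packets - 1):
        t += rng.expovariate(1.0 / means[(n // 20) % len(means)])
        ts.append(t)
    return ts


if __name__ == "__main__":
    for name, trace in (("covert", covert_trace()), ("bursty", bursty_trace())):
        score = regularity(inter_packet_delays(trace))
        print(f"{name}: regularity={score:.3f} covert={is_covert(trace)}")
```

A channel built to imitate the carrier traffic, which is what section 6.6 sets out to do, would aim to defeat exactly this kind of statistic, so in practice such tests are combined with others (for instance, comparing the delay distribution against a baseline for the same link) rather than used alone.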

Chapter 7: Trends

BotNet trends comprise two parts. One is the technology developed to prevent,
control and detect BotNet intrusion; the second is products, including Israeli
products developed in Israeli universities or companies. In companies, we can
find research that has been completed and is being marketed.

7.1 The IUCC/IDC Internet Telescope

This research was carried out by Efi Arazi at the Israel Inter-University
Computation Center (IUCC).

An Internet Telescope is a tool that monitors the backscatter of spoofed IP traffic
destined to what is known as “Internet dark address space”. It is aimed at
BotNet attacks on some IP address in which the attack packets originate from
totally random, spoofed IP addresses. When the victim attempts to reply to some
of these attack packets (SYN, ICMP, etc.), the response will go back to what it
assumes is the originating IP address. Some of those replies will go back to
“Internet dark address space”. Dark IP address space is space that is globally
routable but in which there are currently no computers. In other words, there
should never be any packets destined to this particular network.

The project has been assigned a /16 (formerly a Class B, with 65,536 IP
addresses) of “dark space”, where the researchers have been able to install a
network monitor that receives “backscatter” packets from all over the Internet.
There are other Internet telescopes, like the one at SWITCH. CAIDA was the first
to document the technique and present analysis numbers, and has done more
recent research in this area.

Attacks seen

The packets received by the telescope can be roughly categorized into 4
categories:

1. Host/Port scanning: Host/port scanning is usually carried out by programs used
by hackers to learn about the computers and ports that are open in the network
(and possibly available for compromise). In this case, the Telescope captures the
packets of the scanners. A worm attack is a program that exploits a bug in the
operating system to install a virus, which in turn will try to spread and infect
other machines on the network. The Telescope captures the packets sent by an
infected machine in its attempt to infect a new machine in the Telescope's
“dark space” network.
2. Backscatter from spoofed DDOS attacks throughout the world: A Denial of
Service attack is an attack in which a hacker tries to consume network resources
by sending lots of traffic to a specific victim. The Telescope can monitor which
networks in the global Internet are under attack by spoofed, random packets.
We can understand this better with an example. Consider the case where victim
Y, somewhere in the Internet, is under a spoofed TCP SYN attack. The victim
responds with SYN-ACK to the spoofed source address. Since the source was
randomly spoofed, it most probably would also send a SYN-ACK response to the
Riverhead-IUCC monitor network. Hence, the monitor should capture a SYN-ACK
packet from the victim. Since the monitor network is a /16 (and there are
65,536 such /16 networks in the Internet), we end up capturing 1/65536th of
the volume of the spoofed attack (assuming the spoofing was indeed random).
The rate of the attack seen by the telescope is actually a lower bound on the
actual attack rate. This is because the telescope sees only the rate that the victim
can still handle (i.e., we see SYN-ACK packets only for the part of the traffic to
which the victim can still answer the SYN received; if the computer is
overloaded, then SYN packets will be ignored by the victim).

3. Configuration Mistakes: a flow that lives for a very short time, and that cannot
be categorized to one of the above categories is basically labeled as
configuration mistakes of one of the computers in the Internet.
4. Others: a long flow that could not be categorized to any of the above groupings.

In general, the distribution of packets into these four categories is as follows:

Internet telescope packet distribution

Type of packet            Percentage
Host/port scanning        92%
DDOS backscatter           5%
Configuration mistakes     2%
Others                     1%

Attacks not seen

Not all DDOS attacks can be seen by a Network Telescope. Those that
cannot be seen are:

1. Bogon attacks: A bogon attack is an attack that comes with a source IP that
should never appear in the Internet global routing tables. A list of bogons is
available from Team CYMRU. IUCC filters out some but not all of the bogons so in
general, the Network Telescope will not see bogon attacks.
2. uRPF filtering: Even spoofed attacks may not reach a Network Telescope if they
are stopped along the way via a method known as Reverse Path Forwarding
filtering.
3. Non-spoofed attacks: An attacker can always attack a victim directly, using any
number of attack tools to try to overwhelm the resources of the victim. In
general, these types of attacks would be easy to backtrack and to determine who
the attacker was, so we assume most attacks are no longer of this type.

4. BotNet attacks: Since attacking with an identifiable IP would lead to backtracking,
attackers now use what is known as a BotNet or Zombie attack. By infecting
many PCs and using them as a proxy for launching their attack, attackers are able
to hide their identity. Since a BotNet attack is, in general, not spoofed, a Network
Telescope would not see such an attack. There have been cases of BotNet
attacks with spoofed IP addresses, but the attacker then takes the chance that
some of the attack packets might be filtered by uRPF checking. It is assumed
that most attacks these days on the Internet are launched by BotNets.

Results

For traffic classified as DDOS backscatter, the dominant source port is the port
on which the victim was attacked, and the dominant destination port is that of
the traffic that reached the telescope.

1. Information on the traffic characteristic, especially ports. We output the top ten
destination ports and source ports in regards to viewed spoofed attacks for every
day of the last week.

2. A daily list of Machba systems that have been determined to have a worm or
been infected. Infected systems are those that have been seen to be scanning
consecutive IP addresses, whereas a worm is defined as probing a specific list of
predefined ports on random IPs.
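The four categories and the two results above, applied to constructed packet records as an added example (not the IUCC telescope's code): unsolicited replies (SYN-ACK, RST, ICMP) arriving in dark space are backscatter and identify the victim and its attacked port from the replies' source port; SYN probes from one source to many dark hosts are scanning, split into consecutive-address scanning by an infected host versus a fixed port list on random addresses (the worm definition in item 2); short unexplained flows are configuration mistakes and long ones are "others". The observed backscatter rate is scaled by the 65,536 /16s of the IPv4 Internet to give the lower bound on the attack rate that item 2 describes. The dark /16, the RFC 5737 source addresses, the per-source grouping and the thresholds are my assumptions.

```python
"""Categorising packets that arrive in a dark address space.

Added example, not the telescope's code. Packet records, the dark prefix and
all thresholds are constructed.
"""
import ipaddress
from collections import defaultdict, namedtuple

DARK = ipaddress.ip_network("10.0.0.0/16")  # stand-in for the telescope's /16
SCALE = 65536            # telescope sees ~1/65536 of randomly spoofed traffic
SCAN_MIN_HOSTS = 5       # distinct dark hosts probed before calling it a scan
SHORT_FLOW_SECONDS = 5   # shorter unexplained flows count as misconfiguration

Packet = namedtuple("Packet", "ts src dst proto sport dport flags")


def is_reply(p):
    """Unsolicited replies: nothing in dark space sent anything to provoke them."""
    return (p.proto == "tcp" and p.flags in ("SA", "RA", "R")) or p.proto == "icmp"


def classify(packets):
    """Return {category: [(src, detail), ...]} using the page's four buckets."""
    by_src = defaultdict(list)
    for p in packets:
        if ipaddress.ip_address(p.dst) in DARK:   # ignore anything not for us
            by_src[p.src].append(p)
    out = {"scan": [], "backscatter": [], "config": [], "other": []}
    for src, pkts in by_src.items():
        span = max(p.ts for p in pkts) - min(p.ts for p in pkts)
        dsts = sorted(int(ipaddress.ip_address(p.dst)) for p in pkts)
        if all(is_reply(p) for p in pkts):
            # Victim = src; attacked service = source port of its replies.
            observed = (len(pkts) - 1) / span if span > 0 else float(len(pkts))
            out["backscatter"].append((src, {"port": pkts[0].sport,
                                             "rate_lower_bound": observed * SCALE}))
        elif (all(p.proto == "tcp" and p.flags == "S" for p in pkts)
                and len(set(dsts)) >= SCAN_MIN_HOSTS):
            consecutive = all(b - a == 1 for a, b in zip(dsts, dsts[1:]))
            out["scan"].append((src, "sequential" if consecutive else "worm"))
        elif span < SHORT_FLOW_SECONDS:
            out["config"].append((src, round(span, 1)))
        else:
            out["other"].append((src, round(span, 1)))
    return out


def sample_packets():
    """Constructed capture; sources use RFC 5737 documentation addresses."""
    pk = []
    for i in range(8):   # host walking 10.0.1.1 .. 10.0.1.8 on port 445
        pk.append(Packet(float(i), "198.51.100.7", f"10.0.1.{i + 1}", "tcp", 40000 + i, 445, "S"))
    worm_targets = [("10.0.200.4", 135), ("10.0.17.250", 139), ("10.0.3.77", 445),
                    ("10.0.91.2", 135), ("10.0.54.130", 445), ("10.0.9.9", 139)]
    for i, (dst, port) in enumerate(worm_targets):   # fixed port list, random hosts
        pk.append(Packet(100.0 + i, "203.0.113.9", dst, "tcp", 51000, port, "S"))
    for i in range(20):  # SYN-ACKs from a web server under a spoofed SYN flood
        pk.append(Packet(200.0 + 0.5 * i, "192.0.2.80", f"10.0.{i}.{i + 1}", "tcp", 80, 1024 + i, "SA"))
    pk.append(Packet(300.0, "192.0.2.33", "10.0.9.9", "udp", 5353, 53, ""))   # stray DNS
    pk.append(Packet(300.8, "192.0.2.33", "10.0.9.9", "udp", 5353, 53, ""))
    for i in range(30):  # long unexplained UDP stream
        pk.append(Packet(400.0 + 20.0 * i, "192.0.2.44", "10.0.66.6", "udp", 6000, 7000, ""))
    pk.append(Packet(500.0, "192.0.2.99", "172.16.0.1", "udp", 1, 1, ""))  # not dark space
    return pk


if __name__ == "__main__":
    for category, items in classify(sample_packets()).items():
        print(category, items)
```

The web server in the sample answers 2 SYN-ACKs per second into the dark /16, so the estimated flood is at least 131,072 packets per second; as item 2 notes, it is a lower bound because an overloaded victim stops answering altogether.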

7.2 False Positive

(By Mr. Michael Shafir)


A False Positive, an alarm generated by a security device signaling a security
threat that isn’t one at all, is a common phenomenon in many current web
security solutions. It is a false detection or false alarm, and in proactive devices
it can result in total blocking of a user or users from a website.

False Positives can be generated in different ways. Intrusion Detection Systems
(IDSs), for example, generate logs to alarm administrators of illegal attempts to
enter a website. Such logs, in addition to real alarms, contain false alarms that
overwhelm the administrator. In contrast to the passive nature of most IDSs,
application security solutions are usually proactive. This means that they are
designed to block access to a website and in the case of a “False Positive” may
block legitimate users from accessing a website.

The reason that False Positives occur is simply that security solutions are
automated and have only limited intelligence capabilities. Most solutions have a
database of known attacks and are constantly comparing incoming traffic to this
database, trying to identify an attack. This opens the door to False Positives, since
often the security system views traffic differently than the target system. This
may be because of different protocols and operating systems, as well as
encryption or fragmented streams. Even harmless requests may be misjudged as
“malicious” when there is an unusually high and unexpected volume of traffic.
What is the effect of False Positives on a website?

There is a much more important issue than why False Positives are generated.
More importantly, what is more harmful, a successful attack or False Positives?
An immediate answer may be that a successful attack is more harmful. It seems
logical. However, further analysis reveals that in fact False Positives pose a
greater threat. The reason lies in the fact that organizations can evaluate
damages resulting from malicious activities and can quantify them. However,
damages that occur from a False Positive created by a third-party are much more
difficult to predict and protect against.

Let’s look at an example. In most legal systems, if the facts in a case are
ambiguous, the legal system would tend towards letting a suspect go, letting a
guilty person walk free rather than finding an innocent person guilty. For
lawmakers, it has long been clear that such a False Positive (finding an innocent
person guilty) causes more damage to society than freeing a guilty person.

The problem of False Positives on the Internet is mainly a result of the way
security companies have approached the problem. Current security solutions
have looked at how to identify the malicious activities and stop them. In order to
do that, these solutions rely on a database with examples of illegal traffic. They
try to match incoming traffic against the database and thus look for attacks.
There are many problems with this logic. First, they are unable to detect attacks
that are not registered in the database. It may be a new kind of attack or a new
version of an old attack. Second, and much more worrisome, are the False
Positives they create.

Let’s examine this issue from another perspective. Let's say that there is a
terrorist who is threatening to start shooting in a crowd of people. The
authorities want to eliminate this threat but they will not shoot into the crowd
because they may cause innocent bystanders to be hit, i.e., it will create False
Positives. So we arrive back at the question of what is less harmful, a successful
attack or a False Positive? Now the answer is clearer. Every law enforcement
agency would choose to let the terrorist get away and then pursue him later
rather than harm innocent people.

Now the question arises: why not adopt this attitude with web security
solutions? Instead of wasting time, money and resources on trying to identify
“bad” traffic, it would be much more effective to protect the site with positive
rather than negative logic. Instead of looking at what is not allowed, one should
be looking to “understand” only what is allowed. This means that the web
security solution “understands” what kind of traffic can be forwarded to the site
and can automatically block all traffic that is not allowed. True, this is a more
complicated solution since it requires the security solution to be much more
sophisticated and equipped with more advanced logic. However, this way of
protecting the website has many advantages over the older methods since, when
applied intelligently, it can eliminate “False Positives” and protect the site
against both unknown and known threats.

Although “positive logic” security solutions represent a better way of protecting
websites against current and future generations of attacks, such solutions fall
short of delivering all of the benefits and still create some of the problems of
older methods, specifically False Positives.

Let’s take an example from the real world. Some current application security
solutions parse a retrieved page from a web server, dynamically creating a URL
list from that page. The user should then request the objects as listed on that
HTTP page.

“Direct access browsing”

Direct access browsing refers to the direct access of a web object or objects
which are not listed on that HTTP page. At first thought, this may appear to be
acceptable and not a security issue, but further analysis reveals the problematic
nature of the approach. Take, for example, a case where a user is given a
URL link from a search engine into a page deep in the site, or where the user has
bookmarked a link that is not the home page. In this case, a security solution
working with this logic may block the user as if he were attacking, since it cannot
track the user’s actions. While this is not an attack, the security solution may
assume it is and may create a False Positive response.

Another issue that can cause False Positives is the use of proxies between the
user and the website. In this case, the requested page may be stored in the
cache, sometimes for quite a long time (usually only static HTTP pages or
objects). The requested objects would not be retrieved from the origin site and
therefore will not be part of the “tracking list” on the security system. “False
Positives” may be generated and the user's requests may be blocked by the
system. In the worst case scenario, the user will be added to the Access Control
List (ACL), thereby blocking his IP address completely for future access. From
that user's point of view, the site is dead or is under a Denial of Service attack.

In order to eliminate this problem, some current application security solutions
require that the “Meta cache” in the entire site’s HTTP page headers be
disabled, forcing all traffic through the web server alone. If this is the case, what
is the point of having a reverse proxy or cache server at all if the site’s content is
forced to bypass them? In fact, by eliminating the caches and proxies, you are
actually paralyzing the network’s shock absorbers and may be forced to deal
with huge amounts of redundant traffic.
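To make the mechanism concrete, the following is an added simulation (not code from the report or from any vendor) of a hypothetical per-session “tracking list” filter, with the deep-link and proxy-cache cases described above replayed against it, next to a site-structure allow-list that keeps the positive logic without those False Positives. The mini-site, the client names and both filter classes are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed mini-site served by the origin server (not a real site).
SITE = {
    "/": '<a href="/products">Products</a> <img src="/logo.png">',
    "/products": '<a href="/products/widget">Widget</a> <a href="/">Home</a>',
    "/products/widget": '<a href="/products">Back</a>',
    "/logo.png": "<binary>",
}

class LinkExtractor(HTMLParser):
    """Collect the paths referenced by href/src attributes of one page."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links = base, set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.add(urlparse(urljoin(self.base, value)).path)

def links_on(path):
    """The 'URL list' a tracking filter builds from a page the origin served."""
    parser = LinkExtractor(path)
    parser.feed(SITE[path])
    return parser.links

class TrackingListFilter:
    """Session-tracking positive logic as described in the text: a client may
    only request the home page or an object linked from the last page the
    origin served to it. Hypothetical filter, not any vendor's product."""
    def __init__(self):
        self.tracked = {}  # client -> paths linked from its last origin-served page
        self.acl = set()   # clients whose IP was added to the blocking ACL

    def request(self, client, path, served_by_cache=False):
        if client in self.acl:
            return "blocked-acl"
        if path not in self.tracked.get(client, {"/"}):
            self.acl.add(client)  # worst case from the text: IP blocked for good
            return "blocked"
        if not served_by_cache:
            # The origin served the page, so the filter saw it and refreshes the
            # list. A cache hit never reaches the origin and the list goes stale.
            self.tracked[client] = links_on(path) | {"/"}
        return "allowed"

class SiteMapFilter:
    """Positive logic without per-session tracking: any path in the crawled
    site structure is permitted however the client arrived at it, so deep
    links and cache hits are not penalised; unknown paths are still refused."""
    def __init__(self):
        self.allowed, todo = set(), ["/"]
        while todo:
            path = todo.pop()
            if path not in self.allowed:
                self.allowed.add(path)
                todo.extend(links_on(path))

    def request(self, client, path, served_by_cache=False):
        return "allowed" if path in self.allowed else "blocked"

def scenarios(filter_cls):
    """Replay the cases from the text against one filter; return its verdicts."""
    f = filter_cls()
    return {
        "deep_link": f.request("alice", "/products/widget"),     # bookmark/search hit
        "click_path": [f.request("bob", "/"), f.request("bob", "/products")],
        "via_cache": [f.request("carol", "/"),
                      f.request("carol", "/products", served_by_cache=True),
                      f.request("carol", "/products/widget")],    # link on cached page
        "after_block": f.request("alice", "/"),                   # ACL side effect
        "unknown_path": f.request("dave", "/admin"),              # not part of the site
    }
```

Running `scenarios` with each class shows the tracking filter blocking the bookmarked deep link and the click after a cache hit (and then everything from that client), while the site-map filter allows both and still refuses the path that is not part of the site.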

How can you avoid both application attacks and “False Positives” at the same
time?

There is another issue that we have to bring up. One of the greatest security
threats website operators face today is attacks that use perfectly legitimate
traffic as the means of attack. This kind of attack is called a “Fake-Legitimate”
attack. To illustrate this, we can take an example from the “real” world. Let's say
that a certain number of good quality fake tickets to a sports event are in
circulation. The guards at the entrances to this event will have the difficult job not
only of admitting those who have a valid ticket, but also of looking at each and
every ticket and trying to judge whether it is a real one or a forgery.

The problem with these kinds of attacks is that the security system will need to
intelligently differentiate between legitimate and “Fake-Legitimate” traffic. This
requires very sophisticated intelligence as well as fast processing. Today’s
firewalls and other security systems cannot perform this task. Therefore, they
cannot protect the sites from these kinds of attacks. Current solutions try to
combat them but lack the tools to do that effectively. As a consequence, these
systems create “False Positives” in the process.

It is clear that conventional IDSs do not stand a chance in the fight against
either “Fake-Legitimate” attacks or False Positives. These kinds of systems use a
signature database of known threats against which they check incoming traffic.
This has serious drawbacks, since the method cannot protect against attacks for
which it does not have a record. It also can generate many False Positives while it
fails to discriminate between legitimate and malicious traffic.

There are also security systems in the market that attempt to detect attacks by
identifying traffic anomalies. While the theory is good, one of the major
drawbacks of such systems is that they find it difficult to differentiate between
legitimate traffic surges and attacks. Such surges can be created by an
advertisement that just ran on TV or a breaking story in the press. Thus, they
often create False Positives by inaccurately identifying such surges as attacks.

Another highly problematic area with today’s passive security solutions is
incident logging. How many times will the network administrator react to false
alarms before he starts to ignore them altogether? Our experience has shown
that within three to four weeks, administrators virtually ignore all alarms since
they are constantly bombarded with false ones. Instead of receiving numerous
false and minor alarms, they would rather use their time more efficiently. For the
enterprise, this is a waste of time and resources. The same weakness affects most
third-party anti-spam technologies: they are good at identifying junk mail based
on blacklists, content and other cues, but filters that catch all spam often snare a
fair bit of legitimate email as well. Can you accept that, and for how long? (I bet
no more than a few hours.)

The weakness of current IDSs/IPSs is clear. Not only do they need to be able to
inspect over 600 known attack signatures with minimum delay, they also need to
reconstruct fragmented streams to avoid partial stream views. Most of the
systems on the market resort to some sort of corner-cutting and apply
“statistics-based inspections” instead of inspecting every single packet.

For security systems to create false alarms and logs is one thing. But there is a
much more serious problem with active security systems. They can actually block
the traffic to the site. The problem starts when such systems start creating False
Positives and thus block legitimate users. In a case where a person is regarded by
the security system as an attacker and cannot get into his bank account, this will
create a bad impression of the bank. Because of such possibilities, banks prefer
to undergo an attack rather than block a legitimate user. False Positives are
therefore unacceptable.

As mentioned in my previous article, “Are Web Applications Trojan horses”, a
new security approach is needed, one that can effectively detect and protect
against application layer attacks and at the same time, stay free from “False
Positives” and be intelligent enough to automatically learn to protect against
both unknown and known attacks and effectively bar False Negatives. This is the
only way to provide the highest level of security to web applications.

7.3 Multifunctional Bots

The arsenal of malware is in a steady state of growth. Not only do the
manufacturers of malware get more and more inventive, they also regress to using
old methods when it suits them. When a new technology or a new trend becomes
available to the public, it already has an innate weakness that opens a
backdoor to wrongdoers. The bigger the trend, the stronger the attraction to
cash in on it illegally. Since it is only a matter of time until the security
breach is spotted, real-time response is what separates solving the problem at
hand from being exposed to a completed attack. Once the Botnet has
successfully breached the system it was sent to, the ingenuity of the attacker has
given it the ability to multitask. Hence, it can financially harm its current host in
one of the ways outlined above; it can spread itself further to harm other
connected users sitting on the network, being a Botnet as opposed to just a Bot;
or it can just sit stealthily for as long as its handler wants.

7.4 Peer-to-Peer

Bandwidth is one of the Internet’s restrictions. Botnet operators and writers
have harnessed the potential bandwidth underlying Peer-to-Peer (P2P) networks.
When the Bot was dependent on a single Command and Control (C&C) server, the
attacks were limited to the bandwidth and access of its local infrastructure.
Utilizing an army of Zombies connected through P2P is a stealthy way to waive
the need for a C&C server, and it enjoys greater access and a longer response time
until the attack is identified and blocked.

7.5 Common Content

Due to the fact that most security solutions for protection against malicious
viruses are equipped with capabilities for tracing and blocking image-embedded
malware, spammers have devised clever ways of utilizing common and legitimate
content which filters let through. The disclaimer message at the end of an email
can be one such common content. The content-based filter tags this as a
non-malicious message and allows the infiltration. This method is also aimed to
trick the end user, whose mind will rest at ease after seeing the disclaimer text. If
the end user allows viewing of infected images or clicks on the malicious link, the
perpetrator will also receive confirmation of his attack, which puts the end user at
higher risk of future attacks.

7.6 Blogs and Personalized Internet Pages

The growing popularity of blogs has turned them into a target for Botnet
dissemination. The big platforms fell victim first, but as awareness grew,
attention switched to less popular blog platforms. Some subject lines used
randomly chosen words or misspelled subject lines to evade filtering.

Facebook is also vulnerable to BotNet attacks due to the fact that it provides
access to inside files. Facebook uses two methods to identify and authenticate
users: cookies, which contain session information, and hidden form IDs that are
supposed to ensure that forms come from the user. With either a cookie or
knowledge of a user’s form ID, an attacker can impersonate a victim. A cookie’s
session information would allow an attacker to construct XMLHttp requests and
assume all the same privileges as the user. This is due to the fact that a BotNet
attack will have access to all files on the computer, including cookie files.
Israeli researchers have concluded, in research carried out at the Technion
Computer Science Department, that this type of Personalized Internet Page
demonstrates huge potential to distribute different viruses, including Botnets
and others. (According to these researchers, Facebook alone had 124,000,000
registered users as of September 10, 2008.) Despite the enormous potential to
distribute different viruses, these networks were not used as a tool to distribute
worms and viruses until recently, when a new worm by the name of Koobface
started attacking personalized Internet pages; it distributes itself and endangers
all such pages. (The research is in Hebrew.)

7.7 Vertical Text Spam

Experimenting with new methods to bypass tracing has proven effective when
trying to evade Zero Hour Detection of an attack. Playing with the display is
one of the earliest methods of obfuscation, yet the use of Asian languages has an
added value. Filters have difficulty due to the writing’s double-byte characters
and the fact that the sentences have no spacing between words. The latest twist
was embedding Chinese content with vertical orientation.

7.8 Mobile Applications

Wi-Fi has made surfing the web much more accessible via laptop computers,
PDAs, smartphones and 3G cell phones. There have been mobile malware attacks
in the past two years; however, they have been restricted to spreading viruses, as
no new money-making scheme through cellular communication has emerged.
The same protections are vital on laptops and PDAs, especially since they have
turned into tools of the trade and sometimes contain even more sensitive data.

7.9 Sandboxing

In the constant chase after the development of malware, when the black hats
built lists of researchers into their Botnet programming and made a special
effort to exclude them from being targets of active malware, the researchers
devised ways to get the Botnet to activate without harming the host computer.
When the malware is quarantined in what is referred to as a “Sandbox”, it
operates under the impression that it has reached its unsuspecting user, when in
fact it is being probed and explored by security experts. Every finding is
diagnosed and published for immediate practice. That is the nature of the online
service and forum that supplement all three solutions discussed in this paper.

7.10 The Development of BotNets in the Future

According to a survey that was carried out by different Tier 1 and Tier 2
providers, a few interesting conclusions were reached that indicate how
“tomorrow’s” BotNets will look.

The number of BotNets increases daily but their size decreases. A few years ago,
we could have identified BotNets that incorporated 80,000-140,000 computers;
today, this number has decreased to a few thousand or even hundreds. This
phenomenon can be explained by the fact that smaller BotNets are harder to
identify and much easier to sell or rent. An additional reason derives from the
fact that almost every computer today has a broadband connection, and
therefore a few hundred computers with 1Mbps each can saturate the OC-3 link
that serves many networks.

It is certain that BotNets are a desired product in the market, and many people
are willing to pay in order to purchase a BotNet. When there is demand from the
market, there is also supply, so we can expect BotNets to continue to develop
and to be a very serious threat to today’s computers.

Chapter 8: Trends of Security Products

The following are the trends in security products against Bots developed by
Israeli companies, whose technology is used by different companies around the
world.

8.1 Mi5 Networks

Mi5 takes a different approach to detecting and blocking bots. Instead of just
relying on IP blacklists, or desktop signature detection, Mi5 has developed a
series of patent-pending algorithms that use a combination of cues to detect and
block Bots. The technology looks inside the company’s network for C&C
communication, IP scanning, spamming and other BotNet activity, and develops
a “confidence score” for the traffic coming off Bot infected PCs.

As soon as some activity is detected, Mi5’s technology, the WebGate, flags the PC
as “suspected.” Once enough of Mi5’s algorithm triggers have been tripped, and
Mi5 is confident the machine has an active Bot on it, the WebGate flags
the PC as “active” and blocks outbound Bot communications. But since typically
only 5-15% of Bot infected PCs are active at any one point in time, Mi5 goes one
step further, marking PCs that had active Bot activity but are no longer
communicating as “Inactive.” With that information, administrators can prioritize
the cleanup work and focus on the active Bots first.
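As an added illustration of combining several cues into a per-host confidence score with suspected, active and inactive states (a reconstruction of the idea written for this page, not Mi5’s code or algorithm), the cue names, weights, thresholds, score decay and the sensor log below are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed cue weights: more specific bot behaviours score higher. Constructed,
# not Mi5's actual cues or weights.
CUE_WEIGHTS = {
    "irc-cc-connect": 3,  # outbound connection matching a C&C rendezvous pattern
    "dns-fastflux": 2,    # one hostname resolving to rapidly changing addresses
    "port-scan": 2,       # many distinct internal hosts/ports hit in a short window
    "smtp-burst": 2,      # desktop sending mail directly to many MX hosts
}
SUSPECT_AT, ACTIVE_AT = 2, 5          # assumed confidence thresholds
HALF_LIFE = timedelta(hours=1)        # score halves per hour of silence (assumption)
INACTIVE_AFTER = timedelta(hours=6)   # active bot silent this long -> "inactive"

# Constructed sensor log, one "<timestamp> <host> <cue>" record per line.
LOG = """\
2008-09-10T08:00:00 10.0.0.5 dns-fastflux
2008-09-10T08:02:00 10.0.0.5 irc-cc-connect
2008-09-10T08:03:00 10.0.0.5 port-scan
2008-09-10T08:10:00 10.0.0.9 smtp-burst
2008-09-10T09:30:00 10.0.0.7 irc-cc-connect
2008-09-10T09:31:00 10.0.0.7 port-scan
2008-09-10T09:32:00 10.0.0.7 smtp-burst
"""

class BotScorer:
    """Per-host confidence score with suspected / active / inactive states."""
    def __init__(self):
        self.score = defaultdict(float)
        self.last_seen = {}
        self.state = {}
        self.blocked_outbound = set()   # hosts whose outbound bot traffic is cut

    def observe(self, host, cue, now):
        if host in self.last_seen:      # let old evidence fade before adding new
            self.score[host] *= 0.5 ** ((now - self.last_seen[host]) / HALF_LIFE)
        self.score[host] += CUE_WEIGHTS.get(cue, 0)
        self.last_seen[host] = now
        if self.score[host] >= ACTIVE_AT:
            self.state[host] = "active"         # enough triggers: block outbound
            self.blocked_outbound.add(host)
        elif self.score[host] >= SUSPECT_AT and self.state.get(host) != "active":
            self.state[host] = "suspected"      # flagged, but not yet blocked

    def sweep(self, now):
        """Demote active bots that have gone quiet; they still need cleanup."""
        for host, st in self.state.items():
            if st == "active" and now - self.last_seen[host] >= INACTIVE_AFTER:
                self.state[host] = "inactive"
                self.blocked_outbound.discard(host)

    def cleanup_queue(self):
        """Active infections first, then dormant ones, then mere suspects."""
        rank = {"active": 0, "inactive": 1, "suspected": 2}
        return sorted(self.state, key=lambda h: (rank[self.state[h]], h))

def run(log=LOG, sweep_at="2008-09-10T14:30:00"):
    """Feed the log through the scorer, then sweep at the given time."""
    scorer = BotScorer()
    for line in log.splitlines():
        ts, host, cue = line.split()
        scorer.observe(host, cue, datetime.fromisoformat(ts))
    scorer.sweep(datetime.fromisoformat(sweep_at))
    return scorer
```

With the constructed log, 10.0.0.5 and 10.0.0.7 both cross the active threshold, but by the afternoon sweep 10.0.0.5 has been silent long enough to be demoted to inactive, so only 10.0.0.7 remains blocked and heads the cleanup queue.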

Mi5’s WebGate appliances not only block incoming Bot and Trojan infections, but
also track the spread of BotNet infections throughout the organization, and
prevent Bots from sending any data back out of the organization.

This company’s BotNet capabilities are included with every WebGate appliance,
so separate point solutions are not needed to tackle the BotNet problem in
the enterprise.

8.2 Check Point

Check Point is developing technology for securing the network infrastructure.
They develop firewall security products which give security features such as
integrated intrusion prevention, virtualization, gateway anti-virus, anti-spam,
web content filtering, as well as IPSec and SSL VPN remote access for computers
and mobile devices. Check Point also offers standalone intrusion prevention and
SSL VPN solutions as part of a unified security architecture. With a unified
architecture, their network security solutions provide core technologies that
enable a customer to deploy a consistent, high level of security throughout the
entire organization.

Their technology: IPS-1 is an intrusion prevention product. It is a dedicated
intrusion detection and prevention system (IDS/IPS) that helps organizations
secure their enterprise network, and protect servers and critical data against
worms, automated malware such as BotNet, and blended threats both known
and unknown. This solution is a turnkey appliance and also software that can run
on open servers.

The technology has:

1. Hybrid Detection Engine, which can leverage multiple detection and analysis
techniques to prevent network- and application-layer attacks.
2. Attack Confidence Indexing, which blocks only known, genuine attacks and
thus ensures protection without impacting business operations.
3. Multi-alert Correlation, which identifies patterns in alert activity that would
otherwise be reported as separate, unrelated events.
4. Dynamic Worm Mitigation, which identifies and blocks rapidly propagating
worms.
5. Efficient management, which overcomes data overload with tools that provide
direct, graphical focus only on important security events associated with
critical business systems.

8.3 Commtouch Ltd.

Commtouch developed security technologies for e-mail communication, which
has become on the one hand the most widespread form of communication and on
the other a means to break into computers, spread BotNets and other malicious
spam. Their development is a spam and Zero-Hour™ virus outbreak protection.

Their two main products are:

1. Their Anti-Spam Solution is a technology that gives real-time protection from
new outbreaks. It captures spam at high rates, and the technology is specially
developed to produce no false positives.
2. Another product Commtouch developed is the Zero-Hour™ Virus Protection,
which is aimed at detecting new virus outbreaks. This product is a
signature-less technology which blocks suspect messages in a rapid manner.

8.4 BEYOND SECURITY LTD.

This company developed a tool to uncover security holes in servers, expose
vulnerabilities in the corporate network, check computer systems for the
possibility of hostile external attacks and audit vendor products for security holes.

The company’s first product is a security portal on the Internet that researches
security vulnerabilities and issues updated security alerts. It provides warnings
and then provides solutions to these vulnerabilities.

The company developed an automated scanning engine. This product scans the
organization’s network and simulates attacks originating from either the internal
or the external network. It then gives a report of the security vulnerabilities of
the organization and gives possible solutions to fix those vulnerabilities. The
engine of the product is updated on a regular basis with the most recent security
vulnerabilities.

8.5 PINEAPP LTD.

This company develops technology to secure networks and email systems from
attacks such as Botnet, spam and other malicious attacks.

The company developed three solutions:

1. Mail-SeCure is an email perimeter security protection. This technology
combines a three-tier engine with a threat filtering suite. The engine consists
of a multi-layered Anti-Virus, a Zero-Hour detection engine and a multi-layered
Anti-Spam engine with Image-based Spam detection technology.
2. Mail-SeCure, an email perimeter security appliance that protects from
targeted and non-targeted email-related threats.
3. Surf-SeCure is an in-line real-time filtering system that protects the
organization from threats, such as Viruses & Spyware, enforcing the
organization’s surfing policy, using content filtering tools such as URL
database, Active Content Recognition.

8.6 Applicure Technologies Ltd.

This company develops multi-platform web application security software
products to protect websites and web applications from external and internal
attacks. The company studies hacker behavior and, based on these studies, their
solution identifies attacks such as BotNet, SQL Injection, Cross-Site Scripting and
many other application-level attacks and stops them before they reach the
website or application.

8.7 BeeFence

This company develops a technology that gives real-time investigation which is
designed to eliminate false positive detections and deliver true attack mitigation.
The technology is an analytical engine that is aimed to bridge the gap from
suspicion to certainty.

The technology is an active Intrusion Protection which enables regular business
operation without compromising security. The company’s IT security technology
defends enterprises from external threats such as BotNet, Trojan horse and
other spam. It solves the problem of false alarms at enterprises.

8.8 Radware Ltd.

This company develops a technology to deal with security threats such as Denial
of Service (DoS) attacks, BotNet and server malware, DoS and DDoS flood attacks.
The technology is aimed to block attacks before they get anywhere near the
application level. Their technology gives a multilayer approach. Their main
product DefensePro® is an in-line, intrusion prevention, DoS protection, and
traffic-shaping solution designed for enterprise core and perimeter deployment,
data centers and carrier backbone. It is aimed to be the industry’s solution to
fully integrate adaptive, behavior-based protection capabilities both in the
network and application levels.

This technology integrates multiple layers of defense, including signature-based
protection, protocol anomaly protection, encrypted Secure Socket Layer (SSL)
attack protection, access control and bandwidth management. By using adaptive
behavioral analysis, the technology identifies and mitigates a wide range of
network and server threats including Zero-Day attacks such as BotNets and
Trojan horse without requiring human intervention.

Bibliography

Articles and Essays

1. “The End of Spam”, Globes, July 7, 2008.

2. “The trouble with threat modeling” by Adam Shostack, a Series of Blogs, 2008.

3. “Cyber Assaults on Estonia Typify a New Battle Tactic”, The Washington Post,
May 19, 2007.

4. “Digital Fears Emerge After Data Siege in Estonia”, The New York Times, May 24,
2007.

5. “Hundreds of sites infected with dynamic malware”, ZDNet, Jan 18, 2008.

6. “The Art of Cyber Warfare”, Part 1: The Digital Battlefield, Tech News World, Apr
29, 2008.

7. “The Art of Cyber Warfare”, Part 2: Digital Defense, Tech News World, Apr 30,
2008.

8. “Hackers Inc”, NRG, Jan 8, 2007.

9. “Threat Modeling, Once Again” by Larry Osterman, a Series of Blogs, 2007.

10. “Enemies Upon You”, Network, Information Week, Dec 10, 2007.

11. “Attack of the Bots”, Wired, Nov 2006.

12. “Gone Spear-Phishin”, The New York Times, Dec 4, 2005.

Personal Interviews

1. Commtouch CTO & President, Amir Lev.

2. Beyond Security CEO, Aviram Jenik.

3. PineApp CEO, Hezi Erez.

4. Technion, Israel Institute of Technology.