Botnets, Trojans and phishing 2.0 pose serious online banking threats

Sameer Ratolikar, Bank of India's chief information security officer discusses issues related to botnet attacks and its effect on Indian online banking.

SameerRatolikar, Bank of India's chief information security officer discusses issues related to botnet attacks and its effect on Indian online banking. Can you tell us how botnets and Trojans work? What are the differences between these security threats?
Botnets and Trojans fall under the category of crimeware, with the same purpose and objective. A Trojan basically hides its own identity. In many cases, if you download content from a website, the hidden malicious content (Trojan) gets downloaded with the genuine content. After the Trojan is downloaded and installed on your machine, a blackhat hacker can get remote access to the targeted computer. Often, the Trojan may be a key logger which captures keystrokes and silently sends it to the hacker's command centre.

A desktop or laptop affected by malicious software becomes a part of the botnet(s). Such clients are called Zombie machines and are used as relay servers for spam transmission. Due to the large scale infection of machines in such attacks, it becomes difficult to prevent spam by blocking a particular IP address as such. It is difficult to identify botnets through ordinary antispyware and antimalware solutions since they are very intelligent. Hence such attacks can prove to be very harmful for corporate networks. Are there any ways to detect bots in networks?
Bots are typically controlled by a centralized command control centre or server, so typical antispyware tools find it difficult to locate bots. Infected machines can serve typical requests through port 80 or port 443, which usually allowed for traffic in firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). Thus, an infected client sends malicious traffic which is hidden under genuine traffic.

Vendors claim that IPS and IDS have the capability to detect bots. On this front, I have not tested these capabilities apart from a feature called deep packet inspection (DPI). Several firewalls and network IPS vendors claim that DPI is enabled to detect bots. However, I have not seen firewalls or IPS solutions that block such attacks, even though they provide good defense against distributed denial of service attacks. Can you suggest any solutions or processes to protect corporate networks from botnet attacks?
Blended threats such as botnet attacks require application layer protection. To defend against these, you should set up a secure Web gateway which is connected to a global reputation-based agency or centralized intelligence agency. Antivirus companies which possess their own honeypots also provide such intelligence services. These vendors are aware about hacker command control centers, malicious IP addresses and domains.

Layer defense is always the best approach against blended threats. Protect your machines (with endpoint security solutions) and networks using a secure gateway of firewalls with application layer support, antivirus, antispyware, malware and IPS. Even after all these, you cannot completely rely on technology, since you will need continuous updates from intelligence services.

In terms of processes, you require good vulnerability assessment and penetration testing for your critical infrastructure. You will need to perform regular risk assessment of critical servers and mitigation controls to reduce your risk appetite. Employees must be educated on regular basis through means such as emails and newsletters. At Bank of India, we have developed a unique internal information security portal to educate our users. The portal carries information security policies, whitepapers, regular virus updates, news on security incidents and quizzes. How secure is the Indian cyber space when it comes to Internet banking? What kinds of initiatives are required to improve security levels?
Our total internet infrastructure operates on HTTPS, which is a combination of the hypertext transfer protocol and SSL. There are new kinds of attacks such as man-in-the-browser and man-in-the-middle attacks, which are capable of being executed over SSL. Incidentally, the Reserve Bank of India's guidelines on Internet banking has not been updated since June 2001.

Regulatory authorities, banks and technology players should come together to form comprehensive Internet banking guidelines to address new attacks. We need to realize that attack vectors are moving from phishing 1.0 (with key logger attacks to misguide users to fraudulent websites) to phishing 2.0, where malicious Trojans are capable of manipulating online transactions in real-time. For example, assume that you transfer Rs 10,000 to my account. A Trojan has compromised my browser, which makes it Rs 1,00,000 in real-time. We need technology solutions which can provide transaction verification and mutual authentication features. We must remember that SSL is an encryption protocol and not an authentication protocol. Hence we need good authentication mechanisms on the Internet.

In the future, you will see "Crimeware as a Service (CaaS)" kind of attacks. Now-a-days, hackers are not putting polymorphic code on users' machines. The polymorphic engine does not reside within the virus code, but is remotely controlled using a command center server. This is called CaaS because the actual viral code does not actually reside on the host, but in the cloud — similar to the Software-as-a-Service platform. Even though you have the latest antivirus and antispyware tools, it will not be able to detect malicious code, because there is no code or signature which resides on your PC. Today's security solutions are not able to mitigate this problem.

Read more on Hackers and cybercrime prevention