This is the first in a series of blog posts “on all things Bot.”
From bad to good and looking towards the future, Bots remain an information security issue which has the potential to impact all commercial and recreational online activity. This series will explore the security and business ramifications of the modern internet where you may be surprised by all the non-human visitors to your online services.
“Baby Got Bots” – Sir Cyber A Lot, 1992
In the late 80’s early 90’s when your internet was delivered by dial-up or, you had access to a university account – we were a little late to the party in Canada – you probably encountered your first Bot. Back in the day, before the dozen or more collaboration and messaging apps which we use today, there was really only one place to be online – that was Internet Relay Chat (IRC).
Bots played an important role in controlling the constant stream of text and when queried could provide information or “rules of the road”. As a channel admin, on the #Undernet I would log in, a friendly bot would greet me and grant me the rights on the channel I needed to moderate participants (/Kick /Ban).
These bots utilized scripts to carry out a myriad of tasks and fast-forward-to-today, the complexity of tasks has grown but, the fundamental function of a Bot has not: “do stuff online quickly and efficiently.”
Early experimentation by programmers lead to the development of both malicious bots which exploited IRC users such as the Sub7 Trojan and benign, even helpful bots whose role back in the early days of the web was to “crawl it” and index pages – in-fact, in 1996 “GoogleBot” appeared as one of the first web index called a “spider”.
“To the Botcave” – BotMan, 1960
In early 2017, a report by the firm Imperva caught everyone’s attention with the headline reading “Nearly 30 percent of all web traffic is sent by malicious bots.” From their analysis, they concluded that 48.2 percent of all traffic was sent by humans that year (2016). The other 51.8 percent were bots, but only 23 percent of traffic was handled by what the report terms “good bots.” …The rest was made up of nasty ones.”
Deep into the report were far more disturbing and sobering numbers. “In 2016, every third website visitor was an attack bot and 94.2 percent of inspected websites experienced at least one bot attack during the 90-day survey period.” The report estimates that businesses lose an estimated $7 billion dollars each year thanks to ad fraud perpetuated by this nasty software.
Perhaps naively once these startling numbers appeared action would be taken. Sadly, the action taken at the beginning of October 2016, was by a bot programmer working under the alias of Anna-senpai, who released the source code for the “Mirai” bot. This bot specifically targeted a number of Internet of Things (IoT) devices taking them over, forcing them to look for other vulnerable devices and silently waiting for the command to conduct a Distributed Denial of Service (DDOS) attack. We did not have long to wait.
“Crush your online services. See them bluescreen. And hear the lamentations of the system admins. – Bot King Conan, 1982
After some previous DDOS attacks which were perhaps a test run of this new bot capability, on the 21st of October 2016 the Mirai bot DDOS capability was turned on against Dyn DNS which lead to one of the most impactful cyber-attacks ever known – over 170 million people were effectively knocked offline and the estimate of this single attack which lasted about 16 hours is well over ten million dollars.
According to US DOJ court sentencing documents released in 2018: “In 2016, the defendants, Josiah White, Paras Jha, and Dalton Norman, worked to develop and operate the Mirai botnet, an Internet of Things botnet that, at its peak, consisted of hundreds of thousands of compromised devices.
White, Jha, and Norman used the botnet to conduct a number of powerful Distributed Denial of Service (DDoS) attacks. Separately, from December 2016 to February 2017, Jha and Norman created and maintained a botnet devoted to advertising fraud, particularly click-fraud.” Because the Mirai code was publicly released prior to the Dyn DNS attack, it would appear sufficient reasonable doubt existed to make charges against
Paras Jha and Josiah White impossible to pursue.
Although the three received suspended sentences with court-imposed conditions for “Prior to even being charged, the defendants have engaged in extensive, exceptional cooperation with the United States Government.” Some may feel justice was somewhat elusive in this case.
Suffice it to say we now find ourselves with the first inklings of a future where bots and IoT may be regulated to prevent mass DDOS attacks and other malicious automated online activity. The State of California – a leader in digital technology legislation – has taken direct action against the proliferation of insecure IoT devices enacting legislation outlawing default passwords.
In perhaps, revealing far more sinister concerns, California is also in the process of passing legislation “preventing any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”
Join us in future blog posts to explore the exciting, dynamic and dangerous world of bots.
Image credit: Depositphotos