Owen ‘Akill’ Walker’s bot code is considered among the most advanced bot programming encountered by international cyber-crime investigators, according to the Police summary of facts.
The code had some special features, such as protection from discovery, the ability to spread automatically and the ability to identify and destroy rival bot code.
But two local security experts are not convinced of the superiority of this particular botnet or of its creator.
University of Auckland cyber security guru Peter Gutmann says that based on the information he has found, Walker used an existing bot, Akbot, and added some of his own code to it. Gutmann adds, however, that it has been difficult to find accurate information about Akill and the activities he was involved in.
Akbot is a quite primitive bot that was state-of-the-art about five years ago, says Gutmann. It is controlled via IRC (internet relay chat) systems, which was also common a few years back.
There are sophisticated bot-herders out there who are very difficult to track down, says Christian Seifert, a computer security PhD student at Wellington’s Victoria University. These botnets are not controlled via the traditional IRC channel, in which bots listen to one central IRC channel to be controlled, says Seifert, who also runs the local chapter of the Honeynet Project, a non-profit security research organisation.
Instead, these well-hidden botnets have peer-to-peer-like structures in which the bots use encryption and trusted relationships to communicate, he says.
“These are much more difficult to track down and analyse, and the bot-herder is not likely to be identified,” he says.
Gutmann says he has not seen it mentioned anywhere in statements about Akbot that it can remove other bots, but even if it is capable of doing this, this feature is not very rare. He says one example of a quite remarkable way of finding and destroying other malware was a few years back when the SpamThru bot used a pirated copy of Kaspersky’s anti-virus software to get rid of rival malware.
The tactic of destroying rival malicious code is so common that malware authors occasionally go to war over it, says Gutmann. In mid-2007 the authors of Storm and Mpack briefly turned their malware on each other in retaliation for the other side removing the malware from their machines, he adds.
Seifert is not impressed either. Bot code that is encrypted and difficult for anti-virus software to detect is rather the norm today, he says.
A recent study conducted by Victoria University and the University of Washington revealed that anti-virus detection accuracy was 69% on a sample of malware pushed by drive-by downloads.
“Every time malware writers compile their malware it looks different to the anti-virus engines and it often goes undetected,” says Seifert.
A large number of different botnets exist today, for example, Kraken, Srizbi and Nugache, he says.
“The fact that ‘Akill’ was one of the few caught makes me believe [that] he was not very careful about his operation,” he says.
The distributed denial-of-service attack that hit a server at the University of Pennsylvania, an attack to which Walker has pleaded guilty, also shows that he wasn’t very careful, says Seifert.
DDoS attacks and massive worm outbreaks were common a few years ago, he says. Today, cyber-crime operations have gone underground.
“Malware sits hidden on thousands of machines and silently collects information that can be used for financial gain,” he says.
Gutmann agrees. The people who are running botnets commercially are in it for the long term, he says. Bot-herders are usually not caught, which could be helped by the fact that they often operate in jurisdictions where the Police have other things to do than hunt down bot-herders, says Gutmann.
It is also very unusual that bot-herders do everything themselves — write the code, run the botnet and do the transactions — like Walker did. Outsourcing is huge in the cyber-crime world, he says.
A lot of bot code is written in Russia, says Gutmann, and Akbot is nowhere near the sophistication of what is created in Eastern Europe.
Because Akbot is not terribly sophisticated, and because Walker did everything himself, he seems to be little more than a script kiddie, says Gutmann.
“This seems to be a throw-back to some time ago when people did it for fun,” he says.
But there are so many different claims about this case out there on blogs and other sites that it is hard to get an accurate picture of what actually happened, says Gutmann. Some of this contradictory information could be caused by a conflict between hacking groups that used the attacked server at the University of Pennsylvania, he says.
According to some reports, Walker’s co-pilot Ryan Goldstein — who has pleaded guilty in a US court to helping a hacker crash the School of Engineering and Applied Science’s server — was banned from the particular server, home to the TAUNET IRC service.
These reports say Goldstein was kicked out, there was some name-calling and Goldstein then asked Walker for help to launch the attack against the TAUNET server as an action of revenge.
Other reports claim that the attack was not deliberate. Walker himself told Police that he used the university’s server to update his botnet, and that the DDoS attack was unintended.
Some reports claim that Goldstein gave authorities Walker’s name when he was caught.
Gutmann says it is great and useful that authorities tracked Walker down, but there are still a large number of bot-herders out there.
US computer forensics researcher and blogger Gary Warner put it like this:
“We haven’t landed Moby Dick here. We haven’t stopped a ‘Criminal Mastermind’. We caught a few juveniles with anger management and social problems, who made $40,000 selling hacked computers to a Dutch advertising company and attacked a university chat room because the boys there told another boy he was not their friend any more.”