NZ ‘bot-herders’ probed over US, Asian attacks

There is a lot more electronic crime activity in New Zealand than many people appreciate, says head of e-crime unit

The New Zealand Police e-crime unit is investigating the first local “bot-herders”, who have developed and operated botnets from New Zealand, says Barry Foster, head of the Police e-crime lab in Auckland.

Foster says the New Zealand bot-herders are primarily targeting academic and business systems outside of the country, in the US and Asia. However, Foster says it is very difficult to prosecute offenders because a lot of the alleged activity involves teenagers.

Foster was unable to give any more detail on the cases as they are still under investigation both here and overseas. He says there is a lot more electronic crime activity in New Zealand than many people appreciate.

Wikipedia defines bot-herders as “crackers who use automated techniques to scan specific network ranges and find vulnerable systems, such as machines without current security patches, on which to install their bot program.”

Infected machines become part of a zombie network and respond to commands from the bot-herder, usually through an Internet Relay Chat channel.

Foster says his team also recently responded to a phishing complaint from a Brazilian bank. The phishing website seemed to be located at a hotel in Auckland. Upon investigation it turned out that criminals had gained access to the hotel’s unpatched server and the hotel was unwittingly hosting the phishing site.

The hotel had a really good Cisco router, but it was sitting on the inside of the other router, rather than the outside, Foster told the audience at the CIO Conference in Auckland last week.

Viruses and worms are still the most common form of attack, and businesses are still getting infected by rootkits or Trojans, Foster says. But there are new threats coming. Botnets are “one, big scary thing” that is going to affect business in the future, he says.

Another emerging threat is the USB device, says Foster. USB thumb drives are easy to use and conceal. They have a large capacity — they are now available up to 32GB, and can be encrypted, he says. Data can easily be copied with little or no trace, as USB drives can now be used for “portable” internet use, says Foster. Users could, for example, run an internet browser from the USB drive and save all the data to the USB key. When the application is closed down, there is no trace, he says.

If someone is going to steal a company database, they are not going to email the data to themselves anymore; they are going to use a thumb drive and walk out the door, he says. USB drives can easily be concealed in necklaces, watches, wristbands, earrings or pens, he says.

So, what can businesses do to protect themselves? Ensure your ICT staff have appropriate and up-to-date controls in place, says Foster. Have a plan ready to implement for any incident, including identifying investigative and forensic support.

“Do that now,” he says.

Have a response team ready and practise incident scenarios every now and then.

Foster recommends having a look at Microsoft’s Fundamental Computer Investigation Guide for Windows.

He also recommends taking security measures with the consultants brought in to deal with computer forensics. Do a background check of the expert you are planning to use for forensics, he says.

It has happened that convicted IT fraudsters have changed their name on being released from prison and, later on, called themselves computer forensic experts, he says. Make sure that the consultants you bring in do not print reports or copy to CD any illicit material they find, he says. If they do, they are committing the offence of creating an objectionable publication, and if you pay them for it, you are distributing that publication for gain, which carries up to 10 years in prison, he says.

The e-crime lab dealt with 264 cases last year, and this year it is up to 200 cases already.
