Pacific Northwest Digital Government SummitSecurity – How Much is Enough?June 20, 2006 SA Kenneth A. Schmutz

National Priorities

Counterterrorism Counterintelligence Cyber Crime

Cyber Crime Components

Computer Intrusions BOTNETS DDOS Attacks Intellectual Property Theft Theft of Trade Secrets Virus/Worm Activity

Child Pornography Internet Fraud

How Severe is the Threat?

THREAT

•Professional Cyber Criminals

•Organized Crime (Foreign and Domestic)

•Money

•Information

Growing Trend

BOTNETS Distributed Denial Of Service Attacks

(DDoS) Extortion Malicious Attacks

Pay for Click (Adware installations) Network Traffic

Identity Theft (keylogging, phishing) SPAM

Components of BOTNET

Internet Relay Chat (IRC) Server Usually a compromised Linux box

Zombies- Compromised computers Home, Military, Government, Education,

and Business infected by a worm, trojan, or virus

Botherder – Person controlling BOTNET

Attack Network

Attack Control Computer

Recent BOTNET Case

ZOTOB Released ~8/2005 Spreads through email and MS05-

039(PnP) Sets up Backdoor via trojan Controlled by Internet Relay Chat (IRC) Zotob A, B, C derived from MyTob Zotob D, E, F derived from Rxbot

ZOTOB- victims

IRC SERVERDiabl0.turkcoders.net

ZOTOB - Subjects

Code Analysis

43 41 4e 00 00 00 00 5b 78 5d 20 42 6f 74 7a 6f 72 B-O-T-Z-O-R.SCAN....[x] Botzor

32 30 30 35 20 42 79 20 44 69 61 62 6c 4f 00 00 2005 By DiablO................

ZOTOB - Subjects

Diabl0FBI Headquarters CyberFBI Seattle Cyber Squad Identify hotmail account for Diabl0

through DNS Whois for blackcarder.net

Worm analysis “greetz to my good friend coder”

ZOTOB - Subjects

FBI flies to Morocco/Turkey

ZOTOB Conclusion

Two subjects located and arrested in less than two weeks from infection

Cyber Prevention Current, patched Operating System

Enable automatic updates Current virus protection

Update as often as service allows Software and Hardware based firewall Anti-Spyware Protection

Now a necessity Identify points of vulnerability

Remote access Laptops

Resources

www.consumer.gov/idtheft/ www.ic3.gov/ www.annualcreditreport.com (877-322-

8228)

Contact

Special Agent Kenneth A. Schmutz (206) 262-2114 Kenneth.Schmutz@ic.fbi.gov