Puppetnets and Botnets: Information Technology Vulnerability Exploits


Puppetnets and Botnets: Information Technology Vulnerability Exploits that Threaten Basic Internet Use

Erwin Louis Carrow University System of Georgia

Board of Regents 270 Washington Str. S.W.

Atlanta, Georgia 30334 USA 404-657-9890

[email protected]

Abstract

The focus of this paper is to identify dominant trends of information security threats to the Internet 2001 to 2007. This paper is intended to provide an understanding of the new emphasis of attacks through use of robotic networks and how some users and organizations are already preparing a response using innovative visualization techniques in conjunction with traditional methods. The scope of research will focus on basic enterprise level services that are commonly provided by various corporations; e.g., e-mail, browser applications, wireless and mobile devices, IP telephony, and online banking. The research will first review the network infrastructure common to most corporate organizations and assume basic enterprise components and functionality in response to the current security threats. The second emphasis will consider the impact of malware robotic networks (Botnets and Puppetnets) on the corporate network infrastructure and how to address these threats with new and innovative techniques. This approach is pragmatic in application and focuses on assimilation of existing data to present a functional rationale of attacks to anticipate and prepare for this coming year.

General Terms

Management, Measurement, Documentation, Performance, Design, Security, Human Factors, Theory, Verification.

Keywords

Botnets, Puppetnets, Black holes, Honeypots, Honeynets, Honeymoles, Security Threat Gateway (STG), user space

1. INTRODUCTION

Current trends in Information Technology Security exploits have progressively placed more emphasis on targeting common services used to support users and corporate entities. The most common services for corporate entities and home users consist of email service, website hosting, Internet web browsing, and connectivity through both wired and wireless access points. Additional services include, depending upon the complexity of the network, Domain Name Service (DNS), Intrusion Detection Service (IDS), Intrusion Prevention Service (IPS), a firewall for network perimeter security, and some type of Domain X500 Directory service for user level access control. The vector for hacker exploitation has not dramatically changed over past years, but the vehicle for implementation of the attack has become increasingly automated and subversive under the guise of robotic attacks. These attacks are often made using unknowingly compromised users’ personal computers or corporate resources employed for malicious Internet attacks through ordinary web browser code or in underlying background processes through some remote control access. These infected systems act as conduits for malevolent attacks redirected against individual users, websites, or network domains. Once a hacker or organized crime element has gained control of an extensive array of these computer devices, they can then be used as an army of resources to launch single or multiple attacks against an Internet objective. These networks of hacker-controlled systems are commonly referred to as Zombies, Botnets, and to a lesser degree, Puppetnets. With the introduction of new technology, older exploits are being retooled for the new infrastructure communications capabilities, which include IP telephony integration, wireless and mobile devices, video, and storage area networks. Currently the application of technology exploitation is fertile and seemingly limitless due to the ever-growing avenues of technological advances. This explosive growth of the Internet has challenged effective network infrastructure administration and, more importantly, the ability of security tools and processes to mitigate malicious exploitation of ordinary users. This paper will summarize common exploits in current use and propose methods for identifying the basic tactics and responding in a timely manner.

2. TRENDS AND CURRENT STATE OF VULNERABILITY

The use of automated attacks has become so serious that many are questioning the security of Internet use for online banking, email, or even simple web browsing. In December of 2006 the Microsoft Corporation announced their concerns over computers infected with Botnets, Zero-day exploits, Trojans, and Rootkits. Starting in January 2007 Microsoft has organized several closed-door meetings with a broad cross section of security experts to strategize a response to the growing security concerns. Microsoft’s motivation stems from their own statistical figures exemplifying that “half of the four million malware infected systems detected in the second half of 2006 … were under the control of Botnets of one kind or another.” Similarly, the Symantec Corporation identified 4.5 million computers in the first half of 2006 which were infected with robotic malware [4, 6]. Microsoft’s concern and response can clearly be seen in the simple use and function of their new Vista operating system, which closely monitors all user activities and delivers immediate feedback if an unexpected or unsecured operation is attempted. The underlying threat identified in these meetings is that these Botnets are not isolated autonomous entities, but tightly controlled and organized networks. The consensus is that this army of zombie computers is being controlled and used for various applications by organized crime.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Information Security Curriculum Development Conference’07, September 28-29, 2007, Kennesaw, Georgia, USA. Copyright 2007 ACM 978-1-59593-909-8/00/0007…$5.00.

85

In a survey taken in 2005 of over 1,400 corporations ranging from finance to manufacturing, of which over 1,240 were banks located in the United States, respondents reported that 59% were increasing their IT security investment in privacy and transaction processing, 70% were increasing security software, and 80% had already adopted vital security intrusion detection and prevention infrastructure [5]. This emphasis is not expected to change for 2007, where the number one and two items for technological trends for expansion and development in the Small Medium Business (SMB) market are security and storage area networks. It is expected that SMB spending will exceed large businesses’ expenditures [3]. The banking industry’s motivation for leading the way in security implementation is very clear; they must protect the interests of their clients.

Consumers now alerted to the significance and capability of Internet deception are requesting more stringent constraints to safeguard their online transaction processing. A recent online survey commissioned by RSA Security Inc. in Bedford Massachusetts stated 52% “are ‘somewhat’ or ‘very much’ less likely to sign up for or continue to use online services from their banks” due to the dominating deceptive phishing trends. This is an increase of 39% from the 2005 survey and 49% from the 2004 survey. The survey indicated 82% of the respondents were “somewhat” or “very much less likely” to respond to e-mail messages from their banks and 5% had actually revealed sensitive information due to phishing [22]. Clearly from consumer feedback, the common user is overwhelmed by the level of fraud that dominates the Internet.

With all the publicity over hacker phishing and pharming and the years of investment corporations have made in educating users, one would think these social engineering exploits should now be ineffective. Because naïve users are often exploited through perceived trusted relationships or an organizationally safe environment, basic social engineering within a personal or corporate setting is still being successfully implemented. Organizations still need to provide practical steps to improve existing policies and train users in how to respond, or more often how not to respond, to such exploits [16]. The sophistication of implementation for these attacks has many recognizing that organized crime is investing more effort in concealing its tracks by using unsuspecting users’ systems. Various experts are predicting that criminal organizations will cause unprecedented losses in 2007 targeting “corporate and consumer defenses” through use of zombie computers organized into Botnets. These Botnets enable spyware, spam, spim, phishing attacks, and DDOS attacks, resulting in billions of dollars in lost revenue from theft, extortion, or lost productivity [17] [27]. With this level of sophistication comes a new level of challenges for system administrators in SMB corporate network environments and the ordinary home user. No longer is it just the larger corporate entity that is at risk, but even more commonly, the Internet user.

Table 1. Resource Listing for Comparative Analysis of Trends (Comparison of Malware Security Trends from 2001 to 2007)

| Author / publication / corporation | Title | Number of contributors | Year of publication | Type of comparison |
|---|---|---|---|---|
| Gibson, Steve | Spyware was Inevitable | Single contributor, academic peer reviewed | 2005 | Moderate overview |
| SCMagazine Staff | IT security reboot 2006: The year's top news | Staff reviewed | 2006 | Detailed overview |
| Keizer, Gregg | Gartner outlines top enterprise security threats for 2003 | One contributor and professionally peer reviewed | 2003 | Detailed overview |
| Maguire, James | Top Ten 2007 Security Problems: Predictions | One contributor used corporate feedback for statistical review | 2006 | Moderate overview |
| SANS Staff | SANS top-20 Internet security | Significant number of contributors from the professional community and academic peer review | 2006 | Very detailed |
| Schneier, Bruce | Attack trends 2004 and 2005 | Single contributor, academic peer reviewed | 2005 | Moderate overview |
| SANS Staff | The Top 10 Most Critical Internet Security Threats | Significant number of contributors from the professional community and academic peer review | 2001 | Very detailed |
| SOPHOS Staff | Threat analyses: These analyses describe some of the more common or interesting threats and applications. | Interview via a podcast broadcast with technical security expert | 2007 | Limited, application primarily focused upon IBot activity |

3. RECOGNITION OF THE CHALLENGES FOR INTERNET SECURITY

Through a comparative analysis of security exploits and trends from various resources, there is relatively little difference between the exploits used today as compared to 2001. Table 1 highlights the research and analysis of exploits from 2001 to the present from various contributors. The research incorporates a broad cross section of organizations, with insight and contribution ranging from individuals to large peer-rated committees. There have been new innovations, but the basic hacking attack process has remained the same, with a greater emphasis on the deployment vehicle: Puppets and IBots. These contributors also exemplify how organized crime is playing a significant role in the use and application of these exploits. New technology has afforded more flexibility and freedom, since Botnets and Puppetnets have allowed the attacker to maintain their autonomy and anonymity. Though progress has been made, there are very few advances in trace-back techniques to clearly identify the sources of most attacks using TCP, and even fewer with UDP due to the connectionless characteristics of the protocol [24]. Even more significant is the lack of substantial government involvement to safeguard individual users from loss. The Federal Bureau of Investigation will not involve itself in any acts of loss unless they are substantial. Therefore, careful assessment must be made to ascertain the extent of corporate or individual user liability before government support can be expected. With that understanding, consideration can be given to the tools the hacker is using to exploit resources or extort information. Once the associated pitfalls are effectively identified, the proper constraints can be implemented to mitigate loss.

Botnets, more common than Puppetnets, have been cultivated to allow hackers to remotely take control of a user’s machine to do their own bidding through some backdoor or rootkit application embedded on an unsuspecting host. A basic limitation, once the computer device has been taken over, is that it must be powered on and accessible via the Internet. The level of control is extensive and system process domination is very obvious. There are currently many anti-malware applications on the market that are capable of monitoring and identifying whether a system is infected or not [15]. The use of these applications can limit the effect of possible infection. A common scenario for infection to occur is for an unsuspecting user to download some utility they find on the network. Upon installing the application to their system, code from the same install adds a backdoor to their system in the background, without the user realizing it, created for the hackers’ later use. Once installed, some malicious utilities are capable of replicating themselves to other systems on the same network, extending the hacker’s influence and capability. These common exploits are referred to as Viruses, Trojans, and Worms, with the distinctive term determined by the extent of their capabilities.

Figure 1. Sample code for Puppetnet DDoS attack [12]

Unlike Botnets, a Puppetnet’s level of control is limited and the infection difficult to detect, since the systems themselves are not actively infected and activity is limited to the browser memory space (sample code is shown in figure 1), where code is piggybacked over normal HTTP traffic exchange. The exploit limits its activity to the application layer of the TCP/IP protocol stack, spawning background session processes under the guise of the browser and never infecting the local host operating system (figure 2). Therefore, little detection is available from traditional malware detection tools. Since the threat is not localized and does not interact with the operating system’s core processes, the user remains unaware their machine is being used to act against others remotely. Also, the level of control from the hacker is very limited; thus the system is a puppet on a string versus an IBot zombie. This demonstrates the elusive nature of various tools that the new Internet criminal is using for personal gain and profit. The malicious payload has not changed (it can use a variation on a common worm infestation), but the method of delivery has now become virtually untraceable, making it difficult to determine if you are the medium for carrying out someone else’s misdeeds (figure 3). The application-layer infection that gives puppet-like control of your system is incurred by visiting an infected but otherwise “authentic” website. Here the site’s sponsor is unaware that they are transmitting a worm infection to propagate Puppets and create Puppetnets. The same situation can occur with many of the current phishing and pharming scams, whereby users are lured to a malicious website that exploits personal information gained through social engineering, and in the process the victim can also receive a piggybacked puppet exploit as well as lose valuable personal information [12].

Figure 2. DDoS using Puppetnets [12]


Figure 3. How Puppetnets propagate worms from infected server through browsers [12]

The Centers for Disease Control, on February 2, 2007, fell victim to a virus attack that was spread to many innocent viewers through their website’s video downloads. Currently the breach is being investigated, and the full extent of the exploits is being determined [7]. This event brought in the support of the Federal government due to the risk of the target being attacked. What is significant is that a public radio announcement, along with public announcement services, suggested that if you had visited the site you could be vulnerable to virus infection. This announcement, shrouded in ambiguity, suggests a footprint similar to the very nature of a puppet viral infection. Therefore, even if you only viewed the site, you could now be a tool for hacker exploitation, infected from a puppet-sick website (figure 3). This deceptive charade of representing websites as valid representations of commercial institutions’ sites to gain personal information from unknowing users has been prevalent since 2004. Commonly known as phishing, the basic principle employed by hackers is to combine social engineering with technical deception by making the site look authentic and safe. Awareness and validation are key considerations that users and businesses should incorporate into their understanding and security practices in combating loss and avoiding deception. This means one cannot be indifferent. Internet security is more than a proper technological application of standards. It is the knowledge and understanding of who one’s enemy is and how to avoid being exploited [28].

These attack models can be used to exploit not just Local Area Network (LAN) or Wide Area Network (WAN) topologies, but also Wireless Local or Metropolitan Area Networks (WLAN, WMAN). Stanford researchers are focusing on the current wireless technology afforded to hackers and the various vulnerabilities this technology provides to interrupt normal operations. Their study describes wireless frequency patterning to establish signal-prints of would-be attackers spoofing various MAC addresses. From these signal-prints, cross-referenced vectors can geographically pinpoint origins of disruption. The cross vectoring of signals identifies typical patterns behind the sources of various attacks; it can confirm that an attack is actually occurring and locate the origin of the transmissions. Part of the problem encountered in combating penetrations and attacks is determining if they are really occurring in real time, since attempts are often covert and their source of origin very difficult to trace [1]. Though there are degrees of success, many issues still need to be addressed for wireless and mobile technology applications. Less common than wireless exploits, mobile cell phone devices can be subject to Distributed Denial of Service attacks. In these types of attacks, the wireless device is flooded with unsolicited traffic, where at a minimum the user’s cell phone battery is drained of power and the device rendered useless [23].
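One way the signalprint idea from [1] can be turned into a spoofing check, as an added Python example that is not from this paper or from the Stanford work it cites: each frame's RSSI vector across several sensors is its signalprint, two groups of frames whose signalprints diverge under one claimed MAC must come from different transmitters, and an RSSI-weighted centroid of the sensor positions gives a rough origin for each. The sensor layout, the 5 dB tolerance, the three-sensor minimum and the sample frames are all constructed assumptions.

```python
"""Signalprint-based detection of MAC-address spoofing on a WLAN."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Positions (metres) of the monitoring sensors. Constructed layout, assumed.
SENSORS: Dict[str, Tuple[float, float]] = {
    "ap1": (0.0, 0.0), "ap2": (30.0, 0.0),
    "ap3": (0.0, 30.0), "ap4": (30.0, 30.0),
}

MATCH_DB = 5            # assumed per-sensor RSSI tolerance for "same transmitter"
MIN_COMMON_SENSORS = 3  # assumed minimum number of sensors hearing both frames


@dataclass
class Frame:
    t: float              # capture time (seconds)
    mac: str              # claimed source MAC address
    rssi: Dict[str, int]  # signalprint: sensor id -> RSSI in dBm


def signalprints_match(a: Dict[str, int], b: Dict[str, int]) -> bool:
    """Two frames match if every sensor that heard both saw a similar RSSI."""
    common = set(a) & set(b)
    if len(common) < MIN_COMMON_SENSORS:
        return False
    return all(abs(a[s] - b[s]) <= MATCH_DB for s in common)


def cluster_by_signalprint(frames: List[Frame]) -> List[List[Frame]]:
    """Greedy clustering: each cluster approximates one physical transmitter."""
    clusters: List[List[Frame]] = []
    for f in frames:
        for c in clusters:
            if signalprints_match(f.rssi, c[0].rssi):
                c.append(f)
                break
        else:
            clusters.append([f])
    return clusters


def estimate_origin(rssi: Dict[str, int]) -> Tuple[float, float]:
    """Crude location: sensor positions weighted by received power in mW."""
    weights = {s: 10 ** (v / 10.0) for s, v in rssi.items() if s in SENSORS}
    total = sum(weights.values())
    x = sum(SENSORS[s][0] * w for s, w in weights.items()) / total
    y = sum(SENSORS[s][1] * w for s, w in weights.items()) / total
    return (x, y)


def detect_spoofing(frames: List[Frame]) -> Dict[str, List[Tuple[float, float]]]:
    """Map each MAC seen from more than one transmitter to the estimated origins."""
    by_mac: Dict[str, List[Frame]] = {}
    for f in frames:
        by_mac.setdefault(f.mac, []).append(f)
    report: Dict[str, List[Tuple[float, float]]] = {}
    for mac, fs in by_mac.items():
        clusters = cluster_by_signalprint(fs)
        if len(clusters) > 1:
            report[mac] = [estimate_origin(c[0].rssi) for c in clusters]
    return report


# Constructed capture: a station near ap1 and a second transmitter near ap4
# both send frames with the same source MAC; a third MAC is not spoofed.
SAMPLE_FRAMES = [
    Frame(0.0, "aa:bb:cc:dd:ee:01", {"ap1": -40, "ap2": -65, "ap3": -66, "ap4": -80}),
    Frame(0.5, "aa:bb:cc:dd:ee:01", {"ap1": -42, "ap2": -63, "ap3": -67, "ap4": -78}),
    Frame(1.0, "aa:bb:cc:dd:ee:01", {"ap1": -82, "ap2": -64, "ap3": -65, "ap4": -41}),
    Frame(1.5, "aa:bb:cc:dd:ee:01", {"ap1": -80, "ap2": -66, "ap3": -64, "ap4": -43}),
    Frame(2.0, "aa:bb:cc:dd:ee:02", {"ap1": -55, "ap2": -52, "ap3": -71, "ap4": -70}),
    Frame(2.5, "aa:bb:cc:dd:ee:02", {"ap1": -57, "ap2": -50, "ap3": -73, "ap4": -69}),
]

if __name__ == "__main__":
    for mac, origins in detect_spoofing(SAMPLE_FRAMES).items():
        print(f"{mac}: {len(origins)} distinct transmitters near {origins}")
```

In a live deployment the RSSI tolerance and sensor minimum must be tuned to the site, since a station that moves between frames will also drift across the tolerance.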

Today there are many Zero Day exploits and application layer vulnerabilities that are not detected by scanning software. Traditional malware vulnerability schemes attempt to address the current functionality of malware that has been embedded into operating systems. This process of observation identifies and monitors process events that make calls to application resources not initiated by the system user. Many such applications position themselves between the kernel and system applications to measure process calls and identify patterns and behaviors. For most malware to be effective, it must evade user and anti-malware applications’ detection, as demonstrated with Puppetnet technology. The new strands of attacks demonstrate the elusive characteristics and capability of malware. New patterning methods must be developed for event processing in anticipation of zero-day attacks [15]. In a recent interview with a representative from Sana Security, Jon Summers (personal communications, February 13, 2007) highlighted the time lag, seen in figure 4, between when an anomaly is identified and when a fix is posted by most antiviral solution providers. What is significant is the minimum of 30 hours before a fix can be released and applied, and the 30 days for full deployment to be implemented. This figure should alert us all to the level of risk inherent until an appropriate patch can be created, deployed, and implemented. The obvious question is, if a vulnerability is identified, how are the unsuspecting victims’ systems being utilized until a fix is applied?

Figure 4. Time delay comparison of malware detection to deployment of safeguard - SanaSecurity.

4. DISCUSSION

Solutions for the avoidance of hackers’ exploits, whether they are Botnets, Puppetnets, or other maladies, have not really changed; they now just require more diligence and caution. Common sense mitigation includes: system patch updates, disabling JavaScript, filtering attack signatures, implementing tighter controls for client-side and server-side behavior, monitoring traffic flows, and employing tracing methods as appropriate. The same old method of highlighting awareness of the problem and then of addressing the problem to the proper authorities or corporate stakeholders to determine a cost effective method to mitigate risk still applies. Training of staff regarding the operational procedures that must be applied for conducting business using Internet resources must be consistently emphasized and regularly scheduled [16]. Training for the common Internet user poses a different sort of problem, which can only be addressed informally. But even more than the operational procedures, technical applications embracing new relevant tools that defend against or define the extent of an attack need to be incorporated into the strategic makeup of every network.

The Black Hole network is one such method. A Black Hole network is the strategic practice of redirecting traffic addressed to unused address space into a monitored black hole address space for statistical analysis, which also keeps malicious IP traffic originating from Internet attackers away from production systems; it has been in practice for many years [2]. Various applications of this practice are now starting to be employed in many practical ways to mitigate attacks through redirection of bogus packets to this dead address space for statistical analysis (figure 5). Because a hacker quickly discovers that their attempts are being redirected, those that employ black hole techniques are combining this technique with a viable target to maintain the attackers’ interest for further analysis of their tactics.

Figure 5: Internet traffic sensor redirection architecture [2]
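As an added example (not code from this paper or from reference [2]) of the statistical analysis a black hole sensor enables: because nothing legitimate should ever be addressed to unused space, every arriving packet is suspect, and a short Python pass over constructed sensor records separates horizontal scans, vertical scans, DDoS backscatter (SYN-ACKs and RSTs returned to the dead addresses because an attacker forged them as the source of a flood) and lone probes. The address block, the record format and the scan thresholds are assumptions.

```python
"""Classify traffic that arrives at a black hole (unused) address block."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed unused block routed to the sensor (documentation range, constructed).
DARKNET = ip_network("203.0.113.0/24")
SCAN_MIN = 3  # assumed: distinct hosts (or ports) before a source counts as a scan

# Assumed key=value sensor record format; not any real product's log layout.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) flags=(?P<flags>\S*)"
)

# Constructed sensor log: a port-445 sweep, a single-host port scan, backscatter
# from a DDoS victim, one lone probe, one packet outside the black hole and one
# malformed line.
SAMPLE_LOG = """\
2007-02-13T10:00:01 src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=445 flags=S
2007-02-13T10:00:01 src=198.51.100.7 dst=203.0.113.11 proto=tcp dport=445 flags=S
2007-02-13T10:00:02 src=198.51.100.7 dst=203.0.113.12 proto=tcp dport=445 flags=S
2007-02-13T10:00:02 src=198.51.100.7 dst=203.0.113.13 proto=tcp dport=445 flags=S
2007-02-13T10:00:05 src=192.0.2.33 dst=203.0.113.45 proto=tcp dport=21 flags=S
2007-02-13T10:00:05 src=192.0.2.33 dst=203.0.113.45 proto=tcp dport=22 flags=S
2007-02-13T10:00:05 src=192.0.2.33 dst=203.0.113.45 proto=tcp dport=23 flags=S
2007-02-13T10:00:06 src=192.0.2.33 dst=203.0.113.45 proto=tcp dport=80 flags=S
2007-02-13T10:00:09 src=192.0.2.9 dst=203.0.113.100 proto=tcp dport=51234 flags=SA
2007-02-13T10:00:09 src=192.0.2.9 dst=203.0.113.101 proto=tcp dport=40011 flags=SA
2007-02-13T10:00:10 src=192.0.2.9 dst=203.0.113.102 proto=tcp dport=60500 flags=RA
2007-02-13T10:00:12 src=192.0.2.77 dst=203.0.113.5 proto=tcp dport=1433 flags=S
2007-02-13T10:00:13 src=192.0.2.77 dst=198.51.100.200 proto=tcp dport=1433 flags=S
this line is malformed and is skipped
"""


def parse(line):
    """Parse one sensor record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify_source(records):
    """Label one source by what its packets to dead address space look like."""
    dsts = {r["dst"] for r in records}
    ports = {r["dport"] for r in records}
    flags = {r["flags"] for r in records}
    # Only SYN-ACK / RST seen: replies to packets we never sent, i.e. backscatter
    # from a DDoS victim whose attacker forged our dead addresses as the source.
    # The source is itself a victim, not an attacker.
    if flags <= {"SA", "R", "RA"}:
        return "backscatter"
    if len(dsts) >= SCAN_MIN and len(ports) == 1:
        return "horizontal-scan"  # one service across many hosts (worm-like)
    if len(dsts) == 1 and len(ports) >= SCAN_MIN:
        return "vertical-scan"  # many services on one host
    return "probe"


def analyse(log_text):
    """Return (per-source report, count of packets ignored as outside the hole)."""
    by_src = defaultdict(list)
    ignored = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if ip_address(rec["dst"]) not in DARKNET:
            ignored += 1  # production address: not this sensor's business
            continue
        by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        report[src] = {
            "class": classify_source(recs),
            "packets": len(recs),
            "targets": len({r["dst"] for r in recs}),
            "ports": sorted({r["dport"] for r in recs}),
        }
    return report, ignored


if __name__ == "__main__":
    report, ignored = analyse(SAMPLE_LOG)
    for src, info in sorted(report.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{src:15} {info['class']:16} packets={info['packets']} "
              f"targets={info['targets']} ports={info['ports']}")
    print(f"ignored {ignored} packet(s) addressed outside {DARKNET}")
```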

To maintain a hacker’s interest, researchers at the University of Houston in Houston, Texas justify the use and application of “Honeypots” to aid in computer forensic efforts. A common deployment for system administrators maintaining a hacker’s attention is to include, in the dead address space (Blackhole), the presence of a computer system that demonstrates potential for exploitation. Through the safe and effective practice of Honeypots, hacking strategies are analyzed and trends determined to more effectively counter criminal exploits. A more extensive application of the Honeypot concept is when multiple devices listed in unused address space are available and vulnerably configured. This concept is called a Honeynet. Security technicians need to gain more understanding of hackers’ attack trends so that loss may be minimized. Honeypots and Honeynets provide a controlled test environment that identifies these exploit trends and provides valuable insight [19]. Now that ethical practices and legal constraints have been clearly identified, Honeynets are common in application, providing valuable data to aid research in combating Internet abuse.

A recent breach reported on the local Atlanta news (2007, February 22) identified how a hacker had infiltrated a university network infrastructure and accessed faculty, staff and student information. Details are still pending, but it is clear these activities were discovered and captured with Honeynet tools currently being implemented at Georgia Technical University. Per a recent interview with Chris Lee (personal communications, February 15, 2007), the administrator of the Georgia Institute of Technology Honeynet Research Project, there are many variations of the Honeypot application. Honeypots at Georgia Institute of Technology are purposely being deployed as high-interaction and low-interaction (nepenthes) systems, for WiFi, as virtual systems in VMware, as VPN-bridged ethernets to form large Honeynets, and as Honeymoles, which redirect traffic to remote network locations. The significance of this approach is that attackers are constantly being tracked and monitored to identify the extent of their capabilities for analysis and documentation.

Some scholars have focused their efforts on attempting to create visual representations of identified attacks so that, through simple observation, a user can immediately respond [11]. Through tracking and observing tagged session flows, a visual representation of any perceived attack can be seen (figure 6). Attack detection is, therefore, not dependent upon signature or anomaly based applications to alert the user. One of the major problems that system administrators experience is determining whether an attack is occurring in real time. Typically system administrators spend valuable time sifting through superfluous data before deciding on a course of action to counter an attack. With a visual representation of suspicious, qualifiable patterns, administrators gain more insight into how to initiate an immediate response to an attack [13]. Therefore, we have moved beyond the basic signature or anomaly based detection methods with preprogrammed responses often seen in most IDS or IPS applications to a more intuitive human sensory approach that can clearly identify and distinguish traffic patterns quickly and respond accordingly. Visualization of attack patterns gives the system administrator for a network another definitive tool showing what is actually happening on the network in real time [18]. The application of visual representation of network traffic is becoming a dominant trend in the war to combat Internet crime.

Figure 6: Impromptu Client with Activity Wear, User Characterization, and Media Characterization [11]
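As an added illustration (not code from the paper, nor from the FlowTag or Impromptu projects it cites), the following Python renders constructed session-flow records as a per-host activity grid annotated with analyst-defined tags, so that a one-second burst of port fan-out stands out to the eye rather than through a signature; the flow records, the tag rules and the COMMON_PORTS baseline are all assumptions made for this example.

```python
# Added example, not code from the paper: tagged session flows rendered as an
# ASCII activity grid, in the spirit of the FlowTag-style approach described.
from collections import defaultdict

# Constructed flows (not captured traffic): (second, source host, dst port, bytes)
FLOWS = [
    (0, "10.0.0.5", 80, 4200), (1, "10.0.0.5", 443, 3100), (3, "10.0.0.5", 80, 5100),
    (2, "10.0.0.7", 25, 900), (5, "10.0.0.7", 53, 120),
    # one host touching six ports within the same second: scan-like fan-out
    (4, "10.0.0.9", 21, 60), (4, "10.0.0.9", 22, 60), (4, "10.0.0.9", 23, 60),
    (4, "10.0.0.9", 80, 60), (4, "10.0.0.9", 135, 60), (4, "10.0.0.9", 445, 60),
]
COMMON_PORTS = {25, 53, 80, 443}  # assumed baseline for this example only

def tag_flow(port, nbytes):
    """Hypothetical analyst rules that attach descriptive tags to one flow."""
    return ({"tiny"} if nbytes < 100 else set()) | (
        {"unusual-port"} if port not in COMMON_PORTS else set())

def host_tags(flows):
    """Union of tags per source host, used to annotate that host's row."""
    tags = defaultdict(set)
    for _, src, port, nbytes in flows:
        tags[src] |= tag_flow(port, nbytes)
    return {src: sorted(t) for src, t in tags.items()}

def activity_grid(flows):
    """(source host, second) -> set of distinct destination ports touched."""
    grid = defaultdict(set)
    for sec, src, port, _ in flows:
        grid[(src, sec)].add(port)
    return grid

def render(flows, width=8):
    """One row per host, one column per second: '.' = idle, digit = distinct
    ports touched, '#' = five or more; a '#' cell reads as a scan at a glance."""
    grid, tags = activity_grid(flows), host_tags(flows)
    rows = []
    for host in sorted({src for _, src, _, _ in flows}):
        counts = [len(grid.get((host, s), ())) for s in range(width)]
        cells = "".join("." if n == 0 else "#" if n >= 5 else str(n) for n in counts)
        rows.append(f"{host:<12} {cells}  {','.join(tags[host])}")
    return rows

def suspicious_hosts(flows, threshold=5):
    """Hosts whose port fan-out within a single second reaches the threshold."""
    grid = activity_grid(flows)
    return sorted({src for (src, _), ports in grid.items() if len(ports) >= threshold})
```

Printing the rows returned by render(FLOWS) shows the scanning host as a single "#" column while the other hosts show scattered single digits.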

5. CONCLUSION AND FUTURE WORK

The general motivation and methods of common information technology exploits have not changed in the past five years. Instead, the methods have become more technically elite and challenging to identify. Clearly, various organizations are voicing concern over the influence and capability of Botnets and Puppetnets and the elements of organized crime propagating their use. New technical innovations provide many opportunities for the reworking of older, known hacker exploits with a new medium for transmission. Though there are new methods, they are often nothing more than variations of past exploits. Social engineering, viruses, Trojans, DDoS, and worms can be repackaged in many different ways. The social mindset and orientation of the attacker and the typical strategic approach of their attacks have remained the same [29]. Our response today must have the same level of sophistication as the new innovations that hackers are implementing. We need to educate Internet users about the hackers' exploits and current trends. We also need to track and monitor the exploits being employed in order to anticipate future attack strategies, with a graduated level of hacker enticement and containment through methods such as those seen in Blackhole and Honeynet applications. There are many new strategic methods and tools that can be deployed to identify and anticipate an attack. Extensive research should be devoted to visualization techniques. More practical tools should be explored to empower the common Internet user. The Internet today is faster, more information enriched, and sadly, unsafe from malicious exploitation of the ordinary user.

6. REFERENCES

[1] Cheriton, D. R., & Faria, D. B. (2006, September). Detecting identity-based attacks in wireless networks using signalprints. Proceedings of the 5th ACM Workshop on Wireless Security (WiSe '06), ACM Press, 43-52.

[2] Cooke, E., Bailey, M., Mao, Z. M., McPherson, D., Watson, D., & Jahanian, F. (2004, October 29). Toward understanding distributed blackhole placement. WORM '04, ACM Press, 54-64.

[3] Cox, M. (2007, February). Top ten trends among SMBs. eChannelLine Daily News. Retrieved February 15, 2007, from http://www.connectitnews.com/usa/story.cfm?item=437.

[4] Criminals increasingly turn to zombie PCs: Microsoft fears the rise of the Botnet. (2006, December 27). Techworld Kavanagh Report. Retrieved January 25, 2007, from http://www.techworld.com/news/index.cfm?newsID=7674.

[5] De Guzman, M.-L. (2005, June 20). Banks to spend more on IT security, survey says; privacy regulations and other compliance issues are behind the spending uptick. IDG News Service. Retrieved January 25, 2007, from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=102642.

[6] Dunn, J. E. (2007, January 24). Microsoft holds Botnet summit: Secret squirrels mull security threats. Techworld Kavanagh Report. Retrieved January 25, 2007, from http://www.techworld.com/news/index.cfm?newsID=7835.

[7] Gaudin, S. (2007, February 6). CDC plagued by virus of a different strain. Information Week. Retrieved February 16, 2007, from http://www.informationweek.com/news/showArticle.jhtml?articleID=197003756.

[8] Gibson, S. (2005, August). Spyware was inevitable. Communications of the ACM, 48(8).

[9] Keizer, G. (2003). Gartner outlines top enterprise security threats for 2003. Retrieved January 25, 2007, from http://www.techweb.com/wire/26800849.

[10] IT security reboot 2006: The year's top news. (2006, December 14). Retrieved January 25, 2007, from http://www.scmagazine.com/us/news/article/610018/it-security-reboot-2006-years-top-news/.

[11] Rode, J., Johansson, C., DiGioia, P., Silva Filho, R., Nies, K., Nguyen, D. H., Ren, J., Dourish, P., & Redmiles, D. (2006, July). Seeing further: Extending visualization as a basis for usable security. SOUPS 2005, July 12-14, 2006, Pittsburgh, PA, USA, 145-155.

[12] Lam, V. T., Antonatos, S., Akritidis, P., & Anagnostakis, K. G. (2006, October). Puppetnets: Misusing web browsers as a distributed attack infrastructure. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), ACM Press, 221-234.

[13] Lee, C. P., & Copeland, J. A. (2006, November). FlowTag: A collaborative attack analysis, reporting, and sharing tool for security researchers. Proceedings of the 3rd International Workshop on Visualization for Computer Security (VizSEC '06), ACM Press, 103-107.

[14] Maguire, J. (2006, December 20). Top ten 2007 security problems: Predictions. Retrieved January 25, 2007, from http://www.esecurityplanet.com/article.php/11162_3650151_2.

[15] Moffie, M., Cheng, W., Kaeli, D., & Zhao, Q. (2006, October). Hunting Trojan horses. Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability (ASID '06), ACM Press, 12-17.

[16] Orgill, G. L., Romney, G. W., Bailey, M. G., & Orgill, P. M. (2004, October). The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems. Proceedings of the 5th Conference on Information Technology Education (CITC5 '04), ACM Press, 177-181.

[17] Reavis, J. (2007, January 17). Ready or not, here comes 2007! Retrieved January 25, 2007, from http://www.riskbloggers.com/jimreavis/2007/01/ready-or-not-here-comes-2007/.

[18] Rode, J., Johansson, C., DiGioia, P., Filho, R. S., Nies, K., Nguyen, D. H., Ren, J., Dourish, P., & Redmiles, D. (2005, July 12-14). Seeing further: Extended visualization as a basis for usable security. Symposium on Usable Privacy and Security (SOUPS), 145-155.

[19] Sadasivam, K., Samudrala, B., & Yang, T. A. (2005, April). Design of network security projects using honeypots. Journal of Computing Sciences in Colleges, 20(4), 282-293.

[20] SANS top-20 Internet security attack targets (2006 annual update), version 7. (2006, November 15). Retrieved January 25, 2007, from http://www.sans.org/top20/2006/.

[21] Schneier, B. (2005, June). Attack trends 2004 and 2005. Queue, 3(5).

[22] Security issues are eroding trust in online banking, survey shows. (2007, January 29). Retrieved January 30, 2007, from http://www.digitaltransactions.net/newsstory.cfm?newsid=1232.

[23] Swami, Y. P., & Tschofenig, H. (2006). Protecting mobile devices from TCP flooding attacks. ACM Press, 63-68.

[24] Tupakula, U. K., & Varadharajan, V. (2006). Analysis of traceback techniques. Conferences in Research and Practice in Information Technology (CRPIT), Volume 54.

[25] The top 10 most critical Internet security threats (2000-2001 archive), version 1.33. (2001, June 25). Retrieved January 25, 2007, from http://www.sans.org/top20/2000/.

[26] Threat analyses: These analyses describe some of the more common or interesting threats and applications. They only cover a small proportion of the viruses, spyware, Trojans, worms, adware and PUAs detected by our products. (2006). [Podcast, sophos-podcast-011]. Retrieved January 25, 2007, from www.sophos.com/podcasts.

[27] Treese, W. (2004, September). The state of security on the Internet: Putting it together. netWorker, 8(3).

[28] Van der Merwe, A., Loock, M., & Dabrowski, M. (2005, January). Characteristics and responsibilities involved in a phishing attack. Proceedings of the 4th International Symposium on Information and Communication Technologies (WISICT '05), Trinity College Dublin, 249-254.

[29] Zhang, L. (2003, September). Why do people attack information? And what will be the trend in the future? Department of Computer Science, University of Helsinki, Finland, 1-5. Retrieved January 25, 2007, from http://www.cs.helsinki.fi/u/lamsal/teaching/autumn2003/student_final/lili_zhang.pdf.
