Botnets: Bigger isn't always better

Rootkit and botnet developers are fighting back. It seems that every advance made by security researchers is countered with new and more sophisticated malware. Just what are these new advances and what can the rest of us expect?

Last August in my article "Storm Worm: The Energizer Bunny of Botnets," I mentioned that Storm was making a resurgence as the largest botnet creator in history. Yet for the past few months, Storm's botnet has been eerily quiet. You may remember the e-mail spam message falsely announcing the start of "World War Three" back in July. That was the last major spam campaign propagated by Storm's botnet.

Where's the Storm?

Kelly Jackson Higgins raised some compelling reasons why Storm isn't having much impact in the article "Storm May Finally Be Over":

"Storm is now about ten times smaller than it was nearly 10 months ago, according to Damballa's estimates. The botnet began a gradual decline in size after Microsoft's Malicious Software Removal Tool began detecting and cleaning it up late last year."

Another theory in the article mentions that security researchers may have been able to infiltrate the Storm botnet and neutralize it:

"It's very possible someone might be interfering with Storm," Joel Stewart, Director of Malware Research for SecureWorks, mentioned. "At RSA (Conference), I showed the RSA key that's used for Storm controllers to authenticate themselves to the bots. If you can reverse-engineer that key, then you can become the controller and take over any number of bots."

I found the article interesting as it points to Storm's size and scope as being its downfall. The botnet's inactivity is certainly welcome news. I'm somewhat cynical though, as I personally haven't seen any reduction in the amount of spam. In fact, I'm of the opinion that the amount is increasing. Why is that? I have the nagging suspicion that botnet creators are keeping well ahead of the learning curve by using new and less obvious tactics.

Next generation of botnets

Paul Royal, Director of Research for Damballa, points out one of the new tactics being used:

"Rather than the Swiss army knife approach that Storm took, more botnets will instead be smaller and created for specific purposes. One http-based botnet Damballa has been watching, for instance, has a single mission: to collect email addresses from the machines it infects."

HTTP-based botnets are difficult to trace, as they use port 80, and we all know how much Internet traffic is flowing over that port. Kelly Jackson Higgins has another interesting article, "Botnets Don Invisibility Cloaks," that discusses this very subject. The article is almost a year old but more relevant than ever.

Another new trend in botnets is peer-to-peer command and control. It's considered more difficult to detect than HTTP-based command and control traffic, as explained in Higgins's article:

"Peer-to-peer is difficult because it's not a centralized network, each bot can send commands on its own. That's more distributed, making it difficult to isolate the actual bots, where they are, and where the commands originated from."

Georgia Tech Information Security Center's recent summit

TechRepublic's Paul Mah, in his latest Security News Roundup, made mention of Georgia Tech's Information Security Center (GTISC) and their annual security summit. A great deal of pertinent information about botnets came from the recent summit. For example, in the 2009 report (pdf), Wenke Lee, associate professor at GTISC, corroborates what Paul Royal mentioned about HTTP-based botnets:

"A bot actually remains on the machine, maintains a command and control mechanism to enable communication with the bot master, and can update itself based on those communications. The updates enable new bot communication and malicious capabilities, and are often used to avoid detection.

Bot communications are designed to look like normal (Web) traffic using accepted ports, so even firewalls and intrusion prevention systems have a hard time isolating bot messages. It's very difficult to filter bot traffic at the network edge since it uses http and every enterprise allows http traffic."
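Since port and protocol cannot separate bot check-ins from ordinary browsing, defenders usually fall back on behaviour. The following is an added example, not taken from the article or the GTISC report: it flags client/host pairs in a web proxy log whose requests arrive at near-constant intervals, a common heuristic for automated check-ins. The log format, hostnames, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (timestamp, client IP, requested host); values are made up.
SAMPLE_LOG = """\
2008-10-20T09:00:00 10.0.0.5 updates.example.net
2008-10-20T09:00:07 10.0.0.8 news.example.com
2008-10-20T09:00:09 10.0.0.8 news.example.com
2008-10-20T09:03:40 10.0.0.8 news.example.com
2008-10-20T09:04:10 10.0.0.8 news.example.com
2008-10-20T09:05:02 10.0.0.5 updates.example.net
2008-10-20T09:10:01 10.0.0.5 updates.example.net
2008-10-20T09:12:30 10.0.0.8 mail.example.org
2008-10-20T09:15:03 10.0.0.5 updates.example.net
2008-10-20T09:19:55 10.0.0.8 news.example.com
2008-10-20T09:20:00 10.0.0.5 updates.example.net
2008-10-20T09:25:01 10.0.0.5 updates.example.net
"""

def parse(log_text):
    """Yield (client, host, datetime) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        try:
            yield parts[1], parts[2], datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp

def find_periodic(log_text, min_requests=5, max_cv=0.1):
    """Return {(client, host): mean gap in seconds} for regular talkers.

    A pair is flagged when it has at least min_requests requests and the
    coefficient of variation (stdev / mean) of the gaps is <= max_cv.
    """
    seen = defaultdict(list)
    for client, host, when in parse(log_text):
        seen[(client, host)].append(when)
    flagged = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[pair] = round(avg, 1)
    return flagged
```

Legitimate pollers such as software updaters and webmail refreshes match the same pattern, so flagged pairs are leads for review rather than verdicts.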

Not just smaller, but sneakier

So far I've tried to point out that botnets are smaller, more sophisticated, and single-purposed. I'd be remiss if I didn't mention the fourth area of improvement, which is how the bot gets on the unsuspecting user's computer. Once again, Professor Lee of GTISC explains how this is easier than ever:

  • Infection can occur even through legitimate Web sites.
  • Bot exploits/malware delivery mechanisms are gaining sophistication and better obfuscation techniques.
  • Users do not have to do anything to become infected; simply rendering a Web page can launch a botnet exploit.

Final thoughts

Every article that I read about botnets mentions that this problem is here for the long haul, stating simple economics as the reason. Botnets are big business, making people a great deal of money, and as long as that's the case botnets aren't going away.

I sense the frustration, as there's precious little we the users can do. I wrote my last article, "Spam Relay: Up Close and Personal," as a vivid personal reminder for me. As I was writing this article, I realized that many of you must have similar experiences, which got me thinking (in trouble now) that we should gather all that hard-earned information in one place and share it. What do you think?

