In a recent post of mine, “Kraken: The biggest, baddest botnet yet,” there wasn’t much good news. In fact, reports describing the potential for harm and economic loss are downright scary. There maybe a glimmer of hope though. I just finished reading a Techworld article, “Researchers ‘poison’ Storm botnet” by Matthew Broersma and wanted to share that information with everyone.
It appears that the German researchers can actively engage botnets. Up until this report, most researchers trying this approach received major DDoS attacks from the botnets they were studying. In his piece, Mr. Broersma mentions:
By taking a more active approach, the researchers found a way to “poison” the communications of the Storm bots, effectively disrupting them.
“Our strategy can be used as a way to disable the communication within the Storm botnet to a large extent,” they wrote in the study. “As a side effect, we are able to estimate the size of the Storm botnet, in general a hard task.”
Previous research has been based on passive techniques such as observing network events such as the number of spam emails thought to have originated from a particular botnet, the researchers said.
They said the new study is the first to use active techniques, crawling the P2P network, keeping track of all peers and distinguishing infected peers from benign ones based on behaviour.
Crawling the “Stormnet” every 30 minutes from the beginning of December 2007 to the beginning of February 2008, the researchers found between 5,000 and 40,000 peers online at any given time, with a sharp increase in bots during the Christmas and New Years Eve periods.
The bots were located in more than 200 countries, with the biggest proportion in the US, at 23 percent.
I’ve read the researcher’s paper, “Measurement and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm” (pdf), and it’s much more interesting than the title. The paper gives a great explanation of botnets and is a must-read for anyone looking to understand how a peer-to-peer botnet works.