Botnets: A Global Pandemic
Below is another excerpt that got cut from my Post magazine story on botmasters and their contribution to the growing adware and spyware problem.
Some information security experts say the mainstream Internet security companies have inadvertently yet drastically understated the seriousness and threat posed by the global bot epidemic.
"So far, information security companies and researchers have focused on discrete infections: a particular virus or worm, or the outbreak-of-the-week," said David Dagon, a Ph.D. student at Georgia Tech who is working with researchers at the Honeynet Alliance, an international volunteer group whose members are conducting some of the most detailed research into the modern botnet craze.
Dagon says combating the worm du jour is necessary in the short term, but that many of the Internet's most pressing security problems -- from spam to online financial scams to distributed denial-of-service attacks -- have a root cause in botnets.
"We should pursue a root-cause solution, instead of treating the latest symptom," Dagon said.
In its latest annual Internet threat report, Cupertino, Calif.-based security giant Symantec Corp. reported that the average botnet size was around 10,500 machines.
But Dagon's estimates are far higher. In the 13-month period ending in January, Dagon tracked more than 13.1 million distinct bots on the global Internet. He said Symantec's numbers are a fair estimate of the botnets controlled via Internet relay chat (IRC), a form of online communications that predates modern instant-messaging systems.
However, there are practical limits to the size of IRC-based botnets, and some of the bigger IRC channels have cracked down big time. This has spawned a different class of botmasters who instead use Web sites to control their herds.
"I focus on this class, since it represents the best-of-breed botnet. Here, my data through [January] 2006 shows 36,800 members on average," Dagon said.
But controlling the activities of tens of thousands of hacked PCs can take an enormous amount of computer processing power and Internet-access bandwidth. As such, botmasters have adapted their command-and-control networks to accommodate much larger botnets.
One popular way to control large numbers of compromised machines is through delegation. For example, if a botmaster has compromised 100,000 PCs, but only has the capacity or bandwidth to control 10 percent of those computers, the attacker can organize the victim PCs into hundreds of much smaller groups, with a "lieutenant" bot in each group that orchestrates connections and communications between other members of the platoon and the bot herder's main channel.
In such a scenario, the individual bots are democratic. Should a lieutenant suddenly be unplugged from the Web or discovered and cleaned up by a security professional, the remaining bots in the platoon are programmed to hold a virtual "election" to see which computers should replace it. In most cases, the PC with the fastest and/or most reliable Internet connection becomes the new lieutenant.
There is one factor in controlling vast numbers of bots that can mask the true size of any given botnet, Dagon said. To reduce the load that a massive botnet would place on a command-and-control network, many bots are configured to remain mostly disconnected from the herd, "phoning home" periodically to check for updates or new instructions.
The downside to this setup -- from the botmaster's standpoint -- is that only a fraction of the herd is connected at any given time, meaning new instructions may not reach the entire network for several hours.
Earlier this year, Dagon and others tracked a botnet of more than 350,000 compromised PCs scattered throughout dozens of countries on five continents. But due to individual bots being turned on and off in the normal course of daily life by their unsuspecting users, only about 120,000 connections were visible.
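The two measurement effects described above, a snapshot of live connections understating the population because bots only phone home periodically, and new instructions taking hours to reach every member, can be reproduced with a small deterministic model. The following is an added illustration written for this page, not code from the article or from Dagon's research; the fleet size, check-in period and power-on hours are constructed values chosen so the arithmetic is easy to follow, not measurements.

```python
"""Added example (not from the original post): a deterministic model of a
polling ("phone home") botnet, showing why counting connected bots at one
instant understates the population, and how long an instruction posted on
the controller takes to reach every member. Every fleet parameter here is
constructed for the illustration, not a measured value."""
from dataclasses import dataclass
from typing import List, Optional

MINUTES_PER_DAY = 1440


@dataclass(frozen=True)
class Bot:
    bot_id: int
    period: int        # minutes between check-ins with the controller
    offset: int        # phase of this bot's check-in schedule (0 <= offset < period)
    online_from: int   # minute of day the victim PC is switched on (inclusive)
    online_to: int     # minute of day it is switched off (exclusive)

    def is_online(self, t: int) -> bool:
        return self.online_from <= t % MINUTES_PER_DAY < self.online_to

    def is_checking_in(self, t: int, dwell: int = 1) -> bool:
        # Visible as a live connection if the PC is powered on and minute t
        # falls within `dwell` minutes of the start of a periodic check-in.
        return self.is_online(t) and (t - self.offset) % self.period < dwell


def make_fleet(n: int = 600, period: int = 60) -> List[Bot]:
    """Constructed fleet: even ids are always-on machines, odd ids are
    office PCs that are only powered on from 09:00 to 17:00. Check-in
    phases are spread evenly over the period."""
    fleet = []
    for i in range(n):
        if i % 2 == 0:
            fleet.append(Bot(i, period, i % period, 0, MINUTES_PER_DAY))
        else:
            fleet.append(Bot(i, period, i % period, 9 * 60, 17 * 60))
    return fleet


def snapshot(bots: List[Bot], t: int, dwell: int = 1) -> int:
    """What a defender sees by counting live controller connections at minute t."""
    return sum(1 for b in bots if b.is_checking_in(t, dwell))


def distinct_over(bots: List[Bot], start: int, end: int, dwell: int = 1) -> int:
    """Distinct bot ids that connected at least once during [start, end);
    the longer the window, the closer this gets to the true population."""
    seen = set()
    for t in range(start, end):
        seen.update(b.bot_id for b in bots if b.is_checking_in(t, dwell))
    return len(seen)


def time_to_reach_all(bots: List[Bot], t0: int, horizon: int = MINUTES_PER_DAY) -> Optional[int]:
    """Minute at which the last bot first polls after an instruction is
    posted at t0, or None if some bot never polls within the horizon."""
    latest = t0
    for b in bots:
        first = next((t for t in range(t0, t0 + horizon) if b.is_checking_in(t)), None)
        if first is None:
            return None
        latest = max(latest, first)
    return latest


def naive_extrapolation(snapshot_count: int, period: int, dwell: int = 1) -> int:
    """Scale a snapshot up to a population by assuming every bot is powered
    on and phases are uniform. Swings wildly with the minute chosen."""
    return snapshot_count * period // dwell


if __name__ == "__main__":
    fleet = make_fleet()
    print("true population:", len(fleet))
    print("distinct ids seen over one day:", distinct_over(fleet, 0, MINUTES_PER_DAY))
    print("peak concurrent connections in a day:",
          max(snapshot(fleet, t) for t in range(MINUTES_PER_DAY)))
    for t in (0, 1, 541):
        print(f"snapshot at minute {t}: {snapshot(fleet, t)} live, "
              f"naive extrapolation {naive_extrapolation(snapshot(fleet, t), 60)}")
    print("minutes until every bot has polled an instruction posted at midnight:",
          time_to_reach_all(fleet, 0))
```

In this constructed fleet at most 10 of 600 bots are connected in any given minute, a one-day window of distinct ids recovers the full 600, and an instruction posted at midnight is not seen by the last office PC until minute 599, nearly ten hours later. The practical lesson for anyone sizing a botnet from sinkhole or netflow data is to count distinct identifiers over a window at least as long as the check-in period and the longest power-off gap, rather than extrapolating from concurrent connections.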
Dagon and his team are currently at work on compiling a family tree of bots based on their code origin, since so many bot designers borrow programming instructions from one another. Some bots even come with their own "open source code license" that exhorts contributors to freely share their innovations.
"Although there are hundreds of bots in the zoo, there's a lot of inbreeding," Dagon said. "And unlike nature, this creates healthier offspring."
So far, it's proving to be a full-time job just keeping up with the new variants. Good botmasters are constantly updating the code they use to infect and control PCs, if for no other reason than to tweak it so that it can slip past the new virus signatures shipped out daily to security-software customers. Dagon said it is not uncommon to see a single botnet updated four to five times a day.
"Frequent updates are common in the pedigree line of botnets" that are not controlled via IRC, Dagon said. "The botmasters know that the feed and caring of their zombies requires continued reinfection."