[ISN] Researchers: Botnets Getting Beefier

From: InfoSec News (alerts@private)
Date: Wed Apr 18 2007 - 02:12:33 PDT


http://www.eweek.com/article2/0,1895,2114741,00.asp

By Lisa Vaas
April 16, 2007

Think botnets are bad now? We ain't seen nothin' yet.

A select group of some 40 security researchers gathered on April 10 in 
the first Usenix event devoted to these networks of infected machines. 
The invitation-only event, called HotBots, was held in Cambridge, Mass.

At the event, researchers warned that botnetswhich can contain tens or 
even hundreds of thousands of zombie PCs that have been taken over for 
use in spamming and thievery of financial and identity-related dataare 
on the brink of a technological leap to more resilient architectures and 
more sophisticated encryption that will make it that much harder to 
track, monitor and disable them.

Specifically, security researchers have spotted the early development 
stages of resilient botnets that have included peer-to-peer 
architectures. Botnets have traditionally been organized in a 
hierarchical structure, with one central command-and-control location. 
This centralization has been a blessing to researchers, as it gives them 
a single point of failure on which to focus.

With a P2P botnet, however, there is no centralized point for command 
and control. Each node in the network acts as both client and server, 
eliminating the central chokepoint. Individual nodes can be knocked 
offline, but the gaps in the network will be closed without the loss 
affecting the botnet's operation or the attacker's control.

"P2P networks [are] the biggest challenge we're facing," Dr. Jose 
Nazario, senior security engineer for Arbor Networks, headquartered in 
Lexington, Mass., said in an interview with eWEEK. "Bad guys know this. 
[P2P botnets are hard to take down] for the same reasons that media 
companies have trouble shutting down P2P networks."

Not that P2P botnets are all that new. In a paper presented at HotBots 
titled "Peer-to-Peer Botnets: Overview and Case Study," Julian B. 
Grizzard, David Dagon, Vikram Sharma, Chris Nunnery and Brent ByungHoon 
Kang gave a timeline that shows the rise of malicious bots beginning at 
least as far back as 1998, with the release of GTBot Variants, an IRC 
(Internet Relay Chat) bot based on mIRC executables and scripts. A 
recent example of a P2P botnet was the Storm worm, also called the 
Peacomm Trojan. The Storm worm initially wreaked havoc via spam e-mail 
in January and then in February spawned a variant that used instant 
messaging platforms to spread.

Researchers the week of April 9 noted the return of the Storm worm, as 
more than 2 million spam e-mails arrived carrying the latest variant. 
Whereas the initial wave of spam used recent real or fake news headlines 
to convince users to execute malicious files, last week's Storm surge 
used e-mail subject lines claiming "Trojan Detected!" or "Worm Activity 
Detected!"

Although they are not new, P2P botnets have undergone recent 
breakthroughs in terms of design and modular code bases, the paper's 
authors argued, saying that one botnet in particularAgobotmarked a 
"turning point in which botnets have become a more significant threat."

"Peer-to-peer bots are now under widespread development," the authors 
wrote. "Some peer-to-peer bots have used existing peer-to-peer protocols 
while others have developed custom protocols. We predict that 
peer-to-peer botnets will mature to a level in which they might become 
more widespread than traditional decentralized C&C architectures."

Another problem in fighting botnets is that less savvy computers users 
can be oblivious to the need to update their anti-virus programs, 
Nazario said. "We see people with AV who don't update it or don't know 
it needs to be updated We see protection that's way out of date," he 
said.

What to do about these sophisticated botnets? Nazario said Arbor 
Networks now looks for known nodes on P2P networks. The security firm 
works with a number of partners, including anti-virus software vendors, 
to make sure it has updated code for detecting bots on machines. Arbor 
also works with Internet operators to shut down access to command 
servers in traditional command-and-control botnets. "If we can shut down 
[a botnet], machines are still infected, but the damage is lessened 
greatly," Nazario said.

One of the most efficient ways for enterprises to address the bot 
problem is to blacklist malicious sites and hosts and block access to 
them. Still, working with anti-virus signatures is "an arms race," 
Nazario said. "It's always a day or so behind. These guys are 
incentivized with the money we're seeing" in the bot economyor what some 
are calling "botconomics," he saidand thus attackers are always one step 
ahead of their pursuers when it comes to technological advances and 
creating new bot networks.

Botnet watchers are also seeing a trend toward stronger encryption. 
Encryption is used by attackers to ensure that bots added to the network 
are in fact legitimate, as opposed to being nodes belonging to 
researchers working to infiltrate a botnet and block it or take it down.

The good news on that front is that, typically, attackers don't write 
very good encryption algorithms. "Breaking them is pretty trivial," 
Nazario said. "We're generally a smart bunch of people. We can break 
their home-brewed encryption pretty easily. The keys are exposed, so we 
can simply grab the keys and use existing encryptions and algorithms to 
take part in the network. It's easy as pie."


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Wed Apr 18 2007 - 02:23:49 PDT