Security Watch: Don't get burned by viruses and hackers
Botconomics, part II
By Robert Vamosi 
Senior editor, CNET Reviews
July 06, 2007

Back in October 2005 there was a minor outbreak of the SDbot worm. Like the Mocbot worm a month before, SDbot took advantage of an already patched flaw in the Windows Server Service, so only machines that had not applied the fix were hit, and it dropped a variety of files, including a rootkit. Typical. Shortly afterward, however, Chris Boyd, director of malware research at Facetime Security Labs, spent some time analyzing the worm and, after some work, discovered exactly who was using this rootkit and what they were using it for. It wasn't your garden-variety spam or denial-of-service attacks, either.

Last week I talked about the underground economics behind botnets and the technical barriers to entry for those who simply want to make big money. This week I want to talk about what people are doing with botnets beyond relaying spam or attacking other sites and whether or not we can take away the financial incentives that lead people to build botnets in the first place.

Botnet 101
To recap, a botnet is a collection of remotely controlled compromised PCs. When someone downloads a remote-access Trojan horse onto their desktop or laptop PC, usually running Windows, the computer is said to be compromised. The code then sends back a little "I'm here" message, and the compromised computer's address is stored in a list. A bot-herder is one who manages the list and uses either Internet Relay Chat (IRC) or peer-to-peer (P2P) to communicate with zombie computers in his botnet.
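The "I'm here" check-in described above is the part of a botnet a network defender can actually see from the outside: each zombie reconnects to the same herder's IRC server on a schedule, and many internal hosts converge on one external host and port. The Python below is an added example, not code from this article or from Facetime's research. It scores outbound flow records for that shape. Everything in it is constructed for illustration: the flow lines, the addresses (RFC 5737 documentation ranges), the port list, and the thresholds.

```python
"""
Added example (not from the CNET article or FaceTime's research): flag
internal hosts whose outbound connections look like IRC bot check-ins.

Assumptions, all constructed for this example:
  * Input is a list of flow records "timestamp src_ip dst_ip dst_port",
    one per line, as a firewall or NetFlow exporter might produce.
  * A bot's check-in is modelled as repeated connections from one internal
    host to one external host:port at a steady interval (low jitter).
  * A herder's server is modelled as one external host:port that several
    such beaconing hosts all talk to.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Common IRC ports; an assumption used only as a hint, bots often use others.
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}

# Constructed sample: three zombies checking in every five minutes,
# one human IRC user with irregular sessions, and some ordinary web traffic.
SAMPLE_FLOWS = """\
2007-07-06T10:00:00 10.0.0.5 203.0.113.7 6667
2007-07-06T10:05:01 10.0.0.5 203.0.113.7 6667
2007-07-06T10:10:00 10.0.0.5 203.0.113.7 6667
2007-07-06T10:15:02 10.0.0.5 203.0.113.7 6667
2007-07-06T10:00:30 10.0.0.9 203.0.113.7 6667
2007-07-06T10:05:30 10.0.0.9 203.0.113.7 6667
2007-07-06T10:10:31 10.0.0.9 203.0.113.7 6667
2007-07-06T10:15:29 10.0.0.9 203.0.113.7 6667
2007-07-06T10:01:00 10.0.0.12 203.0.113.7 6667
2007-07-06T10:06:00 10.0.0.12 203.0.113.7 6667
2007-07-06T10:11:01 10.0.0.12 203.0.113.7 6667
2007-07-06T10:16:00 10.0.0.12 203.0.113.7 6667
2007-07-06T10:02:17 10.0.0.20 198.51.100.3 6667
2007-07-06T10:47:05 10.0.0.20 198.51.100.3 6667
2007-07-06T13:12:44 10.0.0.20 198.51.100.3 6667
2007-07-06T10:03:00 10.0.0.5 192.0.2.10 80
2007-07-06T10:03:20 10.0.0.5 192.0.2.10 80
2007-07-06T10:03:21 10.0.0.5 192.0.2.10 80
"""


def parse_flows(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive connections.
    Near 0 means a metronome-like check-in; None if there are too few samples."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return pstdev(gaps) / m


def find_beacons(flows, min_conns=3, max_cv=0.1):
    """Map each (dst, port) to the internal hosts that connect to it at a steady interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = defaultdict(list)
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        cv = interval_cv(stamps)
        if cv is not None and cv <= max_cv:
            beacons[(dst, port)].append(src)
    return {k: sorted(v) for k, v in beacons.items()}


def find_c2_servers(flows, min_hosts=3, **kw):
    """(dst, port) pairs that several distinct internal hosts beacon to:
    the shape of one herder's IRC server with its zombies checking in."""
    beacons = find_beacons(flows, **kw)
    return sorted(k for k, hosts in beacons.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (dst, port), hosts in find_beacons(flows).items():
        tag = "irc-port" if port in IRC_PORTS else "other-port"
        print(f"{dst}:{port} ({tag}) beaconed to by {', '.join(hosts)}")
    print("likely C2:", find_c2_servers(flows))
```

Two caveats a practitioner would add. Bots that randomize their check-in interval push the coefficient of variation above the threshold, so jitter-aware variants (binning intervals, or scoring the fraction of gaps near the median) are needed against anything more careful than the 2005-era samples. And the "many hosts, one server" heuristic assumes a central IRC server; once a herder moves to peer-to-peer control, as the paragraph above notes some do, there is no single destination to converge on and this particular test says nothing.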

Usually the tasks asked of a zombie computer involve making money. Botnets have been used to flood a single target with requests, effectively shutting it down in what's called a distributed-denial-of-service (DDoS) attack, until the site pays "protection" money. Jeanson James Ancheta, a 20-year-old Southern Californian, pleaded guilty to four felony charges of computer abuse, specifically for using his botnet for click fraud against pay-for-cash Web sites. More common still is renting all or part of a botnet for use as spam relays. However, Facetime's Boyd, while studying SDbot, came away with a more extreme example of what a botnet can be used for.

The Q8 Army botnet
"We don't know what these guys were actually up to," said Boyd. "We chased them through a whole network of these Web sites to the final destination, if you like, which was the official Q8 Army site (now down)." In monitoring the servers, Boyd discovered that affiliates in several Middle Eastern countries were using IRC servers to communicate with the SDbot rootkit and to push programs capable of stealing personal information onto the infected machines. Identity theft is also typical of botnets.

However, the people behind the Q8 Army site were getting creative. "They were also pushing radical, sort of, ideological messages and statements onto other Web sites," said Boyd, who said the messages echoed September 11-style rhetoric. More disturbing, "they were using various files to steal credit card details, then they were using these credit cards to purchase old satellite equipment, old PCs, things like that." As Boyd told a standing-room-only crowd at this year's RSA Conference, "the important thing to remember is, it's not Bin Laden sitting in a cave buying 50 Scud missiles on eBay."

One big experiment
In retrospect, the Q8 Army botnet, which used a "whole pile of installs over a number of different months," appears to have been a grand experiment. Through 2005 and 2006 as Boyd continued to monitor these installs and report his findings to law enforcement, he saw the servers push adware, spyware, Trojans, and rootkits. That was expected. "But they were also performing, incredibly, all these sort of elaborate experiments behind the scenes which, unless you were monitoring these fellas, you likely would not have known this was taking place."

What Boyd discovered was a toolbar on the Q8 Army site (now taken down) that included a modified IRC chat client. The dropdown IRC toolbar let a user do "all kinds of weird and wonderful things, and not in a good way." Boyd said he found the standard denial-of-service tools, code designed to knock IRC channels offline on the fly, and the requisite links to initiate spam and phishing. Then he found something else.

Stealing motion pictures, too
Boyd said one version of the Q8 Army toolbar included a specially branded BitTorrent client. The operators could install the Q8 Army BitTorrent client on compromised PCs without permission, then push pirated motion picture files onto those infected PCs. By watching the traffic over a few months, Boyd saw a couple of thousand compromised PCs used to store pirated movies. Then, suddenly, it all stopped, and the toolbar never offered that feature again.

"We don't know if it was a trial run for a bigger, better plan down the line, or if (the BitTorrent tools) were there because they could (do that)." Perhaps the Q8 Army folks had a paying client who wanted to see this functionality in action. You can hear my full interview with Chris Boyd in this Security Bites podcast.

Taking the incentives away
Given that money is perhaps the single force driving the growth in botnets, I asked Dr. Jose Nazario, a senior security researcher at Arbor Networks, if there was any way to take away the financial incentives. He wasn't optimistic.

"There are so many ways to monetize a bot, a network of bots--spam, phishing, illegal file hosting, DDoS attacks for pay--that you have to solve a lot of economic incentives to make this problem, this pressure on a problem, go away," he said.

He cited spam as one example and pointed to the intense pressure on spammers today from groups such as Spamhaus.org and others that attempt to identify and shut down known spammers worldwide. But for every success, the spammers have shown great resilience and have continued to evolve. "The arms race is essentially very high in that area," said Nazario. Not even legislation such as the CAN-SPAM Act has produced much effect.

The future
Given that spam remains such a lucrative business, even today, Nazario said, "We have a ways to go for all these other problems, including credit card fraud, phishing, identity theft, all these other things."

Are we stuck with botnets? Is there any way to take the money out of them? TalkBack to me.

TalkBack
16 messages

Article discussion: Botconomics, part II


Latest post:

"Solutions to Botconomics"
by berardo - July 10, 2007 3:48 PM PDT

I resent the idea that I have to manage my system to keep out or kick out intruders. We need to rethink the whole system maintenance paradigm.... (Read more).

Stopping botconomics???

Public executions work for me, when you consider all the trouble they can cause. (Read more)
by larry123 - July 10, 2007 2:00 PM PDT

Are we stuck with botnets? Are you kidding?

Are we stuck with botnets? Is there any way we take the money out of them? TalkB... (Read more)
by onlyauser - July 10, 2007 1:19 PM PDT
0 out of 5 users found this comment helpful | 2 comments

Undermining the Economics of Botnets

The 2007 MIT Spam conference had a speaker (Ken Simpson from MailChannels) who t... (Read more)
by hdrugge - July 10, 2007 12:00 PM PDT
5 out of 5 users found this comment helpful

Follow the money

...if governments were WILLING, a lot could be done. For instance, put the old s... (Read more)
by arjentje - July 10, 2007 8:01 AM PDT

We need hackers

Any form of governing body requires criminals. All those who cry and whine about... (Read more)
by pimpaListicafiedaciousnes - July 10, 2007 7:12 AM PDT
10 out of 15 users found this comment helpful | 2 comments

How can law enforcement catch the criminals?

One very big problem is how to identify and catch the botnet operators, and how ... (Read more)
by hadaso - July 9, 2007 10:34 AM PDT

Botconomics, part II

There is no one super software that can do everything it takes
a few working... (Read more)
by wallinger1 - July 9, 2007 10:27 AM PDT
0 out of 5 users found this comment helpful

Can we stop botnets?

I truly believe that the only way to stop botnets is for OS companies to be more... (Read more)
by SherlockHo9 - July 9, 2007 6:45 AM PDT

Solution to Botconomics, part II

The answer in short is to make it a capital offense. The world would be better ... (Read more)
by peeskieeskie - July 9, 2007 5:53 AM PDT
5 out of 5 users found this comment helpful | 1 comment


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use