Botnets, networks of compromised computers, are here to stay. Sadly, the Storm worm (which I wrote about last week) is just one of many active botnets today. According to Dr. Jose Nazario of Arbor Networks, "We currently track about 1,800 live botnets a day. The bulk of those come up and go down within a day." As for how many machines are infected, he couldn't estimate. "It's fair to say (the number of infected machines is) in the millions, probably tens of millions that are active members of botnets of varying sizes--from a few hundred nodes of a botnet to tens of thousands of systems that are part of a botnet." While a majority of these are short-lived, lasting only a few hours, some continue for days and even weeks. The problem doesn't appear to be going away, and there are reasons why it probably won't any time soon. That said, is there any hope we might someday kill off botnets entirely? Dr. Nazario offers some perspective on that this week.
How big of a problem are botnets?
The number of reported botnets sometimes increases slowly, sometimes fast. Part of the problem is that even though a machine might be infected, it might not be an active part of a botnet; the command and control center might be down. All of this gives us reason to think the numbers are hard to estimate. "The bulk of the (botnets)…are killed within a day; even more in the course of a week." Nazario says his company has started to name the more prolific botnets among them.
Aside from Storm, Nazario says he has been tracking several Russian Distributed Denial of Service (DDoS) bot codes, and one of the larger botnets is called "Black Energy." "The author is a Russian language speaker who offers his help files and other things in the Russian language and sells it on the Russian language forums for anywhere from $40 on up. It's strictly a DDoS botnet." Two others, "TeamUSA" and "Peruvian Power," he said, have been long running and relatively successful in remaining active, although he admits that most people haven't heard of them.
Focused or general?
Black Energy is focused on DDoS attacks, but that's unusual. "For the most part, botnets are general purpose. The kinds of high-value infiltrations that we see appear to be more surreptitious, more lucky breaks. The botnets, just by nature, are very hard to direct too closely." More often they are used to spew spam out onto the Internet.
The same is true with the machines that are compromised. "You can, of course, focus on a specific subnet and network like that, but actively trying to keep it stealth, moving into an enterprise or government organization can be tough. However we do find botnets coming outside those networks by their activity." Nazario says the ability to target specific organizations is overrated. "We think, generally, on the basis of other parts of the botnet, (targeted installations) are just blind luck."
Killing command and control
I asked Nazario how we might defeat botnets. "The problem is constantly changing," he said, so "it's going to have to be a multifaceted approach." One approach, he said, is to include antivirus vendors, so they can block new Trojans and bots on the desktop. Another is for networks to implement "network-based controls that basically lock the communication between the infected machine and the command and control system." That way, he said, even if "the machine might be infected, it cannot receive commands to install the malicious software to launch attacks." Finally, he said, Arbor Networks and others have been working on killing the command and control centers. There are fewer of those, he said, and they are generally killable by network operators.
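To make the "network-based controls" idea concrete, here is an added example (not code from the article or from Arbor Networks) that models the two egress-side signals a network operator can act on: connections to a known command and control endpoint, which are blocked outright, and regular-interval check-ins to an endpoint that is not yet on any list, which are flagged for review. The log lines, host addresses, port numbers and blocklist entries are all constructed placeholders.

```python
"""Added example, not from the article or Arbor Networks: a toy egress
control that (1) blocks hosts talking to a known C2 endpoint and
(2) flags hosts that beacon to one destination at a constant interval.
Every address, port and log line below is a constructed placeholder."""

from collections import defaultdict
from datetime import datetime

# Constructed blocklist of known C2 endpoints (hypothetical values).
C2_BLOCKLIST = {("198.51.100.7", 6667), ("203.0.113.9", 80)}

# Constructed egress connection log: "timestamp src dst dport proto".
SAMPLE_LOG = """\
2007-10-01T12:00:00 10.0.0.5 198.51.100.7 6667 tcp
2007-10-01T12:00:00 10.0.0.8 192.0.2.44 8080 tcp
2007-10-01T12:05:00 10.0.0.8 192.0.2.44 8080 tcp
2007-10-01T12:10:00 10.0.0.8 192.0.2.44 8080 tcp
2007-10-01T12:15:00 10.0.0.8 192.0.2.44 8080 tcp
2007-10-01T12:03:11 10.0.0.9 192.0.2.10 443 tcp
2007-10-01T12:40:02 10.0.0.9 192.0.2.10 443 tcp
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def blocklist_hits(events, blocklist=C2_BLOCKLIST):
    """Egress-filter rule: source hosts that tried to reach a known C2 endpoint."""
    return sorted({src for _, src, dst, dport in events if (dst, dport) in blocklist})


def beaconing_hosts(events, min_connections=4, tolerance_s=30):
    """Heuristic: (src, dst, dport) pairs that connect at a near-constant interval.
    Periodic check-ins are typical of a bot polling its controller; a real
    deployment would exclude known periodic services (updates, NTP) first."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst, dport)].append(ts)
    flagged = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            flagged.append(pair)
    return sorted(flagged)


def build_block_rules(events):
    """Combine both signals: blocklist matches block, beacons go to review."""
    rules = {}
    for src in blocklist_hits(events):
        rules[src] = "block"  # known C2 endpoint: lock the communication
    for src, dst, dport in beaconing_hosts(events):
        rules.setdefault(src, f"review: periodic beacon to {dst}:{dport}")
    return rules


if __name__ == "__main__":
    for host, action in build_block_rules(parse_log(SAMPLE_LOG)).items():
        print(host, "->", action)
```

The blocklist rule is the cheap, high-confidence control; the beaconing heuristic is what you fall back on when the controller is not yet known, which is exactly the case that later parts of the interview describe (peer-to-peer or frequently moved controllers). It is deliberately a "review" decision, since plenty of legitimate software also polls on a fixed schedule.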
"Unfortunately, there's certainly going to be pressure, I think, to move more botnets into a peer-to-peer strategy to defeat that." Nazario said there are only a handful of peer-to-peer bots now, with the Storm worm being the most visible among them. "That's probably going to be one of the major features we're going to see in the future, because even if you have a Web server, an IRC server that commands the botnet, it can be blocked or shut down."
Nazario said the other trend he's seeing is of botnets gravitating toward networks that are relatively friendly to online crime or online malicious activity, sites that openly ignore the abuse complaints. "They might be turning a blind eye toward it; they might be actively participating in the activities by payments or offering support, and that makes it harder as well."
"To locate an IRC server, for example, someone on the unfriendly networks--I call them friendly to the bad guys and unfriendly to the good guys--then you can stay up for months on end, and no one will basically act."
Are we winning?
"I'm always going to be an optimist. I have to be." Nazario said there are more tools out there today to address the botnet problem than there were yesterday. And he thinks there is more awareness, even among non-network administrators, and all of that will work to make it a manageable problem within a few years. "The problem I don't think will ever go away."
The motivation for criminals to build botnets is simply too great. "The means of gaining a whole lot for very little effort is too much of a lure to ever make the botnet problem go away." But through widespread deployment of antibotnet techniques, and better network controls for network operators as well as host-based solutions, we can get a handle on this, he said.
Will we soon come to accept botnets the way we've learned to live with computer viruses?