Bot Armies

By Ryan Naraine  |  Posted 2005-06-17

In an interview, Vaughn said the group has noticed quite a range of botnets, with some C&C servers managing as many as 100,000 compromised machines. "Some have just 1,000 drones but some are quite large, and there's also a lot of cross-infections where one machine is talking to multiple command-and-controls," he said. In those cases, Vaughn said it becomes even tougher for an ISP or autonomous system operator to shut down the command center.

"We've seen drones in multiple bot armies, and in some cases, they're even sold or traded from one owner to another."

A key part of the vigilante effort, Vaughn said, is to work closely with the network operators to quickly strangle the botnet once the C&C is pinpointed. The operators of ASNs (autonomous system numbers) have been largely reticent in the past, but Vaughn said the relationship has improved because network operators now see a business value in clamping down on botnets.

An ASN is a number assigned to a group of network addresses, managed by a particular network operator, sharing a common routing policy. Most ISPs, large corporations and university networks have an ASN. According to Vaughn's latest data, the ISPs that are most often plagued with botnet command-and-control include Yipes Communications Inc., Sago Networks, Inc., Staminus Communications and Korea Telecom.

Gadi Evron, the Israeli government's CERT manager who oversees the vigilante effort, said the ASN network operators are becoming more proactive. "This month we would especially like to commend Staminus, who contacted us and have since made incredible efforts to deal with the threat. Also, we'd like to mention Internap for their continuous efforts," he said in a recent public update on the group's work.

Evron reported that the Trojan horses used most in botnets include those recently spotted by anti-virus vendors—Korgobot, SpyBot, Optix Pro, Rbot, AgoBot, PhatBot.

"I think our efforts are working. It's not eliminating the botnets, but it's slowing them down," CA's Thompson said. "A lot of it has been cleaned up, but the trouble is that the bad guys are learning as well. It's the classic cat-and-mouse game to find the command-and-controls before they figure out we're on the tail and start moving them around."

Thompson, who is convinced that adware installation affiliate dollars are financing the growth of botnets, concedes that the war will never be won. "We've got to do something to mitigate it. Unless we get all the adware companies shut down and cut off the supply of money, it's always going to be there."

Baylor University's Vaughn agreed. "Just last night, I saw a 10 percent increase in command-and-control detections, so we know they're being replaced just as fast."

He declined to provide numbers on actual shutdowns but insisted that the group is seeing positive results. "We're breaking through to the network operators and getting them to a level of awareness that is encouraging. Quite a few of the command-and-control centers are no longer showing up, so we know it's working," Vaughn added.

Because the botnet scourge is an international issue, Vaughn said the group's efforts are sometimes stymied by a communication gap. "The command-and-controls have a tendency to hop around a bit. They can hop from one autonomous system to another in a matter of days, especially the very active ones, so it's always tough to start talking about being successful." Even when a C&C gets taken out, the drones within that botnet remain susceptible, because they are usually unpatched and therefore vulnerable to future infection. "We have the other issue of cross-infections, where you kill one command-and-control and the drone is still talking to another one. These are patterns we're trying to identify," Vaughn said.

Thor Larholm, senior security researcher at PivX Solutions LLC, said Vaughn's data is a good indication of the scale of the botnet problem. Larholm, who also participates in the vigilante initiative, said the detection of new infections and C&Cs is leading to "active cooperation" between researchers and ISPs.

"A key part is to work with the ISPs to shut down Internet access to these compromised machines. A lot of the problem-solving lies in the hands of ISPs, and sometimes they can be slow-moving."
