Botnet operators may change their tactics due to the shutdowns of ISP Intercage and Web hosting company McColo. Security researchers predict a shift to a more distributed botnet model and redundant command and control servers.
Between the shutdown
of Web hosting company McColo Nov. 11
and the death of ISP Intercage, aka
Atrivo, in September, we may be entering a new phase of Internet security-one
where every part of the Internet's ecosystem takes a more proactive role in
securing Web users.
But attackers always adapt to the times, and security experts expect botnet
operators to focus on avoiding situations where a knockout blow like the McColo
shutdown can take them offline.
"There has been a great deal of talk about a more distributed botnet
infrastructure and several smaller botnets were already following this
model," said Graham Cluley, senior technology consultant with Sophos.
"However, because the big [old-fashioned] botnets were still working there
was no need for them to change their methods. The closing of McColo will force
Joe Stewart, SecureWorks'
director of malware research, shared a similar
opinion. He predicted that some of the more tech-savvy botnet operators may
design a fast-flux hosting platform for their command and control servers on
compromised home computers. Others, he speculated, will follow the path of the
Storm botnet and try going the peer-to-peer route.
"It is very hard to build a fully decentralized P2P system that is
scalable and reliable," Stewart said. "Storm wasn't even fully P2P,
it used a tiered-proxy C&C [command and control] system, and you could
still shut down the master controller at the top to kill the botnet temporarily
if you could find it."
After Intercage was shut down, spam levels dropped as well. However, that
decline only lasted a few days. By the end of October, the proportion of spam
circulating the Internet was unchanged from September, according to a report by
MessageLabs, now part of Symantec.
The short fall-off shows that botnet controllers will react to a disruption
in service by pointing their bots to a new C&C channel as soon as possible.
That fact has left some researchers a little surprised that the latest decline
in spam has lasted as long as it has.
"The volumes are still way down," said Matt Sergeant, senior
anti-spam technologist at MessageLabs. "Asprox has come back, but it was
always a fairly low-volume botnet in comparison to the big guns. Warezov has
spiked, taking advantage of the other bots being down, we presume, [as] its
C&C wasn't hosted at McColo."
To avoid this situation in the future, Sergeant predicted botnet operators
would look to have multiple redundant C&Cs and more algorithmic
generated DNS (Domain Name System) names for failover purposes.