By Ryan Naraine  |  Posted 2006-10-16

Cat-and-Mouse Game

Trend Micro, a Tokyo-based company that sells botnet mitigation technology to ISPs, estimates that more than 5 percent of all computers connected to the Internet have been used in botnets that have become more and more sophisticated over the years.

"These guys are way more advanced than you can imagine," said Jose Nazario, a software and security engineer at Arbor Networks, in Lexington, Mass.
"We've seen botnets that are very carefully managed. The techniques [bot herders] use to partition the bots are very sophisticated and interesting. They're partitioning bots on different servers based on bandwidth or location. If it's a dial-up machine, [bot herders] know [the bot] doesn't have much use, so they just put those in one channel and hose them with spyware and get paid for the installation," Nazario said.

Joe Stewart, a senior security researcher at Atlanta-based SecureWorks, spends his days reverse-engineering bots and eavesdropping on botnet communications, and his findings confirm fears that bot herders are winning the cat-and-mouse game with advanced anti-detection techniques.

A classic example of the increased sophistication came with the Sinit back-door Trojan that employed a slick peer-to-peer distribution model. "With Sinit, there was no central server that could be shut down. Each infected [machine] becomes part of a peer-to-peer network through which additional Trojans are spread to all hosts," Stewart said. "The bot herder would inject a command into one node and then spread it to all nodes. The thing that made it really sophisticated was the way all the commands and code were digitally signed. It was near impossible to crack," Stewart said.

Evron, who has been tracking botnets since 1996, says bot herders are using free dynamic DNS services to quickly move machines around to avoid detection. He also has seen evidence of botnets operating like offline terrorist cells, where botnets control each other in a treelike structure.

"They've advanced to the point where there is no command and control to find and take down. For a while, the command and control was the weak link. Today, there's enough redundancy and alternative control channels to keep them alive," Evron said.

SecureWorks' Stewart agrees that chasing down command and controls has become a futile exercise. "We're up against guys who are in this for the long haul. This is big business for them, and we are seeing all kinds of crazy evasion tactics to stay ahead of us," Stewart said.
