Botnet Operators Likely to Change Tactics in Wake of McColo, Intercage ISP Shutdowns

Botnet operators may change their tactics due to the shutdowns of ISP Intercage and Web hosting company McColo. Security researchers predict a shift to a more distributed botnet model and redundant command and control servers.

Between the shutdown of Web hosting company McColo Nov. 11 and the death of ISP Intercage, aka Atrivo, in September, we may be entering a new phase of Internet security, one where every part of the Internet's ecosystem takes a more proactive role in securing Web users.

But attackers always adapt to the times, and security experts expect botnet operators to focus on avoiding situations where a knockout blow like the McColo shutdown can take them offline.

"There has been a great deal of talk about a more distributed botnet infrastructure and several smaller botnets were already following this model," said Graham Cluley, senior technology consultant with Sophos. "However, because the big [old-fashioned] botnets were still working there was no need for them to change their methods. The closing of McColo will force changes."

Joe Stewart, SecureWorks' director of malware research, shared a similar opinion. He predicted that some of the more tech-savvy botnet operators may design a fast-flux hosting platform for their command and control servers on compromised home computers. Others, he speculated, will follow the path of the Storm botnet and try going the peer-to-peer route.

"It is very hard to build a fully decentralized P2P system that is scalable and reliable," Stewart said. "Storm wasn't even fully P2P, it used a tiered-proxy C&C [command and control] system, and you could still shut down the master controller at the top to kill the botnet temporarily if you could find it."

After Intercage was shut down, spam levels dropped as well. However, that decline only lasted a few days. By the end of October, the proportion of spam circulating the Internet was unchanged from September, according to a report by MessageLabs, now part of Symantec.

The short fall-off shows that botnet controllers will react to a disruption in service by pointing their bots to a new C&C channel as soon as possible. That fact has left some researchers a little surprised that the latest decline in spam has lasted as long as it has.

"The volumes are still way down," said Matt Sergeant, senior anti-spam technologist at MessageLabs. "Asprox has come back, but it was always a fairly low-volume botnet in comparison to the big guns. Warezov has spiked, taking advantage of the other bots being down, we presume, [as] its C&C wasn't hosted at McColo."

To avoid this situation in the future, Sergeant predicted botnet operators would look to have multiple redundant C&Cs and more algorithmically generated DNS (Domain Name System) names for failover purposes.
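The two failover techniques named in this article, fast-flux hosting of C&C servers and algorithmically generated DNS names, both leave traces in resolver logs that a defender can look for. The script below is an added example written for this page, not code from the article or the researchers quoted; it runs over a constructed log excerpt, and its entropy, vowel-ratio, distinct-IP and TTL thresholds are assumed starting points rather than validated values.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one answer per line: "<qname> <type> <ttl> <rdata>".
# Names and addresses are made up (RFC 5737 test ranges), not real indicators.
SAMPLE_LOG = """\
mail.example.com A 3600 192.0.2.10
xk3qf9zlpwv2.example.net A 300 198.51.100.5
xk3qf9zlpwv2.example.net A 300 198.51.100.77
xk3qf9zlpwv2.example.net A 300 203.0.113.9
update.example.org A 60 192.0.2.20
update.example.org A 60 192.0.2.21
"""

def shannon_entropy(s: str) -> float:
    # Bits per character; 0.0 for an empty or single-symbol string.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_generated(qname: str, min_entropy: float = 3.0) -> bool:
    # Heuristic for algorithmically generated names: a high-entropy leftmost label
    # that also carries digits or almost no vowels (thresholds are assumptions).
    label = qname.lower().split(".")[0]
    if not label or shannon_entropy(label) < min_entropy:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return any(ch.isdigit() for ch in label) or vowel_ratio < 0.3

def parse_log(text: str) -> list:
    # Return (qname, rrtype, ttl, rdata) tuples, skipping malformed or blank lines.
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            records.append((parts[0].lower(), parts[1], int(parts[2]), parts[3]))
    return records

def fast_flux_candidates(records, min_ips: int = 3, max_ttl: int = 300) -> set:
    # Names answering with many distinct A records at a short TTL (the fast-flux
    # pattern). A legitimate CDN can match too, so hits are leads to triage.
    ips, ttl_seen = defaultdict(set), defaultdict(int)
    for qname, rrtype, ttl, rdata in records:
        if rrtype == "A":
            ips[qname].add(rdata)
            ttl_seen[qname] = max(ttl_seen[qname], ttl)
    return {q for q, s in ips.items() if len(s) >= min_ips and ttl_seen[q] <= max_ttl}

def dga_like_names(records) -> set:
    # Distinct query names whose leftmost label looks machine-generated.
    return {r[0] for r in records if looks_generated(r[0])}
```

On the sample log only the twelve-character random-looking host is flagged by both checks; the two-address, 60-second-TTL name stays below the distinct-IP threshold.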