How botnets' rise foretells malware's future

How botnets' rise foretells malware's future

Summary: We can learn a lot about the fight against malicious malware from the evolution of the botnet, says Rik Ferguson

TOPICS: Security

Since the ancestors of today's botnets emerged a decade ago, criminal innovation has been unrelenting. The paths the crooks will take next are becoming clearer, but then so are the counter-measures, says Rik Ferguson.

To my mind, two contenders vie for being the malware that started the botnet ball rolling: Sub7 and Pretty Park — a Trojan and a worm respectively. They both introduced the concept of the victim machine connecting to an IRC channel to listen for malicious commands. These two pieces of malware both first surfaced in 1999 and botnet innovation has been constant since then.

Bots in early 2000 were aimed at remote control and information theft, but the move towards modularisation and open-sourcing began the huge increase in variants and the expansion of functionality. Malware authors gradually introduced encryption for ransomware, HTTP and Socks proxies allowing them to use their victims for onward connection or FTP servers for storing illegal content.

Over the years, botnets steadily migrated away from the original IRC command-and-control channel. This port is seldom opened through firewalls and the protocol is easily identified in network traffic. Instead bots began to communicate over HTTP, ICMP and SSL, often using custom protocols. They have also continued the adoption and refinement of peer-to-peer communications, as would be demonstrated five years later by another famous botnet, namely Conficker.

Organised crime
Gradually the criminal interest in the possibilities afforded by botnets began to become apparent. At the start of the decade, spamming was still largely a work-from-home occupation with large volumes of spam being sent from dedicated server farms, open relays or compromised servers. Bagle, Bobax and Mytob changed all that for good with Mytob essentially a blend of an earlier mass mailing worm MyDoom and SDbot.

This worm enabled criminals to build large botnets and distribute their spamming activities across all their victim PCs, giving them agility, flexibility and importantly helping them to avoid the legal enforcement activity that was starting to be aggressively pursued.

From then on we have seen the rise and fall of many famous botnets, the oldest criminal spamming botnets. In 2007, we saw the birth of the famous Storm botnet along with Cutwail and Srizbi. Right now, the Shadowserver Foundation is tracking almost 6,000 unique command-and-control servers and even that figure does not represent all the botnets out there.

At any one time we are tracking tens of millions of infected PCs that are being used to send spam and that figure does not include all the other bot-infected PCs being used for information theft, denial of service or any of the other myriad crimes.

The concerted action that both public and private organisations are taking against botnets means criminal innovation never stops. As new technologies arise criminals look for ways to adopt or abuse them, whether to facilitate the generation of profit, to increase their scalability and flexibility or to provide more effective camouflage.

Initially command-and-control IP addresses were hardcoded into each bot, which made their identification and eventual disruption by malware researchers more simple, but the bad guys learn from their failures every time.

Lost in the white noise
Since the second half of 2007 criminals have been abusing the user-generated content aspect of web 2.0. The first alternative command-and-control channels identified were blogs and RSS feeds, where commands were posted to a public blog by the criminal and the bots retrieved those commands through an RSS feed.

Likewise, output from the infected machines was posted to an entirely separate and legitimate public blog for later retrieval by the command-and-control server, again over RSS.

As web 2.0 services have multiplied and even gained a certain level of acceptance within the enterprise, criminal innovation has continued apace. Compromised, otherwise innocent, servers in Amazon's Elastic Cloud Computer (EC2) cloud, for example, have been used to host configuration files for the Zeus bot.

Twitter has been used as the landing page URL in spam campaigns, to attempt to...

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Good read.