A Botnet by Any Other Name
Gunter Ollmann, 2009-05-01

The news has been awash the last few weeks with fears over globe-spanning botnets and their criminal intent: Conficker managed to hog the limelight for well over a month, and then came Finjan's disclosure of a previously unknown — and currently unnamed — botnet consisting of some 1.9 million malicious agents.

All this attention underscores an increasingly significant problem for botnet researchers: how precisely should botnets be usefully named?

It's not an easy problem to solve. The antivirus industry has had decades to reach a consensus on naming new malware, yet it has failed to do so. Such a track record does not build confidence for botnet naming. Despite botnets not being the same as viruses, the historical process has been to name a botnet after the primary malware discovery, and this approach is already proving to be an increasingly redundant convention.

Current botnets are best thought of as delivery platforms for centralized malware distribution. That’s a much more sophisticated entity than a named malware sample that just happens to have a recognizable command-and-control channel. Both Conficker and Finjan's "Big Bot" botnets ended up deploying a multitude of spammer tools, spyware, fake security software, and keyloggers to their infected hosts. The specific malware used to establish command-and-control over the compromised host was just a means to an end, and did negligible direct damage by itself.

Bots do enable the criminal entities behind them to focus upon their global infection vectors and tactics, and to defer the deployment of insidious money-making malware suites to a more convenient time or to delegate to others.

One of the consequences of these botnets is that the malware footprint on the infected host is in a constant state of flux, making it difficult — if not impossible — for the botnet to retain a meaningful association with the original malware sample that fathered its name.

To make matters worse, multiple malware agents may be deployed via the original botnet agent, and both the original botnet agent and its command-and-control channel can be changed at any time by their human controller. Any botnet can morph and become unrecognizable after a surprisingly short period of time.

Maybe the existing botnet naming conventions would have been sufficient — especially for historical tracking purposes — if the above was all that researchers had to worry about. The problem, however, now lies with the fact that botnet building is a profitable business model. The criminals orchestrating the building of a botnet can choose to bundle disparate botnets together or carve up a bigger botnet, and sell or lease access to other third-party criminal syndicates. Once a sizable botnet has been created, criminal controllers now generate even more income by dividing it into optimized sub-botnets and selling or leasing parts of it to other criminal teams that specialize in, for example, identity-fraud operations. And amateur botnet builders can make money selling the smaller botnets they've created to larger botnet consolidators.

Gunter Ollmann serves as vice president for research at Damballa, where he is responsible for evolving-threat research and developing new technologies to combat cybercrime. Gunter has spent the last decade building advanced penetration testing, reverse engineering and threat research teams around the globe.