Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
A Botnet by Any Other Name
Gunter Ollmann, 2009-05-01

Story continued from Page 1

The upshot for security researchers is that the "owners" of a botnet change constantly too, along with the individual malware components on each compromised host. Yet, there remains a pressing need for the security community to speak a common tongue in order to combat botnet threats more successfully than in the past.

Joe Stewart of SecureWorks recently proposed that country-level government agencies need to focus upon the cyber criminals behind the botnets, and be empowered with the ability to shut down criminal networks in globe-spanning coordinated efforts. Whether you believe that law enforcement departments operating in multiple countries, under different legal systems and with differing thoughts on how to prosecute cyber criminals can collaborate in a manner that has eluded them for all other international crime to date or not, he is correct in his point that the focus for combating the botnet threat has to be the targeting of the criminals that operate them.

To that end, the industry needs to adopt a better way of associating botnets with their criminal operators if it’s ever to track the threat across international borders or transitions between multiple criminal entities. The original malware sample’s name can no longer be reasonably associated with a solitary botnet, and the malware components can change or multiply upon the compromised host at a moment’s notice. Therefore, a different method of christening a botnet is required.

How should the industry make this happen? The key lies within a mix of cyber-crime tactics and observed control patterns, such as command-and-control techniques or geography, that can then be associated with a unique entity as a kind of electronic fingerprint. These correlating factors all point back to the needs, goals and actions of specific criminal operators, and so create a more logical framework for naming the botnet. Ideally, they also provide a tracking mechanism sufficiently flexible to account for what amounts to a tree of inheritance, as botnets are divided amongst multiple criminal operators or coalesced into larger botnet entities.

In the end, labeling a botnet may be just a name, but a suitable nomenclature for botnet identification is critical if the security industry is to efficiently coordinate defenses and work together with law enforcement forces to target the source of the threat, the professional consortia of cyber-criminals. This naming system must be able to take any two independently observed collections of compromised hosts, operating within different environments, and be able to positively associate them with the same criminal entity.

Collaboration between security researchers will be the key to a successful pan-vendor naming framework and a consistent, accurate enumeration of botnets for the purpose of targeting cybercriminals. But will this collaboration be tempered by commercial realities as security vendors strive to differentiate their technologies and compete for business? Or will the biggest and most influential customers for their technology force them to play together nicely? Time will tell — and probably very soon.

Gunter Ollmann serves as vice president for research at Damballa, where he is responsible for evolving-threat research and developing new technologies to combat cybercrime. Gunter has spent the last decade building advanced penetration testing, reverse engineering and threat research teams around the globe.
    Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Comments Mode:
A Botnet by Any Other Name 2009-05-19
Liran chen (1 replies)
Re: A Botnet by Any Other Name 2009-05-29
Shane Coursen
A Botnet by Any Other Name 2009-06-12
A Botnet by Any Other Name 2009-06-12


Privacy Statement
Copyright 2010, SecurityFocus