Bot herders go low key
Published: 18 Nov 2005 11:10 GMT
Malicious makers of bots are finding big is not always better when it comes to avoiding detection, according to a security expert.
Over the past two years, the average network of bots, or compromised PCs commandeered by remote attackers, has dropped from more than 100,000 to an average of 20,000, Mark Sunner, MessageLabs's chief technology officer, said during Tuesday's annual Security Roundtable Webcast.
A botnet is made up of a number of computers that have been surreptitiously compromised without their owners' knowledge. The shift to smaller botnets helps attackers delay detection of their networks, Sunner said.
"When a larger botnet is spreading a virus, it lights up the switchboard of [antivirus] vendors, and they'll respond in a few hours with a signature to contain the outbreak," Sunner said.
"With a smaller botnet, it may take a day or so before it's discovered and a signature is written," he said.
Maksym Schipka, a senior antivirus researcher at MessageLabs, noted that two other issues have also contributed to the shrinking size of botnets.
First, an increase in the numbers of hackers hoping to put together networks has made the task of securing zombie computers more competitive, so it is harder for the "bot herder" to amass a larger number of drone computers.
Second, broadband users, the primary targets of hackers, are taking more steps to secure their computers.
Bots are often infected with software that connects to an IRC server and waits for instructions from the attacker. Botnets are frequently used to send out spam and can also be used to flood a system with data and bring it down in a distributed denial-of-service attack.
When a phishing scam is launched, antivirus companies will write signatures that identify the attack for their protective products. The more quickly antivirus vendors distribute a signature for a virus and customers deploy it, the less effective that particular botnet can be, Sunner said.
"As botnets get used up, they are blacklisted and less useful for spamming or phishing attacks," Sunner said. "But they get mopped up and are used for DoS attacks."
As DoS attacks don't directly use email or viruses, they won't be caught by blacklists or signature-based antivirus products. Last year, Sunner said his company began noticing old, worn-out spambots were being resold as potential DoS bots on various sites and forums used by attackers.
"People would advertise bots with 'fresh' machines, or ones that were mopped up," Sunner said.