Monday, October 16, 2006

Observing and Analyzing Botnets

Informative and rich in visual material, the research paper "A Multifaceted Approach to Understanding the Botnet Phenomenon" presents the following findings:

"Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon."

The security implications of botnets are often treated as a new phenomenon, which they are not: the distributed computing concepts behind them have been around for decades. Some of the interesting graphs and observations in this research are:

- Breakdown of scan-related commands seen on tracked botnets during the measurement period
- The percentage of bots that launched the respective services (AV/FW Killer) on the victim machines
- Distribution of exploited hosts extracted from the IRC tracker logs

What botnet masters will definitely optimise:
- disinformation about the number and geolocation of infected hosts
- alternative and covert communication channels, compared to stripped-down or encrypted IRC sessions
- rethinking the trade-off between performance and stealthiness
- rethinking how to retain already infected nodes, rather than putting more effort into infecting new ones
- for true competitiveness, exploiting vulnerabilities in anti-virus solutions that allow the code to remain undetected for as long as possible
- synchronisation with results from popular test beds such as VirusTotal, so that an undetected payload can be reintroduced immediately

The future of malware is a solid ecosystem with diversity, in which researchers, the Pentagon and malware authors are all actively benchmarking and optimising malware, each with separate objectives to achieve.

Go through the previous post "Malware Bot Families, Technology and Trends" if you want to find out more about botnet technologies, and catch up on the most recent case of DDoS extortion.
