Cyber Security Institute

Thursday, March 02, 2006

Hunt Intensifies for Botnet Command & Controls

Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers.  A botnet, which is short for “robot network,” is a collection of broadband-enabled computers that have been commandeered by hackers for use in spam runs, distributed denial-of-service attacks or malware installation.  The compromised machines are controlled by a “botmaster” via an IRC (Inter Relay Chat) server installed illegally on a high-bandwidth educational or corporate network.  “If that command-and-control is disabled, all the machines in that botnet become useless to the botmaster.  It’s an important part of dealing with this problem,” said Gadi Evron, a botnet hunter who helps to manage the anti-botnet fightback.

Evron, who serves as the Israeli CERT manager and is a leader in many global Internet security efforts, said the group includes representatives from anti-virus vendors, ISPs, law enforcement, educational institutions and dynamic DNS providers internationally.

Over the last year, the group has done its work quietly on closed, invite-only mailing lists.  Now, Evron has launched a public, open mailing list to enlist the general public to help report botnet C&C servers.  The new mailing list will serve as a place to discuss detection techniques, report botnets, pass information to the relevant private groups and automatically notify the relevant ISPs of command-and-control sightings.  “The vetted lists will still do the bulk of the work, but we needed a public place to involve a wider audience,” Evron said in an interview with eWEEK.

Anti-virus experts have detected signs of a massive, well-coordinated Trojan attack capable of creating botnets-for-hire.

Dan Hubbard, senior director of security and technology research at San Diego-based Web filtering software firm Websense, said the threat from botnets should be high on a CIO’s worry list.  “We’re seeing more and more bots being written for multiple use.”

Roger Thompson, a veteran anti-virus researcher who runs the Atlanta-based Exploit Prevention Labs, said the vigilante approach to targeting botnet command-and-controls comes with upside and downside.  However, Thompson worries that culling the herds may breed a stronger beast.  Like Thompson, Evron admits that the command-and-control shutdowns are only a small part of dealing with the growth of botnets.

The bad guys go back to drawing board and plan a more sophisticated mode of attack. 

With the new mailing list and increased public participation, Evron envisages a scenario where experts in the anti-virus, anti-phishing, anti-spyware and anti-spam industries are all working together on research and development to help curb the growth of botnets.  Websense’s Hubbard agrees there’s no silver bullet to solve the problem.  “The techniques are becoming better and more sophisticated as we come out with new defense techniques.”

http://www.eweek.com/print_article2/0,1217,a=172598,00.asp