Biggest Stories of 2006; Rise of the Bots
Table of contents for biggest-06
- Biggest Stories of 2006; Rise of the Bots
- Biggest Stories of 2006; Third Party Patches
Alan Shimmel of SSAATY asked me, along with several other people, to do a 60 second blurb on what we thought was the biggest security story of 2006, all of which has been incorporated into his podcast. That’s a pretty tall order!
Alan’s podcast #26 can be downloaded from Clickcaster here.
2006 was loaded with great stories: we had several small shops gobbled up by big shops, we had botnets gaining traction as profitable ventures, and we had third party patches causing a stir. There was a lot in 2006, so I copped out and took two stories that I personally followed closely: ‘third party patches’ and ‘the rise of the bot.’ Since I only had 60 seconds to talk on the podcast I had to refer to my blog to flesh out my reasoning for each story, so this is the first of a two-part series.
Rise of the Bot
In 2006 we saw botnets being used more and more for profit-making ventures like spam relay, click-through manipulation, ad delivery, phishing, etc. We also saw worms delivering bots as their payloads more frequently. This convergence flies in the face of those who hailed the death of the worm.
Because botnets are a profitable venture we’re going to see a very long struggle to get them under control, much like we are experiencing with spam. The current best-known method of taking down a botnet is to take down the command and control (C&C) mechanism, which is typically an IRC channel. Unfortunately the bot herders have wised up to that and are going even further underground by putting their IRC servers on port 80 so that their traffic blends in with regular WWW traffic and slips past any filter that judges a connection by its port number alone. They’ve also leveraged dynamic DNS so they can move the C&C nodes around quickly and stay one step ahead of the security community. We’re also seeing the C&C traffic encrypted, which blinds signature-based IDS/IPS to the payload; what remains visible is the connection pattern itself (an internal host holding a long-lived session to an odd destination on a port whose traffic does not look like the protocol it should be carrying).
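To make the port 80 and dynamic DNS points concrete, here is an added detection sketch (my own example, not code from the original post or the podcast). It classifies port-80 flows by the protocol they actually carry rather than by port number, shows what a rule watching only the default IRC port 6667 would miss, treats an unreadable (possibly encrypted) payload on port 80 as a port/protocol mismatch worth alerting on even though its content cannot be inspected, and flags hostnames whose low-TTL A records keep changing, the dynamic-DNS churn used to relocate C&C. All flows, DNS answers, hostnames and addresses are constructed sample data, and the thresholds (TTL of 300 s, four distinct IPs per hour, 60% printable bytes) are assumptions to tune, not published values.

```python
"""Added example (not code from the original post): telling real web
traffic from IRC C&C that has been moved to port 80, and spotting the
dynamic-DNS name churn used to relocate C&C servers.

Every Flow and DnsAnswer below is constructed sample data, not captured
traffic; hostnames and addresses are documentation/reserved values."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Commands a bot sends right after connecting to an IRC C&C channel.
IRC_CLIENT_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PONG|MODE) ", re.M)
# A well-formed HTTP request line; anything else on port 80 is worth a look.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_bytes: bytes  # first payload bytes the client sent


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; encrypted data scores low."""
    if not data:
        return 1.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def classify_port80(flow: Flow) -> str:
    """Label a port-80 flow by what it carries, not by its port number.

    http          : a genuine HTTP request line
    irc-on-80     : cleartext IRC protocol riding on port 80
    opaque-on-80  : neither HTTP nor mostly printable, so possibly encrypted
                    C&C; payload inspection can say nothing more, but the
                    port/protocol mismatch is itself the alert
    unknown-on-80 : printable but not HTTP (some other text protocol)
    other         : not a port-80 flow
    """
    if flow.dport != 80:
        return "other"
    if HTTP_REQUEST_LINE.match(flow.client_bytes):
        return "http"
    if IRC_CLIENT_CMD.search(flow.client_bytes):
        return "irc-on-80"
    if printable_ratio(flow.client_bytes) < 0.6:   # assumed threshold
        return "opaque-on-80"
    return "unknown-on-80"


def port_only_alerts(flows):
    """What a rule that only watches the default IRC port (6667) would flag."""
    return [f for f in flows if f.dport == 6667]


def protocol_alerts(flows):
    """What protocol-aware inspection of port 80 flags in addition."""
    return [f for f in flows if classify_port80(f) in ("irc-on-80", "opaque-on-80")]


@dataclass
class DnsAnswer:
    ts: int     # seconds since epoch (constructed)
    name: str
    ip: str
    ttl: int


def fast_moving_names(answers, max_ttl=300, min_distinct_ips=4, window=3600):
    """Names whose low-TTL A records keep changing within one window: the
    dynamic-DNS pattern used to move C&C nodes. Legitimate CDN names can
    also match, so treat hits as hunting leads, not verdicts."""
    seen = defaultdict(lambda: defaultdict(set))   # name -> window -> {ip}
    for a in answers:
        if a.ttl <= max_ttl:
            seen[a.name][a.ts // window].add(a.ip)
    return sorted(name for name, buckets in seen.items()
                  if any(len(ips) >= min_distinct_ips for ips in buckets.values()))


# Constructed sample data.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.20", 80,
         b"NICK [XP]83712\r\nUSER bot 0 0 :bot\r\nJOIN #chan\r\n"),
    Flow("10.0.0.9", "203.0.113.30", 80,
         b"\x8f\x02\xd9\x41\x7e\xaa\x00\x13\xf0\x9c\xc4\x5b\x21\x88\xee\x07"),
    Flow("10.0.0.11", "203.0.113.40", 6667, b"NICK [XP]11902\r\n"),
]
SAMPLE_DNS = [
    DnsAnswer(0,    "cc.dyn.example.net", "198.51.100.1", 60),
    DnsAnswer(600,  "cc.dyn.example.net", "198.51.100.2", 60),
    DnsAnswer(1200, "cc.dyn.example.net", "198.51.100.3", 60),
    DnsAnswer(1800, "cc.dyn.example.net", "198.51.100.4", 60),
    DnsAnswer(0,    "www.example.com", "203.0.113.10", 3600),
    DnsAnswer(1800, "www.example.com", "203.0.113.10", 3600),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}  {classify_port80(f)}")
    print("port-only rule catches:", len(port_only_alerts(SAMPLE_FLOWS)))
    print("protocol inspection adds:", len(protocol_alerts(SAMPLE_FLOWS)))
    print("fast-moving names:", fast_moving_names(SAMPLE_DNS))
```

On the sample data the port-only rule catches just the one flow to 6667, while protocol inspection of port 80 adds the cleartext IRC session and the opaque one; the opaque hit is the honest limit of content inspection once C&C is encrypted, which is why it is paired with the DNS churn check rather than relied on alone.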
You can rent a botnet now. This has broad implications when you consider the funding terrorist groups have. A botnet was described to me once as a ‘deathstar on the network.’ If enough botnets were under the control of a single entity they could be used very effectively to at least impede critical ‘Net infrastructure if not cripple it altogether. Cyber warfare spilling onto the Internet on a wide scale is a reality we have to deal with today and botnets will likely be a large piece of the arsenal used against us. The sooner we get solid bot countermeasures in place the better.
So to wrap this one up I’d say that the rise of the bot as a profitable venture is one of the most important security stories of ’06 for the following reasons:
- Profitability = Longevity with any business, legal or otherwise. We’re in this fight for the long haul.
- Rapid advancement of technology contributes to the success of the attack:
  - Using worms as a delivery vehicle
  - Incorporation of P2P tech for C&C
  - Encrypted comms
  - Use of dynamic DNS
- The potential use of botnets in cyber warfare
Tomorrow I’ll discuss the impact of third party patches.
