More on Bots (and the ISC is wrong about worms)
In a previous post I touched on the subject of botnets and their impact on the security community for 2007.
Today I found this article on DarkReading.com that reinforces everything I stated:
- Botnets are shifting to web-based and P2P-based command and control (C&C).
- This shift represents a drastic improvement in bot longevity due to the inability to detect and control these new C&C methods.
My primary focus for 2007 is going to be on the insider threat. Where I work, we’ve gotten very good control of our perimeter over the years. We’ve also implemented an extremely effective worm defense and containment system that has a useful side-effect of also helping to prevent, or identify and contain, bot installations*. However, in light of the rising threat posed by bots, I’m adding ‘bot countermeasures’ to my 2007 list of things to address.
As I’ve said, profitability directly equates to the success of any business, legal or otherwise. Bot herders, the chuckle-heads who control these massive bot networks, have learned that the spam jockeys will pay for the use of botnets to distribute their annoying spam, to manipulate click-throughs, etc. This uptick in money means increased funds for R&D. It’s also, to quote one of my favorite movies, a motive with a universal adaptor.
I’m sure you’re going to see many, many posts from MCWResearch about botnets because they fascinate me. If they fascinate you as well, you should check out ShadowServer.org. They’re doing a lot of great research on and tracking of botnets, their C&C mechanisms, etc.
*It’s interesting to note that, according to Shadowserver.org:
The only difference between a bot and a conventional worm is the existence of a unifying control system.
This supports what I’ve said in the past: we haven’t nearly seen the end of worms, and the ISC is dead wrong when they make statements to the contrary. Worms are very effective in propagating malware and, to be picky about it, calling something a ‘worm’ simply means it’s self-propagating. So if the ISC says that worms are “so 2004,” they’re saying self-propagating malware is ‘so 2004.’
I only wish it were true.

I’m with you, worms are not dead and won’t die for a very, very long time, if ever. Security of the network perimeter has just been beefed up enough over the years to deter worms from being hugely widespread through them. However, these perimeters are now being rubbed out slowly as browser/web takes over, wireless becomes more homogeneous, and everyone (systems) keep getting more and more connected through those network perimeters. Even 6 years ago, networks were fairly containable and trustable entities. These days, every company ends up trusting not only their network, but hotspots and home networks of many people and other orgs. It’s like a second layer of an Internet…
I still suspect to see some POC of wireless driver-attacking worms. I personally think it would be interesting to write one and see how it moves when released at a local wireless hotspot, especially as long as wireless NICs stay powered on constantly and there are still plenty of XP users whose NICs auto-connect to anything that looks alive.
And yeah, what about all the website-borne propagating malware? Or P2P?
Worms are not gone by a long shot, they’re just evolving with the landscape. And someday, I still think we’ll see a return to network-borne worm attacks in another 3-5 years as we get lax with perimeter hardening again.
By LonerVamp on 01.08.07 1:00 pm
I’m not sure that perimeter hardening will get lax, but I do see the increased threat of malware targeting the enterprise networks, much like Big Yellow did.
The ability for a worm to begin its scan with the local subnet would be extremely effective at owning a big chunk of an enterprise network. Think about it; the likelihood of a large number of machines all having the same vulnerabilities increases exponentially in a centrally-managed environment. If an admin hasn’t deployed a patch to the compromised machine it’s highly likely that patch hasn’t been deployed to many machines.
In a case like that, your best bet is to catch the C&C call leaving your network.
And you’re also correct about ‘wireless’ threats as well, though the radio’s effective range is a big deterrent, unless of course it’s a blended threat that can use a wireless attack and/or other attacks. A worm that can jump from the wire to the radio could be nasty for cities that have deployed city-wide, free wireless access. And that opens up a whole new ball of liability wax. If the city doesn’t have an air-tight EULA for wireless access then they better provide air-tight wireless access that protects their customers (I would definitely love to work for a city some day).
By Michael on 01.09.07 1:55 pm
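The post notes that C&C is shifting to web-based channels, and the reply above says the best bet in a centrally-managed network is to catch the C&C call leaving the network. One practical egress-side signal for web-based C&C is timing: a bot polling its controller over HTTP tends to connect to the same external host at a near-fixed interval, while a person browsing the same host does not. The following is an added example, not code from the original post, from MCWResearch or from Shadowserver; the log format, IP addresses, hostnames and timestamps are all constructed for the example, and the thresholds (at least four connections, coefficient of variation of the inter-connection gaps at or below 0.1) are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in an assumed format: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# Host 10.1.4.22 polls www.example.com every five minutes (bot-like regularity);
# host 10.1.4.23 visits the same site at human-irregular intervals.
SAMPLE_LOG = """\
2007-01-09T13:00:00 10.1.4.22 www.example.com 2031
2007-01-09T13:00:01 10.1.4.22 cdn.example.net 51220
2007-01-09T13:05:00 10.1.4.22 www.example.com 2030
2007-01-09T13:10:01 10.1.4.22 www.example.com 2029
2007-01-09T13:15:00 10.1.4.22 www.example.com 2031
2007-01-09T13:20:00 10.1.4.22 www.example.com 2030
2007-01-09T13:02:13 10.1.4.23 www.example.com 48110
2007-01-09T13:09:47 10.1.4.23 www.example.com 9922
2007-01-09T13:31:05 10.1.4.23 www.example.com 75003
2007-01-09T13:44:59 10.1.4.23 www.example.com 1201
2007-01-09T13:52:30 10.1.4.23 www.example.com 6630
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], size))
    return records


def beacon_stats(records, min_connections=4):
    """Per (src, dst) pair with enough connections, return (mean gap in seconds,
    coefficient of variation of the gaps). A low coefficient means regular timing."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        stats[pair] = (avg, pstdev(gaps) / avg)
    return stats


def flag_beacons(records, max_cv=0.1, min_connections=4):
    """Return [(src, dst, mean_gap, cv)] for pairs regular enough to look like polling,
    most regular first. This is a triage list, not a verdict: patch and AV update
    checks beacon too, so compare hits against an allow-list of known updaters."""
    hits = []
    for (src, dst), (avg, cv) in beacon_stats(records, min_connections).items():
        if cv <= max_cv:
            hits.append((src, dst, avg, cv))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for src, dst, avg, cv in flag_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{avg:.0f}s (cv={cv:.3f})")
```

Run against the constructed log, only the 10.1.4.22 to www.example.com pair is reported, at roughly a 300-second interval; the irregular browsing from 10.1.4.23 to the same host is not, which is the point of keying on behaviour rather than on a destination blacklist. On a real proxy or firewall feed, feed it a day of outbound records at a time and start from the lowest coefficient of variation.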