RSA - Botnet Live

Presenters: Christopher Boyd and Wayne Porter

So far this was the most interesting session for me.

The presenters walked us through the basics of botnets, their history,
etc., before they dived into a detailed description of how they
investigated and ultimately busted a big ring of bot operators by
using alternate techniques. For example, instead of attacking the
botnet itself, they got themselves accepted into the hacker groups or
worked with people already in the group, to convince them to provide the
evidence needed to convict them.

Their investigations revealed that botnet operators have developed
their own economic systems that include construction kits, purpose and
sizing guides, etc. Funding equals longevity, so this is a problem
here to stay.

They defined three waves of a botnet:

  1. Adware and rootkit delivery
  2. Data theft and DDoS attacks
  3. Experimentation and testing

The third phase is very interesting to me: these guys are organized
enough that after they’ve used up the ‘useful’ life of a botnet,
they’ll dedicate a chunk of it to R&D.

The standard defenses apply:

  • Educate employees
  • Ensure that all channels are secured
  • Report botnet activity

Botnets are one of my choices for the biggest story of 2006, and I feel
it will continue to be a front-line issue through 2007 simply due to
the economics involved. It is a hugely profitable venture and is quite
wide-ranging. We’re going to see more botnets involved in cyberwarfare,
and we’re going to need to get a better handle on it quickly.

One of the things they mentioned that we can do right now is to get
involved. Contribute to groups like Shadowserver and ISC, who share
information freely and openly with the security community and who champion the cause.

Here are some links they provided. I haven’t visited or validated a
few, so if I have a broken link, let me know.

http://spywareguide.com
http://Facetime.com
http://Vitalsecurity.org
http://Revenews.com
http://Benedelman.org
http://Honeynet.org
http://Spywarewarrior.com

They have some pictures from the session posted on Vitalsecurity.org. Check ‘em out, they show how packed the room was!

http://spywaregUide.com is the actual site. Typo is to be excused due to the RSA frenzy.

Yeah, me spamming your blog some more. I agree with you fully, botnets were the story last year and will remain so for years, I think. For all the talk and posturing about NAC and user identity and data theft, botnets are still the scariest threat out there, imo.

Eventually, if not already, that third phase could include leveraging the CPU power of that base in addition to the networking power, much like Folding or SETI do now with using spare cycles to perform scientific stuff. I wonder how long some encryption might last when put through the wringers of a botnet cracking party? Or perform a distributed brute force against open authentication systems on the network (what is that? an FTP server listening? brute it from 10,000 different sources!)

I wonder if, 10 years from now, corporate networks will leverage campus systems in much the same way? Need some crunching done on a big report?

Link fixed. Thanks William.

Interesting thought Loner, to use Botnets to crunch crypto. Yet another reason to hate the bot.

One more URL typo to fix, this time it’s my fault ’cause I submitted the final presentation to RSA for Boyd & Porter … should be http://www.spywarewarrior.com

It has been fixed on the RSA official version of the presentation available for download to conference participants.

Thanks for the heads up Bev. I had only verified that the links go somewhere. I kept thinking the spelling looked funny though, lol. (I’m sooo dependent on spell check, it’s not even funny)

RSA 2007: Botnet Live

The dust has settled from RSA 2007, and it was standing room only as Wayne Porter and I explored the methods of shutting down Botnets by dealing with details outside of the Botnet itself - in other words, tackling the…