The recent FBI-led “Operation Bot Roast” and the high-profile cyber attacks in Estonia together illustrated how pervasive and dangerous botnets are.
The FBI’s investigation illustrated the depth and scope of the botnet problem by identifying approximately 1 million infected computers that could be remotely controlled by a malicious hacker to send spam, launch denial-of-service (DoS) attacks, engage in click fraud, carry out identity theft, and conduct other criminal activities. Surely the infected computers identified in “Operation Bot Roast” represent only a fraction of the problem. Many experts believe that as many as one quarter of all computers connected to the Internet, approximately 150 million, are infected and part of a botnet (source).
The cyber attacks in Estonia demonstrate that botnets can threaten the security of nation-states (Previous Report). While the cyber attacks against Estonia did not cause any loss of life, they were in effect similar to an embargo and certainly caused a great deal of economic damage.
New and Improved Botnets
Given the scope and seriousness of the threat presented by botnets, it is distressing to learn that cyber criminals have recently increased the resiliency, redundancy, and security of their botnets.
Peer-to-Peer Botnets
Cyber criminals have begun to decentralize the command-and-control functions of botnets. Previous generations of these zombie networks were hierarchical in nature and were controlled by a central command-and-control server. As a result, security professionals could dismantle a botnet by locating and disabling its command-and-control server. In an effort to improve the resiliency of their botnets, many cyber criminals migrated their networks to a peer-to-peer model in which each infected computer acts as both a client and a server (source). Each bot both sends instructions to and receives instructions from other bots in the network. As a result, in order to disable the entire botnet, security professionals must identify every infected computer instead of targeting one command-and-control server. This peer-to-peer communications model has the potential to drastically improve the redundancy and resiliency of botnets.
Encrypted Communication
Cyber criminals have also worked to improve the security of their botnets via the use of encryption (source). Cyber criminals use encryption to obfuscate communications among bots in order to prevent security professionals from gathering intelligence and designing plans to disable their illicit networks. Cyber criminals may also use encryption to authenticate bots joining the network, in an effort to prevent security professionals from surreptitiously joining the botnet to gather that same intelligence and design a plan to disable the rogue network.
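As an added illustration of the defender's side of the two sections above (example code, not from the original report), the following Python sketches two traffic-pattern checks over constructed flow records: one for monitored hosts that act as both client and server toward many peers, as in the peer-to-peer model, and one for hosts that only beacon to a single server, as in the hierarchical model. Neither check looks at payload contents, which is the point once bot traffic is encrypted; the addresses, thresholds and monitored prefix are assumptions.

```python
from collections import defaultdict

# Constructed flow records (source host, destination host); sample data only,
# not drawn from any real capture. 10.0.0.x is the monitored network.
SAMPLE_FLOWS = [
    # 10.0.0.5 talks in both directions with four external peers: P2P-like
    ("10.0.0.5", "203.0.113.10"), ("203.0.113.10", "10.0.0.5"),
    ("10.0.0.5", "203.0.113.11"), ("203.0.113.11", "10.0.0.5"),
    ("10.0.0.5", "203.0.113.12"), ("203.0.113.12", "10.0.0.5"),
    ("10.0.0.5", "198.51.100.7"), ("198.51.100.7", "10.0.0.5"),
    # 10.0.0.7 repeatedly polls a single external server: centralized pattern
    ("10.0.0.7", "192.0.2.9"), ("10.0.0.7", "192.0.2.9"),
    ("10.0.0.7", "192.0.2.9"), ("10.0.0.7", "192.0.2.9"),
    # 10.0.0.8 connects out to several servers and accepts nothing: ordinary client
    ("10.0.0.8", "198.51.100.20"), ("10.0.0.8", "198.51.100.21"),
    ("10.0.0.8", "198.51.100.22"),
]

def peer_profile(flows):
    """Per host, the distinct peers it connected to and the peers that connected to it."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    for src, dst in flows:
        out_peers[src].add(dst)
        in_peers[dst].add(src)
    return out_peers, in_peers

def flag_p2p_hosts(flows, min_peers=3, monitored_prefix="10.0.0."):
    """Monitored hosts that both initiate to and accept from at least min_peers
    distinct peers, i.e. act as client and server at once. Relies only on
    who-talks-to-whom, so encrypted payloads do not defeat it."""
    out_peers, in_peers = peer_profile(flows)
    flagged = {}
    for host in set(out_peers) | set(in_peers):
        if host.startswith(monitored_prefix):
            both_ways = out_peers[host] & in_peers[host]
            if len(both_ways) >= min_peers:
                flagged[host] = sorted(both_ways)
    return flagged

def flag_single_server_beacons(flows, min_flows=4, monitored_prefix="10.0.0."):
    """Monitored hosts whose outbound flows all go to one destination at least
    min_flows times: the hierarchical pattern with a single choke point."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst in flows:
        if src.startswith(monitored_prefix):
            counts[src][dst] += 1
    return {host: next(iter(dests)) for host, dests in counts.items()
            if len(dests) == 1 and sum(dests.values()) >= min_flows}
```

On the sample data the first check singles out 10.0.0.5 and the second 10.0.0.7, while the ordinary web client 10.0.0.8 trips neither; on real flow data the thresholds need tuning against legitimate peer-to-peer software.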
Offense versus Defense
While these upgrades in botnet design and communication are disheartening, these enhanced botnets may represent encouraging news for security professionals. Quite simply, security professionals have made it more difficult for hackers and cyber criminals to operate. Creating, configuring and maintaining a botnet to communicate with encryption across a peer-to-peer network is more expensive and difficult than creating, configuring and maintaining a hierarchical botnet that communicates across open channels. Unfortunately, once cyber criminals develop a new strategy to defeat existing defenses it is likely that these new techniques will be quickly disseminated and embraced by the cyber criminal underground via the malware marketplace (Previous Report, Previous Report, Previous Report). This malware marketplace enables cyber criminals to share new techniques and attack vectors with other criminals, allowing them to overcome the laborious defenses erected by security professionals.
We expect this “arms race” between cyber criminals and security professionals to continue unabated. Unfortunately, as long as there is money to be made cyber criminals will continue to develop new and more sophisticated avenues of attack and force security professionals to develop equally sophisticated defenses.