Return of the Mega-Botnet

happygeek

According to Symantec, 64% of small businesses have seen a surge in the volume of spam received during the previous six months. And it isn’t the only one: whether you talk to ISPs or security vendors, gateway mail filtering services or end users, the message is the same. Spam is on the up, and how. The most worrying thing is the how rather than the why, the latter being the good old Yankee Dollar as always. In the past it was bulk-emailers that caused the spam damage, plain and simple, but now the trend is towards a higher level of sophistication. Behind the new wave of spam is the botnet.

Security specialists MessageLabs are warning that things can only get worse in the run-up to the big Christmas online shopping spree, with darknet activity by cyber-criminals showing a worrying acceleration. The cause of the worry is botnets once again, or rather a single botnet in this case. MessageLabs has reported activity suggesting the biggest botnet to hit the Internet for more than two years is being pieced together, and it currently stands at just under a million compromised and controlled PCs in size. Compare this to the usual sub-10,000-PC botnet (smaller ones are more difficult to track, so easier to exploit) and you can see why the mega-botnet is causing concern.

The smaller botnets are usually hired out in a piecemeal fashion, available to anyone with the ready cash, no questions asked. Want to send some spam? No problem. Distribute some spyware? Certainly, sir. Organize a Distributed Denial of Service attack against the ISP of that fellow who dissed you online? Sure, why not. But the thought of a million-strong botnet, with the sole purpose of robbing shoppers blind at Christmas, has me all goose-pimply. The most likely usage scenario will be a robbers-for-rent one, with mass spamming of spyware-infected email and the resources to exploit the phishing opportunities this will open up. The last botnet of this size that I can recall being reported was way back in 2004, and that was the one that launched the infamous Netsky virus.

Couple the botnet activity with the ability of things like the SpamThru Trojan to use pirated and hacked copies of anti-virus applications to clean bots of other, competing Trojans before infecting them and adding them to its own network, and you can see why security experts are getting increasingly concerned. The latest SpamThru variant is worthy of further mention in this context, as it displays the lengths to which clever yet misguided programmers will go in order to reap the criminal financial harvest. SpamThru encrypts all spam message templates distributed to the bot network and uses a fully custom P2P protocol for inter-bot communication. So even if the control server is taken out, it can quickly update all bots with new details via that P2P network. By forcing host-based firewalls to click through ‘allow executables’ dialog boxes (with only a brief on-screen dialog box for evidence), this Trojan does its work all but unnoticed.
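The two behaviours described above leave footprints in outbound connection logs: a spam bot fans out to many distinct mail servers on TCP/25, and a bot using its own peer-to-peer protocol talks to many distinct peers on a single non-standard port. The script below, an added example and not part of the original post or of any vendor tool, runs that triage over constructed flow records in a simplified `timestamp src_ip dst_ip dst_port` format. The thresholds and port list are illustrative assumptions, not published indicators for SpamThru.

```python
"""Flag hosts whose outbound connection pattern resembles the behaviours
discussed in the post: SMTP fan-out (mass spamming) and many-peer traffic on
one high port (custom P2P command channel).

Added example. The flow format and all addresses below are constructed; the
thresholds are illustrative assumptions, not measured botnet indicators.
"""
from collections import defaultdict

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port".
# 10.0.0.5 looks like a spam bot, 10.0.0.7 like a P2P bot, 10.0.0.9 is benign.
SAMPLE_FLOWS = """\
2006-11-01T09:00:01 10.0.0.5 203.0.113.10 25
2006-11-01T09:00:02 10.0.0.5 203.0.113.11 25
2006-11-01T09:00:02 10.0.0.5 203.0.113.12 25
2006-11-01T09:00:03 10.0.0.5 203.0.113.13 25
2006-11-01T09:00:03 10.0.0.5 203.0.113.14 25
2006-11-01T09:00:04 10.0.0.5 203.0.113.15 25
2006-11-01T09:00:05 10.0.0.7 198.51.100.20 2234
2006-11-01T09:00:05 10.0.0.7 198.51.100.21 2234
2006-11-01T09:00:06 10.0.0.7 198.51.100.22 2234
2006-11-01T09:00:06 10.0.0.7 198.51.100.23 2234
2006-11-01T09:00:07 10.0.0.7 198.51.100.24 2234
2006-11-01T09:00:07 10.0.0.7 198.51.100.25 2234
2006-11-01T09:00:08 10.0.0.9 203.0.113.50 80
2006-11-01T09:00:09 10.0.0.9 203.0.113.51 443
2006-11-01T09:00:10 10.0.0.9 203.0.113.10 25
2006-11-01T09:01:00 10.0.0.9 garbage
"""

SMTP_FANOUT_THRESHOLD = 5   # distinct TCP/25 destinations from one host (assumed)
P2P_PEER_THRESHOLD = 5      # distinct peers on one non-standard port (assumed)
WELL_KNOWN_PORTS = {25, 53, 80, 110, 143, 443}  # excluded from the P2P check


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port) tuples.

    Malformed lines (wrong field count, non-numeric port) are skipped so one
    bad record does not abort the whole run.
    """
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            port = int(port)
        except ValueError:
            continue
        flows.append((ts, src, dst, port))
    return flows


def smtp_fanout(flows, threshold=SMTP_FANOUT_THRESHOLD):
    """Return {src: distinct_mx_count} for hosts contacting many TCP/25 endpoints."""
    dests = defaultdict(set)
    for _, src, dst, port in flows:
        if port == 25:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def p2p_peers(flows, threshold=P2P_PEER_THRESHOLD):
    """Return {(src, port): peer_count} for hosts with many peers on one high port."""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if port not in WELL_KNOWN_PORTS:
            peers[(src, port)].add(dst)
    return {k: len(v) for k, v in peers.items() if len(v) >= threshold}


def suspicious_hosts(text):
    """Union of hosts flagged by either heuristic, for the triage queue."""
    flows = parse_flows(text)
    hosts = set(smtp_fanout(flows))
    hosts.update(src for src, _ in p2p_peers(flows))
    return sorted(hosts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SMTP fan-out:", smtp_fanout(flows))
    print("P2P-like peers:", p2p_peers(flows))
    print("Hosts to triage:", suspicious_hosts(SAMPLE_FLOWS))
```

Both checks are triage signals rather than verdicts: a legitimate mail relay will also fan out on port 25, and legitimate file-sharing clients also talk to many peers, so the flagged hosts are candidates for a closer look at the process making the connections, not an automatic block list. The benefit of the approach is that it keys on network behaviour the bot cannot hide by encrypting its templates or by silencing the host firewall prompt.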

Botnets are quite possibly the biggest threat we face at the moment, and some say a threat beyond just that of spamming, spyware and criminal intent. McAfee are warning that national security could be at risk if there were a DDoS attack against government agency targets. Existing deterrents such as terms of imprisonment (a recent botnet operator was sentenced to 57 months for creating a 400,000-PC botnet, for example) are unlikely to be enough when balanced against the huge financial gains to be made.

And just because you have got all the latest OS and application patches installed, have your computers and networks well protected with the latest security updates, and practice ‘safe hex’, that still doesn’t mean you are safe. It is all those millions of newbie users and ‘it won’t happen to me’ bozos that you have to worry about. They are the ones that enable these botnets to be built in the first place, they are the ones that enable them to continue running, and they are the ones that will be responsible for the increase in malware-infected spam you are going to receive in the coming weeks.