Friday, February 24, 2006

Master of the Infected Puppets

In some of my previous posts, "What are botnet herds up to?", "Skype to control Botnets", "The War against Botnets and DDoS attacks", and "Recent Malware Developments", I was actively providing resources and updating my blog readers (thanks for the tips and the info sharing, I mean it!) on one of the most relevant threats to the Internet (more trends and bureaucracy) - Botnets.

I recently came across a well-researched report giving a very in-depth overview and summary of important concepts related to Botnets. Recommended bedtime reading, and here's an excerpt:

"In this paper we begin the process of codifying the capabilities of malware by dissecting four widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions including botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation and deception mechanisms. Our study reveals the complexity of botnet software, and we discuss implications for defense strategies based on our analysis."

Some of the findings that I also came across in my "Malware - future trends" search worth mentioning are:

- "The overall architecture and implementation of botnets is complex, and is evolving toward the use of common software engineering techniques such as modularity." Namely, no one is interested in reinventing the wheel, and the Simple Botnet/Malware Communication Protocol I've once mentioned (I originally came across the concept here) could give the malware scene an impressive scale, but could it also put AV vendors and researchers in a favourable position where exploiting protocol weaknesses is more beneficial than current approaches?

- "Shell encoding and packing mechanisms that can enable attacks to circumvent defensive systems are common. However, Agobot is the only botnet codebase that includes support for (limited) polymorphism."

Smart! Mainly because of the fact that "The malware delivery mechanisms used by botnets have implications for network intrusion detection and prevention signatures. In particular, NIDS/NIPS benefit from knowledge of commonly used shell codes and ability to perform simple decoding. If the separation of exploit and delivery becomes more widely adopted in bot code (as we anticipate it will), it suggests that NIDS could benefit greatly by incorporating rules that can detect follow-up connection attempts."
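To make the "follow-up connection" idea concrete, here is an added example (my own illustration, not code from the paper) that correlates an inbound hit on a commonly exploited service port with an outbound connection from the same internal host back to the same peer shortly afterwards, which is what a second-stage download after a successful exploit looks like on the wire. The flow records, port lists and time window are constructed assumptions for the demo.

```python
"""Flag exploit-then-download follow-up connections in flow records.

Constructed sample data: fields are ts, src, sport, dst, dport.
The victim hosts are 192.0.2.x; the peers are documentation-range addresses.
"""
from collections import defaultdict

SAMPLE_FLOWS = """\
1140800000 203.0.113.9 3456 192.0.2.10 445
1140800004 192.0.2.10 1025 203.0.113.9 69
1140800120 203.0.113.77 4000 192.0.2.11 135
1140800900 192.0.2.11 1030 203.0.113.77 80
1140801000 198.51.100.5 5000 192.0.2.12 80
1140801002 192.0.2.12 1040 198.51.100.5 443
"""

# Assumed port lists: services bots commonly exploited in 2006-era worms,
# and ports that typically carry the follow-up download of the bot binary.
EXPLOITED_SERVICE_PORTS = {135, 139, 445, 1025, 1433, 5000}
DELIVERY_PORTS = {21, 69, 80, 443, 6667}
WINDOW_SECONDS = 60  # assumed: download normally follows within a minute


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((int(ts), src, int(sport), dst, int(dport)))
    return flows


def find_follow_up_connections(flows, window=WINDOW_SECONDS):
    """Return (victim, peer, exploit_port, delivery_port, delay_s) tuples."""
    # Index inbound connections to exploitable ports by (victim, peer).
    inbound = defaultdict(list)
    for ts, src, _sport, dst, dport in flows:
        if dport in EXPLOITED_SERVICE_PORTS:
            inbound[(dst, src)].append((ts, dport))
    alerts = []
    # An outbound connection from the victim back to that peer on a
    # delivery port, within the window, is the follow-up we want to see.
    for ts, src, _sport, dst, dport in flows:
        if dport not in DELIVERY_PORTS:
            continue
        for hit_ts, hit_port in inbound.get((src, dst), []):
            delay = ts - hit_ts
            if 0 <= delay <= window:
                alerts.append((src, dst, hit_port, dport, delay))
    return alerts
```

Only the first host pair is flagged: the second pair's outbound connection comes 13 minutes later, and the third never had an inbound hit on an exploitable port.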

- "All botnets include a variety of sophisticated mechanisms for avoiding detection (e.g., by anti-virus software) once installed on a host system."

Retention instead of acquisition of new zombies would tend to dominate from my point of view. Patching the hosts themselves, hiding their presence, dealing with the easy-to-detect presence of idle zombies, TCP obfuscations, and tests for debuggers are among the current methods used.

Botnets will continue to dominate due to their concept and potential for growth, and while monitoring and doing active research is still feasible, encrypted communications, as a logical next development, should also be researched as a concept. But how many *public* IRC servers, if such are used, support SSL encryption?