Botnets: a retrospective to 2006, and where we are headed in 2007

a few months back i published a post on where i think anti-botnet technology is heading. now it’s time for what happened in 2006, and what we can expect from here on.

i am not a believer in such retrospective looks, as they are often completely biased and based on what we have seen and what we want to see. this is why i will try to limit myself to what we know is happening and is likely to get attention, as well as what we have seen the bad guys try that works well enough for them to take to the next level.

what changed with botnets in 2006:

1. botnets reached a level where it is unclear today what parts of the internet are not compromised to some extent. count by clean rather than infected.
2. botnets have become the most significant platform from which virtually any type of online attack and crime are launched. botnets equal an online infrastructure for abusive or criminal activity online.
3. in the past year, botnets have become mainstream. from a non-existent field, even in the professional realm, up to a few years ago (though attacks were happening constantly regardless), it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. websites have returned to being one of the most significant forms of infection for building botnets, which hadn’t been the case since the late 90s.
5. botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
6. new technologies are finally being introduced, moving the botnet controllers from using just (or mainly) irc to more advanced c&c (command and control) channels such as p2p, or to multi-layered channels, such as dns and irc stacked on top of each other in the osi model sense.
7. botnets used to be a game of quantity. today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.
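Item 6 names the shift from plain irc to other carriers such as dns. As an added defender-side illustration, not part of the original post and not the author’s tooling, here is a small Python triage over constructed flow and DNS records: it flags IRC protocol verbs seen on ports other than the conventional IRC ports, and DNS queries whose labels look like encoded data (TXT lookups especially). The port list, the entropy threshold, the label-length cutoff and every sample record are assumptions made for this example.

```python
"""Triage of constructed network records for IRC-style and DNS-carried C&C.

Added example with heuristic checks; the sample records are constructed.
"""
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# IRC registration/command verbs at the start of a line of captured payload.
IRC_VERB = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS|PONG)\b", re.MULTILINE)
# Ports conventionally used by IRC servers (assumed list for this example).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697}
# A DNS label at least this long and this random-looking is treated as encoded data.
MIN_ENCODED_LABEL_LEN = 16
ENTROPY_THRESHOLD = 3.5  # bits per character; hex-encoded data sits near 4.0

# Constructed flow records: client, server, destination port, payload excerpt.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 6667,
     "payload": "NICK [USA|XP]12345\r\nUSER bot 0 0 :bot\r\nJOIN #ch\r\n"},
    {"src": "10.0.0.6", "dst": "203.0.113.9", "dport": 8080,
     "payload": "NICK [DEU|XP]88231\r\nJOIN #ch\r\n"},
    {"src": "10.0.0.7", "dst": "198.51.100.4", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nHost: www.example.com\r\n"},
]

# Constructed DNS query records: client, queried name, query type.
SAMPLE_DNS = [
    {"src": "10.0.0.8", "qname": "www.example.com", "qtype": "A"},
    {"src": "10.0.0.8",
     "qname": "4f6a9c2e1b7d3e8f5a0c9b1d2e3f4a5b.cmd.example.org", "qtype": "TXT"},
    {"src": "10.0.0.9", "qname": "mail.example.com", "qtype": "MX"},
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for empty or single-symbol strings."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_irc(payload: str) -> bool:
    """True if any line of the payload begins with an IRC protocol verb."""
    return IRC_VERB.search(payload) is not None


def has_encoded_label(qname: str) -> bool:
    """True if any DNS label is long and high-entropy, i.e. likely carrying data."""
    return any(len(label) >= MIN_ENCODED_LABEL_LEN
               and shannon_entropy(label) >= ENTROPY_THRESHOLD
               for label in qname.split("."))


def classify_flow(flow: dict) -> Optional[str]:
    """Label a flow; IRC on an unusual port is the stronger indicator."""
    if not looks_like_irc(flow["payload"]):
        return None
    if flow["dport"] not in IRC_PORTS:
        return "irc-nonstandard-port"
    return "irc-standard-port"  # plain IRC: informational, not malicious by itself


def classify_dns(query: dict) -> Optional[str]:
    """Label a DNS query; encoded labels in TXT lookups suggest a covert channel."""
    if not has_encoded_label(query["qname"]):
        return None
    if query["qtype"] == "TXT":
        return "encoded-txt-query"
    return "high-entropy-label"


def triage(flows: List[dict], queries: List[dict]) -> List[Tuple[str, str]]:
    """Return (client, finding) pairs for every record that matched a rule."""
    findings = []
    for flow in flows:
        label = classify_flow(flow)
        if label:
            findings.append((flow["src"], label))
    for query in queries:
        label = classify_dns(query)
        if label:
            findings.append((query["src"], label))
    return findings


if __name__ == "__main__":
    for client, finding in triage(SAMPLE_FLOWS, SAMPLE_DNS):
        print(f"{client}: {finding}")
```

The IRC-on-standard-port finding is deliberately kept informational, since ordinary IRC use looks identical at this level; the port mismatch and the encoded-looking DNS label are what a defender would actually escalate. In practice the entropy rule needs an allow-list for CDN, anti-spam and other legitimate services that also emit long hashed labels.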

what’s going to happen with botnets in 2007:

botnets won’t change. all will remain the same as it has been for years. awareness, however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. the bad guys will utilize their infrastructure to get more out of the bots (quality, once quantity is here) and be able to do more than just steal cash, maximizing their revenue.

further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, facilitating anything from corporate espionage and intelligence gathering to shameless, open shows of strength against those who oppose them (think blue security), in the real world as well as the cyber one (which to the mob are one and the same; it’s the income that speaks).

meaning, the existing botnet infrastructure will be utilized both in an open fashion, since online miscreants (the real-world mob) face virtually no risk, and in quiet, secretive ways for third-party intelligence operations.

gadi evron,

  • colossus

    Botnets won’t change? What about Windows Vista being released to the public in early ’07? Does anyone even have a buffer overflow working under Vista? Even the new IE is much more secure. The prey for botnets is ever changing. Are you saying that botnets won’t change much because botnets will be forced to exploit the software of ’06?

    Clearly there is a lot happening in the web application world. I think we will see more web application based botnets in the coming years. I agree that IRC is so last century; I think SQL powered botnets are going to be more popular. I also think we will see more OS X botnets. It’s a shame there isn’t more open source OS X botnet code…

  • Sirk

    What of artificial intelligence? Could thinking agents be a plausible city on the hill for botnet operators? It seems to me everyone in the industry is assuming this will never happen because botnet writers are not that sophisticated or are too stupid to write anything at that level.

  • Jason DePriest

    Botnets will definitely change. They will be required to change to continue being profitable. As new computer systems are purchased with the latest OS X or the latest Windows (Vista), new modes of entry will be discovered and exploited. I have no doubt that botnet tools will continue to be actively tweaked and enhanced. My guess is that exploitation will continue to hybridize and botnets will become sneakier, faster, and more powerful. They will hide inside innocent web pages on legitimate sites. They will bury themselves with sophisticated rootkits. They will spread slowly and intelligently gather and send data back to their masters. Sirk’s worry about AI is well-founded. There is money to be had in this and it will be done when all other avenues have been exhausted.